Views:

Learn which resources are deployed in your Google Cloud environment for each TrendAI Vision One™ feature that you can enable on a Google Cloud project. For more information about each feature and permission set, see Google Cloud features and permissions.

Google Cloud Project Services deployed by feature

Feature name
Google Cloud Project services deployed (number)
Core features and permissions
Resources:
  • Service Account (1)
  • Workload Identity Pool (1)
  • Workload Identity Pool Provider (1)
  • IAM (3)
  • Tag Key (1)
  • Tag Value (1)
  • Cloud Storage (1)
Enabled APIs:
  • IAM Service Account Credentials
  • Cloud Resource Manager
  • Identity and Access Management
  • Cloud Build
  • Deployment Manager
  • Cloud Functions
  • Cloud Pub/Sub
  • Secret Manager
Agentless Vulnerability & Threat Detection
Resources:
  • Control Plane Service Account
  • Customer Role Service Account
  • Data Plane Service Account
For more information on the permissions required for each service account, see Google Cloud required permissions.
Real-Time Posture Monitoring
Resources:
  • Logging Sink
  • Pub/Sub Topic
  • Pub/Sub IAM Binding
  • Cloud Storage Bucket
  • Cloud Storage Object
  • Service Account
  • Cloud Function (Gen 2)
  • Cloud Run Service IAM Binding
  • Eventarc Trigger
  • Artifact Registry Repository
Enabled APIs:
  • Cloud Logging API (Service: logging.googleapis.com)
  • Cloud Pub/Sub API (Service: pubsub.googleapis.com)
  • Cloud Storage API (Service: storage.googleapis.com)
  • Cloud Functions API (Service: cloudfunctions.googleapis.com)
  • Cloud Run Admin API (Service: run.googleapis.com)
  • Eventarc API (Service: eventarc.googleapis.com)
  • Cloud Build API (Service: cloudbuild.googleapis.com)
  • Artifact Registry API (Service: artifactregistry.googleapis.com)
  • Cloud Deployment Manager (Service: deploymentmanager.googleapis.com)
  • Identity and Access Management (IAM) API (Service: iam.googleapis.com)
Permissions:
Used in deployment:
  • resourcemanager.projects.get
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.actAs
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.update
  • run.services.get
  • run.services.setIamPolicy
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • artifactregistry.repositories.create
  • artifactregistry.repositories.get
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.setIamPolicy
  • pubsub.topics.getIamPolicy
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.delete
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.delete
Roles used by the service account created:
  • roles/run.invoker
  • roles/pubsub.publisher
Data Security Posture
Phase: Deployment
IAM:
  • google_service_account (1)
  • google_project_iam_member (14)
Networking:
  • google_compute_network (1)
  • google_compute_subnetwork (1)
  • google_compute_router (1)
  • google_compute_router_nat (1)
  • google_compute_firewall (4 to 5, conditional)
  • google_vpc_access_connector (1)
Storage:
  • google_storage_bucket (2)
  • google_storage_bucket_object (1)
  • google_storage_bucket_iam_member (1)
Compute:
  • google_compute_disk (0 to 1, conditional)
Secret Manager:
  • google_secret_manager_secret (1)
  • google_secret_manager_secret_version (1)
  • google_secret_manager_secret_iam_member (1)
Monitoring:
  • google_monitoring_metric_descriptor (1)
  • google_monitoring_alert_policy (0 to 1, conditional)
  • google_monitoring_notification_channel (0 to 1, conditional)
Pub/Sub:
  • google_pubsub_topic (2 to 3)
  • google_pubsub_subscription (1)
Cloud Functions:
  • google_cloudfunctions2_function (2)
  • google_cloudfunctions2_function_iam_member (0 to 1, conditional)
Eventarc:
  • google_eventarc_trigger (0 to 1, conditional)
Cloud Scheduler:
  • google_cloud_scheduler_job (1 to 2)
Artifact Registry:
  • google_artifact_registry_repository (1)
Cloud Run:
  • google_cloud_run_v2_service (1)
Logging:
  • google_logging_project_sink (0 to 1, conditional)
Cloud Build:
  • google_cloudbuild_trigger (0 to 1, conditional)
Phase: Runtime
The following resources are created at runtime by application code and are not managed by Terraform:
  • VM Instance (google_compute_instance): Created per scan job, terminated after heartbeat timeout
  • Ephemeral External IP: Non-production environments only, released with VM deletion
  • Secret Manager Versions: New version per rotation cycle, keeps last 5 versions
  • Custom Metric Time Series Data: Written during VM lifecycle for monitoring
  • GCS Objects (Audit Logs): Delivered by GCP logging infrastructure