Learn which resources are deployed in your Google Cloud environment for each TrendAI Vision One™ feature that you can enable on a Google Cloud project. For more information about each feature and permission set, see Google Cloud features and permissions.

Google Cloud Project Services deployed by feature

For each feature name below, the table lists the Google Cloud project services it deploys; the number in parentheses is how many of that resource are created.
Core Features
Resources:
  • Service Account (1)
  • Workload Identity Pool (1)
  • Workload Identity Pool Provider (1)
  • IAM (3)
  • Tag Key (1)
  • Tag Value (1)
  • Cloud Storage (1)
Enabled APIs:
  • IAM Service Account Credentials
  • Cloud Resource Manager
  • Identity and Access Management
  • Cloud Build
  • Deployment Manager
  • Cloud Functions
  • Cloud Pub/Sub
  • Secret Manager
Agentless Vulnerability & Threat Detection
IAM & Service Accounts per stack:
  • iam member (10)
  • service account iam member (10)
  • iam custom role (3)
  • service account (3)
Cloud Run Services & Jobs:
Primary region:
  • cloud run v2 service (12)
  • cloud run v2 service iam policy (10)
  • cloud run service iam policy (2)
  • cloud run v2 job (4)
  • cloud run v2 job iam policy (4)
Non-primary Region:
  • cloud run v2 service (6)
  • cloud run v2 service iam policy (5)
  • cloud run service iam policy (1)
  • cloud run v2 job (4)
  • cloud run v2 job iam policy (4)
Cloud Scheduler (primary region only):
  • cloud scheduler job (7)
Pub/Sub:
Primary region:
  • pubsub topic (4)
  • pubsub subscription (4)
  • pubsub topic iam policy (3)
  • pubsub topic iam member (3)
  • pubsub subscription iam policy (3)
Non-primary Region:
  • pubsub topic (2)
  • pubsub subscription (2)
  • pubsub topic iam policy (2)
  • pubsub subscription iam policy (2)
Cloud Storage (per region):
  • storage bucket iam member (2)
  • storage bucket (2)
  • storage bucket object (1)
Secret Manager (primary region only):
  • secret manager secret (2)
  • secret manager secret iam policy (2)
Workflows (per region):
  • workflows (2)
Networking:
Primary Region:
  • compute network (1)
  • compute firewall (1)
All regions:
  • compute subnetwork (1)
Firestore (primary region only):
  • firestore database (1)
Logging (per region):
  • logging project sink (1)
Eventarc (per region):
  • eventarc trigger (1)
Virtual Machines (per region):
  • virtual machine (10 per region when disks are available for scanning)
Enabled APIs:
  • Cloud Run Admin API (run.googleapis.com)
  • Cloud Logging API (logging.googleapis.com)
  • IAM Service Account Credentials API (iamcredentials.googleapis.com)
  • Cloud Billing API (cloudbilling.googleapis.com)
  • Cloud Firestore API (firestore.googleapis.com)
  • Secret Manager API (secretmanager.googleapis.com)
  • Compute Engine API (compute.googleapis.com)
  • Cloud Scheduler API (cloudscheduler.googleapis.com)
  • Cloud Workflows API (workflows.googleapis.com)
  • Workflow Executions API (workflowexecutions.googleapis.com)
  • Eventarc API (eventarc.googleapis.com)
For more information on the permissions required for each service account, see Google Cloud required permissions.
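Before enabling a feature, a practitioner usually wants to confirm that the APIs the table lists are actually enabled in the target project, and to see which ones are still missing. The following POSIX shell script is an added example, not code from the Trend Vision One documentation or product: it embeds the Agentless Vulnerability & Threat Detection API list exactly as given above, takes the project's enabled-service list in the format produced by `gcloud services list --enabled --format='value(config.name)'`, and prints every required service that is absent. The function names `missing_apis` and `check_live` and the `--live` flag are this example's own; the same function works for the Real-Time Posture Monitoring list by substituting that feature's service names.

```shell
#!/bin/sh
# Added example (not Trend Vision One code): report which APIs required by a
# feature are not yet enabled in a Google Cloud project.
# Input format assumed: one service name per line, as printed by
#   gcloud services list --enabled --format='value(config.name)'

# Services the page lists for Agentless Vulnerability & Threat Detection.
AGENTLESS_APIS="run.googleapis.com
logging.googleapis.com
iamcredentials.googleapis.com
cloudbilling.googleapis.com
firestore.googleapis.com
secretmanager.googleapis.com
compute.googleapis.com
cloudscheduler.googleapis.com
workflows.googleapis.com
workflowexecutions.googleapis.com
eventarc.googleapis.com"

# missing_apis REQUIRED ENABLED
# Prints each service in REQUIRED that does not appear in ENABLED, one per line,
# preserving the order of REQUIRED. Returns 0 when nothing is missing, 1 otherwise.
missing_apis() {
    required="$1"
    enabled="$2"
    status=0
    for svc in $required; do
        # -x forces a whole-line match, so "run.googleapis.com" cannot be
        # satisfied by a service whose name merely contains that string.
        if ! printf '%s\n' "$enabled" | grep -qx "$svc"; then
            printf '%s\n' "$svc"
            status=1
        fi
    done
    return $status
}

# check_live REQUIRED
# Queries the currently configured gcloud project (hypothetical wrapper; needs an
# authenticated gcloud) and reports any gap for the given feature list.
check_live() {
    enabled=$(gcloud services list --enabled --format='value(config.name)')
    if missing_apis "$1" "$enabled"; then
        echo "all required APIs are enabled"
    else
        echo "enable the APIs listed above before deploying the feature" >&2
        return 1
    fi
}

# Usage: sh check_apis.sh --live
if [ "${1:-}" = "--live" ]; then
    check_live "$AGENTLESS_APIS"
fi
```

Run it with `--live` against a project to get the list of services to enable; without the flag it only defines the functions, so it can be sourced and reused with another feature's list.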
Real-Time Posture Monitoring
Resources:
  • Logging Sink
  • Pub/Sub Topic
  • Pub/Sub IAM Binding
  • Cloud Storage Bucket
  • Cloud Storage Object
  • Service Account
  • Cloud Function (Gen 2)
  • Cloud Run Service IAM Binding
  • Eventarc Trigger
  • Artifact Registry Repository
Enabled APIs:
  • Cloud Logging API (Service: logging.googleapis.com)
  • Cloud Pub/Sub API (Service: pubsub.googleapis.com)
  • Cloud Storage API (Service: storage.googleapis.com)
  • Cloud Functions API (Service: cloudfunctions.googleapis.com)
  • Cloud Run Admin API (Service: run.googleapis.com)
  • Eventarc API (Service: eventarc.googleapis.com)
  • Cloud Build API (Service: cloudbuild.googleapis.com)
  • Artifact Registry API (Service: artifactregistry.googleapis.com)
  • Cloud Deployment Manager (Service: deploymentmanager.googleapis.com)
  • Identity and Access Management (IAM) API (Service: iam.googleapis.com)
Permissions:
Used in deployment:
  • resourcemanager.projects.get
  • iam.serviceAccounts.create
  • iam.serviceAccounts.delete
  • iam.serviceAccounts.get
  • iam.serviceAccounts.actAs
  • cloudfunctions.functions.create
  • cloudfunctions.functions.delete
  • cloudfunctions.functions.get
  • cloudfunctions.functions.update
  • run.services.get
  • run.services.setIamPolicy
  • eventarc.triggers.create
  • eventarc.triggers.delete
  • eventarc.triggers.get
  • artifactregistry.repositories.create
  • artifactregistry.repositories.get
  • pubsub.topics.create
  • pubsub.topics.delete
  • pubsub.topics.get
  • pubsub.topics.setIamPolicy
  • pubsub.topics.getIamPolicy
  • logging.sinks.create
  • logging.sinks.delete
  • logging.sinks.get
  • storage.buckets.create
  • storage.buckets.get
  • storage.buckets.delete
  • storage.objects.create
  • storage.objects.delete
  • storage.objects.get
  • deploymentmanager.deployments.get
  • deploymentmanager.deployments.delete
Roles granted to the service account that is created:
  • roles/run.invoker
  • roles/pubsub.publisher
Data Security Posture
Phase: Deployment
IAM:
  • google_service_account (1)
  • google_project_iam_member (14)
Networking:
  • google_compute_network (1)
  • google_compute_subnetwork (1)
  • google_compute_router (1)
  • google_compute_router_nat (1)
  • google_compute_firewall (4 to 5, conditional)
  • google_vpc_access_connector (1)
Storage:
  • google_storage_bucket (2)
  • google_storage_bucket_object (1)
  • google_storage_bucket_iam_member (1)
Compute:
  • google_compute_disk (0 to 1, conditional)
Secret Manager:
  • google_secret_manager_secret (1)
  • google_secret_manager_secret_version (1)
  • google_secret_manager_secret_iam_member (1)
Monitoring:
  • google_monitoring_metric_descriptor (1)
  • google_monitoring_alert_policy (0 to 1, conditional)
  • google_monitoring_notification_channel (0 to 1, conditional)
Pub/Sub:
  • google_pubsub_topic (2 to 3)
  • google_pubsub_subscription (1)
Cloud Functions:
  • google_cloudfunctions2_function (2)
  • google_cloudfunctions2_function_iam_member (0 to 1, conditional)
Eventarc:
  • google_eventarc_trigger (0 to 1, conditional)
Cloud Scheduler:
  • google_cloud_scheduler_job (1 to 2)
Artifact Registry:
  • google_artifact_registry_repository (1)
Cloud Run:
  • google_cloud_run_v2_service (1)
Logging:
  • google_logging_project_sink (0 to 1, conditional)
Cloud Build:
  • google_cloudbuild_trigger (0 to 1, conditional)
Phase: Runtime
The following resources are created at runtime by application code and are not managed by Terraform:
  • VM Instance (google_compute_instance): Created per scan job, terminated after heartbeat timeout
  • Ephemeral External IP: Non-production environments only, released with VM deletion
  • Secret Manager Versions: New version per rotation cycle, keeps last 5 versions
  • Custom Metric Time Series Data: Written during VM lifecycle for monitoring
  • GCS Objects (Audit Logs): Delivered by GCP logging infrastructure