# Module: gcp
# Docs: https://www.elastic.co/guide/en/beats/filebeat/7.x/filebeat-module-gcp.html

- module: gcp
  vpcflow:
    enabled: true

    # Google Cloud project ID.
    var.project_id: my-gcp-project-id

    # Google Pub/Sub topic containing VPC flow logs. Stackdriver must be
    # configured to use this topic as a sink for VPC flow logs.
    var.topic: gcp-vpc-flowlogs

    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-vpc-flowlogs-sub

    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json

    # Set internal networks. This is used to classify network.direction based
    # off of what networks are considered "internal" either base off of a CIDR
    # block or named network conditions. If this is not specified, then traffic
    # direction is determined by whether it is between source and destination
    # instance information rather than IP.
    #
    # For a full list of network conditions see:
    # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
    #var.internal_networks: [ "private" ]

  firewall:
    enabled: true

    # Google Cloud project ID.
    var.project_id: my-gcp-project-id

    # Google Pub/Sub topic containing firewall logs. Stackdriver must be
    # configured to use this topic as a sink for firewall logs.
    var.topic: gcp-vpc-firewall

    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-firewall-sub

    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json

    # Set internal networks. This is used to classify network.direction based
    # off of what networks are considered "internal" either base off of a CIDR
    # block or named network conditions. If this is not specified, then traffic
    # is taken from the direction data in the rule_details event payload.
    #
    # For a full list of network conditions see:
    # https://www.elastic.co/guide/en/beats/filebeat/current/defining-processors.html#condition-network
    #var.internal_networks: [ "private" ]

  audit:
    enabled: true

    # Google Cloud project ID.
    var.project_id: my-gcp-project-id

    # Google Pub/Sub topic containing firewall logs. Stackdriver must be
    # configured to use this topic as a sink for firewall logs.
    var.topic: gcp-vpc-audit

    # Google Pub/Sub subscription for the topic. Filebeat will create this
    # subscription if it does not exist.
    var.subscription_name: filebeat-gcp-audit

    # Credentials file for the service account with authorization to read from
    # the subscription.
    var.credentials_file: ${path.config}/gcp-service-account-xyz.json