I recently installed and configured this TA. For the configurations portion, only a JSON key from a GCP service account is needed; Splunk will then automatically scan for GCP projects and subscriptions. After selecting the desired project and subscriptions, Splunk is indexing data.
How exactly does this work? I was expecting there would be some firewall rules/ports that need to be configured before external data could be indexed.
You should log this as a new question. But the answer is: neither. You should install the add-on on the heavy forwarders for data collection. Please refer to: https://docs.splunk.com/Documentation/AddOns/released/GoogleCloud/installation