Views:

Create a Cloud Account for GCP Parent topic

Follow the steps to create a Cloud Account for GCP.
After you create the Cloud Account, retrieve the serviceAccountEmail by calling the Describe GCP project API.

Prerequisites Parent topic

Procedure

  1. Install the gcloud CLI.
  2. Install Terraform.
  3. Set up an environment to run shell scripts.

Using Terraform with gcloud CLI Parent topic

Create an all-in-one stack by Terraform Parent topic

Procedure

  1. Log into gcloud:
    gcloud auth application-default login
  2. Set up the gcloud project
    gcloud config set project PROJECT-ID
    where PROJECT-ID is the ID of the GCP project where you are deploying the stack.
  3. Download the templates:
    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates-terraform.zip && unzip gcp-templates-terraform.zip
  4. Configure the GCP project using Terraform deployment:
    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./gcp-configuration/terraform.tfvars.json
    terraform -chdir=gcp-configuration init && terraform -chdir=gcp-configuration apply
    where...
    • projectID must be replaced with the ID of your GCP project.
  5. Create the all-in-one stack in GCP with the following commands:
    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./all-in-one/terraform.tfvars.json
    sed -i "s/<SCANNER_STACK_NAME>/<scannerStackName>/g" ./all-in-one/terraform.tfvars.json
    sed -i "s/<STORAGE_STACK_NAME>/<storageStackName>/g" ./all-in-one/terraform.tfvars.json
    sed -i "s/<GCP_REGION>/<region>/g" ./all-in-one/terraform.tfvars.json
    sed -i "s/<SCANNING_BUCKET_NAME>/<scanningBucketName>/g" ./all-in-one/terraform.tfvars.json
    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_GCP_PROJECT_ID>/<managementServiceAccountProjectID>/g" ./all-in-one/terraform.tfvars.json
    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_ID>/<managementServiceAccountID>/g" ./all-in-one/terraform.tfvars.json
    terraform -chdir=all-in-one init && terraform -chdir=all-in-one apply
    where...
    • projectID must be replaced with the ID of your GCP project.
    • scanningBucketName must be replaced with the name of your [Cloud Storage Bucket], as it appears in Cloud Storage. You can only specify one bucket. Example: my-bucket-to-scan-01
    • scannerStackName must be replaced with the prefix of the stack name. The prefix must be less than 17 characters. Example: FSS-AIO-SCANNER
    • storageStackName must be replaced with the prefix of the stack name. The prefix must be less than 17 characters. Example: FSS-AIO-STORAGE
    • region must be replaced with the region of your bucket. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • managementServiceAccountProjectID must be replaced with the GCP project ID of your management service account retrieved from serviceAccountEmail in the previous step. Example: cloud-one-service-account@<managementServiceAccountProjectID>.iam.gserviceaccount.com
    • managementServiceAccountID must be replaced with the service account retrieved from serviceAccountEmail in the previous step. Example: <managementServiceAccountID>@my-gcp-project.iam.gserviceaccount.com
    When the deployment is finished, Terraform generates the stack outputs in a tfstate file for the deployment steps later on.

Create a scanner stack by using Terraform Parent topic

Procedure

  1. Log into gcloud:
    gcloud auth application-default login
  2. Set up the gcloud project
    gcloud config set project PROJECT-ID
    where PROJECT-ID is the ID of the GCP project where you are deploying the stack.
  3. Download the templates:
    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates-terraform.zip && unzip gcp-templates-terraform.zip
  4. Configure the GCP project by using the Terraform deployment:
    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./gcp-configuration/terraform.tfvars.json
    terraform -chdir=gcp-configuration init && terraform -chdir=gcp-configuration apply
    where...
    • <projectID> must be replaced with the ID of your GCP project.
  5. Create the scanner stack in GCP with the following commands:
    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./scanners/terraform.tfvars.json
    sed -i "s/<SCANNER_STACK_NAME>/<scannerStackName>/g" ./scanners/terraform.tfvars.json
    sed -i "s/<GCP_REGION>/<region>/g" ./scanners/terraform.tfvars.json
    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_GCP_PROJECT_ID>/<managementServiceAccountProjectID>/g" ./scanners/terraform.tfvars.json
    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_ID>/<managementServiceAccountID>/g" ./scanners/terraform.tfvars.json
    terraform -chdir=scanners init && terraform -chdir=scanners apply
    where...
    • projectID must be replaced with the ID of your GCP project.
    • scannerStackName must be replaced with the prefix of the stack name. The prefix must be less than 17 characters. Example: FSS-AIO-SCANNER
    • region must be replaced with the region of your bucket. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • managementServiceAccountProjectID must be replaced with the GCP project ID of your management service account retrieved from serviceAccountEmail in the previous step. Example: cloud-one-service-account@<managementServiceAccountProjectID>.iam.gserviceaccount.com
    • managementServiceAccountID must be replaced with the service account retrieved from serviceAccountEmail in the previous step. Example: <managementServiceAccountID>@my-gcp-project.iam.gserviceaccount.com
    When the deployment is finished, Terraform generates the stack outputs in a tfstate file for the deployment steps later on.

Create a storage stack by using Terraform Parent topic

Procedure

  1. Log into gcloud:
    gcloud auth application-default login
  2. Set up the gcloud project
    gcloud config set project PROJECT-ID
    where PROJECT-ID is the ID of the GCP project where you are deploying the stack.
  3. Download the templates:
    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates-terraform.zip && unzip gcp-templates-terraform.zip
  4. Configure the GCP project using Terraform deployment:
    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./gcp-configuration/terraform.tfvars.json
    terraform -chdir=gcp-configuration init && terraform -chdir=gcp-configuration apply
    where...
    • projectID must be replaced with the ID of your GCP project.
  5. Create the storage stack in GCP with the following commands:
    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./storages/terraform.tfvars.json
    sed -i "s/<STORAGE_STACK_NAME>/<storageStackName>/g" ./storages/terraform.tfvars.json
    sed -i "s/<GCP_REGION>/<region>/g" ./storages/terraform.tfvars.json
    sed -i "s/<SCANNING_BUCKET_NAME>/<scanningBucketName>/g" ./storages/terraform.tfvars.json
    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_GCP_PROJECT_ID>/<managementServiceAccountProjectID>/g" ./storages/terraform.tfvars.json
    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_ID>/<managementServiceAccountID>/g" ./storages/terraform.tfvars.json
    sed -i "s/<SCANNER_STACK_PROJECT_ID>/<scannerProjectID>/g" ./storages/terraform.tfvars.json
    sed -i "s/<SCANNER_STACK_PUBSUB_TOPIC_NAME>/<scannerTopic>/g" ./storages/terraform.tfvars.json
    sed -i "s/<SCANNER_STACK_SERVICE_ACCOUNT_ID>/<scannerServiceAccountID>/g" ./storages/terraform.tfvars.json
    terraform -chdir=storages init && terraform -chdir=storages apply
    where...
    • projectID must be replaced with the ID of your GCP project.
    • scanningBucketName must be replaced with the name of your [Cloud Storage Bucket], as it appears in Cloud Storage. You can only specify one bucket. Example: my-bucket-to-scan-01
    • storageStackName must be replaced with the prefix of the stack name. The prefix must be less than 17 characters. Example: FSS-AIO-STORAGE
    • region must be replaced with the region of your bucket. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • managementServiceAccountProjectID must be replaced with the GCP project ID of your management service account retrieved from serviceAccountEmail in the previous step. Example: cloud-one-service-account@<managementServiceAccountProjectID>.iam.gserviceaccount.com
    • managementServiceAccountID must be replaced with the service account retrieved from serviceAccountEmail in the previous step. Example: <managementServiceAccountID>@my-gcp-project.iam.gserviceaccount.com
    • scannerProjectID must be replaced with the ID of your scanner's GCP project from the scanner_informations output of the scanner's Terraform deployment.
    • scannerTopic must be replaced with the name of your scanner's Pub/Sub topic from the scanner_informations output of the scanner's Terraform deployment.
    • scannerServiceAccountID must be replaced with the name of your scanner's service account ID from the scanner_informations output of the scanner's Terraform deployment.
    When the deployment is finished, Terraform generates the stack outputs in a tfstate file for the deployment steps later on.