Getting started with Google Cloud Platform (GCP) Cloud Accounts

To set up a new Cloud Account, you must deploy resources in your Google Cloud Platform (GCP) project to provide access to Trend Micro Cloud One. You can deploy the Terraform template provided by Cloud One, which will create the required GCP resources for you, by following the steps below.

You can manage GCP Cloud Accounts through the User Interface or by using a Command Line Interface.

Through the User Interface

Adding a Cloud Account

In the Cloud One Console

  1. At the bottom of the Trend Micro Cloud One console home page, click on Integrations.
  2. Click the GCP tab.
  3. Click the New button to start the Cloud Account setup wizard.
  4. Click the Download Terraform template button to download the Terraform template used to deploy the necessary GCP resources in your GCP project.
  5. Click the GCP Cloud Shell link to sign into the GCP console and open Google Cloud Shell.

In the GCP Console

  1. Once Cloud Shell is started, run the following command to set the Project ID for the Cloud Shell session:

    gcloud config set project [PROJECT_ID]

    The GCP resources required by Cloud One to authenticate will be deployed here.

  2. From the More menu (with the "traffic light" icon), click Upload to upload the Terraform template to Cloud Shell.

  3. Select the template you downloaded from the Cloud One console.

  4. Once the template has been successfully uploaded, run the following command to initialize and deploy the Terraform template:

    terraform init && terraform apply

    Terraform will initialize and display the resources it intends to create.

  5. Review the plan, then type yes and press Enter to continue the deployment.

  6. Run the following command to extract the outputs of the template to a JSON file:

    terraform output -json > cloudone_gcp_output.json

  7. From the Cloud Shell Terminal window, in the More menu (with the "traffic light" icon), click Download to download the JSON file you generated in the previous step.

  8. Once the JSON file has been successfully downloaded, navigate back to the Cloud One Console.

In the Cloud One Console

  1. In the Connect Google Cloud Platform Account setup wizard's dialog box, click the Upload JSON File button.

  2. Select cloudone_gcp_output.json.

  3. Click the Connect button.

Protect more than a single project

Follow the steps below to protect a new GCP project with your configured GCP Cloud Account.

In the Cloud One Console

  1. Copy the Service Account ID from your configured GCP Cloud Account in the Cloud One Console to the clipboard by pressing Ctrl+C.
  2. Take note of the Project Number associated with the GCP Cloud Account.

In the GCP Console

First determine the Service Account Email, then use it in the "Add a new role to the Service Account" procedure below once for each additional project or folder you want your configured Cloud Account to protect.

Determine Service Account Email
  1. Navigate to the project in the GCP Console corresponding to the Project Number you just took note of.
  2. In the Navigation menu, click IAM & Admin, then Service Accounts.
  3. Press Ctrl+F, then Ctrl+V to paste the Service Account ID you copied from the Cloud One Console into the search box.
  4. Copy the Service Account Email associated with the Service Account ID.
Add a new role to the Service Account
  1. Navigate to a new Project or Folder.
  2. In the Navigation menu click IAM & Admin, then IAM.
  3. At the top of the screen, click Add.
  4. In the New principals box, type the Service Account Email.
  5. From the Select a role dropdown, under Quick Access select Basic, then Viewer.
  6. Click Save.

If you grant the role to the Service Account at the folder level, every project in that folder (including projects created in it later) inherits the binding, so you do not need a separate project-level binding for each one. API enablement is not inherited; see the next procedure.

Enable Necessary APIs for new Projects
  1. Click the Activate Cloud Shell button at the top right of the GCP Console.
  2. Run the following command to set the Cloud Shell session Project ID to that of the project you're adding:

    gcloud config set project [PROJECT_ID]
  3. Run the following command to enable the required APIs:

    gcloud services enable cloudbuild.googleapis.com deploymentmanager.googleapis.com cloudfunctions.googleapis.com pubsub.googleapis.com secretmanager.googleapis.com
  4. Repeat steps 1 to 3 for every project you add. The APIs must be enabled in each project individually, even when the Viewer role was granted at the folder level.
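The two procedures above (grant Viewer, enable the APIs) are repeated once per project, which is error-prone by hand when a folder holds many projects. The following is an added example, not Trend Micro's own tooling, that scripts them with the same gcloud commands the console actions map to: add-iam-policy-binding for roles/viewer (on each project, or once on a folder so the binding is inherited) and services enable for the required APIs in every project. The script name, the FOLDER_ID environment variable, the service-account email format check and the sample identifiers are assumptions made here.

```python
# Added example (not Trend Micro's code): onboard several GCP projects into an
# existing Cloud One GCP Cloud Account by driving gcloud from Python.
# sa_email is the Service Account Email read from IAM & Admin > Service Accounts.
import os
import re
import subprocess
import sys

# APIs the page says every protected project must have enabled.
REQUIRED_APIS = [
    "cloudbuild.googleapis.com",
    "deploymentmanager.googleapis.com",
    "cloudfunctions.googleapis.com",
    "pubsub.googleapis.com",
    "secretmanager.googleapis.com",
]
VIEWER_ROLE = "roles/viewer"  # "Basic > Viewer" in the console role picker

# Loose shape of a GCP service account email (assumption: enough to catch the
# common mistake of pasting the numeric Service Account ID instead of the email).
_SA_EMAIL = re.compile(r"^[-a-z0-9]+@[-a-z0-9]+\.iam\.gserviceaccount\.com$")


def validate_sa_email(sa_email: str) -> str:
    if not _SA_EMAIL.match(sa_email):
        raise ValueError(f"not a service account email: {sa_email!r}")
    return sa_email


def viewer_binding_cmd(scope: str, target: str, sa_email: str) -> list:
    """gcloud argv that grants roles/viewer to the service account on a project or folder."""
    member = f"serviceAccount:{sa_email}"
    if scope == "project":
        return ["gcloud", "projects", "add-iam-policy-binding", target,
                f"--member={member}", f"--role={VIEWER_ROLE}"]
    if scope == "folder":
        return ["gcloud", "resource-manager", "folders", "add-iam-policy-binding", target,
                f"--member={member}", f"--role={VIEWER_ROLE}"]
    raise ValueError(f"scope must be 'project' or 'folder', got {scope!r}")


def enable_apis_cmd(project_id: str) -> list:
    """gcloud argv that enables the required APIs in one project (--project is a global flag)."""
    return ["gcloud", "services", "enable", *REQUIRED_APIS, f"--project={project_id}"]


def plan(sa_email: str, projects, folder: str = None) -> list:
    """Commands to run: one Viewer binding per project, or a single inherited binding
    on the folder; API enablement is per project either way because it is not inherited."""
    validate_sa_email(sa_email)
    projects = list(dict.fromkeys(projects))  # drop duplicates, keep order
    if not projects:
        raise ValueError("no projects given")
    cmds = ([viewer_binding_cmd("folder", folder, sa_email)] if folder
            else [viewer_binding_cmd("project", p, sa_email) for p in projects])
    cmds += [enable_apis_cmd(p) for p in projects]
    return cmds


def run_plan(cmds, runner=subprocess.check_call) -> int:
    """Execute the plan in order; check_call raises on the first failing gcloud call."""
    for cmd in cmds:
        runner(cmd)
    return len(cmds)


if __name__ == "__main__":
    # usage: python onboard_projects.py SA_EMAIL PROJECT_ID [PROJECT_ID ...]
    # Set FOLDER_ID (assumed variable name) to grant Viewer once at folder level.
    commands = plan(sys.argv[1], sys.argv[2:], folder=os.environ.get("FOLDER_ID"))
    for c in commands:
        print(" ".join(c))
    run_plan(commands)
```

Run it from a Cloud Shell session that is already authenticated as someone with permission to edit IAM on the target projects or folder; the plan is printed before anything is executed so it can be reviewed first.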

Updating an existing Cloud Account

  1. At the bottom of the Trend Micro Cloud One console home page, click on Integrations.
  2. Click the GCP tab.
  3. Select the account you wish to update.
  4. Edit the relevant fields, then click the Save button.

Listing your Cloud Accounts

Your GCP Cloud Accounts will automatically be listed on the Cloud Accounts page in the GCP tab.

Removing an existing Cloud Account

  1. At the bottom of the Trend Micro Cloud One console home page, click on Integrations.
  2. Click the GCP tab.
  3. Select the account you wish to remove, then click Delete.
  4. From the pop-up dialog box, click Delete.

Using a Command Line Interface

Adding a Cloud Account

In the GCP Console

  1. Navigate to Google Cloud Shell.

  2. Once Cloud Shell is started, run the following command to set the Project ID for the Cloud Shell session:

    gcloud config set project [PROJECT_ID]

The GCP resources required by Cloud One to authenticate will be deployed here.

In the Command Line Interface

  1. Acquire a Cloud One API key if you do not already have one generated. Treat it as a credential: keep it in an environment variable or a secrets manager rather than typing it into commands directly, where it would be recorded in your shell history.

  2. Get the Terraform template to deploy the necessary resources in your GCP project by calling the GET /api/cloudaccounts/gcp/templates endpoint. The endpoint can be accessed through the following curl command:

    curl -X GET https://cloudaccounts.{region}.cloudone.trendmicro.com/api/cloudaccounts/gcp/templates \
        -H 'Authorization: ApiKey <your_api_key>' \
        -H 'Api-Version: v1'
    • {region} is your Cloud One Region
    • <your_api_key> is your Cloud One API key

    You will get a plain text response containing the raw Terraform Template.

  3. Save the response body to a file with the .tf extension (for example, by adding -o main.tf to the curl command) and keep it for the next step.

In the GCP Console

  1. From the Cloud Shell Terminal window, in the More menu (with the "traffic light" icon), click Upload to upload the Terraform template.

  2. Select the template file you just created from your local file system.

  3. Once the template has been successfully uploaded, run the following command to initialize and deploy the Terraform template:

    terraform init && terraform apply

    Terraform will initialize and display the resources it intends to create.

  4. Review the plan, then type yes and press Enter to continue the deployment.

  5. Run the following command to extract the outputs of the template to a JSON file:

    terraform output -json > cloudone_gcp_output.json
  6. From the Cloud Shell Terminal window, in the More menu (with the "traffic light" icon), click Download to download the JSON file you generated in the previous step.

  7. Once the JSON file has been successfully downloaded, navigate back to your command line interface.

In the Command Line Interface

  1. Call the POST /api/cloudaccounts/gcp endpoint to add a new Cloud Account. The endpoint can be accessed through the following curl command:

    curl -X POST https://cloudaccounts.{region}.cloudone.trendmicro.com/api/cloudaccounts/gcp \
        -H 'Authorization: ApiKey <your_api_key>' \
        -H 'Api-Version: v1' \
        -H 'Content-Type: application/json' \
        -d '{"workloadIdentityPoolID": "<your_workloadIdentityPoolID>", "oidcProviderID": "<your_oidcProviderID>", "serviceAccountID": "<your_serviceAccountID>", "projectNumber": "<your_projectNumber>", "alias": "<your_alias>", "description": "<your_description>"}'
    • {region} is your Cloud One Region
    • <your_api_key> is your Cloud One API key
    • <your_workloadIdentityPoolID> is the workloadIdentityPoolID output by the Terraform template
    • <your_oidcProviderID> is the oidcProviderID output by the Terraform template
    • <your_serviceAccountID> is the serviceAccountID output by the Terraform template
    • <your_projectNumber> is the projectNumber output by the Terraform template
    • <your_alias> is the optional alias for your GCP Cloud Account
    • <your_description> is the optional description for your GCP Cloud Account

    Note that terraform output -json wraps each output in an object with sensitive, type and value fields; pass only the value of each output, not the wrapping object. Omit alias and description from the body if you do not want to set them.
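The cloudone_gcp_output.json file written by terraform output -json (step 5 in the GCP Console section above) wraps each output in a sensitive/type/value object, so the values have to be unwrapped before they go into the POST body. The following added example, not part of the original page or of Trend Micro's tooling, reads that file, checks that all four required outputs are present, builds the request body shown in the curl command and sends it with the Python standard library. The environment variable names CLOUDONE_REGION and CLOUDONE_API_KEY, the script name and the sample output values are assumptions made here.

```python
# Added example (not Trend Micro's code): turn `terraform output -json` into the
# POST /api/cloudaccounts/gcp request and send it with the standard library.
# Assumption: region and API key come from CLOUDONE_REGION and CLOUDONE_API_KEY
# (variable names chosen here, not by the page), keeping the key out of argv.
import json
import os
import sys
import urllib.request

# Output names the Cloud One Terraform template exposes (from the page).
REQUIRED_OUTPUTS = ("workloadIdentityPoolID", "oidcProviderID",
                    "serviceAccountID", "projectNumber")

# Constructed sample of what `terraform output -json > cloudone_gcp_output.json`
# produces; every identifier below is made up.
SAMPLE_TERRAFORM_OUTPUT = """{
  "workloadIdentityPoolID": {"sensitive": false, "type": "string", "value": "cloudone-pool"},
  "oidcProviderID":         {"sensitive": false, "type": "string", "value": "cloudone-oidc"},
  "serviceAccountID":       {"sensitive": false, "type": "string", "value": "109876543210987654321"},
  "projectNumber":          {"sensitive": false, "type": "string", "value": "123456789012"}
}"""


def unwrap_terraform_outputs(raw_json: str) -> dict:
    """terraform output -json wraps every output as
    {"sensitive": ..., "type": ..., "value": ...}; return plain name -> value."""
    data = json.loads(raw_json)
    if not isinstance(data, dict):
        raise ValueError("expected a JSON object from terraform output -json")
    return {name: (entry["value"] if isinstance(entry, dict) and "value" in entry else entry)
            for name, entry in data.items()}


def build_add_account_body(outputs: dict, alias: str = None, description: str = None) -> dict:
    """Build the POST body; fail early if a required output is absent or empty
    instead of letting the API reject a half-filled account."""
    missing = [k for k in REQUIRED_OUTPUTS if not outputs.get(k)]
    if missing:
        raise ValueError("terraform output is missing: " + ", ".join(missing))
    body = {k: outputs[k] for k in REQUIRED_OUTPUTS}
    if alias:
        body["alias"] = alias
    if description:
        body["description"] = description
    return body


def encode_body(body: dict) -> bytes:
    return json.dumps(body).encode("utf-8")


def build_request(region: str, api_key: str, body: dict) -> urllib.request.Request:
    """Same call as the curl command on the page: ApiKey auth header, Api-Version v1."""
    url = f"https://cloudaccounts.{region}.cloudone.trendmicro.com/api/cloudaccounts/gcp"
    return urllib.request.Request(
        url, data=encode_body(body), method="POST",
        headers={"Authorization": f"ApiKey {api_key}",
                 "Api-Version": "v1",
                 "Content-Type": "application/json"})


def add_cloud_account(region: str, api_key: str, body: dict, timeout: int = 30) -> dict:
    """Send the request and return the parsed JSON response (network call)."""
    with urllib.request.urlopen(build_request(region, api_key, body), timeout=timeout) as resp:
        return json.loads(resp.read().decode("utf-8"))


if __name__ == "__main__":
    # usage: python add_gcp_account.py [cloudone_gcp_output.json] [alias]
    path = sys.argv[1] if len(sys.argv) > 1 else "cloudone_gcp_output.json"
    with open(path, encoding="utf-8") as fh:
        outputs = unwrap_terraform_outputs(fh.read())
    body = build_add_account_body(outputs, alias=sys.argv[2] if len(sys.argv) > 2 else None)
    print(add_cloud_account(os.environ["CLOUDONE_REGION"], os.environ["CLOUDONE_API_KEY"], body))
```

The values are passed through exactly as Terraform emitted them; if your template declares projectNumber as a number rather than a string, it is sent as a number, so check the template's output types before relying on the body shape.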

Updating an existing Cloud Account

  1. Acquire a Cloud One API key if you do not already have one generated.

  2. Update a GCP Cloud Account via the POST /api/cloudaccounts/gcp/{serviceAccountID} endpoint. The endpoint can be accessed through the following curl command:

    curl -X POST https://cloudaccounts.{region}.cloudone.trendmicro.com/api/cloudaccounts/gcp/{serviceAccountID} \
        -H 'Authorization: ApiKey <your_api_key>' \
        -H 'Api-Version: v1' \
        -H 'Content-Type: application/json' \
        -d '{"alias": "<updated_alias>", "description": "<updated_description>"}'
    • {region} is your Cloud One Region
    • {serviceAccountID} is the GCP Service Account ID used to add the cloud account
    • <your_api_key> is your Cloud One API key
    • <updated_alias> is the optional updated alias for your GCP Cloud Account
    • <updated_description> is the optional updated description for your GCP Cloud Account

Listing your Cloud Accounts

  1. Acquire a Cloud One API key if you do not already have one generated.

  2. List your GCP cloud accounts using the GET /api/cloudaccounts/gcp endpoint. The endpoint can be accessed through the following curl command:

    curl -X GET https://cloudaccounts.{region}.cloudone.trendmicro.com/api/cloudaccounts/gcp \
        -H 'Authorization: ApiKey <your_api_key>' \
        -H 'Api-Version: v1'
    • {region} is your Cloud One Region
    • <your_api_key> is your Cloud One API key

Removing an existing Cloud Account

  1. Acquire a Cloud One API key if you do not already have one generated.

  2. Remove a Cloud Account via the DELETE /api/cloudaccounts/gcp/{serviceAccountID} endpoint. The endpoint can be accessed through the following curl command:

    curl -X DELETE https://cloudaccounts.{region}.cloudone.trendmicro.com/api/cloudaccounts/gcp/{serviceAccountID} \
        -H 'Authorization: ApiKey <your_api_key>' \
        -H 'Api-Version: v1'
    • {region} is your Cloud One Region
    • {serviceAccountID} is the GCP Service Account ID used to add the cloud account
    • <your_api_key> is your Cloud One API key