Create stacks in GCP

Create a Cloud Account for GCP

Follow the steps to create a Cloud Account for GCP.

After you create the Cloud Account, retrieve the serviceAccountEmail by calling the Describe GCP project API.

Prerequisites

  1. Install the gcloud CLI.

  2. Set up an environment to run bash shell scripts.

Using gcloud CLI

Create an all-in-one stack using gcloud CLI

  1. Set up the gcloud project:

    gcloud config set project PROJECT-ID

    where "PROJECT-ID" is the ID of the GCP project in which you deploy the stack.

  2. Download the templates:

    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates.zip && unzip gcp-templates.zip "templates/*.sh"

  3. Create the all-in-one stack in GCP with the following commands:

    cd templates && ./deployment-script.sh \
      -s SCANNING_BUCKET_NAME \
      -d DEPLOYMENT_NAME_PREFIX \
      -r REGION \
      -c CLOUD_ONE_REGION \
      -m SERVICE_ACCOUNT

    where...

    • SCANNING_BUCKET_NAME must be replaced with the name of your Cloud Storage bucket, as it appears in Cloud Storage. You can only specify one bucket. Example: my-bucket-to-scan-01
    • DEPLOYMENT_NAME_PREFIX must be replaced with the prefix of the stack name. The prefix must be less than 22 characters. Example: FSS-All-In-One
    • REGION must be replaced with the region of your bucket. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • CLOUD_ONE_REGION must be replaced with the region ID of your Trend Micro Cloud One account. For the list of supported Cloud One regions, see supported Cloud One regions. Example: us-1
    • SERVICE_ACCOUNT must be replaced with the serviceAccountEmail retrieved in the previous step. Example: cloud-one-service-account@my-gcp-project.iam.gserviceaccount.com
  4. When the creation finishes, the script generates the following file, which the later deployment steps use:

    • DEPLOYMENT_NAME_PREFIX-scanner-info.json

Create a scanner stack using gcloud CLI

  1. Set up the gcloud project:

    gcloud config set project PROJECT-ID

    where "PROJECT-ID" is the ID of the GCP project in which you deploy the stack.

  2. Download the templates with the following command:

    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates.zip && unzip gcp-templates.zip "templates/*.sh"

  3. Create the scanner stack in GCP with the following commands:

    cd templates && ./deployment-script-scanner.sh \
      -s SCANNING_BUCKET_NAME \
      -d DEPLOYMENT_NAME \
      -r REGION \
      -c CLOUD_ONE_REGION \
      -m SERVICE_ACCOUNT

    where...

    • SCANNING_BUCKET_NAME must be replaced with the name of your Cloud Storage bucket, as it appears in Cloud Storage. You can only specify one bucket. Example: my-bucket-to-scan-01
    • DEPLOYMENT_NAME must be replaced with the stack name. The name must be less than 22 characters. Example: FSS-Scanner-Stack
    • REGION must be replaced with the region of the stack. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • CLOUD_ONE_REGION must be replaced with the region ID of your Trend Micro Cloud One account. For the list of supported Cloud One regions, see supported Cloud One regions. Example: us-1
    • SERVICE_ACCOUNT must be replaced with the serviceAccountEmail retrieved in the previous step. Example: cloud-one-service-account@my-gcp-project.iam.gserviceaccount.com
  4. When the creation completes, the script generates the following file, which the later deployment steps use:

    • DEPLOYMENT_NAME-info.json

Create a storage stack using gcloud CLI

  1. Set up the gcloud project:

    gcloud config set project PROJECT-ID

    where "PROJECT-ID" is the ID of the GCP project in which you deploy the stack.

  2. Download the templates with the following command:

    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates.zip && unzip gcp-templates.zip "templates/*.sh"

  3. Prepare the scanner stack info JSON:

    You can find the scanner stack information JSON in any of the following ways:

    • From the content of the output file of the scanner stack deployment script:

    echo "'$(cat SCANNER_DEPLOYMENT_NAME-info.json)'"

    • From the output of the Describe Stack API, if the scanner stack has already been added to File Storage Security, by building the string yourself:

    '{"SCANNER_TOPIC": "API_OUTPUT_SCANNER_TOPIC","SCANNER_PROJECT_ID": "API_OUTPUT_SCANNER_PROJECT_ID","SCANNER_SERVICE_ACCOUNT_ID": "API_OUTPUT_SCANNER_SERVICE_ACCOUNT_ID"}'

    where...

    • API_OUTPUT_SCANNER_TOPIC is the value of scannerTopic in the API output.
    • API_OUTPUT_SCANNER_PROJECT_ID is the value of projectID in the API output.
    • API_OUTPUT_SCANNER_SERVICE_ACCOUNT_ID is the value of scannerServiceAccountID in the API output.
  4. Create the storage stack in GCP with the following command:

    cd templates && ./deployment-script-scanner.sh \
      -s SCANNING_BUCKET_NAME \
      -d DEPLOYMENT_NAME \
      -r REGION \
      -i SCANNER_INFORMATION_JSON \
      -m SERVICE_ACCOUNT

    where...

    • SCANNING_BUCKET_NAME must be replaced with the name of your Cloud Storage bucket, as it appears in Cloud Storage. You can only specify one bucket. Example: my-bucket-to-scan-01
    • DEPLOYMENT_NAME must be replaced with the stack name. The name must be less than 22 characters. Example: FSS-Storage-Stack
    • REGION must be replaced with the region of your bucket. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • SCANNER_INFORMATION_JSON must be replaced with the scanner stack information JSON string retrieved in step 3.
    • SERVICE_ACCOUNT must be replaced with the serviceAccountEmail retrieved in the previous step. Example: cloud-one-service-account@my-gcp-project.iam.gserviceaccount.com
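The following bash functions are an added pre-flight check for the three procedures above; they are not part of the Trend Micro gcp-templates. They validate the bucket name, the under-22-character stack name or prefix and the serviceAccountEmail before a script is run, and assemble the SCANNER_INFORMATION_JSON string for the storage stack from the three Describe Stack values; the region IDs are assumed to be checked against the linked region lists and are not validated here.

```shell
# Added pre-flight helpers, not part of the Trend Micro gcp-templates.
# They reject bad arguments before a stack is created, so a typo fails here
# rather than part-way through a deployment. Region IDs are not checked.
set -euo pipefail

# Cloud Storage bucket names: 3-63 chars of lowercase letters, digits,
# dashes, dots and underscores, starting and ending with a letter or digit.
fss_valid_bucket() {
  local name=$1
  [ ${#name} -ge 3 ] && [ ${#name} -le 63 ] || return 1
  case "$name" in
    *[!a-z0-9._-]*) return 1 ;;
    [a-z0-9]*[a-z0-9]) return 0 ;;
    *) return 1 ;;
  esac
}

# Stack name (-d) or name prefix: the scripts require fewer than 22 characters.
fss_valid_name() {
  [ -n "$1" ] && [ ${#1} -lt 22 ]
}

# -m must be the serviceAccountEmail returned by Describe GCP project,
# i.e. an address of the form <name>@<project>.iam.gserviceaccount.com.
fss_valid_service_account() {
  case "$1" in
    ?*@?*.iam.gserviceaccount.com) return 0 ;;
    *) return 1 ;;
  esac
}

# Builds the SCANNER_INFORMATION_JSON (-i) for the storage stack from the
# scannerTopic, projectID and scannerServiceAccountID values of Describe Stack;
# refuses empty values so the storage stack never points at a half-specified scanner.
fss_scanner_info_json() {
  [ -n "$1" ] && [ -n "$2" ] && [ -n "$3" ] || return 1
  printf '{"SCANNER_TOPIC": "%s","SCANNER_PROJECT_ID": "%s","SCANNER_SERVICE_ACCOUNT_ID": "%s"}' \
    "$1" "$2" "$3"
}

# Validates the all-in-one arguments and prints the command that would be run.
fss_all_in_one_cmd() {
  local bucket=$1 prefix=$2 region=$3 c1_region=$4 sa=$5
  fss_valid_bucket "$bucket" || { echo "invalid bucket name: $bucket" >&2; return 1; }
  fss_valid_name "$prefix" || { echo "prefix must be under 22 chars: $prefix" >&2; return 1; }
  fss_valid_service_account "$sa" || { echo "invalid service account: $sa" >&2; return 1; }
  printf './deployment-script.sh -s %s -d %s -r %s -c %s -m %s\n' \
    "$bucket" "$prefix" "$region" "$c1_region" "$sa"
}
```

Source the file and run `fss_all_in_one_cmd` with your five values; it prints the command only when every check passes, and the same helpers cover the `-d`, `-m` and `-i` arguments of the scanner and storage scripts.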