Create stacks in GCP

Create a Cloud Account for GCP

Follow the steps to create a Cloud Account for GCP.

After you create the Cloud Account, retrieve the serviceAccountEmail by calling the Describe GCP project API.

Prerequisites

  1. Install the gcloud CLI.

  2. Install Terraform.

  3. Set up an environment to run shell scripts.

Using Terraform with the gcloud CLI

Create an all-in-one stack by using Terraform

  1. Log into gcloud:

    gcloud auth application-default login

  2. Set up the gcloud project:

    gcloud config set project PROJECT-ID

    where PROJECT-ID is the ID of the GCP project where you are deploying the stack.

  3. Download the templates:

    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates-terraform.zip && unzip gcp-templates-terraform.zip

  4. Configure the GCP project by using the Terraform deployment:

    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./gcp-configuration/terraform.tfvars.json

    terraform -chdir=gcp-configuration init && terraform -chdir=gcp-configuration apply

    where...

    • projectID must be replaced with the ID of your GCP project.

  5. Create the all-in-one stack in GCP with the following commands:

    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./all-in-one/terraform.tfvars.json

    sed -i "s/<SCANNER_STACK_NAME>/<scannerStackName>/g" ./all-in-one/terraform.tfvars.json

    sed -i "s/<STORAGE_STACK_NAME>/<storageStackName>/g" ./all-in-one/terraform.tfvars.json

    sed -i "s/<GCP_REGION>/<region>/g" ./all-in-one/terraform.tfvars.json

    sed -i "s/<SCANNING_BUCKET_NAME>/<scanningBucketName>/g" ./all-in-one/terraform.tfvars.json

    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_GCP_PROJECT_ID>/<managementServiceAccountProjectID>/g" ./all-in-one/terraform.tfvars.json

    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_ID>/<managementServiceAccountID>/g" ./all-in-one/terraform.tfvars.json

    terraform -chdir=all-in-one init && terraform -chdir=all-in-one apply

    where...

    • projectID must be replaced with the ID of your GCP project.
    • scanningBucketName must be replaced with the name of your Cloud Storage bucket, as it appears in Cloud Storage. You can only specify one bucket. Example: my-bucket-to-scan-01
    • scannerStackName must be replaced with the prefix of the stack name. The prefix must be less than 17 characters. Example: FSS-AIO-SCANNER
    • storageStackName must be replaced with the prefix of the stack name. The prefix must be less than 17 characters. Example: FSS-AIO-STORAGE
    • region must be replaced with the region of your bucket. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • managementServiceAccountProjectID must be replaced with the GCP project ID of your management service account, which is the part of the serviceAccountEmail retrieved in the previous step between @ and .iam.gserviceaccount.com. Example: cloud-one-service-account@<managementServiceAccountProjectID>.iam.gserviceaccount.com
    • managementServiceAccountID must be replaced with the ID of your management service account, which is the part of that serviceAccountEmail before @. Example: <managementServiceAccountID>@my-gcp-project.iam.gserviceaccount.com

    When the deployment is finished, Terraform writes the stack outputs to its tfstate file; the later deployment steps read them from there.
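As an added example (not part of the File Storage Security templates or of this page), the following POSIX shell helpers perform the step 5 substitutions with the checks the bullets above imply: stack-name prefixes shorter than 17 characters, a well-formed serviceAccountEmail split into its project ID and account ID, no `/` or `&` in a value handed to sed, and no `<PLACEHOLDER>` token left in the file before `terraform apply`. The sample tfvars.json and its key names are constructed for the example; only the placeholder tokens come from the page, and the same functions serve the scanner and storage tfvars files with their own tokens.

```shell
# Added example; not part of the File Storage Security templates. It validates the
# values the page asks you to substitute, applies the same sed edits, and refuses to
# hand the file to terraform while any <PLACEHOLDER> is still unfilled.
# Constructed stand-in for ./all-in-one/terraform.tfvars.json: the page shows only
# the placeholder tokens, so the JSON key names here are assumed.
write_sample_tfvars() {
  cat > "$1" <<'EOF'
{
  "project_id": "<GCP_PROJECT_ID>",
  "scanner_stack_name": "<SCANNER_STACK_NAME>",
  "storage_stack_name": "<STORAGE_STACK_NAME>",
  "region": "<GCP_REGION>",
  "scanning_bucket_name": "<SCANNING_BUCKET_NAME>",
  "management_service_account_project_id": "<MANAGEMENT_SERVICE_ACCOUNT_GCP_PROJECT_ID>",
  "management_service_account_id": "<MANAGEMENT_SERVICE_ACCOUNT_ID>"
}
EOF
}

# A stack-name prefix must be non-empty and shorter than 17 characters.
check_prefix() { [ -n "$1" ] && [ "${#1}" -lt 17 ]; }
# Split serviceAccountEmail (ID@PROJECT.iam.gserviceaccount.com) into "PROJECT ID".
sa_parts() {
  case "$1" in *@*.iam.gserviceaccount.com) ;; *) return 1 ;; esac
  _p=${1#*@}
  printf '%s %s\n' "${_p%.iam.gserviceaccount.com}" "${1%%@*}"
}

# The page's sed edit; '/' or '&' in a value is refused because sed would treat it as syntax.
fill_placeholder() {
  case "$3" in */*|*'&'*) echo "unsafe value for $2: $3" >&2; return 1 ;; esac
  sed -i.bak "s/<$2>/$3/g" "$1"
}
# True only when no <UPPER_CASE> token remains, so a forgotten sed line cannot reach 'terraform apply'.
no_placeholders_left() { ! grep -Eq '<[A-Z_]+>' "$1"; }

# Fill every all-in-one placeholder: FILE PROJECT SCANNER STORAGE REGION BUCKET SA_EMAIL
fill_all_in_one() {
  check_prefix "$3" && check_prefix "$4" || return 1
  sa=$(sa_parts "$7") || return 1
  fill_placeholder "$1" GCP_PROJECT_ID "$2" &&
  fill_placeholder "$1" SCANNER_STACK_NAME "$3" &&
  fill_placeholder "$1" STORAGE_STACK_NAME "$4" &&
  fill_placeholder "$1" GCP_REGION "$5" &&
  fill_placeholder "$1" SCANNING_BUCKET_NAME "$6" &&
  fill_placeholder "$1" MANAGEMENT_SERVICE_ACCOUNT_GCP_PROJECT_ID "${sa% *}" &&
  fill_placeholder "$1" MANAGEMENT_SERVICE_ACCOUNT_ID "${sa#* }" &&
  no_placeholders_left "$1"
}
```

Run `fill_all_in_one ./all-in-one/terraform.tfvars.json <projectID> <scannerStackName> <storageStackName> <region> <scanningBucketName> <serviceAccountEmail>` and only proceed to `terraform -chdir=all-in-one init && terraform -chdir=all-in-one apply` when it exits 0.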

Create a scanner stack by using Terraform

  1. Log into gcloud:

    gcloud auth application-default login

  2. Set up the gcloud project:

    gcloud config set project PROJECT-ID

    where PROJECT-ID is the ID of the GCP project where you are deploying the stack.

  3. Download the templates:

    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates-terraform.zip && unzip gcp-templates-terraform.zip

  4. Configure the GCP project by using the Terraform deployment:

    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./gcp-configuration/terraform.tfvars.json

    terraform -chdir=gcp-configuration init && terraform -chdir=gcp-configuration apply

    where...

    • projectID must be replaced with the ID of your GCP project.

  5. Create the scanner stack in GCP with the following commands:

    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./scanners/terraform.tfvars.json

    sed -i "s/<SCANNER_STACK_NAME>/<scannerStackName>/g" ./scanners/terraform.tfvars.json

    sed -i "s/<GCP_REGION>/<region>/g" ./scanners/terraform.tfvars.json

    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_GCP_PROJECT_ID>/<managementServiceAccountProjectID>/g" ./scanners/terraform.tfvars.json

    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_ID>/<managementServiceAccountID>/g" ./scanners/terraform.tfvars.json

    terraform -chdir=scanners init && terraform -chdir=scanners apply

    where...

    • projectID must be replaced with the ID of your GCP project.
    • scannerStackName must be replaced with the prefix of the stack name. The prefix must be less than 17 characters. Example: FSS-AIO-SCANNER
    • region must be replaced with the region of your bucket. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • managementServiceAccountProjectID must be replaced with the GCP project ID of your management service account, which is the part of the serviceAccountEmail retrieved in the previous step between @ and .iam.gserviceaccount.com. Example: cloud-one-service-account@<managementServiceAccountProjectID>.iam.gserviceaccount.com
    • managementServiceAccountID must be replaced with the ID of your management service account, which is the part of that serviceAccountEmail before @. Example: <managementServiceAccountID>@my-gcp-project.iam.gserviceaccount.com

    When the deployment is finished, Terraform writes the stack outputs to its tfstate file; the later deployment steps read them from there.

Create a storage stack by using Terraform

  1. Log into gcloud:

    gcloud auth application-default login

  2. Set up the gcloud project:

    gcloud config set project PROJECT-ID

    where PROJECT-ID is the ID of the GCP project where you are deploying the stack.

  3. Download the templates:

    wget https://file-storage-security.s3.amazonaws.com/latest/gcp-templates/gcp-templates-terraform.zip && unzip gcp-templates-terraform.zip

  4. Configure the GCP project by using the Terraform deployment:

    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./gcp-configuration/terraform.tfvars.json

    terraform -chdir=gcp-configuration init && terraform -chdir=gcp-configuration apply

    where...

    • projectID must be replaced with the ID of your GCP project.

  5. Create the storage stack in GCP with the following commands:

    sed -i.bak "s/<GCP_PROJECT_ID>/<projectID>/g" ./storages/terraform.tfvars.json

    sed -i "s/<STORAGE_STACK_NAME>/<storageStackName>/g" ./storages/terraform.tfvars.json

    sed -i "s/<GCP_REGION>/<region>/g" ./storages/terraform.tfvars.json

    sed -i "s/<SCANNING_BUCKET_NAME>/<scanningBucketName>/g" ./storages/terraform.tfvars.json

    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_GCP_PROJECT_ID>/<managementServiceAccountProjectID>/g" ./storages/terraform.tfvars.json

    sed -i "s/<MANAGEMENT_SERVICE_ACCOUNT_ID>/<managementServiceAccountID>/g" ./storages/terraform.tfvars.json

    sed -i "s/<SCANNER_STACK_PROJECT_ID>/<scannerProjectID>/g" ./storages/terraform.tfvars.json

    sed -i "s/<SCANNER_STACK_PUBSUB_TOPIC_NAME>/<scannerTopic>/g" ./storages/terraform.tfvars.json

    sed -i "s/<SCANNER_STACK_SERVICE_ACCOUNT_ID>/<scannerServiceAccountID>/g" ./storages/terraform.tfvars.json

    terraform -chdir=storages init && terraform -chdir=storages apply

    where...

    • projectID must be replaced with the ID of your GCP project.
    • scanningBucketName must be replaced with the name of your Cloud Storage bucket, as it appears in Cloud Storage. You can only specify one bucket. Example: my-bucket-to-scan-01
    • storageStackName must be replaced with the prefix of the stack name. The prefix must be less than 17 characters. Example: FSS-AIO-STORAGE
    • region must be replaced with the region of your bucket. For the list of supported GCP regions, please see Supported GCP Regions. Example: us-central1
    • managementServiceAccountProjectID must be replaced with the GCP project ID of your management service account, which is the part of the serviceAccountEmail retrieved in the previous step between @ and .iam.gserviceaccount.com. Example: cloud-one-service-account@<managementServiceAccountProjectID>.iam.gserviceaccount.com
    • managementServiceAccountID must be replaced with the ID of your management service account, which is the part of that serviceAccountEmail before @. Example: <managementServiceAccountID>@my-gcp-project.iam.gserviceaccount.com
    • scannerProjectID must be replaced with the ID of your scanner's GCP project from the scanner_informations output of the scanner's Terraform deployment.
    • scannerTopic must be replaced with the name of your scanner's Pub/Sub topic from the scanner_informations output of the scanner's Terraform deployment.
    • scannerServiceAccountID must be replaced with the ID of your scanner's service account from the scanner_informations output of the scanner's Terraform deployment.

    When the deployment is finished, Terraform writes the stack outputs to its tfstate file; the later deployment steps read them from there.