Table of contents
Topics on this page

Deploy scanner and storage stacks on GCP

Follow the procedure below to deploy a scanner and a storage stack into your GCP account.

  1. In the File Storage Security console, select the Stack Management page, go to Stack Management > GCP (Terraform), then select Deploy.

  2. To deploy the stacks, select Scanner Stack and Storage Stack.
    The Deploy Scanner Stack and Storage Stack dialog box opens.

    There is also the option to add a scanner stack by itself.

  3. Make sure you're signed in to your GCP account.

    The GCP account must be connected in the Cloud One Cloud Provider Account list first. See Connect GCP account to Trend Micro Cloud One.

  4. Retrieve your Service Account:

    1. Type in the GCP project ID.

    2. Click Get.

      Paste this information in the managementServiceAccountProjectID and managementServiceAccountID variables of the Terraform deployment when you launch the stack.

  5. Configure and run the Terraform deployment:

    1. Click Launch Stack to launch the Terraform deployment in the GCP Cloud Shell.

    2. Click the Trust Repo check box to select it.

    3. Set up your project:

      1. Under Project setup, select the project from the drop-down list.
      2. Execute the script in Cloud Shell.
        If you do not have a project ID, you need to create one:
        1. Under Project setup, click create a new one.
        2. Create the project.
        3. Under Project setup, select the project from the drop-down list.
        4. Execute the script in Cloud Shell.

    4. Enable permissions for deployment:

      You need to apply the settings and create the custom roles in the project before File Storage Security stack deployment. You only need to apply once on a GCP project for File Storage Security stack deployment:

      1. Apply the GCP configuration deployment:

        • Enable all the needed APIs and create the required custom roles by Terraform.

        • Specify the projectID in terraform.tfvars.json under gcp-configuration folder.

        • Specify the customRolePrefix in terraform.tfvars.json if the prefix of the roles is needed.

        • Apply the Terraform template in the Cloud Shell

          terraform -chdir=gcp-configuration init && terraform -chdir=gcp-configuration apply

    5. Configure and deploy the stacks:

      Specify the following fields in terraform.tfvars.json under all-in-one folder and apply the Terraform template in the Cloud Shell.

      There could be multiple stacks in the JSON objects scannerStacks and storageStacks could be multiples. There is a limit of 5 scanner stacks and 20 storage stacks per Terraform deployment. Please create another workspace in Terraform to separate the deployment if the number of stacks exceeds the limit.

      Terraform Input Variables:

      1. projectID: Specify the project for this deployment.
      2. functionAutoUpdate: Enable or disable automatic remote code update. The default value is true. Allow values: true, false.
      3. customRolePrefix: Specify the prefix of the custom roles if needed.

      Scanner stack:

      1. <SCANNER_STACK_NAME>: Specify the name of the scanner stack. The name, as a resource prefix, must be less than 17 characters. Replace the key with the scanner stack name.
      2. region: Specify the region for the scanner stack. For the list of supported GCP regions, please see Supported GCP Regions.
      3. managementServiceAccountProjectID: Copy and paste the service account project ID from the File Storage Security console.
      4. managementServiceAccountID: Copy and paste the service account information from the File Storage Security console.

      Storage stack:

      1. <STORAGE_STACK_NAME>: Specify the name of the storage stack. The name, as a resource prefix, must be less than 17 characters. Replace the key with the storage stack name.
      2. scanner: Specify the name of the scanner stack.
      3. scanningBucketName: Specify the existing bucket name that you wish to protect.
      4. region: Specify the region of the storage stack. For the list of supported GCP regions, please see Supported GCP Regions.
      5. managementServiceAccountProjectID: Copy and paste the service account project ID from the File Storage Security console.
      6. managementServiceAccountID: Copy and paste the service account information from the File Storage Security console.
      7. reportObjectKey: Select true to report the object keys of the scanned objects to File Storage Security backend services. File Storage Security can then display the object keys of the malicious objects in the response of events API. Allows values true, false.
      8. objectFilterPrefix: Enter the prefix of the objects you want to scan from the bucket. Enter '' to scan without filters.

      scannerProjectID, scannerTopic, scannerServiceAccountID should be null in All-in-One deployment. disableScanningBucketIAMBinding is required by converting from the GCP Deployment Manager's deployment, if it's a new deployment should be false.

    6. Initialize and deploy in the Cloud Shell

      terraform -chdir=all-in-one init && terraform -chdir=all-in-one apply

    Please save terraform.tfstate and terraform.tfvars.json for managing the deployment (You will need them for updating and deleting stacks). We recommend that you use remote configuration to keep your tfstate somewhere safe.

  6. Configure output in the File Storage Security console:

    To complete the deployment process, once the stacks are deployed, configure the management role:

    1. Copy the output content of all_in_one_outputs from the Cloud Shell output of Terraform.
    2. Paste the content into the File Storage Security console.

    You can get Terraform output by the command: terraform output

  7. Click Submit.