Add GCP stacks

After deploying File Storage Security, you might want to add more stacks.

How many stacks should I add?

Storage stacks

You'll need one storage stack per Protecting bucket.

There is no limit to the number of storage stacks you can add, but keep in mind that costs will go up as the number of stacks increases. If you have a lot of files to scan that are spread across many storage accounts, consider deploying just one storage stack, and transferring files into its associated storage account to scan and then back out after scanning. We provide a sample Google Cloud Function that automates some of this work. See Post-Scan Action: Promote or Quarantine on GitHub for details.

The number of storage stacks you deploy will not affect performance, so deploy as many or as few as you want.

Scanner stacks

Typically, you'll only need one scanner stack for your entire deployment regardless of size. This is because the scanner stack auto-scales to handle increases in load. (For details on performance, see How long do scans take?)

Where can I add stacks?

Unless otherwise noted, you can add stacks anywhere in GCP in separate GCP regions.

Add a scanner stack

Although you can deploy a scanner stack separately, we recommend that you deploy a scanner stack in conjunction with a storage stack. For information on deploying a scanner and storage stack, see Deploy scanner and storage stacks on GCP.

Add the scanner stack following the instructions below.

  1. In the File Storage Security console, select the Stack Management page, select GCP, then select Deploy.

  2. To deploy the stacks, select Scanner Stack.
    The Deploy Scanner Stack dialog box opens.

  3. Make sure you're signed in to your GCP account.

    The GCP account must be connected in the Cloud One Cloud Provider Account list first. See Connect GCP account to Trend Micro Cloud One.

  4. Retrieve your Service Account:

    1. Type in the GCP project ID.
    2. Click Get.

    Paste this information in the <SERVICE_ACCOUNT> parameter of the deployment script when you launch the stack.

  5. Configure and run the deployment script:

    1. Click Launch Stack to launch the deployment script in the GCP Cloud Shell.

    2. Click the Trust Repo check box.

    3. Set up your project:

      1. Under Project setup, select the project from the drop-down list.
      2. Execute the script in Cloud Shell.
        If you do not have a project ID, you need to create one:
        1. Under Project setup, click create a new one.
        2. Create the project.
        3. Under Project setup, select the project from the drop-down list.
        4. Execute the script in Cloud Shell.
    4. Specify the following fields:

      • Deployment name: Specify the name of this deployment. Use a maximum of 22 characters.
      • Region: Specify the region of your bucket. For the list of supported GCP regions, see Supported GCP Regions.
      • Cloud One region: Specify the region ID of your Trend Micro Cloud One account. For the list of supported Cloud One regions, see supported Cloud One regions.
      • Service account: Paste the retrieved service account information from the File Storage Security console.
      • Function auto update: Enables or disables automatic remote code update. The default value is 'True'. Allowed values: 'True', 'False'.
    5. Execute the deployment script in the Cloud Shell:

      ./deployment-script-scanner.sh -d <DEPLOYMENT_NAME> -r <REGION> -c <CLOUD_ONE_REGION> -m <SERVICE_ACCOUNT> -f <FUNCTION_AUTO_UPDATE>

  6. To complete the deployment process, follow the steps to configure the management role:

    1. Copy the contents of <DEPLOYMENT_NAME>-scanner.json from the Cloud Shell script output.
    2. Paste the contents back to the File Storage Security console in the Scanner stack - configure JSON text box.
  7. Click Submit.

Add a storage stack

You can add additional storage stacks to a scanner stack. You cannot add storage stacks that are not associated with a scanner stack.

Add the storage stack following the instructions below.

  1. In the File Storage Security console, select the Stack Management page, select GCP, then select Deploy.

  2. Select the scanner stack that you want to use.

  3. Select Add Storage.
    The Add Storage Stack dialog box opens.

  4. Make sure you're signed in to your GCP account.

  5. Retrieve your Service Account:

    1. Type in the GCP project ID.
    2. Click Get.

    Paste this information in the <SERVICE_ACCOUNT> parameter of the deployment script when you launch the stack.

  6. Click Copy to copy the scanner stack information.

    Paste this information in the <SCANNER_INFORMATION> parameter of the deployment script when you launch the stack.

  7. Configure and run the deployment script:

    1. Click Launch Stack to launch the deployment script in the GCP Cloud Shell.

    2. Click the Trust repo checkbox to select it.

    3. Set up your project:

      1. Under Project setup, select the project from the drop-down list.
      2. Execute the script in Cloud Shell.
        If you do not have a project ID, you need to create one:
        1. Under Project setup, click create a new one.
        2. Create the project.
        3. Under Project setup, select the project from the drop-down list.
        4. Execute the script in Cloud Shell.
    4. Specify the following fields:

      • Scanning bucket name: Specify the existing bucket name that you wish to protect.
      • Deployment name: Specify the prefix of this deployment. Use a maximum of 22 characters.
      • Region: Specify the region of your bucket. For the list of supported GCP regions, see Supported GCP Regions.
      • Scanner information: Paste the scanner information copied from the File Storage Security console.
      • Service account: Paste the service account information from the File Storage Security console.
      • Function auto update: Enables or disables automatic remote code update. The default value is 'True'. Allowed values: 'True', 'False'.
    5. Execute the deployment script in the Cloud Shell:

      ./deployment-script-storage.sh -s <SCANNING_BUCKET_NAME> -d <DEPLOYMENT_NAME> -r <REGION> -i <SCANNER_INFORMATION> -m <SERVICE_ACCOUNT> -f <FUNCTION_AUTO_UPDATE>

  8. To complete the deployment process, follow the steps to configure the management role:

    1. Copy the contents of <DEPLOYMENT_NAME>.json from the Cloud Shell script output.

    2. Paste the contents back to the File Storage Security console in the Storage Stack - configure JSON text box.

  9. Click Submit.

To determine the status of your deployment, go to Deployment Manager and search for:

  • <DEPLOYMENT_NAME>
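
The following pre-flight wrapper is an added example, not part of File Storage Security or its deployment scripts. It checks the arguments for both the scanner and storage deployment scripts against the constraints stated on this page before anything is created in the project. The helper names fss_preflight and fss_deploy are hypothetical. It assumes the 'True'/'False' spelling must match exactly, and it requires -f on every run so that the remote code update setting is an explicit choice rather than the default.

```sh
# Added example: pre-flight checks for the two deployment scripts above.
# Only flags and limits stated on this page are checked (names hypothetical).

# fss_preflight scanner|storage <flags as documented>; returns 0 if valid.
fss_preflight() {
  kind=$1; shift
  case $kind in
    scanner) required="d r c m f" ;;    # deployment-script-scanner.sh
    storage) required="s d r i m f" ;;  # deployment-script-storage.sh
    *) echo "unknown stack type: $kind" >&2; return 1 ;;
  esac
  v_s='' v_d='' v_r='' v_c='' v_i='' v_m='' v_f=''
  while [ $# -gt 0 ]; do
    case $1 in
      -[sdrcimf]) flag=${1#-} ;;
      *) echo "unexpected argument: $1" >&2; return 1 ;;
    esac
    case " $required " in
      *" $flag "*) ;;
      *) echo "-$flag is not a $kind stack option" >&2; return 1 ;;
    esac
    [ $# -ge 2 ] || { echo "missing value for -$flag" >&2; return 1; }
    eval "v_$flag=\$2"   # safe: $flag is one letter from the list above
    shift 2
  done
  rc=0
  for flag in $required; do
    eval "value=\$v_$flag"
    [ -n "$value" ] || { echo "missing or empty -$flag" >&2; rc=1; }
  done
  # Deployment name: the page allows a maximum of 22 characters.
  if [ "${#v_d}" -gt 22 ]; then
    echo "deployment name is ${#v_d} characters; maximum is 22" >&2; rc=1
  fi
  # Function auto update: assumed to need the exact spelling True or False.
  case $v_f in
    True|False|'') ;;   # an empty value was already reported above
    *) echo "-f must be True or False, got: $v_f" >&2; rc=1 ;;
  esac
  return $rc
}

# Run the documented script only when the checks pass. "$@" keeps each pasted
# value (service account, scanner information) as one argument.
# Usage: fss_deploy scanner -d <DEPLOYMENT_NAME> -r <REGION> ... -f False
fss_deploy() {
  fss_preflight "$@" || return 1
  kind=$1; shift
  "./deployment-script-$kind.sh" "$@"
}
```

Source the file in Cloud Shell from the directory that contains the deployment scripts, then call fss_deploy with the same flags you would pass to the script.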