Protect Service Installation
Preparation
Ensure that all the steps in pre-configuration are performed.
Log in to the Google Cloud account where Protegrity will be installed.
Select the project.
Ensure that you have access to a shell on your computer or to Cloud Shell, with Terraform CLI v0.14 or higher installed.
Ensure that the Terraform scripts provided by Protegrity are available on your local computer.
Install Protect Function via Terraform Scripts
Resources created by the Terraform scripts include the Protect Cloud Functions service and other required resources, depending on the Terraform parameters. If you don't specify the deployment bucket Terraform parameter, a new storage bucket will also be created. You can optionally choose to create a new service account with a custom IAM role.
To install using Terraform:
From the command shell, move to the directory where you downloaded the Protegrity installation bundle.
Unzip the bundle. Verify that the following files are available:
- pty-protect-gcp/
- main.tf
- outputs.tf
- protegrity-cloud-api-gcp-{version}.zip
- README.md
Unzip the protegrity-cloud-protect-gcp-{version}.zip file. Verify that the following files are available:
- pty-protect-gcp/
- main.tf
- outputs.tf
- protegrity-cloud-protect-gcp-{version}.zip
- README.md
Open the main.tf file and update the Terraform backend information at the top of the file (bucket is the name of the bucket that will hold the Terraform state):
terraform {
  backend "gcs" {
    bucket = ""
    prefix = "protegrity/terraform/pty-protect-gcp/state"
  }
}
In the same main.tf file, specify the following Terraform variables. All the values were recorded in the Google Cloud project during pre-configuration.
Warning
Google Cloud Function 2nd Generation currently does not support CMEK.
Parameter: Description
- project_id: The project id recorded in the pre-configuration step.
- region: The Region recorded in the pre-configuration step.
- deployment_id: Specify a short name to identify the deployment. This id will be added to all resources deployed with Terraform.
- deployment_bucket: Use the Deployment Bucket Name recorded in pre-configuration, or leave empty to create a new bucket.
- deployment_bucket_location: Geographical location of the deployment bucket, e.g., US, EU, ASIA.
- deployment_file_directory_path: Path to the directory where the deployment zip file is located. By default the deployment file should be in the same directory as this main.tf file.
- create_service_account: Leave this as false if you created the service account in pre-configuration. Otherwise set to true.
- protect_function_service_account_email: Use the Protect Function Service account recorded in pre-configuration, or leave empty.
- min_log_level: Minimum log level for the log forwarder function. One of off|severe|warning|info|config|all. Defaults to 'severe'.
- pty_log_output: Audit log output. Accepted values: "" (empty string), "pub_sub". Note: When set to "pub_sub", audit logs will be aggregated and sent to a Pub/Sub topic. See the Log Forwarder installation section for more details.
- audit_log_flush_interval: Time interval in seconds used to accumulate audit logs before sending them to the Pub/Sub topic. Default value: 30, Min value: 1, Max value: 900.
- pty_pub_sub_topic: Pub/Sub topic where audit logs will be sent.
- username_regex: If username_regex is set, the effective policy user will be extracted from the user in the request. Note: See gcp_username_regex_appendix to learn how to extract the username from the request.
- max_instance_count: GCP Cloud Functions advanced configuration.
- available_memory_mb: GCP Cloud Functions advanced configuration.
- timeout_seconds: GCP Cloud Functions advanced configuration.
- gen2_available_cpu: 2nd Gen Cloud Function advanced configuration.
- gen2_container_concurrency: 2nd Gen Cloud Function advanced configuration.
- upgrade_step: Set this variable when upgrading to the latest version.
- labels: You can set this map to include labels for deployed resources. Pay attention to GCP label requirements; for more information, refer to Labeling Resources. For example, only use lowercase and a maximum length of 63 characters.
From the local command line or Cloud Shell, change directory to the location of the main.tf, for example:
protegrity-gcp-bigquery-{version}/pty-protect-gcp/
Run the following command. Terraform will download the necessary providers.
terraform init
Run the following command to verify the configuration and print out the deployment plan.
terraform plan
Run the following command to deploy the resources to your account.
terraform apply
Once deployment is complete, Terraform will print the output variables.
Record the following values:
- protect_function_name: ________________________________
- protect_function_url: __________________________
- api_gateway_managed_service: _____________________________
- api_gateway_protect_service_url: ____________________
- protect_function_resource_name: _______________________
Test Protect Function Installation
Before continuing with the next steps, you can verify whether the Cloud Function is installed correctly. This step is optional and can be skipped.
Below you can find an example Linux curl command to test your function.
Before you can execute it, you need to obtain a temporary authentication token. Run the following commands:
gcloud auth login
gcloud auth print-identity-token
The logged-in gcloud user must have the Cloud Run Invoker role (roles/run.invoker). Record the output of the print-identity-token command.
gcloud_auth_token: _________________
Replace {protect_function_url} with the value recorded in the previous step.
Replace {gcloud_auth_token} with the value recorded in the step above.
Run the following curl command to test the Function deployment.
curl -X POST "{protect_function_url}" \
  -H 'Authorization: Bearer {gcloud_auth_token}' \
  -d '{
    "caller": "bigquery.googleapis.com/projects/my-project-id/jobs/123456",
    "requestId": "124ab1c",
    "sessionUser": "test-user@test-company.com",
    "userDefinedContext": { "data_element": "alpha", "op_type": "unprotect" },
    "calls": [ [ "UtfVk UHgcD!" ] ]
  }'
Verify the following output:
{"replies":["hello world!"]}
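As an added smoke test that is not part of the Protegrity bundle, this Python script sends the same BigQuery remote-function request as the curl command above and checks the shape of the reply before comparing it with the expected plaintext. It assumes the environment variables PROTECT_FUNCTION_URL and GCLOUD_AUTH_TOKEN hold the values recorded earlier; the caller, sessionUser and request id are the page's sample values, and the errorMessage check follows the general BigQuery remote-function response contract rather than anything Protegrity-specific.

```python
"""Smoke test for a deployed Protect Cloud Function (added example, not Protegrity code)."""
import json
import os
import urllib.request

# Sample caller string from the page's curl example (constructed, not a real job).
SAMPLE_CALLER = "bigquery.googleapis.com/projects/my-project-id/jobs/123456"


def build_request(values, data_element="alpha", op_type="unprotect",
                  session_user="test-user@test-company.com", request_id="124ab1c"):
    """Build one BigQuery remote-function request; each value becomes one row in `calls`."""
    return {
        "caller": SAMPLE_CALLER,
        "requestId": request_id,
        "sessionUser": session_user,
        "userDefinedContext": {"data_element": data_element, "op_type": op_type},
        "calls": [[v] for v in values],
    }


def parse_reply(body, expected_rows):
    """Validate a reply body and return the replies list, or raise on a contract violation."""
    data = json.loads(body)
    # Error form of the remote-function contract (assumed from BigQuery docs, not this page).
    if "errorMessage" in data:
        raise RuntimeError(f"function returned error: {data['errorMessage']}")
    replies = data.get("replies")
    # The function must answer exactly one reply per row it was sent.
    if not isinstance(replies, list) or len(replies) != expected_rows:
        raise ValueError(f"expected {expected_rows} replies, got {replies!r}")
    return replies


def call_protect_function(url, token, request):
    """POST the request with a gcloud identity token; only meaningful against a live deployment."""
    req = urllib.request.Request(
        url, data=json.dumps(request).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_reply(resp.read().decode(), len(request["calls"]))


if __name__ == "__main__":
    url = os.environ["PROTECT_FUNCTION_URL"]       # protect_function_url recorded above
    token = os.environ["GCLOUD_AUTH_TOKEN"]        # output of gcloud auth print-identity-token
    replies = call_protect_function(url, token, build_request(["UtfVk UHgcD!"]))
    assert replies == ["hello world!"], replies    # expected output from the page
    print("protect function OK:", replies)
```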