Install Policy Agent Function through Terraform Scripts

The Agent Terraform scripts provided by Protegrity create a Cloud Function in your Google account. If you do not set the deployment_bucket Terraform parameter, a new storage bucket is also created. You can also create the following optional resources by specifying the corresponding parameters:

  • Service account with IAM role
  • VPC with NAT external IP
  • VPC access connector

To install Policy Agent Function through Terraform:

  1. From a command shell, change to the directory where you downloaded the Protegrity installation bundle.

  2. Unzip the bundle, then unzip protegrity-agent-gcp-{version}.zip. Verify that the following files are available:

    • pty-agent-gcp/
    • main.tf
    • outputs.tf
    • README.md
  3. Open the main.tf file and update the Terraform backend information at the top of the file:

    
    terraform {
      backend "gcs" {
        bucket  = ""
        prefix  = "protegrity/terraform/pty-protect-gcp/state"
      }
    }
    
  4. Set the bucket property to the Terraform Backend Bucket Name recorded in the Google Cloud Storage section.

  5. Set the prefix property to a value unique to your deployment.

  6. In the same main.tf file, specify the following Terraform variables.

    project_id
      The Project ID recorded in the pre-configuration step.
    region
      The Region recorded in the pre-configuration step, for example, us-central1.
    deployment_id
      A short name that identifies the deployment. This id is added to all resources deployed with Terraform.
    deployment_bucket
      The Deployment Bucket Name recorded in pre-configuration, or leave empty to create a new bucket.
    deployment_bucket_location
      Geographical location of the deployment bucket, e.g., US, EU, ASIA.
    deployment_file_directory_path
      Path to the directory where the deployment zip file is located. By default the deployment file should be in the same directory as this main.tf file.
    policy_download_cron_expression
      Cron expression determining how often the policy agent function runs to synchronize the security policy from ESA.
    create_service_account
      Leave this as false if you created the service account in pre-configuration. Otherwise set it to true.
    agent_function_service_account_email
      The Agent Function Service account recorded in pre-configuration, or leave empty.
    create_vpc
      Set this to true if you would like to create a VPC with NAT, an external IP and a VPC access connector; otherwise leave it empty. This is ignored if google_vpc_access_connector_name is specified.
    google_vpc_access_connector_name
      The existing VPC access connector name you identified in an earlier step, otherwise leave empty. Setting this disables create_vpc = true.
    google_vpc_access_connector_full_resource_name
      Alternative configuration for the VPC access connector. If this parameter is set, google_vpc_access_connector_name is ignored. Use this parameter if the VPC connector is in a different region or project than the one specified for the deployment.
    labels
      A map of labels to apply to the deployed resources. Pay attention to the GCP label requirements (https://cloud.google.com/compute/docs/labeling-resources); for example, use only lowercase and a maximum length of 63 characters.

    All the values were recorded in Pre-Configuration and this section’s previous steps.

  7. Provide the policy update Terraform variables. In the same main.tf file, you can specify the configuration related to policy updates. Any of these variables can be changed at any time by running Terraform again or directly in the GCP Console. Most of the values were recorded in previous installation steps.

    pty_esa_ip
      Description: ESA IP address or hostname.
      Notes: recorded in the ESA Server section.
    pty_esa_ca_server_cert
      Description: ESA self-signed CA certificate used by the policy Agent Function to ensure that the ESA is the trusted server.
      Notes: recorded in step Certificates on ESA. If the ESA is configured with publicly signed certificates, the pty_esa_ca_server_cert configuration is ignored.
    gcp_esa_credentials_secret_resource_id
      Description: ESA username and password (value encrypted by Google Cloud Secret Manager). For example, projects/{project-id}/secrets/{secret name}/versions/{version}
      Notes: recorded in the Creating ESA Credentials section.
    pty_esa_credentials_function
      Description: ESA credentials GCP function resource name. For example, projects/{project-name}/locations/{region}/functions/{esa-credentials-function-name}.
      Notes: recorded in step Option 2: Custom Cloud Function as ESA CREDENTIALS FUNCTION NAME. If gcp_esa_credentials_secret_resource_id is present, this value is ignored. The Policy Agent Function must have network access and IAM permissions to call the ESA Credentials function you created in Option 2: Custom Cloud Function.
    gcp_kms_key_resource_name
      Description: The full resource name of the key. For example, projects/{project-id}/locations/{region}/keyRings/{key-ring}/cryptoKeys/{key-name}/cryptoKeyVersions/1
      Notes: recorded in the Key Management Service section.
    gcp_protect_function_resource_name
      Description: Comma-separated list of Protect function resource names. For example, projects/{project-id}/locations/{region}/functions/{function-name1},projects/{project-id}/locations/{region}/functions/{function-name2}
      Notes: use the protect_function_resource_name recorded in the Protect Service Installation section.
    gcp_policy_retention_storage_bucket
      Description: Deployment Bucket Name where the encrypted policy is written.
      Notes: you can use the deployment bucket recorded in the Google Cloud Storage section, or specify another existing bucket.
    gcp_policy_version_object_key
      Description: Filename of the encrypted policy stored in the Deployment Bucket Name.
      Notes: Default is policy.zip.
    retain_policy_versions
      Description: Number of policy versions to retain as backup (e.g. 2 retains the latest 2 policies and removes older ones). -1 retains all.
      Notes: Default is 10.
    disable_deploy
      Description: This flag is either 1 or 0. If set to 1, the agent does not update the protector function with the newest policy. If set to 0, the policy is saved to the Cloud Storage bucket and deployed to the protector function.
      Notes: Default is 0.
    log_level
      Description: Verbosity level of the application and audit logs.
      Notes: Default is INFO. Allowed values: DEBUG (the most verbose), INFO, WARNING, ERROR (the least verbose).
    policy_pull_timeout
      Description: Time in seconds to wait for the ESA to send the full policy.
      Notes: Default is 20.
    pty_core_casesensitive
      Description: Specifies whether policy usernames are case sensitive.
      Notes: Default is no. Allowed values: yes, no.
    pty_core_emptystring
      Description: Overrides the default handling of empty-string response values. With null, an empty string is returned as a null value: (un)protect('') -> null. With empty, it is returned as an empty string: (un)protect('') -> ''.
      Notes: Default is empty. Allowed values: null, empty.
    esa_connection_timeout
      Description: Time in seconds to wait for the ESA response.
      Notes: Default is 5s.
    pty_addipaddressheader
      Description: When enabled, the agent sends its source IP address in the request header. This configuration works in conjunction with the ESA hubcontroller configuration ASSIGN_DATASTORE_USING_NODE_IP (default=false). See Associating ESA Data Store With Cloud Protect Agent for more information.
      Notes: Default is yes. Allowed values: yes, no.
    pty_datastore_key
      Description: ESA policy datastore public key fingerprint (64 characters long), e.g. 123bff642f621123d845f006c6bfff27737b21299e8a2ef6380aa642e76e89e5.
      Notes: the export key is the public part of an asymmetric key pair created in Create KMS Key. A user with Security Officer permissions adds the public key to the data store in ESA via Policy Management > Data Stores > Export Keys. The fingerprint can then be copied using the Copy Fingerprint icon next to the key. Refer to Exporting Keys to Datastore for details.
    pty_sync_datastore
      Description: Optional name of the policy datastore to sync with ESA. Refer to the ESA documentation for more information on policy datastore sync.
      Notes: Default is "".
  8. From a local command line or Cloud Shell, change to the directory containing main.tf, for example:

    protegrity-agent-gcp-{version}/pty-agent-gcp/
    
  9. Run terraform init.

    Terraform will download necessary providers.

  10. Run terraform plan to verify the configuration and print the deployment plan.

  11. Run terraform apply to deploy the resources to your account. Once the deployment is complete, Terraform prints the output variables.

  12. Below is sample output from a successful deployment:

    
    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
    Outputs:
    agent_function_service_account_email = "pty-agent-test@test.iam.gserviceaccount.com"
    deployment_bucket_name = "test-bucket"
    nat_ip = 0
    policy_agent_function_deployment_object = "pty-agent-test-1.0.1.zip"
    policy_agent_function_name = "pty-agent-test"
    
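The parameter tables in steps 6 and 7 give exact shapes for several full resource names, fixed sets of allowed values and a range for retain_policy_versions, and a typo in any of them only surfaces after terraform apply, when the Policy Agent Function fails to reach the ESA or the KMS key. The following script is an added example, not part of the Protegrity bundle or its Terraform module: it checks a dictionary of variable values against those documented constraints before you run terraform plan. The variable names and formats are the page's own; the function name validate_terraform_vars, the choice of which variables are treated as required, and every sample project, bucket, key-ring and fingerprint value in EXAMPLE_CONFIG are assumptions made for the example.

```python
import re

# Added example (not part of the Protegrity bundle or its Terraform module): a check
# for the Terraform variables described above, run before `terraform apply` so that
# malformed resource names and out-of-range values fail locally rather than in the
# Policy Agent Function. Variable names and formats are the page's own; the function
# name, the set of variables treated as required and all sample values are assumed.

_SEG = r"[^/\s]+"  # one resource-path segment: no slash, no whitespace

# Documented shape of each full resource name, with a regex that enforces it.
FORMATS = {
    "gcp_esa_credentials_secret_resource_id": (
        "projects/{project-id}/secrets/{secret-name}/versions/{version}",
        re.compile(rf"^projects/{_SEG}/secrets/{_SEG}/versions/{_SEG}$")),
    "pty_esa_credentials_function": (
        "projects/{project-name}/locations/{region}/functions/{function-name}",
        re.compile(rf"^projects/{_SEG}/locations/{_SEG}/functions/{_SEG}$")),
    "gcp_kms_key_resource_name": (
        "projects/{project-id}/locations/{region}/keyRings/{key-ring}/cryptoKeys/{key-name}/cryptoKeyVersions/{version}",
        re.compile(rf"^projects/{_SEG}/locations/{_SEG}/keyRings/{_SEG}/cryptoKeys/{_SEG}/cryptoKeyVersions/{_SEG}$")),
}
FUNCTION_RE = FORMATS["pty_esa_credentials_function"][1]
FINGERPRINT_RE = re.compile(r"^[0-9a-f]{64}$", re.IGNORECASE)  # pty_datastore_key
INT_RE = re.compile(r"^-?\d+$")
ALLOWED_VALUES = {
    "log_level": {"DEBUG", "INFO", "WARNING", "ERROR"},
    "disable_deploy": {"0", "1"},
    "pty_core_casesensitive": {"yes", "no"},
    "pty_core_emptystring": {"null", "empty"},
    "pty_addipaddressheader": {"yes", "no"},
}
# Assumed required: the agent cannot fetch, encrypt or deploy a policy without them.
REQUIRED = ("pty_esa_ip", "gcp_kms_key_resource_name",
            "gcp_protect_function_resource_name", "gcp_policy_retention_storage_bucket")


def validate_terraform_vars(cfg):
    """Return a list of problems in cfg (variable name -> value); [] means all checks passed."""
    def get(name):  # compare as strings so .tfvars and console values behave alike
        return str(cfg.get(name, "")).strip()

    problems = [f"{name} is required" for name in REQUIRED if not get(name)]

    # The secret takes precedence when both credential sources are given.
    secret_id = get("gcp_esa_credentials_secret_resource_id")
    cred_fn = get("pty_esa_credentials_function")
    if not secret_id and not cred_fn:
        problems.append("no ESA credentials source: set gcp_esa_credentials_secret_resource_id "
                        "or pty_esa_credentials_function")
    elif secret_id and cred_fn:
        problems.append("pty_esa_credentials_function is ignored because "
                        "gcp_esa_credentials_secret_resource_id is present")

    # Full resource names must match the documented shape; stray whitespace is rejected.
    for name, (expected, pattern) in FORMATS.items():
        if get(name) and not pattern.match(get(name)):
            problems.append(f"{name}: {get(name)!r} does not match {expected}")

    # Comma-separated list of Protect functions; every entry must be a full function name.
    for entry in (e.strip() for e in get("gcp_protect_function_resource_name").split(",")):
        if entry and not FUNCTION_RE.match(entry):
            problems.append(f"gcp_protect_function_resource_name: bad entry {entry!r}")

    for name, allowed in ALLOWED_VALUES.items():
        if get(name) and get(name) not in allowed:
            problems.append(f"{name}: {get(name)!r} is not one of {sorted(allowed)}")

    retain = get("retain_policy_versions")
    if retain and not (INT_RE.match(retain) and int(retain) >= -1):
        problems.append(f"retain_policy_versions: {retain!r} must be an integer >= -1 (-1 keeps all)")

    fingerprint = get("pty_datastore_key")
    if fingerprint and not FINGERPRINT_RE.match(fingerprint):
        problems.append("pty_datastore_key: expected a 64-character hex fingerprint")

    # Label constraints named on the page: lowercase, at most 63 characters.
    for key, value in (cfg.get("labels") or {}).items():
        for text in (key, str(value)):
            if text != text.lower() or len(text) > 63:
                problems.append(f"labels: {text!r} must be lowercase and at most 63 characters")
    return problems


# Constructed sample values: not a real project, bucket, key ring or fingerprint.
EXAMPLE_CONFIG = {
    "pty_esa_ip": "esa.example.internal",
    "gcp_esa_credentials_secret_resource_id": "projects/my-proj/secrets/esa-creds/versions/1",
    "gcp_kms_key_resource_name": "projects/my-proj/locations/us-central1/keyRings/pty-ring/cryptoKeys/pty-key/cryptoKeyVersions/1",
    "gcp_protect_function_resource_name": "projects/my-proj/locations/us-central1/functions/pty-protect-a,"
                                          "projects/my-proj/locations/us-central1/functions/pty-protect-b",
    "gcp_policy_retention_storage_bucket": "my-deployment-bucket",
    "retain_policy_versions": "10",
    "disable_deploy": "0",
    "log_level": "INFO",
    "pty_datastore_key": "ab" * 32,
    "labels": {"app": "pty-agent", "env": "test"},
}
```

Calling validate_terraform_vars(EXAMPLE_CONFIG) returns an empty list; feeding it a copy with a space inside the KMS key path or an unsupported log_level returns one message per defect. Because every segment regex excludes whitespace, the check also catches resource names pasted with a stray space, which Terraform would accept as a string and the Agent Function would only reject at runtime.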

Last modified: April 27, 2026