Protect Service Installation
Preparation
Ensure that all the steps in Pre-Configuration are performed.
Log in to the Google Cloud account where Protegrity will be installed.
Select the project.
Ensure that you have access to a command shell on your computer, or to Cloud Shell, with Terraform CLI v0.14 or higher installed.
Ensure that the Terraform scripts provided by Protegrity are available on your local computer.
Install Protect Function via Terraform Scripts
Resources created with the Terraform scripts include the Protect Cloud Functions service and other required resources, depending on the Terraform parameters. If you don't specify the deployment bucket Terraform parameter, a new storage bucket is also created. You can optionally choose to create a new service account with a custom IAM role.
To install using Terraform:
From the command shell, move to the directory where you downloaded the Protegrity installation bundle.
Unzip the main bundle.
Unzip the protegrity-cloud-protect-gcp-{version}.zip file. Verify that the following files are available:
- pty-protect-gcp/
- main.tf
- outputs.tf
- protegrity-cloud-protect-gcp-{version}.zip
- README.md
Open the main.tf file and update the Terraform backend information at the top of the file:

```hcl
terraform {
  backend "gcs" {
    bucket = ""
    prefix = "protegrity/terraform/pty-protect-gcp/state"
  }
}
```

In the same main.tf file, specify the following Terraform variables. All the values were recorded in the Google Cloud Project pre-configuration steps.
Warning: Google Cloud Function 2nd Generation currently does not support CMEK.
| Parameter | Description |
|---|---|
| project_id | The project ID recorded in the pre-configuration step. |
| region | The region recorded in the pre-configuration step. |
| deployment_id | A short name that identifies the deployment. This ID is added to all resources deployed with Terraform. |
| deployment_bucket | Use the Deployment Bucket Name recorded in pre-configuration, or leave empty to create a new bucket. |
| create_service_account | Leave this as false if you created the service account in pre-configuration. Otherwise set it to true. |
| protect_function_service_account_email | Use the Protect Function Service account recorded in pre-configuration, or leave empty. |
| api_gateway_gcp_service_account_issuer | Sets the issuer of the JSON Web Token credential used to authenticate calls to API Gateway. Set this to the API_GCP_SERVICE_ACCOUNT obtained in the section Describe the API Integration Object. |
| username_regex | If username_regex is set, the effective policy user is extracted from the user in the request. Note: see Configuring Regular Expression to Extract Policy Username to learn how to extract the username from the request. |
| max_instance_count | GCP Cloud Functions advanced configuration. |
| available_memory_mb | GCP Cloud Functions advanced configuration. |
| timeout_seconds | GCP Cloud Functions advanced configuration. |
| gen2_available_cpu | 2nd Gen Cloud Function advanced configuration. |
| gen2_container_concurrency | 2nd Gen Cloud Function advanced configuration. |
| upgrade_step | Set this variable when upgrading to the latest version. |
| labels | A map of labels to apply to the deployed resources. Pay attention to the GCP label requirements (https://cloud.google.com/compute/docs/labeling-resources): for example, use only lowercase characters and a maximum length of 63 characters. |
| min_log_level | Minimum log level for the log forwarder function. One of off, severe, warning, info, config, all. Defaults to 'severe'. |
| pty_log_output | Audit log output. Accepted values: "" (empty string), "pub_sub". Note: when set to "pub_sub", audit logs are aggregated and sent to a Pub/Sub topic. See the Log Forwarder installation section for more details. |
| pty_pub_sub_topic | Pub/Sub topic where audit logs are sent. |
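A mistake in these variables (an uppercase label, a Pub/Sub output with no topic, an unknown log level) surfaces only after `terraform apply` has started creating resources. The script below is an added pre-flight check, not part of Protegrity's bundle: it validates a set of variable values against the constraints the table states before you run Terraform. The GCP label character rules and the 64-label limit come from the public GCP labeling documentation; the sample values, the variable names as dictionary keys, and the service-account e-mail sanity check are assumptions made for this example.

```python
"""Pre-flight check of Protect function Terraform variables (added example)."""
import re

# Constraints stated in the parameter table.
LOG_LEVELS = {"off", "severe", "warning", "info", "config", "all"}
LOG_OUTPUTS = {"", "pub_sub"}
REQUIRED = ("project_id", "region", "deployment_id")

# GCP label rules (public GCP labeling docs): keys are 1-63 chars of lowercase
# letters, digits, '_' or '-' and start with a lowercase letter; values are
# 0-63 chars from the same character set; at most 64 labels per resource.
LABEL_KEY_RE = re.compile(r"^[a-z][a-z0-9_-]{0,62}$")
LABEL_VALUE_RE = re.compile(r"^[a-z0-9_-]{0,63}$")
MAX_LABELS = 64


def check_labels(labels):
    """Return a list of problems with the labels map (empty list = OK)."""
    errors = []
    if len(labels) > MAX_LABELS:
        errors.append(f"too many labels: {len(labels)} > {MAX_LABELS}")
    for key, value in labels.items():
        if not LABEL_KEY_RE.match(key):
            errors.append(f"label key {key!r} is not lowercase/<=63 chars")
        if not LABEL_VALUE_RE.match(str(value)):
            errors.append(f"label value {value!r} for {key!r} is invalid")
    return errors


def check_variables(tfvars):
    """Return a list of problems with the variable values (empty list = OK)."""
    errors = []
    for name in REQUIRED:
        if not tfvars.get(name):
            errors.append(f"{name} must be set")

    level = tfvars.get("min_log_level", "severe")  # table default
    if level not in LOG_LEVELS:
        errors.append(f"min_log_level {level!r} not in {sorted(LOG_LEVELS)}")

    output = tfvars.get("pty_log_output", "")
    if output not in LOG_OUTPUTS:
        errors.append(f"pty_log_output {output!r} must be '' or 'pub_sub'")
    elif output == "pub_sub" and not tfvars.get("pty_pub_sub_topic"):
        errors.append("pty_pub_sub_topic is required when pty_log_output is 'pub_sub'")

    # Sanity check (assumption): the JWT issuer should look like a GCP service
    # account e-mail, since the table says to use API_GCP_SERVICE_ACCOUNT.
    issuer = tfvars.get("api_gateway_gcp_service_account_issuer", "")
    if issuer and not ("@" in issuer and issuer.endswith("gserviceaccount.com")):
        errors.append(f"issuer {issuer!r} does not look like a service account e-mail")

    errors.extend(check_labels(tfvars.get("labels", {})))
    return errors


# Constructed sample values; names and values are illustrative only.
SAMPLE_TFVARS = {
    "project_id": "example-project",
    "region": "us-central1",
    "deployment_id": "prod",
    "deployment_bucket": "",
    "create_service_account": False,
    "api_gateway_gcp_service_account_issuer": "api-sa@example-project.iam.gserviceaccount.com",
    "min_log_level": "severe",
    "pty_log_output": "pub_sub",
    "pty_pub_sub_topic": "projects/example-project/topics/pty-audit",
    "labels": {"env": "prod", "owner": "data-security"},
}

if __name__ == "__main__":
    problems = check_variables(SAMPLE_TFVARS)
    print("OK" if not problems else "\n".join(problems))
```

Run it against the values you intend to put in main.tf before `terraform plan`; an empty result means the values satisfy the table's constraints, while each reported line names the variable to fix.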
Run the following command. Terraform downloads the necessary providers.

```shell
terraform init
```

Run the following command to verify the configuration and print the deployment plan.

```shell
terraform plan
```

Run the following command to deploy the resources to your account. Once deployment is complete, Terraform prints the output variables.

```shell
terraform apply
```
Record the following values:
- protect_function_name: ________________________________
- protect_function_url: __________________________
- api_gateway_managed_service: _____________________________
- api_gateway_protect_service_url: ____________________
- protect_function_resource_name: _______________________
Test Protect Function Installation
Before continuing with the next steps, you can verify that the Cloud Function is installed correctly. This step is optional and can be skipped.
Below is an example curl command to test your function.
Before you can execute it, you need to obtain a temporary authentication token. Run gcloud auth login and then gcloud auth print-identity-token. The logged-in gcloud user must have the roles/run.invoker role. Record the output of the print-identity-token command.
gcloud_auth_token: _________________
Replace {protect_function_url} with the value recorded in the previous step.
Replace {gcloud_auth_token} with the value recorded in the step above.
Run the following curl command to test the Function deployment.
```shell
curl -X POST "{protect_function_url}" \
  -H 'Authorization: Bearer {gcloud_auth_token}' \
  -H 'sf-custom-X-Protegrity-HCoP-Rules: {"jsonpaths":[{"op_type":"unprotect","data_element":"alpha"}]}' \
  -H 'sf-context-current-user: test' \
  -H 'sf-external-function-current-query-id: test-id' \
  -H 'Content-Type: application/json' \
  -d '{ "data": [ ["0", "UtfVk UHgcD!"] ] }'
```

Note: when you copy-paste the curl command, make sure each header is on its own line.

Verify the following output:

```json
{"data":[[0,"hello world!"]]}
```
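The same smoke test as a script, added here as an example and not part of Protegrity's bundle: it sends the request the curl command above sends, using only the Python standard library, and compares the parsed response with the expected `{"data":[[0,"hello world!"]]}` so whitespace differences cannot cause a false failure. The environment variable names PROTECT_FUNCTION_URL and GCLOUD_AUTH_TOKEN are assumptions for this example; nothing is sent unless both are set.

```python
"""Smoke test for the deployed Protect function (added example)."""
import json
import os
import sys
import urllib.error
import urllib.request

# Expected response from the page's test section.
EXPECTED = {"data": [[0, "hello world!"]]}
# Request body from the page's curl command (row id "0", protected value).
PAYLOAD = {"data": [["0", "UtfVk UHgcD!"]]}


def hcop_rules(op_type="unprotect", data_element="alpha"):
    """Build the sf-custom-X-Protegrity-HCoP-Rules header value used above."""
    rules = {"jsonpaths": [{"op_type": op_type, "data_element": data_element}]}
    return json.dumps(rules, separators=(",", ":"))


def build_headers(token, user="test", query_id="test-id"):
    """Headers from the curl command; the identity token goes in Authorization."""
    return {
        "Authorization": f"Bearer {token}",
        "sf-custom-X-Protegrity-HCoP-Rules": hcop_rules(),
        "sf-context-current-user": user,
        "sf-external-function-current-query-id": query_id,
        "Content-Type": "application/json",
    }


def response_is_expected(body_text):
    """True only if the body parses as JSON equal to EXPECTED."""
    try:
        return json.loads(body_text) == EXPECTED
    except ValueError:
        return False


def call_protect_function(url, token, timeout=30):
    """POST the test payload and return (HTTP status, response body)."""
    req = urllib.request.Request(
        url,
        data=json.dumps(PAYLOAD).encode("utf-8"),
        headers=build_headers(token),
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status, resp.read().decode("utf-8")


def main():
    url = os.environ.get("PROTECT_FUNCTION_URL")    # assumed variable name
    token = os.environ.get("GCLOUD_AUTH_TOKEN")     # assumed variable name
    if not url or not token:
        print("Set PROTECT_FUNCTION_URL and GCLOUD_AUTH_TOKEN first.")
        return 2
    try:
        status, body = call_protect_function(url, token)
    except urllib.error.HTTPError as err:
        # 401/403 here usually means an expired token or a caller without roles/run.invoker.
        print(f"HTTP {err.code}: {err.read().decode('utf-8', 'replace')}")
        return 1
    ok = status == 200 and response_is_expected(body)
    print(f"HTTP {status}: {body}")
    print("PASS" if ok else "FAIL: response does not match expected output")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main())
```

Export the two variables (the token from `gcloud auth print-identity-token`), run the script, and a non-zero exit code tells a CI job or a colleague that the deployment is not yet serving the expected result.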