# GCP Stream deployment ## GCP Stream Deployment Deployment of Stream in GCP utilizes the [gcloud command line tool](https://cloud.google.com/sdk/gcloud) with a template provided by Vectra. The template references a Stream image that is shared by Vectra with the Compute Image User referenced by the project number. ## Requirements * User with sufficient permissions in GCP who is available to deploy using the template. * User will need to be able to create a project or have access to a project they can use. * User will need to be able to create VPCs, subnets, firewall rules, and VMs. * Access to gcloud command line tool either via GCP SDK or cloud shell. * Vectra will provide the following information: * Access to Stream image from Vectra (requires GCP project number). * Access to the deployment template from Vectra. ## SSH Key Pair An RSA SSH key pair will need to be created, or reuse an existing pair, for Stream to allow an administrator to login to the CLI as the `vectra` user. These can be generated using any standard tool. Google has some options documented: * [Creating an SSH key](https://cloud.google.com/compute/docs/instances/adding-removing-ssh-keys?_ga=2.189872046.-405308179.1628802162#createsshkeys) The public key will need to be copied for later use during deployment so that it can be assigned to Stream. After Stream is deployed and registered with Vectra, you can login to the Stream CLI via SSH: * You may need to make the key readable to you using a command such as: * `chmod 400 vectra.pem` * Example login command: * `ssh -i vectra@BrainHostnameOrIP` ## Retrieving selfLink for GCP Network Objects Later in the deployment process, you will need to provide selfLink for the management network. Instructions for retrieving a selfLink are below. * The selfLink can be retrieved from the GCP Console GUI by selecting your VPC network, clicking on **EQUIVALENT REST** and then copying the selflink: * Copy the `projects/…` portion from the highlighted area (do not include the quote marks). * In our example below the selfLink would be: * `projects/vectra-tme-dev/regions/us-east4/subnetworks/mgt` ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-3d99d3eec3a211cdbf19c9f900631d8ee02fe122%2Fgcp-stream-deployment-1.png?alt=media) * The selfLink can also be retrieved via the GCP CLI using the `gcloud compute networks describe` command: * In our example below the selfLink would be: * `projects/vectra-tme-dev/global/networks/tme-sensor-mgt` ``` ❯ gcloud compute networks describe tme-sensor-mgt autoCreateSubnetworks: false creationTimestamp: '2021-08-24T12:28:04.908-07:00' description: '' id: '579626880853407403' kind: compute#network mtu: 1460 name: tme-sensor-mgt . . . . REMOVED SOME OUTPUT FOR DISPLAY PURPOSES . . . routingConfig: routingMode: REGIONAL selfLink: https://www.googleapis.com/compute/v1/projects/vectra-tme-dev/global/networks/tme-sensor-mgt subnetworks: - https://www.googleapis.com/compute/v1/projects/vectra-tme-dev/regions/us-east4/subnetworks/mgt x_gcloud_bgp_routing_mode: REGIONAL ``` ## Information to gather before proceeding with Stream deployment via gcloud command line: * **Infrastructure Manager Service Account** – Used by the GCP Infrastructure Manager to create your resources during initial deployment. * This service account needs the **Cloud Infrastructure Manager Agent** and **Compute Admin** roles. * Instructions to create this service account are included in [Creating GCP service accounts](#creating-gcp-service-accounts). * **Brain IP or Hostname –** IP address or hostname of the Brain for Stream to register and pair with. * Vectra Stream can pair by IP or hostname. Hostname based pairing may be desirable in some failover scenarios. * **Registration Token** - This token must be copied from the Vectra UI. * The token is valid for 24 hours and can be regenerated on-demand. * A valid registration token must be presented by Stream in order to pair with the Brain. * Instructions to generate a Sensor registration token are shown in [Sensor Registration Token](https://docs.vectra.ai/deployment/preparing-to-deploy-stream#sensor-registration-token-srt). * Stream pairs and communicates like a Sensor so “Sensor” language is sometimes used when referring to Stream. * **Public SSH Key** – The public key you created in the above section. * You may reuse an existing key if you prefer. * **Project** – The GCP Project ID (not the project name or project number). * This can be seen in the GCP console dashboard for your project. * **Region** – The GCP region in which to deploy. * e.g. – `us-east4` * **Zone** – The GCP zone is which to deploy. * e.g. – `us-east4-a` * **Size** – Size of Stream VM to deploy. * Options are `e2-standard-4` , `e2-standard-8` , or `e2-standard-16` * **Stream Image** – GCP identifier for the Stream image to be used to build the VM. * This will be provided by Vectra. * **Management Subnetwork** – selfLink of GCP subnet to provision the management (MGT) interface into. * Example: `projects/vectra-tme-dev/global/networks/tme-sensor-mgt` ## Creating Infrastructure Manager Service Account A service account is required for one part of the Stream deployment process: * **Infrastructure Manager Service Account** – Used by the GCP Infrastructure Manager to create your resources during the initial Stream image deployment. ### **Resources** * [Creating and Managing GCP Service Accounts](https://cloud.google.com/iam/docs/creating-managing-service-accounts) * [Understanding GCP Roles - Also details predefined roles](https://cloud.google.com/iam/docs/understanding-roles) ### **Basic Steps** * After signing into the GCP console, navigate to *IAM and Admin → Service Accounts* and click **+ CREATE SERVICE ACCOUNT.** ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-84e3939d9f0120218de6a05944089511cc33cec1%2Fgcp-hostid-extraction-2.png?alt=media) * Give the account a name and optionally a description and then click **CREATE AND CONTINUE.** ![](https://4227135129-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FHJ1ltuWFvsArFWtevnRn%2Fuploads%2Fgit-blob-a0c21e16e7c22e2e70d16543392a7eda5237b232%2Fgcp-hostid-extraction-3.png?alt=media) * The Infrastructure Manager service account requires the following roles. * **Cloud Infrastructure Manager Agent** * **Compute Admin**

* Under the **Principals with Access tab**, grant your user the **Service Account User** role on the service.

* Save and make note of the account to use in the deployment CLI command below. ## Deploying the Stream Image * You will receive a template file from Vectra. Save both to a locally accessible directory from where you will run the gcloud infra-manager deployment command. * `_example.tf` - Save a new copy of this and edit it to customize the deployment for your needs. * This template contains instructions and syntax for the deployment command. *

Do NOT change the source argument. Only use the source specified in the <VERSION>_example.tf file.
Vectra recommends that you do not have any other files in the directory from which you run the deployment command. The gcloud command could run more slowly or error if there are other terraform files in the directory.

* Below is a sample edited `_example.tf` file. * In this case, the file was called `9.7_example.tf` . ``` #################################################################################### # This configuration deploys resources necessary for the Vectra Stream product. # # # # This template can be deployed with the `gcloud` commandline tool. # # Please save this file into an empty directory of your choosing. # # Before deploying the template, update the arguments in this file to # # the desired values. The comment above each argument should explain the argument. # # # # Then, from within the directory, run: (replacing the placeholders in <>) # # $ gcloud infra-manager deployments apply \ # # --service-account \ # # --project \ # # projects//locations//deployments/ \ # # --local-source=./ # # # # You may also use Terraform on its own if you are familiar with using Terraform. # # # #################################################################################### module "my_test_stream" { source = "https://cognito-public-deployment-tools.s3.us-west-2.amazonaws.com/GCPStream/9.7.zip" # Name of the resources to be created (will be appended to; e.g. the name `vectra-brain` will create `vectra-brain-vm` and `vectra-brain-os`) name = "stream-resources" # IP address or hostname of the brain to register with brain-ip = "44.242.149.206" # Token for registration with headend, 32 letters long registration-token = "xwzfffkkycztvhqwvrwcyrbmzzdrxqmx" # SSH public key for vectra user (format: ssh-rsa XXXX) ssh-key = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABtruncatedfordisplayandsecurityreasons" # Project in which to deploy (project ID) project = "vectra-tme-dev" # Region in which to deploy region = "us-east4" # Zone in which to deploy (actual zone, not just region) zone = "us-east4-a" # Size of stream VM, must be one of e2-standard-4, e2-standard-8, e2-standard-16 size = "e2-standard-4" # Base image provided by Vectra image = "projects/vectra-shared-images/global/images/vectra-gcp-embryo-6-12" # Management subnetwork for VM (subnetwork selflink, such as projects/PROJ/regions/REG/subnetworks/SUBNET) subnetwork = "projects/vectra-tme-dev/regions/us-east4/subnetworks/mgt" } ``` * After editing the `_example.tf` file you are now ready to deploy the Stream. * Perform the deployment using the `gcloud infra-manager deployments apply` command. Be sure to specify the service account created for Infrastructure Manager. ``` gcloud infra-manager deployments apply --service-account projects/example-dev/serviceAccounts/infra-manager-deployment@example-dev.iam.gserviceaccount.com --project example-dev projects/example-dev/locations/us-west2/deployments/test-terraform-deployment --local-source=./ Uploading 1 file(s) totalling 7.1 KiB. Updating the deployment... logs=gs://348721043829-us-east4-blueprint-config/vectra-stream/r-0/logs, step=RUNNING_TF_PLAN ...⠏ Updating the deployment... logs=gs://348721043829-us-east4-blueprint-config/vectra-stream/r-0/logs, step=RUNNING_TF_APPLY ...done. ``` * If the deployment fails, you can view the logs by going to Infrastructure Manager in the Google Cloud console, and clicking on the deployment that failed.

The example shown is for a Brain, but this screen looks the same for a Stream deployment

* For example, this deployment failed because the image was not yet shared with the example customer:

* If you have failed deployments for any reason, you can simply delete them by name as in this example: ``` $ gcloud infra-manager deployments delete --project example-dev projects/example-dev/locations/us-east4/deployments/vectra-sensor You are about to delete deployment [vectra-stream] Do you want to continue (Y/n)? y Delete request issued for: [vectra-stream] Waiting for operation [projects/example-dev/locations/us-east4/operations/operation-1764970842168-6453b4c161c8d-963ce3b4-a67084ef] to complete...done. Deleted deployment [vectra-stream]. ``` * You can list deployments as follows: * `gcloud infra-manager deployments list -–project --location ` * To see resources created with a deployment, you can click on the **Resources** tab on the deployment page in the GCP console. {% hint style="success" %} Congratulations!! You have now deployed Stream in GCP and can move on to initial CLI configuration and pairing with your Brain. {% endhint %}