This guide applies only to V2 assemblers deployed as a virtual machine in Google Cloud Platform (GCP) using Terraform, an infrastructure as code (IaC) tool. The V1 assembler is no longer supported as of June 30, 2024.
Each assembler you create must be deployed as its own virtual machine. Once the VM is connected, you add your technology as a security device in Workbench to complete the integration. For more information about the Expel Assembler and how it works, see the About the Expel Assembler guide.
Prerequisites
- You must have completed all of the steps in Add a New Assembler for each assembler you wish to deploy.
- You must have already created a project in the Google Cloud Console and set up billing.
- You must have Terraform installed.
- You must have the gcloud CLI installed.
Quick Start
Terraform lets you define both cloud and on-prem resources in human-readable configuration files that you can version, reuse, and share. These instructions assume you have working knowledge of Terraform; if you need additional help or context, refer to the Terraform Documentation.
Setup includes the following steps (click any step for detailed instructions):
- Download the Ignition File
- Set Up the Terraform Config File for GCP
- Set the Path and Bucket Name
- Configure and Spin Up the Virtual Machine
- Verify a “Connected” Status in Workbench
To see a full code example, go to the Reference section.
Step 1: Download the Ignition File
Ignition is the first-boot provisioning system for Fedora CoreOS. The ignition file is a JSON configuration that Ignition reads once, on the VM's first boot, to provision the system for this assembler. You will pass this file to the virtual machine through instance metadata when you configure the VM in GCP (Step 4).
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Assemblers.
- Find the assembler you created, leave the file format set to JSON, and select Download the CoreOS Ignition File. This downloads a JSON file that you will reference in Step 3. Other formats are offered, but JSON is the format Ignition consumes on Fedora CoreOS and is recommended for this type of assembler.
- Move your ignition file to a remote, secure location such as a Google Cloud Storage bucket. Terraform reads the file's contents into its state, and state is written in plaintext (unencrypted), so the contents end up wherever your state files live. Some guidelines:
- Do not store your ignition file in a git repository. The file contains sensitive information, and git history is not a suitable place for that kind of data.
- Lock down access to the storage location. Only people who need the ignition file (and, if you use Terraform Remote State, the state files) should be able to read it; treat the state backend with the same care as the bucket that holds the file.
- Repeat this process for any additional assemblers. Important: you must keep track of the files, and which came from which assembler, because each assembler has its own unique ignition file.
Step 2: Set Up the Terraform Config File for GCP
Terraform will use the Google Cloud provider to configure your GCP infrastructure.
- If you are running Terraform locally, first use the following command to authenticate with GCP.
gcloud auth application-default login
- Create a Terraform config file if you do not have one (for example, terraform.tf), and make sure it contains the following configuration.
- The google provider block sets the project and region Terraform will operate in. Credentials come from Application Default Credentials (the gcloud auth application-default login command above), not from this block.
- The project field is your project ID (not the project's display name).
- The region is the default location for the resources you create.
- Optional: a zone can also be set here for zonal resources. The compute instance in Step 4 sets zone = var.zone explicitly, which overrides any provider default, so a provider-level zone is not required.
provider "google" {
  project = "YourProject"
  region  = "us-east1"
}
Step 3: Set the Path and Bucket Name
Use the google_storage_bucket_object_content data source and set the path and bucket name to point to where you stored your ignition file. If you are deploying more than one assembler, this step will need to be repeated for each assembler.
data "google_storage_bucket_object_content" "ignition_file" {
  name   = "path/to/ignition/file.json"
  bucket = var.ignition_file_bucket
}
Step 4: Configure and Spin Up the Virtual Machine
Use the google_compute_instance resource to configure your virtual machine with the minimum requirements. If you are deploying more than one assembler, repeat this step for each assembler.
- machine_type is "n2-standard-2" (2 vCPUs, 8 GB RAM), which meets the minimum CPU and RAM requirements for an assembler.
- image is "fedora-coreos-stable", the stable image family that the Fedora CoreOS project publishes in the public fedora-coreos-cloud GCP project. The Google provider resolves the bare family name to that project; you can write "fedora-coreos-cloud/fedora-coreos-stable" to make the source explicit.
- size is 20, the 20 GB minimum disk size required for an assembler.
- metadata passes the ignition file's contents under the user-data key. Ignition on Fedora CoreOS reads its configuration from the user-data metadata key on first boot, not from startup-script, so metadata_startup_script is not the right place for it.
resource "google_compute_instance" "assembler" {
  name         = var.assembler_name
  machine_type = "n2-standard-2"
  zone         = var.zone

  network_interface {
    network = var.network_id
  }

  boot_disk {
    initialize_params {
      image = "fedora-coreos-stable"
      size  = 20
    }
  }

  # Ignition reads its configuration from the user-data metadata key.
  metadata = {
    "user-data" = data.google_storage_bucket_object_content.ignition_file.content
  }
}
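The following is an added example, not Expel's own code, that pulls together the storage guidance from Step 1 with the data source and instance from Steps 3 and 4 into one hardened configuration. It assumes the provider block from Step 2 is already present, that the state bucket named in the backend was created out of band, that the group in ignition_readers and the dedicated service account are placeholders, and that the assembler needs no GCP API access of its own; the bucket names, variable names and the Cloud NAT remark are illustrative assumptions.

```hcl
# Added example (not Expel's code). Assumes the provider block from Step 2
# exists; names and the readers list are placeholders.

terraform {
  # Remote state holds the ignition content in plaintext, so this bucket
  # needs the same access controls as the ignition bucket below.
  backend "gcs" {
    bucket = "example-tfstate-bucket" # assumption: pre-created, private
    prefix = "assemblers"
  }
}

variable "region"               { type = string }
variable "zone"                 { type = string }
variable "network_id"           { type = string }
variable "ignition_file_bucket" { type = string }
variable "ignition_file_path"   { type = string }      # local path; keep out of git
variable "ignition_readers"     { type = set(string) } # e.g. ["group:sec-infra@example.com"]

variable "assembler_name" {
  type = string
  validation {
    # Reused for the service account id, which must be 6-30 characters.
    condition     = can(regex("^[a-z][a-z0-9-]{2,24}$", var.assembler_name))
    error_message = "assembler_name must be a lowercase DNS-style label of 3 to 25 characters."
  }
}

# Step 1: a private bucket for ignition files. Uniform bucket-level access
# plus enforced public-access prevention mean only the IAM grant below applies.
resource "google_storage_bucket" "ignition" {
  name                        = var.ignition_file_bucket
  location                    = var.region
  uniform_bucket_level_access = true
  public_access_prevention    = "enforced"
  versioning { enabled = true }
}

# Authoritative for this role on this bucket: identities not in the list
# lose read access on the next apply.
resource "google_storage_bucket_iam_binding" "ignition_readers" {
  bucket  = google_storage_bucket.ignition.name
  role    = "roles/storage.objectViewer"
  members = var.ignition_readers
}

# Uploading with `source` records only the path and content hashes in state.
resource "google_storage_bucket_object" "ignition" {
  name   = "ignition/${var.assembler_name}.json"
  bucket = google_storage_bucket.ignition.name
  source = var.ignition_file_path
}

# Step 3: read the object back. This data source does put the content in state.
data "google_storage_bucket_object_content" "ignition_file" {
  name   = google_storage_bucket_object.ignition.name
  bucket = google_storage_bucket.ignition.name
}

# Dedicated identity with no IAM roles, so the VM does not run as the
# default compute service account (assumes the assembler needs no GCP APIs).
resource "google_service_account" "assembler" {
  account_id = "${var.assembler_name}-sa"
}

# Step 4: the instance. No access_config means no external IP, so outbound
# traffic to Expel needs Cloud NAT or a proxy reachable from var.network_id.
resource "google_compute_instance" "assembler" {
  name         = var.assembler_name
  machine_type = "n2-standard-2"
  zone         = var.zone

  boot_disk {
    initialize_params {
      image = "fedora-coreos-cloud/fedora-coreos-stable"
      size  = 20
    }
  }

  network_interface {
    network = var.network_id
  }

  # Ignition reads its configuration from the user-data metadata key on first boot.
  metadata = {
    "user-data" = data.google_storage_bucket_object_content.ignition_file.content
  }

  service_account {
    email  = google_service_account.assembler.email
    scopes = ["cloud-platform"]
  }

  shielded_instance_config {
    enable_vtpm                 = true
    enable_integrity_monitoring = true
  }
}
```

Because the IAM binding is authoritative for roles/storage.objectViewer, the identity that runs terraform apply must still be able to read the object (project Owner or Editor is sufficient) or the data source lookup will fail on the next run. The shielded VM settings assume the Fedora CoreOS image's UEFI support; drop that block if your image does not boot with it.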
Step 5: Verify a “Connected” Status in Workbench
It can take 10 to 15 minutes for the assembler’s status to update in Workbench.
- Log in to Workbench.
- In the side menu, navigate to Organization Settings > Assemblers. (or, refresh the page if you never logged out).
- Find your newly created assembler(s) and verify that the status has changed from “Not Yet Connected” to “Connected.”
- If the status has not updated yet, make sure you have waited at least 15 minutes, then refresh the page and check again.
Troubleshooting
If your assembler is still not showing as “Connected” after 15 minutes:
- Make sure the network the VM is attached to permits the assembler's required outbound traffic: VPC firewall egress rules (and any on-path proxy or appliance) must allow the outbound ports the assembler uses. Note that the network_interface block in Step 4 has no access_config, so the VM has no external IP address; outbound connectivity from it requires Cloud NAT (or a proxy) on its subnet.
- Make sure your config file includes the correct project name and region (Step 2).
- Make sure your ignition file is at the path specified, and that you are referencing the correct ignition file for your assembler (Step 3).
- Make sure your chosen machine’s size meets the required minimums (2 virtual CPUs, 8 GB RAM, and 20 GB disk space).
If all firewall, config file, and resource definitions settings are correct and you are still unable to connect the assembler, contact your Engagement Manager for help.
Reference
Full Code Example
terraform.tf (config file)
provider "google" {
  project = "myproject"
  region  = "us-east1"
}
assembler.tf (resource definitions)
data "google_storage_bucket_object_content" "ignition_file" {
  name   = "path/to/ignition/file.json"
  bucket = var.ignition_file_bucket
}

resource "google_compute_instance" "assembler" {
  name         = var.assembler_name
  machine_type = "n2-standard-2"
  zone         = var.zone

  network_interface {
    network = var.network_id
  }

  boot_disk {
    initialize_params {
      image = "fedora-coreos-stable"
      size  = 20
    }
  }

  # Ignition on Fedora CoreOS reads its configuration from the user-data
  # metadata key on first boot, not from startup-script.
  metadata = {
    "user-data" = data.google_storage_bucket_object_content.ignition_file.content
  }
}