GCP Deployment with CLI

This guide provides the necessary technical steps to install the Google Cloud CLI, configure your project environment, and deploy BlueRock-hardened instances on Google Cloud Platform (GCP).

Prerequisites

Google Cloud CLI tools (gcloud), for installation refer to the official Google Cloud CLI installation guide.
BlueRock images: BlueRock provides pre-packaged images of BlueRock Ubuntu 2404 Linux Distribution - (Free or Full version), contact BlueRock support for the images.

Version

Kernel Version

GCP Image Name

Description

Free

Ubuntu 24.04

6.12.63

bluerock-release-26-08-0-ubuntu2404-6.12.63-free

Loads default policy in observe mode and policy changes are not allowed.

Full

Ubuntu 24.04

6.12.63

bluerock-release-26-08-0-ubuntu2404-6.12.63

Provides full policy configuration control. Allow switching policy action from observe to enforce mode.

Procedure

To deploy the BlueRock-hardened instances on GCP with CLI following is the procedure:

Instance Deployment

Deploy the instance to provision the virtual hardware and Identity (Service Account) required for BlueRock. This command initializes a pre-configured environment with the security protocols needed to securely pull your configuration from GCP storage buckets.

gcloud compute instances create <instance-name> \
--zone us-central1-a \
--machine-type n1-standard-2 \
--image bluerock-release-26-08-0-ubuntu2404-6.12.63-free \
--image-project <project-name> \
--boot-disk-size <insert-size-in-GB> \
--boot-disk-type <insert-disk-type> \
--tags <insert-tags>

Parameter (Flag)

Description

Example Value

--zone

Defines the specific physical data center location where the VM resides.

us-central1-a

--machine-type

Specifies the hardware configuration (CPU and RAM).

n1-standard-2

--image

The image name or OS template to install on the boot disk.

bluerock-release-26-08-0-ubuntu2404-6.12.63-free

--image-project

The Project ID where the specific image is stored (crucial for custom images in other projects).

project-1234

--scopes

Grants the VM permissions to interact with other GCP services (like Cloud Storage or Logging).

cloud-platform

--boot-disk-size

Sets the total storage capacity of the primary (OS) disk.

20GB

--boot-disk-type

Defines the performance tier of the disk (Standard, Balanced, or SSD).

pd-balanced

--tags

Metadata labels for the instance.

bluerock-instance

To validate the instance status:

gcloud compute instances describe <instance-name> --zone=us-central1-a --format="value(status)"

To connect with instance using SSH:

gcloud compute ssh <instance-name> --zone=<zone-id>

Note:
SSH may give some warnings and prompts to generate an SSH key for the first time. While generating SSH key leave the passphrase as empty by pressing Enter. It will automatically create the key and add the key permanently to the host.

Create a Storage Bucket

Ensure to create a GCP Storage Bucket to save the Configuration files and Policy files as the BlueRock Instance picks these files from a separate bucket using config.source file that contains this Bucket's URL/URI.

To create a bucket run the following command:

gcloud storage buckets create gs://<your-bucket-name> --location=<insert-location>

Bucket URL example: gs://bluerock-bucket/

Refer to the About Cloud Storage buckets guide to learn more about storage buckets in GCP.

BlueRock Instance Configuration

BlueRock instances require a configuration file (config.toml or config.yaml) to define telemetry and policy settings. Create config.toml or config.yaml either one of them.

config.yaml

event_format: "OTEL"
event_url: "http://<your-internal-ip>:4318"
ucpcm:

config.toml

event_format = "OTEL"
event_url = "http://<your-internal-ip>:4318"
[ucpcm]

config.yaml

event_format: "OTEL"
event_url: "http://<your-internal-ip>:4318"
ucpcm:
  policy_url: "gs://<policy-url>"
  policy: "policy.json"
  policy_sig: "policy.json.sig"
  public_key: "gs://<policy-key-url>"
  transport:
    transport_type: "gcs"  # or "gs"
    auth_method: "default" # Uses Application Default Credentials (ADC) / Service Account
    region: "us-central1"

config.toml

event_format = "OTEL"
event_url = "http://<your-internal-ip>:4318"
[ucpcm]
policy_url = "gs://<policy-url>"
policy = "policy.json"
policy_sig = "policy.json.sig"
public_key = "gs://<policy-key-url>"
[ucpcm.transport]
transport_type = "gcs"  # or "gs"
auth_method = "default" # Uses Application Default Credentials (ADC) / Service Account
region = "us-central1"

Parameter

Type

Description

hostid

String

A unique identifier for this specific machine or agent (e.g., bluerock). This flag is optional.

event_format

String

The data schema used for logging/events. OTEL stands for OpenTelemetry.

event_url

URL

The endpoint where the agent sends its telemetry data (usually an OTEL Collector).

ucpcm.policy_url

GCS Path

The Google Cloud Storage bucket path where the master policy file is stored.

ucpcm.policy

File Name

The specific JSON file name that contains the configuration rules.

ucpcm.policy_sig

File Name

The digital signature file used to verify that the policy.json hasn't been tampered with.

ucpcm.public_key

GCS Path

The location of the public key used to validate the policy_sig.

ucpcm.metrics_timer

Integer

How often (in seconds) the agent pushes its performance metrics (1800s = 30 mins).

ucpcm.policy_poll_period

Integer

How often (in seconds) the agent checks GCS for a new policy version (60s = 1 min).

ucpcm.transport_type

String

The protocol used to fetch files. gcs or gs indicates Google Cloud Storage.

ucpcm.auth_method

String

Authentication type. default uses the VM's attached Service Account (ADC).

ucpcm.region

String

The GCP region where the storage resources are located.

Note:
BlueRock Secure MCP Server enforces runtime security controls through configurable MCP Protection Policies. Refer to Policy Configuration guide to learn more about these policies.

Upload this config file to your bucket:

gcloud storage cp config.toml gs://<bucket-name>/

Updating Configuration Source

To ensure Bluerock agent stays synchronized with the latest policies, link your local environment to the cloud-hosted configuration. This is done by updating the config.source file's parameter with the gsutil URI.

To save the gsutil URI in the config.source file:

Locate your file: Ensure your config.toml or config.yaml is uploaded to your GCP Bucket.
Get the URI: The address should follow this format: gs://<bucket-name>/<filename>
Example: gs://bluerock-bucket/config.toml

Navigate to config.source file at:

$ cd /opt/bluerock/etc

Save the config.source file with gsutil URI from the bucket in GCP web console.

config.source

gs://bluerock-dg-internal/config.toml

# Bluerock Configuration
# ---------------------------
# `config.source` tells where to fetch the configuration file.

OTEL Event Collection

Locate the docker files at:

$ cd /opt/bluerock/otel

$ ls

docker-compose.yaml  otel-config.yaml

Run the docker:

$ sudo docker-compose up -d

List all the running dockers

$ sudo docker ps

CONTAINER ID   IMAGE                                                                                                      COMMAND                  CREATED              STATUS              PORTS                                                             NAMES
03c2db3abd92   us-docker.pkg.dev/cloud-ops-agents-artifacts/google-cloud-opentelemetry-collector/otelcol-google:0.141.0   "/otelcol-google --f…"   About a minute ago   Up About a minute   0.0.0.0:4317-4318->4317-4318/tcp, [::]:4317-4318->4317-4318/tcp   otel-collector
178d03129e78   ultracontrol:latest

Start or Restart BlueRock control plane service to load the configuration.

For Free version, the BlueRock control plane starts by default. Restart the service to apply new configurations.

$ sudo systemctl restart uc-docker.service

For Full version, the BlueRock control plane must be enabled manually and started before use.

$ sudo systemctl enable uc-docker.service
$ sudo systemctl start uc-docker.service
$ sudo systemctl status uc-docker.service

To check the logs
```
$ sudo docker log otel-collector
```

View Logs in GCP

To view logs In GCP:

Log in to your GCP account in a browser navigate to Compute Engine > VM Instances.
Select the required instance.
Select Logging.

PreviousGCP Deployments NextGCP Deployment with Terraform

Last updated 1 month ago