Deploy Firetiger to Google Cloud
This document describes how to deploy Firetiger to a GCP project in your GCP organization.
During this process, you will:
- Create a new GCP Project configured with a Billing Account
- Enable required service APIs within the project
- Grant Firetiger permission to deploy the Firetiger stack in your new project
Prerequisites
- You, the Firetiger customer, have access to the Google Cloud Console with permission to:
  - Create and Manage Projects (i.e. roles/resourcemanager.projectCreator)
  - Associate a project with a GCP Billing Account (i.e. roles/billing.user)
  - Enable APIs within the new project
  - Manage IAM permissions within the new project
- Google Cloud CLI installed (gcloud)
Setup
First, we’ll ensure we have a GCP Project and that it is associated with a billing account:
- Create a new project (if not using an existing one):
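# Create new project (optional - can use existing)
# Set $company to your company name first; if it is unset, the ID ends in a hyphen, which GCP rejects
export GCP_PROJECT_ID="firetiger-$company"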
gcloud projects create $GCP_PROJECT_ID --name="Firetiger"
# Set the working project
gcloud config set project $GCP_PROJECT_ID
- Associate the project with a Billing Account
First, choose the relevant Billing Account for your GCP Organization. You can see your billing accounts by running:
gcloud billing accounts list
Then, configure your billing account ID and link it to the new project:
export BILLING_ACCOUNT_ID="your-billing-account-id"
gcloud billing projects link $GCP_PROJECT_ID --billing-account $BILLING_ACCOUNT_ID
- Enable Required Services in Your Project:
# Enable services required by Firetiger
gcloud --project $GCP_PROJECT_ID services enable \
cloudresourcemanager.googleapis.com \
iam.googleapis.com \
artifactregistry.googleapis.com \
cloudbuild.googleapis.com \
cloudfunctions.googleapis.com \
eventarc.googleapis.com \
run.googleapis.com \
cloudscheduler.googleapis.com \
sqladmin.googleapis.com \
secretmanager.googleapis.com \
storage.googleapis.com \
pubsub.googleapis.com \
logging.googleapis.com \
bigquery.googleapis.com
- Grant Firetiger Permission to Deploy the Firetiger Stack to your project (via Service Account)
export FIRETIGER_SA="deployer@firetiger-control-plane.iam.gserviceaccount.com"
# Grant the firetiger.com domain and the Firetiger deployer service account the roles they need on your project
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="domain:firetiger.com" \
--role="roles/editor"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/editor"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/resourcemanager.projectIamAdmin"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/secretmanager.admin"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/run.admin"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/artifactregistry.admin"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/pubsub.admin"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/storage.admin"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/serviceusage.serviceUsageAdmin"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/iam.serviceAccountUser"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/logging.configWriter"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/bigquery.admin"
gcloud projects add-iam-policy-binding $GCP_PROJECT_ID \
--member="serviceAccount:$FIRETIGER_SA" \
--role="roles/cloudfunctions.admin"
- Share your new GCP Project ID with your Firetiger point of contact
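To confirm that the grant step bound exactly the documented roles to the Firetiger principals and nothing more, the following added example (not part of Firetiger's own documentation) compares the project's IAM policy with the role list on this page. The function names and the `audit` argument are assumptions made for this example, and it does not inspect IAM conditions.

```shell
#!/bin/sh
# Added example: hypothetical helper names, not Firetiger tooling.
# Roles this page grants to the deployer service account.
SA_ROLES="roles/editor
roles/resourcemanager.projectIamAdmin
roles/secretmanager.admin
roles/run.admin
roles/artifactregistry.admin
roles/pubsub.admin
roles/storage.admin
roles/serviceusage.serviceUsageAdmin
roles/iam.serviceAccountUser
roles/logging.configWriter
roles/bigquery.admin
roles/cloudfunctions.admin"
# Role this page grants to the firetiger.com domain.
DOMAIN_ROLES="roles/editor"

# diff_roles EXPECTED ACTUAL: both are newline-separated role lists.
# Prints "MISSING <role>" or "UNEXPECTED <role>" per difference; silent on a match.
diff_roles() {
  printf '%s\n' "$1" | while IFS= read -r r; do
    [ -n "$r" ] || continue
    printf '%s\n' "$2" | grep -Fxq -- "$r" || printf 'MISSING %s\n' "$r"
  done
  printf '%s\n' "$2" | while IFS= read -r r; do
    [ -n "$r" ] || continue
    printf '%s\n' "$1" | grep -Fxq -- "$r" || printf 'UNEXPECTED %s\n' "$r"
  done
}

# roles_for MEMBER: roles bound to MEMBER on $GCP_PROJECT_ID (calls gcloud).
# The ":" filter is a pattern match, so similarly named members are included.
roles_for() {
  gcloud projects get-iam-policy "$GCP_PROJECT_ID" \
    --flatten="bindings[].members" \
    --filter="bindings.members:$1" \
    --format="value(bindings.role)"
}

# The live check runs only when the script is invoked with the argument "audit".
if [ "${1:-}" = "audit" ]; then
  sa="serviceAccount:${FIRETIGER_SA:?export FIRETIGER_SA as in the grant step}"
  drift=$(diff_roles "$SA_ROLES" "$(roles_for "$sa")"
          diff_roles "$DOMAIN_ROLES" "$(roles_for "domain:firetiger.com")")
  [ -z "$drift" ] || { printf '%s\n' "$drift"; exit 1; }
  echo "IAM bindings match the documented grants"
fi
```

Re-running the check after Firetiger finishes its deployment shows whether any bindings for these principals were added or removed since the initial grant.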
Next Steps
Firetiger will set up resources in that project. They’ll add a bucket that will hold data, services that ingest and compact data, and credentials for access. They’ll give you connection info, which will include URLs for ingesting and querying data as well as credential sets.
Firetiger can ingest data in multiple ways.
Refer to the following documentation for instructions on how to send data to Firetiger:
Additional Resources
How to Create Public Google Cloud Run Services When Domain Restricted Sharing is Enabled