Deploying PO Box in GCP

This playbook provides step-by-step instructions for deploying PO Box in GCP. The steps cover creating a service account with the necessary permissions, setting up Google Artifact Registry (GAR), creating a Cloud Storage bucket and a Cloud Run job, and adding a trigger that runs the job every 24 hours with the required configuration.

Prerequisites

  • A Google Cloud project has been created

  • Necessary permissions to create resources in the GCP project

  • The Artifact Registry API and Cloud Run API are enabled


Steps for PO Box deployment in GCP

Option 1: Run Scripts on Google Cloud Shell

  1. Log in to https://console.cloud.google.com/ and open the project you set up. Open Google Cloud Shell from the top right corner of the screen. Copy the scripts below and update the variable values with your information to create the resources.

Create Cloud Storage and Service Account to Read the ZINC Image from GAR

  1. Run the script below to create a Cloud Storage bucket for storing the Zilla_API_Key, create a service account, and grant it permission to pull the latest ZINC image from GAR.

```bash
#!/bin/bash
set -euo pipefail

# Set Variables
PROJECT_ID="zilla-pobox-project"          # Replace with your project ID
REGION="us-east1"                         # Specify your region
BUCKET_NAME="pobox-storage-bucket"        # GCS bucket name
# Service account IDs must be 6-30 lowercase letters, digits or hyphens;
# the mixed-case "zincImageReader" is rejected by gcloud.
SERVICE_ACCOUNT_NAME="zinc-image-reader"
SERVICE_ACCOUNT_EMAIL="$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com"
KEY_FILE_NAME="zincImageReader.json"      # Service account key file name

# Folder structure inside the bucket (no trailing slashes, which would produce "zilla/pobox-config//")
PARENT_FOLDER="zilla"
FOLDER1="pobox-config"
FOLDER2="pobox-output"

# Enable Required APIs
echo "Enabling required APIs..."
gcloud services enable storage.googleapis.com \
  artifactregistry.googleapis.com \
  run.googleapis.com \
  --project="$PROJECT_ID"

# Create Cloud Storage Bucket and Folder Structure
echo "Creating Cloud Storage bucket '$BUCKET_NAME'..."
gsutil mb -p "$PROJECT_ID" -c STANDARD -l "$REGION" "gs://$BUCKET_NAME/"
echo "Creating folder structure inside the '$PARENT_FOLDER' folder..."
gsutil cp /dev/null "gs://$BUCKET_NAME/$PARENT_FOLDER/$FOLDER1/empty-file.txt"
gsutil cp /dev/null "gs://$BUCKET_NAME/$PARENT_FOLDER/$FOLDER2/empty-file.txt"

# Verify that the bucket was created successfully
if gsutil ls -b "gs://$BUCKET_NAME" >/dev/null 2>&1; then
  echo "Bucket '$BUCKET_NAME' created successfully in $REGION."
else
  echo "Failed to create bucket '$BUCKET_NAME'."
  exit 1
fi

# Create Service Account
echo "Creating Service Account..."
gcloud iam service-accounts create "$SERVICE_ACCOUNT_NAME" \
  --project="$PROJECT_ID" \
  --display-name="Service Account for Cloud Storage and Cloud Run"

# Assign Permissions for Artifact Registry and Cloud Storage
echo "Assigning permissions to Service Account..."
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
  --role="roles/artifactregistry.reader"   # Read permission for Artifact Registry
# A project-level objectAdmin binding covers every bucket in the project. For least
# privilege, bind the role on this one bucket instead:
#   gsutil iam ch "serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin" "gs://$BUCKET_NAME"
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member="serviceAccount:$SERVICE_ACCOUNT_EMAIL" \
  --role="roles/storage.objectAdmin"       # Admin permission for Cloud Storage objects

# Create and Download Service Account Key (JSON).
# The Cloud Run job authenticates with the attached service account and does not use this
# key; it is a long-lived credential, so store it securely or delete it if it is not needed.
echo "Creating and downloading the service account key..."
gcloud iam service-accounts keys create "$KEY_FILE_NAME" \
  --iam-account="$SERVICE_ACCOUNT_EMAIL" \
  --project="$PROJECT_ID"

echo "Service Account '$SERVICE_ACCOUNT_NAME' created successfully."
echo "Service Account key saved to '$KEY_FILE_NAME'."
```

Add Client Credentials or Zilla_API_Key

Client Credentials Flow (Preferred): Add ZILLA_CLIENT_ID and ZILLA_CLIENT_SECRET, obtained by following the instructions in Add Multiple PO Boxes in Zilla, as environment variables when creating the container in the next step.

Zilla_API_Key Flow: Store the Zilla_API_Key provided by Customer Success in the folder zilla → pobox-config.

Create Cloud Run Job to Start a Container

  1. Run the script below to create a Cloud Run job that starts a container and mounts the bucket created previously.

```bash
#!/bin/bash
set -euo pipefail

# Set Variables
PROJECT_ID="zilla-pobox-project"            # Replace with your project ID
REGION="us-east1"                           # Specify your region
CLOUD_RUN_JOB_NAME="pobox-cloud-run-job"    # Cloud Run Job name
IMAGE="<Image name provided by CS team>"    # Replace with your image (e.g., Docker image URL); keep it quoted

# Cloud Storage Bucket details (must match the previous script)
BUCKET_NAME="pobox-storage-bucket"          # GCS bucket name created in the step above
PARENT_FOLDER="zilla"
FOLDER1="pobox-config"
FOLDER2="pobox-output"
MOUNT_PATH="/mnt"                           # Where the bucket is mounted inside the container

# Service Account details (must match the previous script)
SERVICE_ACCOUNT_NAME="zinc-image-reader"
SERVICE_ACCOUNT_EMAIL="$SERVICE_ACCOUNT_NAME@$PROJECT_ID.iam.gserviceaccount.com"

# Environment Variables to be passed to the Cloud Run job
ZILLA_URL="https://app.zillasecurity.com"
TENANT_DOMAIN="<tenant domain>"
USE_FILE_SYSTEM="true"
# Mount path plus bucket folder; object names are case-sensitive, so the case must match the folders
SECRETS_DIRECTORY_PATH="$MOUNT_PATH/$PARENT_FOLDER/$FOLDER1"   # /mnt/zilla/pobox-config
STORAGE_DIRECTORY_PATH="$MOUNT_PATH/$PARENT_FOLDER/$FOLDER2"   # /mnt/zilla/pobox-output
# Required only when using Client Credentials Flow (New)
ZILLA_CLIENT_ID="<ZILLA_CLIENT_ID from CS>"
ZILLA_CLIENT_SECRET="<ZILLA_CLIENT_SECRET from CS>"

# Enable Required APIs
echo "Enabling required APIs..."
gcloud services enable run.googleapis.com storage.googleapis.com artifactregistry.googleapis.com \
  --project="$PROJECT_ID"

# Create Cloud Run Job.
# --set-env-vars stores the client secret in the job definition, readable by anyone who can
# view the job; keeping it in Secret Manager and passing it with
# --set-secrets="ZILLA_CLIENT_SECRET=<secret name>:latest" keeps it out of the job spec.
echo "Creating Cloud Run Job '$CLOUD_RUN_JOB_NAME'..."
gcloud beta run jobs create "$CLOUD_RUN_JOB_NAME" \
  --image="$IMAGE" \
  --project="$PROJECT_ID" \
  --region="$REGION" \
  --service-account="$SERVICE_ACCOUNT_EMAIL" \
  --tasks=1 \
  --max-retries=3 \
  --task-timeout=168h \
  --set-env-vars="ZILLA_URL=$ZILLA_URL,TENANT_DOMAIN=$TENANT_DOMAIN,USE_FILE_SYSTEM=$USE_FILE_SYSTEM,SECRETS_DIRECTORY_PATH=$SECRETS_DIRECTORY_PATH,STORAGE_DIRECTORY_PATH=$STORAGE_DIRECTORY_PATH,ZILLA_CLIENT_ID=$ZILLA_CLIENT_ID,ZILLA_CLIENT_SECRET=$ZILLA_CLIENT_SECRET" \
  --cpu=1 \
  --memory=1Gi \
  --add-volume="name=volume1,type=cloud-storage,bucket=$BUCKET_NAME" \
  --add-volume-mount="volume=volume1,mount-path=$MOUNT_PATH"

# The bucket is mounted into the container, so its contents are available as files at runtime
echo "Cloud Run job is now created. Inside the container the bucket is mounted at '$MOUNT_PATH':"
echo "  credentials are read from  $SECRETS_DIRECTORY_PATH"
echo "  output is written to       $STORAGE_DIRECTORY_PATH"

# Verify that the Cloud Run Job was created successfully
if gcloud run jobs describe "$CLOUD_RUN_JOB_NAME" --project="$PROJECT_ID" --region="$REGION" >/dev/null 2>&1; then
  echo "Cloud Run Job '$CLOUD_RUN_JOB_NAME' created successfully."
else
  echo "Failed to create Cloud Run Job '$CLOUD_RUN_JOB_NAME'."
  exit 1
fi
```
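
The two scripts above fail in non-obvious ways when a variable is wrong: a mixed-case service account ID is rejected by gcloud, an unfilled <...> placeholder reaches the API (or, unquoted, is parsed as a shell redirection), trailing slashes produce a double slash in the object path, and a directory path whose case differs from the bucket folder points at an empty directory inside the container. The pre-flight checks below are an added example, not part of the original playbook or of the Zilla product; they validate those variables locally before any gcloud call is made, using Google Cloud's documented length and character rules for service account IDs and bucket names.

```bash
# Service account IDs: 6-30 chars, lowercase letters, digits and hyphens, starting
# with a letter; gcloud rejects the mixed-case "zincImageReader".
valid_sa_name() {
  [ "${#1}" -ge 6 ] && [ "${#1}" -le 30 ] || return 1
  printf '%s' "$1" | grep -Eq '^[a-z][a-z0-9-]*$'
}

# Bucket names: 3-63 chars, lowercase letters, digits, dots, hyphens and underscores,
# starting and ending with a letter or digit, and not beginning with "goog".
valid_bucket_name() {
  [ "${#1}" -ge 3 ] && [ "${#1}" -le 63 ] || return 1
  case "$1" in goog*) return 1 ;; esac
  printf '%s' "$1" | grep -Eq '^[a-z0-9][a-z0-9._-]*[a-z0-9]$'
}

# An unfilled "<...>" placeholder (or an empty value) must never reach gcloud;
# left unquoted, "<Image name>" is even parsed by the shell as a redirection.
is_placeholder() {
  case "$1" in ''|*'<'*'>'*) return 0 ;; *) return 1 ;; esac
}

# Join folder names without a double slash: "zilla/" + "pobox-config/" -> "zilla/pobox-config".
join_gcs_path() {
  joined=""
  for part in "$@"; do
    part="${part#/}"; part="${part%/}"
    [ -n "$part" ] && joined="${joined:+$joined/}$part"
  done
  printf '%s' "$joined"
}

# The *_DIRECTORY_PATH values must equal the mount path plus the bucket folder. Object names
# are case-sensitive: with folder "zilla/", "/mnt/Zilla/pobox-config" is empty in the container.
mount_path_matches() {
  [ "$1/$(join_gcs_path "$2")" = "$3" ]
}

# Run all checks over one set of script variables; returns the number of problems found.
preflight() {
  errors=0
  valid_sa_name "$1"     || { echo "bad service account name: $1";     errors=$((errors+1)); }
  valid_bucket_name "$2" || { echo "bad bucket name: $2";              errors=$((errors+1)); }
  is_placeholder "$3"    && { echo "IMAGE is still a placeholder: $3"; errors=$((errors+1)); }
  mount_path_matches /mnt "$4" "$5" || { echo "$5 does not match mount of $4"; errors=$((errors+1)); }
  return "$errors"
}
```

Call `preflight "$SERVICE_ACCOUNT_NAME" "$BUCKET_NAME" "$IMAGE" "$PARENT_FOLDER/$FOLDER1" "$SECRETS_DIRECTORY_PATH"` at the top of the job script, before the first gcloud command, and abort on a non-zero return.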

  2. Navigate to the created job and click EXECUTE to start the job.

  3. Verify the logs to confirm a successful deployment.

Set Up a cron Job and Trigger to Pull the Image Every 24 Hours

  1. Expand the navigation menu by clicking the hamburger icon in the upper left corner of the page and select Cloud Run. Click DEPLOY CONTAINER → Job.

  2. Select job created in the previous step, click the TRIGGERS tab, and click + ADD SCHEDULER TRIGGER.

  3. Add a Name, Region, and Frequency. Click CONTINUE and then click CREATE.


Option 2: Manual Deployment Through Google Cloud Platform

Create Service Account for Reading the ZINC Image from GAR and Give Necessary Permissions

  1. Open the Google Cloud Platform, open the left navigation panel, and go to IAM & Admin -> Service Accounts.

  2. Click CREATE SERVICE ACCOUNT.

  3. Add the details listed below, click CREATE AND CONTINUE, and then click DONE.

    1. Service account name: zincImageReader

    2. Service account ID: This is auto-generated based on the service account name.

    3. Service account description (Optional): Provide a description. For example, "Service account for reading the ZINC image from Artifact Registry".

  4. Copy the service account email and share it with the Support team so they can grant it Artifact Registry Reader permissions on GAR.

Add Client Credentials or Zilla_API_Key

Client Credentials Flow (Preferred): Add ZILLA_CLIENT_ID and ZILLA_CLIENT_SECRET, obtained by following the instructions in Add Multiple PO Boxes in Zilla, as environment variables when creating the container in the next step.

Zilla_API_Key Flow: Store the Zilla_API_Key provided by Customer Success in the folder zilla → pobox-config.

  • On the Cloud Storage Overview page, click + CREATE BUCKET.

  • Add a name for the bucket, click CONTINUE, and click CREATE.

  • Create a zilla folder containing the folders pobox-config and pobox-output, and store the Zilla access token provided by Support in the pobox-config folder.

Create Cloud Run Job with Service Account to Pull the Image

Ensure the ZINC image is stored in Google Artifact Registry (GAR) and that you have created a service account with the Artifact Registry Reader role described in the previous steps.

  1. Expand the navigation menu by clicking the hamburger icon in the upper left corner of the page and select Cloud Run. Click DEPLOY CONTAINER → Job.

  2. Add a Job name, Region, and Number of tasks, and click CREATE.

  3. Go to the Container(s), Volumes, Connections, Security section and enter pobox-container as the Container name.

  4. Navigate to the VARIABLES & SECRETS tab and add the variables listed below.

```bash
ZILLA_URL='https://app.zillasecurity.com'
TENANT_DOMAIN='<tenant domain name>'                 # tenant domain
POLLING_INTERVAL='30'
SEND_LOGS_TO_BACKEND='true'
USE_FILE_SYSTEM='true'
# Mount path plus bucket folder; object names are case-sensitive, so the case must match the zilla folder exactly
SECRETS_DIRECTORY_PATH='/mnt/zilla/pobox-config'
STORAGE_DIRECTORY_PATH='/mnt/zilla/pobox-output'
ZILLA_CLIENT_ID='<Client id provided by CS team>'          # Client Credentials Flow only
ZILLA_CLIENT_SECRET='<Client secret provided by CS team>'  # Client Credentials Flow only
```

  5. Navigate to the VOLUME MOUNTS tab and add the volume name and the mount path (/mnt, so that the directory paths above resolve to the bucket folders).

  6. In Task capacity, enter 168 in the Task timeout field.

  7. Navigate to the VOLUMES tab and add a Cloud Storage bucket volume using the bucket name created previously.

  8. Add the service account created previously. It is used to pull the image.

Set Up a cron Job and Trigger to Pull the Image Every 24 Hours

  1. Expand the navigation menu by clicking the hamburger icon in the upper left corner of the page and select Cloud Run. Click DEPLOY CONTAINER → Job.

  2. Select job created in the previous step, click the TRIGGERS tab, and click + ADD SCHEDULER TRIGGER.

  3. Add a Name, Region, and Frequency. Click CONTINUE and then click CREATE.
