Installing the connector

Installation is provided as a bash script. The script supports multi-region installation of the connector (the script should be run separately for each region). The number of regions isn’t limited. The script also creates the backend configuration.

The installation script does the following during execution:

  1. Checks the GCP credentials (for Terraform), GCP project, and GOOGLE_APPLICATION_CREDENTIALS environment variable (for the Google Cloud CLI)

  2. Configures a Cloud Storage bucket as a global resource for the Terraform backend configuration and another bucket as a regional resource for the acme_accounts.yaml file and source code files.

  3. Configures the workspace.

  4. Executes Terraform commands.

The script performs the following actions on GCP for certificate management:

  1. Installs the configuration file(s) and source code files in the Cloud Storage bucket.

  2. Installs the Cloud Function module.

  3. Installs the Cloud Scheduler module for logging and auto-renewal.

  4. Enables the IAM service account for accessing the Cloud Function trigger.

A Cloud Storage bucket is created for the backend configuration of Terraform. When terraform init is run for the first time, Terraform creates the first state file in the bucket. For every subsequent action (apply, change, destroy), these state files are updated. Terraform needs access to that bucket for proper operation. If the .terraform.lock.hcl file is removed accidentally, run terraform init again.

Install the connector

Execute the install.sh file in your shell to run the installation script. You can install the connector to your default region or to a specific region, and repeat the installation for multiple regions.

Default region

Run ./install.sh (if you haven’t provided the execute permission to the script, run bash install.sh). The script installs the connector to your default GCP region.

The script does the following:

  1. Creates a Cloud Storage bucket for the Terraform backend configuration in the default region and initializes state files in this bucket.

  2. Creates a Cloud Storage bucket for the acme_accounts.yaml file and source code files in the default region.

  3. Creates the Terraform workspace with the same name as the GCP region.

  4. Executes terraform plan && terraform apply.

Specific region

Run ./install.sh <region_name>. For example, to install the connector to the us-east1 region, run ./install.sh us-east1. For multi-region installation, repeat this step for each region.

The script does the following:

  1. Creates a Cloud Storage bucket for the Terraform backend configuration in the specified region and initializes state files in this bucket.

  2. Creates a Cloud Storage bucket for the acme_accounts.yaml file and source code files in the specified region.

  3. Creates the Terraform workspace with the same name as the GCP region.

  4. Executes terraform plan && terraform apply.

GCP resources created

The script creates GCP resources with a specific naming convention to allow for multi-region installation. The script appends the region name to all resource names. For example, if you install the connector in the us-central1 region, then the GCP resources are given the following names:

  • Cloud Function: SectigoGCPCM-us-central1

  • Cloud Storage bucket: sectigo-gcp-cm-us-central1-$date (Cloud Storage bucket names must be globally unique, so a timestamp is appended)

    A bucket for the Terraform backend configuration is created in Cloud Storage via install.sh in the default region. You can run gcloud config get-value functions/region to find out the default region. The backend bucket is created once per region and is not re-created on subsequent runs for the same region.

  • HTTP trigger: us-central1-local-project-340815.cloudfunctions.net/SectigoGCP-us-central1
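The following script is an added example and is not the connector's own install.sh; it walks through the documented per-region flow (backend bucket, regional files bucket, backend configuration, region-named workspace, plan and apply) and applies the region-suffixed naming convention described above. The project id (my-gcp-project), the backend bucket name (sectigo-gcp-cm-tfstate-<region>), the Terraform variable names and the state prefix are assumptions, since the page does not give them. With DRY_RUN=1 (the default) every gcloud, gsutil and terraform command is printed instead of executed, so the flow can be inspected before running it against a project.

```shell
#!/usr/bin/env bash
# Added example (not the connector's install.sh): a per-region install flow that
# follows the documented steps. With DRY_RUN=1 (the default) every gcloud,
# gsutil and terraform command is printed instead of executed.
set -eu

DRY_RUN="${DRY_RUN:-1}"
GCP_PROJECT="${GCP_PROJECT:-my-gcp-project}"   # assumption: placeholder project id
NAME_PREFIX="${NAME_PREFIX:-sectigo-gcp-cm}"   # prefix taken from the page's bucket example
WORKDIR="${WORKDIR:-$(mktemp -d)}"             # where backend.tf is written

run() {
  # Print the command in dry-run mode, otherwise execute it.
  if [ "$DRY_RUN" = "1" ]; then printf '%s\n' "$*"; else "$@"; fi
}

default_region() {
  # The page points at gcloud config for the default functions region;
  # the dry-run value is constructed for offline use.
  if [ "$DRY_RUN" = "1" ]; then echo "us-central1"; else gcloud config get-value functions/region; fi
}

valid_region() {
  # GCP region ids look like us-east1 or europe-west4.
  printf '%s' "$1" | grep -Eq '^[a-z]+-[a-z]+[0-9]+$'
}

function_name() { printf 'SectigoGCPCM-%s\n' "$1"; }

files_bucket_name() {
  # Regional bucket for acme_accounts.yaml and sources; the timestamp keeps the
  # globally unique bucket name from colliding with earlier installs.
  printf '%s-%s-%s\n' "$NAME_PREFIX" "$1" "$2"
}

backend_bucket_name() {
  # Assumption: the page does not name the backend bucket, so one is derived here.
  printf '%s-tfstate-%s\n' "$NAME_PREFIX" "$1"
}

backend_config() {
  # Terraform GCS backend block; a per-region prefix keeps each region's state separate.
  cat <<EOF
terraform {
  backend "gcs" {
    bucket = "$1"
    prefix = "connector/$2"
  }
}
EOF
}

ensure_bucket() {
  # Create the bucket only if it is missing, so re-running for a region is safe.
  if [ "$DRY_RUN" = "1" ] || ! gsutil ls -b "gs://$1" >/dev/null 2>&1; then
    run gsutil mb -p "$GCP_PROJECT" -l "$2" "gs://$1"
  fi
}

install_region() {
  region="${1:-$(default_region)}"
  valid_region "$region" || { echo "invalid region: $region" >&2; return 1; }
  stamp="${2:-$(date +%Y%m%d%H%M%S)}"
  backend="$(backend_bucket_name "$region")"
  files="$(files_bucket_name "$region" "$stamp")"

  # 1. Backend bucket (reused across runs) and regional files bucket.
  ensure_bucket "$backend" "$region"
  ensure_bucket "$files" "$region"
  run gsutil cp acme_accounts.yaml "gs://$files/"

  # 2. Backend configuration, then init against it.
  backend_config "$backend" "$region" > "$WORKDIR/backend.tf"
  run terraform -chdir="$WORKDIR" init -reconfigure

  # 3. One workspace per region, named after the region.
  run sh -c "terraform -chdir=$WORKDIR workspace select $region || terraform -chdir=$WORKDIR workspace new $region"

  # 4. Plan and apply (variable names are assumptions).
  run terraform -chdir="$WORKDIR" plan -out=tfplan -var="region=$region" -var="files_bucket=$files"
  run terraform -chdir="$WORKDIR" apply tfplan

  echo "Cloud Function: $(function_name "$region")"
}

install_region "${1:-}"
```

Run it with a region argument (./example.sh us-east1) or without one to use the default region; set DRY_RUN=0 only once the printed commands match what you expect for your project.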

GCP resource names

After installing the connector, the names of all important resources (the Cloud Function name, the URL of the Cloud Storage bucket, the trigger URL for an HTTP function, and more) are printed to the console. Make sure to enter the Cloud Function name correctly when you invoke the function for your region.

gcloud functions call SectigoGCPCM-us-central1 \
--data '{"action": "enroll", "domains": "<domain_name>", "account": "<account_name>"}' \
--format=json
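Because the --data payload is a JSON string inside shell quotes, a misplaced quote turns a valid request into a parse error at the function. The helper below is an added example, not part of the connector, that builds the enroll payload with escaped values, checks the domain name before sending, and prints the gcloud call in dry-run mode (DRY_RUN=1, the default). The function name follows the SectigoGCPCM-<region> convention from this page; the domain check is a plain RFC 1123 hostname pattern and is an assumption about what the connector accepts.

```shell
#!/usr/bin/env bash
# Added example (not the connector's code): build the --data payload for the
# connector's HTTP function with correct JSON quoting and call it, or print the
# call when DRY_RUN=1.
set -eu
DRY_RUN="${DRY_RUN:-1}"

json_escape() {
  # Escape backslashes and double quotes so a value cannot break out of the JSON string.
  printf '%s' "$1" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g'
}

valid_domain() {
  # RFC 1123 hostname: dot-separated labels of alphanumerics and hyphens, alphabetic TLD.
  printf '%s' "$1" | grep -Eq '^([a-z0-9]([a-z0-9-]*[a-z0-9])?\.)+[a-z]{2,}$'
}

enroll_payload() {
  # Produces {"action": "enroll", "domains": "<domain>", "account": "<account>"}
  printf '{"action": "enroll", "domains": "%s", "account": "%s"}' \
    "$(json_escape "$1")" "$(json_escape "$2")"
}

call_connector() {
  region="$1"; domain="$2"; account="$3"
  valid_domain "$domain" || { echo "invalid domain: $domain" >&2; return 1; }
  payload="$(enroll_payload "$domain" "$account")"
  if [ "$DRY_RUN" = "1" ]; then
    printf 'gcloud functions call SectigoGCPCM-%s --data %s --format=json\n' "$region" "$payload"
  else
    gcloud functions call "SectigoGCPCM-$region" --data "$payload" --format=json
  fi
}

# Usage: ./enroll.sh <region> <domain> <account>
if [ $# -eq 3 ]; then call_connector "$1" "$2" "$3"; fi
```

Passing the payload through a variable ("$payload") rather than retyping it on the command line keeps the quoting in one place, which is where the original example went wrong.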

The logs are stored in the install-<region>.log (created by the connector) and terraform-install.txt (created by Terraform) files. The <region> part of the log filename indicates the region where the resources were installed.