1. Creating the CSC PriCPA for Google Cloud
Important: Google announced the deprecation of Google Deployment Manager, with end-of-support in December 2025 and end-of-life on March 31, 2026. The Google Deployment Manager was a helpful tool that provided a GUI for deployments via the Marketplace.
As a replacement, Google recommends using Terraform. Terraform doesn't provide a "nice GUI", but it is straightforward and powerful when the templates (.tf files) are correct. In this section, we will provide the templates and instructions for deploying the CSC PriCPA on GCP using the Terraform CLI.
Note: Google Cloud Shell already has Terraform and "gcloud cli" installed.
1.1 Prerequisites
Before launching the CSC PriCPA for Google Cloud, you need to have these elements ready:
Terraform & gcloud cli: Install Terraform and "gcloud cli" on a computer.
GCP General Values: Project Name, Instance Name, Region, Zone and Machine Type.
CSC Values: SSH Key, VPC/Subnet for External Services, VPC/Subnet for Internal, VPC/Subnet for PriCPA and OutboundFW. See the following picture:
Note: The CSC PriCPA for GCP has three interfaces. Google Cloud requires that each interface be in a different VPC. VPCs and Subnets must be created in advance.
1.2 Getting the Terraform template from GCP Marketplace
Go to the GCP Marketplace offer.
→ Click "Get Started"
→ Accept (select) Terms and agreements and Click "Agree". The following screen will appear:
→ Click "Deploy". In the next screen, go to the bottom to download the Terraform file.
→ Click "Download". Download the .zip file and extract the files inside a directory.
The Zip file contains the following files:
1.3 Deploying the CSC PriCPA using Terraform
1.3.1 What is Terraform?
Terraform is a tool that lets you define and build your cloud infrastructure using code, so you can manage it in a safe, consistent, and repeatable way.
The key benefits of Terraform are:
Automation and Speed.
Consistency and Repeatability.
Version Control.
Multi-Cloud Management.
State Management.
1.3.2 Terraform, Providers, API and Target
Terraform helps you write your infrastructure as code using a specific Provider, and finally, the API executes the commands to apply the changes to the target.
In short, what Terraform does is to run the "gcloud cli" commands required to create the resources you want.
1.3.3 Using a PC or Google Cloud Shell
Depending on your circumstances, you can use a PC or the Google Cloud Shell. The Google Cloud Shell already has Terraform and "gcloud cli" installed. If you want to use a PC, you need to install Terraform and "gcloud cli" on the PC.
Instructions to install Terraform: https://developer.hashicorp.com/terraform/install
Instructions to install "gcloud cli": https://cloud.google.com/sdk/docs/install (and run "gcloud auth login" after the installation)
1.3.4 Deploy the CSC PriCPA
For each CSC you want to deploy, the steps are the same.
Create a new directory. Example: csc-pricpa-a
Unzip the template downloaded into the new directory created.
Edit the file "csc_terraform_auto.tfvars" and complete all values. See the example below.
(optional) If you want to pass configuration values to the CSC, fill the file: "configUserData.json"
Open CMD or Console in the directory, and run the following commands:
terraform init (initializes the directory for Terraform)
terraform plan --var-file csc_terraform_auto.tfvars (checks the installation before deploying)
terraform apply --var-file csc_terraform_auto.tfvars (deploys the CSC)
Done! Your CSC is deployed. As output, you will receive the values of "instance_name", "instance_machine_type", etc.
Example:
Outputs :
instance_machine_type = "e2-highcpu-4"
instance_name = "pricpa-gcp-csc-test-2-public"
instance_self_link = "https://www.googleapis.com/compute/v1/projects/maidenheadbridge-dev/zones/europe-west2-a/instances/pricpa-gcp-csc-test-2-public"
instance_zone = "europe-west2-a"
private_ip_address-internal = "10.101.20.18"
public_ip_address-pricpa-fw = "34.39.98.253"
public_ip_address-services = "34.147.174.198"
1.3.4.1 csc_terraform_auto.tfvars file
csc_terraform_auto.tfvars
# version 2.0
# ---------------------------------------------------------------------
# Copyright © 2025 Maidenhead Bridge Limited
# Contact: support@maidenheadbridge.com
#
# All rights reserved
# ----------------------------------------------------------------------
#=======================================================
## Project
project_id = "PASTE-PROJECT-NAME-HERE"
## Instance Specific variables
instance_name = "PASTE-INSTANCE-NAME-HERE" ## Sample values: csc-pricpa-01, csc-pricpa-02 and so on.
region = "PASTE-REGION-NAME-HERE" ## Sample values: us-east1, europe-west2
zone = "PASTE-ZONE-NAME-HERE" ## Sample values: us-east1-b, europe-west2-a
machine_type = "PASTE-MACHINE-TYPE-NAME-HERE" ## Sample values: e2-highcpu-4
## Paste here SSH key for user cscadmin
# Important: Create the SSH Key with comment value: cscadmin. Example: ssh-keygen -C "cscadmin"
# If you want to use a key already created, remove all comments and put cscadmin
# Example: "ssh-rsa AAAAB3NzaC1yc2EAAAADAQ........T+CtJqVok2ia20JFUOYfNf/mk= cscadmin"
ssh_key = "PASTE-SSH-KEY-HERE cscadmin" ## Public SSH Key + cscadmin
## Network specific variables
network-external-services = "PASTE-VPC-NETWORK-NAME-HERE" ## VPC Network Name for External Interface Services (eth0)
subnetwork-external-services = "PASTE-SUBNET-NETWORK-NAME-HERE" ## Subnet Network Name for External Interface Services (eth0)
network-internal = "PASTE-VPC-NETWORK-NAME-HERE" ## VPC Network Name for Internal Interface (eth1)
subnetwork-internal = "PASTE-SUBNET-NETWORK-NAME-HERE" ## Subnet Network Name for Internal Interface (eth1)
network-external-pricpa-fw = "PASTE-VPC-NETWORK-NAME-HERE" ## VPC Network Name for External Interface PriCPA & FW (eth2)
subnetwork-external-pricpa-fw = "PASTE-SUBNET-NETWORK-NAME-HERE" ## Subnet Network Name for External Interface PriCPA & FW (eth2)
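A pre-flight check for the completed csc_terraform_auto.tfvars, to run before "terraform plan". This is an added example, not part of the vendor's template; the function names and the sample values are made up for illustration. It checks the rules stated above (no leftover PASTE- placeholders, the cscadmin key comment, a different VPC per interface) and assumes GCP zone names of the form "<region>-<letter>" and the standard OpenSSH public-key layout.

```python
import base64
import re
import struct

NETS = ("network-external-services", "network-internal", "network-external-pricpa-fw")
REQUIRED = ("project_id", "instance_name", "region", "zone", "machine_type",
            "ssh_key") + NETS + tuple("sub" + n for n in NETS)

def parse_tfvars(text):
    """Return {name: value} for each `name = "value"` line; '#' comment lines never match."""
    return dict(re.findall(r'^[ \t]*([\w-]+)[ \t]*=[ \t]*"([^"\n]*)"', text, re.M))

def check_ssh_key(value):
    """The value must be one OpenSSH public-key line whose comment is cscadmin."""
    parts = value.split()
    if len(parts) != 3 or parts[2] != "cscadmin":
        return ["ssh_key must be '<type> <base64> cscadmin'"]
    try:  # the decoded blob starts with a length-prefixed copy of the key type
        blob = base64.b64decode(parts[1], validate=True)
        name = blob[4:4 + struct.unpack(">I", blob[:4])[0]]
    except (ValueError, struct.error):
        return ["ssh_key blob is not valid base64 (truncated paste?)"]
    return [] if name == parts[0].encode() else ["ssh_key blob does not match its key type"]

def validate(text):
    """Return the problems found in the text of csc_terraform_auto.tfvars."""
    v = parse_tfvars(text)
    problems = [f"{k} is missing" for k in REQUIRED if k not in v]
    problems += [f"{k} still holds a placeholder" for k in v if "PASTE-" in v[k]]
    if problems:
        return problems
    if not v["zone"].startswith(v["region"] + "-"):
        problems.append("zone does not belong to region")
    if len({v[n] for n in NETS}) < len(NETS):
        problems.append("eth0, eth1 and eth2 must each be in a different VPC")
    return problems + check_ssh_key(v["ssh_key"])

# Constructed sample: made-up names and an all-zero ed25519 key, not a real deployment.
_blob = struct.pack(">I", 11) + b"ssh-ed25519" + struct.pack(">I", 32) + bytes(32)
SAMPLE_KEY = "ssh-ed25519 " + base64.b64encode(_blob).decode() + " cscadmin"
SAMPLE = "\n".join(f'{k} = "{val}"' for k, val in {
    "project_id": "example-project", "instance_name": "csc-pricpa-01",
    "region": "europe-west2", "zone": "europe-west2-a", "machine_type": "e2-highcpu-4",
    "ssh_key": SAMPLE_KEY, "network-internal": "vpc-int", "subnetwork-internal": "sub-int",
    "network-external-services": "vpc-ext", "subnetwork-external-services": "sub-ext",
    "network-external-pricpa-fw": "vpc-ext", "subnetwork-external-pricpa-fw": "sub-fw",
}.items())

if __name__ == "__main__":
    print(validate(SAMPLE))
```

The constructed sample deliberately reuses one VPC for eth0 and eth2, so the check reports that problem; an empty list means the file passed.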
1.3.4.2 configUserData.json file
IMPORTANT: See Appendix B of the Admin Guide for format and examples of the configUserData.json file.
Via the configUserData.json file, you can pass values to parameters during the installation of the CSC. You can set up:
AWS SSM agent registration values.
DNS servers
Syslog servers and traffic log configuration.
Outbound FW configuration. Enable and JSON URL.
PriCPA Local configuration values, Peers URL and Remote Management Networks.
SSH Restrictions via eth1 and wg0.
Admin Management: Enable csccli user and SSH Key.
configUserData.json (blank)
The fields in bold are not configurable; please do not modify them.
configUserData.json
{
  "model": "csc-pricpa-gcp",
  "type": "configUserData",
  "version": "2.0.0",
  "awsSsmAgent": {
    "enable": "no",
    "activationCode": "",
    "activationId": "",
    "awsRegion": ""
  },
  "dns": {
    "useCloudDns": "yes",
    "primaryDnsIp": "",
    "secondaryDnsIp": ""
  },
  "syslog": {
    "enable": "no",
    "primaryServer": {
      "ip": "",
      "port": ""
    },
    "secondaryServer": {
      "ip": "",
      "port": ""
    },
    "trafficLogs": {
      "enable": "no"
    }
  },
  "outboundFw": {
    "enable": "no",
    "fwRules": {
      "jsonUrl": "",
      "rulesQty": ""
    }
  },
  "priCPA": {
    "enable": "no",
    "nodeName": "",
    "location": "",
    "description": "",
    "publicUdpPort": "51820",
    "privateCirdIp": "",
    "persistentKeepAlive": "no",
    "peersJsonFileUrl": "",
    "remoteManagementNetworks": []
  },
  "sshRestrictions": {
    "eth1": {
      "enable": "no",
      "allowedNetworks": []
    },
    "wg0": {
      "enable": "no",
      "allowedNetworks": []
    }
  },
  "adminManagement": {
    "csccli": {
      "enable": "no",
      "sshPublicKey": ""
    }
  }
}
1.3.5 Removing the CSC PriCPA
If you need to remove the CSC PriCPA, do the following:
Open CMD or Console in the directory, and run the following command:
terraform destroy --var-file csc_terraform_auto.tfvars (removes all resources created previously)