Deploy an Ubuntu/Debian Google Cloud Platform Server with Userdata and an Enrollment Token

Overview

This guide provides the information you need to deploy an Ubuntu/Debian Google Cloud Platform Server with systemd using Userdata and an Advanced Server Access enrollment token. Depending on your target server and enrollment type, some topics in this guide may not apply to you, for example if your team's project will not be using enrollment tokens or if you plan to add a different server type to your project. Modify your steps as needed to fit your team, or refer to a different guide on the cloud deployments page.

Creating a cloud server with Userdata means installing the Advanced Server Access Agent at the same time you create a server with a cloud provider. Using user data to install software on a new cloud server works with any cloud provider; the user data specifies the software you want on your servers. Installing the Advanced Server Access Agent on a cloud server doesn't have to be done when the cloud server is created, but running the installation as a startup script alongside the server's creation means the server is enrolled and managed from its first boot, which keeps your cloud deployment as safe and secure as possible.

Prerequisites

You need the following to deploy an Ubuntu/Debian Google Cloud Platform Server with Userdata and an enrollment token:

Google Cloud Platform

Requirement                      Description
Google Cloud Platform Account    A Google Cloud Platform account is needed to access the Google Cloud Platform console, where you can create a Virtual Machine for your team.

Advanced Server Access

Requirement                      Description
Advanced Server Access Team      This is the top-level object representing an organization within Advanced Server Access.
Advanced Server Access Project   This is the authorization scope of your team, organizing your Users, Groups, and Servers.

Procedures

Deploying an Ubuntu/Debian Google Cloud Platform Server with Userdata and an enrollment token can be done in the following steps:

  1. Create an Advanced Server Access Enrollment Token
  2. Create a Google Cloud Platform Project
  3. Create and Enroll a Virtual Machine using Userdata

Create an Advanced Server Access Enrollment Token

  1. Within the Advanced Server Access console, select the Projects header at the top of the page
  2. Select the project you want to add your server to
  3. Click the Enrollment tab within that Project's console and click the Create an Enrollment Token button

    Note: You can use the same enrollment token every time you add a server to your team. If you have already created an enrollment token, skip this step.

  4. Create a description for your new Enrollment token if prompted, and click Submit
  5. Once the token has been successfully created, copy the string of characters in the Token field and store it in a safe location

Create a Google Cloud Platform Project

  1. Navigate to the Google Cloud Platform console and log in to your account
  2. Use the Select a project dropdown at the top of the page to click the New Project button
  3. Create a new name for your project and use the Location field to set its parent organization or folder
  4. Click the Create button when you are finished creating your project
  5. In your new Project's Dashboard, copy the Project ID number listed in the Project Info section and store it in a safe location

    Note: To find your project's dashboard, use the Select a project dropdown at the top of the console

Create and Enroll a Virtual Machine using Userdata

  1. Use the bar on the left side of the Google Cloud Platform Console to select Compute Engine and then VM instances
  2. If prompted, use the Select a project dropdown menu to choose your newly created project
  3. Click the Create button
  4. Create a name for your new server and set its Region and Zone using their respective dropdown menus. These options dictate where your server is located
  5. Click the Management, security, disks, networking, sole tenancy dropdown to expand it
  6. In the Startup Script text field, copy and paste the following text:

    #!/bin/bash
    # Google Cloud Platform runs startup scripts as root, so the sudo prefixes
    # below are harmless but not required.

    echo "Add an enrollment token"
    sudo mkdir -p /var/lib/sftd
    echo "<enrollment-token>" | sudo tee /var/lib/sftd/enrollment.token

    # Suppress interactive apt prompts; a startup script has no terminal.
    export DEBIAN_FRONTEND=noninteractive

    echo "Add a basic sftd configuration"
    sudo mkdir -p /etc/sft/
    sftcfg=$(cat <<EOF
    ---
    # CanonicalName: Specifies the name clients should use/see when connecting to this host.
    CanonicalName:            "ubuntu-target"
    EOF
    )

    echo -e "$sftcfg" | sudo tee /etc/sft/sftd.yaml

    echo "Retrieve information about new packages"
    sudo apt-get update

    sudo apt-get install -y curl

    echo "Add the ScaleFT testing apt repo to your /etc/apt/sources.list system config file"
    echo "deb http://pkg.scaleft.com/deb/ linux main" | sudo tee -a /etc/apt/sources.list

    echo "Trust the repository signing key"
    # -f makes curl fail on an HTTP error instead of piping an error page into
    # apt-key. Note that apt-key is deprecated on Debian 11 / Ubuntu 22.04 and later.
    curl -fsSL https://dist.scaleft.com/pki/scaleft_deb_key.asc | sudo apt-key add -

    echo "Retrieve information about new packages"
    sudo apt-get update

    echo "Install sftd"
    # -y is required: without it apt-get stops at the confirmation prompt and
    # aborts when run non-interactively from a startup script.
    sudo apt-get install -y scaleft-server-tools

    Note: This script creates an sftd.yaml file for your server and uses ubuntu-target as its CanonicalName. Modify this information as needed to fit your team and project environments.

  7. Replace <enrollment-token> with the enrollment token you created in the Create an Advanced Server Access Enrollment Token section
  8. Click the Create button at the bottom of the page
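Steps 6 and 7 above have you paste a secret into a console text field. As an added shell example (not from the Okta guide), the following renders the same startup script from a token held in a variable, rejects malformed tokens before they reach the script, and keeps the token file root-only; the placeholder token and the gcloud command are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Okta guide: build the guide's startup script
# from a token held in a variable instead of pasting the secret into the
# console, reject malformed tokens, and keep the token file root-only.
# Paths match the guide (/var/lib/sftd, /etc/sft); gcloud usage is assumed.
set -eu

# A real token is a single line with no whitespace or quotes; anything else
# would corrupt the enrollment.token file the agent reads on first start.
validate_token() {
  case "$1" in
    "" | *[[:space:]]* | *\"* | *\'*) return 1 ;;
  esac
  return 0
}

# render_startup_script TOKEN CANONICAL_NAME -> startup script on stdout
render_startup_script() {
  token="$1"
  name="$2"
  validate_token "$token" || { echo "invalid enrollment token" >&2; return 1; }
  cat <<EOF
#!/bin/bash
set -e
export DEBIAN_FRONTEND=noninteractive
mkdir -p /var/lib/sftd /etc/sft
# Hardening beyond the guide: the token is a credential, so umask 077 keeps
# enrollment.token readable by root only (sftd runs as root).
(umask 077 && printf '%s\n' '${token}' > /var/lib/sftd/enrollment.token)
printf -- '---\nCanonicalName: "%s"\n' '${name}' > /etc/sft/sftd.yaml
apt-get update
apt-get install -y curl
echo "deb http://pkg.scaleft.com/deb/ linux main" >> /etc/apt/sources.list
curl -fsSL https://dist.scaleft.com/pki/scaleft_deb_key.asc | apt-key add -
apt-get update
apt-get install -y scaleft-server-tools
EOF
}

# Constructed placeholder token; on a real run read it from a file kept out of
# version control, e.g. "$(cat enrollment.token)".
render_startup_script "CONSTRUCTED-PLACEHOLDER-TOKEN" "ubuntu-target" > startup.sh
# Hand the file to the VM as instance metadata rather than pasting it (assumes gcloud):
#   gcloud compute instances create ubuntu-target \
#     --metadata-from-file startup-script=startup.sh
```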

Once your server has been created on the VM instances page, navigate to the Advanced Server Access console to confirm that your server has been created and enrolled within your Advanced Server Access project. You have now finished deploying an Ubuntu/Debian Server for Advanced Server Access with Userdata and an enrollment token.
