Running the Tpot honeypot on Google Cloud Platform — Part 1

Philip Chyla
Oct 11, 2021

This post appeared first on my blog

Deploying the Tpot honeypot on Google Cloud using Terraform

tldr: “Clone repository, fill in variables, run terraform”


A honeypot is a computer security mechanism set to detect, deflect, or, in some manner, counteract attempts at unauthorized use of information systems.

One flavor of a honeypot that is actively maintained is TPot by a team at T-Mobile. The source is available at GitHub. It comes with an AWS and an Open Telekom Cloud (OTC) Terraform deployment, but none for GCP.

In this post, I want to introduce a way to install Tpot on Google Cloud Platform. Future posts will go over the functionality and configuration options.

I created using which you can deploy TPot to a GCE instance.


1. Clone repository

2. Create terraform.tfvars using example.tfvars as a template

3. The defaults use a GCS bucket to store state; edit as necessary

4. Run terraform init -backend-config="bucket=<GCS_tfstate_bucket_name>" -backend-config="prefix=tpot/state" to initialize Terraform; you can run terraform init without these options if you do not have a remote state backend

5. Run terraform plan -out tf_tpot.tfplan to create a plan

6. Run terraform apply tf_tpot.tfplan

7. Outputs after a successful run will provide you with the connection strings

Things to look out for

  • The GCE instance used is an n2-highmem-2 with 16GB of RAM; the instance took a very long time with only 8GB (as recommended in the Tpot readme)
  • The Tpot instance runs under a dedicated service account with only logging and metricWriter roles; you create the service account via Terraform
  • Use a new SSH key for this instance; you might want to use an inconspicuous username. You pass the SSH public key as a string.
  • The GCE Debian 10 image does not have cloud-init installed; the script will install the missing components and reboot the instance, and the cloud-init from Tpot will then set up the server
  • During installation, Tpot sets a random hostname; if you want to install the GoogleOps monitoring agent, you will have to fix the hostname
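
The dedicated service account, instance size and SSH key handling from the list above, as an added Terraform example; it is not the code from the repository this post describes. Variable and resource names, the default network, and the reading of "logging and metricWriter" as roles/logging.logWriter and roles/monitoring.metricWriter are assumptions.

```hcl
# Added example, not the repository's own code. Names are hypothetical.
variable "project_id" { type = string }
variable "zone" { type = string }
variable "ssh_user" { type = string }       # inconspicuous login name
variable "ssh_public_key" { type = string } # public key passed as a string

# Dedicated identity for the honeypot VM, used instead of the
# default Compute Engine service account.
resource "google_service_account" "tpot" {
  project      = var.project_id
  account_id   = "tpot-honeypot"
  display_name = "T-Pot honeypot instance"
}

# Assumed role names: write logs and write metrics, nothing else.
resource "google_project_iam_member" "tpot" {
  for_each = toset(["roles/logging.logWriter", "roles/monitoring.metricWriter"])
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.tpot.email}"
}

resource "google_compute_instance" "tpot" {
  project      = var.project_id
  zone         = var.zone
  name         = "tpot"
  machine_type = "n2-highmem-2" # 16 GB RAM, as used in the post

  boot_disk {
    initialize_params {
      image = "debian-cloud/debian-10"
    }
  }

  network_interface {
    network = "default" # assumption: default VPC
    access_config {}    # ephemeral public IP so the honeypot is reachable
  }

  metadata = {
    ssh-keys = "${var.ssh_user}:${var.ssh_public_key}"
  }

  service_account {
    email  = google_service_account.tpot.email
    scopes = ["cloud-platform"] # effective access is bounded by the IAM roles above
  }
}
```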


