Initial Module Creation (#1)

* initial module for testing

* moving terraform out to main module path

* moving terraform out to main module path

* Adding outputs

* adding vmss identity principal id to output

* fixing subnet resource

* removing bastion

* removing vnet data lookup

* adding enrichment options, updating descriptions, etc...

* making resources names more dynamic

* fmt

* removing erroneous validations

.github/ISSUE_TEMPLATE/BUG.md

@@ -0,0 +1,24 @@
+---
+name: Bug Report
+about: Report a Bug
+
+---
+
+**Describe the bug**  
+What issue did you experience? More detail the better! 
+
+**Reproducing the Bug**  
+Steps to reproduce the behavior:
+1. Using terraform version x.y.z
+2. With module version a.b.c
+3. Provider versions... 1,2,3
+4. Error looks like: <insert screenshot / copy terraform error>
+
+**Expected Behavior**  
+Describe the expected behavior.
+
+**Screenshots**  
+If applicable, add screenshots, obfuscated tf state files, etc... to help explain your issue.
+
+**Any Additional Context**  
+Add any other context about the bug that will help us troubleshoot the issue.

.github/ISSUE_TEMPLATE/FEATURE.md

@@ -0,0 +1,18 @@
+---
+name: Feature Request
+about: Suggest an feature for this project
+
+---
+
+**Is your feature request related to an ongoing bug?**  
+Please provide a clear description of the challenge you're facing.
+
+**Propose a solution**  
+Outline a solution you may have to the challenge and any tests / evidence that may help us better
+decide to take it on! 
+
+**What alternatives have you tried or considered?**  
+Outline any alternatives to the solution you're proposing in a clear and concise way.
+
+**Any additional context**  
+Add any other context or screenshots about the feature request here.

.github/PULL_REQUEST_TEMPLATE.md

@@ -0,0 +1,19 @@
+# Description
+
+Include an overview of the change and which issue it addresses. Please also include relevant
+motivation and context. List any dependencies that are required for this change.
+
+Associated it with an existing issue, i.e. - "Fixes issue #12345"
+
+## Type of change
+
+Please delete options that are not relevant.
+
+- [ ] Bug Fix
+- [ ] New Feature
+- [ ] This change requires a documentation update
+
+# How Has This Been Tested?
+
+Describe the tests that you ran to verify your changes. Provide instructions so they can be
+reproduced. Please also list any relevant details for your test configuration

.github/workflows/fmt:check.yml

@@ -0,0 +1,25 @@
+---
+name: Terraform Validation
+
+on:
+  pull_request:
+    branches:
+      - main
+
+jobs:
+  terraform:
+    name: Lint
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Install Task
+        uses: arduino/setup-task@v2
+        with:
+          version: 3.x
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+      - name: Install Terraform
+        uses: hashicorp/setup-terraform@v3
+        with:
+          terraform_version: "1.8.2"
+      - name: Terraform fmt
+        run: task fmt:check

.gitignore

@@ -0,0 +1,6 @@
+.idea**
+**/.terraform/**
+*.tfstate.*
+*.tfstate
+**.terraform*
+**tfplan**

LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2024 Corelight, Inc.
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in
+all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
+THE SOFTWARE.

README.md

@@ -1,2 +1,44 @@
 # terraform-azure-sensor
+
 Terraform for Corelight's Azure Cloud Sensor Deployment.
+
+<img src="docs/overview.svg" alt="overview">
+
+## Usage
+```hcl
+resource "sensor" {
+  source = "github.com/corelight/terraform-azure-sensor"
+
+  license_key                    = "<your Corelight sensor license key>"
+  location                       = "<Azure location to deploy resources in>"
+  resource_group_name            = "<resource group to deploy in>"
+  virtual_network_name           = "<virtual network where VMSS subnet should be deployed>"
+  virtual_network_resource_group = "<virtual network resource group>"
+  virtual_network_address_space  = "<virtual network address space (CIDR) used to create subnet>"
+  corelight_sensor_image_id      = "<image resource id from Corelight>"
+  sensor_api_password            = "<password for the sensor api>"
+  sensor_ssh_public_key          = "<path to ssh public key>"
+
+  # (Optional) Cloud Enrichment Variables
+  enrichment_storage_account_name   = "<name of the enrichment storage account>"
+  enrichment_storage_container_name = "<name of the enrichment container in the storage account>"
+  tags                              = {
+    foo: bar,
+    terraform: true,
+    purpose: Corelight
+  }
+}
+```
+
+### Deployment
+
+The variables for this module all have default values that can be overwritten
+to meet your naming and compliance standards.
+
+Deployment examples can be found [here](examples).
+
+## License
+
+The project is licensed under the [MIT][] license.
+
+[MIT]: LICENSE

Taskfile.yml

@@ -0,0 +1,13 @@
+---
+version: "3"
+
+tasks:
+  fmt:
+    desc: Reformat your configuration in the standard style
+    cmds:
+      - terraform fmt -recursive .
+
+  fmt:check:
+    desc: Check if the input is formatted
+    cmds:
+      - terraform fmt -recursive -check -diff .

data.tf

@@ -0,0 +1,37 @@
+data "cloudinit_config" "config" {
+  gzip          = true
+  base64_encode = true
+
+  part {
+    content_type = "text/cloud-config"
+    content = templatefile("${path.module}/templates/sensor_init.tpl",
+      {
+        api_password   = var.sensor_api_password
+        sensor_license = var.license_key
+        mgmt_int       = "eth0"
+        mon_int        = "eth1"
+      }
+    )
+    filename = "sensor-build.yaml"
+  }
+}
+
+data "cloudinit_config" "config_with_enrichment" {
+  gzip          = true
+  base64_encode = true
+
+  part {
+    content_type = "text/cloud-config"
+    content = templatefile("${path.module}/templates/sensor_init_with_enrichment.tpl",
+      {
+        api_password         = var.sensor_api_password
+        sensor_license       = var.license_key
+        mgmt_int             = "eth0"
+        mon_int              = "eth1"
+        container_name       = var.enrichment_storage_container_name
+        storage_account_name = var.enrichment_storage_account_name
+      }
+    )
+    filename = "sensor-build.yaml"
+  }
+}

examples/deployment/main.tf

@@ -0,0 +1,59 @@
+locals {
+  subscription_id     = "<your subscription uuid>"
+  resource_group_name = "corelight"
+  location            = "eastus"
+  license             = "<your corelight sensor license key>"
+  tags = {
+    terraform : true,
+    purpose : "Corelight"
+  }
+}
+
+####################################################################################################
+# Create a resource group for the corelight resources
+####################################################################################################
+resource "azurerm_resource_group" "sensor_rg" {
+  location = local.location
+  name     = local.resource_group_name
+
+  tags = local.tags
+}
+
+####################################################################################################
+# Get data on the existing vnet and create a subnet in that vnet for the sensor
+####################################################################################################
+data "azurerm_virtual_network" "existing_vnet" {
+  name                = "<vnet name>"
+  resource_group_name = "<vnet resource group>"
+}
+
+####################################################################################################
+# Deploy the Sensor
+####################################################################################################
+module "sensor" {
+  source = "../.."
+
+  license_key                    = local.license
+  location                       = local.location
+  resource_group_name            = azurerm_resource_group.sensor_rg.name
+  virtual_network_name           = data.azurerm_virtual_network.existing_vnet.name
+  virtual_network_resource_group = "<vnet resource group>"
+  virtual_network_address_space  = "<vnet address space (CIDR)>"
+  corelight_sensor_image_id      = "<image resource id from Corelight>"
+  sensor_api_password            = "<password for the sensor api>"
+  sensor_ssh_public_key          = "<path to ssh public key>"
+
+  # (Optional) Cloud Enrichment Variables
+  enrichment_storage_account_name   = "<name of the enrichment storage account>"
+  enrichment_storage_container_name = "<name of the enrichment container in the storage account>"
+  tags                              = local.tags
+}
+
+####################################################################################################
+# (Optional) Assign the VMSS identity access to the enrichment bucket if enabled
+####################################################################################################
+resource "azurerm_role_assignment" "enrichment_data_access" {
+  principal_id         = module.sensor.sensor_identity_principal_id
+  scope                = "<resource id of the enrichment storage account>"
+  role_definition_name = "Storage Blob Data Reader"
+}

examples/deployment/versions.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_version = ">=1.3.2"
+
+  required_providers {
+    azurerm = {
+      source  = "hashicorp/azurerm"
+      version = ">=3.97.1"
+    }
+  }
+}
+
+provider "azurerm" {
+  features {}
+  subscription_id = local.subscription_id
+}
+

load_balancer.tf

@@ -0,0 +1,82 @@
+resource "azurerm_lb" "scale_set_lb" {
+  location            = var.location
+  name                = var.load_balancer_name
+  resource_group_name = var.resource_group_name
+  sku                 = "Standard"
+
+  frontend_ip_configuration {
+    name      = var.lb_frontend_ip_config_name
+    subnet_id = azurerm_subnet.subnet.id
+  }
+
+  tags = var.tags
+}
+
+resource "azurerm_lb_backend_address_pool" "management_pool" {
+  loadbalancer_id = azurerm_lb.scale_set_lb.id
+  name            = var.lb_mgmt_backend_address_pool_name
+}
+
+resource "azurerm_lb_backend_address_pool" "monitoring_pool" {
+  loadbalancer_id = azurerm_lb.scale_set_lb.id
+  name            = var.lb_mon_backend_address_pool_name
+}
+
+resource "azurerm_lb_probe" "sensor_health_check_probe" {
+  loadbalancer_id     = azurerm_lb.scale_set_lb.id
+  name                = var.lb_health_check_probe_name
+  port                = 443
+  request_path        = "/api/system/healthcheck/"
+  protocol            = "Https"
+  interval_in_seconds = 30
+  probe_threshold     = 3
+}
+
+resource "azurerm_lb_rule" "monitoring_vxlan_lb_rule" {
+  loadbalancer_id                = azurerm_lb.scale_set_lb.id
+  name                           = var.lb_vxlan_rule_name
+  protocol                       = "Udp"
+  backend_port                   = 4789
+  frontend_port                  = 4789
+  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name
+  backend_address_pool_ids = [
+    azurerm_lb_backend_address_pool.monitoring_pool.id
+  ]
+}
+
+resource "azurerm_lb_rule" "monitoring_geneve_lb_rule" {
+  name                           = var.lb_geneve_rule_name
+  loadbalancer_id                = azurerm_lb.scale_set_lb.id
+  protocol                       = "Udp"
+  backend_port                   = 6081
+  frontend_port                  = 6081
+  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name
+  backend_address_pool_ids = [
+    azurerm_lb_backend_address_pool.monitoring_pool.id
+  ]
+}
+
+resource "azurerm_lb_rule" "monitoring_health_check_rule" {
+  name                           = var.lb_health_check_rule_name
+  loadbalancer_id                = azurerm_lb.scale_set_lb.id
+  protocol                       = "Tcp"
+  backend_port                   = 443
+  frontend_port                  = 443
+  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name
+  backend_address_pool_ids = [
+    azurerm_lb_backend_address_pool.management_pool.id
+  ]
+  probe_id = azurerm_lb_probe.sensor_health_check_probe.id
+}
+
+resource "azurerm_lb_rule" "management_lb_rule" {
+  name                           = var.lb_ssh_rule_name
+  loadbalancer_id                = azurerm_lb.scale_set_lb.id
+  frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name
+  protocol                       = "Tcp"
+  backend_port                   = 22
+  frontend_port                  = 22
+  backend_address_pool_ids = [
+    azurerm_lb_backend_address_pool.management_pool.id
+  ]
+}