From 66e0f2ef6776101a8e4958c17f5dbfd3d1344674 Mon Sep 17 00:00:00 2001 
From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com> Date: Fri, 17 May 2024 14:35:49 -0500 Subject: [PATCH 01/12] initial module for testing --- .github/ISSUE_TEMPLATE/BUG.md | 24 ++++++ .github/ISSUE_TEMPLATE/FEATURE.md | 18 +++++ .github/PULL_REQUEST_TEMPLATE.md | 19 +++++ .github/workflows/fmt:check.yml | 25 ++++++ .gitignore | 6 ++ LICENSE | 21 +++++ README.md | 25 ++++++ Taskfile.yml | 13 ++++ docs/overview.svg | 1 + examples/deployment/main.tf | 50 ++++++++++++ examples/deployment/versions.tf | 16 ++++ modules/cloud_init/cloud_init.tf | 15 ++++ modules/cloud_init/outputs.tf | 3 + modules/cloud_init/sensor_init.tpl | 30 +++++++ modules/cloud_init/variables.tf | 9 +++ modules/scale_set/bastion.tf | 34 ++++++++ modules/scale_set/data.tf | 4 + modules/scale_set/load_balancer.tf | 82 +++++++++++++++++++ modules/scale_set/nat_gateway.tf | 27 +++++++ modules/scale_set/scale_set.tf | 121 +++++++++++++++++++++++++++++ modules/scale_set/subnet.tf | 8 ++ modules/scale_set/variables.tf | 106 +++++++++++++++++++++++++ 22 files changed, 657 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/BUG.md create mode 100644 .github/ISSUE_TEMPLATE/FEATURE.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/workflows/fmt:check.yml create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 Taskfile.yml create mode 100644 docs/overview.svg create mode 100644 examples/deployment/main.tf create mode 100644 examples/deployment/versions.tf create mode 100644 modules/cloud_init/cloud_init.tf create mode 100644 modules/cloud_init/outputs.tf create mode 100644 modules/cloud_init/sensor_init.tpl create mode 100644 modules/cloud_init/variables.tf create mode 100644 modules/scale_set/bastion.tf create mode 100644 modules/scale_set/data.tf create mode 100644 modules/scale_set/load_balancer.tf create mode 100644 modules/scale_set/nat_gateway.tf create mode 100644 modules/scale_set/scale_set.tf create mode 100644 
modules/scale_set/subnet.tf create mode 100644 modules/scale_set/variables.tf diff --git a/.github/ISSUE_TEMPLATE/BUG.md b/.github/ISSUE_TEMPLATE/BUG.md new file mode 100644 index 0000000..272649d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/BUG.md @@ -0,0 +1,24 @@ +--- +name: Bug Report +about: Report a Bug + +--- + +**Describe the bug** +What issue did you experience? More detail the better! + +**Reproducing the Bug** +Steps to reproduce the behavior: +1. Using terraform version x.y.z +2. With module version a.b.c +3. Provider versions... 1,2,3 +4. Error looks like: + +**Expected Behavior** +Describe the expected behavior. + +**Screenshots** +If applicable, add screenshots, obfuscated tf state files, etc... to help explain your issue. + +**Any Additional Context** +Add any other context about the bug that will help us troubleshoot the issue. \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/FEATURE.md b/.github/ISSUE_TEMPLATE/FEATURE.md new file mode 100644 index 0000000..449a622 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/FEATURE.md @@ -0,0 +1,18 @@ +--- +name: Feature Request +about: Suggest an feature for this project + +--- + +**Is your feature request related to an ongoing bug?** +Please provide a clear description of the challenge you're facing. + +**Propose a solution** +Outline a solution you may have to the challenge and any tests / evidence that may help us better +decide to take it on! + +**What alternatives have you tried or considered?** +Outline any alternatives to the solution you're proposing in a clear and concise way. + +**Any additional context** +Add any other context or screenshots about the feature request here. \ No newline at end of file diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..1a3d752 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -0,0 +1,19 @@ +# Description + +Include an overview of the change and which issue it addresses. Please also include relevant +motivation and context. List any dependencies that are required for this change. + +Associated it with an existing issue, i.e. - "Fixes issue #12345" + +## Type of change + +Please delete options that are not relevant. + +- [ ] Bug Fix +- [ ] New Feature +- [ ] This change requires a documentation update + +# How Has This Been Tested? + +Describe the tests that you ran to verify your changes. Provide instructions so they can be +reproduced. Please also list any relevant details for your test configuration diff --git a/.github/workflows/fmt:check.yml b/.github/workflows/fmt:check.yml new file mode 100644 index 0000000..981961d --- /dev/null +++ b/.github/workflows/fmt:check.yml @@ -0,0 +1,25 @@ +--- +name: Terraform Validation + +on: + pull_request: + branches: + - main + +jobs: + terraform: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Install Task + uses: arduino/setup-task@v2 + with: + version: 3.x + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "1.8.2" + - name: Terraform fmt + run: task fmt:check \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b65e6c0 --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +.idea** +**/.terraform/** +*.tfstate.* +*.tfstate +**.terraform* +**tfplan** \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..a42d1c7 --- /dev/null +++ b/LICENSE 
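Review bot: The three actions in the new workflow are referenced by mutable major-version tags (`actions/checkout@v4`, `arduino/setup-task@v2`, `hashicorp/setup-terraform@v3`), so the lint job runs whatever those tags point to on the day it executes; pinning each `uses:` to a full commit SHA, with the version in a trailing comment, keeps the job reproducible and narrows the supply-chain exposure. The workflow also declares no top-level `permissions:` block, so the `GITHUB_TOKEN` passed as `repo-token` carries the repository's default token scope; `permissions:` with `contents: read` is all a fmt check needs. Separately, the file name `fmt:check.yml` contains a colon, which cannot be checked out on Windows file systems; `fmt-check.yml` avoids that.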
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2024 Corelight, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. \ No newline at end of file diff --git a/README.md b/README.md index 426db06..e1bc2a2 100644 --- a/README.md +++ b/README.md @@ -1,2 +1,27 @@ # terraform-azure-sensor + Terraform for Corelight's Azure Cloud Sensor Deployment. + +overview + +## Getting Started +```hcl +resource "sensor" { + source = "github.com/corelight/terraform-azure-sensor" + + +} +``` + +### Deployment + +The variables for this module all have default values that can be overwritten +to meet your naming and compliance standards. + +Deployment examples can be found [here](examples). + +## License + +The project is licensed under the [MIT][] license. + +[MIT]: LICENSE diff --git a/Taskfile.yml b/Taskfile.yml new file mode 100644 index 0000000..1981726 --- /dev/null +++ b/Taskfile.yml 
@@ -0,0 +1,13 @@ +--- +version: "3" + +tasks: + fmt: + desc: Reformat your configuration in the standard style + cmds: + - terraform fmt -recursive . + + fmt:check: + desc: Check if the input is formatted + cmds: + - terraform fmt -recursive -check -diff . \ No newline at end of file diff --git a/docs/overview.svg b/docs/overview.svg new file mode 100644 index 0000000..f5a663d --- /dev/null +++ b/docs/overview.svg @@ -0,0 +1 @@ + \ No newline at end of file diff --git a/examples/deployment/main.tf b/examples/deployment/main.tf new file mode 100644 index 0000000..9984f10 --- /dev/null +++ b/examples/deployment/main.tf 
@@ -0,0 +1,50 @@ +locals { + subscription_id = "" + resource_group_name = "corelight" + location = "eastus" + license = "" + tags = { + terraform : true, + purpose : "Corelight" + } +} + +#################################################################################################### +# Create a resource group for the corelight resources +#################################################################################################### +resource "azurerm_resource_group" "sensor_rg" { + location = local.location + name = local.resource_group_name + + tags = local.tags +} + +#################################################################################################### +# Get data on the existing vnet and create a subnet in that vnet for the sensor +#################################################################################################### +data "azurerm_virtual_network" "existing_vnet" { + name = "" + resource_group_name = "" +} + +#################################################################################################### +# Deploy the Sensor +#################################################################################################### +module "sensor" { + source = "../../modules/scale_set" + + license_key = local.license + location = local.location + resource_group_name = azurerm_resource_group.sensor_rg.name + virtual_network_name = data.azurerm_virtual_network.existing_vnet.name + corelight_sensor_image_id = " Date: Mon, 20 May 2024 09:32:19 -0500 Subject: [PATCH 02/12] moving terraform out to main module path --- modules/scale_set/bastion.tf => bastion.tf | 0 modules/cloud_init/cloud_init.tf => data.tf | 7 ++++++- examples/deployment/main.tf | 2 +- modules/scale_set/load_balancer.tf => load_balancer.tf | 0 modules/cloud_init/outputs.tf | 3 --- modules/cloud_init/variables.tf | 9 --------- modules/scale_set/data.tf | 4 ---- modules/scale_set/nat_gateway.tf => nat_gateway.tf | 0 modules/scale_set/subnet.tf => subnet.tf | 0 
{modules/cloud_init => templates}/sensor_init.tpl | 0 modules/scale_set/variables.tf => variables.tf | 0 11 files changed, 7 insertions(+), 18 deletions(-) rename modules/scale_set/bastion.tf => bastion.tf (100%) rename modules/cloud_init/cloud_init.tf => data.tf (59%) rename modules/scale_set/load_balancer.tf => load_balancer.tf (100%) delete mode 100644 modules/cloud_init/outputs.tf delete mode 100644 modules/cloud_init/variables.tf delete mode 100644 modules/scale_set/data.tf rename modules/scale_set/nat_gateway.tf => nat_gateway.tf (100%) rename modules/scale_set/subnet.tf => subnet.tf (100%) rename {modules/cloud_init => templates}/sensor_init.tpl (100%) rename modules/scale_set/variables.tf => variables.tf (100%) diff --git a/modules/scale_set/bastion.tf b/bastion.tf similarity index 100% rename from modules/scale_set/bastion.tf rename to bastion.tf diff --git a/modules/cloud_init/cloud_init.tf b/data.tf similarity index 59% rename from modules/cloud_init/cloud_init.tf rename to data.tf index 0cd72df..5ac7213 100644 --- a/modules/cloud_init/cloud_init.tf +++ b/data.tf @@ -1,10 +1,15 @@ +data "azurerm_virtual_network" "vnet" { + name = var.virtual_network_name + resource_group_name = var.virtual_network_resource_group +} + data "cloudinit_config" "config" { gzip = true base64_encode = true part { content_type = "text/cloud-config" - content = templatefile("${path.module}/sensor_init.tpl", { + content = templatefile("${path.module}/templates/sensor_init.tpl", { api_password = var.sensor_api_password sensor_license = var.license_key mgmt_int = "eth0" diff --git a/examples/deployment/main.tf b/examples/deployment/main.tf index 9984f10..921432b 100644 --- a/examples/deployment/main.tf +++ b/examples/deployment/main.tf 
@@ -31,7 +31,7 @@ data "azurerm_virtual_network" "existing_vnet" { # Deploy the Sensor #################################################################################################### module "sensor" { - source = "../../modules/scale_set" + source = "../.." license_key = local.license location = local.location diff --git a/modules/scale_set/load_balancer.tf b/load_balancer.tf similarity index 100% rename from modules/scale_set/load_balancer.tf rename to load_balancer.tf diff --git a/modules/cloud_init/outputs.tf b/modules/cloud_init/outputs.tf deleted file mode 100644 index 7594520..0000000 --- a/modules/cloud_init/outputs.tf +++ /dev/null @@ -1,3 +0,0 @@ -output "rendered_cloud_init" { - value = data.cloudinit_config.config.rendered -} \ No newline at end of file diff --git a/modules/cloud_init/variables.tf b/modules/cloud_init/variables.tf deleted file mode 100644 index 23149a5..0000000 --- a/modules/cloud_init/variables.tf +++ /dev/null @@ -1,9 +0,0 @@ -variable "sensor_api_password" { - description = "The password to be used to access the Corelight sensor API" - type = string -} - -variable "license_key" { - description = "Your Corelight sensor license key" - type = string -} \ No newline at end of file diff --git a/modules/scale_set/data.tf b/modules/scale_set/data.tf deleted file mode 100644 index 173ce37..0000000 --- a/modules/scale_set/data.tf +++ /dev/null @@ -1,4 +0,0 @@ -data "azurerm_virtual_network" "vnet" { - name = var.virtual_network_name - resource_group_name = var.virtual_network_resource_group -} \ No newline at end of file diff --git a/modules/scale_set/nat_gateway.tf b/nat_gateway.tf similarity index 100% rename from modules/scale_set/nat_gateway.tf rename to nat_gateway.tf diff --git a/modules/scale_set/subnet.tf b/subnet.tf similarity index 100% rename from modules/scale_set/subnet.tf rename to subnet.tf 
diff --git a/modules/cloud_init/sensor_init.tpl b/templates/sensor_init.tpl similarity index 100% rename from modules/cloud_init/sensor_init.tpl rename to templates/sensor_init.tpl diff --git a/modules/scale_set/variables.tf b/variables.tf similarity index 100% rename from modules/scale_set/variables.tf rename to variables.tf From 16927e497d639bc7629415af2eddbc6ef70652b5 Mon Sep 17 00:00:00 2001 From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com> Date: Mon, 20 May 2024 09:32:38 -0500 Subject: [PATCH 03/12] moving terraform out to main module path --- modules/scale_set/scale_set.tf => scale_set.tf | 9 +-------- 1 file changed, 1 insertion(+), 8 deletions(-) rename modules/scale_set/scale_set.tf => scale_set.tf (93%) diff --git a/modules/scale_set/scale_set.tf b/scale_set.tf similarity index 93% rename from modules/scale_set/scale_set.tf rename to scale_set.tf index 36d476e..145d247 100644 --- a/modules/scale_set/scale_set.tf +++ b/scale_set.tf @@ -1,10 +1,3 @@ -module "cloud_init" { - source = "../cloud_init" - - license_key = var.license_key - sensor_api_password = var.sensor_api_password -} - resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" { admin_username = var.sensor_admin_username admin_ssh_key { @@ -16,7 +9,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" { resource_group_name = var.resource_group_name sku = var.virtual_machine_size instances = 1 - custom_data = module.cloud_init.rendered_cloud_init + custom_data = data.cloudinit_config.config.rendered source_image_id = var.corelight_sensor_image_id From 95e3fd0a7dfc3ed313df7f7842019063d964dc8a Mon Sep 17 00:00:00 2001 From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com> Date: Mon, 20 May 2024 09:42:33 -0500 Subject: [PATCH 04/12] Adding outputs --- nat_gateway.tf | 6 +++--- outputs.tf | 31 +++++++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 outputs.tf 
diff --git a/nat_gateway.tf b/nat_gateway.tf
index b490503..72d1bc2 100644
--- a/nat_gateway.tf
+++ b/nat_gateway.tf
@@ -8,7 +8,7 @@ resource "azurerm_public_ip" "nat_gw_ip" {
tags = var.tags
}
-resource "azurerm_nat_gateway" "my_nat_gateway" {
+resource "azurerm_nat_gateway" "lb_nat_gw" {
name = var.nat_gateway_name
location = var.location
resource_group_name = var.resource_group_name
@@ -18,10 +18,10 @@ resource "azurerm_nat_gateway" "my_nat_gateway" {
resource "azurerm_subnet_nat_gateway_association" "nat_gw_association" {
subnet_id = azurerm_subnet.subnet.id
- nat_gateway_id = azurerm_nat_gateway.my_nat_gateway.id
+ nat_gateway_id = azurerm_nat_gateway.lb_nat_gw.id
}
resource "azurerm_nat_gateway_public_ip_association" "public_ip_association" {
- nat_gateway_id = azurerm_nat_gateway.my_nat_gateway.id
+ nat_gateway_id = azurerm_nat_gateway.lb_nat_gw.id
public_ip_address_id = azurerm_public_ip.nat_gw_ip.id
}
\ No newline at end of file
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..be5eeac
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,31 @@
+output "bastion_subnet_name" {
+ value = azurerm_subnet.bastion_subnet.name
+}
+
+output "bastion_public_ip_name" {
+ value = azurerm_public_ip.bastion_ip.name
+}
+
+output "bastion_host_name" {
+ value = azurerm_bastion_host.bastion.name
+}
+
+output "internal_load_balancer_name" {
+ value = azurerm_lb.scale_set_lb.name
+}
+
+output "nat_gateway_public_ip_name" {
+ value = azurerm_public_ip.nat_gw_ip.name
+}
+
+output "nat_gateway_name" {
+ value = azurerm_nat_gateway.lb_nat_gw.name
+}
+
+output "sensor_scale_set_name" {
+ value = azurerm_linux_virtual_machine_scale_set.sensor_scale_set.name
+}
+
+output "sensor_scale_set_subnet_name" {
+ value = azurerm_subnet.subnet.name
+}
\ No newline at end of file
From 34dc3b67bc1c559b662dcc597afff0375f5172db Mon Sep 17 00:00:00 2001
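Review bot: The three bastion outputs reference `azurerm_subnet.bastion_subnet.name`, `azurerm_public_ip.bastion_ip.name` and `azurerm_bastion_host.bastion.name` without an index, yet bastion.tf (shown when patch 07 deletes it) declares each of those resources with `count = var.create_bastion_host && var.virtual_network_name != "" ? 1 : 0`, so these expressions do not validate as written. A counted resource has to be addressed through an index or splat, and since the count can be zero the safe form is `value = one(azurerm_bastion_host.bastion[*].name)`, which yields `null` when no host is created instead of failing. Patch 07 removes the bastion and these outputs entirely, so nothing is left to fix in the final tree; this only records why the intermediate state did not plan.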
From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com>
Date: Mon, 20 May 2024 09:45:07 -0500
Subject: [PATCH 05/12] adding vmss identity principal id to output
---
outputs.tf | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/outputs.tf b/outputs.tf
index be5eeac..f2b13b0 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -22,6 +22,10 @@ output "nat_gateway_name" {
value = azurerm_nat_gateway.lb_nat_gw.name
}
+output "sensor_identity_principal_id" {
+ value = azurerm_linux_virtual_machine_scale_set.sensor_scale_set.identity[0].principal_id
+}
+
output "sensor_scale_set_name" {
value = azurerm_linux_virtual_machine_scale_set.sensor_scale_set.name
}
From 7cc8d188d172627d8677a58ef295e80f76cad5fa Mon Sep 17 00:00:00 2001
From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com>
Date: Mon, 20 May 2024 09:49:15 -0500
Subject: [PATCH 06/12] fixing subnet resource
---
subnet.tf | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/subnet.tf b/subnet.tf
index 419ff76..3704f02 100644
--- a/subnet.tf
+++ b/subnet.tf
@@ -1,8 +1,8 @@
resource "azurerm_subnet" "subnet" {
name = var.sensor_subnet_name
- virtual_network_name = data.azurerm_virtual_network
+ virtual_network_name = data.azurerm_virtual_network.vnet.name
resource_group_name = var.resource_group_name
- address_prefixes = [
+ address_prefixes = [
cidrsubnet(data.azurerm_virtual_network.vnet.address_space, 8, 1)
]
}
\ No newline at end of file
From adb50b7f8d84b33826e64c8592346a2f9cceb24e Mon Sep 17 00:00:00 2001
From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com>
Date: Mon, 20 May 2024 09:51:58 -0500
Subject: [PATCH 07/12] removing bastion
---
bastion.tf | 34 ----------------------------------
outputs.tf | 12 ------------
subnet.tf | 2 +-
variables.tf | 19 +------------------
4 files changed, 2 insertions(+), 65 deletions(-)
delete mode 100644 bastion.tf
diff --git a/bastion.tf b/bastion.tf
deleted file mode 100644
index 43434dc..0000000
--- a/bastion.tf
+++ /dev/null
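Review bot: `azurerm_linux_virtual_machine_scale_set.sensor_scale_set.identity[0].principal_id` only resolves if the scale set resource declares an `identity` block, and that block is not visible anywhere in this series (the scale_set.tf hunks in patch 03 show only `admin_username`, `admin_ssh_key`, `custom_data` and `source_image_id`), so if it is absent the new output fails with an index error at plan time. If the identity is meant to be optional, `value = try(azurerm_linux_virtual_machine_scale_set.sensor_scale_set.identity[0].principal_id, null)` keeps the output from breaking the module. A one-line `description` stating whether this is the system-assigned identity would also help callers who bind role assignments to it.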
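Review bot: `cidrsubnet(data.azurerm_virtual_network.vnet.address_space, 8, 1)` passes the data source's `address_space` attribute, which the azurerm provider exposes as a list of CIDR strings, so `cidrsubnet` rejects it; the element has to be selected first, `cidrsubnet(data.azurerm_virtual_network.vnet.address_space[0], 8, 1)`. Patch 08 later swaps the lookup for a string variable, which removes the list problem but keeps the hard-coded `8, 1`, so the sensor subnet is always the block at netnum 1 with eight extra prefix bits and will collide with any subnet a caller already has there; exposing the newbits/netnum as variables, or accepting an explicit subnet prefix (e.g. a `sensor_subnet_address_prefix` input), lets callers place it.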
@@ -1,34 +0,0 @@ -resource "azurerm_subnet" "bastion_subnet" { - count = var.create_bastion_host && var.virtual_network_name != "" ? 1 : 0 - address_prefixes = [cidrsubnet(data.azurerm_virtual_network.vnet.address_space, 1, 1)] - name = "AzureBastionSubnet" - resource_group_name = var.resource_group_name - virtual_network_name = var.virtual_network_name -} - -resource "azurerm_public_ip" "bastion_ip" { - count = var.create_bastion_host && var.virtual_network_name != "" ? 1 : 0 - name = var.bastion_host_ip_name - location = var.location - resource_group_name = var.resource_group_name - allocation_method = "Static" - sku = "Standard" - - tags = var.tags -} - - -resource "azurerm_bastion_host" "bastion" { - count = var.create_bastion_host && var.virtual_network_name != "" ? 1 : 0 - name = var.bastion_host_name - location = var.location - resource_group_name = var.resource_group_name - - ip_configuration { - name = "bastion-public-cfg" - subnet_id = azurerm_subnet.bastion_subnet[count.index].id - public_ip_address_id = azurerm_public_ip.bastion_ip[count.index].id - } - - tags = var.tags -} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf index f2b13b0..3ab2492 100644 --- a/outputs.tf +++ b/outputs.tf @@ -1,15 +1,3 @@ -output "bastion_subnet_name" { - value = azurerm_subnet.bastion_subnet.name -} - -output "bastion_public_ip_name" { - value = azurerm_public_ip.bastion_ip.name -} - -output "bastion_host_name" { - value = azurerm_bastion_host.bastion.name -} - output "internal_load_balancer_name" { value = azurerm_lb.scale_set_lb.name } diff --git a/subnet.tf b/subnet.tf index 3704f02..edbd633 100644 --- a/subnet.tf +++ b/subnet.tf 
@@ -2,7 +2,7 @@ resource "azurerm_subnet" "subnet" { name = var.sensor_subnet_name virtual_network_name = data.azurerm_virtual_network.vnet.name resource_group_name = var.resource_group_name - address_prefixes = [ + address_prefixes = [ cidrsubnet(data.azurerm_virtual_network.vnet.address_space, 8, 1) ] } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 56ec741..5e53695 100644 --- a/variables.tf +++ b/variables.tf @@ -50,23 +50,6 @@ variable "sensor_admin_username" { type = string default = "corelight" } -variable "create_bastion_host" { - description = "Set to true if a bastion subnet and host should be deployed in the vnet for accessing the corelight sensors directly" - type = bool - default = false -} - -variable "bastion_host_ip_name" { - description = "The resource name of the bastion host public IP" - type = string - default = "cl-bastion-ip" -} - -variable "bastion_host_name" { - description = "The bastion host resource name" - type = string - default = "cl-bastion" -} variable "nat_gateway_ip_name" { description = "The resource name of the VMSS NAT Gateway public IP resource" @@ -101,6 +84,6 @@ variable "virtual_machine_size" { } variable "tags" { - type = object({}) + type = object({}) default = {} } \ No newline at end of file From 1f02cd80912b6d5ec505fc1e24e8d46ae1b76340 Mon Sep 17 00:00:00 2001 From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com> Date: Mon, 20 May 2024 10:04:45 -0500 Subject: [PATCH 08/12] removing vnet data lookup --- data.tf | 5 ----- subnet.tf | 4 ++-- variables.tf | 7 ++++++- 3 files changed, 8 insertions(+), 8 deletions(-) diff --git a/data.tf b/data.tf index 5ac7213..9be4b72 100644 --- a/data.tf +++ b/data.tf @@ -1,8 +1,3 @@ -data "azurerm_virtual_network" "vnet" { - name = var.virtual_network_name - resource_group_name = var.virtual_network_resource_group -} - data "cloudinit_config" "config" { gzip = true base64_encode = true diff --git a/subnet.tf b/subnet.tf index edbd633..9e2f9cd 100644 
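Review bot: `type = object({})` for `tags` survives on the new side of the `@@ -101,6 +84,6 @@` hunk, and as far as I can tell Terraform converts a caller's `{ purpose = "Corelight" }` to that empty object type by discarding the extra attributes, so every `tags = var.tags` in the module applies no tags at all and does so silently. Declaring it as `type = map(string)` carries the caller's keys through and matches what the azurerm `tags` arguments accept. The same declaration is context in the patch 08 and patch 10 variables.tf hunks, so whichever patch is touched the fix is the same single line.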
--- a/subnet.tf +++ b/subnet.tf @@ -1,8 +1,8 @@ resource "azurerm_subnet" "subnet" { name = var.sensor_subnet_name - virtual_network_name = data.azurerm_virtual_network.vnet.name + virtual_network_name = var.virtual_network_name resource_group_name = var.resource_group_name address_prefixes = [ - cidrsubnet(data.azurerm_virtual_network.vnet.address_space, 8, 1) + cidrsubnet(var.virtual_network_address_space, 8, 1) ] } \ No newline at end of file diff --git a/variables.tf b/variables.tf index 5e53695..d2a6033 100644 --- a/variables.tf +++ b/variables.tf @@ -18,6 +18,11 @@ variable "virtual_network_name" { type = string } +variable "virtual_network_address_space" { + description = "The address space of the virtual network the sensor will observe traffic in" + type = string +} + variable "virtual_network_resource_group" { description = "The resource group where the virtual network is deployed" type = string @@ -84,6 +89,6 @@ variable "virtual_machine_size" { } variable "tags" { - type = object({}) + type = object({}) default = {} } \ No newline at end of file From e8c037376568b6ce7625548f8259e6538244de34 Mon Sep 17 00:00:00 2001 From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com> Date: Thu, 23 May 2024 16:33:28 -0500 Subject: [PATCH 09/12] adding enrichment options, updating descriptions, etc... --- README.md | 25 +++++++++-- data.tf | 34 +++++++++++--- examples/deployment/main.tf | 21 ++++++--- scale_set.tf | 14 +++--- subnet.tf | 2 +- templates/sensor_init_with_enrichment.tpl | 33 ++++++++++++++ variables.tf | 55 ++++++++++++++++++----- versions.tf | 12 +++++ 8 files changed, 162 insertions(+), 34 deletions(-) create mode 100644 templates/sensor_init_with_enrichment.tpl create mode 100644 versions.tf diff --git a/README.md b/README.md index e1bc2a2..897cdcb 100644 --- a/README.md +++ b/README.md 
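Review bot: `virtual_network_address_space` is declared as a bare `string` and fed straight into `cidrsubnet(var.virtual_network_address_space, 8, 1)` in subnet.tf, so a value that is not a CIDR, or the list a caller would naturally pass from a vnet with several address spaces, surfaces only as a `cidrsubnet` error deep in the plan. A `validation` block on the variable, `condition = can(cidrhost(var.virtual_network_address_space, 0))` with an `error_message` naming the expected form, reports the problem at the input instead, and that form references only the variable itself so it works on the Terraform 1.8 line the workflow pins. The description is also the right place to state that the module carves the sensor subnet out of this prefix at netnum 1, so callers know which range must be free.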
@@ -4,12 +4,29 @@ Terraform for Corelight's Azure Cloud Sensor Deployment. overview -## Getting Started +## Usage ```hcl resource "sensor" { - source = "github.com/corelight/terraform-azure-sensor" - - + source = "github.com/corelight/terraform-azure-sensor" + + license_key = "" + location = "" + resource_group_name = "" + virtual_network_name = "" + virtual_network_resource_group = "" + virtual_network_address_space = "" + corelight_sensor_image_id = "" + sensor_api_password = "" + sensor_ssh_public_key = "" + + # (Optional) Cloud Enrichment Variables + enrichment_storage_account_name = "" + enrichment_storage_container_name = "" + tags = { + foo: bar, + terraform: true, + purpose: Corelight + } } ``` diff --git a/data.tf b/data.tf index 9be4b72..d94f9be 100644 --- a/data.tf +++ b/data.tf @@ -4,12 +4,34 @@ data "cloudinit_config" "config" { part { content_type = "text/cloud-config" - content = templatefile("${path.module}/templates/sensor_init.tpl", { - api_password = var.sensor_api_password - sensor_license = var.license_key - mgmt_int = "eth0" - mon_int = "eth1" - }) + content = templatefile("${path.module}/templates/sensor_init.tpl", + { + api_password = var.sensor_api_password + sensor_license = var.license_key + mgmt_int = "eth0" + mon_int = "eth1" + } + ) + filename = "sensor-build.yaml" + } +} + +data "cloudinit_config" "config_with_enrichment" { + gzip = true + base64_encode = true + + part { + content_type = "text/cloud-config" + content = templatefile("${path.module}/templates/sensor_init_with_enrichment.tpl", + { + api_password = var.sensor_api_password + sensor_license = var.license_key + mgmt_int = "eth0" + mon_int = "eth1" + container_name = var.enrichment_storage_container_name + storage_account_name = var.enrichment_storage_account_name + } + ) filename = "sensor-build.yaml" } } \ No newline at end of file diff --git a/examples/deployment/main.tf b/examples/deployment/main.tf index 921432b..dfac70d 100644 --- a/examples/deployment/main.tf 
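Review bot: Both `cloudinit_config` data sources render `api_password = var.sensor_api_password` and `sensor_license = var.license_key` into the cloud-config that becomes the scale set's `custom_data`, so the credentials end up in the Terraform plan output and state and, since cloud-init keeps a copy of its user-data on disk, on every instance; the `sensor_api_password` declaration that patch 02 deleted from modules/cloud_init/variables.tf had no `sensitive = true`, and the root variables.tf is not in view, so please confirm both variables carry `sensitive = true` so the rendered user-data is redacted from plan output. `config_with_enrichment` is also evaluated unconditionally, so the enrichment template is rendered even when `enrichment_storage_account_name` and `enrichment_storage_container_name` are at their empty-string defaults; presumably scale_set.tf selects between the two, but that hunk is cut off in this series. The two `part` blocks duplicate the first four template arguments, so a `locals` map with `merge()` for the two enrichment keys would keep them from drifting apart.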
+++ b/examples/deployment/main.tf @@ -37,14 +37,23 @@ module "sensor" { location = local.location resource_group_name = azurerm_resource_group.sensor_rg.name virtual_network_name = data.azurerm_virtual_network.existing_vnet.name - corelight_sensor_image_id = " Date: Thu, 23 May 2024 16:53:08 -0500 Subject: [PATCH 10/12] making resources names more dynamic --- load_balancer.tf | 16 ++++++++-------- variables.tf | 50 ++++++++++++++++++++++++++++++++++++++++++++++++ 2 files changed, 58 insertions(+), 8 deletions(-) diff --git a/load_balancer.tf b/load_balancer.tf index 03e54ad..5408677 100644 --- a/load_balancer.tf +++ b/load_balancer.tf @@ -5,7 +5,7 @@ resource "azurerm_lb" "scale_set_lb" { sku = "Standard" frontend_ip_configuration { - name = "corelight-sensor-lb-ip" + name = var.lb_frontend_ip_config_name subnet_id = azurerm_subnet.subnet.id } @@ -14,17 +14,17 @@ resource "azurerm_lb" "scale_set_lb" { resource "azurerm_lb_backend_address_pool" "management_pool" { loadbalancer_id = azurerm_lb.scale_set_lb.id - name = "management-pool" + name = var.lb_mgmt_backend_address_pool_name } resource "azurerm_lb_backend_address_pool" "monitoring_pool" { loadbalancer_id = azurerm_lb.scale_set_lb.id - name = "monitoring-pool" + name = var.lb_mon_backend_address_pool_name } resource "azurerm_lb_probe" "sensor_health_check_probe" { loadbalancer_id = azurerm_lb.scale_set_lb.id - name = "health-check" + name = var.lb_health_check_probe_name port = 443 request_path = "/api/system/healthcheck/" protocol = "Https" @@ -34,7 +34,7 @@ resource "azurerm_lb_probe" "sensor_health_check_probe" { resource "azurerm_lb_rule" "monitoring_vxlan_lb_rule" { loadbalancer_id = azurerm_lb.scale_set_lb.id - name = "vxlan-lb-rule" + name = var.lb_vxlan_rule_name protocol = "Udp" backend_port = 4789 frontend_port = 4789 
@@ -45,7 +45,7 @@ resource "azurerm_lb_rule" "monitoring_vxlan_lb_rule" { } resource "azurerm_lb_rule" "monitoring_geneve_lb_rule" { - name = "geneve-lb-rule" + name = var.lb_geneve_rule_name loadbalancer_id = azurerm_lb.scale_set_lb.id protocol = "Udp" backend_port = 6081 @@ -57,7 +57,7 @@ resource "azurerm_lb_rule" "monitoring_geneve_lb_rule" { } resource "azurerm_lb_rule" "monitoring_health_check_rule" { - name = "healthcheck-lb-rule" + name = var.lb_health_check_rule_name loadbalancer_id = azurerm_lb.scale_set_lb.id protocol = "Tcp" backend_port = 443 @@ -70,7 +70,7 @@ resource "azurerm_lb_rule" "monitoring_health_check_rule" { } resource "azurerm_lb_rule" "management_lb_rule" { - name = "management-ssh-lb-rule" + name = var.lb_ssh_rule_name loadbalancer_id = azurerm_lb.scale_set_lb.id frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name protocol = "Tcp" diff --git a/variables.tf b/variables.tf index 7bd82d2..0d0991b 100644 --- a/variables.tf +++ b/variables.tf 
@@ -118,6 +118,56 @@ variable "enrichment_storage_container_name" { } } +variable "lb_frontend_ip_config_name" { + description = "Name of the internal load balancer frontend ip configuration" + type = string + default = "corelight-sensor-lb-ip" +} + +variable "lb_mgmt_backend_address_pool_name" { + description = "Name of the load balancer management backend address pool" + type = string + default = "management-pool" +} + +variable "lb_mon_backend_address_pool_name" { + description = "Name of the load balancer monitoring backend address pool" + type = string + default = "monitoring-pool" +} + +variable "lb_health_check_probe_name" { + description = "Name of the load balancer health check probe that check the sensor healthcheck API" + type = string + default = "health-check" +} + +variable "lb_vxlan_rule_name" { + description = "Name of the load balancer rule for VXLAN traffic" + type = string + default = "vxlan-lb-rule" +} + +variable "lb_geneve_rule_name" { + description = "Name of the load balancer rule for Geneve traffic" + type = string + default = "geneve-lb-rule" +} + +variable "lb_health_check_rule_name" { + description = "Name of the load balancer rule for health check traffic" + type = string + default = "healthcheck-lb-rule" +} + +variable "lb_ssh_rule_name" { + description = "Name of the load balancer rule for SSH traffic" + type = string + default = "management-ssh-lb-rule" +} + + + variable "tags" { description = "Any tags that should be applied to resources deployed by the module" type = object({}) From 160e64eb85b713c0d2658a83b6b137bb9e7cbe86 Mon Sep 17 00:00:00 2001 From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com> Date: Thu, 23 May 2024 16:53:20 -0500 Subject: [PATCH 11/12] fmt --- variables.tf | 32 ++++++++++++++++---------------- 1 file changed, 16 insertions(+), 16 deletions(-) diff --git a/variables.tf b/variables.tf index 0d0991b..a86ffde 100644 --- a/variables.tf +++ b/variables.tf 
@@ -120,50 +120,50 @@ variable "enrichment_storage_container_name" { variable "lb_frontend_ip_config_name" { description = "Name of the internal load balancer frontend ip configuration" - type = string - default = "corelight-sensor-lb-ip" + type = string + default = "corelight-sensor-lb-ip" } variable "lb_mgmt_backend_address_pool_name" { description = "Name of the load balancer management backend address pool" - type = string - default = "management-pool" + type = string + default = "management-pool" } variable "lb_mon_backend_address_pool_name" { description = "Name of the load balancer monitoring backend address pool" - type = string - default = "monitoring-pool" + type = string + default = "monitoring-pool" } variable "lb_health_check_probe_name" { description = "Name of the load balancer health check probe that check the sensor healthcheck API" - type = string - default = "health-check" + type = string + default = "health-check" } variable "lb_vxlan_rule_name" { description = "Name of the load balancer rule for VXLAN traffic" - type = string - default = "vxlan-lb-rule" + type = string + default = "vxlan-lb-rule" } variable "lb_geneve_rule_name" { description = "Name of the load balancer rule for Geneve traffic" - type = string - default = "geneve-lb-rule" + type = string + default = "geneve-lb-rule" } variable "lb_health_check_rule_name" { description = "Name of the load balancer rule for health check traffic" - type = string - default = "healthcheck-lb-rule" + type = string + default = "healthcheck-lb-rule" } variable "lb_ssh_rule_name" { description = "Name of the load balancer rule for SSH traffic" - type = string - default = "management-ssh-lb-rule" + type = string + default = "management-ssh-lb-rule" } From ce0cad77c6c692826311a63e068d8b37b1a90603 Mon Sep 17 00:00:00 2001 
From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com>
Date: Thu, 23 May 2024 17:03:38 -0500
Subject: [PATCH 12/12] removing erroneous validations
---
variables.tf | 8 --------
1 file changed, 8 deletions(-)
diff --git a/variables.tf b/variables.tf
index a86ffde..024aa2b 100644
--- a/variables.tf
+++ b/variables.tf
@@ -102,20 +102,12 @@ variable "enrichment_storage_account_name" {
description = "(optional) the azure storage account where enrichment data is stored"
type = string
default = ""
- validation {
- condition = var.enrichment_storage_account_name != "" && var.enrichment_storage_container_name == ""
- error_message = "enrichment_storage_account_name and enrichment_storage_container_name must both be populated"
- }
}
variable "enrichment_storage_container_name" {
description = "(optional) the container where enrichment data is stored"
type = string
default = ""
- validation {
- condition = var.enrichment_storage_container_name != "" && var.enrichment_storage_account_name == ""
- error_message = "enrichment_storage_account_name and enrichment_storage_container_name must both be populated"
- }
}
variable "lb_frontend_ip_config_name" {
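Review bot: Deleting the two `validation` blocks drops the only check that `enrichment_storage_account_name` and `enrichment_storage_container_name` are set together, and the removed conditions had two distinct problems worth fixing rather than discarding: each was inverted (`!= "" && ... == ""` is true exactly in the mismatched case, so every valid input failed with the "must both be populated" message), and a `validation` that references another variable is rejected by Terraform before 1.9, which fits the "erroneous" in the subject and the `1.8.2` the workflow pins. On 1.8 the pairing can still be enforced where the two values meet, for example `lifecycle { precondition { condition = (var.enrichment_storage_account_name == "") == (var.enrichment_storage_container_name == "") error_message = "..." } }` on `data.cloudinit_config.config_with_enrichment`, and moved back to a single variable validation once Terraform is bumped to 1.9. The hunk's trailing context `variable "lb_frontend_ip_config_name" {` opens a block that continues outside it.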