From d049febd7b2df0b1b3a5fc27be9b5323f5cad0d4 Mon Sep 17 00:00:00 2001 From: mattJsonar Date: Tue, 12 Nov 2024 23:42:23 +0000 Subject: [PATCH 1/2] Apply automatic changes --- modules/dsfhub-gcp-pubsub/main.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/dsfhub-gcp-pubsub/main.tf b/modules/dsfhub-gcp-pubsub/main.tf index f4ce784..1621592 100644 --- a/modules/dsfhub-gcp-pubsub/main.tf +++ b/modules/dsfhub-gcp-pubsub/main.tf @@ -1,7 +1,7 @@ terraform { required_providers { dsfhub = { - source = "imperva/dsfhub" + source = "imperva/dsfhub" version = ">= 1.3.5" } } From e50568a107a53ed9b68ad3dadc337015b95aca0c Mon Sep 17 00:00:00 2001 From: "github-actions[bot]" Date: Tue, 12 Nov 2024 23:43:17 +0000 Subject: [PATCH 2/2] terraform-docs: automated action --- examples/onboard-gcp-mysql/README.md | 35 ++++++++++++++ modules/dsfhub-gcp-mysql/README.md | 41 +++++++++++++++++ modules/dsfhub-gcp-pubsub/README.md | 7 ++- .../google-sql-database-instance/README.md | 42 +++++++++++++++++ modules/onboard-gcp-mysql/README.md | 46 +++++++++++++++++++ modules/onboard-gcp-pubsub/README.md | 1 + 6 files changed, 170 insertions(+), 2 deletions(-) diff --git a/examples/onboard-gcp-mysql/README.md b/examples/onboard-gcp-mysql/README.md index 6e4d4ef..ed9e377 100644 --- a/examples/onboard-gcp-mysql/README.md +++ b/examples/onboard-gcp-mysql/README.md 
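Review bot: the only change in this hunk is the alignment of `source = "imperva/dsfhub"` (whitespace), so the commit title "Apply automatic changes" should state that it is `terraform fmt` output; otherwise a reviewer has to diff whitespace to confirm nothing functional moved. The surrounding `version = ">= 1.3.5"` constraint is open-ended, which is the usual choice for a reusable module; just make sure the root configurations that consume it pin the provider through their own lock file.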
@@ -11,3 +11,38 @@ A Google Service Account will need to be created with permissions to read from P ### Google PubSub Subscription A Google logging sink, PubSub topic, and PubSub subscription in addition to a GCP PUBSUB asset in DSF will need to be created in advance. This prerequisite is handled by the ``onboard-gcp-pubsub`` module. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [gcp-mysql-1](#module\_gcp-mysql-1) | ../../modules/onboard-gcp-mysql | n/a | +| [gcp-mysql-2](#module\_gcp-mysql-2) | ../../modules/onboard-gcp-mysql | n/a | +| [gcp-mysql-3](#module\_gcp-mysql-3) | ../../modules/onboard-gcp-mysql | n/a | +| [gcp-pubsub-1](#module\_gcp-pubsub-1) | ../../modules/onboard-gcp-pubsub | n/a | +| [gcp-pubsub-2-audit](#module\_gcp-pubsub-2-audit) | ../../modules/onboard-gcp-pubsub | n/a | +| [gcp-pubsub-2-slow-query](#module\_gcp-pubsub-2-slow-query) | ../../modules/onboard-gcp-pubsub | n/a | +| [gcp-pubsub-3](#module\_gcp-pubsub-3) | ../../modules/onboard-gcp-pubsub | n/a | +| [service-account](#module\_service-account) | ../../modules/google-service-account-dsf | n/a | + +## Resources + +No resources. + +## Inputs + +No inputs. + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/modules/dsfhub-gcp-mysql/README.md b/modules/dsfhub-gcp-mysql/README.md index e69de29..e28b167 100644 --- a/modules/dsfhub-gcp-mysql/README.md +++ b/modules/dsfhub-gcp-mysql/README.md 
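Review bot: the generated section ends with a trailing `+ ` blank line and `\ No newline at end of file`; add the final newline, otherwise terraform-docs and most editors rewrite this file on every run and produce a noisy diff. Also, `## Requirements` reports "No requirements" for an example that reaches the `dsfhub` provider through `../../modules/onboard-gcp-pubsub`; if the example is meant to be applied directly, a `required_providers` block in the example would make the `>= 1.3.5` constraint visible here as well.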
@@ -0,0 +1,41 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [dsfhub](#provider\_dsfhub) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_email](#input\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | +| [asset\_id](#input\_asset\_id) | Unique identifier for the MySQL instance in the form '{project-id}:{instance-region}:{instance-name}'. | `string` | n/a | yes | +| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [logs\_destination\_asset\_id](#input\_logs\_destination\_asset\_id) | The asset\_id of the GCP PUSUB asset that this asset is sending its audit logs to. | `string` | `null` | no | +| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the GCP asset representing the GCP account where this data source is located. | `string` | `null` | no | +| [server\_host\_name](#input\_server\_host\_name) | Hostname (or IP if host is unknown) of the GCP MySQL instance | `string` | n/a | yes | +| [server\_ip](#input\_server\_ip) | IP address (or hostname if IP is unknown) of the GCP MySQL instance | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | GCP MYSQL asset | + \ No newline at end of file 
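Review bot: `## Providers` lists `dsfhub` with version `n/a` and `## Requirements` says "No requirements", so this module declares no `required_providers` constraint while the sibling `dsfhub-gcp-pubsub` module (later in this patch) now requires `>= 1.3.5`; add the same `required_providers` block to `modules/dsfhub-gcp-mysql` so both modules resolve the same provider range. Fix the typo "GCP PUSUB asset" in the `logs_destination_asset_id` description at its source in `variables.tf`, not in this README, since terraform-docs regenerates it.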
diff --git a/modules/dsfhub-gcp-pubsub/README.md b/modules/dsfhub-gcp-pubsub/README.md index 24d2f87..b9e3feb 100644 --- a/modules/dsfhub-gcp-pubsub/README.md +++ b/modules/dsfhub-gcp-pubsub/README.md @@ -1,13 +1,15 @@ ## Requirements -No requirements. +| Name | Version | +|------|---------| +| [dsfhub](#requirement\_dsfhub) | >= 1.3.5 | ## Providers | Name | Version | |------|---------| -| [dsfhub](#provider\_dsfhub) | n/a | +| [dsfhub](#provider\_dsfhub) | >= 1.3.5 | ## Modules 
@@ -29,6 +31,7 @@ No modules. | [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | | [audit\_type](#input\_audit\_type) | Identifier for the type of audit data contained within the PubSub Subscription. Supported values: ALLOYDB\_POSTGRESQL, BIGQUERY, BIGTABLE, MYSQL, MYSQL\_SLOW, MSSQL, POSTGRESQL, SPANNER. | `string` | `null` | no | | [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection. Supported values: default, service\_account. | `string` | `"default"` | no | +| [content\_type](#input\_content\_type) | Desired 'parent' asset 'Server Type' which is the one tha tuses this asset as a destination for logs. NOTE: The content\_type field will take precedence on the lookup for parent\_asset\_id field when checking which server is sending logs to this asset. | `string` | `null` | no | | [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | | [key\_file](#input\_key\_file) | Path to JSON file with credentials info (service account's key) residing on your Agentless Gateway. File must be accessible by the sonarw OS user. Required when auth\_mechanism is set to 'service\_account'. | `string` | `null` | no | | [pubsub\_subscription](#input\_pubsub\_subscription) | ID of the Google PubSub Subscription in the form 'projects/{{project}}/subscriptions/{{name}}'. | `string` | n/a | yes | diff --git a/modules/google-sql-database-instance/README.md b/modules/google-sql-database-instance/README.md index e69de29..7a83f6a 100644 --- a/modules/google-sql-database-instance/README.md +++ b/modules/google-sql-database-instance/README.md 
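Review bot: the new `content_type` description contains the typo "tha tuses" (should be "that uses"); because this README is generated, the fix belongs in the variable's `description` in `variables.tf`, and the same text is copied verbatim into `onboard-gcp-pubsub` later in this patch. The sentence about `content_type` taking precedence over `parent_asset_id` is the part that matters operationally (it decides which server's logs this subscription is attributed to), so consider enumerating the accepted values the way `audit_type` does, so a caller cannot silently misattribute audit data with a mistyped value.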
@@ -0,0 +1,42 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [google](#provider\_google) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [google_sql_database_instance.this](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/sql_database_instance) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [authorized\_networks](#input\_authorized\_networks) | A list of authorized network blocks as defined below.

authorized\_network:
- expiration\_time: (Optional) The RFC 3339 formatted date time string indicating when this whitelist expires.
- name: (Optional) A name for this whitelist entry.
- value: A CIDR notation IPv4 or IPv6 address that is allowed to access this instance. |
list(
object(
{
expiration_time = optional(string)
name = optional(string)
value = string
}
)
)
| `null` | no | +| [database\_flags](#input\_database\_flags) | List of database flags to assign to the instance. |
list(
object(
{
name = string
value = string
}
)
)
| `null` | no | +| [database\_version](#input\_database\_version) | The MySQL, PostgreSQL or SQL Server version to use. The full list of supported versions can be found at https://cloud.google.com/sql/docs/db-versions. | `string` | n/a | yes | +| [deletion\_protection](#input\_deletion\_protection) | Whether Terraform will be prevented from destroying the instance. When the field is set to true or unset in Terraform state, a terraform apply or terraform destroy that would delete the instance will fail. When the field is set to false, deleting the instance is allowed. | `bool` | `false` | no | +| [name](#input\_name) | The name of the instance. | `string` | n/a | yes | +| [project](#input\_project) | The ID of the project that the service account will be created in. | `string` | `null` | no | +| [region](#input\_region) | The region the instance will sit in. If a region is not provided in the resource definition, the provider region will be used instead. | `string` | `null` | no | +| [root\_password](#input\_root\_password) | Initial root password. Can be updated. Required for MS SQL Server. | `string` | `null` | no | +| [sql\_server\_audit\_config](#input\_sql\_server\_audit\_config) | A block describing a SQL Server audit configuration as described below.

- bucket: (Optional) The name of the destination bucket (e.g., gs://mybucket).
- upload\_interval: (Optional) How often to upload generated audit files. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s".
- retention\_interval: (Optional) How long to keep generated audit files. A duration in seconds with up to nine fractional digits, terminated by 's'. Example: "3.5s". |
object({
bucket = optional(string)
upload_interval = optional(string)
retention_interval = optional(string)
})
| `null` | no | +| [tier](#input\_tier) | The machine type to use. See [tiers](https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/tiers) for more details and supported versions | `string` | `"db-f1-micro"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Google SQL database instance | + \ No newline at end of file diff --git a/modules/onboard-gcp-mysql/README.md b/modules/onboard-gcp-mysql/README.md index 0cb5678..c5848fb 100644 --- a/modules/onboard-gcp-mysql/README.md +++ b/modules/onboard-gcp-mysql/README.md 
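Review bot: the `project` input description ("The ID of the project that the service account will be created in.") is copied from the service-account module and is wrong for this resource; it should describe the project the `google_sql_database_instance` is created in. Two further points on the inputs table: `root_password` is declared as a plain `string`, so the variable should be marked `sensitive = true` in `variables.tf` to keep it out of plan output, and `deletion_protection` defaults to `false`, which means a `terraform destroy` drops the database instance without any guard; for a module meant to stand up audited instances, defaulting to `true` is the safer choice, or at minimum the README should call the default out.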
@@ -8,3 +8,49 @@ There are two prerequisites for using this module: 2. A Google logging sink, PubSub topic, and PubSub subscription in addition to a GCP PUBSUB asset in DSF Hub. See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [gcp-mysql-asset](#module\_gcp-mysql-asset) | ../dsfhub-gcp-mysql | n/a | +| [gcp-mysql-instance](#module\_gcp-mysql-instance) | ../google-sql-database-instance | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [gcp\_mysql\_admin\_email](#input\_gcp\_mysql\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [gcp\_mysql\_audit\_pull\_enabled](#input\_gcp\_mysql\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [gcp\_mysql\_gateway\_id](#input\_gcp\_mysql\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [gcp\_mysql\_logs\_destination\_asset\_id](#input\_gcp\_mysql\_logs\_destination\_asset\_id) | The asset\_id of the GCP PUSUB asset that this asset is sending its audit logs to. | `string` | n/a | yes | +| [gcp\_mysql\_parent\_asset\_id](#input\_gcp\_mysql\_parent\_asset\_id) | The asset\_id of the GCP asset representing the GCP account where this data source is located. | `string` | `null` | no | +| [instance\_authorized\_networks](#input\_instance\_authorized\_networks) | A list of authorized network blocks as defined below.

authorized\_network:
- expiration\_time: (Optional) The RFC 3339 formatted date time string indicating when this whitelist expires.
- name: (Optional) A name for this whitelist entry.
- value: A CIDR notation IPv4 or IPv6 address that is allowed to access this instance. |
list(
object(
{
expiration_time = optional(string)
name = optional(string)
value = string
}
)
)
| n/a | yes | +| [instance\_database\_flags](#input\_instance\_database\_flags) | List of database flags to assign to the instance. |
list(
object(
{
name = string
value = string
}
)
)
|
[
{
"name": "log_output",
"value": "FILE"
},
{
"name": "general_log",
"value": "on"
}
]
| no | +| [instance\_database\_version](#input\_instance\_database\_version) | The MySQL version to use. The full list of supported versions can be found at https://cloud.google.com/sql/docs/db-versions. | `string` | `"MYSQL_8_0"` | no | +| [instance\_deletion\_protection](#input\_instance\_deletion\_protection) | Whether Terraform will be prevented from destroying the instance. When the field is set to true or unset in Terraform state, a terraform apply or terraform destroy that would delete the instance will fail. When the field is set to false, deleting the instance is allowed. | `bool` | `false` | no | +| [instance\_name](#input\_instance\_name) | The name of the instance. | `string` | n/a | yes | +| [instance\_project](#input\_instance\_project) | The ID of the project that the service account will be created in. | `string` | `null` | no | +| [instance\_region](#input\_instance\_region) | The region the instance will sit in. If a region is not provided in the resource definition, the provider region will be used instead. | `string` | `null` | no | +| [instance\_tier](#input\_instance\_tier) | The machine type to use. See [tiers](https://cloud.google.com/sql/docs/mysql/admin-api/rest/v1beta4/tiers) for more details and supported versions | `string` | `"db-f1-micro"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [gcp-mysql-asset](#output\_gcp-mysql-asset) | GCP MYSQL asset | +| [gcp-mysql-instance](#output\_gcp-mysql-instance) | Google MySQL database instance | + \ No newline at end of file diff --git a/modules/onboard-gcp-pubsub/README.md b/modules/onboard-gcp-pubsub/README.md index 9b6c9c7..9c4725b 100644 --- a/modules/onboard-gcp-pubsub/README.md +++ b/modules/onboard-gcp-pubsub/README.md 
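Review bot: `instance_authorized_networks` is required here (`n/a` / `yes`) although it is optional in the wrapped `google-sql-database-instance` module; every caller must therefore pass a list, and a caller that wants a private-IP-only instance has to know that `[]` is the intended value, so either give it a `[]` default or document this. The default `instance_database_flags` turn on `general_log` with `log_output = FILE`, which is what feeds statement-level audit data to the logging sink, but `general_log` records the text of every statement, so the description should say this is the audit feed and mention the storage and data-exposure cost. `instance_project` inherits the copy-pasted "service account will be created in" description and should be corrected at its source.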
@@ -35,6 +35,7 @@ No requirements. | [gcp\_pubsub\_audit\_pull\_enabled](#input\_gcp\_pubsub\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `null` | no | | [gcp\_pubsub\_audit\_type](#input\_gcp\_pubsub\_audit\_type) | Identifier for the type of audit data contained within the PubSub Subscription. Supported values: ALLOYDB\_POSTGRESQL, BIGQUERY, BIGTABLE, MYSQL, MYSQL\_SLOW, MSSQL, POSTGRESQL, SPANNER. | `string` | `null` | no | | [gcp\_pubsub\_auth\_mechanism](#input\_gcp\_pubsub\_auth\_mechanism) | Specifies the auth mechanism used by the connection. Supported values: default, service\_account. | `string` | `"default"` | no | +| [gcp\_pubsub\_content\_type](#input\_gcp\_pubsub\_content\_type) | Desired 'parent' asset 'Server Type' which is the one tha tuses this asset as a destination for logs. NOTE: The content\_type field will take precedence on the lookup for parent\_asset\_id field when checking which server is sending logs to this asset. | `string` | `null` | no | | [gcp\_pubsub\_gateway\_id](#input\_gcp\_pubsub\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | | [gcp\_pubsub\_key\_file](#input\_gcp\_pubsub\_key\_file) | Path to JSON file with credentials info (service account's key) residing on your Agentless Gateway. File must be accessible by the sonarw OS user. Required when auth\_mechanism is set to 'service\_account'. | `string` | `null` | no | | [gcp\_pubsub\_reason](#input\_gcp\_pubsub\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
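Review bot: `gcp_pubsub_audit_pull_enabled` defaults to `null` here while the underlying `dsfhub-gcp-pubsub` module's `audit_pull_enabled` defaults to `false`; if the intent is to fall through to the child default, say so in the description, otherwise align the two defaults. The new `gcp_pubsub_content_type` line carries the same "tha tuses" typo as the child module's variable; fix both `description` strings in `variables.tf` and re-run terraform-docs rather than editing the READMEs by hand.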