diff --git a/CHANGELOG.md b/CHANGELOG.md index 5199096..5b614e8 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,10 @@ # Changelog +## 1.0.6 (TBD) + +### Features +- Azure SQL Server module + ## 1.0.5 (2024-08-29) ### Features diff --git a/DSF_VERSION_COMPATABILITY.md b/DSF_VERSION_COMPATABILITY.md index 6e08340..eb07528 100644 --- a/DSF_VERSION_COMPATABILITY.md +++ b/DSF_VERSION_COMPATABILITY.md @@ -79,5 +79,9 @@ The following table lists the DSF versions that each module is tested and mainta onboard-aws-rds-redshift 4.17+ + + onboard-azure-ms-sql-server + 4.17+ + \ No newline at end of file diff --git a/examples/onboard-azure-ms-sql-server/README.md b/examples/onboard-azure-ms-sql-server/README.md new file mode 100644 index 0000000..7345e0d --- /dev/null +++ b/examples/onboard-azure-ms-sql-server/README.md @@ -0,0 +1,48 @@ +# Onboard Azure SQL Server example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Azure-SQL-Server-Onboarding-Steps_48367377.html). + +This example creates both 'azurerm' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [azurerm](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +This module expects an Event Hub and a Storage Account Container to have been created in advance, in addition to a corresponding existing AZURE EVENTHUB asset in DSF. Both of these prerequisites and all related resources are handled in the ``onboard-azure-eventhub`` module. + +### Azure Event Hub Namespace and Event Hub +SQL Server audit logs are sent to an Azure Event Hub and are retrieved by DSF. The Event Hubs are created within an Event Hub Namespace, which can contain one or more Event Hubs. Audit logs of multiple SQL Server instances can be sent to a single Event Hub. + +### Azure Storage Account and Container +Storage Containers are used to store transactional data for the Event Hub import processes, and one Storage Container is required for each Event Hub. These Storage Containers exists within a Storage Account, which may contain multiple Storage Containers. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [azure-ms-sql-server-1](#module\_azure-ms-sql-server-1) | ../../modules/onboard-azure-ms-sql-server | n/a | +| [azure-ms-sql-server-2](#module\_azure-ms-sql-server-2) | ../../modules/onboard-azure-ms-sql-server | n/a | +| [onboard-azure-sql-server-eventhub-1](#module\_onboard-azure-sql-server-eventhub-1) | ../../modules/onboard-azure-eventhub | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + diff --git a/examples/onboard-azure-ms-sql-server/main.tf b/examples/onboard-azure-ms-sql-server/main.tf new file mode 100644 index 0000000..9b694bd --- /dev/null +++ b/examples/onboard-azure-ms-sql-server/main.tf @@ -0,0 +1,120 @@ +locals { + azure_location = "East US" + azure_resource_group_name = "My_Resource_Group" + azure_subscription_id = "123456790-wxyz-g8h9-e5f6-a1b2c3d4" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "azurerm" { + features {} + subscription_id = local.azure_subscription_id +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. Azure Event Hub Namespace and Event Hub. Includes authorization rules for +# reading and writing to the Event Hub. +# 2. Storage Account and Container +################################################################################ +module "onboard-azure-sql-server-eventhub-1" { + source = "../../modules/onboard-azure-eventhub" + + azure_eventhub_admin_email = local.admin_email + azure_eventhub_format = "Sql" + azure_eventhub_gateway_id = local.gateway_id + + eventhub_name = "sqlservereventhub" + eventhub_namespace_location = local.azure_location + eventhub_namespace_name = "sqlservereventhubns" + eventhub_namespace_resource_group_name = local.azure_resource_group_name + + eventhub_resource_group_name = local.azure_resource_group_name + + storage_account_location = local.azure_location + storage_account_name = "sqlserverstorageacc" + storage_account_resource_group_name = local.azure_resource_group_name + storage_container_name = "sqlserverstoragecon" +} + +################################################################################ +# Azure SQL Server +################################################################################ +module "azure-ms-sql-server-1" { + source = "../../modules/onboard-azure-ms-sql-server" + + depends_on = [module.onboard-azure-sql-server-eventhub-1] + + azure_ms_sql_server_admin_email = local.admin_email + azure_ms_sql_server_audit_pull_enabled = true + azure_ms_sql_server_gateway_id = local.gateway_id + azure_ms_sql_server_location = local.azure_location + azure_ms_sql_server_logs_destination_asset_id = module.onboard-azure-sql-server-eventhub-1.azure-eventhub-asset.asset_id + + diagnostic_setting_eventhub_authorization_rule_id = module.onboard-azure-sql-server-eventhub-1.eventhub-write-authorization.id + diagnostic_setting_eventhub_name = module.onboard-azure-sql-server-eventhub-1.eventhub.name + diagnostic_setting_name = "dsfhubdiagnostic" + + server_administrator_login = "exampleadmin" + server_administrator_login_password = "Abcd1234" + server_location = local.azure_location + server_name = "example-azure-sql-server" + server_public_network_access_enabled = true + server_resource_group_name = local.azure_resource_group_name +} + +################################################################################ +# Azure SQL Server Many-to-One +################################################################################ +locals { + sql_server_types = toset([ + "dev", + "prod", + "uat" + ]) +} + +module "azure-ms-sql-server-2" { + source = "../../modules/onboard-azure-ms-sql-server" + + depends_on = [module.onboard-azure-sql-server-eventhub-1] + + for_each = local.sql_server_types + + azure_ms_sql_server_admin_email = local.admin_email + azure_ms_sql_server_audit_pull_enabled = true + azure_ms_sql_server_gateway_id = local.gateway_id + azure_ms_sql_server_location = local.azure_location + azure_ms_sql_server_logs_destination_asset_id = module.onboard-azure-sql-server-eventhub-1.azure-eventhub-asset.asset_id + + diagnostic_setting_eventhub_authorization_rule_id = module.onboard-azure-sql-server-eventhub-1.eventhub-write-authorization.id + diagnostic_setting_eventhub_name = module.onboard-azure-sql-server-eventhub-1.eventhub.name + diagnostic_setting_name = "dsfhubdiagnostic" + + server_administrator_login = "exampleadmin" + server_administrator_login_password = "Abcd1234" + server_location = local.azure_location + server_name = "example-azure-sql-server-${each.key}" + server_public_network_access_enabled = true + server_resource_group_name = local.azure_resource_group_name +} diff --git a/modules/azurerm-eventhub-namespace-authorization-rule/README.md b/modules/azurerm-eventhub-namespace-authorization-rule/README.md new file mode 100644 index 0000000..1858567 --- /dev/null +++ b/modules/azurerm-eventhub-namespace-authorization-rule/README.md @@ -0,0 +1,38 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_eventhub_namespace_authorization_rule.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace_authorization_rule) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [listen](#input\_listen) | Grants listen access to this Authorization Rule. Defaults to false. | `bool` | `false` | no | +| [manage](#input\_manage) | Grants manage access to this Authorization Rule. When this property is true - both listen and send must be too. Defaults to false. | `bool` | `false` | no | +| [name](#input\_name) | Specifies the name of the Authorization Rule. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [namespace\_name](#input\_namespace\_name) | Specifies the name of the Event Hub Namespace. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which the Event Hub Namespace exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [send](#input\_send) | Grants send access to this Authorization Rule. Defaults to false. | `bool` | `false` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Authorization Rule for an Event Hub Namespace | + \ No newline at end of file diff --git a/modules/azurerm-eventhub-namespace-authorization-rule/main.tf b/modules/azurerm-eventhub-namespace-authorization-rule/main.tf new file mode 100644 index 0000000..53ea687 --- /dev/null +++ b/modules/azurerm-eventhub-namespace-authorization-rule/main.tf @@ -0,0 +1,17 @@ +resource "azurerm_eventhub_namespace_authorization_rule" "this" { + lifecycle { + # todo: add precondition ensuring atleast one of manage, send, listen is defined + + precondition { + condition = var.manage == true ? (var.listen == true && var.send == true) : true + error_message = "When manage is set to true, both listen and send must be too." + } + } + + listen = var.listen + manage = var.manage + name = var.name + namespace_name = var.namespace_name + resource_group_name = var.resource_group_name + send = var.send +} diff --git a/modules/azurerm-eventhub-namespace-authorization-rule/outputs.tf b/modules/azurerm-eventhub-namespace-authorization-rule/outputs.tf new file mode 100644 index 0000000..42837c8 --- /dev/null +++ b/modules/azurerm-eventhub-namespace-authorization-rule/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Authorization Rule for an Event Hub Namespace" + value = azurerm_eventhub_namespace_authorization_rule.this +} diff --git a/modules/azurerm-eventhub-namespace-authorization-rule/variables.tf b/modules/azurerm-eventhub-namespace-authorization-rule/variables.tf new file mode 100644 index 0000000..bcd31d5 --- /dev/null +++ b/modules/azurerm-eventhub-namespace-authorization-rule/variables.tf @@ -0,0 +1,32 @@ +variable "listen" { + description = "Grants listen access to this Authorization Rule. Defaults to false." + type = bool + default = false +} + +variable "manage" { + description = "Grants manage access to this Authorization Rule. When this property is true - both listen and send must be too. Defaults to false." + type = bool + default = false +} + +variable "name" { + description = "Specifies the name of the Authorization Rule. Changing this forces a new resource to be created." + type = string +} + +variable "namespace_name" { + description = "Specifies the name of the Event Hub Namespace. Changing this forces a new resource to be created." + type = string +} + +variable "resource_group_name" { + description = "The name of the resource group in which the Event Hub Namespace exists. Changing this forces a new resource to be created." + type = string +} + +variable "send" { + description = "Grants send access to this Authorization Rule. Defaults to false." + type = bool + default = false +} diff --git a/modules/azurerm-eventhub-namespace/README.md b/modules/azurerm-eventhub-namespace/README.md new file mode 100644 index 0000000..993b9c6 --- /dev/null +++ b/modules/azurerm-eventhub-namespace/README.md @@ -0,0 +1,39 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_eventhub_namespace.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub_namespace) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [capacity](#input\_capacity) | Specifies the Capacity / Throughput Units for a Standard SKU namespace. Defaults to 1. | `number` | `1` | no | +| [location](#input\_location) | Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [name](#input\_name) | Specifies the name of the Event Hub Namespace resource. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | Is public network access enabled for the Event Hub Namespace? Defaults to true. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the namespace. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [sku](#input\_sku) | Defines which tier to use. Valid options are Basic, Standard, and Premium. Please note that setting this field to Premium will force the creation of a new resource. | `string` | `"Basic"` | no | +| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Azure Event Hub Namespace | + \ No newline at end of file diff --git a/modules/azurerm-eventhub-namespace/main.tf b/modules/azurerm-eventhub-namespace/main.tf new file mode 100644 index 0000000..9d699c4 --- /dev/null +++ b/modules/azurerm-eventhub-namespace/main.tf @@ -0,0 +1,9 @@ +resource "azurerm_eventhub_namespace" "this" { + capacity = var.capacity + location = var.location + name = var.name + public_network_access_enabled = var.public_network_access_enabled + resource_group_name = var.resource_group_name + sku = var.sku + tags = var.tags +} diff --git a/modules/azurerm-eventhub-namespace/outputs.tf b/modules/azurerm-eventhub-namespace/outputs.tf new file mode 100644 index 0000000..9a39c34 --- /dev/null +++ b/modules/azurerm-eventhub-namespace/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Azure Event Hub Namespace" + value = azurerm_eventhub_namespace.this +} diff --git a/modules/azurerm-eventhub-namespace/variables.tf b/modules/azurerm-eventhub-namespace/variables.tf new file mode 100644 index 0000000..495ef05 --- /dev/null +++ b/modules/azurerm-eventhub-namespace/variables.tf @@ -0,0 +1,42 @@ +variable "capacity" { + description = "Specifies the Capacity / Throughput Units for a Standard SKU namespace. Defaults to 1." + type = number + default = 1 +} + +variable "location" { + description = "Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created." + type = string +} + +variable "name" { + description = "Specifies the name of the Event Hub Namespace resource. Changing this forces a new resource to be created." + type = string +} + +variable "public_network_access_enabled" { + description = "Is public network access enabled for the Event Hub Namespace? Defaults to true." + type = bool + default = true +} + +variable "resource_group_name" { + description = "The name of the resource group in which to create the namespace. Changing this forces a new resource to be created." + type = string +} + +variable "sku" { + description = "Defines which tier to use. Valid options are Basic, Standard, and Premium. Please note that setting this field to Premium will force the creation of a new resource." + type = string + default = "Basic" + validation { + condition = contains(["Basic", "Standard", "Premium"], var.sku) + error_message = "Invalid sku. Valid options are Basic, Standard, and Premium." + } +} + +variable "tags" { + description = "A mapping of tags to assign to the resource." + type = map(string) + default = null +} diff --git a/modules/azurerm-eventhub/README.md b/modules/azurerm-eventhub/README.md new file mode 100644 index 0000000..372ac54 --- /dev/null +++ b/modules/azurerm-eventhub/README.md @@ -0,0 +1,38 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_eventhub.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/eventhub) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [message\_retention](#input\_message\_retention) | Specifies the number of days to retain the events for this Event Hub. Defaults to 1. | `number` | `1` | no | +| [name](#input\_name) | Specifies the name of the Event Hub resource. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [namespace\_name](#input\_namespace\_name) | Specifies the name of the Event Hub Namespace. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [partition\_count](#input\_partition\_count) | Specifies the current number of shards on the Event Hub. Note: partition\_count cannot be changed unless Eventhub Namespace SKU is Premium and cannot be decreased. Defaults to 1. | `number` | `1` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which the Event Hub's parent Namespace exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [status](#input\_status) | Specifies the status of the Event Hub resource. Possible values are Active, Disabled and SendDisabled. Defaults to Active. | `string` | `"Active"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Azure Event Hub | + \ No newline at end of file diff --git a/modules/azurerm-eventhub/main.tf b/modules/azurerm-eventhub/main.tf new file mode 100644 index 0000000..25c7388 --- /dev/null +++ b/modules/azurerm-eventhub/main.tf @@ -0,0 +1,8 @@ +resource "azurerm_eventhub" "this" { + message_retention = var.message_retention + name = var.name + namespace_name = var.namespace_name + partition_count = var.partition_count + resource_group_name = var.resource_group_name + status = var.status +} diff --git a/modules/azurerm-eventhub/outputs.tf b/modules/azurerm-eventhub/outputs.tf new file mode 100644 index 0000000..3313566 --- /dev/null +++ b/modules/azurerm-eventhub/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Azure Event Hub" + value = azurerm_eventhub.this +} diff --git a/modules/azurerm-eventhub/variables.tf b/modules/azurerm-eventhub/variables.tf new file mode 100644 index 0000000..a949ec1 --- /dev/null +++ b/modules/azurerm-eventhub/variables.tf @@ -0,0 +1,36 @@ +variable "message_retention" { + description = "Specifies the number of days to retain the events for this Event Hub. Defaults to 1." + type = number + default = 1 +} + +variable "name" { + description = "Specifies the name of the Event Hub resource. Changing this forces a new resource to be created." + type = string +} + +variable "namespace_name" { + description = "Specifies the name of the Event Hub Namespace. Changing this forces a new resource to be created." + type = string +} + +variable "partition_count" { + description = "Specifies the current number of shards on the Event Hub. Note: partition_count cannot be changed unless Eventhub Namespace SKU is Premium and cannot be decreased. Defaults to 1." + type = number + default = 1 +} + +variable "resource_group_name" { + description = "The name of the resource group in which the Event Hub's parent Namespace exists. Changing this forces a new resource to be created." + type = string +} + +variable "status" { + description = "Specifies the status of the Event Hub resource. Possible values are Active, Disabled and SendDisabled. Defaults to Active." + type = string + default = "Active" + validation { + condition = contains(["Active", "Disabled", "SendDisabled"], var.status) + error_message = "Invalid sku. Possible values are Active, Disabled and SendDisabled." + } +} diff --git a/modules/azurerm-monitor-diagnostic-setting/README.md b/modules/azurerm-monitor-diagnostic-setting/README.md new file mode 100644 index 0000000..1c33565 --- /dev/null +++ b/modules/azurerm-monitor-diagnostic-setting/README.md @@ -0,0 +1,39 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_monitor_diagnostic_setting.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/monitor_diagnostic_setting) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [enabled\_log](#input\_enabled\_log) | Map of categories/category groups to be enabled in the diagnostic setting. Only one of category and category\_group can be specified per block. | 
list(
    object(
      {
        category       = optional(string)
        category_group = optional(string)
      }
    )
  )
| `null` | no | +| [eventhub\_authorization\_rule\_id](#input\_eventhub\_authorization\_rule\_id) | Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. | `string` | `null` | no | +| [eventhub\_name](#input\_eventhub\_name) | Specifies the name of the Event Hub where Diagnostics Data should be sent. | `string` | `null` | no | +| [metric](#input\_metric) | Map of metric categories to be enabled in the diagnostic setting. | 
list(
    object(
      {
        category = string
        enabled  = optional(bool, true)
      }
    )
  )
| `null` | no | +| [name](#input\_name) | Specifies the name of the Diagnostic Setting. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [storage\_account\_id](#input\_storage\_account\_id) | The ID of the Storage Account where logs should be sent. | `string` | `null` | no | +| [target\_resource\_id](#input\_target\_resource\_id) | The ID of an existing Resource on which to configure Diagnostic Settings. Changing this forces a new resource to be created. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Diagnostic Setting | + \ No newline at end of file diff --git a/modules/azurerm-monitor-diagnostic-setting/main.tf b/modules/azurerm-monitor-diagnostic-setting/main.tf new file mode 100644 index 0000000..13b9815 --- /dev/null +++ b/modules/azurerm-monitor-diagnostic-setting/main.tf @@ -0,0 +1,42 @@ +resource "azurerm_monitor_diagnostic_setting" "this" { + lifecycle { + # Ensure a target is set for the diagnostic setting + precondition { + condition = ( + var.eventhub_authorization_rule_id != null || + var.storage_account_id != null + ) + error_message = "Atleast one of eventhub_authorization_rule_id, storage_account_id must be specified" + } + + # Avoid overriding changes made automatically on the Azure side + ignore_changes = [enabled_log, metric] + } + + eventhub_authorization_rule_id = var.eventhub_authorization_rule_id + eventhub_name = var.eventhub_name + name = var.name + storage_account_id = var.storage_account_id + target_resource_id = var.target_resource_id + + dynamic "enabled_log" { + # If enabled_log is not defined, do not create + for_each = var.enabled_log != null ? var.enabled_log : [] + + content { + category = enabled_log.value.category + category_group = enabled_log.value.category_group + } + } + + dynamic "metric" { + # If metric is not defined, do not create + for_each = var.metric != null ? var.metric : [] + + content { + category = metric.value.category + enabled = metric.value.enabled + } + } +} + diff --git a/modules/azurerm-monitor-diagnostic-setting/outputs.tf b/modules/azurerm-monitor-diagnostic-setting/outputs.tf new file mode 100644 index 0000000..e8b0104 --- /dev/null +++ b/modules/azurerm-monitor-diagnostic-setting/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Diagnostic Setting" + value = azurerm_monitor_diagnostic_setting.this +} diff --git a/modules/azurerm-monitor-diagnostic-setting/variables.tf b/modules/azurerm-monitor-diagnostic-setting/variables.tf new file mode 100644 index 0000000..e7f49f2 --- /dev/null +++ b/modules/azurerm-monitor-diagnostic-setting/variables.tf @@ -0,0 +1,53 @@ +variable "enabled_log" { + description = "Map of categories/category groups to be enabled in the diagnostic setting. Only one of category and category_group can be specified per block." + type = list( + object( + { + category = optional(string) + category_group = optional(string) + } + ) + ) + default = null +} + +variable "eventhub_authorization_rule_id" { + description = "Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. " + type = string + default = null +} + +variable "eventhub_name" { + description = "Specifies the name of the Event Hub where Diagnostics Data should be sent." + type = string + default = null +} + +variable "metric" { + description = "Map of metric categories to be enabled in the diagnostic setting." + type = list( + object( + { + category = string + enabled = optional(bool, true) + } + ) + ) + default = null +} + +variable "name" { + description = "Specifies the name of the Diagnostic Setting. Changing this forces a new resource to be created." + type = string +} + +variable "storage_account_id" { + description = "The ID of the Storage Account where logs should be sent. " + type = string + default = null +} + +variable "target_resource_id" { + description = "The ID of an existing Resource on which to configure Diagnostic Settings. Changing this forces a new resource to be created." + type = string +} diff --git a/modules/azurerm-mssql-server-extended-auditing-policy/README.md b/modules/azurerm-mssql-server-extended-auditing-policy/README.md new file mode 100644 index 0000000..e4d9b91 --- /dev/null +++ b/modules/azurerm-mssql-server-extended-auditing-policy/README.md @@ -0,0 +1,38 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_mssql_server_extended_auditing_policy.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server_extended_auditing_policy) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [enabled](#input\_enabled) | Whether to enable the extended auditing policy. Defaults to true. | `bool` | `true` | no | +| [retention\_in\_days](#input\_retention\_in\_days) | The number of days to retain logs for in the storage account. | `number` | `null` | no | +| [server\_id](#input\_server\_id) | The ID of the SQL Server to set the extended auditing policy. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [storage\_account\_access\_key](#input\_storage\_account\_access\_key) | The access key to use for the auditing storage account. | `string` | `null` | no | +| [storage\_account\_subscription\_id](#input\_storage\_account\_subscription\_id) | The ID of the Subscription containing the Storage Account. | `string` | `null` | no | +| [storage\_endpoint](#input\_storage\_endpoint) | The blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all extended auditing logs. | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Azure MS SQL Server Extended Auditing Policy. | + \ No newline at end of file diff --git a/modules/azurerm-mssql-server-extended-auditing-policy/main.tf b/modules/azurerm-mssql-server-extended-auditing-policy/main.tf new file mode 100644 index 0000000..1b2cd07 --- /dev/null +++ b/modules/azurerm-mssql-server-extended-auditing-policy/main.tf @@ -0,0 +1,8 @@ +resource "azurerm_mssql_server_extended_auditing_policy" "this" { + enabled = var.enabled + retention_in_days = var.retention_in_days + server_id = var.server_id + storage_account_access_key = var.storage_account_access_key + storage_account_subscription_id = var.storage_account_subscription_id + storage_endpoint = var.storage_endpoint +} diff --git a/modules/azurerm-mssql-server-extended-auditing-policy/outputs.tf b/modules/azurerm-mssql-server-extended-auditing-policy/outputs.tf new file mode 100644 index 0000000..136b27f --- /dev/null +++ b/modules/azurerm-mssql-server-extended-auditing-policy/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Azure MS SQL Server Extended Auditing Policy." + value = azurerm_mssql_server_extended_auditing_policy.this +} diff --git a/modules/azurerm-mssql-server-extended-auditing-policy/variables.tf b/modules/azurerm-mssql-server-extended-auditing-policy/variables.tf new file mode 100644 index 0000000..c2c1a6c --- /dev/null +++ b/modules/azurerm-mssql-server-extended-auditing-policy/variables.tf @@ -0,0 +1,34 @@ +variable "enabled" { + description = "Whether to enable the extended auditing policy. Defaults to true." + type = bool + default = true +} + +variable "retention_in_days" { + description = "The number of days to retain logs for in the storage account." + type = number + default = null +} + +variable "server_id" { + description = "The ID of the SQL Server to set the extended auditing policy. Changing this forces a new resource to be created." + type = string +} + +variable "storage_account_access_key" { + description = "The access key to use for the auditing storage account." + type = string + default = null +} + +variable "storage_account_subscription_id" { + description = "The ID of the Subscription containing the Storage Account." + type = string + default = null +} + +variable "storage_endpoint" { + description = "The blob storage endpoint (e.g. https://example.blob.core.windows.net). This blob storage will hold all extended auditing logs." + type = string + default = null +} diff --git a/modules/azurerm-mssql-server/README.md b/modules/azurerm-mssql-server/README.md new file mode 100644 index 0000000..a4325d5 --- /dev/null +++ b/modules/azurerm-mssql-server/README.md @@ -0,0 +1,40 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_mssql_server.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/mssql_server) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [administrator\_login](#input\_administrator\_login) | The administrator login name for the new server. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [administrator\_login\_password](#input\_administrator\_login\_password) | The password associated with the administrator\_login user. | `string` | n/a | yes | +| [location](#input\_location) | Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [name](#input\_name) | The name of the Microsoft SQL Server. This needs to be globally unique within Azure. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [public\_network\_access\_enabled](#input\_public\_network\_access\_enabled) | Whether public network access is allowed for this server. Defaults to true. | `bool` | `true` | no | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the Microsoft SQL Server. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [server\_version](#input\_server\_version) | The version for the new server. Valid values are: 2.0 (for v11 server) and 12.0 (for v12 server). Changing this forces a new resource to be created. | `string` | `"12.0"` | no | +| [tags](#input\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Microsoft SQL Azure Database Server | + \ No newline at end of file diff --git a/modules/azurerm-mssql-server/main.tf b/modules/azurerm-mssql-server/main.tf new file mode 100644 index 0000000..8ca1fbf --- /dev/null +++ b/modules/azurerm-mssql-server/main.tf @@ -0,0 +1,10 @@ +resource "azurerm_mssql_server" "this" { + administrator_login = var.administrator_login + administrator_login_password = var.administrator_login_password + location = var.location + name = var.name + public_network_access_enabled = var.public_network_access_enabled + resource_group_name = var.resource_group_name + tags = var.tags + version = var.server_version # version is special keyword for modules +} diff --git a/modules/azurerm-mssql-server/outputs.tf b/modules/azurerm-mssql-server/outputs.tf new file mode 100644 index 0000000..b91d7fe --- /dev/null +++ b/modules/azurerm-mssql-server/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Microsoft SQL Azure Database Server" + value = azurerm_mssql_server.this +} diff --git a/modules/azurerm-mssql-server/variables.tf b/modules/azurerm-mssql-server/variables.tf new file mode 100644 index 0000000..55cbc3c --- /dev/null +++ b/modules/azurerm-mssql-server/variables.tf @@ -0,0 +1,46 @@ +variable "administrator_login" { + description = "The administrator login name for the new server. Changing this forces a new resource to be created." + type = string +} + +variable "administrator_login_password" { + description = "The password associated with the administrator_login user." + type = string +} + +variable "location" { + description = "Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created." + type = string +} + +variable "name" { + description = "The name of the Microsoft SQL Server. This needs to be globally unique within Azure. Changing this forces a new resource to be created." + type = string +} + +variable "public_network_access_enabled" { + description = "Whether public network access is allowed for this server. Defaults to true." + type = bool + default = true +} + +variable "resource_group_name" { + description = "The name of the resource group in which to create the Microsoft SQL Server. Changing this forces a new resource to be created." + type = string +} + +variable "tags" { + description = "A mapping of tags to assign to the resource." + type = map(string) + default = null +} + +variable "server_version" { + description = "The version for the new server. Valid values are: 2.0 (for v11 server) and 12.0 (for v12 server). Changing this forces a new resource to be created." + type = string + default = "12.0" + validation { + condition = contains(["2.0", "12.0"], var.server_version) + error_message = "Invalid version. Valid options 2.0 (for v11 server) and 12.0 (for v12 server)." + } +} diff --git a/modules/azurerm-storage-account/README.md b/modules/azurerm-storage-account/README.md new file mode 100644 index 0000000..24b3b5c --- /dev/null +++ b/modules/azurerm-storage-account/README.md @@ -0,0 +1,37 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_storage_account.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_account) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [account\_replication\_type](#input\_account\_replication\_type) | Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Changing this forces a new resource to be created when types LRS, GRS and RAGRS are changed to ZRS, GZRS or RAGZRS and vice versa. Defaults to GRS. | `string` | `"GRS"` | no | +| [account\_tier](#input\_account\_tier) | Defines the Tier to use for this storage account. Valid options are Standard and Premium. Defaults to Standard. | `string` | `"Standard"` | no | +| [location](#input\_location) | Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [name](#input\_name) | Specifies the name of the storage account. Only lowercase Alphanumeric characters allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group. | `string` | n/a | yes | +| [resource\_group\_name](#input\_resource\_group\_name) | The name of the resource group in which to create the storage account. Changing this forces a new resource to be created. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Azure storage account | + \ No newline at end of file diff --git a/modules/azurerm-storage-account/main.tf b/modules/azurerm-storage-account/main.tf new file mode 100644 index 0000000..4f74eaa --- /dev/null +++ b/modules/azurerm-storage-account/main.tf @@ -0,0 +1,7 @@ +resource "azurerm_storage_account" "this" { + account_replication_type = var.account_replication_type + account_tier = var.account_tier + location = var.location + name = var.name + resource_group_name = var.resource_group_name +} diff --git a/modules/azurerm-storage-account/outputs.tf b/modules/azurerm-storage-account/outputs.tf new file mode 100644 index 0000000..a3152b9 --- /dev/null +++ b/modules/azurerm-storage-account/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Azure storage account" + value = azurerm_storage_account.this +} diff --git a/modules/azurerm-storage-account/variables.tf b/modules/azurerm-storage-account/variables.tf new file mode 100644 index 0000000..2e92967 --- /dev/null +++ b/modules/azurerm-storage-account/variables.tf @@ -0,0 +1,38 @@ +variable "account_replication_type" { + description = "Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Changing this forces a new resource to be created when types LRS, GRS and RAGRS are changed to ZRS, GZRS or RAGZRS and vice versa. Defaults to GRS." + type = string + default = "GRS" + validation { + condition = contains(["LRS", "GRS", "RAGRS", "ZRS", "GZRS", "RAGZRS"], var.account_replication_type) + error_message = "Invalid replication type. Valid values are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS." + } +} + +variable "account_tier" { + description = "Defines the Tier to use for this storage account. Valid options are Standard and Premium. Defaults to Standard." + type = string + default = "Standard" + validation { + condition = contains(["Standard", "Premium"], var.account_tier) + error_message = "Invalid replication type. Valid options are Standard and Premium." + } +} + +variable "location" { + description = "Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created." + type = string +} + +variable "name" { + description = "Specifies the name of the storage account. Only lowercase Alphanumeric characters allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group." + type = string + validation { + condition = can(regex("^[a-z0-9]+$", var.name)) && length(var.name) >= 3 && length(var.name) <= 24 + error_message = "Invalid name. Storage account name must consist of lowercase Alphanumeric characters and be between 3 amd 24 characters long." + } +} + +variable "resource_group_name" { + description = "The name of the resource group in which to create the storage account. Changing this forces a new resource to be created." + type = string +} diff --git a/modules/azurerm-storage-container/README.md b/modules/azurerm-storage-container/README.md new file mode 100644 index 0000000..798e401 --- /dev/null +++ b/modules/azurerm-storage-container/README.md @@ -0,0 +1,35 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [azurerm_storage_container.this](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_container) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [container\_access\_type](#input\_container\_access\_type) | The Access Level configured for this Container. Possible values are blob, container or private. Defaults to private. | `string` | `"private"` | no | +| [name](#input\_name) | The name of the Container which should be created within the Storage Account. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [storage\_account\_name](#input\_storage\_account\_name) | The name of the Storage Account where the Container should be created. Changing this forces a new resource to be created. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | Azure storage container | + \ No newline at end of file diff --git a/modules/azurerm-storage-container/main.tf b/modules/azurerm-storage-container/main.tf new file mode 100644 index 0000000..4472eeb --- /dev/null +++ b/modules/azurerm-storage-container/main.tf @@ -0,0 +1,5 @@ +resource "azurerm_storage_container" "this" { + container_access_type = var.container_access_type + name = var.name + storage_account_name = var.storage_account_name +} diff --git a/modules/azurerm-storage-container/outputs.tf b/modules/azurerm-storage-container/outputs.tf new file mode 100644 index 0000000..5d5f390 --- /dev/null +++ b/modules/azurerm-storage-container/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "Azure storage container" + value = azurerm_storage_container.this +} diff --git a/modules/azurerm-storage-container/variables.tf b/modules/azurerm-storage-container/variables.tf new file mode 100644 index 0000000..cc38eab --- /dev/null +++ b/modules/azurerm-storage-container/variables.tf @@ -0,0 +1,15 @@ +variable "container_access_type" { + description = "The Access Level configured for this Container. Possible values are blob, container or private. Defaults to private." + type = string + default = "private" +} + +variable "name" { + description = "The name of the Container which should be created within the Storage Account. Changing this forces a new resource to be created." + type = string +} + +variable "storage_account_name" { + description = "The name of the Storage Account where the Container should be created. Changing this forces a new resource to be created." + type = string +} diff --git a/modules/dsfhub-azure-eventhub/README.md b/modules/dsfhub-azure-eventhub/README.md new file mode 100644 index 0000000..354c116 --- /dev/null +++ b/modules/dsfhub-azure-eventhub/README.md @@ -0,0 +1,50 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [dsfhub](#provider\_dsfhub) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [dsfhub_log_aggregator.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/log_aggregator) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_email](#input\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | +| [asset\_id](#input\_asset\_id) | The Azure resource ID of the eventhub. | `string` | n/a | yes | +| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no | +| [azure\_storage\_account](#input\_azure\_storage\_account) | Name of the Azure Storage Account that will be used to store a marker for the Event Hub pulls. | `string` | `null` | no | +| [azure\_storage\_container](#input\_azure\_storage\_container) | Name of the Azure Storage Container that will be used to store a marker for the Event Hub pulls. | `string` | `null` | no | +| [azure\_storage\_secret\_key](#input\_azure\_storage\_secret\_key) | Access Key with permissions to access the Storage Account. | `string` | `null` | no | +| [eventhub\_access\_key](#input\_eventhub\_access\_key) | The primary key of the shared shared access policy for the namespace containing the targeted Event Hub. | `string` | `null` | no | +| [eventhub\_access\_policy](#input\_eventhub\_access\_policy) | The name of the shared access policy for the namespace containing the targeted Event Hub. | `string` | `null` | no | +| [eventhub\_name](#input\_eventhub\_name) | Name of the Event Hub containing the audit logs. | `string` | `null` | no | +| [eventhub\_namespace](#input\_eventhub\_namespace) | Name of the Event Hub Namespace containing the Event Hub. | `string` | `null` | no | +| [format](#input\_format) | The type of audit data being sent to the Event Hub. Possible values are: AzureSQL\_Managed, Blob, Cosmos\_Mongo, Cosmos\_SQL, Data\_Explorer, Databricks\_Workspace, File, Mariadb, Mysql, Postgresql, Postgresql\_Flexible, Queue, Sql, Synapse, Table. Defaults to Sql. | `string` | `"Sql"` | no | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the azure asset that is sending its audit logs to this AZURE EVENTHUB asset. | `string` | `null` | no | +| [reason](#input\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [region](#input\_region) | Azure region containing the Event Hub. | `string` | `null` | no | +| [server\_host\_name](#input\_server\_host\_name) | Event Hub Namespace's service bus endpoint, e.g. mynamespace.servicebus.windows.net | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | AZURE EVENTHUB asset | + \ No newline at end of file diff --git a/modules/dsfhub-azure-eventhub/main.tf b/modules/dsfhub-azure-eventhub/main.tf new file mode 100644 index 0000000..1fb4797 --- /dev/null +++ b/modules/dsfhub-azure-eventhub/main.tf @@ -0,0 +1,39 @@ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +resource "dsfhub_log_aggregator" "this" { + server_type = "AZURE EVENTHUB" + + admin_email = var.admin_email + asset_display_name = var.asset_display_name + asset_id = var.asset_id + audit_pull_enabled = var.audit_pull_enabled + gateway_id = var.gateway_id + parent_asset_id = var.parent_asset_id + region = var.region + server_host_name = var.server_host_name + server_port = "443" + + dynamic "asset_connection" { + # If auth_mechanism is not defined, do not create a connection + for_each = var.auth_mechanism != null ? [0] : [] + + content { + auth_mechanism = var.auth_mechanism + azure_storage_account = var.azure_storage_account + azure_storage_container = var.azure_storage_container + azure_storage_secret_key = var.auth_mechanism == "default" ? var.azure_storage_secret_key : null + eventhub_access_key = var.auth_mechanism == "default" ? var.eventhub_access_key : null + eventhub_access_policy = var.auth_mechanism == "default" ? var.eventhub_access_policy : null + eventhub_name = var.eventhub_name + eventhub_namespace = var.eventhub_namespace + format = var.format + reason = var.reason + } + } +} diff --git a/modules/dsfhub-azure-eventhub/outputs.tf b/modules/dsfhub-azure-eventhub/outputs.tf new file mode 100644 index 0000000..86bc120 --- /dev/null +++ b/modules/dsfhub-azure-eventhub/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "AZURE EVENTHUB asset" + value = dsfhub_log_aggregator.this +} diff --git a/modules/dsfhub-azure-eventhub/variables.tf b/modules/dsfhub-azure-eventhub/variables.tf new file mode 100644 index 0000000..0fcf28c --- /dev/null +++ b/modules/dsfhub-azure-eventhub/variables.tf @@ -0,0 +1,125 @@ +variable "admin_email" { + description = "The email address to notify about the asset." + type = string +} + +variable "asset_display_name" { + description = "User-friendly name of the asset, defined by user" + type = string +} + +variable "asset_id" { + description = "The Azure resource ID of the eventhub." + type = string +} + +variable "audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + +variable "auth_mechanism" { + description = "Specifies the auth mechanism used by the connection" + type = string + default = null +} + +variable "azure_storage_account" { + description = "Name of the Azure Storage Account that will be used to store a marker for the Event Hub pulls." + type = string + default = null +} + +variable "azure_storage_container" { + description = "Name of the Azure Storage Container that will be used to store a marker for the Event Hub pulls." + type = string + default = null +} + +variable "azure_storage_secret_key" { + description = "Access Key with permissions to access the Storage Account." + type = string + default = null +} + +variable "eventhub_access_key" { + description = "The primary key of the shared shared access policy for the namespace containing the targeted Event Hub." + type = string + default = null +} + +variable "eventhub_access_policy" { + description = "The name of the shared access policy for the namespace containing the targeted Event Hub." + type = string + default = null +} + +variable "eventhub_name" { + description = "Name of the Event Hub containing the audit logs." + type = string + default = null +} + +variable "eventhub_namespace" { + description = "Name of the Event Hub Namespace containing the Event Hub." + type = string + default = null +} + +variable "format" { + description = "The type of audit data being sent to the Event Hub. Possible values are: AzureSQL_Managed, Blob, Cosmos_Mongo, Cosmos_SQL, Data_Explorer, Databricks_Workspace, File, Mariadb, Mysql, Postgresql, Postgresql_Flexible, Queue, Sql, Synapse, Table. Defaults to Sql." + type = string + default = "Sql" + validation { + condition = contains( + [ + "AzureSQL_Managed", + "Blob", + "Cosmos_Mongo", + "Cosmos_SQL", + "Data_Explorer", + "Databricks_Workspace", + "File", + "Mariadb", + "Mysql", + "Postgresql", + "Postgresql_Flexible", + "Queue", + "Sql", + "Synapse", + "Table" + ], + var.format + ) + error_message = "Invalid format. Possible values are: AzureSQL_Managed, Blob, Cosmos_Mongo, Cosmos_SQL, Data_Explorer, Databricks_Workspace, File, Mariadb, Mysql, Postgresql, Postgresql_Flexible, Queue, Sql, Synapse, Table." + } +} + +variable "gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "parent_asset_id" { + description = "The asset_id of the azure asset that is sending its audit logs to this AZURE EVENTHUB asset." + type = string + default = null +} + +variable "reason" { + description = "Used to differentiate connections that belong to the same asset" + type = string + default = "default" +} + +variable "region" { + description = "Azure region containing the Event Hub." + type = string + default = null +} + +variable "server_host_name" { + description = "Event Hub Namespace's service bus endpoint, e.g. mynamespace.servicebus.windows.net" + type = string +} diff --git a/modules/dsfhub-azure-ms-sql-server/README.md b/modules/dsfhub-azure-ms-sql-server/README.md new file mode 100644 index 0000000..32434e6 --- /dev/null +++ b/modules/dsfhub-azure-ms-sql-server/README.md @@ -0,0 +1,48 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [dsfhub](#provider\_dsfhub) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [admin\_email](#input\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes | +| [asset\_id](#input\_asset\_id) | The Azure resource ID of the SQL Server instance. | `string` | n/a | yes | +| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no | +| [database\_name](#input\_database\_name) | Specifies the name of the database to connect to (or default DB). | `string` | `"master"` | no | +| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [location](#input\_location) | Physical location/region of the SQL Server instance, e.g. "EAST US" | `string` | `null` | no | +| [logs\_destination\_asset\_id](#input\_logs\_destination\_asset\_id) | The asset\_id of the AZURE EVENTHUB asset that this instance is sending its audit logs to. | `string` | `null` | no | +| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of the AZURE asset representing the Azure account where this server is located. | `string` | `null` | no | +| [password](#input\_password) | Password to use to connect to the SQL Server instance. | `string` | `null` | no | +| [reason](#input\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [server\_host\_name](#input\_server\_host\_name) | Hostname of the SQL Server instance. | `string` | n/a | yes | +| [server\_ip](#input\_server\_ip) | IP address / hostname of the SQL Server instance. | `string` | n/a | yes | +| [server\_port](#input\_server\_port) | Port that the SQL Server instance listens on. | `string` | `"1433"` | no | +| [username](#input\_username) | Username of SQL Server database user to connect with. | `string` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | AZURE MS SQL SERVER asset | + \ No newline at end of file diff --git a/modules/dsfhub-azure-ms-sql-server/main.tf b/modules/dsfhub-azure-ms-sql-server/main.tf new file mode 100644 index 0000000..63ad622 --- /dev/null +++ b/modules/dsfhub-azure-ms-sql-server/main.tf @@ -0,0 +1,36 @@ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +resource "dsfhub_data_source" "this" { + server_type = "AZURE MS SQL SERVER" + + admin_email = var.admin_email + asset_display_name = var.asset_display_name + asset_id = var.asset_id + audit_pull_enabled = var.audit_pull_enabled + database_name = var.database_name + gateway_id = var.gateway_id + location = var.location + logs_destination_asset_id = var.logs_destination_asset_id + parent_asset_id = var.parent_asset_id + server_host_name = var.server_host_name + server_ip = var.server_ip + server_port = var.server_port + + dynamic "asset_connection" { + # If auth_mechanism is not defined, do not create a connection + for_each = var.auth_mechanism != null ? [0] : [] + + content { + auth_mechanism = var.auth_mechanism + password = var.password + reason = var.reason + username = var.username + } + } +} diff --git a/modules/dsfhub-azure-ms-sql-server/outputs.tf b/modules/dsfhub-azure-ms-sql-server/outputs.tf new file mode 100644 index 0000000..d9d22a8 --- /dev/null +++ b/modules/dsfhub-azure-ms-sql-server/outputs.tf @@ -0,0 +1,4 @@ +output "this" { + description = "AZURE MS SQL SERVER asset" + value = dsfhub_data_source.this +} diff --git a/modules/dsfhub-azure-ms-sql-server/variables.tf b/modules/dsfhub-azure-ms-sql-server/variables.tf new file mode 100644 index 0000000..0b0ae1d --- /dev/null +++ b/modules/dsfhub-azure-ms-sql-server/variables.tf @@ -0,0 +1,96 @@ +variable "admin_email" { + description = "The email address to notify about the asset." + type = string +} + +variable "asset_display_name" { + description = "User-friendly name of the asset, defined by user" + type = string +} + +variable "asset_id" { + description = "The Azure resource ID of the SQL Server instance." + type = string +} + +variable "audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + +variable "auth_mechanism" { + description = "Specifies the auth mechanism used by the connection" + type = string + default = null + validation { + condition = ( + var.auth_mechanism == null || + can(contains(["password"], var.auth_mechanism)) + ) + error_message = "Invalid authentication mechanism. Supported values: password" + } +} + +variable "database_name" { + description = "Specifies the name of the database to connect to (or default DB)." + type = string + default = "master" +} + +variable "gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "location" { + description = "Physical location/region of the SQL Server instance, e.g. \"EAST US\"" + type = string + default = null +} + +variable "logs_destination_asset_id" { + description = "The asset_id of the AZURE EVENTHUB asset that this instance is sending its audit logs to." + type = string + default = null +} + +variable "password" { + description = "Password to use to connect to the SQL Server instance." + type = string + default = null +} + +variable "parent_asset_id" { + description = "The asset_id of the AZURE asset representing the Azure account where this server is located." + type = string + default = null +} + +variable "reason" { + description = "Used to differentiate connections that belong to the same asset" + type = string + default = "default" +} + +variable "server_host_name" { + description = "Hostname of the SQL Server instance." + type = string +} + +variable "server_ip" { + description = "IP address / hostname of the SQL Server instance." + type = string +} + +variable "server_port" { + description = "Port that the SQL Server instance listens on." + type = string + default = "1433" +} + +variable "username" { + description = "Username of SQL Server database user to connect with." + type = string + default = null +} diff --git a/modules/onboard-azure-eventhub/README.md b/modules/onboard-azure-eventhub/README.md new file mode 100644 index 0000000..dc2894b --- /dev/null +++ b/modules/onboard-azure-eventhub/README.md @@ -0,0 +1,68 @@ +# onboard-azure-eventhub +Creates and onboards an Azure Event Hub to DSF Hub using the default authentication mechanism (relying on access and secret keys), alongside creating the Storage Account used by DSF to store a marker when pulling data from the Event Hub. + + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [azure-eventhub-asset](#module\_azure-eventhub-asset) | ../dsfhub-azure-eventhub | n/a | +| [eventhub](#module\_eventhub) | ../azurerm-eventhub | n/a | +| [eventhub-authorizations](#module\_eventhub-authorizations) | ../azurerm-eventhub-namespace-authorization-rule | n/a | +| [eventhub-namespace](#module\_eventhub-namespace) | ../azurerm-eventhub-namespace | n/a | +| [storage-account](#module\_storage-account) | ../azurerm-storage-account | n/a | +| [storage-container](#module\_storage-container) | ../azurerm-storage-container | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [azure\_eventhub\_admin\_email](#input\_azure\_eventhub\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [azure\_eventhub\_format](#input\_azure\_eventhub\_format) | The type of audit data being sent to the Event Hub. Possible values are: AzureSQL\_Managed, Blob, Cosmos\_Mongo, Cosmos\_SQL, Data\_Explorer, Databricks\_Workspace, File, Mariadb, Mysql, Postgresql, Postgresql\_Flexible, Queue, Sql, Synapse, Table. Defaults to Sql. | `string` | `"Sql"` | no | +| [azure\_eventhub\_gateway\_id](#input\_azure\_eventhub\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [azure\_eventhub\_parent\_asset\_id](#input\_azure\_eventhub\_parent\_asset\_id) | The asset\_id of the azure asset that is sending its audit logs to this AZURE EVENTHUB asset. | `string` | `null` | no | +| [azure\_eventhub\_region](#input\_azure\_eventhub\_region) | Azure region containing the Event Hub. | `string` | `null` | no | +| [eventhub\_message\_retention](#input\_eventhub\_message\_retention) | Specifies the number of days to retain the events for this Event Hub. Maximum value is 7 days. Defaults to 1. | `number` | `1` | no | +| [eventhub\_name](#input\_eventhub\_name) | Specifies the name of the Event Hub resource. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [eventhub\_namespace\_capacity](#input\_eventhub\_namespace\_capacity) | Specifies the Capacity / Throughput Units for a Standard SKU namespace. Defaults to 1. | `number` | `1` | no | +| [eventhub\_namespace\_location](#input\_eventhub\_namespace\_location) | Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [eventhub\_namespace\_name](#input\_eventhub\_namespace\_name) | Specifies the name of the Event Hub Namespace resource. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [eventhub\_namespace\_public\_network\_access\_enabled](#input\_eventhub\_namespace\_public\_network\_access\_enabled) | Is public network access enabled for the Event Hub Namespace? Defaults to true. | `bool` | `true` | no | +| [eventhub\_namespace\_resource\_group\_name](#input\_eventhub\_namespace\_resource\_group\_name) | The name of the resource group in which to create the namespace. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [eventhub\_namespace\_sku](#input\_eventhub\_namespace\_sku) | Defines which tier to use. Valid options are Basic, Standard, and Premium. Please note that setting this field to Premium will force the creation of a new resource. Defaults to Basic. | `string` | `"Basic"` | no | +| [eventhub\_namespace\_tags](#input\_eventhub\_namespace\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | +| [eventhub\_partition\_count](#input\_eventhub\_partition\_count) | Specifies the current number of shards on the Event Hub. Note: partition\_count cannot be changed unless Eventhub Namespace SKU is Premium and cannot be decreased. Maximum value is 32. Defaults to 1. | `number` | `1` | no | +| [eventhub\_resource\_group\_name](#input\_eventhub\_resource\_group\_name) | The name of the resource group in which the Event Hub's parent Namespace exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [eventhub\_status](#input\_eventhub\_status) | Specifies the status of the Event Hub resource. Possible values are Active, Disabled and SendDisabled. Defaults to Active. | `string` | `"Active"` | no | +| [storage\_account\_location](#input\_storage\_account\_location) | Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [storage\_account\_name](#input\_storage\_account\_name) | Specifies the name of the storage account. Only lowercase Alphanumeric characters allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group. | `string` | n/a | yes | +| [storage\_account\_replication\_type](#input\_storage\_account\_replication\_type) | Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Changing this forces a new resource to be created when types LRS, GRS and RAGRS are changed to ZRS, GZRS or RAGZRS and vice versa. Defaults to GRS. | `string` | `"GRS"` | no | +| [storage\_account\_resource\_group\_name](#input\_storage\_account\_resource\_group\_name) | The name of the resource group in which to create the storage account. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [storage\_account\_tier](#input\_storage\_account\_tier) | Defines the Tier to use for this storage account. Valid options are Standard and Premium. | `string` | `"Standard"` | no | +| [storage\_container\_name](#input\_storage\_container\_name) | The name of the Container which should be created within the Storage Account. Changing this forces a new resource to be created. | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [azure-eventhub-asset](#output\_azure-eventhub-asset) | AZURE EVENTHUB asset. | +| [eventhub](#output\_eventhub) | Azure Event Hub. | +| [eventhub-namespace](#output\_eventhub-namespace) | Azure Event Hub Namespace. | +| [eventhub-read-authorization](#output\_eventhub-read-authorization) | Read authorization for the Event Hub Namespace. | +| [eventhub-write-authorization](#output\_eventhub-write-authorization) | Write authorization for the Event Hub Namespace. | +| [storage-account](#output\_storage-account) | Azure Storage Account. | +| [storage-container](#output\_storage-container) | Azure Storage Container. | + \ No newline at end of file diff --git a/modules/onboard-azure-eventhub/main.tf b/modules/onboard-azure-eventhub/main.tf new file mode 100644 index 0000000..9d6e818 --- /dev/null +++ b/modules/onboard-azure-eventhub/main.tf @@ -0,0 +1,102 @@ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +module "storage-account" { + source = "../azurerm-storage-account" + + account_replication_type = var.storage_account_replication_type + account_tier = var.storage_account_tier + location = var.storage_account_location + name = var.storage_account_name + resource_group_name = var.storage_account_resource_group_name +} + +module "storage-container" { + source = "../azurerm-storage-container" + + name = var.storage_container_name + storage_account_name = module.storage-account.this.name +} + +module "eventhub-namespace" { + source = "../azurerm-eventhub-namespace" + + capacity = var.eventhub_namespace_capacity + location = var.eventhub_namespace_location + name = var.eventhub_namespace_name + public_network_access_enabled = var.eventhub_namespace_public_network_access_enabled + resource_group_name = var.eventhub_namespace_resource_group_name + sku = var.eventhub_namespace_sku + tags = var.eventhub_namespace_tags +} + +module "eventhub" { + source = "../azurerm-eventhub" + + message_retention = var.eventhub_message_retention + name = var.eventhub_name + namespace_name = module.eventhub-namespace.this.name + partition_count = var.eventhub_partition_count + resource_group_name = var.eventhub_resource_group_name + status = var.eventhub_status +} + +locals { + permissions = [ + { + id = "write" + listen = false + manage = false + send = true + }, + { + id = "read" + listen = true + manage = false + send = false + } + ] +} + +module "eventhub-authorizations" { + source = "../azurerm-eventhub-namespace-authorization-rule" + + for_each = { for permission in local.permissions : permission.id => permission } + + listen = each.value.listen + manage = each.value.manage + name = "dsfhub_${each.key}_permissions" + namespace_name = module.eventhub-namespace.this.name + resource_group_name = var.eventhub_namespace_resource_group_name + send = each.value.send +} + +module "azure-eventhub-asset" { + source = "../dsfhub-azure-eventhub" + + admin_email = var.azure_eventhub_admin_email + asset_display_name = module.eventhub.this.name + asset_id = module.eventhub.this.id + # audit_pull_enabled set to 'null' so as to be treated as a computed value + # eventhub asset will be connected when assets using this eventhub as a log aggregator are connected + audit_pull_enabled = null + auth_mechanism = "default" + azure_storage_account = module.storage-account.this.name + azure_storage_container = module.storage-container.this.name + azure_storage_secret_key = module.storage-account.this.primary_access_key + eventhub_access_key = module.eventhub-authorizations["read"].this.primary_key + eventhub_access_policy = module.eventhub-authorizations["read"].this.name + eventhub_name = module.eventhub.this.name + eventhub_namespace = module.eventhub.this.namespace_name + format = var.azure_eventhub_format + gateway_id = var.azure_eventhub_gateway_id + parent_asset_id = var.azure_eventhub_parent_asset_id + reason = "default" + region = var.azure_eventhub_region + server_host_name = "${module.eventhub-namespace.this.name}.servicebus.windows.net" +} diff --git a/modules/onboard-azure-eventhub/outputs.tf b/modules/onboard-azure-eventhub/outputs.tf new file mode 100644 index 0000000..b6d7573 --- /dev/null +++ b/modules/onboard-azure-eventhub/outputs.tf @@ -0,0 +1,34 @@ +output "storage-account" { + description = "Azure Storage Account." + value = module.storage-account.this +} + +output "storage-container" { + description = "Azure Storage Container." + value = module.storage-container.this +} + +output "eventhub-namespace" { + description = "Azure Event Hub Namespace." + value = module.eventhub-namespace.this +} + +output "eventhub" { + description = "Azure Event Hub." + value = module.eventhub.this +} + +output "eventhub-read-authorization" { + description = "Read authorization for the Event Hub Namespace." + value = module.eventhub-authorizations["read"].this +} + +output "eventhub-write-authorization" { + description = "Write authorization for the Event Hub Namespace." + value = module.eventhub-authorizations["write"].this +} + +output "azure-eventhub-asset" { + description = "AZURE EVENTHUB asset." + value = module.azure-eventhub-asset.this +} diff --git a/modules/onboard-azure-eventhub/variables.tf b/modules/onboard-azure-eventhub/variables.tf new file mode 100644 index 0000000..f894dfe --- /dev/null +++ b/modules/onboard-azure-eventhub/variables.tf @@ -0,0 +1,177 @@ +variable "azure_eventhub_admin_email" { + description = "The email address to notify about the asset." + type = string +} + +variable "azure_eventhub_format" { + description = "The type of audit data being sent to the Event Hub. Possible values are: AzureSQL_Managed, Blob, Cosmos_Mongo, Cosmos_SQL, Data_Explorer, Databricks_Workspace, File, Mariadb, Mysql, Postgresql, Postgresql_Flexible, Queue, Sql, Synapse, Table. Defaults to Sql." + type = string + default = "Sql" + validation { + condition = contains( + [ + "AzureSQL_Managed", + "Blob", + "Cosmos_Mongo", + "Cosmos_SQL", + "Data_Explorer", + "Databricks_Workspace", + "File", + "Mariadb", + "Mysql", + "Postgresql", + "Postgresql_Flexible", + "Queue", + "Sql", + "Synapse", + "Table" + ], + var.azure_eventhub_format + ) + error_message = "Invalid format. Possible values are: AzureSQL_Managed, Blob, Cosmos_Mongo, Cosmos_SQL, Data_Explorer, Databricks_Workspace, File, Mariadb, Mysql, Postgresql, Postgresql_Flexible, Queue, Sql, Synapse, Table." + } +} + +variable "azure_eventhub_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "azure_eventhub_parent_asset_id" { + description = "The asset_id of the azure asset that is sending its audit logs to this AZURE EVENTHUB asset." + type = string + default = null +} + +variable "azure_eventhub_region" { + description = "Azure region containing the Event Hub." + type = string + default = null +} + +variable "eventhub_message_retention" { + description = "Specifies the number of days to retain the events for this Event Hub. Maximum value is 7 days. Defaults to 1." + type = number + default = 1 + validation { + condition = var.eventhub_message_retention <= 7 + error_message = "Maximum Event Hub message retention is 7 days." + } +} + +variable "eventhub_name" { + description = "Specifies the name of the Event Hub resource. Changing this forces a new resource to be created." + type = string +} + +variable "eventhub_partition_count" { + description = "Specifies the current number of shards on the Event Hub. Note: partition_count cannot be changed unless Eventhub Namespace SKU is Premium and cannot be decreased. Maximum value is 32. Defaults to 1." + type = number + default = 1 + validation { + condition = var.eventhub_partition_count <= 32 + error_message = "Maximum Event Hub partition count is 32." + } +} + +variable "eventhub_resource_group_name" { + description = "The name of the resource group in which the Event Hub's parent Namespace exists. Changing this forces a new resource to be created." + type = string +} + +variable "eventhub_status" { + description = "Specifies the status of the Event Hub resource. Possible values are Active, Disabled and SendDisabled. Defaults to Active." + type = string + default = "Active" + validation { + condition = contains(["Active", "Disabled", "SendDisabled"], var.eventhub_status) + error_message = "Invalid sku. Possible values are Active, Disabled and SendDisabled." + } +} + +variable "eventhub_namespace_capacity" { + description = "Specifies the Capacity / Throughput Units for a Standard SKU namespace. Defaults to 1." + type = number + default = 1 +} + +variable "eventhub_namespace_location" { + description = "Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created." + type = string +} + +variable "eventhub_namespace_name" { + description = "Specifies the name of the Event Hub Namespace resource. Changing this forces a new resource to be created." + type = string +} + +variable "eventhub_namespace_public_network_access_enabled" { + description = "Is public network access enabled for the Event Hub Namespace? Defaults to true." + type = bool + default = true +} + +variable "eventhub_namespace_resource_group_name" { + description = "The name of the resource group in which to create the namespace. Changing this forces a new resource to be created." + type = string +} + +variable "eventhub_namespace_sku" { + description = "Defines which tier to use. Valid options are Basic, Standard, and Premium. Please note that setting this field to Premium will force the creation of a new resource. Defaults to Basic." + type = string + default = "Basic" + validation { + condition = contains(["Basic", "Standard", "Premium"], var.eventhub_namespace_sku) + error_message = "Invalid sku. Valid options are Basic, Standard, and Premium." + } +} + +variable "eventhub_namespace_tags" { + description = "A mapping of tags to assign to the resource." + type = map(string) + default = null +} + +variable "storage_account_replication_type" { + description = "Defines the type of replication to use for this storage account. Valid options are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS. Changing this forces a new resource to be created when types LRS, GRS and RAGRS are changed to ZRS, GZRS or RAGZRS and vice versa. Defaults to GRS." + type = string + default = "GRS" + validation { + condition = contains(["LRS", "GRS", "RAGRS", "ZRS", "GZRS", "RAGZRS"], var.storage_account_replication_type) + error_message = "Invalid replication type. Valid values are LRS, GRS, RAGRS, ZRS, GZRS and RAGZRS." + } +} + +variable "storage_account_tier" { + description = "Defines the Tier to use for this storage account. Valid options are Standard and Premium." + type = string + default = "Standard" + validation { + condition = contains(["Standard", "Premium"], var.storage_account_tier) + error_message = "Invalid replication type. Valid options are Standard and Premium." + } +} + +variable "storage_account_location" { + description = "Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created." + type = string +} + +variable "storage_account_name" { + description = "Specifies the name of the storage account. Only lowercase Alphanumeric characters allowed. Changing this forces a new resource to be created. This must be unique across the entire Azure service, not just within the resource group." + type = string + validation { + condition = can(regex("^[a-z0-9]+$", var.storage_account_name)) && length(var.storage_account_name) >= 3 && length(var.storage_account_name) <= 24 + error_message = "Invalid name. Storage account name must consist of lowercase Alphanumeric characters and be between 3 amd 24 characters long." + } +} + +variable "storage_account_resource_group_name" { + description = "The name of the resource group in which to create the storage account. Changing this forces a new resource to be created." + type = string +} + +variable "storage_container_name" { + description = "The name of the Container which should be created within the Storage Account. Changing this forces a new resource to be created." + type = string +} diff --git a/modules/onboard-azure-ms-sql-server/README.md b/modules/onboard-azure-ms-sql-server/README.md new file mode 100644 index 0000000..8e332e2 --- /dev/null +++ b/modules/onboard-azure-ms-sql-server/README.md @@ -0,0 +1,73 @@ +# onboard-azure-ms-sql-server +Onboard Azure SQL Server to DSF Hub. + +## Notes +There are two prerequisites for using this module: +1. An Azure Event Hub Namespace and Event Hub. +2. An Azure Storage Account and Container. This is used by DSF to store a marker which keeps track of what data in the Event Hub has been consumed. + +These can be created along with an AZURE EVENTHUB asset via the ``onboard-azure-eventhub`` module. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [azurerm](#provider\_azurerm) | n/a | +| [time](#provider\_time) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [azure-ms-sql-server-asset](#module\_azure-ms-sql-server-asset) | ../dsfhub-azure-ms-sql-server | n/a | +| [sql-server-diagnostic-setting](#module\_sql-server-diagnostic-setting) | ../azurerm-monitor-diagnostic-setting | n/a | +| [sql-server-extended-server-audit-policy](#module\_sql-server-extended-server-audit-policy) | ../azurerm-mssql-server-extended-auditing-policy | n/a | +| [sql-server-instance](#module\_sql-server-instance) | ../azurerm-mssql-server | n/a | + +## Resources + +| Name | Type | +|------|------| +| [time_sleep.wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [azurerm_mssql_database.master](https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/data-sources/mssql_database) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [audit\_policy\_enabled](#input\_audit\_policy\_enabled) | Whether to enable the extended auditing policy on the SQL Server instance. Defaults to true. | `bool` | `true` | no | +| [azure\_ms\_sql\_server\_admin\_email](#input\_azure\_ms\_sql\_server\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [azure\_ms\_sql\_server\_audit\_pull\_enabled](#input\_azure\_ms\_sql\_server\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [azure\_ms\_sql\_server\_database\_name](#input\_azure\_ms\_sql\_server\_database\_name) | Specifies the name of the database to connect to (or default DB). | `string` | `"master"` | no | +| [azure\_ms\_sql\_server\_gateway\_id](#input\_azure\_ms\_sql\_server\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [azure\_ms\_sql\_server\_location](#input\_azure\_ms\_sql\_server\_location) | Physical location/region of the SQL Server instance, e.g. "EAST US" | `string` | `null` | no | +| [azure\_ms\_sql\_server\_logs\_destination\_asset\_id](#input\_azure\_ms\_sql\_server\_logs\_destination\_asset\_id) | The asset\_id of the AZURE EVENTHUB asset that this instance is sending its audit logs to. | `string` | n/a | yes | +| [azure\_ms\_sql\_server\_parent\_asset\_id](#input\_azure\_ms\_sql\_server\_parent\_asset\_id) | The asset\_id of the AZURE asset representing the Azure account where this server is located. | `string` | `null` | no | +| [diagnostic\_setting\_eventhub\_authorization\_rule\_id](#input\_diagnostic\_setting\_eventhub\_authorization\_rule\_id) | Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. Must have write access. | `string` | n/a | yes | +| [diagnostic\_setting\_eventhub\_name](#input\_diagnostic\_setting\_eventhub\_name) | Specifies the name of the Event Hub where Diagnostics Data should be sent. | `string` | n/a | yes | +| [diagnostic\_setting\_name](#input\_diagnostic\_setting\_name) | Specifies the name of the Diagnostic Setting. Changing this forces a new resource to be created. | `string` | `"dsfhubdiagnostic"` | no | +| [server\_administrator\_login](#input\_server\_administrator\_login) | The administrator login name for the new server. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [server\_administrator\_login\_password](#input\_server\_administrator\_login\_password) | The password associated with the administrator\_login user. | `string` | n/a | yes | +| [server\_location](#input\_server\_location) | Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [server\_name](#input\_server\_name) | The name of the Microsoft SQL Server. This needs to be globally unique within Azure. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [server\_public\_network\_access\_enabled](#input\_server\_public\_network\_access\_enabled) | Whether public network access is allowed for this server. Defaults to true. | `bool` | `true` | no | +| [server\_resource\_group\_name](#input\_server\_resource\_group\_name) | The name of the resource group in which to create the Microsoft SQL Server. Changing this forces a new resource to be created. | `string` | n/a | yes | +| [server\_tags](#input\_server\_tags) | A mapping of tags to assign to the resource. | `map(string)` | `null` | no | +| [server\_version](#input\_server\_version) | The version for the new server. Valid values are: 2.0 (for v11 server) and 12.0 (for v12 server). Changing this forces a new resource to be created. | `string` | `"12.0"` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [azure-ms-sql-server-asset](#output\_azure-ms-sql-server-asset) | AZURE MS SQL SERVER asset. | +| [sql-server-diagnostic-setting](#output\_sql-server-diagnostic-setting) | Diagnostic Setting. | +| [sql-server-extended-server-audit-policy](#output\_sql-server-extended-server-audit-policy) | Azure MS SQL Server Extended Auditing Policy. | +| [sql-server-instance](#output\_sql-server-instance) | Azure SQL Server instance. | + \ No newline at end of file diff --git a/modules/onboard-azure-ms-sql-server/main.tf b/modules/onboard-azure-ms-sql-server/main.tf new file mode 100644 index 0000000..ac71fc5 --- /dev/null +++ b/modules/onboard-azure-ms-sql-server/main.tf @@ -0,0 +1,70 @@ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +module "sql-server-instance" { + source = "../azurerm-mssql-server" + + administrator_login = var.server_administrator_login + administrator_login_password = var.server_administrator_login_password + location = var.server_location + name = var.server_name + public_network_access_enabled = var.server_public_network_access_enabled + resource_group_name = var.server_resource_group_name + server_version = var.server_version + tags = var.server_tags +} + +module "sql-server-extended-server-audit-policy" { + source = "../azurerm-mssql-server-extended-auditing-policy" + + enabled = var.audit_policy_enabled + server_id = module.sql-server-instance.this.id +} + +# Allow time for 'master' database to initialize before creating diagnostic setting +resource "time_sleep" "wait" { + depends_on = [module.sql-server-instance] + + create_duration = "5m" +} + +data "azurerm_mssql_database" "master" { + depends_on = [time_sleep.wait] + + server_id = module.sql-server-instance.this.id + name = "master" +} + +module "sql-server-diagnostic-setting" { + source = "../azurerm-monitor-diagnostic-setting" + + enabled_log = [{ category = "SQLSecurityAuditEvents" }] + eventhub_authorization_rule_id = var.diagnostic_setting_eventhub_authorization_rule_id + eventhub_name = var.diagnostic_setting_eventhub_name + metric = [{ category = "AllMetrics" }] + name = var.diagnostic_setting_name + target_resource_id = data.azurerm_mssql_database.master.id +} + +module "azure-ms-sql-server-asset" { + depends_on = [module.sql-server-diagnostic-setting] + source = "../dsfhub-azure-ms-sql-server" + + admin_email = var.azure_ms_sql_server_admin_email + asset_display_name = module.sql-server-instance.this.name + asset_id = module.sql-server-instance.this.id + audit_pull_enabled = var.azure_ms_sql_server_audit_pull_enabled + database_name = var.azure_ms_sql_server_database_name + gateway_id = var.azure_ms_sql_server_gateway_id + location = var.azure_ms_sql_server_location + logs_destination_asset_id = var.azure_ms_sql_server_logs_destination_asset_id + parent_asset_id = var.azure_ms_sql_server_parent_asset_id + server_host_name = module.sql-server-instance.this.fully_qualified_domain_name + server_ip = module.sql-server-instance.this.fully_qualified_domain_name + server_port = "1433" +} diff --git a/modules/onboard-azure-ms-sql-server/outputs.tf b/modules/onboard-azure-ms-sql-server/outputs.tf new file mode 100644 index 0000000..04fc0b5 --- /dev/null +++ b/modules/onboard-azure-ms-sql-server/outputs.tf @@ -0,0 +1,19 @@ +output "sql-server-instance" { + description = "Azure SQL Server instance." + value = module.sql-server-instance.this +} + +output "sql-server-extended-server-audit-policy" { + description = "Azure MS SQL Server Extended Auditing Policy." + value = module.sql-server-extended-server-audit-policy.this +} + +output "sql-server-diagnostic-setting" { + description = "Diagnostic Setting." + value = module.sql-server-diagnostic-setting.this +} + +output "azure-ms-sql-server-asset" { + description = "AZURE MS SQL SERVER asset." + value = module.azure-ms-sql-server-asset.this +} diff --git a/modules/onboard-azure-ms-sql-server/variables.tf b/modules/onboard-azure-ms-sql-server/variables.tf new file mode 100644 index 0000000..bcf65ce --- /dev/null +++ b/modules/onboard-azure-ms-sql-server/variables.tf @@ -0,0 +1,107 @@ +variable "audit_policy_enabled" { + description = "Whether to enable the extended auditing policy on the SQL Server instance. Defaults to true." + type = bool + default = true +} + +variable "azure_ms_sql_server_admin_email" { + description = "The email address to notify about the asset." + type = string +} + +variable "azure_ms_sql_server_audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + +variable "azure_ms_sql_server_database_name" { + description = "Specifies the name of the database to connect to (or default DB)." + type = string + default = "master" +} + +variable "azure_ms_sql_server_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "azure_ms_sql_server_location" { + description = "Physical location/region of the SQL Server instance, e.g. \"EAST US\"" + type = string + default = null +} + +variable "azure_ms_sql_server_logs_destination_asset_id" { + description = "The asset_id of the AZURE EVENTHUB asset that this instance is sending its audit logs to." + type = string +} + +variable "azure_ms_sql_server_parent_asset_id" { + description = "The asset_id of the AZURE asset representing the Azure account where this server is located." + type = string + default = null +} + +variable "diagnostic_setting_eventhub_authorization_rule_id" { + description = "Specifies the ID of an Event Hub Namespace Authorization Rule used to send Diagnostics Data. Must have write access." + type = string +} + +variable "diagnostic_setting_eventhub_name" { + description = "Specifies the name of the Event Hub where Diagnostics Data should be sent." + type = string +} + +variable "diagnostic_setting_name" { + description = "Specifies the name of the Diagnostic Setting. Changing this forces a new resource to be created." + type = string + default = "dsfhubdiagnostic" +} + +variable "server_administrator_login" { + description = "The administrator login name for the new server. Changing this forces a new resource to be created." + type = string +} + +variable "server_administrator_login_password" { + description = "The password associated with the administrator_login user." + type = string +} + +variable "server_location" { + description = "Specifies the supported Azure location where the resource exists. Changing this forces a new resource to be created." + type = string +} + +variable "server_name" { + description = "The name of the Microsoft SQL Server. This needs to be globally unique within Azure. Changing this forces a new resource to be created." + type = string +} + +variable "server_public_network_access_enabled" { + description = "Whether public network access is allowed for this server. Defaults to true." + type = bool + default = true +} + +variable "server_resource_group_name" { + description = "The name of the resource group in which to create the Microsoft SQL Server. Changing this forces a new resource to be created." + type = string +} + +variable "server_tags" { + description = "A mapping of tags to assign to the resource." + type = map(string) + default = null +} + +variable "server_version" { + description = "The version for the new server. Valid values are: 2.0 (for v11 server) and 12.0 (for v12 server). Changing this forces a new resource to be created." + type = string + default = "12.0" + validation { + condition = contains(["2.0", "12.0"], var.server_version) + error_message = "Invalid version. Valid options 2.0 (for v11 server) and 12.0 (for v12 server)." + } +}