add mx machine without ftl

imperva · Nov 23, 2023 · 38a957c · 38a957c
1 parent f48986d
commit 38a957c
Show file tree

Hide file tree

Showing 16 changed files with 1,010 additions and 2 deletions.
diff --git a/examples/azure/poc/dsf_deployment/dam.tf b/examples/azure/poc/dsf_deployment/dam.tf
@@ -0,0 +1,86 @@
+locals {
+#  agent_gw_count          = var.enable_dam ? var.agent_gw_count : 0
+#  gateway_group_name      = "temporaryGatewayGroup"
+#  create_agent_gw_cluster = local.agent_gw_count >= 2 ? 1 : 0
+}
+
+# TODO sivan - fix all relative modules paths
+module "mx" {
+  source  = "../../../../modules/azurerm/mx"
+  count   = var.enable_dam ? 1 : 0
+
+  friendly_name                     = join("-", [local.deployment_name_salted, "mx"])
+  resource_group                    = local.resource_group
+  dam_version                       = var.dam_version
+  subnet_id                         = module.network[0].vnet_subnets[0]
+#  license                           = var.dam_license
+  ssh_key = {
+    ssh_public_key            = tls_private_key.ssh_key.public_key_openssh
+    ssh_private_key_file_path = local_sensitive_file.ssh_key.filename
+  }
+#  secure_password                   = local.password
+#  mx_password                       = local.password
+  allowed_web_console_and_api_cidrs = var.web_console_cidr
+  allowed_agent_gw_cidrs            = module.network[0].vnet_address_space
+  allowed_ssh_cidrs                 = local.workstation_cidr
+  allowed_hub_cidrs                 = module.network[0].vnet_address_space
+
+#  hub_details = var.enable_sonar ? {
+#    address      = coalesce(module.hub_main[0].public_dns, module.hub_main[0].private_dns)
+#    access_token = module.hub_main[0].access_tokens["archiver"].token
+#    port         = 8443
+#  } : null
+  attach_persistent_public_ip = true
+#  large_scale_mode            = var.large_scale_mode.mx
+
+#  create_server_group = length(var.simulation_db_types_for_agent) > 0
+  tags                = local.tags
+  # TODO sivan - remove and test
+#  send_usage_statistics = false
+  depends_on = [
+    module.network
+  ]
+}
+
+#module "agent_gw" {
+#  source  = "../../../../modules/aws/agent-gw"
+#  count   = local.agent_gw_count
+#
+#  friendly_name                           = join("-", [local.deployment_name_salted, "agent", "gw", count.index])
+#  dam_version                             = var.dam_version
+#  ebs                                     = var.agent_gw_ebs_details
+#  subnet_id                               = local.agent_gw_subnet_id
+#  key_pair                                = module.key_pair.key_pair.key_pair_name
+#  secure_password                         = local.password
+#  mx_password                             = local.password
+#  allowed_agent_cidrs                     = [data.aws_subnet.agent_gw.cidr_block]
+#  allowed_mx_cidrs                        = [data.aws_subnet.mx.cidr_block]
+#  allowed_ssh_cidrs                       = [data.aws_subnet.mx.cidr_block]
+#  allowed_gw_clusters_cidrs               = [data.aws_subnet.agent_gw.cidr_block]
+#  management_server_host_for_registration = module.mx[0].private_ip
+#  management_server_host_for_api_access   = module.mx[0].public_ip
+#  large_scale_mode                        = var.large_scale_mode.agent_gw
+#  gateway_group_name                      = local.gateway_group_name
+#  tags                                    = local.tags
+#  depends_on = [
+#    module.vpc
+#  ]
+#}
+#
+#module "agent_gw_cluster_setup" {
+#  source  = "../../../../modules/null/agent-gw-cluster-setup"
+#  count   = local.create_agent_gw_cluster
+#
+#  cluster_name       = join("-", [local.deployment_name_salted, "agent", "gw", "cluster"])
+#  gateway_group_name = local.gateway_group_name
+#  mx_details = {
+#    address  = module.mx[0].public_ip
+#    port     = 8083
+#    user     = module.mx[0].web_console_user
+#    password = local.password
+#  }
+#  depends_on = [
+#    module.agent_gw,
+#    module.mx
+#  ]
+#}
diff --git a/examples/azure/poc/dsf_deployment/outputs.tf b/examples/azure/poc/dsf_deployment/outputs.tf
@@ -60,6 +60,24 @@ output "sonar" {
   } : null
 }
 
+output "dam" {
+  value = var.enable_dam ? {
+    mx = {
+      public_ip        = try(module.mx[0].public_ip, null)
+      private_ip       = try(module.mx[0].private_ip, null)
+      display_name     = try(module.mx[0].display_name, null)
+      principal_id     = try(module.mx[0].principal_id, null)
+      ssh_command      = try("ssh -i ${local.private_key_file_path} ${module.mx[0].ssh_user}@${module.mx[0].public_ip}", null)
+      public_url       = try(join("", ["https://", module.mx[0].public_ip, ":8083/"]), null)
+      private_url      = try(join("", ["https://", module.mx[0].private_ip, ":8083/"]), null)
+      password         = nonsensitive(local.password)
+      user             = module.mx[0].web_console_user
+#      large_scale_mode = module.mx[0].large_scale_mode
+    }
+    # TODO sivan add GWs
+  } : null
+}
+
 output "web_console_dsf_hub" {
   value = try({
     user        = module.hub_main[0].web_console_user
@@ -68,3 +86,8 @@ output "web_console_dsf_hub" {
     private_url = join("", ["https://", module.hub_main[0].private_ip, ":8443/"])
   }, null)
 }
+
+# TODO sivan - remove
+output "dam_vm_image" {
+  value = module.mx[0].vm_image
+}
diff --git a/examples/azure/poc/dsf_deployment/variables.tf b/examples/azure/poc/dsf_deployment/variables.tf
@@ -6,13 +6,13 @@ variable "tags" {
 
 variable "resource_group" {
   type        = string
-  description = "Azure exisiting resource group. Keep empty if you wish to create a new resource group"
+  description = "Azure existing resource group. Keep empty if you wish to create a new resource group"
   default     = null
 }
 
 variable "resource_group_location" {
   type        = string
-  description = "In case var.resource_group is not provided and a new resource group is created. It will be created in this location (e.g 'East US')"
+  description = "In case var.resource_group is not provided and a new resource group is created, the new resource group will be created in this location (e.g 'East US'). The resource group location can be different from the Blob location defined via 'tarball_location' variable)"
   default     = null
 }
 
@@ -28,12 +28,24 @@ variable "enable_sonar" {
   description = "Provision DSF Hub and Agentless Gateways (formerly Sonar). To provision only a DSF Hub, set agentless_gw_count to 0."
 }
 
+variable "enable_dam" {
+  type        = bool
+  default     = true
+  description = "Provision DAM MX and Agent Gateways"
+}
+
 variable "agentless_gw_count" {
   type        = number
   default     = 1
   description = "Number of Agentless Gateways. Provisioning Agentless Gateways requires the enable_sonar variable to be set to 'true'."
 }
 
+variable "agent_gw_count" {
+  type        = number
+  default     = 2 # Minimum count for a cluster
+  description = "Number of Agent Gateways. Provisioning Agent Gateways requires the enable_dam variable to be set to 'true'."
+}
+
 variable "password" {
   sensitive   = true
   type        = string
@@ -81,6 +93,46 @@ variable "subnet_ids" {
   }
 }
 
+
+##############################
+####    DAM variables     ####
+##############################
+
+variable "dam_version" {
+  type        = string
+  description = "The DAM version to install"
+  default     = "14.13.1.10"
+  validation {
+    condition     = can(regex("^(\\d{1,2}\\.){3}\\d{1,2}$", var.dam_version))
+    error_message = "Version must be in the format dd.dd.dd.dd where each dd is a number between 1-99 (e.g 14.10.1.10)"
+  }
+}
+
+variable "dam_license" {
+  description = <<EOF
+  DAM license information. Must be one of the following:
+  1. Activation code (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+  2. License file path (Make sure it allows AWS DAM models (AV2500/AV6500))
+  EOF
+  type        = string
+}
+
+variable "large_scale_mode" {
+  type = object({
+    mx       = bool
+    agent_gw = bool
+  })
+  description = "DAM large scale mode"
+  validation {
+    condition     = var.large_scale_mode.mx == false || var.large_scale_mode.agent_gw == true
+    error_message = "MX large scale mode requires setting large scale mode in the Agentless Gateway as well"
+  }
+  default = {
+    mx       = false
+    agent_gw = false
+  }
+}
+
 ##############################
 ####    Sonar variables   ####
 ##############################

diff --git a/modules/azurerm/dam-base-instance/README.md b/modules/azurerm/dam-base-instance/README.md
@@ -0,0 +1,2 @@
+# DSF DAM Node
+[![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags)
diff --git a/modules/azurerm/dam-base-instance/image.tf b/modules/azurerm/dam-base-instance/image.tf
@@ -0,0 +1,15 @@
+locals {
+  # vm image
+  version_parts = split(".", var.dam_version)
+  dam_major_version = element(local.version_parts, 0)
+  dam_azure_image_version   = join(".", [element(local.version_parts, 0), element(local.version_parts, 1), element(local.version_parts, 3)])
+  is_lts_version = false # TODO sivan - lts?
+
+  default_vm_image =  {
+    publisher = "imperva"
+    offer     = join("", ["imperva-dam-v", local.dam_major_version, local.is_lts_version? "-lts" : ""])
+    sku       = join("-", ["securesphere-imperva-dam", local.dam_major_version])
+    version   = local.dam_azure_image_version
+  }
+  vm_image = var.vm_image != null ? var.vm_image : local.default_vm_image
+}
diff --git a/modules/azurerm/dam-base-instance/main.tf b/modules/azurerm/dam-base-instance/main.tf
@@ -0,0 +1,123 @@
+locals {
+  public_ip  = azurerm_linux_virtual_machine.dsf_base_instance.public_ip_address
+  private_ip = azurerm_linux_virtual_machine.dsf_base_instance.private_ip_address
+
+  # root volume details
+  root_volume_size  = 160
+  root_volume_type  = "Standard_LRS"
+  root_volume_cache = "ReadWrite"
+
+  security_group_id = length(var.security_group_ids) == 0 ? azurerm_network_security_group.dsf_base_sg.id : var.security_group_ids[0]
+
+  mapper = {
+    # TODO sivan - decide instance types
+    instance_type = {
+      AV2500 = "Standard_E4s_v5",
+      AV6500 = "Standard_E4s_v5",
+      AVM150 = "Standard_E4s_v5"
+    }
+    product_role = {
+      mx       = "server",
+      agent-gw = "gateway"
+    }
+  }
+}
+
+
+# TODO sivan - storage?
+
+resource "azurerm_public_ip" "vm_public_ip" {
+  count               = var.attach_persistent_public_ip ? 1 : 0
+  name                = join("-", [var.name, "public", "ip"])
+  location            = var.resource_group.location
+  resource_group_name = var.resource_group.name
+  sku                 = "Standard"
+  allocation_method   = "Static"
+  tags                = var.tags
+}
+
+data "azurerm_public_ip" "vm_public_ip" {
+  count               = var.attach_persistent_public_ip ? 1 : 0
+  name                = join("-", [var.name, "public", "ip"])
+  resource_group_name = var.resource_group.name
+  depends_on = [
+    azurerm_linux_virtual_machine.dsf_base_instance
+  ]
+}
+
+resource "azurerm_linux_virtual_machine" "dsf_base_instance" {
+  name                = var.name
+  resource_group_name = var.resource_group.name
+  location            = var.resource_group.location
+  size                = local.mapper.instance_type[var.dam_model]
+  admin_username      = var.vm_user
+
+#  custom_data = base64encode(local.userdata)
+
+  network_interface_ids = [
+    azurerm_network_interface.nic.id,
+  ]
+
+  admin_ssh_key {
+    username   = var.vm_user
+    public_key = var.public_ssh_key
+  }
+
+  os_disk {
+    disk_size_gb         = local.root_volume_size
+    caching              = local.root_volume_cache
+    storage_account_type = local.root_volume_type
+  }
+
+  source_image_reference {
+    publisher = local.vm_image.publisher
+    offer     = local.vm_image.offer
+    sku       = local.vm_image.sku
+    version   = local.vm_image.version
+  }
+
+  plan {
+    publisher = local.vm_image.publisher
+    product   = local.vm_image.offer
+    name      = local.vm_image.sku
+  }
+
+  # TODO sivan - ask Eytan
+  identity {
+    type         = "UserAssigned"
+    identity_ids = [azurerm_user_assigned_identity.dsf_base.id]
+  }
+  tags = merge(var.tags, { Name = var.name })
+
+  # Ignore changes to the custom_data attribute (Don't replace on userdata change)
+  lifecycle {
+    ignore_changes = [
+      custom_data
+    ]
+  }
+}
+
+resource "azurerm_user_assigned_identity" "dsf_base" {
+  name                = var.name
+  resource_group_name = var.resource_group.name
+  location            = var.resource_group.location
+}
+
+resource "azurerm_network_interface" "nic" {
+  name                = join("-", [var.name, "nic"])
+  location            = var.resource_group.location
+  resource_group_name = var.resource_group.name
+
+  ip_configuration {
+    name                          = join("-", [var.name, "nic"])
+    subnet_id                     = var.subnet_id
+    private_ip_address_allocation = "Dynamic"
+    public_ip_address_id          = try(azurerm_public_ip.vm_public_ip[0].id, null)
+  }
+  tags = var.tags
+}
+
+resource "azurerm_network_interface_security_group_association" "nic_ip_association" {
+  network_interface_id      = azurerm_network_interface.nic.id
+  network_security_group_id = local.security_group_id
+}
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# DSF DAM Node
		[![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags)