Merge remote-tracking branch 'origin/dev' into dev

imperva · Nov 20, 2023 · f48986d · f48986d
2 parents 919b31a + 19ad03d
commit f48986d
Show file tree

Hide file tree

Showing 11 changed files with 379 additions and 44 deletions.
diff --git a/modules/aws/agent-gw/variables.tf b/modules/aws/agent-gw/variables.tf
@@ -181,6 +181,10 @@ variable "dam_version" {
     condition     = can(regex("^(\\d{1,2}\\.){3}\\d{1,2}$", var.dam_version))
     error_message = "Version must be in the format dd.dd.dd.dd where each dd is a number between 1-99 (e.g 14.10.1.10)"
   }
+  validation {
+    condition     = split(".", var.dam_version)[0] == "14"
+    error_message = "DAM version not supported."
+  }
 }
 
 variable "ami" {

diff --git a/modules/aws/hub/README.md b/modules/aws/hub/README.md
@@ -7,7 +7,7 @@ This Terraform module provisions an all-in-one data security and compliance plat
 4.9 and up
 
 ## Requirements
-* Terraform, refer to [versions.tf](versions.tf) for supported versions.
+* Terraform, refer to [versions.tf](https://github.com/imperva/dsfkit/blob/master/modules/aws/hub/versions.tf) for supported versions.
 * An AWS account.
 * SSH access - key and network path to the DSF Hub instance.
 * Access to the tarball containing Sonar binaries. To request access, [click here](https://docs.google.com/forms/d/e/1FAIpQLSdnVaw48FlElP9Po_36LLsZELsanzpVnt8J08nymBqHuX_ddA/viewform).
@@ -30,52 +30,67 @@ The following input variables are **required**:
 
 * `subnet_id`: The ID of the subnet in which to launch the DSF Hub instance
 * `ssh_key_pair`: AWS key pair name and path for ssh connectivity
-* `password`: Admin password
+* `password`: Initial password for all users
 * `ebs`: AWS EBS details
 * `binaries_location`: S3 DSF installation location
-* `sonarw_public_key`: Public key of the sonarw user taken from the main DSF Hub output. This variable must only be defined for the DR DSF Hub.
-* `sonarw_private_key`: Private key of the sonarw user taken from the main DSF Hub output. This variable must only be defined for the DR DSF Hub.
+* `allowed_web_console_and_api_cidrs`: List of ingress CIDR patterns allowing web console access
+* `allowed_hub_cidrs`: List of ingress CIDR patterns allowing other hubs to access the DSF hub instance
+* `allowed_agentless_gw_cidrs`: List of ingress CIDR patterns allowing DSF Agentless Gateways to access the DSF hub instance
+* `allowed_ssh_cidrs`: List of ingress CIDR patterns allowing ssh access
 
-Refer to [variables.tf](variables.tf) for additional variables with default values and additional info.
+The following input variables are **required**: for the DR DSF Hub:
+* `hadr_dr_node`: Indicate a DR DSF Hub
+* `sonarw_public_key`: Public key of the sonarw user taken from the main DSF Hub output. This variable must only be defined for the DR DSF Hub
+* `sonarw_private_key`: Private key of the sonarw user taken from the main DSF Hub output. This variable must only be defined for the DR DSF Hub
+
+
+Refer to [inputs](https://registry.terraform.io/modules/imperva/dsf-hub/aws/latest?tab=inputs) for additional variables with default values and additional info.
 
 ## Outputs
 
-Please refer to [outputs](outputs.tf) or https://registry.terraform.io/modules/imperva/dsf-hub/aws/latest?tab=outputs
+Please refer to [outputs](https://registry.terraform.io/modules/imperva/dsf-hub/aws/latest?tab=outputs)
 
 ## Usage
 
-To use this module, add the following to your Terraform configuration:
+To utilize this module with a minimal configuration, include the following in your Terraform setup:
 
 ```
 provider "aws" {
 }
 
-module "globals" {
-  source = "imperva/dsf-globals/aws"
-}
-
 module "dsf_hub" {
   source                        = "imperva/dsf-hub/aws"
-  subnet_id                     = aws_subnet.example.id
+  subnet_id                     = "subnet-*****************"
 
   ssh_key_pair = {
-    ssh_private_key_file_path   = var.ssh_key_path
-    ssh_public_key_name         = var.ssh_name
+    ssh_private_key_file_path   = "ssh_keys/dsf_ssh_key-default"
+    ssh_public_key_name         = "imperva-dsf-1233435325235"
   }
 
-  allowed_all_cidrs = [data.aws_vpc.selected.cidr_block]
+  allowed_web_console_and_api_cidrs = ["192.168.21.0/24"]
+  allowed_hub_cidrs                 = ["10.106.108.0/24"]
+  allowed_agentless_gw_cidrs        = ["10.106.104.0/24"]
+  allowed_ssh_cidrs                 = ["192.168.21.0/24"]
 
-  password    = random_password.pass.result
-  ebs                           = {
+  password                          = random_password.pass.result
+  ebs                               = {
     disk_size        = 1000
     provisioned_iops = 0
     throughput       = 125
   }
-  binaries_location             =  module.globals.tarball_location
+  binaries_location                 = {
+    s3_bucket        = "my_S3_bucket"
+    s3_region        = "us-east-1"
+    s3_key           = "jsonar-4.13.0.10.0.tar.gz"
+  }
+  tags                              = {
+    vendor        = "Imperva"
+    product       = "DSF"
+  }
 }
 ```
 
-To see a complete example of how to use this module in a DSF deployment with other modules, check out the [examples](../../../examples/) directory.
+To see a complete example of how to use this module in a DSF deployment with other modules, check out the [examples](https://github.com/imperva/dsfkit/tree/master/examples/aws) directory.
 
 We recommend using a specific version of the module (and not the latest).
 See available released versions in the main repo README [here](https://github.com/imperva/dsfkit#version-history).
@@ -86,14 +101,50 @@ Specify the module's version by adding the version parameter. For example:
 module "dsf_hub" {
   source  = "imperva/dsf-hub/aws"
   version = "x.y.z"
+
+  # The rest of arguments are omitted for brevity
 }
 ```
 
+## DSF Hub DR Node Usage
+
+To ensure high availability and disaster recovery, deploying an additional DSF node as a DR node is necessary. Please incorporate the following into your Terraform configuration:
+
+```
+provider "aws" {
+}
+
+module "dsf_hub_dr" {
+  source              = "imperva/dsf-hub/aws"
+
+  # The rest of arguments are omitted for brevity
+
+  hadr_dr_node        = true
+  sonarw_public_key   = module.hub_main.sonarw_public_key
+  sonarw_private_key  = module.hub_main.sonarw_private_key
+}
+```
+
+To finalize the HADR registration process between the primary and DR nodes, refer to the HADR Terraform module [here](https://registry.terraform.io/modules/imperva/dsf-hadr/null/latest)
+
 ## SSH Access
-SSH access is required to provision this module. To SSH into the DSF Hub instance, you will need to provide the private key associated with the key pair specified in the key_name input variable. If direct SSH access to the DSF Hub instance is not possible, you can use a bastion host as a proxy.
+SSH access is required to provision this module. To SSH into the DSF Hub instance, you will need to provide the private key associated with the key pair specified in the 
+ssh_key_pair input variable. If direct SSH access to the DSF Hub instance is not possible, you can use a bastion host as a proxy:
+
+```
+module "dsf_hub" {
+  source              = "imperva/dsf-hub/aws"
+  # The rest of arguments are omitted for brevity
+  proxy_info = {
+    proxy_address              = "192.168.21.4"
+    proxy_private_ssh_key_path = "ssh_keys/dsf_ssh_key-default"
+    proxy_ssh_user             = "ec2-user"
+  }
+}
+```
 
 ## Additional Information
 
-For more information about the DSF Hub and its features, refer to the official documentation [here](https://docs.imperva.com/bundle/v4.12-sonar-user-guide/page/80401.htm). 
+For more information about the DSF Hub and its features, refer to the official documentation [here](https://docs.imperva.com/bundle/v4.13-sonar-user-guide/page/80401.htm). 
 
-For additional information about DSF deployment using terraform, refer to the main repo README [here](https://github.com/imperva/dsfkit/tree/1.7.0).
+For additional information about DSF deployment using terraform, refer to the main repo README [here](https://github.com/imperva/dsfkit/tree/1.7.0).
diff --git a/modules/aws/mx/configuration.tf b/modules/aws/mx/configuration.tf
@@ -1,5 +1,5 @@
 locals {
-  conf_timeout = 60 * 15
+  conf_timeout = 60 * 40
 
   configuration_elements = concat(
     local.service_group_configuration,
@@ -8,9 +8,12 @@ locals {
   )
   commands = <<-EOF
       ${templatefile("${path.module}/configure.tftpl",
-  { mx_address        = local.mx_address_for_api
-    https_auth_header = local.https_auth_header
-configuration_elements = local.configuration_elements })}
+        { mx_address        = local.mx_address_for_api
+          https_auth_header = local.https_auth_header
+          configuration_elements = local.configuration_elements
+          timeout = local.conf_timeout
+        })
+      }
     EOF
 }
 

diff --git a/modules/aws/mx/configure.tftpl b/modules/aws/mx/configure.tftpl
@@ -2,9 +2,20 @@
 set -x
 set -e
 
+start_time=$(date +%s)
+
 cookie_file=$(mktemp)
 response_file=$(mktemp)
 
+function exit_on_timeout() {
+  now=$(date +%s)
+  elapsed=$((now-start_time))
+  if [ $elapsed -gt ${timeout} ]; then
+    echo "Timeout reached."
+    exit 1
+  fi
+}
+
 http_code=$(curl -k -s --cookie-jar $cookie_file -o $response_file -w "%%{http_code}" \
   --request POST 'https://${mx_address}:8083/SecureSphere/api/v1/auth/session' \
   --header "Authorization: Basic ${https_auth_header}")
@@ -27,6 +38,7 @@ while true; do
     fi
   fi
 
+  exit_on_timeout
   echo "sleep 1m"
   sleep 60
 done
@@ -52,6 +64,8 @@ while true; do
       break
     fi
   fi
+
+  exit_on_timeout
   echo "sleep 1m"
   sleep 60
 done

diff --git a/modules/aws/mx/hub.tf b/modules/aws/mx/hub.tf
@@ -1,9 +1,18 @@
 locals {
   default_audit_policy  = "Default Rule - All Events"
-  hub_action_set        = "Send to DSF Hub"
-  hub_action_set_action = local.hub_action_set
+  _hub_action_set        = "Send to DSF Hub"
+  _hub_action_set_action = local._hub_action_set
+  _hub_action_set147        = "Default Archive Action Set"
+  _hub_action_set_action147 = local._hub_action_set147
+  hub_action_set = local.dam_version != "14.7" ? local._hub_action_set : local._hub_action_set147
+  hub_action_set_action = local.dam_version != "14.7" ? local._hub_action_set_action : local._hub_action_set_action147
 
-  hub_configuration = var.hub_details == null ? [] : concat([{
+  # Archiving action set is created differently on 14.7
+  dam_version_major = split(".", var.dam_version)[0]
+  dam_version_minor = split(".", var.dam_version)[1]
+  dam_version = "${local.dam_version_major}.${local.dam_version_minor}"
+
+  action_set_item = var.hub_details == null ? [] : local.dam_version != "14.7" ? [{
     name     = "send_to_hub_action_set" # https://docs.imperva.com/bundle/v14.11-database-activity-monitoring-user-guide/page/78508.htm
     method   = "PUT"
     url_path = "SecureSphere/api/v1/conf/actionSets/${local.hub_action_set}/${local.hub_action_set_action}"
@@ -12,13 +21,26 @@ locals {
       "host" : try(var.hub_details.address, null),
       "port" : try(var.hub_details.port, null),
       "apiToken" : try(var.hub_details.access_token, null)
-      # "encryptedToken": false
       "enabled" : true
       "strictCertificateChecking" : false
       }
     )
+  }] : [{
+    name     = "default_archive_action_set" # https://docs.imperva.com/bundle/v14.7-database-activity-monitoring-user-guide/page/78508.htm
+    method   = "POST"
+    url_path = "SecureSphere/api/v1/conf/actionSets/${local.hub_action_set}/${local.hub_action_set_action}"
+    payload = jsonencode({
+      "type" : "SonarArchiver",
+      "host" : try(var.hub_details.address, null),
+      "port" : try(var.hub_details.port, null),
+      "apiToken" : try(var.hub_details.access_token, null)
+      "strictCertificateChecking" : false
+      "actionInterface": "Send to Sonar"
+      }
+    )
     }]
-    ,
+
+  hub_configuration = var.hub_details == null ? [] : concat(local.action_set_item,
     var.large_scale_mode == true ? [] : [{
       name     = "archive_default_audit_policy_to_hub" # https://docs.imperva.com/bundle/v14.11-database-activity-monitoring-user-guide/page/78508.htm
       method   = "PUT"

diff --git a/modules/aws/mx/main.tf b/modules/aws/mx/main.tf
@@ -62,7 +62,7 @@ locals {
   ]
 
   https_auth_header = base64encode("admin:${var.mx_password}")
-  timeout           = 60 * 35
+  timeout           = 60 * 40
 
   readiness_commands = templatefile("${path.module}/readiness.tftpl", {
     mx_address        = local.mx_address_for_api

diff --git a/modules/aws/mx/variables.tf b/modules/aws/mx/variables.tf
@@ -179,7 +179,11 @@ variable "dam_version" {
   description = "The DAM version to install"
   validation {
     condition     = can(regex("^(\\d{1,2}\\.){3}\\d{1,2}$", var.dam_version))
-    error_message = "Version must be in the format dd.dd.dd.dd where each dd is a number between 1-99 (e.g 14.10.1.10)"
+    error_message = "Version must be in the format dd.dd.dd.dd where each dd is a number between 1-99 (e.g 14.10.1.10)."
+  }
+  validation {
+    condition     = split(".", var.dam_version)[0] == "14"
+    error_message = "DAM version not supported."
   }
 }