From cfd9992898403632a40f2db04ee1909bddf1e94e Mon Sep 17 00:00:00 2001 
From: Sivan Hajbi Date: Sun, 22 Jun 2025 15:27:06 +0300 Subject: [PATCH 01/16] dsfkit with cm (#472) --- examples/aws/poc/dsf_deployment/cm.tf | 64 ++++++++ examples/aws/poc/dsf_deployment/main.tf | 1 + examples/aws/poc/dsf_deployment/networking.tf | 5 + examples/aws/poc/dsf_deployment/outputs.tf | 26 ++++ examples/aws/poc/dsf_deployment/sonar.tf | 16 +- examples/aws/poc/dsf_deployment/variables.tf | 70 ++++++++- examples/aws/poc/dsf_deployment/versions.tf | 4 + modules/aws/ciphertrust/README.md | 5 + modules/aws/ciphertrust/ami.tf | 38 +++++ modules/aws/ciphertrust/main.tf | 51 ++++++ modules/aws/ciphertrust/outputs.tf | 35 +++++ modules/aws/ciphertrust/sg.tf | 88 +++++++++++ modules/aws/ciphertrust/variables.tf | 145 ++++++++++++++++++ modules/aws/ciphertrust/versions.tf | 14 ++ modules/aws/hub/cm_association.tf | 64 ++++++++ modules/aws/hub/variables.tf | 35 +++++ modules/null/ciphertrust_cluster/README.md | 5 + .../ddc_active_node_setup.tftpl | 55 +++++++ modules/null/ciphertrust_cluster/main.tf | 37 +++++ modules/null/ciphertrust_cluster/outputs.tf | 0 modules/null/ciphertrust_cluster/variables.tf | 36 +++++ modules/null/ciphertrust_cluster/versions.tf | 10 ++ 22 files changed, 801 insertions(+), 3 deletions(-) create mode 100644 examples/aws/poc/dsf_deployment/cm.tf create mode 100644 modules/aws/ciphertrust/README.md create mode 100644 modules/aws/ciphertrust/ami.tf create mode 100644 modules/aws/ciphertrust/main.tf create mode 100644 modules/aws/ciphertrust/outputs.tf create mode 100644 modules/aws/ciphertrust/sg.tf create mode 100644 modules/aws/ciphertrust/variables.tf create mode 100644 modules/aws/ciphertrust/versions.tf create mode 100644 modules/aws/hub/cm_association.tf create mode 100644 modules/null/ciphertrust_cluster/README.md create mode 100644 modules/null/ciphertrust_cluster/ddc_active_node_setup.tftpl create mode 100644 modules/null/ciphertrust_cluster/main.tf create mode 100644 modules/null/ciphertrust_cluster/outputs.tf create mode 100644 
modules/null/ciphertrust_cluster/variables.tf create mode 100644 modules/null/ciphertrust_cluster/versions.tf diff --git a/examples/aws/poc/dsf_deployment/cm.tf b/examples/aws/poc/dsf_deployment/cm.tf new file mode 100644 index 000000000..8d62c0f05 --- /dev/null +++ b/examples/aws/poc/dsf_deployment/cm.tf 
@@ -0,0 +1,64 @@ +locals { + ciphertrust_manager_count = var.enable_ciphertrust ? var.ciphertrust_manager_count : 0 + ciphertrust_cidr_list = [data.aws_subnet.ciphertrust.cidr_block] + ciphertrust_web_console_username = "admin" +} + +module "ciphertrust_manager" { + source = "../../../../modules/aws/ciphertrust" +# source = "imperva/dsf-ciphertrust/aws" +# version = "1.7.17" # latest release tag + count = local.ciphertrust_manager_count + ami_id = var.ciphertrust_ami_id + friendly_name = join("-", [local.deployment_name_salted, "ciphertrust", "manager", count.index]) + ebs = var.ciphertrust_ebs_details + subnet_id = local.ciphertrust_subnet_id + attach_persistent_public_ip = true + key_pair = module.key_pair.key_pair.key_pair_name + allowed_web_console_and_api_cidrs = var.web_console_cidr + allowed_ssh_cidrs = concat(local.workstation_cidr, var.allowed_ssh_cidrs) + allowed_cluster_nodes_cidrs = [data.aws_subnet.ciphertrust.cidr_block] + allowed_ddc_agents_cidrs = [] + allowed_all_cidrs = local.workstation_cidr + tags = local.tags + depends_on = [ + module.vpc + ] +} + +provider "ciphertrust" { + address = var.enable_ciphertrust? "https://${module.ciphertrust_manager[0].public_ip}" : null + username = local.ciphertrust_web_console_username + password = local.ciphertrust_password + // destroy cluster can take almost a minute so give us a bit of a buffer + rest_api_timeout = 720 +} + +resource "ciphertrust_trial_license" "trial_license" { + count = var.enable_ciphertrust ? 1 : 0 + flag = "activate" +} + +module "ciphertrust_cluster" { + source = "../../../../modules/null/ciphertrust_cluster" + # source = "imperva/dsf-ciphertrust-cluster/aws" + # version = "1.7.17" # latest release tag + count = local.ciphertrust_manager_count > 1 ? 
1 : 0 + ciphertrust_instances = [ + for i in range(length(module.ciphertrust_manager)) : { + host = module.ciphertrust_manager[i].private_ip + public_address = coalesce(module.ciphertrust_manager[i].public_ip, module.ciphertrust_manager[i].private_ip) + } + ] + cm_details = { + user = local.ciphertrust_web_console_username + password = local.ciphertrust_password + } + ddc_node_setup = { + enabled = true + node_address = coalesce(module.ciphertrust_manager[0].public_ip, module.ciphertrust_manager[0].private_ip) + } + depends_on = [ + module.ciphertrust_manager + ] +} \ No newline at end of file diff --git a/examples/aws/poc/dsf_deployment/main.tf b/examples/aws/poc/dsf_deployment/main.tf index bd5d30df9..de859bb8c 100644 --- a/examples/aws/poc/dsf_deployment/main.tf +++ b/examples/aws/poc/dsf_deployment/main.tf @@ -30,6 +30,7 @@ locals { workstation_cidr_24 = [format("%s.0/24", regex("\\d*\\.\\d*\\.\\d*", module.globals.my_ip))] deployment_name_salted = join("-", [var.deployment_name, module.globals.salt]) password = var.password != null ? var.password : module.globals.random_password + ciphertrust_password = var.ciphertrust_password != null ? var.ciphertrust_password : module.globals.random_password workstation_cidr = var.workstation_cidr != null ? var.workstation_cidr : local.workstation_cidr_24 tags = merge(module.globals.tags, var.additional_tags, { "deployment_name" = local.deployment_name_salted }) private_key_file_path = module.key_pair.private_key_file_path diff --git a/examples/aws/poc/dsf_deployment/networking.tf b/examples/aws/poc/dsf_deployment/networking.tf index 689ef3678..be0e84a9c 100644 --- a/examples/aws/poc/dsf_deployment/networking.tf +++ b/examples/aws/poc/dsf_deployment/networking.tf 
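Review bot: The `module "ciphertrust_manager"` call combines `attach_persistent_public_ip = true` with `allowed_web_console_and_api_cidrs = var.web_console_cidr`, and that variable's default is `["0.0.0.0/0"]` (variables.tf hunk of this patch), so with the example's defaults the CipherTrust Manager admin console and REST API on the elastic IP accept connections from any address, authenticated only by the fixed `admin` user and `local.ciphertrust_password`. The hub in sonar.tf and the DDC setup script both reach the manager through that same public address, so the range cannot simply be narrowed without breaking them; a comment on that line should at least say so, e.g. `# web_console_cidr defaults to 0.0.0.0/0 and also gates the CM REST API; restrict it for anything beyond a PoC`. The `provider "ciphertrust"` block connects to the same public address over https; whether the provider verifies the node's certificate is not visible here.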
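Review bot: `ciphertrust_password` falls back to `module.globals.random_password`, the very value `password` on the preceding line falls back to, so when both variables are left null the DSF Hub/MX/DRA consoles and the CipherTrust Manager `admin` account share one secret and one compromised console yields the other. The globals module is outside this diff, so I cannot tell whether it can hand out a second random value; if it can, use it here, otherwise generate a distinct fallback in this example so the two products never share a credential by default.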
@@ -8,6 +8,7 @@ locals { dra_admin_subnet_id = var.subnet_ids != null ? var.subnet_ids.dra_admin_subnet_id : module.vpc[0].public_subnets[0] dra_analytics_subnet_id = var.subnet_ids != null ? var.subnet_ids.dra_analytics_subnet_id : module.vpc[0].private_subnets[0] agent_gw_subnet_id = var.subnet_ids != null ? var.subnet_ids.agent_gw_subnet_id : module.vpc[0].private_subnets[0] + ciphertrust_subnet_id = var.subnet_ids != null ? var.subnet_ids.ciphertrust_subnet_id : module.vpc[0].public_subnets[0] } module "vpc" { @@ -62,3 +63,7 @@ data "aws_subnet" "dra_admin" { data "aws_subnet" "dra_analytics" { id = local.dra_analytics_subnet_id } + +data "aws_subnet" "ciphertrust" { + id = local.ciphertrust_subnet_id +} \ No newline at end of file diff --git a/examples/aws/poc/dsf_deployment/outputs.tf b/examples/aws/poc/dsf_deployment/outputs.tf index 5a761380b..021fd5035 100644 --- a/examples/aws/poc/dsf_deployment/outputs.tf +++ b/examples/aws/poc/dsf_deployment/outputs.tf @@ -121,6 +121,23 @@ output "dra" { } : null } +output "ciphertrust" { + value = var.enable_ciphertrust ? { + ciphertrust_manager = [ + for idx, val in module.ciphertrust_manager : { + private_ip = try(val.private_ip, null) + private_dns = try(val.private_dns, null) + public_ip = try(val.public_ip, null) + public_dns = try(val.public_dns, null) + public_url = try(join("", ["https://", val.public_dns]), null) + private_url = try(join("", ["https://", val.private_dns]), null) + display_name = try(val.display_name, null) + ssh_command = try("ssh -i ${local.private_key_file_path} ${val.ssh_user}@${val.public_dns}", null) + } + ] + } : null +} + output "audit_sources" { value = { agent_sources = [ 
@@ -164,4 +181,13 @@ output "web_console_dam" { password = nonsensitive(local.password) user = module.mx[0].web_console_user }, null) +} + +output "web_console_ciphertrust" { + value = try({ + public_url = join("", ["https://", module.ciphertrust_manager[0].public_dns]) + private_url = join("", ["https://", module.ciphertrust_manager[0].private_dns]) + password = nonsensitive(local.ciphertrust_password) + user = local.ciphertrust_web_console_username + }, null) } \ No newline at end of file diff --git a/examples/aws/poc/dsf_deployment/sonar.tf b/examples/aws/poc/dsf_deployment/sonar.tf index e3d909e25..f0c702ef0 100644 --- a/examples/aws/poc/dsf_deployment/sonar.tf +++ b/examples/aws/poc/dsf_deployment/sonar.tf @@ -45,9 +45,23 @@ module "hub_main" { archiver_username = module.dra_analytics[0].archiver_user archiver_password = module.dra_analytics[0].archiver_password } : null + cm_details = var.enable_ciphertrust ? { + name = "CipherTrust Manager" + is_load_balancer = false + hostname = coalesce(module.ciphertrust_manager[0].public_ip, module.ciphertrust_manager[0].private_ip) + port = 443 + ddc_enabled = true + ddc_connection_hostname = null + ddc_connection_port = null + username = local.ciphertrust_web_console_username + password = local.ciphertrust_password + registration_method = "password" + registration_token = null + } : null tags = local.tags depends_on = [ - module.vpc + module.vpc, + ciphertrust_trial_license.trial_license ] } diff --git a/examples/aws/poc/dsf_deployment/variables.tf b/examples/aws/poc/dsf_deployment/variables.tf index cc1dc727d..31216789d 100644 --- a/examples/aws/poc/dsf_deployment/variables.tf +++ b/examples/aws/poc/dsf_deployment/variables.tf @@ -28,6 +28,12 @@ variable "enable_dra" { description = "Provision DRA Admin and Analytics" } +variable "enable_ciphertrust" { + type = bool + default = true + description = "Provision CipherTrust Manager" +} + variable "agentless_gw_count" { type = number default = 1 
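Review bot: `hostname = coalesce(module.ciphertrust_manager[0].public_ip, module.ciphertrust_manager[0].private_ip)` makes the hub register the manager by its elastic IP although both sit in the same VPC, so hub-to-manager traffic has to be admitted by the manager's web-console security group, which cm.tf gates with `web_console_cidr`; narrowing that variable to the operator's range, as its own description recommends, would then break onboarding. Preferring `hostname = module.ciphertrust_manager[0].private_ip` and adding the hub subnet CIDR to `allowed_web_console_and_api_cidrs` in cm.tf keeps the path inside the VPC and decouples it from the console allow-list; I am inferring the hub's egress path from the subnet layout, so please confirm. The module "hub_main" block continues outside the hunk.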
@@ -46,6 +52,12 @@ variable "dra_analytics_count" { description = "Number of DRA Analytics servers. Provisioning Analytics servers requires the enable_dra variable to be set to 'true'." } +variable "ciphertrust_manager_count" { + type = number + default = 2 + description = "Number of CipherTrust Manager servers. Provisioning CipherTrust Manager servers requires the enable_ciphertrust variable to be set to 'true'." +} + variable "password" { sensitive = true type = string @@ -59,7 +71,7 @@ variable "password" { variable "web_console_cidr" { type = list(string) default = ["0.0.0.0/0"] - description = "DSF Hub, MX and DRA Admin web consoles IPs range. Specify IPs in the following format - [\"x.x.x.x/x\", \"y.y.y.y/y\"]. The default configuration opens the DSF Hub web console as a public website. It is recommended to specify a more restricted IP and CIDR range." + description = "DSF Hub, MX, DRA Admin and CipherTrust Manager web consoles IPs range. Specify IPs in the following format - [\"x.x.x.x/x\", \"y.y.y.y/y\"]. The default configuration opens the DSF Hub web console as a public website. It is recommended to specify a more restricted IP and CIDR range." } variable "workstation_cidr" { 
@@ -102,12 +114,13 @@ variable "subnet_ids" { agent_gw_subnet_id = string dra_admin_subnet_id = string dra_analytics_subnet_id = string + ciphertrust_subnet_id = string db_subnet_ids = list(string) }) default = null description = "The IDs of existing subnets to deploy resources in. Keep empty if you wish to provision new VPC and subnets. db_subnet_ids can be an empty list only if no databases should be provisioned" validation { - condition = var.subnet_ids == null || try(var.subnet_ids.hub_subnet_id != null && var.subnet_ids.hub_dr_subnet_id != null && var.subnet_ids.agentless_gw_subnet_id != null && var.subnet_ids.agentless_gw_dr_subnet_id != null && var.subnet_ids.mx_subnet_id != null && var.subnet_ids.agent_gw_subnet_id != null && var.subnet_ids.dra_admin_subnet_id != null && var.subnet_ids.dra_analytics_subnet_id != null && var.subnet_ids.db_subnet_ids != null, false) + condition = var.subnet_ids == null || try(var.subnet_ids.hub_subnet_id != null && var.subnet_ids.hub_dr_subnet_id != null && var.subnet_ids.agentless_gw_subnet_id != null && var.subnet_ids.agentless_gw_dr_subnet_id != null && var.subnet_ids.mx_subnet_id != null && var.subnet_ids.agent_gw_subnet_id != null && var.subnet_ids.dra_admin_subnet_id != null && var.subnet_ids.dra_analytics_subnet_id != null && var.subnet_ids.ciphertrust_subnet_id != null && var.subnet_ids.db_subnet_ids != null, false) error_message = "Value must either be null or specified for all" } validation { 
@@ -338,3 +351,56 @@ variable "dra_analytics_ebs_details" { volume_type = "gp3" } } + +############################### +#### CipherTrust variables #### +############################### + +variable "ciphertrust_ebs_details" { + type = object({ + volume_size = number + volume_type = string + }) + description = "CipherTrust compute instance volume attributes" + default = { + volume_size = 256 + volume_type = "gp2" + } +} + +variable "ciphertrust_password" { + sensitive = true + type = string + default = null # Random + description = "Ciphertrust manager web console password" + validation { + condition = var.ciphertrust_password == null || try(length(var.ciphertrust_password) >= 8 && length(var.ciphertrust_password) <= 30, false) + error_message = "Password must be between 8 and 30 characters" + } + + validation { + condition = var.ciphertrust_password == null || can(regex("[A-Z]+", var.ciphertrust_password)) + error_message = "Password must include at least 1 upper-case letter.\n" + } + + validation { + condition = var.ciphertrust_password == null || can(regex("[a-z]+", var.ciphertrust_password)) + error_message = "Password must include at least 1 lower-case letter.\n" + } + + validation { + condition = var.ciphertrust_password == null || can(regex("[0-9]+", var.ciphertrust_password)) + error_message = "Password must include at least 1 decimal digit.\n" + } + + validation { + condition = var.ciphertrust_password == null || can(regex("[!@#$%^&*(),.?\":{}|<>]+", var.ciphertrust_password)) + error_message = "Password must include at least 1 special character.\n" + } +} + +variable "ciphertrust_ami_id" { + type = string + description = "Ciphertrust AMI id. If set to null, the latest AMI will be taken from AWS marketplace" + default = null +} \ No newline at end of file diff --git a/examples/aws/poc/dsf_deployment/versions.tf b/examples/aws/poc/dsf_deployment/versions.tf index 8ed85317d..07611014b 100644 --- a/examples/aws/poc/dsf_deployment/versions.tf 
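Review bot: The five `validation` blocks on `ciphertrust_password` only run on a caller-supplied value; when it is left `null` the example substitutes `module.globals.random_password` (main.tf hunk), which is never checked against the 8–30 length, case, digit and special-character rules, so a generated value that misses one of them surfaces only as a failure from the manager at apply time. I cannot see how globals generates that value, so this may be fine in practice; a note in the description, `# the random fallback is not validated here and must satisfy the same policy`, would make the assumption explicit. Separately, the special-character class admits `\"`, which the DDC setup script (ddc_active_node_setup.tftpl) splices into a JSON body unescaped.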
+++ b/examples/aws/poc/dsf_deployment/versions.tf @@ -6,6 +6,10 @@ terraform { source = "hashicorp/aws" version = ">= 4.23.0" } + ciphertrust = { + source = "ThalesGroup/ciphertrust" + version = "~> 0.11.1" + } local = { version = "~> 2.1" } diff --git a/modules/aws/ciphertrust/README.md b/modules/aws/ciphertrust/README.md new file mode 100644 index 000000000..e93bd3d41 --- /dev/null +++ b/modules/aws/ciphertrust/README.md @@ -0,0 +1,5 @@ +# DSF CipherTrust Manager +[![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags) + +This Terraform module provisions a CipherTrust Manager on AWS as an EC2 instance. + diff --git a/modules/aws/ciphertrust/ami.tf b/modules/aws/ciphertrust/ami.tf new file mode 100644 index 000000000..6070f8050 --- /dev/null +++ b/modules/aws/ciphertrust/ami.tf @@ -0,0 +1,38 @@ +locals { + ami_default = { + owner_account_id = "679593333241" // aws marketplace + name_regex = "k170v-2.19.*" + product_code = "a5j8w8j2tn9crtnai795fkf6o" + } + + ami = var.ami != null ? var.ami : local.ami_default + + ami_owner = local.ami.owner_account_id != null ? local.ami.owner_account_id : "self" + ami_name_regex = local.ami.name_regex != null ? local.ami.name_regex : ".*" + ami_product_code = local.ami.product_code != null ? local.ami.product_code : "*" + + ami_id = var.ami_id != null ? var.ami_id : data.aws_ami.selected-ami[0].image_id +} + +data "aws_ami" "selected-ami" { + count = var.ami_id == null ? 1 : 0 + most_recent = true + name_regex = local.ami_name_regex + + filter { + name = "product-code" + values = [local.ami_product_code] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + filter { + name = "architecture" + values = ["x86_64"] + } + + owners = [local.ami_owner] +} \ No newline at end of file diff --git a/modules/aws/ciphertrust/main.tf b/modules/aws/ciphertrust/main.tf new file mode 100644 index 000000000..88b2d8128 --- /dev/null +++ b/modules/aws/ciphertrust/main.tf 
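Review bot: In ami.tf, when a caller passes `var.ami` with `product_code = null` the `product-code` filter value becomes `"*"`, and with `owner_account_id = null` the owner becomes `"self"`; combined with `most_recent = true` that silently drops the marketplace pin and selects whatever image in the account matches `name_regex`. Falling back to `local.ami_default.product_code` and `local.ami_default.owner_account_id` instead of `"*"` / `"self"`, or rejecting a partial `var.ami` object, would keep the selection anchored to the vendor's listing; the `ami` variable's own validation is not visible in this chunk, so it may already cover this. A short comment on `ami_default` naming the source of `product_code` and `name_regex` (the marketplace listing and CM release line they pin) would also help the next person bumping `k170v-2.19.*`.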
@@ -0,0 +1,51 @@ +locals { + web_console_username = "admin" + + security_group_ids = concat( + [for sg in aws_security_group.sg : sg.id], + var.security_group_ids) + + public_ip = var.attach_persistent_public_ip ? aws_eip.dsf_instance_eip[0].public_ip : aws_instance.dsf_base_instance.public_ip + public_dns = var.attach_persistent_public_ip ? aws_eip.dsf_instance_eip[0].public_dns : aws_instance.dsf_base_instance.public_dns + private_ip = length(aws_network_interface.eni.private_ips) > 0 ? tolist(aws_network_interface.eni.private_ips)[0] : null +} + +resource "aws_eip" "dsf_instance_eip" { + count = var.attach_persistent_public_ip ? 1 : 0 + domain = "vpc" + tags = merge(var.tags, { Name = var.friendly_name }) +} + +resource "aws_eip_association" "eip_assoc" { + count = var.attach_persistent_public_ip ? 1 : 0 + instance_id = aws_instance.dsf_base_instance.id + allocation_id = aws_eip.dsf_instance_eip[0].id +} + +resource "aws_instance" "dsf_base_instance" { + ami = local.ami_id + instance_type = var.instance_type + key_name = var.key_pair + root_block_device { + volume_size = var.ebs.volume_size + volume_type = var.ebs.volume_type + delete_on_termination = true + } + network_interface { + network_interface_id = aws_network_interface.eni.id + device_index = 0 + } + disable_api_termination = true + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + tags = merge(var.tags, { Name : var.friendly_name }) + volume_tags = merge(var.tags, { Name : var.friendly_name }) +} + +resource "aws_network_interface" "eni" { + subnet_id = var.subnet_id + security_groups = local.security_group_ids + tags = var.tags +} \ No newline at end of file diff --git a/modules/aws/ciphertrust/outputs.tf b/modules/aws/ciphertrust/outputs.tf new file mode 100644 index 000000000..26ce443a1 --- /dev/null +++ b/modules/aws/ciphertrust/outputs.tf 
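Review bot: `root_block_device` sets size, type and `delete_on_termination` but not `encrypted`, so unless the account enforces EBS encryption by default the CipherTrust Manager's root volume — presumably where the appliance keeps its database and key material — is created unencrypted. Add `encrypted = true` inside `root_block_device` (optionally a `kms_key_id` exposed as a variable); the rest of the instance block is in good shape, `http_tokens = "required"` and `disable_api_termination = true` in particular. `web_console_username = "admin"` is defined in this locals block and only read by outputs.tf, so a comment noting that it is the appliance's fixed initial account rather than something the module creates would help the reader.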
@@ -0,0 +1,35 @@ +output "public_ip" { + description = "Public elastic IP address of the CipherTrust Manager instance" + value = local.public_ip +} + +output "private_ip" { + description = "Private IP address of the CipherTrust Manager instance" + value = local.private_ip +} + +output "public_dns" { + description = "Public DNS of the elastic IP address of the CipherTrust Manager instance" + value = local.public_dns +} + +output "private_dns" { + description = "Private DNS of the IP address of the CipherTrust Manager instance" + value = aws_network_interface.eni.private_dns_name +} + +output "instance_id" { + value = aws_instance.dsf_base_instance.id +} + +output "display_name" { + value = aws_instance.dsf_base_instance.tags.Name +} + +output "ssh_user" { + value = var.ssh_user +} + +output "web_console_user" { + value = local.web_console_username +} \ No newline at end of file diff --git a/modules/aws/ciphertrust/sg.tf b/modules/aws/ciphertrust/sg.tf new file mode 100644 index 000000000..e49c77851 --- /dev/null +++ b/modules/aws/ciphertrust/sg.tf 
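Review bot: `instance_id`, `display_name`, `ssh_user` and `web_console_user` carry no `description`, while the four IP/DNS outputs above them do. For consistency add one each, e.g. `description = "EC2 instance id of the CipherTrust Manager instance"` and `description = "Initial web console user of the CipherTrust Manager (fixed to admin by the appliance)"`.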
@@ -0,0 +1,88 @@ +locals { + # Skip sg creation if external sg list is given + _security_groups_config = length(var.security_group_ids) == 0 ? local.security_groups_config : [] + + security_groups_config = [ // https://thalesdocs.com/ctp/cm/2.19/get_started/deployment/hardening-guidelines/index.html + { + name = ["web", "console", "and", "api"] + internet_access = false + udp = [] + tcp = [443, 80] + cidrs = concat(var.allowed_web_console_and_api_cidrs, var.allowed_all_cidrs) + }, + { + name = ["ssh"] + internet_access = true + udp = [] + tcp = [22] + cidrs = concat(var.allowed_ssh_cidrs, var.allowed_all_cidrs) + }, + { + name = ["cluster", "nodes", "communication"] + internet_access = false + udp = [] + tcp = [5432] + cidrs = concat(var.allowed_cluster_nodes_cidrs, var.allowed_all_cidrs) + }, + { + name = ["ddc", "agents"] + internet_access = false + udp = [] + tcp = [11117] + cidrs = concat(var.allowed_ddc_agents_cidrs, var.allowed_all_cidrs) + }, + { + name = ["other"] + internet_access = false + udp = [] + tcp = [5696, 9000] + cidrs = concat(var.allowed_all_cidrs) + } + ] +} + +data "aws_subnet" "subnet" { + id = var.subnet_id +} + +############################################################################## +### Ingress security group +############################################################################## + +resource "aws_security_group" "sg" { + for_each = { for idx, config in local._security_groups_config : idx => config } + name = join("-", [var.friendly_name, join("-", each.value.name)]) + vpc_id = data.aws_subnet.subnet.vpc_id + description = format("%s - %s ingress access", var.friendly_name, join(" ", each.value.name)) + + dynamic "ingress" { + for_each = { for idx, port in each.value.tcp : idx => port } + content { + from_port = ingress.value + to_port = ingress.value + protocol = "tcp" + cidr_blocks = each.value.cidrs + } + } + + dynamic "ingress" { + for_each = { for idx, port in each.value.udp : idx => port } + content { + from_port = 
ingress.value + to_port = ingress.value + protocol = "udp" + cidr_blocks = each.value.cidrs + } + } + + # Conditionally assign egress rules based on a "internet_access" memeber + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = each.value.internet_access ? ["0.0.0.0/0"] : [] + ipv6_cidr_blocks = each.value.internet_access ? ["::/0"] : [] + } + + tags = merge(var.tags, { Name = join("-", [var.friendly_name, join("-", each.value.name)]) }) +} \ No newline at end of file diff --git a/modules/aws/ciphertrust/variables.tf b/modules/aws/ciphertrust/variables.tf new file mode 100644 index 000000000..faad1bed4 --- /dev/null +++ b/modules/aws/ciphertrust/variables.tf 
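Review bot: `tcp = [443, 80]` in the web-console group opens plain HTTP to `allowed_web_console_and_api_cidrs` plus `allowed_all_cidrs`, which in the example defaults to the whole internet via `web_console_cidr`. Whether the appliance only redirects 80 to 443 is not visible here; the hardening guide linked on the same line is the place to confirm, and if 80 is merely a redirect convenience it is better left off a key manager, `tcp = [443]`. Minor style points in the same hunk: `cidrs = concat(var.allowed_all_cidrs)` in the "other" group is a no-op wrapper, and the egress comment reads "memeber".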
@@ -0,0 +1,145 @@ +variable "tags" { + description = "A map of tags to add to all resources" + type = map(string) + default = {} +} + +variable "friendly_name" { + type = string + description = "Friendly name to identify all resources" + default = "imperva-dsf-ciphertrust-manager" + validation { + condition = length(var.friendly_name) >= 3 + error_message = "Must be at least 3 characters long" + } + validation { + condition = can(regex("^\\p{L}.*", var.friendly_name)) + error_message = "Must start with a letter" + } +} + +variable "subnet_id" { + type = string + description = "Subnet id for the CipherTrust Manager instances" + validation { + condition = length(var.subnet_id) >= 15 && substr(var.subnet_id, 0, 7) == "subnet-" + error_message = "Subnet id is invalid. Must be subnet-********" + } +} + +variable "security_group_ids" { + type = list(string) + description = "AWS security group Ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored." + validation { + condition = alltrue([for item in var.security_group_ids : substr(item, 0, 3) == "sg-"]) + error_message = "One or more of the security group Ids list is invalid. Each item should be in the format of 'sg-xx..xxx'" + } + default = [] +} + +variable "allowed_web_console_and_api_cidrs" { + type = list(string) + description = "List of ingress CIDR patterns allowing web console access" + validation { + condition = alltrue([for item in var.allowed_web_console_and_api_cidrs : can(cidrnetmask(item))]) + error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]" + } + default = [] +} + +variable "allowed_ssh_cidrs" { + type = list(string) + description = "List of ingress CIDR patterns allowing ssh access" + validation { + condition = alltrue([for item in var.allowed_ssh_cidrs : can(cidrnetmask(item))]) + error_message = "Each item of this list must be in a valid CIDR block format. 
For example: [\"10.106.108.0/25\"]" + } + default = [] +} + +variable "allowed_cluster_nodes_cidrs" { + type = list(string) + description = "List of ingress CIDR patterns allowing other CipherTrust Manager cluster nodes to access the CipherTrust Manager instance" + validation { + condition = alltrue([for item in var.allowed_cluster_nodes_cidrs : can(cidrnetmask(item))]) + error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]" + } + default = [] +} + +variable "allowed_ddc_agents_cidrs" { + type = list(string) + description = "List of ingress CIDR patterns allowing DDC agents access" + validation { + condition = alltrue([for item in var.allowed_ddc_agents_cidrs : can(cidrnetmask(item))]) + error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]" + } + default = [] +} + +variable "allowed_all_cidrs" { + type = list(string) + description = "List of ingress CIDR patterns allowing access to all relevant protocols (E.g vpc cidr range)" + validation { + condition = alltrue([for item in var.allowed_all_cidrs : can(cidrnetmask(item))]) + error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]" + } + default = [] +} + +variable "instance_type" { + type = string + default = "t2.xlarge" + description = "EC2 instance type for the CipherTrust Manager" +} + +variable "ebs" { + type = object({ + volume_size = number + volume_type = string + }) + description = "Compute instance volume attributes for the CipherTrust Manager" +} + +variable "attach_persistent_public_ip" { + type = bool + default = false + description = "Create public elastic IP for the instance" +} + +variable "key_pair" { + type = string + description = "Key pair for the CipherTrust Manager instance" +} + +variable "ssh_user" { + type = string + default = "ksadmin" +} + +variable "ami_id" { + type = string + description = "Ciphertrust AMI id. 
If set to null, the AMI will be selected based on the 'ami' variable if provided, or fall back to the recommended image. If 'ami_id' is set, it takes precedence and 'ami' will be ignored." + default = null +} + +variable "ami" { + type = object({ + name_regex = string + product_code = string + owner_account_id = string + }) + description = < ${local.cm_association_log_path} 2>&1 + set -e + response=$(curl -k -s -w "\n%%{http_code}" -X POST 'https://127.0.0.1:8443/integrations/api/v1/ciphertrust' --header "Content-Type: application/json" --header "Authorization: Bearer ${module.hub_instance.access_tokens.usc.token}" --data '${replace(local.cm_payload, "'", "'\\''")}') + BODY=$(echo "$response" | sed '$d') + STATUS=$(echo "$response" | tail -n1) + if [ "$STATUS" -ge 200 ] && [ "$STATUS" -lt 300 ]; then + echo "CipherTrust Manager associated with the DSF Hub successfully." + else + echo "Request failed with HTTP status $STATUS" + echo "$BODY" + exit 1 + fi + EOF +} + +resource "null_resource" "cm_association" { + count = var.cm_details != null ? 1 : 0 + connection { + type = "ssh" + user = module.hub_instance.ssh_user + private_key = file(var.ssh_key_pair.ssh_private_key_file_path) + host = var.use_public_ip ? module.hub_instance.public_ip : module.hub_instance.private_ip + + bastion_host = local.bastion_host + bastion_private_key = local.bastion_private_key + bastion_user = local.bastion_user + + script_path = local.script_path + } + + provisioner "local-exec" { + command = "echo 'Starting association of CipherTrust Manager with the DSF Hub. Logs will be written on the DSF Hub machine at ${local.cm_association_log_path}'" + } + provisioner "remote-exec" { + inline = concat([local.cm_association_commands]) + } + depends_on = [ + module.hub_instance.ready + ] + triggers = { + command = local.cm_association_commands + } +} diff --git a/modules/aws/hub/variables.tf b/modules/aws/hub/variables.tf index 80e81ef07..34854e600 100644 --- a/modules/aws/hub/variables.tf 
+++ b/modules/aws/hub/variables.tf @@ -311,6 +311,41 @@ variable "dra_details" { default = null } +variable "cm_details" { + sensitive = true + description = "DSF CipherTrust Manager to onboard to Sonar Hub" + type = object({ + name = string + is_load_balancer = bool + hostname = string + port = string + ddc_enabled = string + ddc_connection_hostname = string + ddc_connection_port = string + registration_method = string + username = string + password = string + registration_token = string + }) + validation { + condition = (var.cm_details == null || (can(var.cm_details.name) && can(var.cm_details.hostname))) + error_message = "CipherTrust Manager must specify name and hostname" + } + validation { + condition = (var.cm_details == null || try(var.cm_details.registration_method == "password" || var.cm_details.registration_method == "token", false)) + error_message = "CipherTrust Manager registration_method must be either 'password' or 'token'" + } + validation { + condition = (var.cm_details == null || try(var.cm_details.registration_method != "password" || (var.cm_details.registration_method == "password" && can(var.cm_details.username) && can(var.cm_details.password)), false)) + error_message = "CipherTrust Manager must specify username and password for 'password' registration method" + } + validation { + condition = (var.cm_details == null || try(var.cm_details.registration_method != "token" || (var.cm_details.registration_method == "token" && can(var.cm_details.registration_token)), false)) + error_message = "CipherTrust Manager must specify registration_token for 'token' registration method" + } + default = null +} + variable "volume_attachment_device_name" { type = string default = null diff --git a/modules/null/ciphertrust_cluster/README.md b/modules/null/ciphertrust_cluster/README.md new file mode 100644 index 000000000..cc9cebf98 --- /dev/null +++ b/modules/null/ciphertrust_cluster/README.md 
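Review bot: The first `validation` on `cm_details` uses `can(var.cm_details.name) && can(var.cm_details.hostname)`, but `can()` only reports whether the expression evaluates, and attribute access on a typed object succeeds even when the attribute is null, so the "must specify name and hostname" check never fails; the username/password and registration_token validations have the same flaw. Following the `try(...)` pattern the other blocks already use: `condition = (var.cm_details == null || try(var.cm_details.name != null && var.cm_details.hostname != null, false))` and likewise `try(var.cm_details.registration_method != "password" || (var.cm_details.username != null && var.cm_details.password != null), false)`. Separately, `port`, `ddc_enabled` and `ddc_connection_port` are typed `string` while the example passes `443` and `true`; Terraform converts them, but if `cm_payload` in cm_association.tf (whose hunk start is not visible here) serialises them with `jsonencode`, the hub receives `"443"` and `"true"` as strings — worth confirming against the API's expectations or typing them `number`/`bool`.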
@@ -0,0 +1,5 @@ +# DSF CipherTrust Manager Cluster +[![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags) + +This Terraform module provisions a CipherTrust Manager on AWS as an EC2 instance. + diff --git a/modules/null/ciphertrust_cluster/ddc_active_node_setup.tftpl b/modules/null/ciphertrust_cluster/ddc_active_node_setup.tftpl new file mode 100644 index 000000000..0a412fe36 --- /dev/null +++ b/modules/null/ciphertrust_cluster/ddc_active_node_setup.tftpl 
@@ -0,0 +1,55 @@
+#!/bin/bash
+# set -x
+set -e
+
+if ! command -v jq; then
+ echo "jq utility is required to run this module. Refer to jq installation steps in your workstation platform."
+ exit 1
+fi
+
+TOKEN=""
+
+# Step 1: Get an auth token
+response=$(curl -k -s -w "\n%%{http_code}" -X POST "https://${cm_node_address}/api/v1/auth/tokens" \
+ --header "Content-Type: application/json" \
+ --data '{
+ "grant_type": "password",
+ "labels": [
+ "terraform"
+ ],
+ "username": "'$CM_USER'",
+ "password": "'$CM_PASSWORD'",
+ "refresh_token_lifetime": 1
+ }')
+
+BODY=$(echo "$response" | sed '$d')
+STATUS=$(echo "$response" | tail -n1)
+
+if [ "$STATUS" -lt 200 ] || [ "$STATUS" -ge 300 ]; then
+ echo "Failed to retrieve token. HTTP $STATUS"
+ echo "$BODY"
+ exit 1
+fi
+
+TOKEN=$(echo "$BODY" | jq -r '.jwt')
+
+if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
+ echo "Failed to extract token"
+ exit 1
+fi
+
+# Step 2: Activate the DDC active node
+echo "Activating DDC active node..."
+response=$(curl -k -s -w "\n%%{http_code}" -X POST "https://${cm_node_address}/api/v1/ddc/active-node/register" \
+ --header "Authorization: Bearer $TOKEN" \
+ --header "Content-Type: application/json")
+
+BODY=$(echo "$response" | sed '$d')
+STATUS=$(echo "$response" | tail -n1)
+
+if [ "$STATUS" -ge 200 ] && [ "$STATUS" -lt 300 ]; then
+ echo "CipherTrust DDC active node setup completed successfully."
+else
+ echo "Failed to activate DDC active node. Status: $STATUS, Response: $BODY"
+ exit 1
+fi
diff --git a/modules/null/ciphertrust_cluster/main.tf b/modules/null/ciphertrust_cluster/main.tf
new file mode 100644
index 000000000..d3a1ed131
--- /dev/null
+++ b/modules/null/ciphertrust_cluster/main.tf
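Review bot: Both `curl` calls use `-k`, and the first one splices `$CM_USER` and `$CM_PASSWORD` into the `--data` argument, so the admin password is sent with certificate verification disabled to whatever answers at `cm_node_address` (the example passes the public IP), sits in the operator workstation's process list for the duration of the call, and breaks the JSON if it contains `"` — a character the example's password validation explicitly allows. Building the body with `jq` (already required at the top of the script) and feeding it over stdin removes the argv exposure and the quoting problem; `-k` is harder to drop for a freshly provisioned node with a self-signed certificate, but a `--cacert` path handed in by the caller would let operators pin it when they have it. The commented-out `# set -x` in the header is also a trap: enabling it would log the token and password.
```bash
# Step 1: Get an auth token (credentials travel over stdin, not argv)
payload=$(jq -n --arg u "$CM_USER" --arg p "$CM_PASSWORD" \
  '{grant_type: "password", labels: ["terraform"], username: $u, password: $p, refresh_token_lifetime: 1}')
response=$(printf '%s' "$payload" | curl -k -s -w "\n%%{http_code}" -X POST "https://${cm_node_address}/api/v1/auth/tokens" \
  --header "Content-Type: application/json" \
  --data @-)
# … unchanged: status check, token extraction, DDC activation …
```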
@@ -0,0 +1,37 @@
+locals {
+ web_console_username = "admin"
+
+ ddc_active_node_commands = var.ddc_node_setup.enabled ? templatefile("${path.module}/ddc_active_node_setup.tftpl", {
+ cm_node_address = var.ddc_node_setup.node_address
+ }) : null
+}
+
+resource "ciphertrust_cluster" "cluster" {
+ count = length(var.ciphertrust_instances)> 1 ? 1 : 0
+ dynamic "node" {
+ for_each = { for index, instance in var.ciphertrust_instances : index => instance }
+ content {
+ host = node.value.host
+ public_address = node.value.public_address
+ original = node.value.host == var.ciphertrust_instances[0].host && node.value.public_address == var.ciphertrust_instances[0].public_address
+ }
+ }
+}
+
+resource "null_resource" "ddc_active_node_setup" {
+ count = var.ddc_node_setup.enabled ? 1 : 0
+ provisioner "local-exec" {
+ interpreter = ["bash", "-c"]
+ command = local.ddc_active_node_commands
+ environment = {
+ CM_USER = nonsensitive(var.cm_details.user)
+ CM_PASSWORD = nonsensitive(var.cm_details.password)
+ }
+ }
+ triggers = {
+ content = local.ddc_active_node_commands
+ }
+ depends_on = [
+ ciphertrust_cluster.cluster
+ ]
+}
diff --git a/modules/null/ciphertrust_cluster/outputs.tf b/modules/null/ciphertrust_cluster/outputs.tf
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/null/ciphertrust_cluster/variables.tf b/modules/null/ciphertrust_cluster/variables.tf
new file mode 100644
index 000000000..e70f5cd82
--- /dev/null
+++ b/modules/null/ciphertrust_cluster/variables.tf
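Review bot: `CM_PASSWORD = nonsensitive(var.cm_details.password)` strips the sensitive marking from a variable that is declared `sensitive = true` in variables.tf, so the password is no longer redacted in Terraform's output and logs; as far as I know provisioner `environment` values accept sensitive inputs and are redacted as "(sensitive value)" on the supported versions, so `CM_PASSWORD = var.cm_details.password` should work without the unwrap — please verify on the pinned provider versions. Two style points: `count = length(var.ciphertrust_instances)> 1 ? 1 : 0` duplicates the `> 1` check already enforced by the variable's validation (and is missing a space before `>`), and `web_console_username` is defined here but not read anywhere in this file — if the caller is expected to use it, it needs an output, otherwise a comment or removal.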
@@ -0,0 +1,36 @@
+variable "ciphertrust_instances" {
+ type = list(object({
+ host = string
+ public_address = string
+ }))
+ description = "List of CipherTrust Manager instances to form a cluster. Each instance should have a host and a public_address."
+ validation {
+ condition = length(var.ciphertrust_instances) > 1
+ error_message = "At least two CipherTrust Manager instances are required to form a cluster."
+ }
+}
+
+variable "ddc_node_setup" {
+ type = object({
+ enabled = bool
+ node_address = string
+ })
+ description = "Configuration for DDC node setup. Set 'enabled' to true to run setup for the given 'node_address' as the DDC active node in the cluster."
+ default = {
+ enabled = false
+ node_address = ""
+ }
+}
+
+variable "cm_details" {
+ sensitive = true
+ type = object({
+ user = string
+ password = string
+ })
+ description = "Details for the CipherTrust Manager, including user and password."
+ default = {
+ user = null
+ password = null
+ }
+}
\ No newline at end of file
diff --git a/modules/null/ciphertrust_cluster/versions.tf b/modules/null/ciphertrust_cluster/versions.tf
new file mode 100644
index 000000000..430eed69a
--- /dev/null
+++ b/modules/null/ciphertrust_cluster/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3.1, < 1.8.0"
+
+ required_providers {
+ ciphertrust = {
+ source = "ThalesGroup/ciphertrust"
+ version = "~> 0.11.1"
+ }
+ }
+}
From 154877f67fa9141fa73b75f45a328aa10ec15b65 Mon Sep 17 00:00:00 2001
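Review bot: Nothing rejects `ddc_node_setup.enabled = true` combined with the default `node_address = ""` or the default null `cm_details`, so the setup command would target `https:///api/...` with empty credentials and fail only inside the provisioner at apply time. A `validation` block on `ddc_node_setup` with `condition = !var.ddc_node_setup.enabled || length(var.ddc_node_setup.node_address) > 0` makes that a plan-time error. A matching non-null check on `cm_details.user` and `cm_details.password` when setup is enabled needs a cross-variable reference, which variable validation only supports from Terraform 1.9 — outside the `< 1.8.0` pin in versions.tf — so that check belongs in a `lifecycle { precondition }` on the `null_resource` instead.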
From: "sivan.hajbi" Date: Mon, 7 Jul 2025 14:03:23 +0300 Subject: [PATCH 02/16] code review comments --- examples/aws/poc/dsf_deployment/cm.tf | 36 +++++++-------- examples/aws/poc/dsf_deployment/main.tf | 14 +++--- examples/aws/poc/dsf_deployment/networking.tf | 24 +++++----- examples/aws/poc/dsf_deployment/outputs.tf | 4 +- examples/aws/poc/dsf_deployment/sonar.tf | 9 ++-- examples/aws/poc/dsf_deployment/variables.tf | 44 +++++++++---------- .../README.md | 0 .../ami.tf | 0 .../main.tf | 8 ++-- .../outputs.tf | 4 +- .../sg.tf | 2 +- .../variables.tf | 6 +-- .../versions.tf | 0 modules/aws/hub/cm_association.tf | 2 +- .../README.md | 2 +- .../ddc_active_node_setup.tftpl | 0 .../main.tf | 12 +++-- .../outputs.tf | 0 .../variables.tf | 8 ++-- .../versions.tf | 0 20 files changed, 87 insertions(+), 88 deletions(-) rename modules/aws/{ciphertrust => ciphertrust_manager}/README.md (100%) rename modules/aws/{ciphertrust => ciphertrust_manager}/ami.tf (100%) rename modules/aws/{ciphertrust => ciphertrust_manager}/main.tf (84%) rename modules/aws/{ciphertrust => ciphertrust_manager}/outputs.tf (86%) rename modules/aws/{ciphertrust => ciphertrust_manager}/sg.tf (97%) rename modules/aws/{ciphertrust => ciphertrust_manager}/variables.tf (96%) rename modules/aws/{ciphertrust => ciphertrust_manager}/versions.tf (100%) rename modules/null/{ciphertrust_cluster => ciphertrust-manager-cluster-setup}/README.md (83%) rename modules/null/{ciphertrust_cluster => ciphertrust-manager-cluster-setup}/ddc_active_node_setup.tftpl (100%) rename modules/null/{ciphertrust_cluster => ciphertrust-manager-cluster-setup}/main.tf (62%) rename modules/null/{ciphertrust_cluster => ciphertrust-manager-cluster-setup}/outputs.tf (100%) rename modules/null/{ciphertrust_cluster => ciphertrust-manager-cluster-setup}/variables.tf (79%) rename modules/null/{ciphertrust_cluster => ciphertrust-manager-cluster-setup}/versions.tf (100%) 
diff --git a/examples/aws/poc/dsf_deployment/cm.tf b/examples/aws/poc/dsf_deployment/cm.tf index 8d62c0f05..5db47324e 100644 --- a/examples/aws/poc/dsf_deployment/cm.tf +++ b/examples/aws/poc/dsf_deployment/cm.tf @@ -1,23 +1,23 @@ locals { ciphertrust_manager_count = var.enable_ciphertrust ? var.ciphertrust_manager_count : 0 - ciphertrust_cidr_list = [data.aws_subnet.ciphertrust.cidr_block] - ciphertrust_web_console_username = "admin" + ciphertrust_manager_web_console_username = "admin" } module "ciphertrust_manager" { - source = "../../../../modules/aws/ciphertrust" -# source = "imperva/dsf-ciphertrust/aws" + # TODO sivan - change module name to ciphertrust manager + source = "../../../../modules/aws/ciphertrust_manager" +# source = "imperva/dsf-ciphertrust-manager/aws" # version = "1.7.17" # latest release tag count = local.ciphertrust_manager_count - ami_id = var.ciphertrust_ami_id + ami_id = var.ciphertrust_manager_ami_id friendly_name = join("-", [local.deployment_name_salted, "ciphertrust", "manager", count.index]) - ebs = var.ciphertrust_ebs_details - subnet_id = local.ciphertrust_subnet_id + ebs = var.ciphertrust_manager_ebs_details + subnet_id = local.ciphertrust_manager_subnet_id attach_persistent_public_ip = true key_pair = module.key_pair.key_pair.key_pair_name allowed_web_console_and_api_cidrs = var.web_console_cidr allowed_ssh_cidrs = concat(local.workstation_cidr, var.allowed_ssh_cidrs) - allowed_cluster_nodes_cidrs = [data.aws_subnet.ciphertrust.cidr_block] + allowed_cluster_nodes_cidrs = [data.aws_subnet.ciphertrust_manager.cidr_block] allowed_ddc_agents_cidrs = [] allowed_all_cidrs = local.workstation_cidr tags = local.tags 
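Review bot: The added `# TODO sivan - change module name to ciphertrust manager` is already satisfied by this commit's `source = "../../../../modules/aws/ciphertrust_manager"`, so it is stale on arrival. Either drop it or reword it to the work that actually remains, e.g. `# TODO: publish the renamed module so the registry source below can replace the local path`, which also explains why the `imperva/dsf-ciphertrust-manager/aws` lines are commented out.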
@@ -27,9 +27,9 @@ module "ciphertrust_manager" { } provider "ciphertrust" { - address = var.enable_ciphertrust? "https://${module.ciphertrust_manager[0].public_ip}" : null - username = local.ciphertrust_web_console_username - password = local.ciphertrust_password + address = var.enable_ciphertrust ? "https://${module.ciphertrust_manager[0].public_ip}" : null + username = local.ciphertrust_manager_web_console_username + password = local.ciphertrust_manager_password // destroy cluster can take almost a minute so give us a bit of a buffer rest_api_timeout = 720 } @@ -39,20 +39,20 @@ resource "ciphertrust_trial_license" "trial_license" { flag = "activate" } -module "ciphertrust_cluster" { - source = "../../../../modules/null/ciphertrust_cluster" - # source = "imperva/dsf-ciphertrust-cluster/aws" +module "ciphertrust_manager_cluster_setup" { + source = "../../../../modules/null/ciphertrust-manager-cluster-setup" + # source = "imperva/dsf-ciphertrust-manager-cluster-setup/aws" # version = "1.7.17" # latest release tag count = local.ciphertrust_manager_count > 1 ? 1 : 0 - ciphertrust_instances = [ + nodes = [ for i in range(length(module.ciphertrust_manager)) : { host = module.ciphertrust_manager[i].private_ip public_address = coalesce(module.ciphertrust_manager[i].public_ip, module.ciphertrust_manager[i].private_ip) } ] - cm_details = { - user = local.ciphertrust_web_console_username - password = local.ciphertrust_password + credentials = { + user = local.ciphertrust_manager_web_console_username + password = local.ciphertrust_manager_password } ddc_node_setup = { enabled = true diff --git a/examples/aws/poc/dsf_deployment/main.tf b/examples/aws/poc/dsf_deployment/main.tf index de859bb8c..b81fefb93 100644 --- a/examples/aws/poc/dsf_deployment/main.tf +++ b/examples/aws/poc/dsf_deployment/main.tf 
@@ -27,11 +27,11 @@ module "key_pair" { } locals { - workstation_cidr_24 = [format("%s.0/24", regex("\\d*\\.\\d*\\.\\d*", module.globals.my_ip))] - deployment_name_salted = join("-", [var.deployment_name, module.globals.salt]) - password = var.password != null ? var.password : module.globals.random_password - ciphertrust_password = var.ciphertrust_password != null ? var.ciphertrust_password : module.globals.random_password - workstation_cidr = var.workstation_cidr != null ? var.workstation_cidr : local.workstation_cidr_24 - tags = merge(module.globals.tags, var.additional_tags, { "deployment_name" = local.deployment_name_salted }) - private_key_file_path = module.key_pair.private_key_file_path + workstation_cidr_24 = [format("%s.0/24", regex("\\d*\\.\\d*\\.\\d*", module.globals.my_ip))] + deployment_name_salted = join("-", [var.deployment_name, module.globals.salt]) + password = var.password != null ? var.password : module.globals.random_password + ciphertrust_manager_password = var.ciphertrust_manager_password != null ? var.ciphertrust_manager_password : module.globals.random_password + workstation_cidr = var.workstation_cidr != null ? var.workstation_cidr : local.workstation_cidr_24 + tags = merge(module.globals.tags, var.additional_tags, { "deployment_name" = local.deployment_name_salted }) + private_key_file_path = module.key_pair.private_key_file_path } diff --git a/examples/aws/poc/dsf_deployment/networking.tf b/examples/aws/poc/dsf_deployment/networking.tf index be0e84a9c..71cd4b273 100644 --- a/examples/aws/poc/dsf_deployment/networking.tf +++ b/examples/aws/poc/dsf_deployment/networking.tf 
@@ -1,14 +1,14 @@ locals { - hub_subnet_id = var.subnet_ids != null ? var.subnet_ids.hub_subnet_id : module.vpc[0].public_subnets[0] - hub_dr_subnet_id = var.subnet_ids != null ? var.subnet_ids.hub_dr_subnet_id : module.vpc[0].public_subnets[1] - agentless_gw_subnet_id = var.subnet_ids != null ? var.subnet_ids.agentless_gw_subnet_id : module.vpc[0].private_subnets[0] - agentless_gw_dr_subnet_id = var.subnet_ids != null ? var.subnet_ids.agentless_gw_dr_subnet_id : module.vpc[0].private_subnets[1] - db_subnet_ids = var.subnet_ids != null ? var.subnet_ids.db_subnet_ids : module.vpc[0].public_subnets - mx_subnet_id = var.subnet_ids != null ? var.subnet_ids.mx_subnet_id : module.vpc[0].public_subnets[0] - dra_admin_subnet_id = var.subnet_ids != null ? var.subnet_ids.dra_admin_subnet_id : module.vpc[0].public_subnets[0] - dra_analytics_subnet_id = var.subnet_ids != null ? var.subnet_ids.dra_analytics_subnet_id : module.vpc[0].private_subnets[0] - agent_gw_subnet_id = var.subnet_ids != null ? var.subnet_ids.agent_gw_subnet_id : module.vpc[0].private_subnets[0] - ciphertrust_subnet_id = var.subnet_ids != null ? var.subnet_ids.ciphertrust_subnet_id : module.vpc[0].public_subnets[0] + hub_subnet_id = var.subnet_ids != null ? var.subnet_ids.hub_subnet_id : module.vpc[0].public_subnets[0] + hub_dr_subnet_id = var.subnet_ids != null ? var.subnet_ids.hub_dr_subnet_id : module.vpc[0].public_subnets[1] + agentless_gw_subnet_id = var.subnet_ids != null ? var.subnet_ids.agentless_gw_subnet_id : module.vpc[0].private_subnets[0] + agentless_gw_dr_subnet_id = var.subnet_ids != null ? var.subnet_ids.agentless_gw_dr_subnet_id : module.vpc[0].private_subnets[1] + db_subnet_ids = var.subnet_ids != null ? var.subnet_ids.db_subnet_ids : module.vpc[0].public_subnets + mx_subnet_id = var.subnet_ids != null ? var.subnet_ids.mx_subnet_id : module.vpc[0].public_subnets[0] + dra_admin_subnet_id = var.subnet_ids != null ? 
var.subnet_ids.dra_admin_subnet_id : module.vpc[0].public_subnets[0] + dra_analytics_subnet_id = var.subnet_ids != null ? var.subnet_ids.dra_analytics_subnet_id : module.vpc[0].private_subnets[0] + agent_gw_subnet_id = var.subnet_ids != null ? var.subnet_ids.agent_gw_subnet_id : module.vpc[0].private_subnets[0] + ciphertrust_manager_subnet_id = var.subnet_ids != null ? var.subnet_ids.ciphertrust_subnet_id : module.vpc[0].public_subnets[0] } module "vpc" { @@ -64,6 +64,6 @@ data "aws_subnet" "dra_analytics" { id = local.dra_analytics_subnet_id } -data "aws_subnet" "ciphertrust" { - id = local.ciphertrust_subnet_id +data "aws_subnet" "ciphertrust_manager" { + id = local.ciphertrust_manager_subnet_id } \ No newline at end of file diff --git a/examples/aws/poc/dsf_deployment/outputs.tf b/examples/aws/poc/dsf_deployment/outputs.tf index 021fd5035..54986a9d2 100644 --- a/examples/aws/poc/dsf_deployment/outputs.tf +++ b/examples/aws/poc/dsf_deployment/outputs.tf @@ -187,7 +187,7 @@ output "web_console_ciphertrust" { value = try({ public_url = join("", ["https://", module.ciphertrust_manager[0].public_dns]) private_url = join("", ["https://", module.ciphertrust_manager[0].private_dns]) - password = nonsensitive(local.ciphertrust_password) - user = local.ciphertrust_web_console_username + password = nonsensitive(local.ciphertrust_manager_password) + user = local.ciphertrust_manager_web_console_username }, null) } \ No newline at end of file diff --git a/examples/aws/poc/dsf_deployment/sonar.tf b/examples/aws/poc/dsf_deployment/sonar.tf index f0c702ef0..02d06759f 100644 --- a/examples/aws/poc/dsf_deployment/sonar.tf +++ b/examples/aws/poc/dsf_deployment/sonar.tf 
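Review bot: The new `ciphertrust_manager_subnet_id` local still reads `var.subnet_ids.ciphertrust_subnet_id`, but the `subnet_ids` object type in variables.tf is renamed in this same commit and now only declares `ciphertrust_manager_subnet_id`, so a deployment that supplies `subnet_ids` fails with an unsupported-attribute error at plan. The line should read `ciphertrust_manager_subnet_id = var.subnet_ids != null ? var.subnet_ids.ciphertrust_manager_subnet_id : module.vpc[0].public_subnets[0]`. The `validation` condition in the variables.tf hunk already uses the new attribute name, so only this reference is out of step.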
@@ -9,8 +9,9 @@ locals { } module "hub_main" { - source = "imperva/dsf-hub/aws" - version = "1.7.29" # latest release tag + source = "../../../../modules/aws/hub" +# source = "imperva/dsf-hub/aws" +# version = "1.7.29" # latest release tag count = var.enable_sonar ? 1 : 0 friendly_name = join("-", [local.deployment_name_salted, "hub", "main"]) @@ -53,8 +54,8 @@ module "hub_main" { ddc_enabled = true ddc_connection_hostname = null ddc_connection_port = null - username = local.ciphertrust_web_console_username - password = local.ciphertrust_password + username = local.ciphertrust_manager_web_console_username + password = local.ciphertrust_manager_password registration_method = "password" registration_token = null } : null diff --git a/examples/aws/poc/dsf_deployment/variables.tf b/examples/aws/poc/dsf_deployment/variables.tf index 31216789d..2b72c9d38 100644 --- a/examples/aws/poc/dsf_deployment/variables.tf +++ b/examples/aws/poc/dsf_deployment/variables.tf @@ -54,8 +54,8 @@ variable "dra_analytics_count" { variable "ciphertrust_manager_count" { type = number - default = 2 - description = "Number of CipherTrust Manager servers. Provisioning CipherTrust Manager servers requires the enable_ciphertrust variable to be set to 'true'." + default = 2 # Minimum count for a cluster + description = "Number of CipherTrust Manager servers. If more than one server is specified, they will be configured as a cluster. Provisioning CipherTrust Manager servers requires the enable_ciphertrust variable to be set to 'true'." } variable "password" { 
@@ -106,21 +106,21 @@ variable "public_subnets" { variable "subnet_ids" { type = object({ - hub_subnet_id = string - hub_dr_subnet_id = string - agentless_gw_subnet_id = string - agentless_gw_dr_subnet_id = string - mx_subnet_id = string - agent_gw_subnet_id = string - dra_admin_subnet_id = string - dra_analytics_subnet_id = string - ciphertrust_subnet_id = string + hub_subnet_id = string + hub_dr_subnet_id = string + agentless_gw_subnet_id = string + agentless_gw_dr_subnet_id = string + mx_subnet_id = string + agent_gw_subnet_id = string + dra_admin_subnet_id = string + dra_analytics_subnet_id = string + ciphertrust_manager_subnet_id = string db_subnet_ids = list(string) }) default = null description = "The IDs of existing subnets to deploy resources in. Keep empty if you wish to provision new VPC and subnets. db_subnet_ids can be an empty list only if no databases should be provisioned" validation { - condition = var.subnet_ids == null || try(var.subnet_ids.hub_subnet_id != null && var.subnet_ids.hub_dr_subnet_id != null && var.subnet_ids.agentless_gw_subnet_id != null && var.subnet_ids.agentless_gw_dr_subnet_id != null && var.subnet_ids.mx_subnet_id != null && var.subnet_ids.agent_gw_subnet_id != null && var.subnet_ids.dra_admin_subnet_id != null && var.subnet_ids.dra_analytics_subnet_id != null && var.subnet_ids.ciphertrust_subnet_id != null && var.subnet_ids.db_subnet_ids != null, false) + condition = var.subnet_ids == null || try(var.subnet_ids.hub_subnet_id != null && var.subnet_ids.hub_dr_subnet_id != null && var.subnet_ids.agentless_gw_subnet_id != null && var.subnet_ids.agentless_gw_dr_subnet_id != null && var.subnet_ids.mx_subnet_id != null && var.subnet_ids.agent_gw_subnet_id != null && var.subnet_ids.dra_admin_subnet_id != null && var.subnet_ids.dra_analytics_subnet_id != null && var.subnet_ids.ciphertrust_manager_subnet_id != null && var.subnet_ids.db_subnet_ids != null, false) error_message = "Value must either be null or specified for all" } 
validation { 
@@ -356,51 +356,51 @@ variable "dra_analytics_ebs_details" { #### CipherTrust variables #### ############################### -variable "ciphertrust_ebs_details" { +variable "ciphertrust_manager_ebs_details" { type = object({ volume_size = number volume_type = string }) - description = "CipherTrust compute instance volume attributes" + description = "CipherTrust Manager compute instance volume attributes" default = { volume_size = 256 volume_type = "gp2" } } -variable "ciphertrust_password" { +variable "ciphertrust_manager_password" { sensitive = true type = string default = null # Random description = "Ciphertrust manager web console password" validation { - condition = var.ciphertrust_password == null || try(length(var.ciphertrust_password) >= 8 && length(var.ciphertrust_password) <= 30, false) + condition = var.ciphertrust_manager_password == null || try(length(var.ciphertrust_manager_password) >= 8 && length(var.ciphertrust_manager_password) <= 30, false) error_message = "Password must be between 8 and 30 characters" } validation { - condition = var.ciphertrust_password == null || can(regex("[A-Z]+", var.ciphertrust_password)) + condition = var.ciphertrust_manager_password == null || can(regex("[A-Z]+", var.ciphertrust_manager_password)) error_message = "Password must include at least 1 upper-case letter.\n" } validation { - condition = var.ciphertrust_password == null || can(regex("[a-z]+", var.ciphertrust_password)) + condition = var.ciphertrust_manager_password == null || can(regex("[a-z]+", var.ciphertrust_manager_password)) error_message = "Password must include at least 1 lower-case letter.\n" } validation { - condition = var.ciphertrust_password == null || can(regex("[0-9]+", var.ciphertrust_password)) + condition = var.ciphertrust_manager_password == null || can(regex("[0-9]+", var.ciphertrust_manager_password)) error_message = "Password must include at least 1 decimal digit.\n" } validation { - condition = var.ciphertrust_password == null || 
can(regex("[!@#$%^&*(),.?\":{}|<>]+", var.ciphertrust_password)) + condition = var.ciphertrust_manager_password == null || can(regex("[!@#$%^&*(),.?\":{}|<>]+", var.ciphertrust_manager_password)) error_message = "Password must include at least 1 special character.\n" } } -variable "ciphertrust_ami_id" { +variable "ciphertrust_manager_ami_id" { type = string - description = "Ciphertrust AMI id. If set to null, the latest AMI will be taken from AWS marketplace" + description = "Ciphertrust Manager AMI id. If set to null, the latest AMI will be taken from AWS marketplace" default = null } \ No newline at end of file diff --git a/modules/aws/ciphertrust/README.md b/modules/aws/ciphertrust_manager/README.md similarity index 100% rename from modules/aws/ciphertrust/README.md rename to modules/aws/ciphertrust_manager/README.md diff --git a/modules/aws/ciphertrust/ami.tf b/modules/aws/ciphertrust_manager/ami.tf similarity index 100% rename from modules/aws/ciphertrust/ami.tf rename to modules/aws/ciphertrust_manager/ami.tf diff --git a/modules/aws/ciphertrust/main.tf b/modules/aws/ciphertrust_manager/main.tf similarity index 84% rename from modules/aws/ciphertrust/main.tf rename to modules/aws/ciphertrust_manager/main.tf index 88b2d8128..aba432a84 100644 --- a/modules/aws/ciphertrust/main.tf +++ b/modules/aws/ciphertrust_manager/main.tf 
@@ -5,8 +5,8 @@ locals { [for sg in aws_security_group.sg : sg.id], var.security_group_ids) - public_ip = var.attach_persistent_public_ip ? aws_eip.dsf_instance_eip[0].public_ip : aws_instance.dsf_base_instance.public_ip - public_dns = var.attach_persistent_public_ip ? aws_eip.dsf_instance_eip[0].public_dns : aws_instance.dsf_base_instance.public_dns + public_ip = var.attach_persistent_public_ip ? aws_eip.dsf_instance_eip[0].public_ip : aws_instance.cipthertrust_manager_instance.public_ip + public_dns = var.attach_persistent_public_ip ? aws_eip.dsf_instance_eip[0].public_dns : aws_instance.cipthertrust_manager_instance.public_dns private_ip = length(aws_network_interface.eni.private_ips) > 0 ? tolist(aws_network_interface.eni.private_ips)[0] : null } @@ -18,11 +18,11 @@ resource "aws_eip" "dsf_instance_eip" { resource "aws_eip_association" "eip_assoc" { count = var.attach_persistent_public_ip ? 1 : 0 - instance_id = aws_instance.dsf_base_instance.id + instance_id = aws_instance.cipthertrust_manager_instance.id allocation_id = aws_eip.dsf_instance_eip[0].id } -resource "aws_instance" "dsf_base_instance" { +resource "aws_instance" "cipthertrust_manager_instance" { ami = local.ami_id instance_type = var.instance_type key_name = var.key_pair diff --git a/modules/aws/ciphertrust/outputs.tf b/modules/aws/ciphertrust_manager/outputs.tf similarity index 86% rename from modules/aws/ciphertrust/outputs.tf rename to modules/aws/ciphertrust_manager/outputs.tf index 26ce443a1..0f10cee16 100644 --- a/modules/aws/ciphertrust/outputs.tf +++ b/modules/aws/ciphertrust_manager/outputs.tf @@ -19,11 +19,11 @@ output "private_dns" { } output "instance_id" { - value = aws_instance.dsf_base_instance.id + value = aws_instance.cipthertrust_manager_instance.id } output "display_name" { - value = aws_instance.dsf_base_instance.tags.Name + value = aws_instance.cipthertrust_manager_instance.tags.Name } output "ssh_user" { 
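Review bot: The renamed resource is spelled `cipthertrust_manager_instance` (extra `t`) in the locals, the `aws_eip_association`, the `aws_instance` block and both outputs. It is internally consistent so it applies, but the typo becomes part of the module's state address, and correcting it later will require a `moved` block to avoid replacing the instance; renaming it to `ciphertrust_manager_instance` before the module is published avoids that cost.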
diff --git a/modules/aws/ciphertrust/sg.tf b/modules/aws/ciphertrust_manager/sg.tf similarity index 97% rename from modules/aws/ciphertrust/sg.tf rename to modules/aws/ciphertrust_manager/sg.tf index e49c77851..7d91ce372 100644 --- a/modules/aws/ciphertrust/sg.tf +++ b/modules/aws/ciphertrust_manager/sg.tf @@ -18,7 +18,7 @@ locals { cidrs = concat(var.allowed_ssh_cidrs, var.allowed_all_cidrs) }, { - name = ["cluster", "nodes", "communication"] + name = ["cluster", "nodes"] internet_access = false udp = [] tcp = [5432] diff --git a/modules/aws/ciphertrust/variables.tf b/modules/aws/ciphertrust_manager/variables.tf similarity index 96% rename from modules/aws/ciphertrust/variables.tf rename to modules/aws/ciphertrust_manager/variables.tf index faad1bed4..6529f701f 100644 --- a/modules/aws/ciphertrust/variables.tf +++ b/modules/aws/ciphertrust_manager/variables.tf @@ -39,7 +39,7 @@ variable "security_group_ids" { variable "allowed_web_console_and_api_cidrs" { type = list(string) - description = "List of ingress CIDR patterns allowing web console access" + description = "List of ingress CIDR patterns allowing web console and api access" validation { condition = alltrue([for item in var.allowed_web_console_and_api_cidrs : can(cidrnetmask(item))]) error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]" @@ -69,7 +69,7 @@ variable "allowed_cluster_nodes_cidrs" { variable "allowed_ddc_agents_cidrs" { type = list(string) - description = "List of ingress CIDR patterns allowing DDC agents access" + description = "List of ingress CIDR patterns allowing DDC agents to access the CipherTrust Manager instance" validation { condition = alltrue([for item in var.allowed_ddc_agents_cidrs : can(cidrnetmask(item))]) error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]" 
@@ -79,7 +79,7 @@ variable "allowed_ddc_agents_cidrs" { variable "allowed_all_cidrs" { type = list(string) - description = "List of ingress CIDR patterns allowing access to all relevant protocols (E.g vpc cidr range)" + description = "List of ingress CIDR patterns allowing all types of access: ssh, API, web console, etc." validation { condition = alltrue([for item in var.allowed_all_cidrs : can(cidrnetmask(item))]) error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]" diff --git a/modules/aws/ciphertrust/versions.tf b/modules/aws/ciphertrust_manager/versions.tf similarity index 100% rename from modules/aws/ciphertrust/versions.tf rename to modules/aws/ciphertrust_manager/versions.tf diff --git a/modules/aws/hub/cm_association.tf b/modules/aws/hub/cm_association.tf index 3330753c6..08cc63672 100644 --- a/modules/aws/hub/cm_association.tf +++ b/modules/aws/hub/cm_association.tf @@ -25,7 +25,7 @@ locals { BODY=$(echo "$response" | sed '$d') STATUS=$(echo "$response" | tail -n1) if [ "$STATUS" -ge 200 ] && [ "$STATUS" -lt 300 ]; then - echo "CipherTrust Manager associated with the DSF Hub successfully." + echo "CipherTrust Manager successfully associated with the DSF Hub." else echo "Request failed with HTTP status $STATUS" echo "$BODY" diff --git a/modules/null/ciphertrust_cluster/README.md b/modules/null/ciphertrust-manager-cluster-setup/README.md similarity index 83% rename from modules/null/ciphertrust_cluster/README.md rename to modules/null/ciphertrust-manager-cluster-setup/README.md index cc9cebf98..dd9413f0c 100644 --- a/modules/null/ciphertrust_cluster/README.md +++ b/modules/null/ciphertrust-manager-cluster-setup/README.md 
@@ -1,4 +1,4 @@ -# DSF CipherTrust Manager Cluster +# DSF CipherTrust Manager Cluster Setup [![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags) This Terraform module provisions a CipherTrust Manager on AWS as an EC2 instance. diff --git a/modules/null/ciphertrust_cluster/ddc_active_node_setup.tftpl b/modules/null/ciphertrust-manager-cluster-setup/ddc_active_node_setup.tftpl similarity index 100% rename from modules/null/ciphertrust_cluster/ddc_active_node_setup.tftpl rename to modules/null/ciphertrust-manager-cluster-setup/ddc_active_node_setup.tftpl diff --git a/modules/null/ciphertrust_cluster/main.tf b/modules/null/ciphertrust-manager-cluster-setup/main.tf similarity index 62% rename from modules/null/ciphertrust_cluster/main.tf rename to modules/null/ciphertrust-manager-cluster-setup/main.tf index d3a1ed131..30ab301b7 100644 --- a/modules/null/ciphertrust_cluster/main.tf +++ b/modules/null/ciphertrust-manager-cluster-setup/main.tf @@ -1,19 +1,17 @@ locals { - web_console_username = "admin" - ddc_active_node_commands = var.ddc_node_setup.enabled ? templatefile("${path.module}/ddc_active_node_setup.tftpl", { cm_node_address = var.ddc_node_setup.node_address }) : null } resource "ciphertrust_cluster" "cluster" { - count = length(var.ciphertrust_instances)> 1 ? 1 : 0 + count = length(var.nodes)> 1 ? 1 : 0 dynamic "node" { - for_each = { for index, instance in var.ciphertrust_instances : index => instance } + for_each = { for index, instance in var.nodes : index => instance } content { host = node.value.host public_address = node.value.public_address - original = node.value.host == var.ciphertrust_instances[0].host && node.value.public_address == var.ciphertrust_instances[0].public_address + original = node.value.host == var.nodes[0].host && node.value.public_address == var.nodes[0].public_address } } } 
@@ -24,8 +22,8 @@ resource "null_resource" "ddc_active_node_setup" { interpreter = ["bash", "-c"] command = local.ddc_active_node_commands environment = { - CM_USER = nonsensitive(var.cm_details.user) - CM_PASSWORD = nonsensitive(var.cm_details.password) + CM_USER = nonsensitive(var.credentials.user) + CM_PASSWORD = nonsensitive(var.credentials.password) } } triggers = { diff --git a/modules/null/ciphertrust_cluster/outputs.tf b/modules/null/ciphertrust-manager-cluster-setup/outputs.tf similarity index 100% rename from modules/null/ciphertrust_cluster/outputs.tf rename to modules/null/ciphertrust-manager-cluster-setup/outputs.tf diff --git a/modules/null/ciphertrust_cluster/variables.tf b/modules/null/ciphertrust-manager-cluster-setup/variables.tf similarity index 79% rename from modules/null/ciphertrust_cluster/variables.tf rename to modules/null/ciphertrust-manager-cluster-setup/variables.tf index e70f5cd82..1b539c9cd 100644 --- a/modules/null/ciphertrust_cluster/variables.tf +++ b/modules/null/ciphertrust-manager-cluster-setup/variables.tf @@ -1,11 +1,11 @@ -variable "ciphertrust_instances" { +variable "nodes" { type = list(object({ host = string public_address = string })) description = "List of CipherTrust Manager instances to form a cluster. Each instance should have a host and a public_address." validation { - condition = length(var.ciphertrust_instances) > 1 + condition = length(var.nodes) > 1 error_message = "At least two CipherTrust Manager instances are required to form a cluster." } } @@ -22,13 +22,13 @@ variable "ddc_node_setup" { } } -variable "cm_details" { +variable "credentials" { sensitive = true type = object({ user = string password = string }) - description = "Details for the CipherTrust Manager, including user and password." + description = "Credentials for the CipherTrust Manager api, including user and password." default = { user = null password = null 
diff --git a/modules/null/ciphertrust_cluster/versions.tf b/modules/null/ciphertrust-manager-cluster-setup/versions.tf similarity index 100% rename from modules/null/ciphertrust_cluster/versions.tf rename to modules/null/ciphertrust-manager-cluster-setup/versions.tf From dd4852f67daf4daf5b99c0323fbe5e258f5cb9e3 Mon Sep 17 00:00:00 2001 
From: "sivan.hajbi" Date: Mon, 7 Jul 2025 22:37:50 +0300 Subject: [PATCH 03/16] add cte ddc agents --- examples/aws/poc/dsf_deployment/cm.tf | 11 +- .../aws/poc/dsf_deployment/cte_ddc_agents.tf | 115 ++++++++++++++ examples/aws/poc/dsf_deployment/networking.tf | 7 +- examples/aws/poc/dsf_deployment/outputs.tf | 38 +++++ examples/aws/poc/dsf_deployment/sonar.tf | 18 ++- examples/aws/poc/dsf_deployment/variables.tf | 65 +++++++- examples/aws/poc/dsf_deployment/versions.tf | 1 + modules/aws/agentless-gw/main.tf | 7 + modules/aws/agentless-gw/variables.tf | 10 ++ modules/aws/ciphertrust_manager/main.tf | 4 + modules/aws/cte-ddc-agent/ami.tf | 51 ++++++ .../cte-ddc-agent/cte_agent_reg_params.tftpl | 4 + modules/aws/cte-ddc-agent/dummy.txt | 0 modules/aws/cte-ddc-agent/linux.tf | 27 ++++ modules/aws/cte-ddc-agent/main.tf | 120 ++++++++++++++ modules/aws/cte-ddc-agent/outputs.tf | 31 ++++ modules/aws/cte-ddc-agent/sg.tf | 75 +++++++++ modules/aws/cte-ddc-agent/variables.tf | 147 ++++++++++++++++++ modules/aws/cte-ddc-agent/versions.tf | 10 ++ modules/aws/cte-ddc-agent/windows.tf | 73 +++++++++ 20 files changed, 800 insertions(+), 14 deletions(-) create mode 100644 examples/aws/poc/dsf_deployment/cte_ddc_agents.tf create mode 100644 modules/aws/cte-ddc-agent/ami.tf create mode 100644 modules/aws/cte-ddc-agent/cte_agent_reg_params.tftpl create mode 100644 modules/aws/cte-ddc-agent/dummy.txt create mode 100644 modules/aws/cte-ddc-agent/linux.tf create mode 100644 modules/aws/cte-ddc-agent/main.tf create mode 100644 modules/aws/cte-ddc-agent/outputs.tf create mode 100644 modules/aws/cte-ddc-agent/sg.tf create mode 100644 modules/aws/cte-ddc-agent/variables.tf create mode 100644 modules/aws/cte-ddc-agent/versions.tf create mode 100644 modules/aws/cte-ddc-agent/windows.tf diff --git a/examples/aws/poc/dsf_deployment/cm.tf b/examples/aws/poc/dsf_deployment/cm.tf index 5db47324e..4f0151afd 100644 --- a/examples/aws/poc/dsf_deployment/cm.tf 
+++ b/examples/aws/poc/dsf_deployment/cm.tf @@ -1,13 +1,14 @@ locals { ciphertrust_manager_count = var.enable_ciphertrust ? var.ciphertrust_manager_count : 0 + ciphertrust_cidr_list = [data.aws_subnet.ciphertrust_manager.cidr_block] ciphertrust_manager_web_console_username = "admin" } module "ciphertrust_manager" { # TODO sivan - change module name to ciphertrust manager source = "../../../../modules/aws/ciphertrust_manager" -# source = "imperva/dsf-ciphertrust-manager/aws" -# version = "1.7.17" # latest release tag + # source = "imperva/dsf-ciphertrust-manager/aws" + # version = "1.7.17" # latest release tag count = local.ciphertrust_manager_count ami_id = var.ciphertrust_manager_ami_id friendly_name = join("-", [local.deployment_name_salted, "ciphertrust", "manager", count.index]) @@ -18,7 +19,7 @@ module "ciphertrust_manager" { allowed_web_console_and_api_cidrs = var.web_console_cidr allowed_ssh_cidrs = concat(local.workstation_cidr, var.allowed_ssh_cidrs) allowed_cluster_nodes_cidrs = [data.aws_subnet.ciphertrust_manager.cidr_block] - allowed_ddc_agents_cidrs = [] + allowed_ddc_agents_cidrs = [data.aws_subnet.cte_ddc_agent.cidr_block] allowed_all_cidrs = local.workstation_cidr tags = local.tags depends_on = [ @@ -27,7 +28,7 @@ module "ciphertrust_manager" { } provider "ciphertrust" { - address = var.enable_ciphertrust ? "https://${module.ciphertrust_manager[0].public_ip}" : null + address = local.ciphertrust_manager_count > 0 ? "https://${module.ciphertrust_manager[0].public_ip}" : null username = local.ciphertrust_manager_web_console_username password = local.ciphertrust_manager_password // destroy cluster can take almost a minute so give us a bit of a buffer @@ -35,7 +36,7 @@ provider "ciphertrust" { } resource "ciphertrust_trial_license" "trial_license" { - count = var.enable_ciphertrust ? 1 : 0 + count = local.ciphertrust_manager_count > 0 ? 1 : 0 flag = "activate" } 
diff --git a/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf b/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf new file mode 100644 index 000000000..eadb74917 --- /dev/null +++ b/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf 
@@ -0,0 +1,115 @@ +locals { + cte_ddc_linux_count = local.ciphertrust_manager_count > 0 ? var.cte_ddc_agents_linux_count : 0 + cte_linux_count = local.ciphertrust_manager_count > 0 ? var.cte_agents_linux_count : 0 + ddc_linux_count = local.ciphertrust_manager_count > 0 ? var.ddc_agents_linux_count : 0 + cte_ddc_windows_count = local.ciphertrust_manager_count > 0 ? var.cte_ddc_agents_windows_count : 0 + cte_windows_count = local.ciphertrust_manager_count > 0 ? var.cte_agents_windows_count : 0 + ddc_windows_count = local.ciphertrust_manager_count > 0 ? var.ddc_agents_windows_count : 0 + total_agents_count = local.cte_ddc_linux_count + local.cte_ddc_windows_count + + installation_map = { + "Red Hat" = { + cte_installation_path = var.cte_agent_linux_installation_file + ddc_installation_path = var.ddc_agent_linux_installation_file + }, + "Windows" = { + cte_installation_path = var.cte_agent_windows_installation_file + ddc_installation_path = var.ddc_agent_windows_installation_file + } + } + + # Prepare Linux Agent Instances + linux_cte_ddc_instances = [for i in range(local.cte_ddc_linux_count) : { + id = "cte-ddc-agent-linux-${i}" + os_type = "Red Hat" + install_cte = true + install_ddc = true + }] + linux_cte_only_instances = [for i in range(var.cte_agents_linux_count) : { + id = "cte-agent-linux-${i}" + os_type = "Red Hat" + install_cte = true + install_ddc = false + }] + linux_ddc_only_instances = [for i in range(var.ddc_agents_linux_count) : { + id = "ddc-agent-linux-${i}" + os_type = "Red Hat" + install_cte = false + install_ddc = true + }] + # Prepare Windows Agent Instances + windows_cte_ddc_instances = [for i in range(local.cte_ddc_windows_count) : { + id = "cte-ddc-agent-windows-${i}" + os_type = "Windows" + install_cte = true + install_ddc = true + }] + windows_cte_only_instances = [for i in range(var.cte_agents_windows_count) : { + id = "cte-agent-windows-${i}" + os_type = "Windows" + install_cte = true + install_ddc = false + }] + windows_ddc_only_instances 
= [for i in range(var.ddc_agents_windows_count) : { + id = "ddc-agent-windows-${i}" + os_type = "Windows" + install_cte = false + install_ddc = true + }] + + + # Concatenate all ahent lists and convert to a map for for_each + all_agent_instances_map = { + for instance in concat( + local.linux_cte_ddc_instances, + local.linux_cte_only_instances, + local.linux_ddc_only_instances, + local.windows_cte_ddc_instances, + local.windows_cte_only_instances, + local.windows_ddc_only_instances + ) : instance.id => instance + } +} + +resource "ciphertrust_cte_registration_token" "reg_token" { + count = length(local.all_agent_instances_map) > 0 ? 1 : 0 + lifetime = "24h" + max_clients = 100 + name_prefix = "cte-agent" +} + +module "cte_ddc_agents" { + source = "../../../../modules/aws/cte-ddc-agent" +# source = "imperva/dsf-cte-ddc-agent/aws" +# version = "1.7.17" # latest release tag +# count = local.cte_ddc_linux_count + for_each = local.all_agent_instances_map + friendly_name = join("-", [local.deployment_name_salted, each.value.id]) + subnet_id = local.cte_ddc_agent_subnet_id + ssh_key_pair = { + ssh_private_key_file_path = module.key_pair.private_key_file_path + ssh_public_key_name = module.key_pair.key_pair.key_pair_name + } + os_type = each.value.os_type + attach_persistent_public_ip = true + use_public_ip = true + allowed_ssh_cidrs = concat(local.workstation_cidr, var.allowed_ssh_cidrs) + allowed_rdp_cidrs = each.value.os_type == "Windows" ? concat(local.workstation_cidr, var.allowed_ssh_cidrs) : null + cipher_trust_manager_address = module.ciphertrust_manager[0].private_ip + agent_installation = { + registration_token = ciphertrust_cte_registration_token.reg_token[0].token + install_cte = each.value.install_cte + install_ddc = each.value.install_ddc + cte_agent_installation_file = each.value.install_cte ? local.installation_map[each.value.os_type].cte_installation_path : null + ddc_agent_installation_file = each.value.install_ddc ? 
local.installation_map[each.value.os_type].ddc_installation_path : null + } + tags = local.tags + depends_on = [ + module.vpc, + module.ciphertrust_manager, + ciphertrust_trial_license.trial_license, + module.ciphertrust_manager_cluster_setup + ] +} + + diff --git a/examples/aws/poc/dsf_deployment/networking.tf b/examples/aws/poc/dsf_deployment/networking.tf index 71cd4b273..d40e5e277 100644 --- a/examples/aws/poc/dsf_deployment/networking.tf +++ b/examples/aws/poc/dsf_deployment/networking.tf @@ -9,6 +9,7 @@ locals { dra_analytics_subnet_id = var.subnet_ids != null ? var.subnet_ids.dra_analytics_subnet_id : module.vpc[0].private_subnets[0] agent_gw_subnet_id = var.subnet_ids != null ? var.subnet_ids.agent_gw_subnet_id : module.vpc[0].private_subnets[0] ciphertrust_manager_subnet_id = var.subnet_ids != null ? var.subnet_ids.ciphertrust_subnet_id : module.vpc[0].public_subnets[0] + cte_ddc_agent_subnet_id = var.subnet_ids != null ? var.subnet_ids.cte_ddc_agent_subnet_id : module.vpc[0].public_subnets[0] } module "vpc" { @@ -66,4 +67,8 @@ data "aws_subnet" "dra_analytics" { data "aws_subnet" "ciphertrust_manager" { id = local.ciphertrust_manager_subnet_id -} \ No newline at end of file +} + +data "aws_subnet" "cte_ddc_agent" { + id = local.cte_ddc_agent_subnet_id +} diff --git a/examples/aws/poc/dsf_deployment/outputs.tf b/examples/aws/poc/dsf_deployment/outputs.tf index 54986a9d2..d7ccb1660 100644 --- a/examples/aws/poc/dsf_deployment/outputs.tf +++ b/examples/aws/poc/dsf_deployment/outputs.tf 
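Review bot: The four `*_only_instances` lists iterate `var.cte_agents_linux_count`, `var.ddc_agents_linux_count` and their Windows counterparts directly rather than the gated locals `local.cte_linux_count`, `local.ddc_linux_count`, `local.cte_windows_count` and `local.ddc_windows_count` declared just above them, so with `enable_ciphertrust = false` and a non-zero count the `cte_ddc_agents` module still receives instances and its `module.ciphertrust_manager[0]` and `ciphertrust_cte_registration_token.reg_token[0]` references have nothing to resolve to; change each to `range(local.cte_linux_count)` and so on, which also gives those currently unused locals a purpose. `total_agents_count` sums only the combined-agent hosts and, as far as I can see, has no consumer either. Every agent is created with `attach_persistent_public_ip = true` and `use_public_ip = true` unconditionally, so each agent host carries an Elastic IP reachable from `allowed_ssh_cidrs` and, for Windows, `allowed_rdp_cidrs`; a variable or at least a comment should make that choice explicit. The comment above `all_agent_instances_map` reads "ahent" for "agent".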
@@ -138,6 +138,44 @@ output "ciphertrust" { } : null } +output "cte_ddc_agents" { + value = var.enable_ciphertrust ? { + cte_agents = [ + for val in concat(local.linux_cte_only_instances, local.windows_cte_only_instances) : + { + private_ip = module.cte_ddc_agents[val.id].private_ip + private_dns = module.cte_ddc_agents[val.id].private_dns + public_ip = module.cte_ddc_agents[val.id].public_ip + public_dns = module.cte_ddc_agents[val.id].public_dns + display_name = try(module.cte_ddc_agents[val.id].display_name, null) + ssh_command = try("ssh -i ${local.private_key_file_path} ${module.cte_ddc_agents[val.id].ssh_user}@${module.cte_ddc_agents[val.id].public_ip}", null) + } + ] + ddc_agents = [ + for val in concat(local.linux_ddc_only_instances, local.windows_ddc_only_instances) : + { + private_ip = module.cte_ddc_agents[val.id].private_ip + private_dns = module.cte_ddc_agents[val.id].private_dns + public_ip = module.cte_ddc_agents[val.id].public_ip + public_dns = module.cte_ddc_agents[val.id].public_dns + display_name = try(module.cte_ddc_agents[val.id].display_name, null) + ssh_command = try("ssh -i ${local.private_key_file_path} ${module.cte_ddc_agents[val.id].ssh_user}@${module.cte_ddc_agents[val.id].public_ip}", null) + } + ] + cte_ddc_windows_agents = [ + for val in concat(local.linux_cte_ddc_instances, local.windows_cte_ddc_instances) : + { + private_ip = module.cte_ddc_agents[val.id].private_ip + private_dns = module.cte_ddc_agents[val.id].private_dns + public_ip = module.cte_ddc_agents[val.id].public_ip + public_dns = module.cte_ddc_agents[val.id].public_dns + display_name = try(module.cte_ddc_agents[val.id].display_name, null) + ssh_command = try("ssh -i ${local.private_key_file_path} ${module.cte_ddc_agents[val.id].ssh_user}@${module.cte_ddc_agents[val.id].public_ip}", null) + } + ] + } : null +} + output "audit_sources" { value = { agent_sources = [ 
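Review bot: The third key, `cte_ddc_windows_agents`, is built from `concat(local.linux_cte_ddc_instances, local.windows_cte_ddc_instances)` and therefore also reports the Linux combined-agent hosts; rename it to `cte_ddc_agents` so the output name matches its contents. The three object bodies are identical apart from the id list they iterate; a local that maps an agent id to that object, applied to each of the three id lists, would remove the triplication and keep the fields from drifting apart.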
diff --git a/examples/aws/poc/dsf_deployment/sonar.tf b/examples/aws/poc/dsf_deployment/sonar.tf index 02d06759f..060c0eaf7 100644 --- a/examples/aws/poc/dsf_deployment/sonar.tf +++ b/examples/aws/poc/dsf_deployment/sonar.tf @@ -6,6 +6,7 @@ locals { hub_dr_public_ip = var.enable_sonar && var.hub_hadr ? (length(module.hub_dr[0].public_ip) > 0 ? format("%s/32", module.hub_dr[0].public_ip) : null) : null hub_cidr_list = compact([data.aws_subnet.hub.cidr_block, data.aws_subnet.hub_dr.cidr_block, local.hub_public_ip, local.hub_dr_public_ip]) agentless_gw_cidr_list = [data.aws_subnet.agentless_gw.cidr_block, data.aws_subnet.agentless_gw_dr.cidr_block] + cte_agents_cidr_list = var.enable_ciphertrust ? [data.aws_subnet.cte_ddc_agent.cidr_block] : [] } module "hub_main" { @@ -67,8 +68,9 @@ module "hub_main" { } module "hub_dr" { - source = "imperva/dsf-hub/aws" - version = "1.7.29" # latest release tag + source = "../../../../modules/aws/hub" +# source = "imperva/dsf-hub/aws" +# version = "1.7.29" # latest release tag count = var.enable_sonar && var.hub_hadr ? 1 : 0 friendly_name = join("-", [local.deployment_name_salted, "hub", "DR"]) @@ -118,8 +120,9 @@ module "hub_hadr" { } module "agentless_gw_main" { - source = "imperva/dsf-agentless-gw/aws" - version = "1.7.29" # latest release tag + source = "../../../../modules/aws/agentless-gw" +# source = "imperva/dsf-agentless-gw/aws" +# version = "1.7.29" # latest release tag count = local.agentless_gw_count friendly_name = join("-", [local.deployment_name_salted, "agentless", "gw", count.index, "main"]) @@ -135,6 +138,7 @@ module "agentless_gw_main" { } allowed_agentless_gw_cidrs = [data.aws_subnet.agentless_gw_dr.cidr_block] allowed_hub_cidrs = [data.aws_subnet.hub.cidr_block, data.aws_subnet.hub_dr.cidr_block] + allowed_cte_agents_cidrs = local.cte_agents_cidr_list allowed_all_cidrs = local.workstation_cidr allowed_ssh_cidrs = var.allowed_ssh_cidrs ingress_communication_via_proxy = { 
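Review bot: `hub_dr`, `agentless_gw_main` and `agentless_gw_dr` (hunks @@ -67, @@ -118 and @@ -149) now consume `../../../../modules/aws/...` in place of the pinned registry releases `imperva/dsf-hub/aws` 1.7.29 and `imperva/dsf-agentless-gw/aws` 1.7.29, which are left commented out, so the example tracks unreleased module code with no version pin. If this is a development convenience until the CTE port change is published, a `# TODO: restore registry source and version once released` beside each commented pair keeps it from shipping by accident. `cte_agents_cidr_list` is gated on `var.enable_ciphertrust` while cm.tf in this same patch switches its gates to `local.ciphertrust_manager_count > 0`; using one predicate in both files avoids the two drifting apart.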
@@ -149,8 +153,9 @@ module "agentless_gw_main" { } module "agentless_gw_dr" { - source = "imperva/dsf-agentless-gw/aws" - version = "1.7.29" # latest release tag + source = "../../../../modules/aws/agentless-gw" +# source = "imperva/dsf-agentless-gw/aws" +# version = "1.7.29" # latest release tag count = var.agentless_gw_hadr ? local.agentless_gw_count : 0 friendly_name = join("-", [local.deployment_name_salted, "agentless", "gw", count.index, "DR"]) @@ -169,6 +174,7 @@ module "agentless_gw_dr" { } allowed_agentless_gw_cidrs = [data.aws_subnet.agentless_gw.cidr_block] allowed_hub_cidrs = [data.aws_subnet.hub.cidr_block, data.aws_subnet.hub_dr.cidr_block] + allowed_cte_agents_cidrs = local.cte_agents_cidr_list allowed_all_cidrs = local.workstation_cidr allowed_ssh_cidrs = var.allowed_ssh_cidrs ingress_communication_via_proxy = { diff --git a/examples/aws/poc/dsf_deployment/variables.tf b/examples/aws/poc/dsf_deployment/variables.tf index 2b72c9d38..1006e17ea 100644 --- a/examples/aws/poc/dsf_deployment/variables.tf +++ b/examples/aws/poc/dsf_deployment/variables.tf 
@@ -115,12 +115,13 @@ variable "subnet_ids" { dra_admin_subnet_id = string dra_analytics_subnet_id = string ciphertrust_manager_subnet_id = string - db_subnet_ids = list(string) + cte_ddc_agent_subnet_id = string + db_subnet_ids = list(string) }) default = null description = "The IDs of existing subnets to deploy resources in. Keep empty if you wish to provision new VPC and subnets. db_subnet_ids can be an empty list only if no databases should be provisioned" validation { - condition = var.subnet_ids == null || try(var.subnet_ids.hub_subnet_id != null && var.subnet_ids.hub_dr_subnet_id != null && var.subnet_ids.agentless_gw_subnet_id != null && var.subnet_ids.agentless_gw_dr_subnet_id != null && var.subnet_ids.mx_subnet_id != null && var.subnet_ids.agent_gw_subnet_id != null && var.subnet_ids.dra_admin_subnet_id != null && var.subnet_ids.dra_analytics_subnet_id != null && var.subnet_ids.ciphertrust_manager_subnet_id != null && var.subnet_ids.db_subnet_ids != null, false) + condition = var.subnet_ids == null || try(var.subnet_ids.hub_subnet_id != null && var.subnet_ids.hub_dr_subnet_id != null && var.subnet_ids.agentless_gw_subnet_id != null && var.subnet_ids.agentless_gw_dr_subnet_id != null && var.subnet_ids.mx_subnet_id != null && var.subnet_ids.agent_gw_subnet_id != null && var.subnet_ids.dra_admin_subnet_id != null && var.subnet_ids.dra_analytics_subnet_id != null && var.subnet_ids.ciphertrust_manager_subnet_id != null && var.subnet_ids.cte_ddc_agent_subnet_id != null && var.subnet_ids.db_subnet_ids != null, false) error_message = "Value must either be null or specified for all" } validation { 
@@ -403,4 +404,64 @@ variable "ciphertrust_manager_ami_id" { type = string description = "Ciphertrust Manager AMI id. If set to null, the latest AMI will be taken from AWS marketplace" default = null +} + +variable "cte_agent_linux_installation_file" { + type = string + description = "Path to the CTE agent linux installation file" + default = null +} + +variable "ddc_agent_linux_installation_file" { + type = string + description = "Path to the DDC agent linux installation file" + default = null +} + +variable "cte_agent_windows_installation_file" { + type = string + description = "Path to the CTE agent windows installation file" + default = null +} + +variable "ddc_agent_windows_installation_file" { + type = string + description = "Path to the DDC agent windows installation file" + default = null +} + +variable "cte_ddc_agents_linux_count" { + type = number + default = 1 + description = "Number of CTE-DDC agent linux servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'." +} + +variable "cte_agents_linux_count" { + type = number + default = 0 + description = "Number of CTE agent linux servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'." +} + +variable "ddc_agents_linux_count" { + type = number + default = 0 + description = "Number of DDC agent linux servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'." +} + +variable "cte_ddc_agents_windows_count" { + type = number + default = 1 + description = "Number of CTE-DDC agent windows servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'." +} + +variable "cte_agents_windows_count" { + type = number + default = 0 + description = "Number of CTE agent windows servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'." 
+} + +variable "ddc_agents_windows_count" { + type = number + default = 0 + description = "Number of DDC agent windows servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'." } \ No newline at end of file diff --git a/examples/aws/poc/dsf_deployment/versions.tf b/examples/aws/poc/dsf_deployment/versions.tf index 07611014b..f9892b80e 100644 --- a/examples/aws/poc/dsf_deployment/versions.tf +++ b/examples/aws/poc/dsf_deployment/versions.tf @@ -8,6 +8,7 @@ terraform { } ciphertrust = { source = "ThalesGroup/ciphertrust" +# version = "1.0.0-pre3" version = "~> 0.11.1" } local = { diff --git a/modules/aws/agentless-gw/main.tf b/modules/aws/agentless-gw/main.tf index 191ba93a2..f14aca0d1 100644 --- a/modules/aws/agentless-gw/main.tf +++ b/modules/aws/agentless-gw/main.tf @@ -20,6 +20,13 @@ locals { udp = [] tcp = [3030, 27117, 22] cidrs = concat(var.allowed_agentless_gw_cidrs, var.allowed_all_cidrs) + }, + { + name = ["cte", "agents"] + internet_access = false + udp = [] + tcp = [11570, 10570] # syslog TLS port 11570, TCP is 10570 + cidrs = concat(var.allowed_cte_agents_cidrs, var.allowed_all_cidrs) } ] } diff --git a/modules/aws/agentless-gw/variables.tf b/modules/aws/agentless-gw/variables.tf index 4d94f42d7..570dd85b8 100644 --- a/modules/aws/agentless-gw/variables.tf +++ b/modules/aws/agentless-gw/variables.tf @@ -53,6 +53,16 @@ variable "allowed_hub_cidrs" { default = [] } +variable "allowed_cte_agents_cidrs" { + type = list(string) + description = "List of ingress CIDR patterns allowing CTE agents to access the Agentless Gateway instance" + validation { + condition = alltrue([for item in var.allowed_cte_agents_cidrs : can(cidrnetmask(item))]) + error_message = "Each item of this list must be in a valid CIDR block format. For example: [\"10.106.108.0/25\"]" + } + default = [] +} + variable "allowed_ssh_cidrs" { type = list(string) description = "List of ingress CIDR patterns allowing ssh access" 
diff --git a/modules/aws/ciphertrust_manager/main.tf b/modules/aws/ciphertrust_manager/main.tf index aba432a84..ccfb9c6e6 100644 --- a/modules/aws/ciphertrust_manager/main.tf +++ b/modules/aws/ciphertrust_manager/main.tf @@ -42,6 +42,10 @@ resource "aws_instance" "cipthertrust_manager_instance" { } tags = merge(var.tags, { Name : var.friendly_name }) volume_tags = merge(var.tags, { Name : var.friendly_name }) + + lifecycle { + ignore_changes = [ami] + } } resource "aws_network_interface" "eni" { diff --git a/modules/aws/cte-ddc-agent/ami.tf b/modules/aws/cte-ddc-agent/ami.tf new file mode 100644 index 000000000..ef39acc8c --- /dev/null +++ b/modules/aws/cte-ddc-agent/ami.tf @@ -0,0 +1,51 @@ +locals { + agent_ami_owner_linux = "309956199498" // aws + agent_ami_name_linux = "RHEL-8.9.*" + agent_ami_ssh_user_linux = "ec2-user" + + agent_ami_owner_windows = "amazon" + agent_ami_name_windows = "Windows_Server-2022-English-Full-Base-*" + agent_ami_ssh_user_windows = "Administrator" + + agent_ami_ssh_user = var.os_type == "Windows" ? local.agent_ami_ssh_user_windows : local.agent_ami_ssh_user_linux +} + +data "aws_ami" "agent_ami_linux" { + count = var.os_type == "Windows" ? 0 : 1 + most_recent = true + name_regex = local.agent_ami_name_linux + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + filter { + name = "architecture" + values = ["x86_64"] + } + + owners = [local.agent_ami_owner_linux] +} + +data "aws_ami" "agent_ami_windows" { + count = var.os_type == "Windows" ? 1 : 0 + most_recent = true + + filter { + name = "name" + values = [local.agent_ami_name_windows] + } + + filter { + name = "virtualization-type" + values = ["hvm"] + } + + filter { + name = "architecture" + values = ["x86_64"] + } + + owners = [local.agent_ami_owner_windows] +} diff --git a/modules/aws/cte-ddc-agent/cte_agent_reg_params.tftpl b/modules/aws/cte-ddc-agent/cte_agent_reg_params.tftpl new file mode 100644 index 000000000..ac0e17534 --- /dev/null 
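Review bot: `ignore_changes = [ami]` is added without a comment, and its effect cuts both ways: it stops a newer image from the AMI lookup (presumably the marketplace lookup the example's `ciphertrust_manager_ami_id` description refers to) from forcing replacement of an already-registered manager, but it also means Terraform will never move the instance onto a newer image, so image updates become a manual operation. A one-line comment such as `# never replace a registered manager because a newer AMI was published; image updates are manual` records that intent. The `aws_instance` block starts outside this hunk.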
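Review bot: The `// aws` comment on `agent_ami_owner_linux = "309956199498"` looks wrong: to my knowledge that account is Red Hat's RHEL AMI publisher rather than Amazon's, so `// Red Hat (official RHEL AMI publisher account)` would be accurate; please confirm against the AMI's owner field. `name_regex = "RHEL-8.9.*"` with `most_recent = true` pins the minor release, which helps reproducibility but also means the image stops receiving new builds once 8.9 is superseded; a comment stating the pin is intentional would help the next maintainer. The Linux data source matches by `name_regex` while the Windows one uses a `name` filter; using the same mechanism for both is a small consistency win.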
+++ b/modules/aws/cte-ddc-agent/cte_agent_reg_params.tftpl
@@ -0,0 +1,4 @@
+SERVER_HOSTNAME=${server_hostname}
+REG_TOKEN=${registration_token}
+ENABLE_LDT=${enable_ldt}
+ENABLE_FAM=${enable_fam}
\ No newline at end of file
diff --git a/modules/aws/cte-ddc-agent/dummy.txt b/modules/aws/cte-ddc-agent/dummy.txt
new file mode 100644
index 000000000..e69de29bb
diff --git a/modules/aws/cte-ddc-agent/linux.tf b/modules/aws/cte-ddc-agent/linux.tf
new file mode 100644
index 000000000..69d6e1cee
--- /dev/null
+++ b/modules/aws/cte-ddc-agent/linux.tf
@@ -0,0 +1,27 @@ +locals { + ddc_agent_inline_commands_linux = var.agent_installation.ddc_agent_installation_file != null ? [ + "set -xe", + "sudo yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm", + "sudo yum install libxml2 libgsasl openssl libcurl libuuid protobuf krb5-libs libaio libnsl -y", + "sudo rpm -ivh ${basename(var.agent_installation.ddc_agent_installation_file)}", + "sudo er2-config -i ${var.cipher_trust_manager_address}", + "sudo er2-config -t", + "sudo /etc/init.d/er2-agent restart" + ] : [] + cte_agent_inline_commands_linux = var.agent_installation.cte_agent_installation_file != null ? [ + "sudo yum install lsof -y", + "sudo chmod +x ${basename(var.agent_installation.cte_agent_installation_file)}", + "sudo ./${basename(var.agent_installation.cte_agent_installation_file)} -i -y", + "sudo /opt/vormetric/DataSecurityExpert/agent/vmd/bin/register_host silent ${local.reg_params_template_name}" + ] : [] + reboot_inline_commands_linux = [ + "echo 'Attempting to schedule reboot using systemd-run...'", + # This command creates a temporary systemd service that will run /sbin/reboot after 10 seconds. + # The 10-second delay gives Terraform enough time to register the successful execution of + # systemd-run and disconnect gracefully before the actual reboot begins. + "sudo systemd-run --on-active=10 --unit=terraform-reboot-service /sbin/reboot", + "echo 'Reboot command scheduled. Terraform will now proceed.'", + "sleep 2" # A small additional pause to ensure full detachment. + ] +} + diff --git a/modules/aws/cte-ddc-agent/main.tf b/modules/aws/cte-ddc-agent/main.tf new file mode 100644 index 000000000..38ef821ea --- /dev/null +++ b/modules/aws/cte-ddc-agent/main.tf 
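Review bot: `cte_agent_inline_commands_linux` has no `set -e`, unlike the DDC list that begins with `set -xe`; remote-exec runs the inline commands as one script and only surfaces that script's final exit status, so a failed `./<installer> -i -y` is masked as long as the later `register_host` returns zero, and prefixing the list with `"set -e",` closes that. The uploaded `${local.reg_params_template_name}` file carries `REG_TOKEN` and is left in the SSH user's home after registration; appending `"rm -f ${local.reg_params_template_name}"` to the list (and removing the installer file likewise) limits how long the token sits on disk. `yum install -y https://dl.fedoraproject.org/pub/epel/epel-release-latest-8.noarch.rpm` installs an unpinned package fetched over the network, and as far as I recall dnf's `localpkg_gpgcheck` is off by default so that rpm is not signature-checked; pinning the release and enabling the check, or baking it into the image, would remove that dependency from provisioning.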
@@ -0,0 +1,120 @@ +locals { + enable_ldt = 0 + enable_fam = 1 + + reg_params_template_name = "cte_agent_reg_params.tftpl" + + bastion_host = try(var.ingress_communication_via_proxy.proxy_address, null) + bastion_private_key = try(file(var.ingress_communication_via_proxy.proxy_private_ssh_key_path), "") + bastion_user = try(var.ingress_communication_via_proxy.proxy_ssh_user, null) + script_path = var.terraform_script_path_folder == null ? null : (join("/", [var.terraform_script_path_folder, "terraform_%RAND%.sh"])) + + public_ip = var.attach_persistent_public_ip ? aws_eip.dsf_instance_eip[0].public_ip : aws_instance.cte_ddc_agent.public_ip + public_dns = var.attach_persistent_public_ip ? aws_eip.dsf_instance_eip[0].public_dns : aws_instance.cte_ddc_agent.public_dns + private_ip = length(aws_network_interface.eni.private_ips) > 0 ? tolist(aws_network_interface.eni.private_ips)[0] : null + instance_address = var.use_public_ip ? local.public_ip : local.private_ip + + security_group_ids = concat( + [for sg in aws_security_group.dsf_agent_sg : sg.id], + var.security_group_ids) + + # Determine the values based on the OS type + ami_id = var.os_type == "Windows" ? data.aws_ami.agent_ami_windows[0].id : data.aws_ami.agent_ami_linux[0].id + user_data = var.os_type == "Windows" ? local.user_data_windows : null + reboot_commands = var.os_type == "Windows" ? local.reboot_inline_commands_windows : local.reboot_inline_commands_linux + ddc_agent_inline_commands = var.os_type == "Windows" ? local.ddc_agent_inline_commands_windows : local.ddc_agent_inline_commands_linux + cte_agent_inline_commands = var.os_type == "Windows" ? local.cte_agent_inline_commands_windows : local.cte_agent_inline_commands_linux + target_platform = var.os_type == "Windows" ? "windows" : null + + dummy_file_path = "${path.module}/dummy.txt" +} + +resource "aws_eip" "dsf_instance_eip" { + count = var.attach_persistent_public_ip ? 
1 : 0 + domain = "vpc" + tags = merge(var.tags, { Name = var.friendly_name }) +} + +resource "aws_eip_association" "eip_assoc" { + count = var.attach_persistent_public_ip ? 1 : 0 + instance_id = aws_instance.cte_ddc_agent.id + allocation_id = aws_eip.dsf_instance_eip[0].id +} + +resource "aws_network_interface" "eni" { + subnet_id = var.subnet_id + security_groups = local.security_group_ids + tags = var.tags +} + +resource "aws_instance" "cte_ddc_agent" { + ami = local.ami_id + instance_type = var.instance_type + key_name = var.ssh_key_pair.ssh_public_key_name + user_data = local.user_data + network_interface { + network_interface_id = aws_network_interface.eni.id + device_index = 0 + } + metadata_options { + http_endpoint = "enabled" + http_tokens = "required" + } + tags = merge(var.tags, { Name : var.friendly_name }) + volume_tags = merge(var.tags, { Name : var.friendly_name }) + depends_on = [aws_eip.dsf_instance_eip] + + lifecycle { + ignore_changes = [ami] + } +} + +resource "null_resource" "cte_ddc_copy_file" { + provisioner "file" { + source = var.agent_installation.install_cte ? var.agent_installation.cte_agent_installation_file : local.dummy_file_path + destination = basename(var.agent_installation.install_cte ? var.agent_installation.cte_agent_installation_file : local.dummy_file_path) + } + + provisioner "file" { + content = var.agent_installation.install_cte ? templatefile("${path.module}/${local.reg_params_template_name}", { + server_hostname = var.cipher_trust_manager_address + registration_token = var.agent_installation.registration_token + enable_ldt = local.enable_ldt + enable_fam = local.enable_fam + }) : "" + destination = var.agent_installation.install_cte ? local.reg_params_template_name : basename(local.dummy_file_path) + } + + provisioner "remote-exec" { + inline = var.agent_installation.install_cte ? 
local.cte_agent_inline_commands : ["echo 'No CTE agent installation required'"] + } + + provisioner "file" { + source = var.agent_installation.install_ddc ? var.agent_installation.ddc_agent_installation_file : local.dummy_file_path + destination = basename(var.agent_installation.install_ddc ? var.agent_installation.ddc_agent_installation_file : local.dummy_file_path) + } + + provisioner "remote-exec" { + inline = var.agent_installation.install_ddc ? local.ddc_agent_inline_commands : ["echo 'No DDC agent installation required'"] + } + + # reboot the host to activate the FAM feature + provisioner "remote-exec" { + inline = local.reboot_commands + } + + connection { + type = "ssh" + user = local.agent_ami_ssh_user + private_key = file(var.ssh_key_pair.ssh_private_key_file_path) + host = local.instance_address + target_platform = local.target_platform + + bastion_host = local.bastion_host + bastion_private_key = local.bastion_private_key + bastion_user = local.bastion_user + + script_path = local.script_path + } + depends_on = [aws_instance.cte_ddc_agent, aws_eip_association.eip_assoc] +} diff --git a/modules/aws/cte-ddc-agent/outputs.tf b/modules/aws/cte-ddc-agent/outputs.tf new file mode 100644 index 000000000..09f78d0ad --- /dev/null +++ b/modules/aws/cte-ddc-agent/outputs.tf 
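Review bot: `null_resource "cte_ddc_copy_file"` declares no `triggers`, so after the first apply a changed installer path, registration token or CipherTrust address is silently ignored; at minimum `triggers = { instance_id = aws_instance.cte_ddc_agent.id }` re-runs provisioning when the host is replaced, and adding the installer checksums (via `try(filesha256(...), "")` since the paths may be null) would re-run it on a new build. The installers named in `var.agent_installation` are uploaded from the operator's machine and executed as root or Administrator with no integrity check; an optional expected-checksum input compared against `filesha256()` in a validation would let callers pin the build they reviewed. The dummy-file trick that keeps the `file` provisioners unconditional deserves a comment, e.g. `# provisioners cannot be conditional, so upload an empty placeholder when this agent is not installed`.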
@@ -0,0 +1,31 @@
+output "public_ip" {
+ description = "Public elastic IP address of the agent instance"
+ value = local.public_ip
+}
+
+output "private_ip" {
+ description = "Private IP address of the agent instance"
+ value = local.private_ip
+}
+
+output "public_dns" {
+ description = "Public DNS of the elastic IP address of the agent instance"
+ value = local.public_dns
+}
+
+output "private_dns" {
+ description = "Private DNS of the IP address of the agent instance"
+ value = aws_network_interface.eni.private_dns_name
+}
+
+output "instance_id" {
+ value = aws_instance.cte_ddc_agent.id
+}
+
+output "display_name" {
+ value = aws_instance.cte_ddc_agent.tags.Name
+}
+
+output "ssh_user" {
+ value = local.agent_ami_ssh_user
+}
diff --git a/modules/aws/cte-ddc-agent/sg.tf b/modules/aws/cte-ddc-agent/sg.tf
new file mode 100644
index 000000000..5a2bca8cf
--- /dev/null
+++ b/modules/aws/cte-ddc-agent/sg.tf
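Review bot: `instance_id`, `display_name` and `ssh_user` have no `description` while the four outputs above them do; add `description = "EC2 instance id of the agent instance"`, `description = "Name tag of the agent instance"` and `description = "SSH login user for the agent's AMI (ec2-user on Red Hat, Administrator on Windows)"`, the last matching what ami.tf assigns per `os_type`.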
@@ -0,0 +1,75 @@ +locals { + # Skip sg creation if external sg list is given + _security_groups_config = length(var.security_group_ids) == 0 ? local.security_groups_config : [] + + security_groups_config = var.os_type == "Windows" ? [ + { + name = ["ssh"] + internet_access = true + udp = [] + tcp = [22] + cidrs = concat(var.allowed_ssh_cidrs) + }, + { + name = ["rdp"] + internet_access = false + udp = [] + tcp = [3389] + cidrs = concat(var.allowed_rdp_cidrs) + } + ] : [ + { + name = ["ssh"] + internet_access = true + udp = [] + tcp = [22] + cidrs = concat(var.allowed_ssh_cidrs) + } + ] +} + +data "aws_subnet" "subnet" { + id = var.subnet_id +} + +############################################################################## +### Ingress security group +############################################################################## + +resource "aws_security_group" "dsf_agent_sg" { + for_each = { for idx, config in local._security_groups_config : idx => config } + name = join("-", [var.friendly_name, join("-", each.value.name)]) + vpc_id = data.aws_subnet.subnet.vpc_id + description = format("%s - %s ingress access", var.friendly_name, join(" ", each.value.name)) + + dynamic "ingress" { + for_each = { for idx, port in each.value.tcp : idx => port } + content { + from_port = ingress.value + to_port = ingress.value + protocol = "tcp" + cidr_blocks = each.value.cidrs + } + } + + dynamic "ingress" { + for_each = { for idx, port in each.value.udp : idx => port } + content { + from_port = ingress.value + to_port = ingress.value + protocol = "udp" + cidr_blocks = each.value.cidrs + } + } + + # Conditionally assign egress rules based on a "internet_access" memeber + egress { + from_port = 0 + to_port = 0 + protocol = "-1" + cidr_blocks = each.value.internet_access ? ["0.0.0.0/0"] : [] + ipv6_cidr_blocks = each.value.internet_access ? 
["::/0"] : [] + } + + tags = merge(var.tags, { Name = join("-", [var.friendly_name, join("-", each.value.name)]) }) +} \ No newline at end of file diff --git a/modules/aws/cte-ddc-agent/variables.tf b/modules/aws/cte-ddc-agent/variables.tf new file mode 100644 index 000000000..2d388df9d --- /dev/null +++ b/modules/aws/cte-ddc-agent/variables.tf 
@@ -0,0 +1,147 @@ +variable "tags" { + description = "A map of tags to add to all resources" + type = map(string) + default = {} +} + +variable "friendly_name" { + type = string + description = "Friendly name to identify all resources" + default = "imperva-dsf-cte-ddc-agent" + validation { + condition = length(var.friendly_name) >= 3 + error_message = "Must be at least 3 characters long" + } + validation { + condition = can(regex("^\\p{L}.*", var.friendly_name)) + error_message = "Must start with a letter" + } +} + +variable "subnet_id" { + type = string + description = "Subnet id for the DSF MX instance" + validation { + condition = length(var.subnet_id) >= 15 && substr(var.subnet_id, 0, 7) == "subnet-" + error_message = "Subnet id is invalid. Must be subnet-********" + } +} + +variable "security_group_ids" { + type = list(string) + description = "AWS security group Ids to attach to the instance. If provided, no security groups are created and all allowed_*_cidrs variables are ignored." + validation { + condition = alltrue([for item in var.security_group_ids : substr(item, 0, 3) == "sg-"]) + error_message = "One or more of the security group Ids list is invalid. 
Each item should be in the format of 'sg-xx..xxx'" + } + default = [] +} + +variable "attach_persistent_public_ip" { + type = bool + default = false + description = "Create and attach elastic public IP for the instance" +} + +variable "allowed_ssh_cidrs" { + type = list(string) + description = "List of allowed ingress CIDR patterns allowing ssh protocols to the ec2 instance" + default = [] +} + +variable "allowed_rdp_cidrs" { + type = list(string) + description = "List of allowed ingress CIDR patterns allowing rdp protocols to the ec2 instance" + default = [] +} + +variable "ssh_key_pair" { + type = object({ + ssh_public_key_name = string + ssh_private_key_file_path = string + }) + description = "SSH materials to access machine" + + nullable = false +} + +variable "cipher_trust_manager_address" { + type = string + description = "CipherTrust Manager address to register to" + nullable = false +} + +variable "os_type" { + type = string + description = "Os type to provision as EC2, available types are: ['Red Hat', 'Windows']" + nullable = false + validation { + condition = var.os_type == null || try(contains(["Red Hat", "Windows"], var.os_type), false) + error_message = "Valid values should contain at least one of the following: 'Red Hat', 'Windows']" + } +} + +variable "agent_installation" { + type = object({ + registration_token = string + install_cte = bool + install_ddc = bool + cte_agent_installation_file = string + ddc_agent_installation_file = string + }) + description = "Agent installation files to use for the agent installation and registration token for the CTE agent. The files should be accessible from the machine where Terraform is running." 
+ nullable = false + validation { + condition = var.agent_installation.install_cte || var.agent_installation.install_ddc + error_message = "At least one of install_cte or install_ddc must be true" + } + validation { + condition = var.agent_installation.install_cte == false || var.agent_installation.cte_agent_installation_file != null + error_message = "CTE agent installation file must be provided if install_cte is true" + } + validation { + condition = var.agent_installation.install_ddc == false || var.agent_installation.ddc_agent_installation_file != null + error_message = "DDC agent installation file must be provided if install_ddc is true" + } + validation { + condition = var.agent_installation.cte_agent_installation_file == null || try(fileexists(var.agent_installation.cte_agent_installation_file), false) + error_message = "CTE agent installation file does not exist at the specified path." + } + validation { + condition = var.agent_installation.ddc_agent_installation_file == null || try(fileexists(var.agent_installation.ddc_agent_installation_file), false) + error_message = "DDC agent installation file does not exist at the specified path" + } +} + +variable "instance_type" { + type = string + description = "Instance type to use for the agent instances" + default = "t2.large" + nullable = false +} + +variable "use_public_ip" { + type = bool + default = false + description = "Whether to use the agent instance's public or private IP for ssh access" +} + +variable "ingress_communication_via_proxy" { + type = object({ + proxy_address = string + proxy_private_ssh_key_path = string + proxy_ssh_user = string + }) + description = "Proxy address used for ssh for private CTE-DDC agent (Usually hub address), Proxy ssh key file path and Proxy ssh user. 
Keep empty if no proxy is in use"
+ default = null
+}
+
+variable "terraform_script_path_folder" {
+ type = string
+ description = "Terraform script path folder to create terraform temporary script files on the CTE-DDC agent instance. Use '.' to represent the instance home directory"
+ default = null
+ validation {
+ condition = var.terraform_script_path_folder != ""
+ error_message = "Terraform script path folder cannot be an empty string"
+ }
+}
\ No newline at end of file
diff --git a/modules/aws/cte-ddc-agent/versions.tf b/modules/aws/cte-ddc-agent/versions.tf
new file mode 100644
index 000000000..272db1955
--- /dev/null
+++ b/modules/aws/cte-ddc-agent/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+ required_version = ">= 1.3.1, < 1.8.0"
+
+ required_providers {
+ aws = {
+ source = "hashicorp/aws"
+ version = ">= 4.23.0"
+ }
+ }
+}
diff --git a/modules/aws/cte-ddc-agent/windows.tf b/modules/aws/cte-ddc-agent/windows.tf
new file mode 100644
index 000000000..bffae7ef0
--- /dev/null
+++ b/modules/aws/cte-ddc-agent/windows.tf
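Review bot: The `subnet_id` description, "Subnet id for the DSF MX instance", is copied from another module and should read `description = "Subnet id for the CTE-DDC agent instance"`. `allowed_ssh_cidrs` and `allowed_rdp_cidrs` carry no validation, whereas `allowed_cte_agents_cidrs` added to agentless-gw in this same patch checks each entry with `can(cidrnetmask(item))`; the same block belongs here, since these lists become security-group rules. `agent_installation.registration_token` is a credential yet the variable is not `sensitive = true`, so it can surface in plan output and logs; marking the whole object sensitive also hides the file paths, so moving the token into its own sensitive variable may be the cleaner fix, provided nothing derives a `count` or `for_each` from it. The `os_type` validation's `var.os_type == null ||` clause is dead under `nullable = false`, and its error message ends with a stray `]`.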
@@ -0,0 +1,73 @@ +locals { + user_data_windows = <<-EOF + + # Install OpenSSH Server + Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 + + # Start and configure OpenSSH Server + Start-Service sshd + Set-Service -Name sshd -StartupType 'Automatic' + + # Configure firewall to allow SSH + if (!(Get-NetFirewallRule -Name "OpenSSH-Server-In-TCP" -ErrorAction SilentlyContinue | Select-Object Name, Enabled)) { + Write-Output "Firewall Rule 'OpenSSH-Server-In-TCP' does not exist, creating it..." + New-NetFirewallRule -Name 'OpenSSH-Server-In-TCP' -DisplayName 'OpenSSH Server (sshd)' -Enabled True -Direction Inbound -Protocol TCP -Action Allow -LocalPort 22 + } else { + Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists." + } + + # Create .ssh directory for Administrator + $adminSshDir = "$env:SystemDrive\\Users\\Administrator\\.ssh" + New-Item -ItemType Directory -Force -Path $adminSshDir + + # Retrieve the SSH public key from instance metadata + $token = Invoke-RestMethod -Uri "http://169.254.169.254/latest/api/token" -Method PUT -Headers @{ "X-aws-ec2-metadata-token-ttl-seconds" = "21600" } + $instanceMetadataUri = "http://169.254.169.254/latest/meta-data/public-keys/0/openssh-key" + $authorizedKey = Invoke-RestMethod -Uri $instanceMetadataUri -Method Get -Headers @{ "X-aws-ec2-metadata-token" = $token } + + # Add the SSH key to administrators_authorized_keys + $authorizedKeysPath = "$env:ProgramData\\ssh\\administrators_authorized_keys" + Add-Content -Force -Path $authorizedKeysPath -Value $authorizedKey + icacls $authorizedKeysPath /inheritance:r /grant "Administrators:F" /grant "SYSTEM:F" + + # Restart SSH service to apply changes + Restart-Service sshd + + EOF + + cte_agent_install_command_windows_msi = ( + var.agent_installation.cte_agent_installation_file != null + ? 
+ "msiexec.exe /i \"${basename(var.agent_installation.cte_agent_installation_file)}\" /qn /norestart registerhostopts=\"${var.cipher_trust_manager_address} -fam -token=${var.agent_installation.registration_token}\"" + : "" + ) + cte_agent_install_command_windows_exe = ( + var.agent_installation.cte_agent_installation_file != null + ? + "${basename(var.agent_installation.cte_agent_installation_file)} /s /v\" /qn /norestart registerhostopts=\\\"${var.cipher_trust_manager_address} -fam -token=${var.agent_installation.registration_token}\\\"\"" + : "" + ) + cte_agent_install_command_windows = ( + var.agent_installation.cte_agent_installation_file != null + ? ( + can(regex(".*\\.exe$", var.agent_installation.cte_agent_installation_file)) + ? local.cte_agent_install_command_windows_exe + : local.cte_agent_install_command_windows_msi + ) + : "" + ) + + ddc_agent_inline_commands_windows = var.agent_installation.ddc_agent_installation_file != null ? [ + "msiexec.exe /i \"${basename(var.agent_installation.ddc_agent_installation_file)}\" /qn /norestart TARGETIP=${var.cipher_trust_manager_address}", + "\"C:\\Program Files (x86)\\Ground Labs\\Enterprise Recon 2\\er2_config_cmd.exe\" -t" # test connection from DDC to CM + ] : [] + cte_agent_inline_commands_windows = var.agent_installation.cte_agent_installation_file != null ? [ + local.cte_agent_install_command_windows, + "if %ERRORLEVEL% EQU 3010 (echo Reboot required, resetting errorlevel && exit /b 0) else (exit /b %ERRORLEVEL%)" + ] : [] + reboot_inline_commands_windows = [ + "echo 'About to reboot the host'", + "shutdown /r /t 0" + ] +} + From 20b5a34fe2e437f04c24d386c65b1de3fbc69702 Mon Sep 17 00:00:00 2001 
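Review bot: The `cte_agent_install_command_windows_msi`/`_exe` locals and `ddc_agent_inline_commands_windows` interpolate `var.agent_installation.registration_token` into a plain command string that is later executed over remote-exec; unless that attribute (or the whole `agent_installation` object) is declared `sensitive` in variables.tf, the token is shown in plan/apply output and in any logging of the inline command list, so either declare it sensitive or wrap the interpolation as `sensitive(var.agent_installation.registration_token)` so Terraform keeps redacting it through these locals. In the `user_data_windows` heredoc the `else` branch runs when the firewall rule already existed, so `Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' has been created and exists."` misdescribes that path; `Write-Output "Firewall rule 'OpenSSH-Server-In-TCP' already exists."` matches the check above it. The script also sets no `$ErrorActionPreference = 'Stop'`, so if the IMDS token or `public-keys/0/openssh-key` request fails, `$authorizedKey` is empty and `Add-Content` silently appends an empty line to `administrators_authorized_keys` instead of failing the bootstrap; adding `$ErrorActionPreference = 'Stop'` as the first line of the heredoc makes that failure visible.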
From: "sivan.hajbi" Date: Sun, 13 Jul 2025 21:59:48 +0300 Subject: [PATCH 04/16] fix ami_id, ciphertrust deplyment based on sonar version and some fixes --- examples/aws/poc/dsf_deployment/cm.tf | 11 ++- .../aws/poc/dsf_deployment/cte_ddc_agents.tf | 11 +-- examples/aws/poc/dsf_deployment/main.tf | 3 + examples/aws/poc/dsf_deployment/outputs.tf | 4 +- examples/aws/poc/dsf_deployment/sonar.tf | 4 +- examples/aws/poc/dsf_deployment/variables.tf | 4 +- modules/aws/ciphertrust_manager/README.md | 98 +++++++++++++++++++ modules/aws/ciphertrust_manager/ami.tf | 5 +- modules/aws/ciphertrust_manager/variables.tf | 17 ++-- modules/aws/ciphertrust_manager/versions.tf | 4 - modules/aws/hub/cm_association.tf | 6 +- modules/aws/hub/variables.tf | 2 +- .../ciphertrust-manager-cluster-setup/main.tf | 1 + 13 files changed, 134 insertions(+), 36 deletions(-) diff --git a/examples/aws/poc/dsf_deployment/cm.tf b/examples/aws/poc/dsf_deployment/cm.tf index 4f0151afd..772494296 100644 --- a/examples/aws/poc/dsf_deployment/cm.tf +++ b/examples/aws/poc/dsf_deployment/cm.tf @@ -1,5 +1,5 @@ locals { - ciphertrust_manager_count = var.enable_ciphertrust ? var.ciphertrust_manager_count : 0 + ciphertrust_manager_count = local.enable_ciphertrust ? var.ciphertrust_manager_count : 0 ciphertrust_cidr_list = [data.aws_subnet.ciphertrust_manager.cidr_block] ciphertrust_manager_web_console_username = "admin" } @@ -10,7 +10,12 @@ module "ciphertrust_manager" { # source = "imperva/dsf-ciphertrust-manager/aws" # version = "1.7.17" # latest release tag count = local.ciphertrust_manager_count - ami_id = var.ciphertrust_manager_ami_id + ami = var.ciphertrust_manager_ami_id == null ? null : { + id = var.ciphertrust_manager_ami_id + name_regex = null + product_code = null + owner_account_id = null + } friendly_name = join("-", [local.deployment_name_salted, "ciphertrust", "manager", count.index]) ebs = var.ciphertrust_manager_ebs_details subnet_id = local.ciphertrust_manager_subnet_id 
@@ -28,7 +33,7 @@ module "ciphertrust_manager" { } provider "ciphertrust" { - address = local.ciphertrust_manager_count > 0 ? "https://${module.ciphertrust_manager[0].public_ip}" : null + address = local.ciphertrust_manager_count > 0 ? "https://${module.ciphertrust_manager[0].public_ip}" : null username = local.ciphertrust_manager_web_console_username password = local.ciphertrust_manager_password // destroy cluster can take almost a minute so give us a bit of a buffer diff --git a/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf b/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf index eadb74917..73fe7ca70 100644 --- a/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf +++ b/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf @@ -5,7 +5,6 @@ locals { cte_ddc_windows_count = local.ciphertrust_manager_count > 0 ? var.cte_ddc_agents_windows_count : 0 cte_windows_count = local.ciphertrust_manager_count > 0 ? var.cte_agents_windows_count : 0 ddc_windows_count = local.ciphertrust_manager_count > 0 ? var.ddc_agents_windows_count : 0 - total_agents_count = local.cte_ddc_linux_count + local.cte_ddc_windows_count installation_map = { "Red Hat" = { @@ -25,13 +24,13 @@ locals { install_cte = true install_ddc = true }] - linux_cte_only_instances = [for i in range(var.cte_agents_linux_count) : { + linux_cte_only_instances = [for i in range(local.cte_linux_count) : { id = "cte-agent-linux-${i}" os_type = "Red Hat" install_cte = true install_ddc = false }] - linux_ddc_only_instances = [for i in range(var.ddc_agents_linux_count) : { + linux_ddc_only_instances = [for i in range(local.ddc_linux_count) : { id = "ddc-agent-linux-${i}" os_type = "Red Hat" install_cte = false 
@@ -44,13 +43,13 @@ locals { install_cte = true install_ddc = true }] - windows_cte_only_instances = [for i in range(var.cte_agents_windows_count) : { + windows_cte_only_instances = [for i in range(local.cte_windows_count) : { id = "cte-agent-windows-${i}" os_type = "Windows" install_cte = true install_ddc = false }] - windows_ddc_only_instances = [for i in range(var.ddc_agents_windows_count) : { + windows_ddc_only_instances = [for i in range(local.ddc_windows_count) : { id = "ddc-agent-windows-${i}" os_type = "Windows" install_cte = false @@ -58,7 +57,7 @@ locals { }] - # Concatenate all ahent lists and convert to a map for for_each + # Concatenate all agent lists and convert to a map for for_each all_agent_instances_map = { for instance in concat( local.linux_cte_ddc_instances, diff --git a/examples/aws/poc/dsf_deployment/main.tf b/examples/aws/poc/dsf_deployment/main.tf index b81fefb93..ef55ec397 100644 --- a/examples/aws/poc/dsf_deployment/main.tf +++ b/examples/aws/poc/dsf_deployment/main.tf @@ -15,6 +15,7 @@ module "globals" { sonar_version = var.sonar_version dra_version = var.dra_version + installation_s3_key = var.tarball_location != null ? var.tarball_location.s3_key : null } module "key_pair" { @@ -34,4 +35,6 @@ locals { workstation_cidr = var.workstation_cidr != null ? var.workstation_cidr : local.workstation_cidr_24 tags = merge(module.globals.tags, var.additional_tags, { "deployment_name" = local.deployment_name_salted }) private_key_file_path = module.key_pair.private_key_file_path + # Minimal sonar version that supports CipherTrust Manager is 4.18 + enable_ciphertrust = var.enable_ciphertrust && !contains(["4.17", "4.16", "4.15", "4.14", "4.13", "4.12", "4.11", "4.10", "4.9"], module.globals.tarball_location.version) } diff --git a/examples/aws/poc/dsf_deployment/outputs.tf b/examples/aws/poc/dsf_deployment/outputs.tf index d7ccb1660..bb555c857 100644 --- a/examples/aws/poc/dsf_deployment/outputs.tf +++ b/examples/aws/poc/dsf_deployment/outputs.tf 
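Review bot: The new `enable_ciphertrust` local in main.tf (hunk `@@ -34,4 +35,6 @@`) silently disables a feature the user explicitly enabled: `contains(["4.17", …, "4.9"], module.globals.tarball_location.version)` is an exact-match denylist, so a version string that carries a patch component (e.g. `4.17.1`, if `version` can take that form) or anything older than 4.9 is not matched and CipherTrust stays on, while a matched version turns it off with no message at all. If `version` is always `4.<minor>[.…]`, a numeric comparison such as `enable_ciphertrust = var.enable_ciphertrust && tonumber(split(".", module.globals.tarball_location.version)[1]) >= 18` expresses the "4.18 and up" rule the comment states without maintaining a list. Whichever form is kept, a `lifecycle { precondition }` on one of the CipherTrust resources (or an explicit `check`) with a message like `"CipherTrust Manager requires Sonar version 4.18 or above"` would surface the mismatch instead of quietly dropping the module; the `locals` block is only partially visible in this hunk.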
@@ -122,7 +122,7 @@ output "dra" { } output "ciphertrust" { - value = var.enable_ciphertrust ? { + value = local.enable_ciphertrust ? { ciphertrust_manager = [ for idx, val in module.ciphertrust_manager : { private_ip = try(val.private_ip, null) @@ -139,7 +139,7 @@ output "ciphertrust" { } output "cte_ddc_agents" { - value = var.enable_ciphertrust ? { + value = local.enable_ciphertrust ? { cte_agents = [ for val in concat(local.linux_cte_only_instances, local.windows_cte_only_instances) : { diff --git a/examples/aws/poc/dsf_deployment/sonar.tf b/examples/aws/poc/dsf_deployment/sonar.tf index 060c0eaf7..b593c2b36 100644 --- a/examples/aws/poc/dsf_deployment/sonar.tf +++ b/examples/aws/poc/dsf_deployment/sonar.tf @@ -6,7 +6,7 @@ locals { hub_dr_public_ip = var.enable_sonar && var.hub_hadr ? (length(module.hub_dr[0].public_ip) > 0 ? format("%s/32", module.hub_dr[0].public_ip) : null) : null hub_cidr_list = compact([data.aws_subnet.hub.cidr_block, data.aws_subnet.hub_dr.cidr_block, local.hub_public_ip, local.hub_dr_public_ip]) agentless_gw_cidr_list = [data.aws_subnet.agentless_gw.cidr_block, data.aws_subnet.agentless_gw_dr.cidr_block] - cte_agents_cidr_list = var.enable_ciphertrust ? [data.aws_subnet.cte_ddc_agent.cidr_block] : [] + cte_agents_cidr_list = local.enable_ciphertrust ? [data.aws_subnet.cte_ddc_agent.cidr_block] : [] } module "hub_main" { @@ -47,7 +47,7 @@ module "hub_main" { archiver_username = module.dra_analytics[0].archiver_user archiver_password = module.dra_analytics[0].archiver_password } : null - cm_details = var.enable_ciphertrust ? { + cm_details = local.enable_ciphertrust ? { name = "CipherTrust Manager" is_load_balancer = false hostname = coalesce(module.ciphertrust_manager[0].public_ip, module.ciphertrust_manager[0].private_ip) diff --git a/examples/aws/poc/dsf_deployment/variables.tf b/examples/aws/poc/dsf_deployment/variables.tf index 1006e17ea..1cdb70da5 100644 --- a/examples/aws/poc/dsf_deployment/variables.tf 
+++ b/examples/aws/poc/dsf_deployment/variables.tf @@ -432,7 +432,7 @@ variable "ddc_agent_windows_installation_file" { variable "cte_ddc_agents_linux_count" { type = number - default = 1 + default = 0 description = "Number of CTE-DDC agent linux servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'." } @@ -450,7 +450,7 @@ variable "ddc_agents_linux_count" { variable "cte_ddc_agents_windows_count" { type = number - default = 1 + default = 0 description = "Number of CTE-DDC agent windows servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'." } diff --git a/modules/aws/ciphertrust_manager/README.md b/modules/aws/ciphertrust_manager/README.md index e93bd3d41..48c2d3309 100644 --- a/modules/aws/ciphertrust_manager/README.md +++ b/modules/aws/ciphertrust_manager/README.md 
@@ -3,3 +3,101 @@ This Terraform module provisions a CipherTrust Manager on AWS as an EC2 instance. +## CipherTrust Manager Versions +2.19 and up + +## Requirements +* Terraform — refer to [versions.tf](https://github.com/imperva/dsfkit/blob/master/modules/aws/ciphertrust-manager/versions.tf) for supported versions. +* An AWS account. +* Access to the CipherTrust AMI from AWS Marketplace (product code: `a5j8w8j2tn9crtnai795fkf6o`). + +**NOTE:** For CipherTrust licensing or access questions, contact your Thales representative. + +## Resources Provisioned +This Terraform module provisions the following resources on AWS: + +* An EC2 instance running the CipherTrust Manager software. +* An EBS volume for storage. +* A network interface attached to the specified subnet and security groups. +* Optional Elastic IP and EIP association if `attach_persistent_public_ip` is enabled. +* A security group (if not provided) to allow the required network access to and from the CipherTrust Manager instance. + +The EC2 instance and EBS volume provide the computing and storage resources needed to run the CipherTrust Manager software. The security group controls the inbound and outbound traffic to the instance. + +## Inputs + +The following input variables are **required**: + +* `subnet_id`: The subnet ID to attach the CipherTrust instance to. +* `key_pair`: Name of the AWS EC2 key pair used for SSH access. +* `ebs`: AWS EBS details. + +Additionally, the following variables are often **required unless defaults suffice**: + +* `allowed_web_console_and_api_cidrs`: CIDRs for web console and API access (ports 443, 80). +* `allowed_ssh_cidrs`: CIDRs allowed to SSH into the instance (port 22). +* `allowed_cluster_nodes_cidrs`: CIDRs for cluster communication (port 5432). +* `allowed_ddc_agents_cidrs`: CIDRs for DDC agent access (port 11117). +* `allowed_all_cidrs`: Additional CIDRs applied to all types of access (optional). 
+* `ami`: Optional override for selecting a specific AMI using filters or ID. +* `instance_type`: EC2 instance type (default: `t2.xlarge`). +* `attach_persistent_public_ip`: Whether to allocate and attach an Elastic IP (default: `false`). + +Refer to [inputs](https://registry.terraform.io/modules/imperva/dsf-ciphertrust-manager/aws/latest?tab=inputs) for additional variables with default values and additional info. + +## Outputs + +Refer to [outputs](https://registry.terraform.io/modules/imperva/dsf-ciphertrust-manager/aws/latest?tab=outputs). + +## Usage + +To utilize this module with a minimal configuration, include the following in your Terraform setup: + +```hcl +provider "aws" {} + +module "dsf_ciphertrust_manager" { + source = "imperva/dsf-ciphertrust-manager/aws" + + subnet_id = "subnet-xxxxxxxxxxxxxxx" + key_pair = "my-keypair-name" + + ebs = { + volume_size = 256 + volume_type = "gp2" + } + + allowed_web_console_and_api_cidrs = ["10.0.0.0/24"] + allowed_ssh_cidrs = ["10.0.0.0/24"] + allowed_cluster_nodes_cidrs = ["10.0.1.0/24"] + allowed_ddc_agents_cidrs = ["10.0.2.0/24"] +} +``` + +To see a complete example of how to use this module in a DSF deployment with other modules, check out the [examples](https://github.com/imperva/dsfkit/tree/master/examples/aws) directory. + +We recommend using a specific version of the module (and not the latest). +See available released versions in the main repo README [here](https://github.com/imperva/dsfkit#version-history). + +Specify the module's version by adding the version parameter. For example: + +``` +module "dsf_ciphertrust_manager" { + source = "imperva/dsf-ciphertrust-manager/aws" + version = "x.y.z" + + # The rest of arguments are omitted for brevity +} +``` + +## CipherTrust Manager High Availability + +To ensure high availability and disaster recovery, deploying multiple CipherTrust Manager instances. 
+ +To finalize the cluster nodes setup, refer to the ciphertrust-manager-cluster-setup Terraform module [here](https://registry.terraform.io/modules/imperva/ciphertrust-manager-cluster-setup/null/latest) + +## Additional Information + +For additional information about DSF deployment using terraform, refer to the main repo README [here](https://github.com/imperva/dsfkit/tree/1.7.29). + + diff --git a/modules/aws/ciphertrust_manager/ami.tf b/modules/aws/ciphertrust_manager/ami.tf index 6070f8050..c6c8232b5 100644 --- a/modules/aws/ciphertrust_manager/ami.tf +++ b/modules/aws/ciphertrust_manager/ami.tf @@ -1,5 +1,6 @@ locals { ami_default = { + id = null owner_account_id = "679593333241" // aws marketplace name_regex = "k170v-2.19.*" product_code = "a5j8w8j2tn9crtnai795fkf6o" @@ -11,11 +12,11 @@ locals { ami_name_regex = local.ami.name_regex != null ? local.ami.name_regex : ".*" ami_product_code = local.ami.product_code != null ? local.ami.product_code : "*" - ami_id = var.ami_id != null ? var.ami_id : data.aws_ami.selected-ami[0].image_id + ami_id = local.ami.id != null ? local.ami.id : data.aws_ami.selected-ami[0].image_id } data "aws_ami" "selected-ami" { - count = var.ami_id == null ? 1 : 0 + count = local.ami.id == null ? 1 : 0 most_recent = true name_regex = local.ami_name_regex diff --git a/modules/aws/ciphertrust_manager/variables.tf b/modules/aws/ciphertrust_manager/variables.tf index 6529f701f..011cd3d54 100644 --- a/modules/aws/ciphertrust_manager/variables.tf +++ b/modules/aws/ciphertrust_manager/variables.tf 
@@ -117,29 +117,24 @@ variable "ssh_user" { default = "ksadmin" } -variable "ami_id" { - type = string - description = "Ciphertrust AMI id. If set to null, the AMI will be selected based on the 'ami' variable if provided, or fall back to the recommended image. If 'ami_id' is set, it takes precedence and 'ami' will be ignored." - default = null -} - variable "ami" { type = object({ + id = string name_regex = string product_code = string owner_account_id = string }) description = < ${local.cm_association_log_path} 2>&1 + exec > ${local.cm_association_log_path_in_hub} 2>&1 set -e response=$(curl -k -s -w "\n%%{http_code}" -X POST 'https://127.0.0.1:8443/integrations/api/v1/ciphertrust' --header "Content-Type: application/json" --header "Authorization: Bearer ${module.hub_instance.access_tokens.usc.token}" --data '${replace(local.cm_payload, "'", "'\\''")}') BODY=$(echo "$response" | sed '$d') @@ -50,7 +50,7 @@ resource "null_resource" "cm_association" { } provisioner "local-exec" { - command = "echo 'Starting association of CipherTrust Manager with the DSF Hub. Logs will be written on the DSF Hub machine at ${local.cm_association_log_path}'" + command = "echo 'Starting association of CipherTrust Manager with the DSF Hub. Logs will be written on the DSF Hub machine at ${local.cm_association_log_path_in_hub}'" } provisioner "remote-exec" { inline = concat([local.cm_association_commands]) diff --git a/modules/aws/hub/variables.tf b/modules/aws/hub/variables.tf index 34854e600..1d96caa9b 100644 --- a/modules/aws/hub/variables.tf +++ b/modules/aws/hub/variables.tf @@ -313,7 +313,7 @@ variable "dra_details" { variable "cm_details" { sensitive = true - description = "DSF CipherTrust Manager to onboard to Sonar Hub" + description = "DSF CipherTrust Manager to onboard with the Sonar Hub. Supported in Sonar Hub version 4.18 and above. If null, no CipherTrust Manager will be onboarded." type = object({ name = string is_load_balancer = bool 
diff --git a/modules/null/ciphertrust-manager-cluster-setup/main.tf b/modules/null/ciphertrust-manager-cluster-setup/main.tf index 30ab301b7..251eb3067 100644 --- a/modules/null/ciphertrust-manager-cluster-setup/main.tf +++ b/modules/null/ciphertrust-manager-cluster-setup/main.tf @@ -21,6 +21,7 @@ resource "null_resource" "ddc_active_node_setup" { provisioner "local-exec" { interpreter = ["bash", "-c"] command = local.ddc_active_node_commands + # Using env vars for credentials instead of template vars for security reasons environment = { CM_USER = nonsensitive(var.credentials.user) CM_PASSWORD = nonsensitive(var.credentials.password) From bea073e36ab3526f83afa2256a47137e8f3f9f95 Mon Sep 17 00:00:00 2001 From: "sivan.hajbi" Date: Sun, 13 Jul 2025 22:04:23 +0300 Subject: [PATCH 05/16] fix ciphertrust manager module folder name --- examples/aws/poc/dsf_deployment/cm.tf | 2 +- .../aws/{ciphertrust_manager => ciphertrust-manager}/README.md | 0 modules/aws/{ciphertrust_manager => ciphertrust-manager}/ami.tf | 0 .../aws/{ciphertrust_manager => ciphertrust-manager}/main.tf | 0 .../aws/{ciphertrust_manager => ciphertrust-manager}/outputs.tf | 0 modules/aws/{ciphertrust_manager => ciphertrust-manager}/sg.tf | 0 .../{ciphertrust_manager => ciphertrust-manager}/variables.tf | 0 .../{ciphertrust_manager => ciphertrust-manager}/versions.tf | 0 8 files changed, 1 insertion(+), 1 deletion(-) rename modules/aws/{ciphertrust_manager => ciphertrust-manager}/README.md (100%) rename modules/aws/{ciphertrust_manager => ciphertrust-manager}/ami.tf (100%) rename modules/aws/{ciphertrust_manager => ciphertrust-manager}/main.tf (100%) rename modules/aws/{ciphertrust_manager => ciphertrust-manager}/outputs.tf (100%) rename modules/aws/{ciphertrust_manager => ciphertrust-manager}/sg.tf (100%) rename modules/aws/{ciphertrust_manager => ciphertrust-manager}/variables.tf (100%) rename modules/aws/{ciphertrust_manager => ciphertrust-manager}/versions.tf (100%) 
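Review bot: The added comment says credentials go through `environment` for security reasons, but the same lines wrap them in `nonsensitive(...)`, which strips Terraform's sensitive marking from `var.credentials.user` and `var.credentials.password` so they are no longer redacted anywhere they flow from here. Presumably the wrapper exists only so the `local-exec` output is not suppressed (Terraform hides provisioner output when its configuration carries sensitive values) — that is worth stating, since otherwise the comment and the code appear to contradict each other, e.g. `# Credentials are passed as env vars (not template vars) so they never appear in the command line; nonsensitive() only keeps the provisioner output visible, so the script must never echo them`. It is then essential that `local.ddc_active_node_commands` does not enable `set -x` or print `$CM_PASSWORD`; I cannot confirm that from this hunk, and the `null_resource` body continues outside it.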
diff --git a/examples/aws/poc/dsf_deployment/cm.tf b/examples/aws/poc/dsf_deployment/cm.tf index 772494296..382fe5c4c 100644 --- a/examples/aws/poc/dsf_deployment/cm.tf +++ b/examples/aws/poc/dsf_deployment/cm.tf @@ -6,7 +6,7 @@ locals { module "ciphertrust_manager" { # TODO sivan - change module name to ciphertrust manager - source = "../../../../modules/aws/ciphertrust_manager" + source = "../../../../modules/aws/ciphertrust-manager" # source = "imperva/dsf-ciphertrust-manager/aws" # version = "1.7.17" # latest release tag count = local.ciphertrust_manager_count diff --git a/modules/aws/ciphertrust_manager/README.md b/modules/aws/ciphertrust-manager/README.md similarity index 100% rename from modules/aws/ciphertrust_manager/README.md rename to modules/aws/ciphertrust-manager/README.md diff --git a/modules/aws/ciphertrust_manager/ami.tf b/modules/aws/ciphertrust-manager/ami.tf similarity index 100% rename from modules/aws/ciphertrust_manager/ami.tf rename to modules/aws/ciphertrust-manager/ami.tf diff --git a/modules/aws/ciphertrust_manager/main.tf b/modules/aws/ciphertrust-manager/main.tf similarity index 100% rename from modules/aws/ciphertrust_manager/main.tf rename to modules/aws/ciphertrust-manager/main.tf diff --git a/modules/aws/ciphertrust_manager/outputs.tf b/modules/aws/ciphertrust-manager/outputs.tf similarity index 100% rename from modules/aws/ciphertrust_manager/outputs.tf rename to modules/aws/ciphertrust-manager/outputs.tf diff --git a/modules/aws/ciphertrust_manager/sg.tf b/modules/aws/ciphertrust-manager/sg.tf similarity index 100% rename from modules/aws/ciphertrust_manager/sg.tf rename to modules/aws/ciphertrust-manager/sg.tf diff --git a/modules/aws/ciphertrust_manager/variables.tf b/modules/aws/ciphertrust-manager/variables.tf similarity index 100% rename from modules/aws/ciphertrust_manager/variables.tf rename to modules/aws/ciphertrust-manager/variables.tf 
diff --git a/modules/aws/ciphertrust_manager/versions.tf b/modules/aws/ciphertrust-manager/versions.tf similarity index 100% rename from modules/aws/ciphertrust_manager/versions.tf rename to modules/aws/ciphertrust-manager/versions.tf From 99fefbfb231af43ccb0786406570b6e7521c545e Mon Sep 17 00:00:00 2001 From: "sivan.hajbi" Date: Mon, 14 Jul 2025 00:17:29 +0300 Subject: [PATCH 06/16] add readme --- examples/aws/poc/dsf_deployment/README.md | 34 +++++- examples/aws/poc/dsf_deployment/cm.tf | 1 - .../aws/poc/dsf_deployment/cte_ddc_agents.tf | 2 +- modules/aws/ciphertrust-manager/README.md | 7 +- modules/aws/cte-ddc-agent/README.md | 106 ++++++++++++++++++ .../README.md | 94 +++++++++++++++- 6 files changed, 234 insertions(+), 10 deletions(-) create mode 100644 modules/aws/cte-ddc-agent/README.md diff --git a/examples/aws/poc/dsf_deployment/README.md b/examples/aws/poc/dsf_deployment/README.md index a1c4252e5..bc3a3fc4f 100644 --- a/examples/aws/poc/dsf_deployment/README.md +++ b/examples/aws/poc/dsf_deployment/README.md @@ -1,7 +1,7 @@ # DSF Deployment example [![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags) -This example provides a full DSF (Data Security Fabric) deployment with DSF Hub, Agentless Gateways, DAM (Database Activity Monitoring), DRA (Data Risk Analytics) and Agent and Agentless audit sources. +This example provides a full DSF (Data Security Fabric) deployment with DSF Hub, Agentless Gateways, DAM (Database Activity Monitoring), DRA (Data Risk Analytics) and Agent and Agentless audit sources, and also deploys CipherTrust Manager and CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) agents. ## Modularity The deployment is modular and allows users to deploy one or more of the following modules: 
@@ -21,6 +21,9 @@ The deployment is modular and allows users to deploy one or more of the followin 5. Audit sources - Agent audit sources (EC2 instances) - Agentless audit sources (RDS instances) +6. CipherTrust Manager +7. CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) Agents + ### Deploying Specific Modules @@ -33,9 +36,10 @@ To deploy only the DAM module, set the following variables in your Terraform con enable_dam = true enable_sonar = false enable_dra = false +enable_ciphertrust = false ``` -This configuration will enable the DAM module while disabling the DSF Hub and DRA modules. +This configuration will enable the DAM module while disabling the DSF Hub, DRA and CipherTrust modules. #### 2. DRA Only Deployment @@ -44,9 +48,10 @@ To deploy only the DRA module, set the following variables in your Terraform con enable_dam = false enable_sonar = false enable_dra = true +enable_ciphertrust = false ``` -This configuration will enable the DRA module while disabling the DSF Hub and DAM modules. +This configuration will enable the DRA module while disabling the DSF Hub, DAM and CipherTrust modules. #### 3. Sonar Only Deployment 
@@ -55,9 +60,22 @@ To deploy only the Sonar module, set the following variables in your Terraform c enable_dam = false enable_sonar = true enable_dra = false +enable_ciphertrust = false +``` + +This configuration will enable the Sonar module, including the DSF Hub, while disabling the DAM, DRA and CipherTrust modules. + +#### 4. CipherTrust Only Deployment + +To deploy only the Sonar module, set the following variables in your Terraform configuration: +``` +enable_dam = false +enable_sonar = false +enable_dra = false +enable_ciphertrust = true ``` -This configuration will enable the Sonar module, including the DSF Hub, while disabling the DAM and DRA modules. +This configuration will enable the CipherTrust module, including the CipherTrust Manager and the CTE and/or DDC agents, while disabling the DAM, DRA and Sonar modules. Feel free to customize your deployment by setting the appropriate variables based on your requirements. 
@@ -68,11 +86,19 @@ Several variables in the `variables.tf` file are important for configuring the d - `enable_sonar`: Enable Sonar sub-product - `enable_dam`: Enable DAM sub-product - `enable_dra`: Enable DRA sub-product +- `enable_ciphertrust`: Enable CipherTrust sub-product ### Server Count - `dra_analytics_count`: Number of DRA Analytics servers - `agentless_gw_count`: Number of Agentless Gateways - `agent_gw_count`: Number of Agent Gateways +- `ciphertrust_manager_count`: Number of CipherTrust Manager servers (if more than one, configured as a cluster) +- `cte_ddc_agents_linux_count`: Number of CTE-DDC agent Linux servers +- `cte_agents_linux_count`: Number of CTE agent Linux servers +- `ddc_agents_linux_count`: Number of DDC agent Linux servers +- `cte_ddc_agents_windows_count`: Number of CTE-DDC agent Windows servers +- `cte_agents_windows_count`: Number of CTE agent Windows servers +- `ddc_agents_windows_count`: Number of DDC agent Windows servers ### High Availability (HADR) - `hub_hadr`: Enable DSF Hub High Availability Disaster Recovery (HADR) diff --git a/examples/aws/poc/dsf_deployment/cm.tf b/examples/aws/poc/dsf_deployment/cm.tf index 382fe5c4c..b1b1da1f7 100644 --- a/examples/aws/poc/dsf_deployment/cm.tf +++ b/examples/aws/poc/dsf_deployment/cm.tf @@ -5,7 +5,6 @@ locals { } module "ciphertrust_manager" { - # TODO sivan - change module name to ciphertrust manager source = "../../../../modules/aws/ciphertrust-manager" # source = "imperva/dsf-ciphertrust-manager/aws" # version = "1.7.17" # latest release tag diff --git a/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf b/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf index 73fe7ca70..39fb5e22c 100644 --- a/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf +++ b/examples/aws/poc/dsf_deployment/cte_ddc_agents.tf 
@@ -74,7 +74,7 @@ resource "ciphertrust_cte_registration_token" "reg_token" { count = length(local.all_agent_instances_map) > 0 ? 1 : 0 lifetime = "24h" max_clients = 100 - name_prefix = "cte-agent" + name_prefix = "dsf-agent" } module "cte_ddc_agents" { diff --git a/modules/aws/ciphertrust-manager/README.md b/modules/aws/ciphertrust-manager/README.md index 48c2d3309..f313430db 100644 --- a/modules/aws/ciphertrust-manager/README.md +++ b/modules/aws/ciphertrust-manager/README.md @@ -14,8 +14,7 @@ This Terraform module provisions a CipherTrust Manager on AWS as an EC2 instance **NOTE:** For CipherTrust licensing or access questions, contact your Thales representative. ## Resources Provisioned -This Terraform module provisions the following resources on AWS: - +This Terraform module provisions several resources on AWS to create the CipherTrust Manager instance. These resources include: * An EC2 instance running the CipherTrust Manager software. * An EBS volume for storage. * A network interface attached to the specified subnet and security groups. @@ -94,10 +93,12 @@ module "dsf_ciphertrust_manager" { To ensure high availability and disaster recovery, deploying multiple CipherTrust Manager instances. -To finalize the cluster nodes setup, refer to the ciphertrust-manager-cluster-setup Terraform module [here](https://registry.terraform.io/modules/imperva/ciphertrust-manager-cluster-setup/null/latest) +To finalize the cluster nodes setup, refer to the dsf-ciphertrust-manager-cluster-setup Terraform module [here](https://registry.terraform.io/modules/imperva/ciphertrust-manager-cluster-setup/null/latest) ## Additional Information +For more information about the CipherTrust Manager and its features, refer to the official documentation [here](https://thalesdocs.com/ctp/cm/2.19/). + For additional information about DSF deployment using terraform, refer to the main repo README [here](https://github.com/imperva/dsfkit/tree/1.7.29). 
diff --git a/modules/aws/cte-ddc-agent/README.md b/modules/aws/cte-ddc-agent/README.md new file mode 100644 index 000000000..9d5cc2c23 --- /dev/null +++ b/modules/aws/cte-ddc-agent/README.md 
@@ -0,0 +1,106 @@ +# DSF CTE-DDC Agent +[![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags) + +This Terraform module provisions a CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) agent instance on AWS EC2, installs the required agent packages, registers them with a CipherTrust Manager, and handles connectivity, registration, and reboot where required. The module supports both Linux (RHEL 8.9) and Windows Server 2022. + +## Requirements +* Terraform, refer to [versions.tf](https://github.com/imperva/dsfkit/blob/master/modules/aws/cte-ddc-agent/versions.tf) for supported versions. +* An AWS account. +* SSH access to the EC2 instance. +* Access from the agent instance to the CipherTrust Manager instance. +* Access to the local installer files for CTE and/or DDC agent. + +## Resources Provisioned +This Terraform module provisions several resources on AWS to create the DSF CTE-DDC Agent instance. These resources include: +* An EC2 instance running Linux (RHEL 8.9) or Windows Server 2022. +* A network interface (ENI). +* A security group, unless a list of security groups is provided. +* An optional elastic public IP. +* Provisioners to install and register the CTE and/or DDC agents. + +The EC2 instance provide the computing needed to run the CTE and/or DDC software. The security group controls the inbound and outbound traffic to the instance. + +## Inputs + +The following input variables are **required**: + +* `subnet_id`: The ID of the subnet in which to launch the EC2 instance. +* `ssh_key_pair`: AWS key pair name and path for ssh connectivity. +* `cipher_trust_manager_address`: CipherTrust Manager address for agent registration. +* `os_type`: The OS to use for the agent instance. Supported values: `Red Hat`, `Windows`. +* `agent_installation`: Object indicating which agent(s) to install and the relevant installation files. 
+ +Additionally, the following variables are often **required unless defaults suffice**: + +* `allowed_ssh_cidrs`: CIDRs allowed to SSH into Linux/Windows agent instance (port 22). +* `allowed_rdp_cidrs`: CIDRs allowed to RDP into Windows agent instance (port 3389). +* `attach_persistent_public_ip`: Whether to allocate and attach an Elastic IP (default: `false`). +* `use_public_ip`: Whether to use the public IP for remote SSH access (default: `false`). + +Refer to [inputs](https://registry.terraform.io/modules/imperva/dsf-cte-ddc-agent/aws/latest?tab=inputs) for additional variables with default values and additional info. + +## Outputs + +Refer to [outputs](https://registry.terraform.io/modules/imperva/dsf-cte-ddc-agent/aws/latest?tab=outputs). + +## Usage + +To utilize this module with a minimal configuration, include the following in your Terraform setup: + +```hcl +provider "aws" {} + +module "cte_ddc_agent" { + source = "imperva/dsf-cte-ddc-agent/aws" + + subnet_id = "subnet-xxxxxxxxxxxxxxx" + + ssh_key_pair = { + ssh_public_key_name = "my-keypair-name" + ssh_private_key_file_path = "/path/to/my-private-key.pem" + } + + cipher_trust_manager_address = "ciphertrust-manager.example.com" + + os_type = "Red Hat" # or "Windows" + + agent_installation = { + registration_token = "your-registration-token" + install_cte = true + install_ddc = true + cte_agent_installation_file = "/path/to/cte-agent-installation.rpm" # or .msi/.exe for Windows + ddc_agent_installation_file = "/path/to/ddc-agent-installation.rpm" # or .msi/.exe for Windows + } + + allowed_ssh_cidrs = ["10.0.0.0/24"] + allowed_rdp_cidrs = ["10.0.0.0/24"] # only needed for Windows + + instance_type = "t2.large" + +} +``` + +To see a complete example of how to use this module in a DSF deployment with other modules, check out the [examples](https://github.com/imperva/dsfkit/tree/master/examples/aws) directory. + +We recommend using a specific version of the module (and not the latest). 
+See available released versions in the main repo README [here](https://github.com/imperva/dsfkit#version-history). + +Specify the module's version by adding the version parameter. For example: + +``` +module "dsf_cte_ddc_agent" { + source = "imperva/dsf-cte-ddc-agent/aws" + version = "x.y.z" + + # The rest of arguments are omitted for brevity +} +``` + +## Additional Information + +For more information about the CipherTrust Transparent Encryption (CTE) agent and its features, refer to the official documentation [here](https://thalesdocs.com/ctp/cm/2.19/admin/cte_ag/). +For more information about the Data Discovery and Classification (DDC) agent and its features, refer to the official documentation [here](https://thalesdocs.com/ctp/cm/2.19/admin/ddc_ag/). + +For additional information about DSF deployment using terraform, refer to the main repo README [here](https://github.com/imperva/dsfkit/tree/1.7.29). + + diff --git a/modules/null/ciphertrust-manager-cluster-setup/README.md b/modules/null/ciphertrust-manager-cluster-setup/README.md index dd9413f0c..6508a7d62 100644 --- a/modules/null/ciphertrust-manager-cluster-setup/README.md +++ b/modules/null/ciphertrust-manager-cluster-setup/README.md 
@@ -1,5 +1,97 @@ # DSF CipherTrust Manager Cluster Setup [![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags) -This Terraform module provisions a CipherTrust Manager on AWS as an EC2 instance. +This Terraform module configures a CipherTrust Manager Cluster, connecting multiple CipherTrust Manager nodes into a single secure cluster. +## Requirements +* Terraform — refer to [versions.tf](https://github.com/imperva/dsfkit/blob/master/modules/null/ciphertrust-manager-cluster-setup/versions.tf) for supported versions. +* Two or more running CipherTrust Manager servers. +* Network access between the cluster nodes on the required ports (e.g., 5432). +* API credentials (username & password) with permissions to manage DDC settings. +* `jq` utility installed on the system executing Terraform (used in DDC node activation). + +## Resources Provisioned + +This module provisions the following: + +* A `ciphertrust_cluster` resource defining and forming the CipherTrust cluster. +* Optional activation of the DDC Active Node using the CipherTrust REST API. + +The module does **not** provision CipherTrust Manager instances — it assumes the CipherTrust Manager instances already exist and are accessible. + +## Inputs + +The following input variables are **required**: + +* `nodes`: A list of CipherTrust Manager instances to form the cluster. Each entry must include: + * `host` – Internal hostname or IP used for cluster joining. + * `public_address` – Public DNS/IP used for reaching the node externally. + +Additionally, the following variables are often **required unless defaults suffice**: + +* `ddc_node_setup`: Configuration for registering a DDC Active Node in the cluster. + * `enabled`: If `true`, will attempt to activate the DDC node. + * `node_address`: The node address (typically the same as `public_address`) to register as the active node. 
+ +* `credentials`: A sensitive object containing: + * `user`: CipherTrust API user. + * `password`: CipherTrust API password. + +Refer to [inputs](https://registry.terraform.io/modules/imperva/dsf-ciphertrust-manager-cluster-setup/null/latest?tab=inputs) for additional variables with default values and additional info. + +## Outputs + +This module currently defines no outputs. + +## Usage + +To utilize this module with a minimal configuration, include the following in your Terraform setup: + +```hcl +module "ciphertrust_cluster" { + source = "imperva/dsf-ciphertrust-manager-cluster/null" + + nodes = [ + { + host = "10.0.0.10" + public_address = "3.91.122.10" + }, + { + host = "10.0.0.11" + public_address = "3.91.122.11" + } + ] + + ddc_node_setup = { + enabled = true + node_address = "3.91.122.10" + } + + credentials = { + user = "admin" + password = "password" + } +} +``` + +To see a complete example of how to use this module in a DSF deployment with other modules, check out the [examples](https://github.com/imperva/dsfkit/tree/master/examples/aws) directory. + +We recommend using a specific version of the module (and not the latest). +See available released versions in the main repo README [here](https://github.com/imperva/dsfkit#version-history). + +Specify the module's version by adding the version parameter. For example: + +``` +module "dsf_ciphertrust_manager_cluster_setup" { + source = "imperva/dsf-ciphertrust-manager-cluster-setup/aws" + version = "x.y.z" + + # The rest of arguments are omitted for brevity +} +``` + +## Additional Information + +For more information about the DSF Hub and its features, refer to the official documentation [here](https://docs.imperva.com/bundle/v4.13-sonar-user-guide/page/80401.htm). + +For additional information about DSF deployment using terraform, refer to the main repo README [here](https://github.com/imperva/dsfkit/tree/1.7.29). From 592b2f8fdd2e356754b3b1b9ceba90051bcf66d7 Mon Sep 17 00:00:00 2001 
From: "sivan.hajbi" Date: Mon, 14 Jul 2025 09:32:53 +0300 Subject: [PATCH 07/16] fix sonar version --- examples/aws/poc/dsf_deployment/cm.tf | 2 +- examples/aws/poc/dsf_deployment/main.tf | 2 -- examples/aws/poc/dsf_deployment/outputs.tf | 4 ++-- examples/aws/poc/dsf_deployment/sonar.tf | 7 +++++-- 4 files changed, 8 insertions(+), 7 deletions(-) diff --git a/examples/aws/poc/dsf_deployment/cm.tf b/examples/aws/poc/dsf_deployment/cm.tf index b1b1da1f7..29b370c1f 100644 --- a/examples/aws/poc/dsf_deployment/cm.tf +++ b/examples/aws/poc/dsf_deployment/cm.tf @@ -1,5 +1,5 @@ locals { - ciphertrust_manager_count = local.enable_ciphertrust ? var.ciphertrust_manager_count : 0 + ciphertrust_manager_count = var.enable_ciphertrust ? var.ciphertrust_manager_count : 0 ciphertrust_cidr_list = [data.aws_subnet.ciphertrust_manager.cidr_block] ciphertrust_manager_web_console_username = "admin" } diff --git a/examples/aws/poc/dsf_deployment/main.tf b/examples/aws/poc/dsf_deployment/main.tf index ef55ec397..2fbd203af 100644 --- a/examples/aws/poc/dsf_deployment/main.tf +++ b/examples/aws/poc/dsf_deployment/main.tf @@ -35,6 +35,4 @@ locals { workstation_cidr = var.workstation_cidr != null ? var.workstation_cidr : local.workstation_cidr_24 tags = merge(module.globals.tags, var.additional_tags, { "deployment_name" = local.deployment_name_salted }) private_key_file_path = module.key_pair.private_key_file_path - # Minimal sonar version that supports CipherTrust Manager is 4.18 - enable_ciphertrust = var.enable_ciphertrust && !contains(["4.17", "4.16", "4.15", "4.14", "4.13", "4.12", "4.11", "4.10", "4.9"], module.globals.tarball_location.version) } diff --git a/examples/aws/poc/dsf_deployment/outputs.tf b/examples/aws/poc/dsf_deployment/outputs.tf index bb555c857..d7ccb1660 100644 --- a/examples/aws/poc/dsf_deployment/outputs.tf +++ b/examples/aws/poc/dsf_deployment/outputs.tf 
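Review bot: `ciphertrust_manager_count` now depends only on `var.enable_ciphertrust`, so CipherTrust Manager instances are provisioned even when the hub side in sonar.tf (gated in this same patch on `var.enable_ciphertrust && local.is_sonar_supports_cm_integration`) will not be wired to them; the `local.enable_ciphertrust` removed from main.tf used to combine both conditions. If a CM deployed without hub integration is intended, say so above the count, e.g. `# CM is provisioned regardless of Sonar version; hub integration is gated separately in sonar.tf`; otherwise gate the count on the same combined condition, `ciphertrust_manager_count = var.enable_ciphertrust && local.is_sonar_supports_cm_integration ? var.ciphertrust_manager_count : 0`. Either way the two files should express the same rule, since the outputs.tf hunks below also key only on `var.enable_ciphertrust`.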
@@ -122,7 +122,7 @@ output "dra" { } output "ciphertrust" { - value = local.enable_ciphertrust ? { + value = var.enable_ciphertrust ? { ciphertrust_manager = [ for idx, val in module.ciphertrust_manager : { private_ip = try(val.private_ip, null) @@ -139,7 +139,7 @@ output "ciphertrust" { } output "cte_ddc_agents" { - value = local.enable_ciphertrust ? { + value = var.enable_ciphertrust ? { cte_agents = [ for val in concat(local.linux_cte_only_instances, local.windows_cte_only_instances) : { diff --git a/examples/aws/poc/dsf_deployment/sonar.tf b/examples/aws/poc/dsf_deployment/sonar.tf index b593c2b36..8982bbef7 100644 --- a/examples/aws/poc/dsf_deployment/sonar.tf +++ b/examples/aws/poc/dsf_deployment/sonar.tf @@ -2,11 +2,14 @@ locals { tarball_location = var.tarball_location != null ? var.tarball_location : module.globals.tarball_location agentless_gw_count = var.enable_sonar ? var.agentless_gw_count : 0 + # Minimal sonar version that supports CipherTrust Manager is 4.18 + is_sonar_supports_cm_integration = !contains(["4.17", "4.16", "4.15", "4.14", "4.13", "4.12", "4.11", "4.10", "4.9"], module.globals.tarball_location.version) + hub_public_ip = var.enable_sonar ? (length(module.hub_main[0].public_ip) > 0 ? format("%s/32", module.hub_main[0].public_ip) : null) : null hub_dr_public_ip = var.enable_sonar && var.hub_hadr ? (length(module.hub_dr[0].public_ip) > 0 ? format("%s/32", module.hub_dr[0].public_ip) : null) : null hub_cidr_list = compact([data.aws_subnet.hub.cidr_block, data.aws_subnet.hub_dr.cidr_block, local.hub_public_ip, local.hub_dr_public_ip]) agentless_gw_cidr_list = [data.aws_subnet.agentless_gw.cidr_block, data.aws_subnet.agentless_gw_dr.cidr_block] - cte_agents_cidr_list = local.enable_ciphertrust ? [data.aws_subnet.cte_ddc_agent.cidr_block] : [] + cte_agents_cidr_list = var.enable_ciphertrust && local.is_sonar_supports_cm_integration ? [data.aws_subnet.cte_ddc_agent.cidr_block] : [] } module "hub_main" { 
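Review bot: `is_sonar_supports_cm_integration` reads `module.globals.tarball_location.version`, while `tarball_location` two lines above prefers `var.tarball_location` when the caller sets one, so a user-supplied tarball is version-checked against the globals default rather than the tarball actually deployed; if `var.tarball_location` carries the same `version` attribute, `local.tarball_location.version` is the right operand. The check is also a deny-list: any version string not enumerated (older than 4.9, or a differently formatted value) is silently treated as supported, so a comparison against a minimum version would be safer than extending the list each release. The `cm_details` hunk in `module "hub_main"` below consumes this same local, so whichever form is chosen governs both. The `locals` block continues past the hunk.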
@@ -47,7 +50,7 @@ module "hub_main" { archiver_username = module.dra_analytics[0].archiver_user archiver_password = module.dra_analytics[0].archiver_password } : null - cm_details = local.enable_ciphertrust ? { + cm_details = var.enable_ciphertrust && local.is_sonar_supports_cm_integration ? { name = "CipherTrust Manager" is_load_balancer = false hostname = coalesce(module.ciphertrust_manager[0].public_ip, module.ciphertrust_manager[0].private_ip) From c7a2de8346cd4ebe5b77384e0c6e21bd387e359e Mon Sep 17 00:00:00 2001 From: lindanasredin Date: Mon, 14 Jul 2025 13:48:45 +0300 Subject: [PATCH 08/16] Commit on behalf of Sivan: In CM integration, temporarily support Sonar version 15 only (not 4.19 or 4.18) until compability issue is resolved --- examples/aws/poc/dsf_deployment/sonar.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/aws/poc/dsf_deployment/sonar.tf b/examples/aws/poc/dsf_deployment/sonar.tf index 8982bbef7..0209446e4 100644 --- a/examples/aws/poc/dsf_deployment/sonar.tf +++ b/examples/aws/poc/dsf_deployment/sonar.tf @@ -3,7 +3,7 @@ locals { agentless_gw_count = var.enable_sonar ? var.agentless_gw_count : 0 # Minimal sonar version that supports CipherTrust Manager is 4.18 - is_sonar_supports_cm_integration = !contains(["4.17", "4.16", "4.15", "4.14", "4.13", "4.12", "4.11", "4.10", "4.9"], module.globals.tarball_location.version) + is_sonar_supports_cm_integration = !contains(["4.19", "4.18", "4.17", "4.16", "4.15", "4.14", "4.13", "4.12", "4.11", "4.10", "4.9"], module.globals.tarball_location.version) hub_public_ip = var.enable_sonar ? (length(module.hub_main[0].public_ip) > 0 ? format("%s/32", module.hub_main[0].public_ip) : null) : null hub_dr_public_ip = var.enable_sonar && var.hub_hadr ? (length(module.hub_dr[0].public_ip) > 0 ? format("%s/32", module.hub_dr[0].public_ip) : null) : null From ebb94ed2a0878f3e580b7693c56e28c76e1fcc30 Mon Sep 17 00:00:00 2001 
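Review bot: The comment kept on the line above, `# Minimal sonar version that supports CipherTrust Manager is 4.18`, now contradicts the list it annotates, which excludes 4.18 and 4.19 as well; the commit message explains this is a temporary restriction, but that reason lives only in git history. Replace it with something like `# CM integration temporarily requires Sonar 15 or later; 4.18/4.19 are excluded until the compatibility issue is resolved` so the next person editing the list knows which entries are meant to come back out. The `locals` block continues outside the hunk.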
From: lindanasredin Date: Mon, 14 Jul 2025 14:09:37 +0300 Subject: [PATCH 09/16] Set default value of enable_ciphertrust to false until dsf_poc_cli action will be handled --- examples/aws/poc/dsf_deployment/variables.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/examples/aws/poc/dsf_deployment/variables.tf b/examples/aws/poc/dsf_deployment/variables.tf index 1cdb70da5..0af2afcf0 100644 --- a/examples/aws/poc/dsf_deployment/variables.tf +++ b/examples/aws/poc/dsf_deployment/variables.tf @@ -30,7 +30,7 @@ variable "enable_dra" { variable "enable_ciphertrust" { type = bool - default = true + default = false description = "Provision CipherTrust Manager" } From 0aa1257be8476a6d5b6cbb2c228e4c839bc8376f Mon Sep 17 00:00:00 2001 From: lindanasredin Date: Mon, 14 Jul 2025 14:56:07 +0300 Subject: [PATCH 10/16] Added sonar-with-fam test --- .github/workflows/dsf_poc_cli.yml | 20 +++++++++++++++----- .github/workflows/dsf_poc_standalone.yml | 2 +- 2 files changed, 16 insertions(+), 6 deletions(-) diff --git a/.github/workflows/dsf_poc_cli.yml b/.github/workflows/dsf_poc_cli.yml index c42fc0088..58cd48d48 100644 --- a/.github/workflows/dsf_poc_cli.yml +++ b/.github/workflows/dsf_poc_cli.yml @@ -44,12 +44,12 @@ on: default: false required: false deployment_type: - description: 'Choose the type of deployments to run: all (default), sonar, dam, dra' + description: 'Choose the type of deployments to run: all (default, currently does not include FAM), sonar, sonar-with-fam, dam, dra' type: string default: 'all' required: false product_version: - description: 'Product (DAM, DRA, SONAR) version to deploy, default is latest' + description: 'Product (Sonar with/without FAM, DAM, DRA) version to deploy, default is latest' type: string default: 'latest' required: false 
@@ -104,9 +104,10 @@ jobs: MATRIX=$(jq -n --compact-output --arg var "$VAR" '{ "include": [ (if $var == "all" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_dam":true,"enable_dra":true} else empty end), - (if $var == "all" or $var == "sonar" then {"name":"DSF POC - SONAR","workspace":"dsf_cli-sonar-","enable_sonar":true,"enable_dam":false,"enable_dra":false} else empty end), - (if $var == "all" or $var == "dam" then {"name":"DSF POC - DAM","workspace":"dsf_cli-dam-","enable_sonar":false,"enable_dam":true,"enable_dra":false} else empty end), - (if $var == "all" or $var == "dra" then {"name":"DSF POC - DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_dam":false,"enable_dra":true} else empty end) + (if $var == "sonar" then {"name":"DSF POC - Sonar","workspace":"dsf_cli-sonar-","enable_sonar":true,"enable_dam":false,"enable_dra":false} else empty end), + (if $var == "sonar-with-fam" then {"name":"DSF POC - Sonar with FAM","workspace":"dsf_cli-sonar-with-fam-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":false,"enable_dra":false} else empty end), + (if $var == "dam" then {"name":"DSF POC - DAM","workspace":"dsf_cli-dam-","enable_sonar":false,"enable_dam":true,"enable_dra":false} else empty end), + (if $var == "dra" then {"name":"DSF POC - DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_dam":false,"enable_dra":true} else empty end) ] }') @@ -123,6 +124,8 @@ jobs: DEPLOYMENT_VERSION="dra_version=${{ github.event.inputs.product_version }}" elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar" ]]; then DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_version }}" + elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar-with-fam" ]]; then + DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_version }}" fi fi echo "deployment_version=$DEPLOYMENT_VERSION" >> $GITHUB_OUTPUT 
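Review bot: The new `sonar-with-fam` branch assigns exactly the same `DEPLOYMENT_VERSION` as the `sonar` branch directly above it, so the chain now carries a duplicated body that will drift the next time one of them is edited. Fold the two into one condition: `elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar" || "${{ github.event.inputs.deployment_type }}" == "sonar-with-fam" ]]; then`. The surrounding `if` chain starts outside the hunk.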
@@ -139,6 +142,7 @@ jobs: EXAMPLE_DIR: ./examples/aws/poc/dsf_deployment AWS_REGION: eu-west-2 TF_VAR_enable_sonar: ${{ matrix.enable_sonar }} + TF_VAR_enable_ciphertrust: ${{ matrix.enable_ciphertrust }} TF_VAR_enable_dam: ${{ matrix.enable_dam }} TF_VAR_enable_dra: ${{ matrix.enable_dra }} TF_VAR_allowed_ssh_cidrs: ${{ secrets.ALLOWED_SSH_CIDRS }} @@ -229,6 +233,9 @@ jobs: mv $EXAMPLE_DIR/networking.tf{,_} mv $EXAMPLE_DIR/agentless_sources.tf{,_} mv $EXAMPLE_DIR/agent_sources.tf{,_} + mv $EXAMPLE_DIR/versions.tf{,_} + mv $EXAMPLE_DIR/cm.tf{,_} + mv $EXAMPLE_DIR/cte_ddc_agents.tf{,_} terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve mv $EXAMPLE_DIR/main.tf{_,} mv $EXAMPLE_DIR/outputs.tf{_,} @@ -238,6 +245,9 @@ jobs: mv $EXAMPLE_DIR/networking.tf{_,} mv $EXAMPLE_DIR/agentless_sources.tf{_,} mv $EXAMPLE_DIR/agent_sources.tf{_,} + mv $EXAMPLE_DIR/versions.tf{_,} + mv $EXAMPLE_DIR/cm.tf{_,} + mv $EXAMPLE_DIR/cte_ddc_agents.tf{_,} fi - name: Terraform Validate diff --git a/.github/workflows/dsf_poc_standalone.yml b/.github/workflows/dsf_poc_standalone.yml index 56d019f58..ce6dd2492 100644 --- a/.github/workflows/dsf_poc_standalone.yml +++ b/.github/workflows/dsf_poc_standalone.yml @@ -4,7 +4,7 @@ on: workflow_dispatch: # This allows the workflow to be manually triggered from the GitHub UI inputs: deployment_type: - description: "Deployment type to pass, choose: dra, dam or sonar." + description: "Deployment type to pass, choose: sonar, sonar-with-fam, dra or dam." required: true default: "dra" version: From 8eb14cacc805eb03e17a6f2b9c6c860c40d3eb3f Mon Sep 17 00:00:00 2001 From: "sivan.hajbi" Date: Mon, 14 Jul 2025 15:53:59 +0300 Subject: [PATCH 11/16] fix module paths --- .github/workflows/deploy_module.yml | 12 ++++++++++++ README.md | 12 +++++++++++- examples/aws/poc/dsf_deployment/sonar.tf | 20 ++++++++------------ sed.expr | 3 +++ 4 files changed, 34 insertions(+), 13 deletions(-) 
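Review bot: The set of example files moved aside before `terraform destroy` and moved back afterwards is maintained as two parallel hand-written lists (the `-229` and `-238` hunks), and this change has to touch both; the three new entries show how easy it is for the lists to diverge. Keeping a single shell list (for example `EXAMPLE_FILES="main outputs ... versions cm cte_ddc_agents"`) and looping `for f in $EXAMPLE_FILES; do mv $EXAMPLE_DIR/$f.tf{,_}; done` in one place and `{_,}` in the other would make the next addition a one-line change. The step's script begins and ends outside the hunk, so I cannot see whether a failed destroy leaves the files renamed; if that step is not already guarded, that is worth confirming.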
diff --git a/.github/workflows/deploy_module.yml b/.github/workflows/deploy_module.yml index 388107699..f1085983f 100644 --- a/.github/workflows/deploy_module.yml +++ b/.github/workflows/deploy_module.yml @@ -127,6 +127,18 @@ jobs: hidden_submodules: "azurerm/statistics null/statistics" begin_tag: 1.7.6 + # CipherTrust + ## aws provider + - source_module: "aws/ciphertrust-manager" + destination_repo: "terraform-aws-dsf-ciphertrust-manager" + begin_tag: 1.7.31 + - source_module: "aws/ciphertrust-manager-cluster-setup" + destination_repo: "terraform-aws-dsf-ciphertrust-manager-cluster-setup" + begin_tag: 1.7.31 + - source_module: "aws/cte-ddc-agent" + destination_repo: "terraform-aws-dsf-cte-ddc-agent" + begin_tag: 1.7.31 + # Globals ## aws provider - source_module: "aws/core/globals" diff --git a/README.md b/README.md index e0e45b17e..9875cac6d 100644 --- a/README.md +++ b/README.md @@ -586,7 +586,7 @@ The following table lists the _latest_ DSF Kit releases, their release date and - TBD + 23 June 2025 1.7.30 @@ -595,6 +595,16 @@ The following table lists the _latest_ DSF Kit releases, their release date and
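Review bot: `source_module: "aws/ciphertrust-manager-cluster-setup"` is listed under the `## aws provider` heading, but elsewhere in this series the cluster-setup module lives at `modules/null/ciphertrust-manager-cluster-setup` and its README links to the `null` registry namespace (`imperva/dsf-ciphertrust-manager-cluster-setup/null`), so unless an aws copy of that module exists this entry points at a path that is not in the tree. The sed.expr hunk further down repeats the same `aws` path (`s;imperva/dsf-ciphertrust-manager-cluster-setup/aws;../../../../modules/aws/ciphertrust-manager-cluster-setup;`), and the README's own version snippet uses `/aws` while its minimal example uses `/null`. Settle on one provider for this module before `begin_tag: 1.7.31` is cut, and if it is `null`, move the entry under a null-provider heading with a matching destination repo name (by analogy with the aws entries, `terraform-null-dsf-ciphertrust-manager-cluster-setup` — to be confirmed against the existing null modules).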
2. Added internal support for DRA version 15.0. Set the variable ‘dra_version’ to 15.0 to use it. + + 15 May 2025 + + 1.7.31 + + + 1. Added support for CipherTrust in AWS. +
2. Updated the AWS POC dsf_deployment example. + + diff --git a/examples/aws/poc/dsf_deployment/sonar.tf b/examples/aws/poc/dsf_deployment/sonar.tf index 0209446e4..1f26842d5 100644 --- a/examples/aws/poc/dsf_deployment/sonar.tf +++ b/examples/aws/poc/dsf_deployment/sonar.tf @@ -13,9 +13,8 @@ locals { } module "hub_main" { - source = "../../../../modules/aws/hub" -# source = "imperva/dsf-hub/aws" -# version = "1.7.29" # latest release tag + source = "imperva/dsf-hub/aws" + version = "1.7.29" # latest release tag count = var.enable_sonar ? 1 : 0 friendly_name = join("-", [local.deployment_name_salted, "hub", "main"]) @@ -71,9 +70,8 @@ module "hub_main" { } module "hub_dr" { - source = "../../../../modules/aws/hub" -# source = "imperva/dsf-hub/aws" -# version = "1.7.29" # latest release tag + source = "imperva/dsf-hub/aws" + version = "1.7.29" # latest release tag count = var.enable_sonar && var.hub_hadr ? 1 : 0 friendly_name = join("-", [local.deployment_name_salted, "hub", "DR"]) @@ -123,9 +121,8 @@ module "hub_hadr" { } module "agentless_gw_main" { - source = "../../../../modules/aws/agentless-gw" -# source = "imperva/dsf-agentless-gw/aws" -# version = "1.7.29" # latest release tag + source = "imperva/dsf-agentless-gw/aws" + version = "1.7.29" # latest release tag count = local.agentless_gw_count friendly_name = join("-", [local.deployment_name_salted, "agentless", "gw", count.index, "main"]) @@ -156,9 +153,8 @@ module "agentless_gw_main" { } module "agentless_gw_dr" { - source = "../../../../modules/aws/agentless-gw" -# source = "imperva/dsf-agentless-gw/aws" -# version = "1.7.29" # latest release tag + source = "imperva/dsf-agentless-gw/aws" + version = "1.7.29" # latest release tag count = var.agentless_gw_hadr ? local.agentless_gw_count : 0 friendly_name = join("-", [local.deployment_name_salted, "agentless", "gw", count.index, "DR"]) diff --git a/sed.expr b/sed.expr index ffa1f1e08..d380750a7 100644 --- a/sed.expr +++ b/sed.expr 
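Review bot: `module "hub_main"` now resolves `imperva/dsf-hub/aws` at `version = "1.7.29"`, yet this same series adds the `cm_details` argument that the example passes to that module (via the new modules/aws/hub/cm_association.tf and variables.tf in patch 01) and the README table records CipherTrust support as a 1.7.31 feature; a published 1.7.29 hub will presumably reject `cm_details` as an unsupported argument, so the example as committed only works when sed.expr rewrites the sources back to local paths. Either keep the local `source = "../../../../modules/aws/hub"` until the release that ships `cm_details` exists, or pin that release once it is published. The same applies to the `hub_dr`, `agentless_gw_main` and `agentless_gw_dr` hunks below. Each module block extends past its hunk.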
@@ -25,4 +25,7 @@ s;imperva/dsf-agent-gw/azurerm;../../../../modules/azurerm/agent-gw; s;imperva/dsf-db-with-agent/azurerm;../../../../modules/azurerm/db-with-agent; s;imperva/dsf-dra-admin/azurerm;../../../../modules/azurerm/dra-admin; s;imperva/dsf-dra-analytics/azurerm;../../../../modules/azurerm/dra-analytics; +s;imperva/dsf-ciphertrust-manager/aws;../../../../modules/aws/ciphertrust-manager; +s;imperva/dsf-ciphertrust-manager-cluster-setup/aws;../../../../modules/aws/ciphertrust-manager-cluster-setup; +s;imperva/dsf-cte-ddc-agent/aws;../../../../modules/aws/cte-ddc-agent; /latest release tag/c\ \ No newline at end of file From 61dbe58915bd7a37c4512a5c7bcfd4168869a480 Mon Sep 17 00:00:00 2001 From: "sivan.hajbi" Date: Mon, 14 Jul 2025 16:45:07 +0300 Subject: [PATCH 12/16] disable test_apply in release.yml --- .github/workflows/release.yml | 24 ++++++++++++------------ README.md | 2 +- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8cd675972..89d14e3aa 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
@@ -206,15 +206,15 @@ jobs: env: GH_TOKEN: ${{ github.token }} - test_apply: - needs: release - uses: ./.github/workflows/sonar_poc_cli.yml - with: - use_modules_from_terraform_registry: true - explicit_ref: master - secrets: - AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} - AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} - SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} - ALLOWED_SSH_CIDRS: ${{secrets.ALLOWED_SSH_CIDRS }} - DEPLOYMENT_TAGS: ${{ secrets.DEPLOYMENT_TAGS }} +# test_apply: +# needs: release +# uses: ./.github/workflows/sonar_poc_cli.yml +# with: +# use_modules_from_terraform_registry: true +# explicit_ref: master +# secrets: +# AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} +# AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }} +# SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }} +# ALLOWED_SSH_CIDRS: ${{secrets.ALLOWED_SSH_CIDRS }} +# DEPLOYMENT_TAGS: ${{ secrets.DEPLOYMENT_TAGS }} diff --git a/README.md b/README.md index 9875cac6d..446e2c65b 100644 --- a/README.md +++ b/README.md @@ -596,7 +596,7 @@ The following table lists the _latest_ DSF Kit releases, their release date and - 15 May 2025 + 15 Jul 2025 1.7.31 From a2e855564ddf060457ae0c09c80eda14a8e40fd0 Mon Sep 17 00:00:00 2001 From: lindanasredin Date: Mon, 14 Jul 2025 17:38:36 +0300 Subject: [PATCH 13/16] Added 'all-permutations' option to AWS POC CLI action + other changes --- .github/workflows/dsf_poc_cli.yml | 20 ++++++++++---------- .github/workflows/dsf_poc_standalone.yml | 4 ++-- 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/.github/workflows/dsf_poc_cli.yml b/.github/workflows/dsf_poc_cli.yml index 58cd48d48..68dab61b5 100644 --- a/.github/workflows/dsf_poc_cli.yml +++ b/.github/workflows/dsf_poc_cli.yml @@ -12,7 +12,7 @@ on: deployment_type: required: false type: string - default: 'all' + default: 'all-permutations' version: type: string default: 'latest' 
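Review bot: The `test_apply` job is commented out wholesale with no indication of why or when it should return, which leaves the release workflow publishing to the registry without its post-release apply check and leaves a block of dead YAML for the next reader to puzzle over. Add a one-line reason above it, e.g. `# test_apply temporarily disabled — see <tracking issue placeholder>; re-enable once the CipherTrust example is supported by sonar_poc_cli` (the condition is my inference from the neighbouring patches and should be stated as the team actually intends it). The `jobs:` map continues outside the hunk.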
@@ -44,12 +44,12 @@ on: default: false required: false deployment_type: - description: 'Choose the type of deployments to run: all (default, currently does not include FAM), sonar, sonar-with-fam, dam, dra' + description: 'Choose the type of deployments to run: sonar, sonar-with-fam, dra, dam, all-products (currently does not include FAM) or all-permutations' type: string - default: 'all' + default: 'all-permutations' required: false product_version: - description: 'Product (Sonar with/without FAM, DAM, DRA) version to deploy, default is latest' + description: 'Product (Sonar with/without FAM, DRA, DAM) version to deploy' type: string default: 'latest' required: false 
@@ -99,15 +99,15 @@ jobs: - name: Set Matrix id: set-matrix env: - VAR: ${{ github.event.inputs.deployment_type || 'all' }} + VAR: ${{ github.event.inputs.deployment_type || 'all-permutations' }} run: | MATRIX=$(jq -n --compact-output --arg var "$VAR" '{ "include": [ - (if $var == "all" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_dam":true,"enable_dra":true} else empty end), - (if $var == "sonar" then {"name":"DSF POC - Sonar","workspace":"dsf_cli-sonar-","enable_sonar":true,"enable_dam":false,"enable_dra":false} else empty end), - (if $var == "sonar-with-fam" then {"name":"DSF POC - Sonar with FAM","workspace":"dsf_cli-sonar-with-fam-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":false,"enable_dra":false} else empty end), - (if $var == "dam" then {"name":"DSF POC - DAM","workspace":"dsf_cli-dam-","enable_sonar":false,"enable_dam":true,"enable_dra":false} else empty end), - (if $var == "dra" then {"name":"DSF POC - DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_dam":false,"enable_dra":true} else empty end) + (if $var == "all-permutations" or $var == "all-products" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_dam":true,"enable_dra":true} else empty end), + (if $var == "all-permutations" or $var == "sonar" then {"name":"DSF POC - Sonar","workspace":"dsf_cli-sonar-","enable_sonar":true,"enable_dam":false,"enable_dra":false} else empty end), + (if $var == "all-permutations" or $var == "sonar-with-fam" then {"name":"DSF POC - Sonar with FAM","workspace":"dsf_cli-sonar-with-fam-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":false,"enable_dra":false} else empty end), + (if $var == "all-permutations" or $var == "dam" then {"name":"DSF POC - DAM","workspace":"dsf_cli-dam-","enable_sonar":false,"enable_dam":true,"enable_dra":false} else empty end), + (if $var == "all-permutations" or $var == "dra" then {"name":"DSF POC - 
DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_dam":false,"enable_dra":true} else empty end) ] }') diff --git a/.github/workflows/dsf_poc_standalone.yml b/.github/workflows/dsf_poc_standalone.yml index ce6dd2492..c9408b347 100644 --- a/.github/workflows/dsf_poc_standalone.yml +++ b/.github/workflows/dsf_poc_standalone.yml @@ -1,4 +1,4 @@ -name: DSF POC Standalone +name: DSF POC Standalone - AWS and Azure on: workflow_dispatch: # This allows the workflow to be manually triggered from the GitHub UI @@ -37,7 +37,7 @@ jobs: with: use_modules_from_terraform_registry: true explicit_ref: master - deployment_type: "dra" + deployment_type: ${{ github.event.inputs.deployment_type }} product_full_version: ${{ github.event.inputs.version }} secrets: AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }} From 134a77d3153ad33e808a795199f196eae6ad841e Mon Sep 17 00:00:00 2001 From: lindanasredin Date: Mon, 14 Jul 2025 17:50:34 +0300 Subject: [PATCH 14/16] Changed description of DSF POC CLI action input --- .github/workflows/dsf_poc_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/dsf_poc_cli.yml b/.github/workflows/dsf_poc_cli.yml index 68dab61b5..8ac4e4887 100644 --- a/.github/workflows/dsf_poc_cli.yml +++ b/.github/workflows/dsf_poc_cli.yml @@ -49,7 +49,7 @@ on: default: 'all-permutations' required: false product_version: - description: 'Product (Sonar with/without FAM, DRA, DAM) version to deploy' + description: 'Product version to deploy. Valid for options: sonar, sonar-with-fam, dra, dam. Otherwise latest per product is used.' type: string default: 'latest' required: false From 4428968b73a60dfe5cb43c7f5245be65788bad09 Mon Sep 17 00:00:00 2001 From: lindanasredin Date: Mon, 14 Jul 2025 17:51:33 +0300 Subject: [PATCH 15/16] Changed description of DSF POC CLI action input --- .github/workflows/dsf_poc_cli.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/.github/workflows/dsf_poc_cli.yml b/.github/workflows/dsf_poc_cli.yml index 8ac4e4887..836179f8b 100644 --- a/.github/workflows/dsf_poc_cli.yml +++ b/.github/workflows/dsf_poc_cli.yml @@ -49,7 +49,7 @@ on: default: 'all-permutations' required: false product_version: - description: 'Product version to deploy. Valid for options: sonar, sonar-with-fam, dra, dam. Otherwise latest per product is used.' + description: 'Product version to deploy. Valid for options: sonar, sonar-with-fam, dra and dam. Otherwise latest per product is used.' type: string default: 'latest' required: false From af754a3e9aa1f07f7c1dfbc19bf16ab9eaa4a170 Mon Sep 17 00:00:00 2001 From: lindanasredin Date: Mon, 14 Jul 2025 18:10:31 +0300 Subject: [PATCH 16/16] Fixed DSF POC CLI yaml issue + changed enable_ciphertrust default to true --- .github/workflows/dsf_poc_cli.yml | 8 ++++---- examples/aws/poc/dsf_deployment/variables.tf | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/.github/workflows/dsf_poc_cli.yml b/.github/workflows/dsf_poc_cli.yml index 836179f8b..f22067269 100644 --- a/.github/workflows/dsf_poc_cli.yml +++ b/.github/workflows/dsf_poc_cli.yml 
@@ -103,11 +103,11 @@ jobs: run: | MATRIX=$(jq -n --compact-output --arg var "$VAR" '{ "include": [ - (if $var == "all-permutations" or $var == "all-products" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_dam":true,"enable_dra":true} else empty end), - (if $var == "all-permutations" or $var == "sonar" then {"name":"DSF POC - Sonar","workspace":"dsf_cli-sonar-","enable_sonar":true,"enable_dam":false,"enable_dra":false} else empty end), + (if $var == "all-permutations" or $var == "all-products" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_ciphertrust":false,"enable_dam":true,"enable_dra":true} else empty end), + (if $var == "all-permutations" or $var == "sonar" then {"name":"DSF POC - Sonar","workspace":"dsf_cli-sonar-","enable_sonar":true,"enable_ciphertrust":false,"enable_dam":false,"enable_dra":false} else empty end), (if $var == "all-permutations" or $var == "sonar-with-fam" then {"name":"DSF POC - Sonar with FAM","workspace":"dsf_cli-sonar-with-fam-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":false,"enable_dra":false} else empty end), - (if $var == "all-permutations" or $var == "dam" then {"name":"DSF POC - DAM","workspace":"dsf_cli-dam-","enable_sonar":false,"enable_dam":true,"enable_dra":false} else empty end), - (if $var == "all-permutations" or $var == "dra" then {"name":"DSF POC - DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_dam":false,"enable_dra":true} else empty end) + (if $var == "all-permutations" or $var == "dam" then {"name":"DSF POC - DAM","workspace":"dsf_cli-dam-","enable_sonar":false,"enable_ciphertrust":false,"enable_dam":true,"enable_dra":false} else empty end), + (if $var == "all-permutations" or $var == "dra" then {"name":"DSF POC - DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_ciphertrust":false,"enable_dam":false,"enable_dra":true} else empty end) ] }') 
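Review bot: The `all-products` row of the jq matrix now pins `"enable_ciphertrust":false`, so the permutation named "DSF POC" / all-products does not actually cover CipherTrust Manager; only the `sonar-with-fam` row enables it. If that is intended, record it next to the matrix with a comment such as `# all-products excludes CipherTrust Manager; it is exercised only by the sonar-with-fam permutation`, otherwise set that row to `"enable_ciphertrust":true`. Note also that every row now passes an explicit value while the Terraform default in the same patch flips to `true`; any caller of the example that does not set the variable will presumably get CipherTrust provisioned, which is the opposite of what four of these five rows choose. Passing `$VAR` through `--arg` rather than interpolating it into the jq program is the right way to do this and should stay.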
diff --git a/examples/aws/poc/dsf_deployment/variables.tf b/examples/aws/poc/dsf_deployment/variables.tf index 0af2afcf0..1cdb70da5 100644 --- a/examples/aws/poc/dsf_deployment/variables.tf +++ b/examples/aws/poc/dsf_deployment/variables.tf @@ -30,7 +30,7 @@ variable "enable_dra" { variable "enable_ciphertrust" { type = bool - default = false + default = true description = "Provision CipherTrust Manager" }
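Review bot: Flipping `default = true` on `enable_ciphertrust` changes the footprint of every existing user of the dsf_deployment example who does not set the variable, and the one-line description does not say so. Expand it so the opt-out is visible in `terraform plan` output and generated docs, for example `description = "Provision CipherTrust Manager. Defaults to true, so the additional CipherTrust resources are created unless this is explicitly set to false."`. Given that the CI matrix in the same patch explicitly sets this to false for most permutations, it is worth confirming in the commit message that default-on is the intended behaviour for the example rather than only for the sonar-with-fam case.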
