dsfkit with cm (#472)

.github/workflows/deploy_module.yml

@@ -127,6 +127,18 @@ jobs:
             hidden_submodules: "azurerm/statistics null/statistics"
             begin_tag: 1.7.6
 
+          # CipherTrust
+          ## aws provider
+          - source_module: "aws/ciphertrust-manager"
+            destination_repo: "terraform-aws-dsf-ciphertrust-manager"
+            begin_tag: 1.7.31
+          - source_module: "aws/ciphertrust-manager-cluster-setup"
+            destination_repo: "terraform-aws-dsf-ciphertrust-manager-cluster-setup"
+            begin_tag: 1.7.31
+          - source_module: "aws/cte-ddc-agent"
+            destination_repo: "terraform-aws-dsf-cte-ddc-agent"
+            begin_tag: 1.7.31
+
           # Globals
           ## aws provider
           - source_module: "aws/core/globals"

.github/workflows/dsf_poc_cli.yml

@@ -12,7 +12,7 @@ on:
       deployment_type:
         required: false
         type: string
-        default: 'all'
+        default: 'all-permutations'
       version:
         type: string
         default: 'latest'
@@ -44,12 +44,12 @@ on:
         default: false
         required: false
       deployment_type:
-        description: 'Choose the type of deployments to run: all (default), sonar, dam, dra'
+        description: 'Choose the type of deployments to run: sonar, sonar-with-fam, dra, dam, all-products (currently does not include FAM) or all-permutations'
         type: string
-        default: 'all'
+        default: 'all-permutations'
         required: false
       product_version:
-        description: 'Product (DAM, DRA, SONAR) version to deploy, default is latest'
+        description: 'Product version to deploy. Valid for options: sonar, sonar-with-fam, dra and dam. Otherwise latest per product is used.'
         type: string
         default: 'latest'
         required: false
@@ -99,14 +99,15 @@ jobs:
       - name: Set Matrix
         id: set-matrix
         env:
-          VAR: ${{ github.event.inputs.deployment_type || 'all' }}
+          VAR: ${{ github.event.inputs.deployment_type || 'all-permutations' }}
         run: |
           MATRIX=$(jq -n --compact-output --arg var "$VAR" '{
             "include": [
-              (if $var == "all" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_dam":true,"enable_dra":true} else empty end),
-              (if $var == "all" or $var == "sonar" then {"name":"DSF POC - SONAR","workspace":"dsf_cli-sonar-","enable_sonar":true,"enable_dam":false,"enable_dra":false} else empty end),
-              (if $var == "all" or $var == "dam" then {"name":"DSF POC - DAM","workspace":"dsf_cli-dam-","enable_sonar":false,"enable_dam":true,"enable_dra":false} else empty end),
-              (if $var == "all" or $var == "dra" then {"name":"DSF POC - DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_dam":false,"enable_dra":true} else empty end)
+              (if $var == "all-permutations" or $var == "all-products" then {"name":"DSF POC","workspace":"dsf_cli-all-","enable_sonar":true,"enable_ciphertrust":false,"enable_dam":true,"enable_dra":true} else empty end),
+              (if $var == "all-permutations" or $var == "sonar" then {"name":"DSF POC - Sonar","workspace":"dsf_cli-sonar-","enable_sonar":true,"enable_ciphertrust":false,"enable_dam":false,"enable_dra":false} else empty end),
+              (if $var == "all-permutations" or $var == "sonar-with-fam" then {"name":"DSF POC - Sonar with FAM","workspace":"dsf_cli-sonar-with-fam-","enable_sonar":true,"enable_ciphertrust":true,"enable_dam":false,"enable_dra":false} else empty end),
+              (if $var == "all-permutations" or $var == "dam" then {"name":"DSF POC - DAM","workspace":"dsf_cli-dam-","enable_sonar":false,"enable_ciphertrust":false,"enable_dam":true,"enable_dra":false} else empty end),
+              (if $var == "all-permutations" or $var == "dra" then {"name":"DSF POC - DRA","workspace":"dsf_cli-dra-","enable_sonar":false,"enable_ciphertrust":false,"enable_dam":false,"enable_dra":true} else empty end)
             ]
           }')
 
@@ -123,6 +124,8 @@ jobs:
               DEPLOYMENT_VERSION="dra_version=${{ github.event.inputs.product_version }}"
             elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar" ]]; then
               DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_version }}"
+            elif [[ "${{ github.event.inputs.deployment_type }}" == "sonar-with-fam" ]]; then
+              DEPLOYMENT_VERSION="sonar_version=${{ github.event.inputs.product_version }}"
             fi
           fi
           echo "deployment_version=$DEPLOYMENT_VERSION" >> $GITHUB_OUTPUT
@@ -139,6 +142,7 @@ jobs:
       EXAMPLE_DIR: ./examples/aws/poc/dsf_deployment
       AWS_REGION: eu-west-2
       TF_VAR_enable_sonar: ${{ matrix.enable_sonar }}
+      TF_VAR_enable_ciphertrust: ${{ matrix.enable_ciphertrust }}
       TF_VAR_enable_dam: ${{ matrix.enable_dam }}
       TF_VAR_enable_dra: ${{ matrix.enable_dra }}
       TF_VAR_allowed_ssh_cidrs: ${{ secrets.ALLOWED_SSH_CIDRS }}
@@ -229,6 +233,9 @@ jobs:
             mv $EXAMPLE_DIR/networking.tf{,_}
             mv $EXAMPLE_DIR/agentless_sources.tf{,_}
             mv $EXAMPLE_DIR/agent_sources.tf{,_}
+            mv $EXAMPLE_DIR/versions.tf{,_}
+            mv $EXAMPLE_DIR/cm.tf{,_}
+            mv $EXAMPLE_DIR/cte_ddc_agents.tf{,_}
             terraform -chdir=$EXAMPLE_DIR destroy -var dam_license=license.mprv -auto-approve
             mv $EXAMPLE_DIR/main.tf{_,}
             mv $EXAMPLE_DIR/outputs.tf{_,}
@@ -238,6 +245,9 @@ jobs:
             mv $EXAMPLE_DIR/networking.tf{_,}
             mv $EXAMPLE_DIR/agentless_sources.tf{_,}
             mv $EXAMPLE_DIR/agent_sources.tf{_,}
+            mv $EXAMPLE_DIR/versions.tf{_,}
+            mv $EXAMPLE_DIR/cm.tf{_,}
+            mv $EXAMPLE_DIR/cte_ddc_agents.tf{_,}
           fi
 
       - name: Terraform Validate

.github/workflows/dsf_poc_standalone.yml

@@ -1,10 +1,10 @@
-name: DSF POC Standalone
+name: DSF POC Standalone - AWS and Azure
 
 on:
   workflow_dispatch:  # This allows the workflow to be manually triggered from the GitHub UI
     inputs:
       deployment_type:
-        description: "Deployment type to pass, choose: dra, dam or sonar."
+        description: "Deployment type to pass, choose: sonar, sonar-with-fam, dra or dam."
         required: true
         default: "dra"
       version:
@@ -37,7 +37,7 @@ jobs:
     with:
       use_modules_from_terraform_registry: true
       explicit_ref: master
-      deployment_type: "dra"
+      deployment_type: ${{ github.event.inputs.deployment_type }}
       product_full_version: ${{ github.event.inputs.version }}
     secrets:
       AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}

.github/workflows/release.yml

@@ -206,15 +206,15 @@ jobs:
         env:
           GH_TOKEN: ${{ github.token }}
 
-  test_apply:
-    needs: release
-    uses: ./.github/workflows/sonar_poc_cli.yml
-    with:
-      use_modules_from_terraform_registry: true
-      explicit_ref: master
-    secrets:
-      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
-      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
-      ALLOWED_SSH_CIDRS: ${{secrets.ALLOWED_SSH_CIDRS }}
-      DEPLOYMENT_TAGS: ${{ secrets.DEPLOYMENT_TAGS }}
+#  test_apply:
+#    needs: release
+#    uses: ./.github/workflows/sonar_poc_cli.yml
+#    with:
+#      use_modules_from_terraform_registry: true
+#      explicit_ref: master
+#    secrets:
+#      AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
+#      AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
+#      SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
+#      ALLOWED_SSH_CIDRS: ${{secrets.ALLOWED_SSH_CIDRS }}
+#      DEPLOYMENT_TAGS: ${{ secrets.DEPLOYMENT_TAGS }}

README.md

@@ -586,7 +586,7 @@ The following table lists the _latest_ DSF Kit releases, their release date and
     </td>
   </tr>
   <tr>
-    <td>TBD
+    <td>23 June 2025
     </td>
     <td>1.7.30
     </td>
@@ -595,6 +595,16 @@ The following table lists the _latest_ DSF Kit releases, their release date and
       <br/>2. Added internal support for DRA version 15.0. Set the variable ‘dra_version’ to 15.0 to use it.
     </td>
   </tr>
+  <tr>
+    <td>15 Jul 2025
+    </td>
+    <td>1.7.31
+    </td>
+    <td>
+      1. Added support for CipherTrust in AWS.
+      <br/>2. Updated the AWS POC dsf_deployment example.
+    </td>
+  </tr>
 
 </table>
 

examples/aws/poc/dsf_deployment/README.md

@@ -1,7 +1,7 @@
 # DSF Deployment example
 [![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags)
 
-This example provides a full DSF (Data Security Fabric) deployment with DSF Hub, Agentless Gateways, DAM (Database Activity Monitoring), DRA (Data Risk Analytics) and Agent and Agentless audit sources.
+This example provides a full DSF (Data Security Fabric) deployment with DSF Hub, Agentless Gateways, DAM (Database Activity Monitoring), DRA (Data Risk Analytics) and Agent and Agentless audit sources, and also deploys CipherTrust Manager and CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) agents.
 
 ## Modularity
 The deployment is modular and allows users to deploy one or more of the following modules:
@@ -21,6 +21,9 @@ The deployment is modular and allows users to deploy one or more of the followin
 5. Audit sources
    - Agent audit sources (EC2 instances)
    - Agentless audit sources (RDS instances)
+6. CipherTrust Manager
+7. CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) Agents
+
 
 ### Deploying Specific Modules
 
@@ -33,9 +36,10 @@ To deploy only the DAM module, set the following variables in your Terraform con
 enable_dam = true
 enable_sonar = false
 enable_dra = false
+enable_ciphertrust = false
 ```
 
-This configuration will enable the DAM module while disabling the DSF Hub and DRA modules.
+This configuration will enable the DAM module while disabling the DSF Hub, DRA and CipherTrust modules.
 
 #### 2. DRA Only Deployment
 
@@ -44,9 +48,10 @@ To deploy only the DRA module, set the following variables in your Terraform con
 enable_dam = false
 enable_sonar = false
 enable_dra = true
+enable_ciphertrust = false
 ```
 
-This configuration will enable the DRA module while disabling the DSF Hub and DAM modules.
+This configuration will enable the DRA module while disabling the DSF Hub, DAM and CipherTrust modules.
 
 #### 3. Sonar Only Deployment
 
@@ -55,9 +60,22 @@ To deploy only the Sonar module, set the following variables in your Terraform c
 enable_dam = false
 enable_sonar = true
 enable_dra = false
+enable_ciphertrust = false
+```
+
+This configuration will enable the Sonar module, including the DSF Hub, while disabling the DAM, DRA and CipherTrust modules.
+
+#### 4. CipherTrust Only Deployment
+
+To deploy only the Sonar module, set the following variables in your Terraform configuration:
+```
+enable_dam = false
+enable_sonar = false
+enable_dra = false
+enable_ciphertrust = true
 ```
 
-This configuration will enable the Sonar module, including the DSF Hub, while disabling the DAM and DRA modules.
+This configuration will enable the CipherTrust module, including the CipherTrust Manager and the CTE and/or DDC agents, while disabling the DAM, DRA and Sonar modules.
 
 Feel free to customize your deployment by setting the appropriate variables based on your requirements.
 
@@ -68,11 +86,19 @@ Several variables in the `variables.tf` file are important for configuring the d
 - `enable_sonar`: Enable Sonar sub-product
 - `enable_dam`: Enable DAM sub-product
 - `enable_dra`: Enable DRA sub-product
+- `enable_ciphertrust`: Enable CipherTrust sub-product
 
 ### Server Count
 - `dra_analytics_count`: Number of DRA Analytics servers
 - `agentless_gw_count`: Number of Agentless Gateways
 - `agent_gw_count`: Number of Agent Gateways
+- `ciphertrust_manager_count`: Number of CipherTrust Manager servers (if more than one, configured as a cluster)
+- `cte_ddc_agents_linux_count`: Number of CTE-DDC agent Linux servers
+- `cte_agents_linux_count`: Number of CTE agent Linux servers
+- `ddc_agents_linux_count`: Number of DDC agent Linux servers
+- `cte_ddc_agents_windows_count`: Number of CTE-DDC agent Windows servers
+- `cte_agents_windows_count`: Number of CTE agent Windows servers
+- `ddc_agents_windows_count`: Number of DDC agent Windows servers
 
 ### High Availability (HADR)
 - `hub_hadr`: Enable DSF Hub High Availability Disaster Recovery (HADR)

examples/aws/poc/dsf_deployment/cm.tf

@@ -0,0 +1,69 @@
+locals {
+  ciphertrust_manager_count = var.enable_ciphertrust ? var.ciphertrust_manager_count : 0
+  ciphertrust_cidr_list = [data.aws_subnet.ciphertrust_manager.cidr_block]
+  ciphertrust_manager_web_console_username = "admin"
+}
+
+module "ciphertrust_manager" {
+  source  = "../../../../modules/aws/ciphertrust-manager"
+  #   source  = "imperva/dsf-ciphertrust-manager/aws"
+  #   version = "1.7.17" # latest release tag
+  count   = local.ciphertrust_manager_count
+  ami  = var.ciphertrust_manager_ami_id == null ? null : {
+    id               = var.ciphertrust_manager_ami_id
+    name_regex       = null
+    product_code     = null
+    owner_account_id = null
+  }
+  friendly_name               = join("-", [local.deployment_name_salted, "ciphertrust", "manager", count.index])
+  ebs                         = var.ciphertrust_manager_ebs_details
+  subnet_id                   = local.ciphertrust_manager_subnet_id
+  attach_persistent_public_ip = true
+  key_pair                          = module.key_pair.key_pair.key_pair_name
+  allowed_web_console_and_api_cidrs = var.web_console_cidr
+  allowed_ssh_cidrs                 = concat(local.workstation_cidr, var.allowed_ssh_cidrs)
+  allowed_cluster_nodes_cidrs       = [data.aws_subnet.ciphertrust_manager.cidr_block]
+  allowed_ddc_agents_cidrs          = [data.aws_subnet.cte_ddc_agent.cidr_block]
+  allowed_all_cidrs                 = local.workstation_cidr
+  tags = local.tags
+  depends_on = [
+    module.vpc
+  ]
+}
+
+provider "ciphertrust" {
+  address  = local.ciphertrust_manager_count > 0 ? "https://${module.ciphertrust_manager[0].public_ip}" : null
+  username = local.ciphertrust_manager_web_console_username
+  password = local.ciphertrust_manager_password
+  // destroy cluster can take almost a minute so give us a bit of a buffer
+  rest_api_timeout = 720
+}
+
+resource "ciphertrust_trial_license" "trial_license" {
+  count = local.ciphertrust_manager_count > 0 ? 1 : 0
+  flag = "activate"
+}
+
+module "ciphertrust_manager_cluster_setup" {
+  source  = "../../../../modules/null/ciphertrust-manager-cluster-setup"
+  #   source  = "imperva/dsf-ciphertrust-manager-cluster-setup/aws"
+  #   version = "1.7.17" # latest release tag
+  count   = local.ciphertrust_manager_count > 1 ? 1 : 0
+  nodes = [
+    for i in range(length(module.ciphertrust_manager)) : {
+      host = module.ciphertrust_manager[i].private_ip
+      public_address    = coalesce(module.ciphertrust_manager[i].public_ip, module.ciphertrust_manager[i].private_ip)
+    }
+  ]
+  credentials = {
+    user     = local.ciphertrust_manager_web_console_username
+    password = local.ciphertrust_manager_password
+  }
+  ddc_node_setup = {
+    enabled = true
+    node_address = coalesce(module.ciphertrust_manager[0].public_ip, module.ciphertrust_manager[0].private_ip)
+  }
+  depends_on = [
+    module.ciphertrust_manager
+  ]
+}