dsfkit with cm (#472)

examples/aws/poc/dsf_deployment/cm.tf

@@ -1,13 +1,14 @@
 locals {
   ciphertrust_manager_count = var.enable_ciphertrust ? var.ciphertrust_manager_count : 0
+  ciphertrust_cidr_list = [data.aws_subnet.ciphertrust_manager.cidr_block]
   ciphertrust_manager_web_console_username = "admin"
 }
 
 module "ciphertrust_manager" {
   # TODO sivan - change module name to ciphertrust manager
   source  = "../../../../modules/aws/ciphertrust_manager"
-#   source  = "imperva/dsf-ciphertrust-manager/aws"
-#   version = "1.7.17" # latest release tag
+  #   source  = "imperva/dsf-ciphertrust-manager/aws"
+  #   version = "1.7.17" # latest release tag
   count   = local.ciphertrust_manager_count
   ami_id  = var.ciphertrust_manager_ami_id
   friendly_name               = join("-", [local.deployment_name_salted, "ciphertrust", "manager", count.index])
@@ -18,7 +19,7 @@ module "ciphertrust_manager" {
   allowed_web_console_and_api_cidrs = var.web_console_cidr
   allowed_ssh_cidrs                 = concat(local.workstation_cidr, var.allowed_ssh_cidrs)
   allowed_cluster_nodes_cidrs       = [data.aws_subnet.ciphertrust_manager.cidr_block]
-  allowed_ddc_agents_cidrs          = []
+  allowed_ddc_agents_cidrs          = [data.aws_subnet.cte_ddc_agent.cidr_block]
   allowed_all_cidrs                 = local.workstation_cidr
   tags = local.tags
   depends_on = [
@@ -27,15 +28,15 @@ module "ciphertrust_manager" {
 }
 
 provider "ciphertrust" {
-  address  =  var.enable_ciphertrust ? "https://${module.ciphertrust_manager[0].public_ip}" : null
+  address  =  local.ciphertrust_manager_count > 0 ? "https://${module.ciphertrust_manager[0].public_ip}" : null
   username = local.ciphertrust_manager_web_console_username
   password = local.ciphertrust_manager_password
   // destroy cluster can take almost a minute so give us a bit of a buffer
   rest_api_timeout = 720
 }
 
 resource "ciphertrust_trial_license" "trial_license" {
-  count = var.enable_ciphertrust ? 1 : 0
+  count = local.ciphertrust_manager_count > 0 ? 1 : 0
   flag = "activate"
 }
 

examples/aws/poc/dsf_deployment/cte_ddc_agents.tf

@@ -0,0 +1,115 @@
+locals {
+  cte_ddc_linux_count = local.ciphertrust_manager_count > 0 ? var.cte_ddc_agents_linux_count : 0
+  cte_linux_count = local.ciphertrust_manager_count > 0 ? var.cte_agents_linux_count : 0
+  ddc_linux_count = local.ciphertrust_manager_count > 0 ? var.ddc_agents_linux_count : 0
+  cte_ddc_windows_count = local.ciphertrust_manager_count > 0 ? var.cte_ddc_agents_windows_count : 0
+  cte_windows_count = local.ciphertrust_manager_count > 0 ? var.cte_agents_windows_count : 0
+  ddc_windows_count = local.ciphertrust_manager_count > 0 ? var.ddc_agents_windows_count : 0
+  total_agents_count = local.cte_ddc_linux_count + local.cte_ddc_windows_count
+
+  installation_map = {
+    "Red Hat" = {
+      cte_installation_path = var.cte_agent_linux_installation_file
+      ddc_installation_path = var.ddc_agent_linux_installation_file
+    },
+    "Windows" = {
+      cte_installation_path = var.cte_agent_windows_installation_file
+      ddc_installation_path = var.ddc_agent_windows_installation_file
+    }
+  }
+
+  # Prepare Linux Agent Instances
+  linux_cte_ddc_instances = [for i in range(local.cte_ddc_linux_count) : {
+    id                = "cte-ddc-agent-linux-${i}"
+    os_type           = "Red Hat"
+    install_cte       = true
+    install_ddc       = true
+  }]
+  linux_cte_only_instances = [for i in range(var.cte_agents_linux_count) : {
+    id                = "cte-agent-linux-${i}"
+    os_type           = "Red Hat"
+    install_cte       = true
+    install_ddc       = false
+  }]
+  linux_ddc_only_instances = [for i in range(var.ddc_agents_linux_count) : {
+    id                = "ddc-agent-linux-${i}"
+    os_type           = "Red Hat"
+    install_cte       = false
+    install_ddc       = true
+  }]
+  # Prepare Windows Agent Instances
+  windows_cte_ddc_instances = [for i in range(local.cte_ddc_windows_count) : {
+    id                = "cte-ddc-agent-windows-${i}"
+    os_type           = "Windows"
+    install_cte       = true
+    install_ddc       = true
+  }]
+  windows_cte_only_instances = [for i in range(var.cte_agents_windows_count) : {
+    id                = "cte-agent-windows-${i}"
+    os_type           = "Windows"
+    install_cte       = true
+    install_ddc       = false
+  }]
+  windows_ddc_only_instances = [for i in range(var.ddc_agents_windows_count) : {
+    id                = "ddc-agent-windows-${i}"
+    os_type           = "Windows"
+    install_cte       = false
+    install_ddc       = true
+  }]
+
+
+  # Concatenate all ahent lists and convert to a map for for_each
+  all_agent_instances_map = {
+    for instance in concat(
+      local.linux_cte_ddc_instances,
+      local.linux_cte_only_instances,
+      local.linux_ddc_only_instances,
+      local.windows_cte_ddc_instances,
+      local.windows_cte_only_instances,
+      local.windows_ddc_only_instances
+    ) : instance.id => instance
+  }
+}
+
+resource "ciphertrust_cte_registration_token" "reg_token" {
+  count = length(local.all_agent_instances_map) > 0 ? 1 : 0
+  lifetime = "24h"
+  max_clients = 100
+  name_prefix = "cte-agent"
+}
+
+module "cte_ddc_agents" {
+  source  = "../../../../modules/aws/cte-ddc-agent"
+#   source  = "imperva/dsf-cte-ddc-agent/aws"
+#   version = "1.7.17" # latest release tag
+#   count   = local.cte_ddc_linux_count
+  for_each = local.all_agent_instances_map
+  friendly_name               = join("-", [local.deployment_name_salted, each.value.id])
+  subnet_id                   = local.cte_ddc_agent_subnet_id
+  ssh_key_pair = {
+    ssh_private_key_file_path = module.key_pair.private_key_file_path
+    ssh_public_key_name       = module.key_pair.key_pair.key_pair_name
+  }
+  os_type                     = each.value.os_type
+  attach_persistent_public_ip = true
+  use_public_ip               = true
+  allowed_ssh_cidrs           = concat(local.workstation_cidr, var.allowed_ssh_cidrs)
+  allowed_rdp_cidrs           = each.value.os_type == "Windows" ? concat(local.workstation_cidr, var.allowed_ssh_cidrs) : null
+  cipher_trust_manager_address = module.ciphertrust_manager[0].private_ip
+  agent_installation = {
+    registration_token = ciphertrust_cte_registration_token.reg_token[0].token
+    install_cte = each.value.install_cte
+    install_ddc = each.value.install_ddc
+    cte_agent_installation_file  = each.value.install_cte ? local.installation_map[each.value.os_type].cte_installation_path : null
+    ddc_agent_installation_file  = each.value.install_ddc ? local.installation_map[each.value.os_type].ddc_installation_path : null
+  }
+  tags = local.tags
+  depends_on = [
+    module.vpc,
+    module.ciphertrust_manager,
+    ciphertrust_trial_license.trial_license,
+    module.ciphertrust_manager_cluster_setup
+  ]
+}
+
+

examples/aws/poc/dsf_deployment/networking.tf

@@ -9,6 +9,7 @@ locals {
   dra_analytics_subnet_id        = var.subnet_ids != null ? var.subnet_ids.dra_analytics_subnet_id : module.vpc[0].private_subnets[0]
   agent_gw_subnet_id             = var.subnet_ids != null ? var.subnet_ids.agent_gw_subnet_id : module.vpc[0].private_subnets[0]
   ciphertrust_manager_subnet_id  = var.subnet_ids != null ? var.subnet_ids.ciphertrust_subnet_id : module.vpc[0].public_subnets[0]
+  cte_ddc_agent_subnet_id        = var.subnet_ids != null ? var.subnet_ids.cte_ddc_agent_subnet_id : module.vpc[0].public_subnets[0]
 }
 
 module "vpc" {
@@ -66,4 +67,8 @@ data "aws_subnet" "dra_analytics" {
 
 data "aws_subnet" "ciphertrust_manager" {
   id = local.ciphertrust_manager_subnet_id
-}
+}
+
+data "aws_subnet" "cte_ddc_agent" {
+  id = local.cte_ddc_agent_subnet_id
+}

examples/aws/poc/dsf_deployment/outputs.tf

@@ -138,6 +138,44 @@ output "ciphertrust" {
   } : null
 }
 
+output "cte_ddc_agents" {
+  value = var.enable_ciphertrust ? {
+    cte_agents = [
+      for val in concat(local.linux_cte_only_instances, local.windows_cte_only_instances) :
+      {
+        private_ip    = module.cte_ddc_agents[val.id].private_ip
+        private_dns   = module.cte_ddc_agents[val.id].private_dns
+        public_ip     = module.cte_ddc_agents[val.id].public_ip
+        public_dns    = module.cte_ddc_agents[val.id].public_dns
+        display_name  = try(module.cte_ddc_agents[val.id].display_name, null)
+        ssh_command   = try("ssh -i ${local.private_key_file_path} ${module.cte_ddc_agents[val.id].ssh_user}@${module.cte_ddc_agents[val.id].public_ip}", null)
+      }
+    ]
+    ddc_agents = [
+      for val in concat(local.linux_ddc_only_instances, local.windows_ddc_only_instances) :
+      {
+        private_ip    = module.cte_ddc_agents[val.id].private_ip
+        private_dns   = module.cte_ddc_agents[val.id].private_dns
+        public_ip     = module.cte_ddc_agents[val.id].public_ip
+        public_dns    = module.cte_ddc_agents[val.id].public_dns
+        display_name  = try(module.cte_ddc_agents[val.id].display_name, null)
+        ssh_command   = try("ssh -i ${local.private_key_file_path} ${module.cte_ddc_agents[val.id].ssh_user}@${module.cte_ddc_agents[val.id].public_ip}", null)
+      }
+    ]
+    cte_ddc_windows_agents = [
+      for val in concat(local.linux_cte_ddc_instances, local.windows_cte_ddc_instances) :
+      {
+        private_ip    = module.cte_ddc_agents[val.id].private_ip
+        private_dns   = module.cte_ddc_agents[val.id].private_dns
+        public_ip     = module.cte_ddc_agents[val.id].public_ip
+        public_dns    = module.cte_ddc_agents[val.id].public_dns
+        display_name  = try(module.cte_ddc_agents[val.id].display_name, null)
+        ssh_command   = try("ssh -i ${local.private_key_file_path} ${module.cte_ddc_agents[val.id].ssh_user}@${module.cte_ddc_agents[val.id].public_ip}", null)
+      }
+    ]
+  } : null
+}
+
 output "audit_sources" {
   value = {
     agent_sources = [

examples/aws/poc/dsf_deployment/sonar.tf

@@ -6,6 +6,7 @@ locals {
   hub_dr_public_ip       = var.enable_sonar && var.hub_hadr ? (length(module.hub_dr[0].public_ip) > 0 ? format("%s/32", module.hub_dr[0].public_ip) : null) : null
   hub_cidr_list          = compact([data.aws_subnet.hub.cidr_block, data.aws_subnet.hub_dr.cidr_block, local.hub_public_ip, local.hub_dr_public_ip])
   agentless_gw_cidr_list = [data.aws_subnet.agentless_gw.cidr_block, data.aws_subnet.agentless_gw_dr.cidr_block]
+  cte_agents_cidr_list   = var.enable_ciphertrust ? [data.aws_subnet.cte_ddc_agent.cidr_block] : []
 }
 
 module "hub_main" {
@@ -67,8 +68,9 @@ module "hub_main" {
 }
 
 module "hub_dr" {
-  source  = "imperva/dsf-hub/aws"
-  version = "1.7.29" # latest release tag
+  source = "../../../../modules/aws/hub"
+#   source  = "imperva/dsf-hub/aws"
+#   version = "1.7.29" # latest release tag
   count   = var.enable_sonar && var.hub_hadr ? 1 : 0
 
   friendly_name                = join("-", [local.deployment_name_salted, "hub", "DR"])
@@ -118,8 +120,9 @@ module "hub_hadr" {
 }
 
 module "agentless_gw_main" {
-  source  = "imperva/dsf-agentless-gw/aws"
-  version = "1.7.29" # latest release tag
+  source = "../../../../modules/aws/agentless-gw"
+#   source  = "imperva/dsf-agentless-gw/aws"
+#   version = "1.7.29" # latest release tag
   count   = local.agentless_gw_count
 
   friendly_name         = join("-", [local.deployment_name_salted, "agentless", "gw", count.index, "main"])
@@ -135,6 +138,7 @@ module "agentless_gw_main" {
   }
   allowed_agentless_gw_cidrs = [data.aws_subnet.agentless_gw_dr.cidr_block]
   allowed_hub_cidrs          = [data.aws_subnet.hub.cidr_block, data.aws_subnet.hub_dr.cidr_block]
+  allowed_cte_agents_cidrs   = local.cte_agents_cidr_list
   allowed_all_cidrs          = local.workstation_cidr
   allowed_ssh_cidrs          = var.allowed_ssh_cidrs
   ingress_communication_via_proxy = {
@@ -149,8 +153,9 @@ module "agentless_gw_main" {
 }
 
 module "agentless_gw_dr" {
-  source  = "imperva/dsf-agentless-gw/aws"
-  version = "1.7.29" # latest release tag
+  source = "../../../../modules/aws/agentless-gw"
+#   source  = "imperva/dsf-agentless-gw/aws"
+#   version = "1.7.29" # latest release tag
   count   = var.agentless_gw_hadr ? local.agentless_gw_count : 0
 
   friendly_name                = join("-", [local.deployment_name_salted, "agentless", "gw", count.index, "DR"])
@@ -169,6 +174,7 @@ module "agentless_gw_dr" {
   }
   allowed_agentless_gw_cidrs = [data.aws_subnet.agentless_gw.cidr_block]
   allowed_hub_cidrs          = [data.aws_subnet.hub.cidr_block, data.aws_subnet.hub_dr.cidr_block]
+  allowed_cte_agents_cidrs   = local.cte_agents_cidr_list
   allowed_all_cidrs          = local.workstation_cidr
   allowed_ssh_cidrs          = var.allowed_ssh_cidrs
   ingress_communication_via_proxy = {

examples/aws/poc/dsf_deployment/variables.tf

@@ -115,12 +115,13 @@ variable "subnet_ids" {
     dra_admin_subnet_id           = string
     dra_analytics_subnet_id       = string
     ciphertrust_manager_subnet_id = string
-    db_subnet_ids             = list(string)
+    cte_ddc_agent_subnet_id       = string
+    db_subnet_ids                 = list(string)
   })
   default     = null
   description = "The IDs of existing subnets to deploy resources in. Keep empty if you wish to provision new VPC and subnets. db_subnet_ids can be an empty list only if no databases should be provisioned"
   validation {
-    condition     = var.subnet_ids == null || try(var.subnet_ids.hub_subnet_id != null && var.subnet_ids.hub_dr_subnet_id != null && var.subnet_ids.agentless_gw_subnet_id != null && var.subnet_ids.agentless_gw_dr_subnet_id != null && var.subnet_ids.mx_subnet_id != null && var.subnet_ids.agent_gw_subnet_id != null && var.subnet_ids.dra_admin_subnet_id != null && var.subnet_ids.dra_analytics_subnet_id != null && var.subnet_ids.ciphertrust_manager_subnet_id != null && var.subnet_ids.db_subnet_ids != null, false)
+    condition     = var.subnet_ids == null || try(var.subnet_ids.hub_subnet_id != null && var.subnet_ids.hub_dr_subnet_id != null && var.subnet_ids.agentless_gw_subnet_id != null && var.subnet_ids.agentless_gw_dr_subnet_id != null && var.subnet_ids.mx_subnet_id != null && var.subnet_ids.agent_gw_subnet_id != null && var.subnet_ids.dra_admin_subnet_id != null && var.subnet_ids.dra_analytics_subnet_id != null && var.subnet_ids.ciphertrust_manager_subnet_id != null && var.subnet_ids.cte_ddc_agent_subnet_id != null && var.subnet_ids.db_subnet_ids != null, false)
     error_message = "Value must either be null or specified for all"
   }
   validation {
@@ -403,4 +404,64 @@ variable "ciphertrust_manager_ami_id" {
   type        = string
   description = "Ciphertrust Manager AMI id. If set to null, the latest AMI will be taken from AWS marketplace"
   default     = null
+}
+
+variable "cte_agent_linux_installation_file" {
+  type        = string
+  description = "Path to the CTE agent linux installation file"
+  default     = null
+}
+
+variable "ddc_agent_linux_installation_file" {
+  type        = string
+  description = "Path to the DDC agent linux installation file"
+  default     = null
+}
+
+variable "cte_agent_windows_installation_file" {
+  type        = string
+  description = "Path to the CTE agent windows installation file"
+  default     = null
+}
+
+variable "ddc_agent_windows_installation_file" {
+  type        = string
+  description = "Path to the DDC agent windows installation file"
+  default     = null
+}
+
+variable "cte_ddc_agents_linux_count" {
+  type        = number
+  default     = 1
+  description = "Number of CTE-DDC agent linux servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'."
+}
+
+variable "cte_agents_linux_count" {
+  type        = number
+  default     = 0
+  description = "Number of CTE agent linux servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'."
+}
+
+variable "ddc_agents_linux_count" {
+  type        = number
+  default     = 0
+  description = "Number of DDC agent linux servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'."
+}
+
+variable "cte_ddc_agents_windows_count" {
+  type        = number
+  default     = 1
+  description = "Number of CTE-DDC agent windows servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'."
+}
+
+variable "cte_agents_windows_count" {
+  type        = number
+  default     = 0
+  description = "Number of CTE agent windows servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'."
+}
+
+variable "ddc_agents_windows_count" {
+  type        = number
+  default     = 0
+  description = "Number of DDC agent windows servers. Provisioning CTE-DDC agent servers requires the enable_ciphertrust variable to be set to 'true'."
 }

examples/aws/poc/dsf_deployment/versions.tf

@@ -8,6 +8,7 @@ terraform {
     }
     ciphertrust = {
       source  = "ThalesGroup/ciphertrust"
+#       version = "1.0.0-pre3"
       version = "~> 0.11.1"
     }
     local = {

modules/aws/agentless-gw/main.tf

@@ -20,6 +20,13 @@ locals {
       udp             = []
       tcp             = [3030, 27117, 22]
       cidrs           = concat(var.allowed_agentless_gw_cidrs, var.allowed_all_cidrs)
+    },
+    {
+      name            = ["cte", "agents"]
+      internet_access = false
+      udp             = []
+      tcp             = [11570, 10570] # syslog TLS port 11570, TCP is 10570
+      cidrs           = concat(var.allowed_cte_agents_cidrs, var.allowed_all_cidrs)
     }
   ]
 }