dsfkit with cm (#472)

examples/aws/poc/dsf_deployment/README.md

@@ -1,7 +1,7 @@
 # DSF Deployment example
 [![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags)
 
-This example provides a full DSF (Data Security Fabric) deployment with DSF Hub, Agentless Gateways, DAM (Database Activity Monitoring), DRA (Data Risk Analytics) and Agent and Agentless audit sources.
+This example provides a full DSF (Data Security Fabric) deployment with DSF Hub, Agentless Gateways, DAM (Database Activity Monitoring), DRA (Data Risk Analytics) and Agent and Agentless audit sources, and also deploys CipherTrust Manager and CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) agents.
 
 ## Modularity
 The deployment is modular and allows users to deploy one or more of the following modules:
@@ -21,6 +21,9 @@ The deployment is modular and allows users to deploy one or more of the followin
 5. Audit sources
    - Agent audit sources (EC2 instances)
    - Agentless audit sources (RDS instances)
+6. CipherTrust Manager
+7. CipherTrust Transparent Encryption (CTE) and/or Data Discovery and Classification (DDC) Agents
+
 
 ### Deploying Specific Modules
 
@@ -33,9 +36,10 @@ To deploy only the DAM module, set the following variables in your Terraform con
 enable_dam = true
 enable_sonar = false
 enable_dra = false
+enable_ciphertrust = false
 ```
 
-This configuration will enable the DAM module while disabling the DSF Hub and DRA modules.
+This configuration will enable the DAM module while disabling the DSF Hub, DRA and CipherTrust modules.
 
 #### 2. DRA Only Deployment
 
@@ -44,9 +48,10 @@ To deploy only the DRA module, set the following variables in your Terraform con
 enable_dam = false
 enable_sonar = false
 enable_dra = true
+enable_ciphertrust = false
 ```
 
-This configuration will enable the DRA module while disabling the DSF Hub and DAM modules.
+This configuration will enable the DRA module while disabling the DSF Hub, DAM and CipherTrust modules.
 
 #### 3. Sonar Only Deployment
 
@@ -55,9 +60,22 @@ To deploy only the Sonar module, set the following variables in your Terraform c
 enable_dam = false
 enable_sonar = true
 enable_dra = false
+enable_ciphertrust = false
+```
+
+This configuration will enable the Sonar module, including the DSF Hub, while disabling the DAM, DRA and CipherTrust modules.
+
+#### 4. CipherTrust Only Deployment
+
+To deploy only the Sonar module, set the following variables in your Terraform configuration:
+```
+enable_dam = false
+enable_sonar = false
+enable_dra = false
+enable_ciphertrust = true
 ```
 
-This configuration will enable the Sonar module, including the DSF Hub, while disabling the DAM and DRA modules.
+This configuration will enable the CipherTrust module, including the CipherTrust Manager and the CTE and/or DDC agents, while disabling the DAM, DRA and Sonar modules.
 
 Feel free to customize your deployment by setting the appropriate variables based on your requirements.
 
@@ -68,11 +86,19 @@ Several variables in the `variables.tf` file are important for configuring the d
 - `enable_sonar`: Enable Sonar sub-product
 - `enable_dam`: Enable DAM sub-product
 - `enable_dra`: Enable DRA sub-product
+- `enable_ciphertrust`: Enable CipherTrust sub-product
 
 ### Server Count
 - `dra_analytics_count`: Number of DRA Analytics servers
 - `agentless_gw_count`: Number of Agentless Gateways
 - `agent_gw_count`: Number of Agent Gateways
+- `ciphertrust_manager_count`: Number of CipherTrust Manager servers (if more than one, configured as a cluster)
+- `cte_ddc_agents_linux_count`: Number of CTE-DDC agent Linux servers
+- `cte_agents_linux_count`: Number of CTE agent Linux servers
+- `ddc_agents_linux_count`: Number of DDC agent Linux servers
+- `cte_ddc_agents_windows_count`: Number of CTE-DDC agent Windows servers
+- `cte_agents_windows_count`: Number of CTE agent Windows servers
+- `ddc_agents_windows_count`: Number of DDC agent Windows servers
 
 ### High Availability (HADR)
 - `hub_hadr`: Enable DSF Hub High Availability Disaster Recovery (HADR)

examples/aws/poc/dsf_deployment/cm.tf

@@ -0,0 +1,69 @@
+locals {
+  ciphertrust_manager_count = local.enable_ciphertrust ? var.ciphertrust_manager_count : 0
+  ciphertrust_cidr_list = [data.aws_subnet.ciphertrust_manager.cidr_block]
+  ciphertrust_manager_web_console_username = "admin"
+}
+
+module "ciphertrust_manager" {
+  source  = "../../../../modules/aws/ciphertrust-manager"
+  #   source  = "imperva/dsf-ciphertrust-manager/aws"
+  #   version = "1.7.17" # latest release tag
+  count   = local.ciphertrust_manager_count
+  ami  = var.ciphertrust_manager_ami_id == null ? null : {
+    id               = var.ciphertrust_manager_ami_id
+    name_regex       = null
+    product_code     = null
+    owner_account_id = null
+  }
+  friendly_name               = join("-", [local.deployment_name_salted, "ciphertrust", "manager", count.index])
+  ebs                         = var.ciphertrust_manager_ebs_details
+  subnet_id                   = local.ciphertrust_manager_subnet_id
+  attach_persistent_public_ip = true
+  key_pair                          = module.key_pair.key_pair.key_pair_name
+  allowed_web_console_and_api_cidrs = var.web_console_cidr
+  allowed_ssh_cidrs                 = concat(local.workstation_cidr, var.allowed_ssh_cidrs)
+  allowed_cluster_nodes_cidrs       = [data.aws_subnet.ciphertrust_manager.cidr_block]
+  allowed_ddc_agents_cidrs          = [data.aws_subnet.cte_ddc_agent.cidr_block]
+  allowed_all_cidrs                 = local.workstation_cidr
+  tags = local.tags
+  depends_on = [
+    module.vpc
+  ]
+}
+
+provider "ciphertrust" {
+  address  = local.ciphertrust_manager_count > 0 ? "https://${module.ciphertrust_manager[0].public_ip}" : null
+  username = local.ciphertrust_manager_web_console_username
+  password = local.ciphertrust_manager_password
+  // destroy cluster can take almost a minute so give us a bit of a buffer
+  rest_api_timeout = 720
+}
+
+resource "ciphertrust_trial_license" "trial_license" {
+  count = local.ciphertrust_manager_count > 0 ? 1 : 0
+  flag = "activate"
+}
+
+module "ciphertrust_manager_cluster_setup" {
+  source  = "../../../../modules/null/ciphertrust-manager-cluster-setup"
+  #   source  = "imperva/dsf-ciphertrust-manager-cluster-setup/aws"
+  #   version = "1.7.17" # latest release tag
+  count   = local.ciphertrust_manager_count > 1 ? 1 : 0
+  nodes = [
+    for i in range(length(module.ciphertrust_manager)) : {
+      host = module.ciphertrust_manager[i].private_ip
+      public_address    = coalesce(module.ciphertrust_manager[i].public_ip, module.ciphertrust_manager[i].private_ip)
+    }
+  ]
+  credentials = {
+    user     = local.ciphertrust_manager_web_console_username
+    password = local.ciphertrust_manager_password
+  }
+  ddc_node_setup = {
+    enabled = true
+    node_address = coalesce(module.ciphertrust_manager[0].public_ip, module.ciphertrust_manager[0].private_ip)
+  }
+  depends_on = [
+    module.ciphertrust_manager
+  ]
+}

examples/aws/poc/dsf_deployment/cte_ddc_agents.tf

@@ -0,0 +1,114 @@
+locals {
+  cte_ddc_linux_count = local.ciphertrust_manager_count > 0 ? var.cte_ddc_agents_linux_count : 0
+  cte_linux_count = local.ciphertrust_manager_count > 0 ? var.cte_agents_linux_count : 0
+  ddc_linux_count = local.ciphertrust_manager_count > 0 ? var.ddc_agents_linux_count : 0
+  cte_ddc_windows_count = local.ciphertrust_manager_count > 0 ? var.cte_ddc_agents_windows_count : 0
+  cte_windows_count = local.ciphertrust_manager_count > 0 ? var.cte_agents_windows_count : 0
+  ddc_windows_count = local.ciphertrust_manager_count > 0 ? var.ddc_agents_windows_count : 0
+
+  installation_map = {
+    "Red Hat" = {
+      cte_installation_path = var.cte_agent_linux_installation_file
+      ddc_installation_path = var.ddc_agent_linux_installation_file
+    },
+    "Windows" = {
+      cte_installation_path = var.cte_agent_windows_installation_file
+      ddc_installation_path = var.ddc_agent_windows_installation_file
+    }
+  }
+
+  # Prepare Linux Agent Instances
+  linux_cte_ddc_instances = [for i in range(local.cte_ddc_linux_count) : {
+    id                = "cte-ddc-agent-linux-${i}"
+    os_type           = "Red Hat"
+    install_cte       = true
+    install_ddc       = true
+  }]
+  linux_cte_only_instances = [for i in range(local.cte_linux_count) : {
+    id                = "cte-agent-linux-${i}"
+    os_type           = "Red Hat"
+    install_cte       = true
+    install_ddc       = false
+  }]
+  linux_ddc_only_instances = [for i in range(local.ddc_linux_count) : {
+    id                = "ddc-agent-linux-${i}"
+    os_type           = "Red Hat"
+    install_cte       = false
+    install_ddc       = true
+  }]
+  # Prepare Windows Agent Instances
+  windows_cte_ddc_instances = [for i in range(local.cte_ddc_windows_count) : {
+    id                = "cte-ddc-agent-windows-${i}"
+    os_type           = "Windows"
+    install_cte       = true
+    install_ddc       = true
+  }]
+  windows_cte_only_instances = [for i in range(local.cte_windows_count) : {
+    id                = "cte-agent-windows-${i}"
+    os_type           = "Windows"
+    install_cte       = true
+    install_ddc       = false
+  }]
+  windows_ddc_only_instances = [for i in range(local.ddc_windows_count) : {
+    id                = "ddc-agent-windows-${i}"
+    os_type           = "Windows"
+    install_cte       = false
+    install_ddc       = true
+  }]
+
+
+  # Concatenate all agent lists and convert to a map for for_each
+  all_agent_instances_map = {
+    for instance in concat(
+      local.linux_cte_ddc_instances,
+      local.linux_cte_only_instances,
+      local.linux_ddc_only_instances,
+      local.windows_cte_ddc_instances,
+      local.windows_cte_only_instances,
+      local.windows_ddc_only_instances
+    ) : instance.id => instance
+  }
+}
+
+resource "ciphertrust_cte_registration_token" "reg_token" {
+  count = length(local.all_agent_instances_map) > 0 ? 1 : 0
+  lifetime = "24h"
+  max_clients = 100
+  name_prefix = "dsf-agent"
+}
+
+module "cte_ddc_agents" {
+  source  = "../../../../modules/aws/cte-ddc-agent"
+#   source  = "imperva/dsf-cte-ddc-agent/aws"
+#   version = "1.7.17" # latest release tag
+#   count   = local.cte_ddc_linux_count
+  for_each = local.all_agent_instances_map
+  friendly_name               = join("-", [local.deployment_name_salted, each.value.id])
+  subnet_id                   = local.cte_ddc_agent_subnet_id
+  ssh_key_pair = {
+    ssh_private_key_file_path = module.key_pair.private_key_file_path
+    ssh_public_key_name       = module.key_pair.key_pair.key_pair_name
+  }
+  os_type                     = each.value.os_type
+  attach_persistent_public_ip = true
+  use_public_ip               = true
+  allowed_ssh_cidrs           = concat(local.workstation_cidr, var.allowed_ssh_cidrs)
+  allowed_rdp_cidrs           = each.value.os_type == "Windows" ? concat(local.workstation_cidr, var.allowed_ssh_cidrs) : null
+  cipher_trust_manager_address = module.ciphertrust_manager[0].private_ip
+  agent_installation = {
+    registration_token = ciphertrust_cte_registration_token.reg_token[0].token
+    install_cte = each.value.install_cte
+    install_ddc = each.value.install_ddc
+    cte_agent_installation_file  = each.value.install_cte ? local.installation_map[each.value.os_type].cte_installation_path : null
+    ddc_agent_installation_file  = each.value.install_ddc ? local.installation_map[each.value.os_type].ddc_installation_path : null
+  }
+  tags = local.tags
+  depends_on = [
+    module.vpc,
+    module.ciphertrust_manager,
+    ciphertrust_trial_license.trial_license,
+    module.ciphertrust_manager_cluster_setup
+  ]
+}
+
+

examples/aws/poc/dsf_deployment/main.tf

@@ -15,6 +15,7 @@ module "globals" {
 
   sonar_version = var.sonar_version
   dra_version   = var.dra_version
+  installation_s3_key = var.tarball_location != null ? var.tarball_location.s3_key : null
 }
 
 module "key_pair" {
@@ -27,10 +28,13 @@ module "key_pair" {
 }
 
 locals {
-  workstation_cidr_24    = [format("%s.0/24", regex("\\d*\\.\\d*\\.\\d*", module.globals.my_ip))]
-  deployment_name_salted = join("-", [var.deployment_name, module.globals.salt])
-  password               = var.password != null ? var.password : module.globals.random_password
-  workstation_cidr       = var.workstation_cidr != null ? var.workstation_cidr : local.workstation_cidr_24
-  tags                   = merge(module.globals.tags, var.additional_tags, { "deployment_name" = local.deployment_name_salted })
-  private_key_file_path  = module.key_pair.private_key_file_path
+  workstation_cidr_24          = [format("%s.0/24", regex("\\d*\\.\\d*\\.\\d*", module.globals.my_ip))]
+  deployment_name_salted       = join("-", [var.deployment_name, module.globals.salt])
+  password                     = var.password != null ? var.password : module.globals.random_password
+  ciphertrust_manager_password = var.ciphertrust_manager_password != null ? var.ciphertrust_manager_password : module.globals.random_password
+  workstation_cidr             = var.workstation_cidr != null ? var.workstation_cidr : local.workstation_cidr_24
+  tags                         = merge(module.globals.tags, var.additional_tags, { "deployment_name" = local.deployment_name_salted })
+  private_key_file_path        = module.key_pair.private_key_file_path
+  # Minimal sonar version that supports CipherTrust Manager is 4.18
+  enable_ciphertrust           = var.enable_ciphertrust && !contains(["4.17", "4.16", "4.15", "4.14", "4.13", "4.12", "4.11", "4.10", "4.9"], module.globals.tarball_location.version)
 }

examples/aws/poc/dsf_deployment/networking.tf

@@ -1,13 +1,15 @@
 locals {
-  hub_subnet_id             = var.subnet_ids != null ? var.subnet_ids.hub_subnet_id : module.vpc[0].public_subnets[0]
-  hub_dr_subnet_id          = var.subnet_ids != null ? var.subnet_ids.hub_dr_subnet_id : module.vpc[0].public_subnets[1]
-  agentless_gw_subnet_id    = var.subnet_ids != null ? var.subnet_ids.agentless_gw_subnet_id : module.vpc[0].private_subnets[0]
-  agentless_gw_dr_subnet_id = var.subnet_ids != null ? var.subnet_ids.agentless_gw_dr_subnet_id : module.vpc[0].private_subnets[1]
-  db_subnet_ids             = var.subnet_ids != null ? var.subnet_ids.db_subnet_ids : module.vpc[0].public_subnets
-  mx_subnet_id              = var.subnet_ids != null ? var.subnet_ids.mx_subnet_id : module.vpc[0].public_subnets[0]
-  dra_admin_subnet_id       = var.subnet_ids != null ? var.subnet_ids.dra_admin_subnet_id : module.vpc[0].public_subnets[0]
-  dra_analytics_subnet_id   = var.subnet_ids != null ? var.subnet_ids.dra_analytics_subnet_id : module.vpc[0].private_subnets[0]
-  agent_gw_subnet_id        = var.subnet_ids != null ? var.subnet_ids.agent_gw_subnet_id : module.vpc[0].private_subnets[0]
+  hub_subnet_id                  = var.subnet_ids != null ? var.subnet_ids.hub_subnet_id : module.vpc[0].public_subnets[0]
+  hub_dr_subnet_id               = var.subnet_ids != null ? var.subnet_ids.hub_dr_subnet_id : module.vpc[0].public_subnets[1]
+  agentless_gw_subnet_id         = var.subnet_ids != null ? var.subnet_ids.agentless_gw_subnet_id : module.vpc[0].private_subnets[0]
+  agentless_gw_dr_subnet_id      = var.subnet_ids != null ? var.subnet_ids.agentless_gw_dr_subnet_id : module.vpc[0].private_subnets[1]
+  db_subnet_ids                  = var.subnet_ids != null ? var.subnet_ids.db_subnet_ids : module.vpc[0].public_subnets
+  mx_subnet_id                   = var.subnet_ids != null ? var.subnet_ids.mx_subnet_id : module.vpc[0].public_subnets[0]
+  dra_admin_subnet_id            = var.subnet_ids != null ? var.subnet_ids.dra_admin_subnet_id : module.vpc[0].public_subnets[0]
+  dra_analytics_subnet_id        = var.subnet_ids != null ? var.subnet_ids.dra_analytics_subnet_id : module.vpc[0].private_subnets[0]
+  agent_gw_subnet_id             = var.subnet_ids != null ? var.subnet_ids.agent_gw_subnet_id : module.vpc[0].private_subnets[0]
+  ciphertrust_manager_subnet_id  = var.subnet_ids != null ? var.subnet_ids.ciphertrust_subnet_id : module.vpc[0].public_subnets[0]
+  cte_ddc_agent_subnet_id        = var.subnet_ids != null ? var.subnet_ids.cte_ddc_agent_subnet_id : module.vpc[0].public_subnets[0]
 }
 
 module "vpc" {
@@ -62,3 +64,11 @@ data "aws_subnet" "dra_admin" {
 data "aws_subnet" "dra_analytics" {
   id = local.dra_analytics_subnet_id
 }
+
+data "aws_subnet" "ciphertrust_manager" {
+  id = local.ciphertrust_manager_subnet_id
+}
+
+data "aws_subnet" "cte_ddc_agent" {
+  id = local.cte_ddc_agent_subnet_id
+}