From 4199cd2e7e7a52c826d1504d4e381079c7386ac0 Mon Sep 17 00:00:00 2001 From: John Dewey Date: Tue, 4 Jun 2024 15:34:59 -0700 Subject: [PATCH] init add of config sensor tf module currently supports the Azure cloud enrichment service. --- .github/ISSUE_TEMPLATE/BUG.md | 24 +++++++++++ .github/ISSUE_TEMPLATE/FEATURE.md | 18 ++++++++ .github/PULL_REQUEST_TEMPLATE.md | 19 ++++++++ .github/workflows/fmt:check.yml | 25 +++++++++++ .gitignore | 6 +++ LICENSE | 21 +++++++++ README.md | 37 ++++++++++++++++ Taskfile.yml | 13 ++++++ cloud-config/init.tpl | 39 +++++++++++++++++ data.tf | 26 +++++++++++ examples/deployment/main.tf | 32 ++++++++++++++ examples/deployment/versions.tf | 3 ++ outputs.tf | 3 ++ variables.tf | 72 +++++++++++++++++++++++++++++++ 14 files changed, 338 insertions(+) create mode 100644 .github/ISSUE_TEMPLATE/BUG.md create mode 100644 .github/ISSUE_TEMPLATE/FEATURE.md create mode 100644 .github/PULL_REQUEST_TEMPLATE.md create mode 100644 .github/workflows/fmt:check.yml create mode 100644 .gitignore create mode 100644 LICENSE create mode 100644 Taskfile.yml create mode 100644 cloud-config/init.tpl create mode 100644 data.tf create mode 100644 examples/deployment/main.tf create mode 100644 examples/deployment/versions.tf create mode 100644 outputs.tf create mode 100644 variables.tf diff --git a/.github/ISSUE_TEMPLATE/BUG.md b/.github/ISSUE_TEMPLATE/BUG.md new file mode 100644 index 0000000..272649d --- /dev/null +++ b/.github/ISSUE_TEMPLATE/BUG.md 
@@ -0,0 +1,24 @@ +--- +name: Bug Report +about: Report a Bug + +--- + +**Describe the bug** +What issue did you experience? More detail the better! + +**Reproducing the Bug** +Steps to reproduce the behavior: +1. Using terraform version x.y.z +2. With module version a.b.c +3. Provider versions... 1,2,3 +4. Error looks like: + +**Expected Behavior** +Describe the expected behavior. + +**Screenshots** +If applicable, add screenshots, obfuscated tf state files, etc... to help explain your issue. + +**Any Additional Context** +Add any other context about the bug that will help us troubleshoot the issue. \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/FEATURE.md b/.github/ISSUE_TEMPLATE/FEATURE.md new file mode 100644 index 0000000..449a622 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/FEATURE.md @@ -0,0 +1,18 @@ +--- +name: Feature Request +about: Suggest an feature for this project + +--- + +**Is your feature request related to an ongoing bug?** +Please provide a clear description of the challenge you're facing. + +**Propose a solution** +Outline a solution you may have to the challenge and any tests / evidence that may help us better +decide to take it on! + +**What alternatives have you tried or considered?** +Outline any alternatives to the solution you're proposing in a clear and concise way. + +**Any additional context** +Add any other context or screenshots about the feature request here. \ No newline at end of file diff --git a/.github/PULL_REQUEST_TEMPLATE.md b/.github/PULL_REQUEST_TEMPLATE.md new file mode 100644 index 0000000..1a3d752 --- /dev/null +++ b/.github/PULL_REQUEST_TEMPLATE.md 
@@ -0,0 +1,19 @@ +# Description + +Include an overview of the change and which issue it addresses. Please also include relevant +motivation and context. List any dependencies that are required for this change. + +Associated it with an existing issue, i.e. - "Fixes issue #12345" + +## Type of change + +Please delete options that are not relevant. + +- [ ] Bug Fix +- [ ] New Feature +- [ ] This change requires a documentation update + +# How Has This Been Tested? + +Describe the tests that you ran to verify your changes. Provide instructions so they can be +reproduced. Please also list any relevant details for your test configuration diff --git a/.github/workflows/fmt:check.yml b/.github/workflows/fmt:check.yml new file mode 100644 index 0000000..17cf997 --- /dev/null +++ b/.github/workflows/fmt:check.yml @@ -0,0 +1,25 @@ +--- +name: Terraform Validation + +on: + pull_request: + branches: + - main + +jobs: + terraform: + name: Lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + - name: Install Task + uses: arduino/setup-task@v2 + with: + version: 3.x + repo-token: ${{ secrets.GITHUB_TOKEN }} + - name: Install Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: "1.8.2" + - name: Terraform fmt + run: task fmt:check diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..b65e6c0 --- /dev/null +++ b/.gitignore @@ -0,0 +1,6 @@ +.idea** +**/.terraform/** +*.tfstate.* +*.tfstate +**.terraform* +**tfplan** \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..4b3acbf --- /dev/null +++ b/LICENSE 
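Review bot: The workflow hands `${{ secrets.GITHUB_TOKEN }}` to the third-party `arduino/setup-task@v2` step without restricting what that token may do; add a top-level `permissions:` / `  contents: read` block so a mis-tagged or compromised action only gets read access, and consider pinning the three `uses:` references to full commit SHAs rather than floating major tags. The file name `fmt:check.yml` also contains a colon, which cannot be checked out on Windows filesystems; `fmt-check.yml` would avoid that. The job is named "Lint" under "Terraform Validation" but only runs `task fmt:check`; a `terraform validate` step would make the name accurate.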
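Review bot: The pattern `**.terraform*` also matches `.terraform.lock.hcl`, so the provider dependency lock file can never be committed and every `terraform init` resolves providers afresh, which loses the checksum pinning the lock file exists to provide. Replace it with `.terraform/` (already covered by `**/.terraform/**`) or add a negating `!.terraform.lock.hcl` line after it. Since `fleet_community_string` is declared sensitive in variables.tf, consider also ignoring `*.tfvars` so local value files holding it are not committed by accident.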
@@ -0,0 +1,21 @@ +The MIT License (MIT) + +Copyright (c) 2024 Corelight, Inc. + +Permission is hereby granted, free of charge, to any person obtaining a copy +of this software and associated documentation files (the "Software"), to deal +in the Software without restriction, including without limitation the rights +to use, copy, modify, merge, publish, distribute, sublicense, and/or sell +copies of the Software, and to permit persons to whom the Software is +furnished to do so, subject to the following conditions: + +The above copyright notice and this permission notice shall be included in +all copies or substantial portions of the Software. + +THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR +IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, +FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE +AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER +LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, +OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN +THE SOFTWARE. diff --git a/README.md b/README.md index 44ef243..5fa8cb9 100644 --- a/README.md +++ b/README.md 
@@ -1,2 +1,39 @@ # terraform-config-sensor + Terraform for Corelight's Sensor Configuration. + +## Usage + +```hcl +module "sensor_config" { + source = "../../" + + fleet_community_string = "" + sensor_license = "" + sensor_management_interface_name = "" + sensor_monitoring_interface_name = "" + sensor_health_check_probe_source_ranges_cidr = " + subnetwork_monitoring_cidr = "" + subnetwork_monitoring_gateway = "" + + # Optional - Enrichment Service + enrichment_cloud_provider_name = "" + enrichment_storage_container_name = "" + + # Optional - Enrichment Service Azure + enrichment_storage_account_name = "" +} +``` + +## Deployment + +The variables for this module all have default values that can be overwritten +to meet your naming and compliance standards. + +Deployment examples can be found [here](examples). + +## License + +The project is licensed under the MIT license. + +[MIT]: LICENSE diff --git a/Taskfile.yml b/Taskfile.yml new file mode 100644 index 0000000..1684a3a --- /dev/null +++ b/Taskfile.yml @@ -0,0 +1,13 @@ +--- +version: "3" + +tasks: + fmt: + desc: Reformat your configuration in the standard style + cmds: + - terraform fmt -recursive . + + fmt:check: + desc: Check if the input is formatted + cmds: + - terraform fmt -recursive -check -diff . diff --git a/cloud-config/init.tpl b/cloud-config/init.tpl new file mode 100644 index 0000000..91f70ec --- /dev/null +++ b/cloud-config/init.tpl 
@@ -0,0 +1,39 @@
+#cloud-config
+
+write_files:
+ - content: |
+ sensor:
+ api:
+ password: ${community_string}
+ license_key: ${license}
+ management_interface:
+ name: ${mgmt_int}
+ wait: true
+ monitoring_interface:
+ name: ${mon_int}
+ wait: true
+%{ if mon_subnet != "" && mon_gateway != "" ~}
+ health_check:
+ port: ${health_port}
+ subnet: ${mon_subnet}
+ gateway: ${mon_gateway}
+%{ endif ~}
+ kubernetes:
+ allow_ports:
+%{ for probe in probe_ranges ~}
+ - protocol: tcp
+ port: ${health_port}
+ net: ${probe}
+%{ endfor ~}
+
+ owner: root:root
+ path: /etc/corelight/corelightctl.yaml
+ permissions: '0644'
+
+runcmd:
+ - corelightctl sensor bootstrap -v
+ - corelightctl sensor deploy -v
+%{ if cloud_provider == "azure" ~}
+ - |
+ echo '{"cloud_enrichment.enable": "true", "cloud_enrichment.cloud_provider": "azure","cloud_enrichment.bucket_name": "${container_name}", "cloud_enrichment.azure_storage_account": "${storage_account_name}"}' | corelightctl sensor cfg put
+%{ endif ~}
diff --git a/data.tf b/data.tf
new file mode 100644
index 0000000..bd21db6
--- /dev/null
+++ b/data.tf
@@ -0,0 +1,26 @@
+data "cloudinit_config" "config" {
+ gzip = false
+ base64_encode = false
+
+ part {
+ content_type = "text/cloud-config"
+ content = templatefile("${path.module}/cloud-config/init.tpl", {
+ community_string = var.fleet_community_string
+ license = var.sensor_license
+ mgmt_int = var.sensor_management_interface_name
+ mon_int = var.sensor_monitoring_interface_name
+ health_port = var.sensor_health_check_http_port
+ probe_ranges = var.sensor_health_check_probe_source_ranges_cidr
+ mon_subnet = var.subnetwork_monitoring_cidr
+ mon_gateway = var.subnetwork_monitoring_gateway
+
+ # enrichment service
+ cloud_provider = var.enrichment_cloud_provider_name
+ container_name = var.enrichment_storage_container_name
+
+ # enrichment service - azure
+ storage_account_name = var.enrichment_storage_account_name
+ })
+ filename = "sensor-build.yaml"
+ }
+}
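Review bot: `corelightctl.yaml` is written with `permissions: '0644'` although it holds the Fleet API password (`password: ${community_string}`) and the license key, so any local user on the sensor can read them; unless corelightctl reads the file as a non-root user, `permissions: '0600'` is the safer default. The template values are also interpolated unquoted into YAML and into the single-quoted JSON on the echo line, so a community string or container name containing `:`, `#` or `'` would break the rendered file or the shell command; `password: ${jsonencode(community_string)}` (and likewise for the other scalars) keeps the output well-formed. With the module's default `probe_ranges = [""]`, the `%{ for probe in probe_ranges ~}` loop renders one `allow_ports` entry with an empty `net:` value, so the loop should guard against empty strings or the default should become `[]`.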
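Review bot: `data "cloudinit_config"` relies on Terraform inferring the `hashicorp/cloudinit` provider, because neither the root module nor `examples/deployment/versions.tf` declares a `required_providers` block, and the `.gitignore` in this commit drops `.terraform.lock.hcl`, so the provider version is unpinned on every init. Add to the root module a `terraform { required_providers { cloudinit = { source = "hashicorp/cloudinit", version = "<tested-version-constraint>" } } }` block with the version you tested. The `filename = "sensor-build.yaml"` label is set on the part but the template writes `/etc/corelight/corelightctl.yaml`; a short comment saying the part filename is only a cloud-init MIME label would save the next reader the confusion.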
diff --git a/examples/deployment/main.tf b/examples/deployment/main.tf
new file mode 100644
index 0000000..3e259e2
--- /dev/null
+++ b/examples/deployment/main.tf
@@ -0,0 +1,32 @@
+locals {
+ community_string = "abc123"
+ license = file("~/corelight-license.txt")
+ mgmt_interface = "eth0"
+ mon_interface = "eth1"
+ probe_source_ranges_cidr = ["130.211.0.0/22", "35.191.0.0/16"]
+ mon_cidr = "10.3.0.0/24"
+ mon_gateway = "10.3.0.1"
+
+ enrichment_cloud_provider = "azure"
+ enrichment_storage_account_name = "account-foo"
+ enrichment_storage_container_name = "bucket-bar"
+}
+
+module "sensor_config" {
+ source = "../../"
+
+ fleet_community_string = local.community_string
+ sensor_license = local.license
+ sensor_management_interface_name = local.mgmt_interface
+ sensor_monitoring_interface_name = local.mon_interface
+ sensor_health_check_probe_source_ranges_cidr = local.probe_source_ranges_cidr
+ subnetwork_monitoring_cidr = local.mon_cidr
+ subnetwork_monitoring_gateway = local.mon_gateway
+
+ # Optional - Enrichment Service
+ enrichment_cloud_provider_name = local.enrichment_cloud_provider
+ enrichment_storage_container_name = local.enrichment_storage_container_name
+
+ # Optional - Enrichment Service Azure
+ enrichment_storage_account_name = local.enrichment_storage_account_name
+}
diff --git a/examples/deployment/versions.tf b/examples/deployment/versions.tf
new file mode 100644
index 0000000..deaa9dd
--- /dev/null
+++ b/examples/deployment/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">=1.3.2"
+}
diff --git a/outputs.tf b/outputs.tf
new file mode 100644
index 0000000..bffa87c
--- /dev/null
+++ b/outputs.tf
@@ -0,0 +1,3 @@
+output "cloudinit_config" {
+ value = data.cloudinit_config.config
+}
diff --git a/variables.tf b/variables.tf
new file mode 100644
index 0000000..3522c7b
--- /dev/null
+++ b/variables.tf
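Review bot: The example stores the Fleet community string as a literal in `locals` (`community_string = "abc123"`), which teaches users to commit the secret alongside the code even though the module marks `fleet_community_string` as sensitive; declare it in the example as `variable "fleet_community_string" { type = string, sensitive = true }` and supply it through `TF_VAR_fleet_community_string` or a git-ignored tfvars file. `probe_source_ranges_cidr` lists `130.211.0.0/22` and `35.191.0.0/16`, which are Google Cloud's published health-check source ranges; if this example is meant for the Azure path its enrichment settings show, the probe ranges of the platform actually hosting the sensor belong here, or a comment should say where the values come from.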
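Review bot: `output "cloudinit_config"` exposes the whole `data.cloudinit_config.config` object, whose `part.content` is built from the sensitive `fleet_community_string` and `sensor_license` and whose `rendered` attribute contains them in clear text, yet the output is not marked sensitive; Terraform is likely to refuse it with "Output refers to sensitive values", and if it does not, the secrets are printed on apply and by `terraform output`. Add `sensitive = true` to the block. Whether callers need the full object or only `.rendered` is not visible from this hunk; exposing just `rendered` would keep the surface smaller.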
@@ -0,0 +1,72 @@
+variable "fleet_community_string" {
+ type = string
+ sensitive = true
+ description = "the Fleet Manager community string (api string)"
+}
+
+variable "sensor_license" {
+ type = string
+ sensitive = true
+ description = "path to the Corelight sensor license file"
+}
+
+variable "sensor_management_interface_name" {
+ type = string
+ description = "the sensor(s) management interface name"
+}
+
+variable "sensor_monitoring_interface_name" {
+ type = string
+ description = "the sensor(s) monitoring interface name"
+}
+
+variable "sensor_health_check_http_port" {
+ type = string
+ default = "41080"
+ description = "the port number for the HTTP health check request"
+}
+
+variable "sensor_health_check_probe_source_ranges_cidr" {
+ type = list(string)
+ default = [""]
+ description = "(optional) the health check probe ranges"
+}
+
+variable "subnetwork_monitoring_cidr" {
+ type = string
+ default = ""
+ description = "(optional) the monitoring subnet for the sensor(s), leaving this empty will result in no sensor.monitoring_interface.health_check section being rendered into user data."
+}
+
+variable "subnetwork_monitoring_gateway" {
+ type = string
+ default = ""
+ description = "(optional) the monitoring subnet's gateway address, leaving this empty will result in no sensor.monitoring_interface.health_check section being rendered into user data."
+}
+
+# Enrichment Service
+
+variable "enrichment_cloud_provider_name" {
+ description = "(optional) the cloud provider name"
+ type = string
+ default = ""
+
+ validation {
+ condition = contains(["", "aws", "azure", "gcp"], var.enrichment_cloud_provider_name)
+ error_message = "allowed options: \"aws\", \"azure\", \"gcp\"."
+ }
+}
+
+# Enrichment Service -- Azure
+
+variable "enrichment_storage_account_name" {
+ description = "(optional) the azure storage account where enrichment data is stored"
+ type = string
+ default = ""
+}
+
+variable "enrichment_storage_container_name" {
+ description = "(optional) the container where enrichment data is stored"
+ type = string
+ default = ""
+}
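Review bot: `sensor_license` is described as "path to the Corelight sensor license file", but data.tf passes the value straight into the template as `license_key:` and the example feeds it `file("~/corelight-license.txt")`, so the variable holds the license contents, not a path; the description should say so. `sensor_health_check_probe_source_ranges_cidr` defaults to `[""]`, which is neither "no ranges" nor a valid CIDR and yields an empty `net:` entry in the rendered user data; use `default = []` and add `validation { condition = alltrue([for c in var.sensor_health_check_probe_source_ranges_cidr : can(cidrhost(c, 0))]) error_message = "every entry must be a CIDR block." }` so malformed input fails at plan time (the README usage snippet also shows this variable as an unterminated string rather than a list). The `enrichment_cloud_provider_name` validation accepts `aws` and `gcp`, but the template only acts on `azure`, so those values are silently ignored; either drop them from the allowed list until they are implemented or say so in the description.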