Merge pull request #7 from imperva/petal/aws-aurora-sources

AWS Aurora MySQL and PostgreSQL modules
imperva · Jul 23, 2024 · 667a75c · 667a75c
2 parents acde11d + a183f81
commit 667a75c
Show file tree

Hide file tree

Showing 66 changed files with 3,887 additions and 0 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,5 +1,14 @@
 # Changelog
 
+## 1.0.3 (2024-07-22)
+
+### Features
+- Amazon RDS Aurora MySQL module
+- Amazon RDS Aurora MySQL Kinesis module
+- Amazon RDS Aurora MySQL Slow query module
+- Amazon RDS Aurora PostgreSQL module
+- Amazon RDS Aurora PostgreSQL Kinesis module
+
 ## 1.0.2 (2024-07-12)
 
 ### Features

diff --git a/DSF_VERSION_COMPATABILITY.md b/DSF_VERSION_COMPATABILITY.md
@@ -18,6 +18,26 @@ The following table lists the DSF versions that each module is tested and mainta
    <tr>
       <td>onboard-aws-rds-neptune-slow-query</td>
       <td>4.17+</td>
+   </tr>
+      <tr>
+      <td>onboard-aws-rds-aurora-mysql</td>
+      <td>4.17+</td>
+   </tr>
+      <tr>
+      <td>onboard-aws-rds-aurora-mysql-kinesis</td>
+      <td>4.17+</td>
+   </tr>
+      <tr>
+      <td>onboard-aws-rds-aurora-mysql-slowquery</td>
+      <td>4.17+</td>
+   </tr>
+      <tr>
+      <td>onboard-aws-rds-aurora-postgresql</td>
+      <td>4.17+</td>
+   </tr>
+      <tr>
+      <td>onboard-aws-rds-aurora-postgresql-kinesis</td>
+      <td>4.17+</td>
    </tr>
    <tr>
       <td>onboard-aws-rds-mariadb</td>

diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md b/examples/onboard-aws-rds-aurora-mysql-kinesis/README.md
@@ -0,0 +1,42 @@
+# Onboard Amazon Aurora MySQL via Kinesis example
+This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html).
+
+It creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each one can be found in the relevant provider documentation:
+- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs)
+
+## Prerequisites
+### Account Asset Permissions
+An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created kinesis stream.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws-aurora-mysql-kinesis"></a> [aws-aurora-mysql-kinesis](#module\_aws-aurora-mysql-kinesis) | ../../modules/onboard-aws-rds-aurora-mysql-kinesis | n/a |
+| <a name="module_aws-default-account-asset"></a> [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dsfhub_host"></a> [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes |
+| <a name="input_dsfhub_token"></a> [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf b/examples/onboard-aws-rds-aurora-mysql-kinesis/main.tf
@@ -0,0 +1,76 @@
+locals {
+  aws_region        = "us-east-2"
+  apply_immediately = true
+  master_user       = "admin"
+  master_password   = "Abcd1234"
+
+  admin_email = "[email protected]"
+  gateway_id  = "a1b2c3d4-e5f6-g8h9-wxyz-123456790"
+}
+
+################################################################################
+# Providers
+################################################################################
+terraform {
+  required_providers {
+    dsfhub = {
+      source = "imperva/dsfhub"
+    }
+  }
+}
+
+provider "aws" {
+  region = local.aws_region
+}
+
+variable "dsfhub_host" {}  # TF_VAR_dsfhub_host env variable
+variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable
+
+provider "dsfhub" {
+  dsfhub_host  = var.dsfhub_host
+  dsfhub_token = var.dsfhub_token
+}
+
+################################################################################
+# Prerequisites
+# 1. AWS cloud account
+################################################################################
+# 1. AWS cloud account
+module "aws-default-account-asset" {
+  source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account"
+
+  admin_email        = local.admin_email
+  asset_display_name = "aws-account-asset"
+  asset_id           = "arn:aws:iam::1234567890"
+  auth_mechanism     = "default"
+  gateway_id         = local.gateway_id
+  region             = local.aws_region
+}
+
+################################################################################
+# Amazon Aurora MySQL via kinesis stream
+################################################################################
+module "aws-aurora-mysql-kinesis" {
+  source = "../../modules/onboard-aws-rds-aurora-mysql-kinesis"
+
+  aws_aurora_mysql_cluster_admin_email     = local.admin_email
+  aws_aurora_mysql_cluster_gateway_id      = local.gateway_id
+  aws_aurora_mysql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id
+  aws_aurora_mysql_cluster_region          = local.aws_region
+
+  aws_kinesis_admin_email        = local.admin_email
+  aws_kinesis_audit_pull_enabled = true
+  aws_kinesis_gateway_id         = local.gateway_id
+  aws_kinesis_reason             = "default"
+  aws_kinesis_region             = local.aws_region
+
+  cluster_apply_immediately  = local.apply_immediately
+  cluster_db_master_password = local.master_password
+  cluster_db_master_username = local.master_user
+  cluster_id                 = "tf-aurora-mysql-kinesis-cluster"
+  cluster_final_snapshot     = true
+
+  instance_apply_immediately   = local.apply_immediately
+  instance_identifier          = "tf-aurora-mysql-kinesis-instance"
+  instance_publicly_accessible = true
+}
diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md b/examples/onboard-aws-rds-aurora-mysql-slowquery/README.md
@@ -0,0 +1,42 @@
+# Onboard Amazon Aurora MySQL Slow Query example
+This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html).
+
+This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation:
+- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs)
+
+## Prerequisites
+### Account Asset Permissions
+An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws-aurora-mysql-slowquery"></a> [aws-aurora-mysql-slowquery](#module\_aws-aurora-mysql-slowquery) | ../../modules/onboard-aws-rds-aurora-mysql-slowquery | n/a |
+| <a name="module_aws-default-account-asset"></a> [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dsfhub_host"></a> [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes |
+| <a name="input_dsfhub_token"></a> [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->
diff --git a/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf b/examples/onboard-aws-rds-aurora-mysql-slowquery/main.tf
@@ -0,0 +1,101 @@
+locals {
+  aws_region = "us-east-2"
+  vpc_security_group_ids = [
+    "sg-12a345678912b1c2a",
+    "sg-34b456789c12b231e"
+  ]
+  subnet_group_name = "my-subnet-group"
+  admin_email       = "[email protected]"
+  gateway_id        = "a1b2c3d4-1234-5678-9123-cd1edcef7642"
+}
+
+################################################################################
+# Providers
+################################################################################
+terraform {
+  required_providers {
+    dsfhub = {
+      source = "imperva/dsfhub"
+    }
+  }
+}
+
+provider "aws" {
+  region = local.aws_region
+}
+
+variable "dsfhub_host" {}  # TF_VAR_dsfhub_host env variable
+variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable
+
+provider "dsfhub" {
+  dsfhub_host  = var.dsfhub_host
+  dsfhub_token = var.dsfhub_token
+}
+
+################################################################################
+# Prerequisites
+# AWS cloud account
+################################################################################
+
+module "aws-default-account-asset" {
+  source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account"
+
+  admin_email        = local.admin_email
+  asset_display_name = "aws-account-asset"
+  asset_id           = "arn:aws:iam::123456789101:role/iam-role"
+  auth_mechanism     = "default"
+  gateway_id         = local.gateway_id
+  region             = local.aws_region
+}
+
+################################################################################
+# Amazon Aurora MySQL Slow query
+################################################################################
+
+module "aws-aurora-mysql-slowquery" {
+  source = "../../modules/onboard-aws-rds-aurora-mysql-slowquery"
+
+  cluster_parameter_group_name = "aurora-mysql-cpg-tf"
+  cluster_parameter_group_parameters = [
+    {
+      name  = "server_audit_logging"
+      value = 1
+    },
+    {
+      name  = "server_audit_excl_users"
+      value = "rdsadmin"
+    },
+    {
+      name  = "server_audit_events"
+      value = "CONNECT,QUERY,QUERY_DCL,QUERY_DDL,QUERY_DML"
+    },
+    {
+      name  = "slow_query_log"
+      value = 1
+    },
+    {
+      name  = "long_query_time"
+      value = 5
+    },
+    {
+      name  = "log_slow_admin_statements"
+      value = 1
+    }
+  ]
+
+  cluster_cluster_id             = "aurora-mysql-cluster"
+  cluster_db_master_username     = "admin"
+  cluster_db_master_password     = "mypassword"
+  cluster_db_subnet_group_name   = local.subnet_group_name
+  cluster_vpc_security_group_ids = local.vpc_security_group_ids
+
+  instance_identifier          = "aurora-mysql"
+  instance_publicly_accessible = false
+
+  aws_aurora_mysql_cluster_admin_email     = local.admin_email
+  aws_aurora_mysql_cluster_gateway_id      = local.gateway_id
+  aws_aurora_mysql_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id
+  aws_aurora_mysql_cluster_region          = local.aws_region
+
+  aws_log_group_audit_pull_enabled = true
+}
diff --git a/examples/onboard-aws-rds-aurora-mysql/README.md b/examples/onboard-aws-rds-aurora-mysql/README.md
@@ -0,0 +1,42 @@
+# Onboard Amazon Aurora MySQL example
+This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Aurora-MySQL-Onboarding-Steps_48366913.html).
+
+This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation:
+- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs)
+
+## Prerequisites
+### Account Asset Permissions
+An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group.
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_aws-aurora-mysql"></a> [aws-aurora-mysql](#module\_aws-aurora-mysql) | ../../modules/onboard-aws-rds-aurora-mysql | n/a |
+| <a name="module_aws-default-account-asset"></a> [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_dsfhub_host"></a> [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes |
+| <a name="input_dsfhub_token"></a> [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->