Agentless gw HADR

imperva · Aug 16, 2023 · 058ca37 · 058ca37
1 parent 2e87c2d
commit 058ca37
Show file tree

Hide file tree

Showing 6 changed files with 114 additions and 34 deletions.
diff --git a/examples/azure/sonar_deployment/outputs.tf b/examples/azure/sonar_deployment/outputs.tf
@@ -41,24 +41,22 @@ output "sonar" {
       for idx, val in module.agentless_gw :
       {
         private_ip   = try(val.private_ip, null)
-        private_dns  = try(val.private_dns, null)
         jsonar_uid   = try(val.jsonar_uid, null)
         display_name = try(val.display_name, null)
         principal_id = try(val.principal_id, null)
         ssh_command  = try("ssh -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -i ${local.private_key_file_path} -W %h:%p ${module.hub[0].ssh_user}@${module.hub[0].public_ip}' -i ${local.private_key_file_path} ${val.ssh_user}@${val.private_ip}", null)
       }
     ]
-    # agentless_gw_secondary = var.agentless_gw_hadr ? [
-    #   for idx, val in module.agentless_gw_secondary :
-    #   {
-    #     private_ip   = try(val.private_ip, null)
-    #     private_dns  = try(val.private_dns, null)
-    #     jsonar_uid   = try(val.jsonar_uid, null)
-    #     display_name = try(val.display_name, null)
-    #     principal_id     = try(val.principal_id, null)
-    #     ssh_command  = try("ssh -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -i ${local.private_key_file_path} -W %h:%p ${module.hub[0].ssh_user}@${module.hub[0].public_ip}' -i ${local.private_key_file_path} ${val.ssh_user}@${val.private_ip}", null)
-    #   }
-    # ] : []
+    agentless_gw_secondary = var.agentless_gw_hadr ? [
+      for idx, val in module.agentless_gw_secondary :
+      {
+        private_ip   = try(val.private_ip, null)
+        jsonar_uid   = try(val.jsonar_uid, null)
+        display_name = try(val.display_name, null)
+        principal_id     = try(val.principal_id, null)
+        ssh_command  = try("ssh -o ProxyCommand='ssh -o UserKnownHostsFile=/dev/null -i ${local.private_key_file_path} -W %h:%p ${module.hub[0].ssh_user}@${module.hub[0].public_ip}' -i ${local.private_key_file_path} ${val.ssh_user}@${val.private_ip}", null)
+      }
+    ] : []
   } : null
 }
 

diff --git a/examples/azure/sonar_deployment/sonar.tf b/examples/azure/sonar_deployment/sonar.tf
@@ -84,53 +84,134 @@ module "hub_hadr" {
 }
 
 module "agentless_gw" {
-  count  = var.agentless_gw_hadr ? local.agentless_gw_count : 0
   source = "../../../modules/azurerm/agentless-gw"
   # version                             = "1.3.5" # latest release tag
+  count  = local.agentless_gw_count
 
-  friendly_name         = join("-", [local.deployment_name_salted, "gw", count.index])
+  friendly_name         = join("-", [local.deployment_name_salted, "agentless", "gw", count.index])
   resource_group        = local.resource_group
   subnet_id             = module.network[0].vnet_subnets[0]
   storage_details       = var.agentless_gw_storage_details
   binaries_location     = local.tarball_location
   password              = local.password
   hub_sonarw_public_key = module.hub[0].sonarw_public_key
+  ssh_key = {
+    ssh_public_key            = tls_private_key.ssh_key.public_key_openssh
+    ssh_private_key_file_path = local_sensitive_file.ssh_key.filename
+  }
+  allowed_agentless_gw_cidrs = module.network[0].vnet_address_space
+  allowed_hub_cidrs = module.network[0].vnet_address_space
+  allowed_all_cidrs          = local.workstation_cidr
+  ingress_communication_via_proxy = {
+    proxy_address              = module.hub[0].public_ip
+    proxy_private_ssh_key_path = local_sensitive_file.ssh_key.filename
+    proxy_ssh_user             = module.hub[0].ssh_user
+  }
+  tags = local.tags
+  depends_on = [
+    module.network
+  ]
+}
+
+module "agentless_gw_secondary" {
+  source = "../../../modules/azurerm/agentless-gw"
+  # version                             = "1.3.5" # latest release tag
+  count   = var.agentless_gw_hadr ? local.agentless_gw_count : 0
 
+  friendly_name                   = join("-", [local.deployment_name_salted, "agentless", "gw", "DR", count.index])
+  resource_group        = local.resource_group
+  subnet_id             = module.network[0].vnet_subnets[1]
+  storage_details       = var.agentless_gw_storage_details
+  binaries_location     = local.tarball_location
+  password              = local.password
+  hub_sonarw_public_key = module.hub[0].sonarw_public_key
+  hadr_secondary_node             = true
+  primary_node_sonarw_public_key  = module.agentless_gw[count.index].sonarw_public_key
+  primary_node_sonarw_private_key = module.agentless_gw[count.index].sonarw_private_key
   ssh_key = {
     ssh_public_key            = tls_private_key.ssh_key.public_key_openssh
     ssh_private_key_file_path = local_sensitive_file.ssh_key.filename
   }
+  allowed_agentless_gw_cidrs = module.network[0].vnet_address_space
   allowed_hub_cidrs = module.network[0].vnet_address_space
+  allowed_all_cidrs          = local.workstation_cidr
   ingress_communication_via_proxy = {
     proxy_address              = module.hub[0].public_ip
     proxy_private_ssh_key_path = local_sensitive_file.ssh_key.filename
     proxy_ssh_user             = module.hub[0].ssh_user
   }
+  tags = local.tags
   depends_on = [
     module.network
   ]
 }
 
+module "agentless_gw_hadr" {
+  source  = "imperva/dsf-hadr/null"
+  version = "1.5.1" # latest release tag
+  count   = length(module.agentless_gw_secondary)
+
+  sonar_version            = module.globals.tarball_location.version
+  dsf_primary_ip           = module.agentless_gw[count.index].private_ip
+  dsf_primary_private_ip   = module.agentless_gw[count.index].private_ip
+  dsf_secondary_ip         = module.agentless_gw_secondary[count.index].private_ip
+  dsf_secondary_private_ip = module.agentless_gw_secondary[count.index].private_ip
+  ssh_key_path             = local_sensitive_file.ssh_key.filename
+  ssh_user                 = module.agentless_gw[count.index].ssh_user
+  proxy_info = {
+    proxy_address              = module.hub[0].public_ip
+    proxy_private_ssh_key_path = local_sensitive_file.ssh_key.filename
+    proxy_ssh_user             = module.hub[0].ssh_user
+  }
+  depends_on = [
+    module.agentless_gw,
+    module.agentless_gw_secondary
+  ]
+}
+
+locals {
+  gws = merge(
+    { for idx, val in module.agentless_gw : "agentless-gw-${idx}" => val },
+    { for idx, val in module.agentless_gw_secondary : "agentless-gw-secondary-${idx}" => val },
+  )
+  gws_set = values(local.gws)
+  hubs_set = concat(
+    var.enable_sonar ? [module.hub[0]] : [],
+    var.enable_sonar && var.hub_hadr ? [module.hub_secondary[0]] : []
+  )
+  hubs_keys = compact([
+    var.enable_sonar ? "hub-primary" : null,
+    var.enable_sonar && var.hub_hadr ? "hub-secondary" : null,
+  ])
+
+  hub_gw_combinations_values = setproduct(local.hubs_set, local.gws_set)
+  hub_gw_combinations_keys   = [for v in setproduct(local.hubs_keys, keys(local.gws)) : "${v[0]}-${v[1]}"]
+
+  hub_gw_combinations = zipmap(local.hub_gw_combinations_keys, local.hub_gw_combinations_values)
+}
+
 module "federation" {
-  for_each = { for idx, val in module.agentless_gw : idx => val }
   source   = "imperva/dsf-federation/null"
-  gw_info = {
-    gw_ip_address           = each.value.private_ip
-    gw_private_ssh_key_path = local_sensitive_file.ssh_key.filename
-    gw_ssh_user             = each.value.ssh_user
-  }
+  version  = "1.5.1" # latest release tag
+  for_each = local.hub_gw_combinations
+
   hub_info = {
-    hub_ip_address           = module.hub[0].public_ip
+    hub_ip_address           = each.value[0].public_ip
     hub_private_ssh_key_path = local_sensitive_file.ssh_key.filename
-    hub_ssh_user             = module.hub[0].ssh_user
+    hub_ssh_user             = each.value[0].ssh_user
+  }
+  gw_info = {
+    gw_ip_address           = each.value[1].private_ip
+    gw_private_ssh_key_path = local_sensitive_file.ssh_key.filename
+    gw_ssh_user             = each.value[1].ssh_user
   }
   gw_proxy_info = {
     proxy_address              = module.hub[0].public_ip
     proxy_private_ssh_key_path = local_sensitive_file.ssh_key.filename
     proxy_ssh_user             = module.hub[0].ssh_user
   }
   depends_on = [
-    module.hub,
-    module.agentless_gw,
+    module.hub_hadr,
+    module.agentless_gw_hadr
   ]
 }
diff --git a/examples/poc/dsf_deployment/sonar.tf b/examples/poc/dsf_deployment/sonar.tf
@@ -117,7 +117,7 @@ module "agentless_gw" {
   }
   tags = local.tags
   depends_on = [
-    module.vpc,
+    module.vpc
   ]
 }
 

diff --git a/modules/azurerm/core/globals/variables.tf b/modules/azurerm/core/globals/variables.tf
@@ -1,10 +1,7 @@
 variable "sonar_version" {
-  type    = string
-  default = "4.10"
-  validation {
-    condition     = contains(["4.9", "4.10"], var.sonar_version)
-    error_message = "The sonar_version value must be from the list [\"4.9\", \"4.10\"]"
-  }
+  type        = string
+  default     = "4.12"
+  description = "The Sonar version to install. Supported versions are: 4.9 and up. Both long and short version formats are supported, for example, 4.12.0.10 or 4.12. The short format maps to the latest patch."
 }
 
 variable "tarball_location" {

diff --git a/modules/azurerm/sonar-base-instance/outputs.tf b/modules/azurerm/sonar-base-instance/outputs.tf
@@ -2,15 +2,19 @@ output "public_ip" {
   description = "Public elastic IP address of the DSF base instance"
   value       = local.public_ip
   depends_on = [
-    azurerm_network_interface_security_group_association.nic_ip_association
+    azurerm_network_interface_security_group_association.nic_ip_association,
+    azurerm_virtual_machine_data_disk_attachment.data_disk_attachment,
+    azurerm_role_assignment.dsf_base_storage_role_assignment
   ]
 }
 
 output "private_ip" {
   description = "Private IP address of the DSF base instance"
   value       = local.private_ip
   depends_on = [
-    azurerm_network_interface_security_group_association.nic_ip_association
+    azurerm_network_interface_security_group_association.nic_ip_association,
+    azurerm_virtual_machine_data_disk_attachment.data_disk_attachment,
+    azurerm_role_assignment.dsf_base_storage_role_assignment
   ]
 }
 

diff --git a/modules/null/hadr/variables.tf b/modules/null/hadr/variables.tf
@@ -3,7 +3,7 @@ variable "sonar_version" {
   description = "The Sonar version to install. Supported versions are: 4.11 and up. Both long and short version formats are supported, for example, 4.12.0.10 or 4.12. The short format maps to the latest patch."
   nullable    = false
   validation {
-    condition     = !startswith(var.sonar_version, "4.9.") && !startswith(var.sonar_version, "4.10.")
+    condition     = !startswith(var.sonar_version, "4.9") && !startswith(var.sonar_version, "4.10")
     error_message = "The sonar_version value must be 4.11 or higher"
   }
 }