Dam | Added support for activation key (#232)

EDSF-319
imperva · Jul 9, 2023 · 1c085ed · 1c085ed
1 parent af2de8d
commit 1c085ed
Show file tree

Hide file tree

Showing 13 changed files with 57 additions and 41 deletions.
diff --git a/.github/workflows/terraform_apply_cli_dam_poc.yml b/.github/workflows/terraform_apply_cli_dam_poc.yml
@@ -154,13 +154,13 @@ jobs:
     - name: Terraform Plan
       run: |
         terraform -chdir=$EXAMPLE_DIR workspace list
-        terraform -chdir=$EXAMPLE_DIR plan -var license_file=license.mprv
+        terraform -chdir=$EXAMPLE_DIR plan -var license=license.mprv
 
       # On push to "main", build or change infrastructure according to Terraform configuration files
       # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
     - name: Terraform Apply
       # if: github.ref == 'refs/heads/"master"' && github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-      run: terraform -chdir=$EXAMPLE_DIR apply -var license_file=license.mprv -auto-approve
+      run: terraform -chdir=$EXAMPLE_DIR apply -var license=license.mprv -auto-approve
 
     - name: Terraform Output
       if: always()
@@ -169,7 +169,7 @@ jobs:
     - name: Terraform Destroy
       id: destroy
       if: always()
-      run: terraform -chdir=$EXAMPLE_DIR destroy -var license_file=license.mprv -auto-approve
+      run: terraform -chdir=$EXAMPLE_DIR destroy -var license=license.mprv -auto-approve
 
     - name: Terraform Delete Workspace
       if: always()

diff --git a/.github/workflows/terraform_apply_cli_dsf_poc.yml b/.github/workflows/terraform_apply_cli_dsf_poc.yml
@@ -129,13 +129,13 @@ jobs:
     - name: Terraform Plan
       run: |
         terraform -chdir=$EXAMPLE_DIR workspace list
-        terraform -chdir=$EXAMPLE_DIR plan -var license_file=license.mprv
+        terraform -chdir=$EXAMPLE_DIR plan -var license=license.mprv
 
       # On push to "main", build or change infrastructure according to Terraform configuration files
       # Note: It is recommended to set up a required "strict" status check in your repository for "Terraform Cloud". See the documentation on "strict" required status checks for more information: https://help.github.com/en/github/administering-a-repository/types-of-required-status-checks
     - name: Terraform Apply
       # if: github.ref == 'refs/heads/"master"' && github.event_name == 'push' || github.event_name == 'workflow_dispatch'
-      run: terraform -chdir=$EXAMPLE_DIR apply -var license_file=license.mprv -auto-approve
+      run: terraform -chdir=$EXAMPLE_DIR apply -var license=license.mprv -auto-approve
 
     - name: Terraform Output
       if: always()
@@ -144,7 +144,7 @@ jobs:
     - name: Terraform Destroy
       id: destroy
       if: always()
-      run: terraform -chdir=$EXAMPLE_DIR destroy -var license_file=license.mprv -auto-approve
+      run: terraform -chdir=$EXAMPLE_DIR destroy -var license=license.mprv -auto-approve
 
     - name: Terraform Delete Workspace
       if: always()

diff --git a/examples/alpha/dam_basic_deployment/flex b/examples/alpha/dam_basic_deployment/flex
@@ -0,0 +1 @@
+1D8C36C7-LC78-414B-9F8F-D03060FB49B9
diff --git a/examples/alpha/dam_basic_deployment/main.tf b/examples/alpha/dam_basic_deployment/main.tf
@@ -72,7 +72,7 @@ module "mx" {
   friendly_name                     = join("-", [local.deployment_name_salted, "mx"])
   dam_version                       = var.dam_version
   subnet_id                         = local.mx_subnet_id
-  license_file                      = var.license_file
+  license                           = var.license
   key_pair                          = module.key_pair.key_pair.key_pair_name
   secure_password                   = local.password
   mx_password                       = local.password
@@ -93,7 +93,6 @@ module "mx" {
 module "agent_gw" {
   source  = "imperva/dsf-agent-gw/aws"
   version = "1.5.0" # latest release tag
-
   count = var.gw_count
 
   friendly_name                           = join("-", [local.deployment_name_salted, "agent", "gw", count.index])

diff --git a/examples/alpha/dam_basic_deployment/variables.tf b/examples/alpha/dam_basic_deployment/variables.tf
@@ -18,10 +18,6 @@ variable "gw_count" {
   type        = number
   default     = 2
   description = "Number of DSF Agent Gateways"
-  validation {
-    condition     = var.gw_count >= 2
-    error_message = "Must be greater or equal to 2"
-  }
 }
 
 variable "agent_count" {
@@ -79,13 +75,17 @@ variable "gw_group_id" {
   description = "Gw group id. Keep empty for random generated one"
 }
 
-variable "license_file" {
-  type = string
+variable "license" {
+  description = <<EOF
+  License information. Must be one of the following:
+  1. Activation code (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+  2. License file path
+  EOF
+  type        = string
   validation {
-    condition     = fileexists(var.license_file)
-    error_message = "File doesn't exist"
+    condition = fileexists(var.license) || can(regex("^[[:alnum:]]{8}-([[:alnum:]]{4}-){3}[[:alnum:]]{12}$", var.license))
+    error_message = "Invalid license details. Can either be an activation code in the format of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx or a path to a license file on disk"
   }
-  description = "DAM license file path"
 }
 
 variable "subnet_ids" {

diff --git a/examples/poc/dsf_deployment/dam.tf b/examples/poc/dsf_deployment/dam.tf
@@ -14,7 +14,7 @@ module "mx" {
   friendly_name                     = join("-", [local.deployment_name_salted, "mx"])
   dam_version                       = var.dam_version
   subnet_id                         = local.mx_subnet_id
-  license_file                      = var.license_file
+  license                           = var.license
   key_pair                          = module.key_pair.key_pair.key_pair_name
   secure_password                   = local.password
   mx_password                       = local.password

diff --git a/examples/poc/dsf_deployment/variables.tf b/examples/poc/dsf_deployment/variables.tf
@@ -118,9 +118,17 @@ variable "dam_version" {
   }
 }
 
-variable "license_file" {
+variable "license" {
+  description = <<EOF
+  License information. Must be one of the following:
+  1. Activation code (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+  2. License file path
+  EOF
   type        = string
-  description = "DAM license file path"
+  validation {
+    condition = fileexists(var.license) || can(regex("^[[:alnum:]]{8}-([[:alnum:]]{4}-){3}[[:alnum:]]{12}$", var.license))
+    error_message = "Invalid license details. Can either be an activation code in the format of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx or a path to a license file on disk"
+  }
 }
 
 variable "large_scale_mode" {

diff --git a/modules/aws/hub/variables.tf b/modules/aws/hub/variables.tf
@@ -255,7 +255,7 @@ variable "sonarw_public_key_content" {
 variable "generate_access_tokens" {
   type        = bool
   default     = false
-  description = "Generate access tokens for connecting to USC / connect DAM to the DSF Hub"
+  description = "Automatically generate access tokens for connecting to USC / connect DAM to the DSF Hub"
 }
 
 variable "mx_details" {

diff --git a/modules/aws/mx/README.md b/modules/aws/mx/README.md
@@ -34,7 +34,7 @@ The following input variables are **required**:
 * `mx_password`: MX password
 * `secure_password`: The password used for communication between the Management Server and the Agent Gateway
 * `dam_version`: Version must be in the format dd.dd.dd.dd where each dd is a number between 1-99 (e.g 14.10.1.10)
-* `license_file`: DAM license file path. Make sure this license is valid before deploying DAM otherwise this will result in an invalid deployment and loss of time
+* `license`: DAM license file path or activation key. Make sure this license is valid before deploying DAM otherwise this will result in an invalid deployment and loss of time
 
 Refer to [variables.tf](variables.tf) for additional variables with default values and additional info.
 
@@ -57,7 +57,7 @@ module "mx" {
   mx_password                  = var.mx_password
   secure_password              = var.secure_password
   dam_version                  = var.dam_version
-  license_file                 = var.license_file
+  license                      = var.license
   allowed_all_cidrs            = [data.aws_vpc.selected.cidr_block]
 }
 ```

diff --git a/modules/aws/mx/configure.tftpl b/modules/aws/mx/configure.tftpl
@@ -19,17 +19,14 @@ echo "Waiting for first ADC content update:"
 while true; do
   http_code=$(curl -k -s --cookie $cookie_file -o $response_file -w "%%{http_code}" \
     --request GET 'https://${mx_address}:8083/SecureSphere/api/v1/administration/adc/timestamp')
-  if [ "$http_code" -ne 200 ]; then
-    echo "Failed to get last ADC content update: http_code: $http_code"
-    cat $response_file
-    exit 1
+  if [ "$http_code" -eq 200 ]; then
+    if ! grep '"adcTimestamp" *: *0' $response_file; then
+      echo "ADC content update is complete."
+      cat $response_file
+      break
+    fi
   fi
 
-  if ! grep '"adcTimestamp" *: *0' $response_file; then
-    echo "ADC content update is complete."
-    cat $response_file
-    break
-  fi
   echo "sleep 1m"
   sleep 60
 done

diff --git a/modules/aws/mx/license.tf b/modules/aws/mx/license.tf
@@ -9,12 +9,21 @@ resource "random_id" "encryption_salt" {
 }
 
 data "local_sensitive_file" "license_file" {
-  filename = var.license_file
+  count = local.license_activation_code ? 0 : 1
+  filename = var.license
+}
+
+locals {
+  license_passphrase = random_password.passphrase.result
+  encrypted_license  = data.external.encrypted_license.result.cipher_text
+  license_activation_code = ! fileexists(var.license)
+  license_content = local.license_activation_code ? var.license : data.local_sensitive_file.license_file[0].content
+  license_params = "${local.license_activation_code ? "--flex" : "--encLic"}=${local.encrypted_license} --passPhrase=${local.license_passphrase}"
 }
 
 locals {
   cmd = <<EOF
-  cipher_text=$(echo '${data.local_sensitive_file.license_file.content}' | openssl aes-256-cbc -S ${random_id.encryption_salt.hex} -pass pass:${random_password.passphrase.result} -md md5 | base64 | tr -d "\n" )
+  cipher_text=$(echo '${local.license_content}' | openssl aes-256-cbc -S ${random_id.encryption_salt.hex} -pass pass:${random_password.passphrase.result} -md md5 | base64 | tr -d "\n" )
   # Add cipher text Salt prefix in case it wasn't created (happens in OpenSSL 3.0.2)
   if [[ ! "$cipher_text" == "U2FsdGVkX1"* ]]; then # "U2FsdGVkX1" is b64 encoded cipher text header - "Salted__"
     # Encode the concatenated binary data as base64

diff --git a/modules/aws/mx/main.tf b/modules/aws/mx/main.tf
@@ -1,6 +1,4 @@
 locals {
-  license_passphrase = random_password.passphrase.result
-  encrypted_license  = data.external.encrypted_license.result.cipher_text
   dam_model          = "AVM150"
   resource_type      = "mx"
   mx_address_for_api = module.mx.public_ip != null ? module.mx.public_ip : module.mx.private_ip
@@ -57,7 +55,7 @@ locals {
 locals {
   large_scale_arg = var.large_scale_mode == true ? "--large_scale" : ""
   user_data_commands = [
-    "/opt/SecureSphere/etc/ec2/ec2_auto_ftl --init_mode --user=${var.ssh_user} --serverPassword=%mxPassword% --secure_password=%securePassword% --system_password=%securePassword% --timezone=${var.timezone} --time_servers=default --dns_servers=default --dns_domain=default --management_interface=eth0 --check_server_status --initiate_services --encLic=${local.encrypted_license} --passPhrase=${local.license_passphrase} ${local.large_scale_arg}"
+    "/opt/SecureSphere/etc/ec2/ec2_auto_ftl --init_mode --user=${var.ssh_user} --serverPassword=%mxPassword% --secure_password=%securePassword% --system_password=%securePassword% --timezone=${var.timezone} --time_servers=default --dns_servers=default --dns_domain=default --management_interface=eth0 --check_server_status --initiate_services ${local.license_params} ${local.large_scale_arg}"
   ]
   iam_actions = [
     "ec2:DescribeInstances"

diff --git a/modules/aws/mx/variables.tf b/modules/aws/mx/variables.tf
@@ -177,12 +177,16 @@ variable "large_scale_mode" {
   default     = false
 }
 
-variable "license_file" {
+variable "license" {
+  description = <<EOF
+  License information. Must be one of the following:
+  1. Activation code (xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx)
+  2. License file path
+  EOF
   type        = string
-  description = "DAM license file path. Make sure this license is valid before deploying DAM otherwise this will result in an invalid deployment and loss of time"
   validation {
-    condition     = fileexists(var.license_file)
-    error_message = "No such file on disk (${var.license_file})"
+    condition = fileexists(var.license) || can(regex("^[[:alnum:]]{8}-([[:alnum:]]{4}-){3}[[:alnum:]]{12}$", var.license))
+    error_message = "Invalid license details. Can either be an activation code in the format of xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx or a path to a license file on disk"
   }
 }