flatten TF into a single module (#4)

* flatten TF into a single module * updated per review --------- Co-authored-by: John Dewey <[email protected]>
corelight · Jun 5, 2024 · ee4df88 · ee4df88
1 parent 6d59cd2
commit ee4df88
Show file tree

Hide file tree

Showing 13 changed files with 115 additions and 230 deletions.
diff --git a/README.md b/README.md
@@ -4,28 +4,27 @@
 
 Terraform for Corelight's GCP Cloud Sensor Deployment.
 
-## Getting Started
-
-Corelight Sensors support a broad range of instance types and sizes.
-You can create regional MIGs or zonal MIGs. Regional MIGs provide
-higher availability compared to zonal MIGs because the instances in
-a regional MIG are spread across multiple zones in a single region.
-
-It is important to consider that some cost per GiB of traffic may be
-incurred if data is sent between regions within GCP. The sensors operate
-independently on individual traffic flows from the internal load balancer -
-which means the MIGs can be stateless.
-
-MIG’s can be autoscaled based on several factors, CPU utilization, HTTP
-capacity, and select cloud metrics. Here at Corelight, we believe in
-using our own products to help secure our own infrastructure. In doing
-so, we’ve used our sensors to secure the entirety of our hybrid
-deployment, both on premise and in the cloud. For our cloud sensors we
-have taken full advantage of autoscaling based on the amount of CPU
-utilization to ensure we have enough sensor capacity to secure our
-environments without running into adverse issues. We recommend scaling
-Corelight sensors when CPU utilization is over 70% for over 120
-seconds.
+### Usage
+
+```hcl
+module "sensor" {
+  source = "github.com/corelight/terraform-gcp-sensor"
+
+  region                  = "<instance region>"
+  zone                    = "<instance availability zone>"
+  network_mgmt_name       = "<virtual network management name>"
+  subnetwork_mgmt_name    = "<virtual network subnetwork management name>"
+  subnetwork_mgmt_cidr    = "<virtual network subnetwork management CIDR>"
+  network_prod_name       = "<virtual network name for infra to be monitored"
+  subnetwork_mon_name     = "<virtual network subnetwork monitoring name>"
+  subnetwork_mon_cidr     = "<virtual network subnetwork monitoring CIDR>"
+  subnetwork_mon_gateway  = "<virtual network subnetwork monitoring gateway>"
+  instance_ssh_key_pub    = "<instance ssh public key>"
+  image                   = "<instance image>"
+  sensor_license          = "<your Corelight senosr license key>"
+  sensor_community_string = "<the Fleet Manager community string>"
+}
+```
 
 ### Deployment
 

diff --git a/modules/sensor/cloud-config/build.tpl → cloud-config/build.tpl b/modules/sensor/cloud-config/build.tpl → cloud-config/build.tpl
diff --git a/modules/sensor/data.tf → data.tf b/modules/sensor/data.tf → data.tf
diff --git a/examples/deployment/main.tf b/examples/deployment/main.tf
@@ -2,14 +2,14 @@ locals {
   region                  = "us-west1"
   zone                    = "us-west1-a"
   project_id              = "<project-id>"
-  auth                    = "~/.config/gcloud/application_default_credentials.json"
+  auth                    = file("~/.config/gcloud/application_default_credentials.json")
   instance_ssh_key_pub    = "~/.ssh/id_ed25519_cl.pub"
   instance_bastion_image  = "ubuntu-os-cloud/ubuntu-2004-lts"
-  instance_sensor_image   = "alma-8-20240506203234"
+  instance_sensor_image   = "alma-8-20240516193720"
   subnetwork_mgmt_cidr    = "10.129.0.0/24"
   subnetwork_mon_cidr     = "10.3.0.0/24"
   subnetwork_mon_gateway  = "10.3.0.1"
-  sensor_license          = "~/corelight-license.txt"
+  sensor_license          = file("~/corelight-license.txt")
   sensor_community_string = "managedPassword!"
 }
 
@@ -19,7 +19,7 @@ locals {
 
 provider "google" {
   project     = local.project_id
-  credentials = file(local.auth)
+  credentials = local.auth
   region      = local.region
   zone        = local.zone
 }
@@ -28,46 +28,119 @@ provider "google" {
 # Create a VPC
 ####################################################################################################
 
-module "custom_vpc" {
-  region               = local.region
-  subnetwork_mgmt_cidr = local.subnetwork_mgmt_cidr
-  subnetwork_mon_cidr  = local.subnetwork_mon_cidr
+# firewall
 
-  source = "../../modules/network"
+# allow ssh traffic to mgmt (default is inbound)
+resource "google_compute_firewall" "allow_ssh_to_mgmt" {
+  name      = "corelight-allow-ssh-inbound-to-mgmt"
+  direction = "INGRESS"
+  network   = google_compute_network.mgmt.name
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  source_ranges = ["0.0.0.0/0"]
+  target_tags   = ["allow-ssh"]
+}
+
+# allow internal SSH traffic in mgmt network
+resource "google_compute_firewall" "allow_internal" {
+  name      = "corelight-allow-internal"
+  direction = "INGRESS"
+  network   = google_compute_network.mgmt.name
+
+  allow {
+    protocol = "tcp"
+    ports    = ["22"]
+  }
+
+  source_ranges = [local.subnetwork_mgmt_cidr]
+  target_tags   = ["allow-ssh"]
+}
+
+# nat
+
+resource "google_compute_router" "mgmt_router" {
+  name    = "corelight-mgmt-router"
+  region  = local.region
+  network = google_compute_network.mgmt.name
+}
+
+resource "google_compute_router_nat" "mon_nat" {
+  name                               = "corelight-mgmt-nat"
+  router                             = google_compute_router.mgmt_router.name
+  region                             = local.region
+  nat_ip_allocate_option             = "AUTO_ONLY"
+  source_subnetwork_ip_ranges_to_nat = "ALL_SUBNETWORKS_ALL_IP_RANGES"
+
+  log_config {
+    enable = true
+    filter = "ERRORS_ONLY"
+  }
+}
+
+# network
+
+resource "google_compute_network" "mgmt" {
+  name                    = "corelight-mgmt"
+  routing_mode            = "GLOBAL"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_network" "prod" {
+  name                    = "corelight-prod"
+  routing_mode            = "GLOBAL"
+  auto_create_subnetworks = false
+}
+
+resource "google_compute_subnetwork" "mgmt_subnet" {
+  name          = "corelight-subnet"
+  ip_cidr_range = local.subnetwork_mgmt_cidr
+  network       = google_compute_network.mgmt.name
+  region        = local.region
+}
+
+resource "google_compute_subnetwork" "mon_subnet" {
+  name          = "corelight-mon-subnet"
+  ip_cidr_range = local.subnetwork_mon_cidr
+  network       = google_compute_network.prod.name
+  region        = local.region
 }
 
 ####################################################################################################
 # Create a Bastion
 ####################################################################################################
 
 module "custom_bastion" {
+  source = "../../modules/bastion"
+
   zone                 = local.zone
-  network_mgmt_name    = module.custom_vpc.network_mgmt_name
-  subnetwork_mgmt_name = module.custom_vpc.subnetwork_mgmt_name
+  network_mgmt_name    = google_compute_network.mgmt.name
+  subnetwork_mgmt_name = google_compute_subnetwork.mgmt_subnet.name
   instance_ssh_key_pub = local.instance_ssh_key_pub
   image                = local.instance_bastion_image
-
-  source = "../../modules/bastion"
 }
 
 ####################################################################################################
 # Create Sensor Managed Instance Group
 ####################################################################################################
 
-module "custom_sensor" {
+module "sensor" {
+  source = "../.."
+
   region                  = local.region
   zone                    = local.zone
-  network_mgmt_name       = module.custom_vpc.network_mgmt_name
-  subnetwork_mgmt_name    = module.custom_vpc.subnetwork_mgmt_name
-  network_prod_name       = module.custom_vpc.network_prod_name
-  subnetwork_mon_name     = module.custom_vpc.subnetwork_mon_name
+  network_mgmt_name       = google_compute_network.mgmt.name
+  subnetwork_mgmt_name    = google_compute_subnetwork.mgmt_subnet.name
   subnetwork_mgmt_cidr    = local.subnetwork_mgmt_cidr
+  network_prod_name       = google_compute_network.prod.name
+  subnetwork_mon_name     = google_compute_subnetwork.mon_subnet.name
   subnetwork_mon_cidr     = local.subnetwork_mon_cidr
   subnetwork_mon_gateway  = local.subnetwork_mon_gateway
   instance_ssh_key_pub    = local.instance_ssh_key_pub
   image                   = local.instance_sensor_image
-  sensor_license          = file(local.sensor_license)
+  sensor_license          = local.sensor_license
   sensor_community_string = local.sensor_community_string
-
-  source = "../../modules/sensor"
 }
diff --git a/modules/sensor/instance.tf → instance.tf b/modules/sensor/instance.tf → instance.tf
diff --git a/modules/sensor/load_balancer.tf → load_balancer.tf b/modules/sensor/load_balancer.tf → load_balancer.tf
diff --git a/modules/network/firewall.tf b/modules/network/firewall.tf
diff --git a/modules/network/nat.tf b/modules/network/nat.tf
diff --git a/modules/network/network.tf b/modules/network/network.tf
diff --git a/modules/network/outputs.tf b/modules/network/outputs.tf