Dra on azure

.github/workflows/deploy_module.yml

@@ -110,6 +110,17 @@ jobs:
             hidden_submodules: "aws/statistics null/statistics"
             begin_tag: 1.0.0
 
+            # todo - hadar add when deploying dra
+#          ## azurerm provider
+#          - source_module: "azurerm/dra-admin"
+#            destination_repo: "terraform-azurerm-dsf-dra-admin"
+#            hidden_submodules: "azurerm/statistics null/statistics"
+#            begin_tag: 1.7.5
+#          - source_module: "azurerm/dra-analytics"
+#            destination_repo: "terraform-azurerm-dsf-dra-analytics"
+#            hidden_submodules: "azurerm/statistics null/statistics"
+#            begin_tag: 1.7.5
+
           # Globals
           ## aws provider
           - source_module: "aws/core/globals"

.github/workflows/dsf_poc_cli_azure.yml

@@ -68,13 +68,30 @@ jobs:
             workspace: azure_cli-all-
             enable_sonar: true
             enable_dam: true
+            enable_dra: true
+          - name: DSF POC - SONAR
+            workspace: azure_cli-sonar-
+            enable_sonar: true
+            enable_dam: false
+            enable_dra: false
+          - name: DSF POC - DAM
+            workspace: azure_cli-dam-
+            enable_sonar: false
+            enable_dam: true
+            enable_dra: false
+          - name: DSF POC - DRA
+            workspace: azure_cli-dra-
+            enable_sonar: false
+            enable_dam: false
+            enable_dra: true
 
     name: '${{ matrix.name }}'
     runs-on: ubuntu-latest
     env:
       EXAMPLE_DIR: ./examples/azure/poc/dsf_deployment
       TF_VAR_enable_sonar: ${{ matrix.enable_sonar }}
       TF_VAR_enable_dam: ${{ matrix.enable_dam }}
+      TF_VAR_enable_dra: ${{ matrix.enable_dra }}
     environment: test
 
     # Use the Bash shell regardless whether the GitHub Actions runner is ubuntu-latest, macos-latest, or windows-latest
@@ -146,6 +163,16 @@ jobs:
           az_blob = "Imperva-ragent-UBN-px86_64-b14.6.0.60.0.636085.bsx"
         }
         simulation_db_types_for_agent=["PostgreSql", "MySql"]
+        dra_admin_vhd_details = {
+          storage_account_name = "dsfinstallation"
+          container_name       = "dra"
+          path_to_vhd          = "DRA-4.13.0.20.0.3_30207_x86_64-Admin.vhd"
+        }
+        dra_analytics_vhd_details = {
+          storage_account_name = "dsfinstallation"
+          container_name       = "dra"
+          path_to_vhd          = "DRA-4.13.0.20.0.3_30207_x86_64-Analytics.vhd"
+        }
         EOF
 
     # Install the latest version of Terraform CLI and configure the Terraform CLI configuration file with a Terraform Cloud user API token
@@ -178,6 +205,7 @@ jobs:
           mv $EXAMPLE_DIR/outputs.tf{,_}
           mv $EXAMPLE_DIR/sonar.tf{,_}
           mv $EXAMPLE_DIR/dam.tf{,_}
+          mv $EXAMPLE_DIR/dra.tf{,_}
           mv $EXAMPLE_DIR/agent_sources.tf{,_}
           mv $EXAMPLE_DIR/networking.tf{,_}
           ls -la $EXAMPLE_DIR
@@ -186,6 +214,7 @@ jobs:
           mv $EXAMPLE_DIR/outputs.tf{_,}
           mv $EXAMPLE_DIR/sonar.tf{_,}
           mv $EXAMPLE_DIR/dam.tf{_,}
+          mv $EXAMPLE_DIR/dra.tf{,_}
           mv $EXAMPLE_DIR/agent_sources.tf{_,}
           mv $EXAMPLE_DIR/networking.tf{_,}
         fi

.github/workflows/plan_cli.yml

@@ -78,6 +78,14 @@ jobs:
                 az_blob = "dummy-blob"
               }
               dam_license="license.mprv"
+              dra_admin_image_details = {
+                resource_group_name = "dummy-resource-group"
+                image_id = "dummy-admin-image-id"
+              }
+              dra_analytics_image_details = {
+                resource_group_name = "dummy-resource-group"
+                image_id = "dummy-analytics-image-id"
+              }
           - name: AWS - POC - DSF
             example: ./examples/aws/poc/dsf_deployment
             terraformvars: |

README.md

@@ -452,7 +452,7 @@ Before using eDSF Kit to deploy DSF, it is necessary to satisfy a set of prerequ
 
 ### Azure Prerequisites
 
-1. [Establish an Azure App Registration](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application) and [assign it a custom role](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition) 
+1. [Establish an Azure App Registration](https://learn.microsoft.com/en-us/azure/healthcare-apis/register-application) and [assign it a custom role](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal?tabs=delegate-condition) (without role assignment conditions) 
    under the associated subscription, ensuring the custom role includes the required IAM permissions (see [IAM Permissions for Running eDSF Kit section](#iam-permissions-for-azure)).
 2. Configure programmatic deployment for the desired version of Imperva DAM by [enabling it on the relevant DAM image from the Azure Marketplace](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/LegalTermsSkuProgrammaticAccessBlade/legalTermsSkuProgrammaticAccessData~/%7B%22product%22%3A%7B%22publisherId%22%3A%22imperva%22%2C%22offerId%22%3A%22imperva-dam-v14%22%2C%22planId%22%3A%22securesphere-imperva-dam-14%22%2C%22standardContractAmendmentsRevisionId%22%3Anull%2C%22isCspEnabled%22%3Atrue%7D%7D). For DAM LTS version, use [DAM LTS Azure Marketplace image](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/LegalTermsSkuProgrammaticAccessBlade/legalTermsSkuProgrammaticAccessData~/%7B%22product%22%3A%7B%22publisherId%22%3A%22imperva%22%2C%22offerId%22%3A%22imperva-dam-v14-lts%22%2C%22planId%22%3A%22securesphere-imperva-dam-14%22%2C%22standardContractAmendmentsRevisionId%22%3Anull%2C%22isCspEnabled%22%3Atrue%7D%7D).
 For the POC example, configure programmatic deployment also for [Ubuntu Pro 20.04 LTS image](https://portal.azure.com/#view/Microsoft_Azure_Marketplace/LegalTermsSkuProgrammaticAccessBlade/legalTermsSkuProgrammaticAccessData~/%7B%22product%22%3A%7B%22publisherId%22%3A%22canonical%22%2C%22offerId%22%3A%220001-com-ubuntu-pro-focal%22%2C%22planId%22%3A%22pro-20_04-lts%22%2C%22standardContractAmendmentsRevisionId%22%3Anull%2C%22isCspEnabled%22%3Atrue%7D%7D).

examples/aws/installation/dsf_single_account_deployment/dra.tf

@@ -9,13 +9,13 @@ module "dra_admin" {
   version = "1.7.5" # latest release tag
   count   = var.enable_dra ? 1 : 0
 
-  friendly_name               = join("-", [local.deployment_name_salted, "dra", "admin"])
+  name                        = join("-", [local.deployment_name_salted, "dra", "admin"])
   subnet_id                   = var.subnet_ids.dra_admin_subnet_id
   security_group_ids          = var.security_group_ids_dra_admin
   dra_version                 = module.globals.dra_version
   ebs                         = var.dra_admin_ebs_details
   admin_registration_password = local.password
-  admin_password              = local.password
+  admin_ssh_password          = local.password
   allowed_web_console_cidrs   = var.web_console_cidr
   allowed_analytics_cidrs     = [data.aws_subnet.dra_analytics.cidr_block]
   allowed_hub_cidrs           = local.hub_cidr_list
@@ -31,13 +31,13 @@ module "dra_analytics" {
   version = "1.7.5" # latest release tag
   count   = local.dra_analytics_count
 
-  friendly_name                = join("-", [local.deployment_name_salted, "dra", "analytics", count.index])
+  name                         = join("-", [local.deployment_name_salted, "dra", "analytics", count.index])
   subnet_id                    = var.subnet_ids.dra_analytics_subnet_id
   security_group_ids           = var.security_group_ids_dra_analytics
   dra_version                  = module.globals.dra_version
   ebs                          = var.dra_analytics_ebs_details
   admin_registration_password  = local.password
-  admin_password               = local.password
+  analytics_ssh_password       = local.password
   allowed_admin_cidrs          = [data.aws_subnet.dra_admin.cidr_block]
   allowed_agent_gateways_cidrs = local.agent_gw_cidr_list
   allowed_hub_cidrs            = local.hub_cidr_list

examples/aws/installation/dsf_single_account_deployment/sonar.tf

@@ -53,8 +53,8 @@ module "hub_main" {
   dra_details = var.enable_dra ? {
     name              = module.dra_admin[0].display_name
     address           = module.dra_admin[0].public_ip
-    username          = module.dra_admin[0].ssh_user
     password          = local.password
+    archiver_username = module.dra_analytics[0].archiver_user
     archiver_password = module.dra_analytics[0].archiver_password
   } : null
   generate_access_tokens = true

examples/aws/installation/dsf_single_account_deployment/variables.tf

@@ -475,6 +475,7 @@ variable "dam_license" {
   2. License file path
   EOF
   type        = string
+  default     = null
 }
 
 variable "large_scale_mode" {

examples/aws/poc/dsf_deployment/README.md

@@ -17,7 +17,7 @@ The deployment is modular and allows users to deploy one or more of the followin
    - Agent Gateways
 4. DRA
    - Admin server
-   - Analytic servers
+   - Analytics servers
 5. Audit sources
    - Agent audit sources (EC2 instances)
    - Agentless audit sources (RDS instances)
@@ -71,7 +71,7 @@ Several variables in the `variables.tf` file are important for configuring the d
 - `enable_dra`: Enable DRA sub-product
 
 ### Server Count
-- `dra_analytics_count`: Number of DRA Analytic servers
+- `dra_analytics_count`: Number of DRA Analytics servers
 - `agentless_gw_count`: Number of Agentless Gateways
 - `agent_gw_count`: Number of Agent Gateways
 

examples/aws/poc/dsf_deployment/dra.tf

@@ -9,17 +9,19 @@ module "dra_admin" {
   version = "1.7.5" # latest release tag
   count   = var.enable_dra ? 1 : 0
 
-  friendly_name               = join("-", [local.deployment_name_salted, "dra", "admin"])
+  name                        = join("-", [local.deployment_name_salted, "dra", "admin"])
   subnet_id                   = local.dra_admin_subnet_id
   dra_version                 = module.globals.dra_version
   ebs                         = var.dra_admin_ebs_details
+  key_pair                    = module.key_pair.key_pair.key_pair_name
   admin_registration_password = local.password
-  admin_password              = local.password
+  admin_ssh_password          = local.password
   allowed_web_console_cidrs   = var.web_console_cidr
   allowed_analytics_cidrs     = [data.aws_subnet.dra_analytics.cidr_block]
   allowed_hub_cidrs           = local.hub_cidr_list
   allowed_ssh_cidrs           = concat(local.workstation_cidr, var.allowed_ssh_cidrs)
-  key_pair                    = module.key_pair.key_pair.key_pair_name
+  attach_persistent_public_ip = true
+
   tags                        = local.tags
   depends_on = [
     module.vpc
@@ -31,12 +33,12 @@ module "dra_analytics" {
   version = "1.7.5" # latest release tag
 
   count                       = local.dra_analytics_count
-  friendly_name               = join("-", [local.deployment_name_salted, "dra", "analytics", count.index])
+  name                        = join("-", [local.deployment_name_salted, "dra", "analytics", count.index])
   subnet_id                   = local.dra_analytics_subnet_id
   dra_version                 = module.globals.dra_version
   ebs                         = var.dra_analytics_ebs_details
   admin_registration_password = local.password
-  admin_password              = local.password
+  analytics_ssh_password      = local.password
   allowed_admin_cidrs         = [data.aws_subnet.dra_admin.cidr_block]
   allowed_ssh_cidrs           = concat(local.hub_cidr_list, var.allowed_ssh_cidrs)
   key_pair                    = module.key_pair.key_pair.key_pair_name

examples/aws/poc/dsf_deployment/sonar.tf

@@ -42,8 +42,8 @@ module "hub_main" {
   dra_details = var.enable_dra ? {
     name              = module.dra_admin[0].display_name
     address           = module.dra_admin[0].public_ip
-    username          = module.dra_admin[0].ssh_user
     password          = local.password
+    archiver_username = module.dra_analytics[0].archiver_user
     archiver_password = module.dra_analytics[0].archiver_password
   } : null
   tags = local.tags

examples/aws/poc/dsf_deployment/variables.tf

@@ -137,6 +137,7 @@ variable "dam_license" {
   2. License file path (Make sure it allows AWS DAM models (AV2500/AV6500))
   EOF
   type        = string
+  default     = null
 }
 
 variable "large_scale_mode" {
@@ -250,12 +251,12 @@ variable "hub_ebs_details" {
     provisioned_iops = number
     throughput       = number
   })
-  description = "DSF Hub compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm"
   default = {
     disk_size        = 250
     provisioned_iops = 0
     throughput       = 125
   }
+  description = "DSF Hub compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm"
 }
 
 variable "agentless_gw_ebs_details" {
@@ -264,12 +265,12 @@ variable "agentless_gw_ebs_details" {
     provisioned_iops = number
     throughput       = number
   })
-  description = "DSF Agentless Gateway compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm"
   default = {
     disk_size        = 150
     provisioned_iops = 0
     throughput       = 125
   }
+  description = "DSF Agentless Gateway compute instance volume attributes. More info in sizing doc - https://docs.imperva.com/bundle/v4.10-sonar-installation-and-setup-guide/page/78729.htm"
 }
 
 variable "additional_install_parameters" {

examples/azure/poc/dsf_deployment/README.md

@@ -1,7 +1,7 @@
 # DSF Deployment example
 [![GitHub tag](https://img.shields.io/github/v/tag/imperva/dsfkit.svg)](https://github.com/imperva/dsfkit/tags)
 
-This example provides DSF (Data Security Fabric) deployment with DSF Hub, Agentless Gateways, DAM (Database Activity Monitoring) and Agent audit sources.
+This example provides a full DSF (Data Security Fabric) deployment with DSF Hub, Agentless Gateways, DAM (Database Activity Monitoring), DRA (Data Risk Analytics) and Agent and Agentless audit sources.
 
 ## Modularity
 The deployment is modular and allows users to deploy one or more of the following modules:
@@ -15,8 +15,12 @@ The deployment is modular and allows users to deploy one or more of the followin
 3. DAM
    - MX
    - Agent Gateways
-4. Audit sources
-   - Agent audit sources (virtual machine instances)
+4. DRA
+   - Admin server
+   - Analytics servers
+5. Audit sources
+   - Agent audit sources (Virtual Machine instances)
+   - Agentless audit source (SQL Server instance)
 
 ### Deploying Specific Modules
 
@@ -28,19 +32,32 @@ To deploy only the DAM module, set the following variables in your Terraform con
 ```
 enable_dam = true
 enable_sonar = false
+enable_dra = false
 ```
 
-This configuration will enable the DAM module while disabling the Sonar module.
+This configuration will enable the DAM module while disabling the DSF Hub and DRA modules.
 
-#### 2. Sonar Only Deployment
+#### 2. DRA Only Deployment
+
+To deploy only the DRA module, set the following variables in your Terraform configuration:
+```
+enable_dam = false
+enable_sonar = false
+enable_dra = true
+```
+
+This configuration will enable the DRA module while disabling the DSF Hub and DAM modules.
+
+#### 3. Sonar Only Deployment
 
 To deploy only the Sonar module, set the following variables in your Terraform configuration:
 ```
 enable_dam = false
 enable_sonar = true
+enable_dra = false
 ```
 
-This configuration will enable the Sonar module, including the DSF Hub, while disabling the DAM module.
+This configuration will enable the Sonar module, including the DSF Hub, while disabling the DAM and DRA modules.
 
 Feel free to customize your deployment by setting the appropriate variables based on your requirements.
 
@@ -50,8 +67,10 @@ Several variables in the `variables.tf` file are important for configuring the d
 ### Sub-Products
 - `enable_sonar`: Enable Sonar sub-product
 - `enable_dam`: Enable DAM sub-product
+- `enable_dra`: Enable DRA sub-product
 
 ### Server Count
+- `dra_analytics_count`: Number of DRA Analytics servers
 - `agentless_gw_count`: Number of Agentless Gateways
 - `agent_gw_count`: Number of Agent Gateways
 
@@ -65,9 +84,11 @@ Several variables in the `variables.tf` file are important for configuring the d
 ## Mandatory Variables
 Before initiating the Terraform deployment, it is essential to set up the following variables:
 - `resource_group_location`: The region of the resource group to which all DSF components will be associated.
-- `tarball_location`: Storage account and container location of the DSF installation software. az_blob is the full path to the tarball file within the storage account container. 
-- `dam_agent_installation_location`: Storage account and container location of the DAM Agent installation software. az_blob is the full path to the installation file within the storage account container.
-- `dam_license`: DAM license file path.
+- `tarball_location`: Only when deploying Sonar, storage account and container location of the DSF Sonar installation software. 'az_blob' is the full path to the tarball file within the storage account container. 
+- `dam_agent_installation_location`: Only when deploying DAM, storage account and container location of the DAM Agent installation software. 'az_blob' is the full path to the installation file within the storage account container.
+- `dam_license`: Only when deploying DAM, DAM license file path.
+- `dra_admin_image_details` or `dra_admin_vhd_details`: Only when deploying DRA, the image or VHD details of the DRA Admin server.
+- `dra_analytics_image_details` or `dra_analytics_vhd_details`: Only when deploying DRA, the image or VHD details of the DRA Analytics server.
 
 ## Default Example
 To perform the default deployment, run the following command:

examples/azure/poc/dsf_deployment/dam.tf

@@ -21,7 +21,7 @@ module "mx" {
   mx_password                       = local.password
   allowed_web_console_and_api_cidrs = var.web_console_cidr
   allowed_agent_gw_cidrs            = module.network[0].vnet_address_space
-  allowed_ssh_cidrs                 = local.workstation_cidr
+  allowed_ssh_cidrs                 = concat(local.workstation_cidr, var.allowed_ssh_cidrs)
   allowed_hub_cidrs                 = module.network[0].vnet_address_space
 
   hub_details = var.enable_sonar ? {
@@ -55,7 +55,7 @@ module "agent_gw" {
   mx_password                             = local.password
   allowed_agent_cidrs                     = module.network[0].vnet_address_space
   allowed_mx_cidrs                        = module.network[0].vnet_address_space
-  allowed_ssh_cidrs                       = module.network[0].vnet_address_space
+  allowed_ssh_cidrs                       = concat(module.network[0].vnet_address_space, var.allowed_ssh_cidrs)
   allowed_gw_clusters_cidrs               = module.network[0].vnet_address_space
   management_server_host_for_registration = module.mx[0].private_ip
   management_server_host_for_api_access   = module.mx[0].public_ip