From 1c429bd95bfde76c9e44cec25d5d25fc2f047653 Mon Sep 17 00:00:00 2001 From: Ryan Haney <25014745+thathaneydude@users.noreply.github.com> Date: Thu, 21 Nov 2024 12:10:41 -0600 Subject: [PATCH] Removing subnet creation from the module. We should not be altering the customers network. Updated the health check to use the appropriate 41080 port. renamed the sensor admin user to "ubuntu" to match our documentation. Added the Linux Health Extension to provide a grace period before health checks are sent. (#12) --- README.md | 7 +++---- load_balancer.tf | 30 +++++++++--------------------- nat_gateway.tf | 2 +- outputs.tf | 4 ++-- scale_set.tf | 24 ++++++++++++++++++++---- sensor_config.tf | 1 - subnet.tf | 8 -------- variables.tf | 21 +++++++++++---------- 8 files changed, 46 insertions(+), 51 deletions(-) delete mode 100644 subnet.tf diff --git a/README.md b/README.md index 3dea909..aadc407 100644 --- a/README.md +++ b/README.md @@ -13,13 +13,12 @@ module "sensor" { license_key = "" location = "" resource_group_name = "" - virtual_network_name = "" - virtual_network_resource_group = "" - virtual_network_address_space = "" corelight_sensor_image_id = "" community_string = "" sensor_ssh_public_key = "" - + management_subnet_id = "" + monitoring_subnet_id = "" + tags = { foo: bar, terraform: true, diff --git a/load_balancer.tf b/load_balancer.tf index 316980f..54a7a1c 100644 --- a/load_balancer.tf +++ b/load_balancer.tf @@ -6,7 +6,7 @@ resource "azurerm_lb" "scale_set_lb" { frontend_ip_configuration { name = var.lb_frontend_ip_config_name - subnet_id = azurerm_subnet.subnet.id + subnet_id = var.monitoring_subnet_id } tags = var.tags 
@@ -25,11 +25,12 @@ resource "azurerm_lb_backend_address_pool" "monitoring_pool" { resource "azurerm_lb_probe" "sensor_health_check_probe" { loadbalancer_id = azurerm_lb.scale_set_lb.id name = var.lb_health_check_probe_name - port = 443 - request_path = "/api/system/healthcheck/" - protocol = "Https" + port = 41080 + request_path = "/api/system/healthcheck" + protocol = "Http" interval_in_seconds = 30 - probe_threshold = 3 + number_of_probes = 2 + probe_threshold = 2 } resource "azurerm_lb_rule" "monitoring_vxlan_lb_rule" { @@ -45,28 +46,15 @@ resource "azurerm_lb_rule" "monitoring_vxlan_lb_rule" { probe_id = azurerm_lb_probe.sensor_health_check_probe.id } -resource "azurerm_lb_rule" "monitoring_geneve_lb_rule" { - name = var.lb_geneve_rule_name - loadbalancer_id = azurerm_lb.scale_set_lb.id - protocol = "Udp" - backend_port = 6081 - frontend_port = 6081 - frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name - backend_address_pool_ids = [ - azurerm_lb_backend_address_pool.monitoring_pool.id - ] - probe_id = azurerm_lb_probe.sensor_health_check_probe.id -} - resource "azurerm_lb_rule" "monitoring_health_check_rule" { name = var.lb_health_check_rule_name loadbalancer_id = azurerm_lb.scale_set_lb.id protocol = "Tcp" - backend_port = 443 - frontend_port = 443 + backend_port = 41080 + frontend_port = 41080 frontend_ip_configuration_name = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].name backend_address_pool_ids = [ - azurerm_lb_backend_address_pool.management_pool.id + azurerm_lb_backend_address_pool.monitoring_pool.id ] probe_id = azurerm_lb_probe.sensor_health_check_probe.id } diff --git a/nat_gateway.tf b/nat_gateway.tf index 72d1bc2..dfffc50 100644 --- a/nat_gateway.tf +++ b/nat_gateway.tf 
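Review bot: `sensor_health_check_probe` now speaks plain `Http` to port 41080, but the ApplicationHealthLinux extension added to scale_set.tf in this same commit probes the same port with `protocol = "https"`; a single listener cannot serve both schemes, so one of the two signals will mark every instance unhealthy. Use whatever scheme the sensor actually serves on 41080 in both places, e.g. `protocol = "Https"` here if the endpoint is TLS. Setting both `number_of_probes = 2` and `probe_threshold = 2` also looks redundant — as far as I recall they are the old and new names for the same unhealthy-count setting in the azurerm provider, with `number_of_probes` deprecated — so keep only `probe_threshold`.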
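Review bot: `monitoring_health_check_rule` now forwards TCP 41080 from the load balancer frontend (placed on the customer's monitoring subnet earlier in this file) to the sensors, so anything that can reach the frontend IP can call `/api/system/healthcheck` on the fleet. If the rule exists only so the probe has a rule to attach to, `monitoring_vxlan_lb_rule` already references `sensor_health_check_probe` and this rule can simply be removed; if the endpoint is meant to be reachable, restrict its sources at the NSG and document why. The GENEVE rule removal is not mentioned in the commit message; if GENEVE ingestion is intentionally dropped, a one-line note in the description and removal of `var.lb_geneve_rule_name` (not visible here) would avoid a dangling input.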
@@ -17,7 +17,7 @@ resource "azurerm_nat_gateway" "lb_nat_gw" { } resource "azurerm_subnet_nat_gateway_association" "nat_gw_association" { - subnet_id = azurerm_subnet.subnet.id + subnet_id = var.management_subnet_id nat_gateway_id = azurerm_nat_gateway.lb_nat_gw.id } diff --git a/outputs.tf b/outputs.tf index 3ab2492..b3decb7 100644 --- a/outputs.tf +++ b/outputs.tf @@ -18,6 +18,6 @@ output "sensor_scale_set_name" { value = azurerm_linux_virtual_machine_scale_set.sensor_scale_set.name } -output "sensor_scale_set_subnet_name" { - value = azurerm_subnet.subnet.name +output "sensor_load_balancer_frontend_ip_address" { + value = azurerm_lb.scale_set_lb.frontend_ip_configuration[0].private_ip_address } \ No newline at end of file diff --git a/scale_set.tf b/scale_set.tf index 8815549..32a6059 100644 --- a/scale_set.tf +++ b/scale_set.tf @@ -33,7 +33,7 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" { ip_configuration { name = "management-nic-ip-cfg" primary = true - subnet_id = azurerm_subnet.subnet.id + subnet_id = var.management_subnet_id load_balancer_backend_address_pool_ids = [ azurerm_lb_backend_address_pool.management_pool.id ] 
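Review bot: Associating the module's NAT gateway with `var.management_subnet_id` changes the egress path for every workload already in that customer-owned subnet, which is the kind of alteration the commit message says the module should stop doing, and Azure allows only one NAT gateway per subnet, so the apply will fail if the customer already has one attached. Either make the association opt-in behind a boolean variable defaulting to false, or document the requirement on the resource: `# NOTE: requires a management subnet with no existing NAT gateway; this redirects ALL egress from that subnet through the module's gateway.`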
@@ -41,17 +41,33 @@ resource "azurerm_linux_virtual_machine_scale_set" "sensor_scale_set" { } network_interface { - name = "monitoring-nic" + name = "monitoring-nic" + enable_accelerated_networking = true ip_configuration { name = "monitoring-nic-ip-cfg" - primary = true - subnet_id = azurerm_subnet.subnet.id + subnet_id = var.monitoring_subnet_id load_balancer_backend_address_pool_ids = [ azurerm_lb_backend_address_pool.monitoring_pool.id ] } } + extension { + name = "HealthExtension" + publisher = "Microsoft.ManagedServices" + type = "ApplicationHealthLinux" + type_handler_version = "2.0" + auto_upgrade_minor_version = true + settings = jsonencode({ + protocol = "https" + port = 41080 + requestPath = "/api/system/healthcheck" + intervalInSeconds = 15 + numberOfProbes = 2 + gracePeriod = 600 + }) + } + tags = var.tags depends_on = [ diff --git a/sensor_config.tf b/sensor_config.tf index 217aa63..14f953a 100644 --- a/sensor_config.tf +++ b/sensor_config.tf @@ -17,7 +17,6 @@ module "sensor_config" { sensor_management_interface_name = "eth0" sensor_monitoring_interface_name = "eth1" sensor_health_check_probe_source_ranges_cidr = [local.azure_lb_health_check_probe_ip] - sensor_health_check_http_port = 443 gzip_config = true base64_encode_config = true enrichment_enabled = var.enrichment_storage_account_name != "" && var.enrichment_storage_container_name != "" diff --git a/subnet.tf b/subnet.tf deleted file mode 100644 index f86aacf..0000000 --- a/subnet.tf +++ /dev/null @@ -1,8 +0,0 @@ -resource "azurerm_subnet" "subnet" { - name = var.sensor_subnet_name - virtual_network_name = var.virtual_network_name - resource_group_name = var.virtual_network_resource_group - address_prefixes = [ - cidrsubnet(var.virtual_network_address_space, 8, 1) - ] -} \ No newline at end of file diff --git a/variables.tf b/variables.tf index 3f1b001..c6b860a 100644 --- a/variables.tf +++ b/variables.tf 
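Review bot: The health extension settings probe `https` on 41080 while the LB probe in load_balancer.tf in this same commit uses `Http` on the same port, so the two health signals disagree; whichever is wrong will either pull instances out of rotation or block rolling upgrades. Align the scheme with what the sensor serves, e.g. `protocol = "http"` here if the LB probe is the correct one. The `enable_accelerated_networking` argument on `network_interface` was, I believe, renamed to `accelerated_networking_enabled` in azurerm 4.x, so confirm the provider version constraint before relying on it. The `azurerm_linux_virtual_machine_scale_set` block starts and ends outside this hunk.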
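Review bot: Dropping `sensor_health_check_http_port = 443` leaves the port the sensor listens on for health checks to whatever the `sensor_config` module defaults to, which this diff does not show; if that default is not 41080, the LB probe and health extension configured in this commit will never succeed. Pin it explicitly, `sensor_health_check_http_port = 41080`, so the listener and the probes cannot drift apart, or add a comment stating that the module default is 41080. The `module "sensor_config"` block continues outside the hunk.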
@@ -14,18 +14,13 @@ variable "license_key" { sensitive = true } -variable "virtual_network_name" { - description = "The name of the virtual network the sensor will be deployed in" +variable "management_subnet_id" { + description = "The subnet used to access the sensor" type = string } -variable "virtual_network_address_space" { - description = "The address space of the virtual network the sensor be deployed in" - type = string -} - -variable "virtual_network_resource_group" { - description = "The resource group where the virtual network is deployed" +variable "monitoring_subnet_id" { + description = "The subnet used for monitoring traffic" type = string } @@ -54,7 +49,7 @@ variable "sensor_subnet_name" { variable "sensor_admin_username" { description = "The name of the admin user on the corelight sensor VM in the VMSS" type = string - default = "corelight" + default = "ubuntu" } variable "nat_gateway_ip_name" { @@ -202,3 +197,9 @@ variable "fleet_no_proxy" { default = "" description = "(optional) hosts or domains to bypass the proxy for fleet traffic" } + +variable "monitoring_nsg_name" { + type = string + default = "corelight-monitoring-nsg" + description = "(optional) Name of the monitoring network security group" +}
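Review bot: Changing the default `sensor_admin_username` to `ubuntu` makes the SSH account name the distribution's well-known default, which is marginally easier to guess than `corelight`; since `sensor_ssh_public_key` is mandatory this is a small exposure, but the description should say the default exists to match the published documentation and can be overridden, e.g. `description = "Admin user on the sensor VMs; defaults to \"ubuntu\" to match the documentation, override if your policy requires a non-default name"`. Separately, `variable "sensor_subnet_name"` is still visible in the hunk context even though subnet.tf is deleted in this commit, so it is now an unused input and should be removed or marked deprecated in its description.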
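Review bot: `monitoring_nsg_name` is added as an input but no `azurerm_network_security_group` resource appears anywhere in this diff, so unless something outside the shown files consumes it, this is a dangling variable. If an NSG resource is intended to follow, its description should say what rules it will carry (the probe source range from `sensor_config.tf` is the obvious candidate); if not, drop the variable until the resource exists.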