Merge branch 'master' into fix/update-splunk

hmcts · Sep 7, 2023 · ae0be22 · ae0be22
2 parents 5697d6e + ee395a2
commit ae0be22
Show file tree

Hide file tree

Showing 10 changed files with 200 additions and 58 deletions.
diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml
@@ -0,0 +1,17 @@
+name: Generate terraform docs
+on:
+  - pull_request
+jobs:
+  docs:
+    runs-on: ubuntu-latest
+    steps:
+    - uses: actions/checkout@v3
+      with:
+        ref: ${{ github.event.pull_request.head.ref }}
+
+    - name: Render terraform docs inside the README.md and push changes back to PR branch
+      uses: terraform-docs/gh-actions@main
+      with:
+        working-dir: .
+        config-file: .terraform-docs.yml
+        git-push: "true"
diff --git a/.terraform-docs.yml b/.terraform-docs.yml
@@ -0,0 +1,13 @@
+# https://terraform-docs.io/user-guide/configuration/
+
+settings:
+  hide-empty: true
+
+formatter: "md"
+
+output:
+  file: README.md
+  template: |-
+    <!-- BEGIN_TF_DOCS -->
+    {{ .Content }}
+    <!-- END_TF_DOCS -->
diff --git a/README.md b/README.md
diff --git a/custom_script.tf b/custom_script.tf
@@ -2,7 +2,7 @@
 resource "azurerm_virtual_machine_scale_set_extension" "custom_script" {
   count = (var.install_splunk_uf == true || var.install_nessus_agent == true || var.additional_script_path != null) && var.virtual_machine_type == "vmss" ? 1 : 0
 
-  depends_on = [azurerm_virtual_machine_scale_set_extension.azure_monitor]
+  depends_on = [azurerm_virtual_machine_scale_set_extension.endpoint_protection]
 
   name                         = var.custom_script_extension_name
   virtual_machine_scale_set_id = var.virtual_machine_scale_set_id
@@ -25,7 +25,7 @@ resource "azurerm_virtual_machine_scale_set_extension" "custom_script" {
 resource "azurerm_virtual_machine_extension" "custom_script" {
   count = (var.install_splunk_uf == true || var.install_nessus_agent == true || var.additional_script_path != null) && var.virtual_machine_type == "vm" ? 1 : 0
 
-  depends_on = [azurerm_virtual_machine_extension.azure_monitor]
+  depends_on = [azurerm_virtual_machine_extension.endpoint_protection]
 
   name                       = var.custom_script_extension_name
   virtual_machine_id         = var.virtual_machine_id

diff --git a/dynatrace_oneagent.tf b/dynatrace_oneagent.tf
@@ -1,7 +1,7 @@
 resource "azurerm_virtual_machine_scale_set_extension" "dynatrace_oneagent" {
   count = var.install_dynatrace_oneagent == true && var.virtual_machine_type == "vmss" ? 1 : 0
 
-  depends_on = [ azurerm_virtual_machine_scale_set_extension.custom_script ]
+  depends_on = [azurerm_virtual_machine_scale_set_extension.azure_monitor]
 
   name                         = "Dynatrace"
   virtual_machine_scale_set_id = var.virtual_machine_scale_set_id
@@ -15,7 +15,7 @@ resource "azurerm_virtual_machine_scale_set_extension" "dynatrace_oneagent" {
 resource "azurerm_virtual_machine_extension" "dynatrace_oneagent" {
   count = var.install_dynatrace_oneagent == true && var.virtual_machine_type == "vm" ? 1 : 0
 
-  depends_on = [ azurerm_virtual_machine_extension.custom_script ]
+  depends_on = [azurerm_virtual_machine_scale_set_extension.azure_monitor]
 
   name                       = "Dynatrace"
   virtual_machine_id         = var.virtual_machine_id

diff --git a/keyvault.tf b/keyvault.tf
@@ -0,0 +1,49 @@
+data "azurerm_key_vault" "cnp_vault" {
+  count               = var.install_dynatrace_oneagent ? 1 : 0
+  provider            = azurerm.cnp
+  name                = "infra-vault-${var.env}"
+  resource_group_name = local.cnp_vault_rg
+}
+
+data "azurerm_key_vault_secret" "token" {
+  count        = var.install_dynatrace_oneagent ? 1 : 0
+  provider     = azurerm.cnp
+  name         = "dynatrace-${var.env}-token"
+  key_vault_id = data.azurerm_key_vault.cnp_vault[0].id
+}
+
+data "azurerm_key_vault" "soc_vault" {
+  count               = var.install_nessus_agent || var.install_splunk_uf ? 1 : 0
+  provider            = azurerm.soc
+  name                = var.soc_vault_name
+  resource_group_name = var.soc_vault_rg
+}
+
+# Splunk UF
+data "azurerm_key_vault_secret" "splunk_username" {
+  count        = var.install_splunk_uf ? 1 : 0
+  provider     = azurerm.soc
+  name         = "splunk-gui-admin-username"
+  key_vault_id = data.azurerm_key_vault.soc_vault[0].id
+}
+
+data "azurerm_key_vault_secret" "splunk_password" {
+  count        = var.install_splunk_uf ? 1 : 0
+  provider     = azurerm.soc
+  name         = "splunk-gui-admin-password"
+  key_vault_id = data.azurerm_key_vault.soc_vault[0].id
+}
+
+data "azurerm_key_vault_secret" "splunk_pass4symmkey" {
+  count        = var.install_splunk_uf ? 1 : 0
+  provider     = azurerm.soc
+  name         = "splunk-pass4symmkey"
+  key_vault_id = data.azurerm_key_vault.soc_vault[0].id
+}
+
+data "azurerm_key_vault_secret" "nessus_agent_key" {
+  count        = var.install_nessus_agent ? 1 : 0
+  provider     = azurerm.soc
+  name         = "nessus-agent-key-${var.env}"
+  key_vault_id = data.azurerm_key_vault.soc_vault[0].id
+}
diff --git a/locals.tf b/locals.tf
@@ -2,22 +2,31 @@ locals {
   # Custom Script
   bootstrap_vm_script = lower(var.os_type) == "linux" ? "scripts/bootstrap_vm.sh" : "scripts/bootstrap_vm.ps1"
 
+  # Dynatrace Tenant IDs per environment
+
+  dynatrace_tenant_id = var.env == "prod" ? "ebe20728" : "yrk32651"
+
+  dynatrace_server = var.env == "prod" ? "https://10.10.70.30:9999/e/ebe20728/api" : "https://yrk32651.live.dynatrace.com/api\n"
+
+  nessus_server = var.nessus_server == "prod" ? "nessus-scanners-prod000005.platform.hmcts.net" : "https://10.10.70.8:9999/e/yrk32651/api\n"
+
   # Dynatrace OneAgent
-  dynatrace_settings = var.dynatrace_hostgroup == null && var.dynatrace_server == null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }" : var.dynatrace_hostgroup != null && var.dynatrace_server == null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"hostGroup\" : \"${var.dynatrace_hostgroup}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\"}" : var.dynatrace_hostgroup == null && var.dynatrace_server != null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"server\" : \"${var.dynatrace_server}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }" : "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"hostGroup\" : \"${var.dynatrace_hostgroup}\" , \"server\" : \"${var.dynatrace_server}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }"
-
-  template_file = base64encode(format("%s\n%s", templatefile("${path.module}/${local.bootstrap_vm_script}", {
-    UF_INSTALL      = tostring(var.install_splunk_uf),
-    UF_USERNAME     = var.splunk_username,
-    UF_PASSWORD     = var.splunk_password,
-    UF_PASS4SYMMKEY = var.splunk_pass4symmkey,
-    UF_GROUP        = var.splunk_group,
-    NESSUS_INSTALL  = var.install_nessus_agent,
-    NESSUS_SERVER   = var.nessus_server,
-    NESSUS_KEY      = var.nessus_key,
-    NESSUS_GROUPS   = var.nessus_groups
+
+  dynatrace_settings = var.dynatrace_hostgroup == null && var.dynatrace_server == null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id == null || var.dynatrace_tenant_id == "" ? local.dynatrace_tenant_id : var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token == null || var.dynatrace_token == "" ? (length(data.azurerm_key_vault_secret.token) > 0 ? data.azurerm_key_vault_secret.token[0].value : "") : var.dynatrace_token}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }" : var.dynatrace_hostgroup != null && var.dynatrace_server == null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"hostGroup\" : \"${var.dynatrace_hostgroup}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\"}" : var.dynatrace_hostgroup == null && var.dynatrace_server != null ? "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"server\" : \"${var.dynatrace_server == null || var.dynatrace_tenant_id == "" ? local.dynatrace_tenant_id : var.dynatrace_tenant_id}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }" : "{ \"tenantId\" : \"${var.dynatrace_tenant_id}\" , \"token\" : \"${var.dynatrace_token}\" , \"hostGroup\" : \"${var.dynatrace_hostgroup}\" , \"server\" : \"${var.dynatrace_server}\" , \"installerArguments\" : \"--set-network-zone=${var.dynatrace_network_zone}\" }"
+  template_file = base64encode(format("%s\n%s", templatefile("${path.module}/${local.bootstrap_vm_script}",
+    {
+      UF_INSTALL      = tostring(var.install_splunk_uf),
+      UF_USERNAME     = var.splunk_username == null || var.splunk_username == "" ? (length(data.azurerm_key_vault_secret.splunk_username) > 0 ? data.azurerm_key_vault_secret.splunk_username[0].value : "") : var.splunk_username
+      UF_PASSWORD     = var.splunk_password == null || var.splunk_password == "" ? (length(data.azurerm_key_vault_secret.splunk_password) > 0 ? data.azurerm_key_vault_secret.splunk_password[0].value : "") : var.splunk_password
+      UF_PASS4SYMMKEY = var.splunk_pass4symmkey == null || var.splunk_pass4symmkey == "" ? (length(data.azurerm_key_vault_secret.splunk_pass4symmkey) > 0 ? data.azurerm_key_vault_secret.splunk_pass4symmkey[0].value : "") : var.splunk_pass4symmkey
+      UF_GROUP        = var.splunk_group
+      NESSUS_INSTALL  = tostring(var.install_nessus_agent)
+      NESSUS_SERVER   = var.nessus_server == null || var.nessus_server == "" ? local.dynatrace_server : var.nessus_server
+      NESSUS_KEY      = var.nessus_key == null || var.nessus_key == "" ? (length(data.azurerm_key_vault_secret.nessus_agent_key) > 0 ? data.azurerm_key_vault_secret.nessus_agent_key[0].value : "") : var.nessus_key
+      NESSUS_GROUPS   = var.nessus_groups == null || var.nessus_groups == "" ? "Platform-Operation-Bastions" : var.nessus_groups
   }), var.additional_script_path == null ? "" : file("${var.additional_script_path}")))
 
   additional_template_file = var.additional_script_uri != null ? format("%s%s%s", "[ ", "\"${var.additional_script_uri}\"", " ]") : "\"\""
 
-
-}
+  cnp_vault_rg = var.cnp_vault_rg == null ? var.env != "prod" ? "cnp-core-infra" : "core-infra-${var.env}" : var.cnp_vault_rg
+}
diff --git a/ms_endpoint_protection.tf b/ms_endpoint_protection.tf
@@ -1,7 +1,7 @@
 resource "azurerm_virtual_machine_scale_set_extension" "endpoint_protection" {
   count = var.install_endpoint_protection == true && var.os_type == "Windows" && var.virtual_machine_type == "vmss" ? 1 : 0
 
-  depends_on = [ azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent ]
+  depends_on = [azurerm_virtual_machine_scale_set_extension.dynatrace_oneagent]
 
   name                         = "AntiMalwareEndpointProtection"
   virtual_machine_scale_set_id = var.virtual_machine_scale_set_id
@@ -21,7 +21,7 @@ resource "azurerm_virtual_machine_scale_set_extension" "endpoint_protection" {
 resource "azurerm_virtual_machine_extension" "endpoint_protection" {
   count = var.install_endpoint_protection == true && var.os_type == "Windows" && var.virtual_machine_type == "vm" ? 1 : 0
 
-  depends_on = [ azurerm_virtual_machine_extension.dynatrace_oneagent ]
+  depends_on = [azurerm_virtual_machine_extension.dynatrace_oneagent]
 
   name                       = "AntiMalwareEndpointProtection"
   virtual_machine_id         = var.virtual_machine_id

diff --git a/providers.tf b/providers.tf
@@ -0,0 +1,8 @@
+terraform {
+  required_providers {
+    azurerm = {
+      source                = "hashicorp/azurerm"
+      configuration_aliases = [azurerm.cnp, azurerm.soc]
+    }
+  }
+}
diff --git a/variables.tf b/variables.tf
@@ -1,3 +1,4 @@
+
 # VM/VMSS Extension General
 variable "common_tags" {
   description = "Common Tags"
@@ -11,6 +12,12 @@ variable "os_type" {
   default     = "Linux"
 }
 
+variable "env" {
+  description = "Environment name."
+  type        = string
+
+}
+
 variable "virtual_machine_id" {
   description = "Virtual machine resource id."
   type        = string
@@ -115,7 +122,7 @@ variable "dynatrace_type_handler_version" {
 variable "dynatrace_hostgroup" {
   description = "Define the hostgroup to which the VM belongs."
   type        = string
-  default     = ""
+  default     = null
 }
 
 variable "dynatrace_network_zone" {
@@ -125,21 +132,21 @@ variable "dynatrace_network_zone" {
 }
 
 variable "dynatrace_tenant_id" {
-  description = "The Dynatrace environment ID."
+  description = "The tenant ID of your Dynatrace environment."
   type        = string
   default     = ""
 }
 
 variable "dynatrace_token" {
-  description = "The Dynatrace PaaS token."
+  description = "The API token of your Dynatrace environment."
   type        = string
   default     = ""
 }
 
 variable "dynatrace_server" {
   description = "The server URL, if you want to configure an alternative communication endpoint."
   type        = string
-  default     = ""
+  default     = null
 }
 
 # Nessus Agent
@@ -158,13 +165,13 @@ variable "nessus_server" {
 variable "nessus_key" {
   description = "Nessus linking key - read input from keyvault."
   type        = string
-  default     = ""
+  default     = null
 }
 
 variable "nessus_groups" {
-  description = "Nessus agent groups."
+  description = "Nessus group name."
   type        = string
-  default     = ""
+  default     = "Platform-Operation-Bastions"
 }
 
 # Splunk UF
@@ -177,19 +184,19 @@ variable "install_splunk_uf" {
 variable "splunk_username" {
   description = "Splunk universal forwarder local admin username - read input from keyvault."
   type        = string
-  default     = ""
+  default     = null
 }
 
 variable "splunk_password" {
   description = "Splunk universal forwarder local admin password - read input from keyvault."
   type        = string
-  default     = ""
+  default     = null
 }
 
 variable "splunk_pass4symmkey" {
   description = "Splunk universal forwarder communication security key - read input from keyvault."
   type        = string
-  default     = ""
+  default     = null
 }
 
 variable "splunk_group" {
@@ -286,3 +293,21 @@ variable "additional_script_mi_id" {
   description = "This variable will be used to pass Managed Identity ID when the additional script has been used"
   default     = null
 }
+
+variable "cnp_vault_rg" {
+  description = "The name of the resource group where the CNP Key Vault is located."
+  type        = string
+  default     = null
+}
+
+variable "soc_vault_rg" {
+  description = "The name of the resource group where the SOC Key Vault is located."
+  type        = string
+  default     = "soc-core-infra-prod-rg"
+}
+
+variable "soc_vault_name" {
+  description = "The name of the SOC Key Vault."
+  type        = string
+  default     = "soc-prod"
+}