Merge branch 'main' into dg-add-cdr-infra-wf

elastic · Aug 28, 2024 · 25ffbef · 25ffbef
2 parents 43283ee + 50f37d1
commit 25ffbef
Show file tree

Hide file tree

Showing 12 changed files with 532 additions and 7 deletions.
diff --git a/.github/workflows/test-environment.yml b/.github/workflows/test-environment.yml
@@ -256,19 +256,19 @@ jobs:
           aws-secret-access-key: ${{ env.AWS_SECRET_ACCESS_KEY }}
           aws-region: ${{ env.AWS_REGION }}
 
+      - id: azure-auth
+        name: Azure login
+        uses: azure/login@v2
+        with:
+          creds: ${{ secrets.AZURE_CREDENTIALS }}
+
       - id: google-auth
         name: Authenticate to Google Cloud
         uses: google-github-actions/auth@v2
         with:
           workload_identity_provider: ${{ secrets.GCP_WORKLOAD_IDENTITY_PROVIDER }}
           service_account: ${{ secrets.GCP_SERVICE_ACCOUNT }}
 
-      - id: azure-auth
-        name: Azure login
-        uses: azure/login@v2
-        with:
-          creds: ${{ secrets.AZURE_CREDENTIALS }}
-
       - name: Set TF_STATE_FOLDER
         run: |
           echo "TF_STATE_FOLDER=$(date +'%Y-%m-%d_%H-%M-%S')" >> $GITHUB_ENV

diff --git a/deploy/cloud/modules/gcp/vm/main.tf b/deploy/cloud/modules/gcp/vm/main.tf
@@ -0,0 +1,49 @@
+resource "random_id" "id" {
+  byte_length = 4
+}
+
+locals {
+  vm_private_key_file = "${path.module}/gcp-vm-${random_id.id.hex}.pem"
+  vm_username         = "ubuntu"
+  deploy_name         = "${var.deployment_name}-${random_id.id.hex}"
+}
+
+resource "tls_private_key" "gcp_vm_key" {
+  algorithm = "RSA"
+  rsa_bits  = 4096
+}
+
+resource "local_file" "ssh_private_key" {
+  filename        = local.vm_private_key_file
+  content         = tls_private_key.gcp_vm_key.private_key_pem
+  file_permission = 0400
+}
+
+resource "google_compute_instance" "vm_instance" {
+  name         = local.deploy_name
+  machine_type = var.machine_type
+  zone         = var.zone
+  labels       = var.specific_tags
+
+  boot_disk {
+    initialize_params {
+      image = var.disk_image
+    }
+  }
+
+  network_interface {
+    network = var.network
+
+    access_config {
+      // Ephemeral public IP
+    }
+  }
+
+  metadata = {
+    ssh-keys = "${local.vm_username}:${tls_private_key.gcp_vm_key.public_key_openssh}"
+  }
+
+  service_account {
+    scopes = var.scopes
+  }
+}
diff --git a/deploy/cloud/modules/gcp/vm/outputs.tf b/deploy/cloud/modules/gcp/vm/outputs.tf
@@ -0,0 +1,14 @@
+output "gcp_vm_puglic_ip" {
+  description = "GCP VM instance public IP"
+  value       = google_compute_instance.vm_instance.network_interface[0].access_config[0].nat_ip
+}
+
+output "gcp_vm_ssh_cmd" {
+  description = "Use this command to SSH into the GCP VM instance"
+  value       = "ssh -i ${local.vm_private_key_file} ${local.vm_username}@${google_compute_instance.vm_instance.network_interface[0].access_config[0].nat_ip}"
+}
+
+output "gcp_vm_ssh_key" {
+  description = "The path to the private SSH key file."
+  value       = local.vm_private_key_file
+}
diff --git a/deploy/cloud/modules/gcp/vm/terraform.tf b/deploy/cloud/modules/gcp/vm/terraform.tf
@@ -0,0 +1,11 @@
+terraform {
+  required_providers {
+
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 5.0.0"
+    }
+  }
+
+  required_version = ">= 1.3, <2.0.0"
+}
diff --git a/deploy/cloud/modules/gcp/vm/variables.tf b/deploy/cloud/modules/gcp/vm/variables.tf
@@ -0,0 +1,39 @@
+variable "deployment_name" {
+  description = "The base name used for resources in this deployment."
+  type        = string
+}
+
+variable "specific_tags" {
+  description = "List of tags in the format 'key=value'"
+  type        = map(string)
+  default     = {}
+}
+
+variable "machine_type" {
+  description = "The machine type to use for the VM."
+  type        = string
+  default     = "n2-standard-4"
+}
+
+variable "disk_image" {
+  description = "The image to use for the VM's boot disk."
+  type        = string
+  default     = "ubuntu-os-cloud/ubuntu-2204-lts"
+}
+
+variable "zone" {
+  description = "The GCP zone where the VM will be deployed."
+  type        = string
+  default     = "us-central1-a"
+}
+
+variable "network" {
+  description = "The network to attach the VM to."
+  type        = string
+}
+
+variable "scopes" {
+  description = "The scopes to attach to the service account."
+  type        = list(string)
+  default     = ["https://www.googleapis.com/auth/cloud-platform", "https://www.googleapis.com/auth/cloudplatformorganizations"]
+}
diff --git a/deploy/test-environments/main.tf b/deploy/test-environments/main.tf
@@ -2,6 +2,10 @@ provider "aws" {
   region = var.region
 }
 
+provider "google" {
+  project = var.gcp_project_id
+}
+
 provider "azurerm" {
   features {}
 }
@@ -15,6 +19,7 @@ locals {
     owner      = "${var.owner}"
     deployment = "${var.deployment_name}"
   }
+
   ec_url = "https://cloud.elastic.co"
   ec_headers = {
     Content-type  = "application/json"
@@ -42,6 +47,17 @@ module "aws_ec2_for_cspm" {
   specific_tags   = merge(local.common_tags, { "ec2_type" : "cspm" })
 }
 
+module "gcp_audit_logs" {
+  count     = var.cdr_infra ? 1 : 0
+  providers = { google : google }
+  source    = "../cloud/modules/gcp/vm"
+
+  deployment_name = var.deployment_name
+  network         = "default"
+  specific_tags   = merge(local.common_tags, { "vm_instance" : "audit-logs" })
+
+}
+
 resource "random_string" "suffix" {
   length  = 3
   special = false

diff --git a/deploy/test-environments/output.tf b/deploy/test-environments/output.tf
@@ -52,6 +52,21 @@ output "ec2_cloudtrail_key" {
   sensitive = true
 }
 
+output "gcp_audit_logs_ssh_cmd" {
+  value = var.cdr_infra ? module.gcp_audit_logs[0].gcp_vm_ssh_cmd : null
+  #  sensitive = true
+}
+
+output "gcp_audit_logs_public_ip" {
+  value = var.cdr_infra ? module.gcp_audit_logs[0].gcp_vm_puglic_ip : null
+  # sensitive = true
+}
+
+output "gcp_audit_logs_key" {
+  value = var.cdr_infra ? module.gcp_audit_logs[0].gcp_vm_ssh_key : null
+  # sensitive = true
+}
+
 output "az_vm_activity_logs_ssh_cmd" {
   value     = var.cdr_infra ? module.azure_vm_activity_logs[0].azure_vm_ssh_cmd : null
   sensitive = true
@@ -66,7 +81,6 @@ output "az_vm_activity_logs_key" {
   value     = var.cdr_infra ? module.azure_vm_activity_logs[0].azure_vm_ssh_key : null
   sensitive = true
 }
-
 # =============================================================
 
 # Elastic Cloud output

diff --git a/deploy/test-environments/terraform.tf b/deploy/test-environments/terraform.tf
@@ -5,6 +5,11 @@ terraform {
       version = "~> 4.15.0"
     }
 
+    google = {
+      source  = "hashicorp/google"
+      version = ">= 5.0.0"
+    }
+
     azurerm = {
       source  = "hashicorp/azurerm"
       version = ">= 3.11, < 4.0"

diff --git a/deploy/test-environments/variables.tf b/deploy/test-environments/variables.tf
@@ -23,6 +23,13 @@ variable "ami_map" {
   }
 }
 
+# GCP project ID
+variable "gcp_project_id" {
+  description = "GCP project ID"
+  type        = string
+  default     = "default"
+}
+
 # Elastic Cloud variables
 # ===========================================
 variable "ec_api_key" {

diff --git a/tests/integrations_setup/configuration_fleet.py b/tests/integrations_setup/configuration_fleet.py
@@ -54,6 +54,12 @@
 gcp_dm_config.credentials_file = os.getenv("GOOGLE_APPLICATION_CREDENTIALS", "")
 gcp_dm_config.service_account_json_path = os.getenv("SERVICE_ACCOUNT_JSON_PATH", "")
 
+gcp_audit_config = Munch()
+gcp_audit_config.credentials_file = os.getenv("GOOGLE_APPLICATION_CREDENTIALS", "")
+gcp_audit_config.project_id = os.getenv("GOOGLE_CLOUD_PROJECT", "")
+gcp_audit_config.topic_name = os.getenv("GCP_TOPIC_NAME", "")
+gcp_audit_config.subscription_name = os.getenv("GCP_SUBSCRIPTION_NAME", "")
+
 # Used for Azure deployment on stack 8.11.* (1.6.* package version)
 azure_arm_parameters = Munch()
 azure_arm_parameters.deployment_name = os.getenv("DEPLOYMENT_NAME", "")