support fleet configuration (#10)

Ability to pair the sensor to Fleet.

Co-authored-by: John Dewey <john.dewey@corelight.com>

Author: retr0h

README.md

@@ -16,6 +16,10 @@ module "sensor_config" {
   subnetwork_monitoring_cidr                   = "<the instance's monitoring subnetwork CIDR>"
   subnetwork_monitoring_gateway                = "<the instance's monitoring subnetwork gateway IP>"
 
+  # Optional - Fleet Manager
+  fleet_token = "b1cd099ff22ed8a41abc63929d1db126"
+  fleet_url   = "https://fleet.example.com:1443/fleet/v1/internal/softsensor/websocket"
+
   # Optional - Enrichment Service
   enrichment_enabled             = "<if cloud enrichment should enabled at time of sensor deployment>"
   enrichment_cloud_provider_name = "<the cloud provider name>"

cloud-config/init.tpl

@@ -32,6 +32,21 @@ write_files:
               port: ${health_port}
               net: ${probe}
 %{ endfor ~}
+%{ if fleet_token != "" && fleet_url != "" ~}
+        pairing:
+          token: ${fleet_token}
+          url: ${fleet_url}
+          server_sslname: ${fleet_server_sslname}
+%{ if fleet_http_proxy != "" ~}
+          http_proxy: ${fleet_http_proxy}
+%{ endif ~}
+%{ if fleet_https_proxy != "" ~}
+          https_proxy: ${fleet_https_proxy}
+%{ endif ~}
+%{ if fleet_no_proxy != "" ~}
+          no_proxy: ${fleet_no_proxy}
+%{ endif ~}
+%{ endif ~}
 
 runcmd:
   - corelightctl sensor deploy -v

data.tf

@@ -14,6 +14,13 @@ data "cloudinit_config" "config" {
       mon_subnet       = var.subnetwork_monitoring_cidr
       mon_gateway      = var.subnetwork_monitoring_gateway
 
+      fleet_token          = var.fleet_token
+      fleet_url            = var.fleet_url
+      fleet_server_sslname = var.fleet_server_sslname
+      fleet_http_proxy     = var.fleet_http_proxy
+      fleet_https_proxy    = var.fleet_https_proxy
+      fleet_no_proxy       = var.fleet_no_proxy
+
       # Optional - Cloud Enrichment Configuration
       enrichment_enabled         = var.enrichment_enabled
       cloud_provider             = var.enrichment_cloud_provider_name

examples/deployment/main.tf

@@ -7,10 +7,13 @@ locals {
   mon_cidr                 = "10.3.0.0/24"
   mon_gateway              = "10.3.0.1"
 
+  # Optional - Fleet Manager
+  fleet_token = "b1cd099ff22ed8a41abc63929d1db126"
+  fleet_url   = "https://fleet.example.com:1443/fleet/v1/internal/softsensor/websocket"
 
-  # Enrichment
-  enrichment_enabled              = "<true | false>"
-  enrichment_cloud_provider       = "<aws | azure | gcp>"
+  # Optional - Enrichment Service
+  enrichment_enabled              = false # "<true | false>"
+  enrichment_cloud_provider       = "aws" # "<aws | azure | gcp>"
   enrichment_storage_account_name = "account-foo"
   enrichment_bucket_name          = "bucket-bar"
   enrichment_s3_bucket_region     = "us-east-1"
@@ -19,7 +22,10 @@ locals {
 module "sensor_config" {
   source = "../../"
 
-  fleet_community_string                       = local.community_string
+  fleet_community_string = local.community_string
+  fleet_token            = local.fleet_token
+  fleet_url              = local.fleet_url
+
   sensor_license                               = local.license
   sensor_management_interface_name             = local.mgmt_interface
   sensor_monitoring_interface_name             = local.mon_interface

variables.tf

@@ -47,13 +47,51 @@ variable "sensor_health_check_probe_source_ranges_cidr" {
 variable "subnetwork_monitoring_cidr" {
   type        = string
   default     = ""
-  description = "(optional) the monitoring subnet for the sensor(s), leaving this empty will result in no sensor.monitoring_interface.health_check section being rendered into user data."
+  description = "(optional) the monitoring subnet for the sensor(s), leaving this empty will result in no sensor.monitoring_interface.health_check section being rendered into user data"
 }
 
 variable "subnetwork_monitoring_gateway" {
   type        = string
   default     = ""
-  description = "(optional) the monitoring subnet's gateway address, leaving this empty will result in no sensor.monitoring_interface.health_check section being rendered into user data."
+  description = "(optional) the monitoring subnet's gateway address, leaving this empty will result in no sensor.monitoring_interface.health_check section being rendered into user data"
+}
+
+variable "fleet_token" {
+  type        = string
+  default     = ""
+  sensitive   = true
+  description = "(optional) the pairing token from the Fleet UI. Must be set if 'fleet_url' is provided"
+}
+
+variable "fleet_url" {
+  type        = string
+  default     = ""
+  description = "(optional) the URL of the fleet instance from the Fleet UI. Must be set if 'fleet_token' is provided"
+}
+
+variable "fleet_server_sslname" {
+  type        = string
+  default     = "1.broala.fleet.product.corelight.io"
+  description = "(optional) the SSL hostname for the fleet server"
+
+}
+
+variable "fleet_http_proxy" {
+  type        = string
+  default     = ""
+  description = "(optional) the proxy URL for HTTP traffic from the fleet"
+}
+
+variable "fleet_https_proxy" {
+  type        = string
+  default     = ""
+  description = "(optional) the proxy URL for HTTPS traffic from the fleet"
+}
+
+variable "fleet_no_proxy" {
+  type        = string
+  default     = ""
+  description = "(optional) hosts or domains to bypass the proxy for fleet traffic"
 }
 
 # Enrichment Service
@@ -70,7 +108,7 @@ variable "enrichment_cloud_provider_name" {
 
   validation {
     condition     = contains(["", "aws", "azure", "gcp"], var.enrichment_cloud_provider_name)
-    error_message = "allowed options: \"aws\", \"azure\", \"gcp\"."
+    error_message = "allowed options: \"aws\", \"azure\", \"gcp\""
   }
 }