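---
# Deployment Manager schema for the launch.py template.
# The info stanza is display metadata only; nothing below it is validated against the config.
info:
  title: Darktrace vSensor Quick Start for GCP
  author: Darktrace Holdings Ltd
  description: Creates an auto-scaling Darktrace vSensor deployment into a GCP region.
  # Quoted so the version is loaded as the string "1.1" rather than a float
  # (a later "1.10" would otherwise collapse to 1.1 as well).
  version: '1.1'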
# Files made available to the launch.py template; paths are relative to this schema.
imports:
  - path: launch.py
  - path: common.py
  - path: iam_member.py
  - path: network.py
  - path: storage.py
  - path: autoscaledgroup.py
  - path: bastion.py
  - path: loadbalancer.py
# Properties the deployment config must name explicitly. Several of these also
# carry a default under `properties` (zone1, zone2, the MIG sizes, appliance-port);
# vsensor-update-key and appliance-push-token have placeholder defaults there, so
# listing them here is what forces a real value into the config.
required:
  - zone1
  - zone2
  - bastion-enable
  - mig-subnet-cidr
  - mig-instance-type
  - mig-min-size
  - mig-max-size
  - vsensor-update-key
  - appliance-hostname
  - appliance-port
  - appliance-push-token
  - pcap-retention-time-days
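# Input properties for launch.py. Patterns are quoted so YAML never reinterprets
# their metacharacters; booleans use the canonical lowercase form.
properties:
  existing-vpc-name:
    type: string
    description: (Optional) Use an existing VPC to deploy the vSensor Quick Start subnets in. Leaving blank will deploy a new VPC which can be peered/expanded.
  zone1:
    type: string
    default: europe-west2-a
    description: Availability Zone 1 to use for the bastion/vSensors. Two Availability Zones are used for this deployment. Both zones must be in the same region.
  zone2:
    type: string
    default: europe-west2-b
    description: Availability Zone 2 to use for the bastion/vSensors. Two Availability Zones are used for this deployment. Both zones must be in the same region.
  bastion-enable:
    type: boolean
    default: true
    description: Deploy a public Bastion host to access your vSensor deployment. If 'False' is selected, configure your ssh access manually after deployment.
  bastion-subnet-cidr:
    type: string
    # Validates dotted-quad/prefix syntax only (each octet 0-255, prefix 0-32);
    # it does not check that the host bits are zero or that ranges don't overlap.
    pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    default: '10.127.1.0/24'
    description: CIDR IP range of the public subnet the bastion will be deployed in (must not overlap with vSensors or other subnets in VPC).
  bastion-external-cidr:
    type: string
    pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    # The default admits every IPv4 source to a bastion that sits in a public
    # subnet; the schema cannot reject it, so the config should always override
    # this with a trusted range.
    default: '0.0.0.0/0'
    description: CIDR IP range that is permitted to access the bastion hosts. We recommend that you set this value to a trusted IP range.
  bastion-ssh-user-key:
    type: string
    # Username charset per useradd(8):
    # https://manpages.ubuntu.com/manpages/xenial/en/man8/useradd.8.html
    # The key portion allows whitespace (\s), so the usual "type base64 comment" form fits.
    pattern: '^[a-z0-9_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$):[A-Za-z0-9@_+/=\s-]+$'
    description: (Optional) SSH username and public key to be added to the bastion for ssh public key authentication. The format is 'USERNAME:SSH_PUBLIC_KEY' (https://cloud.google.com/compute/docs/connect/add-ssh-keys#add_ssh_keys_to_instance_metadata)
  mig-subnet-cidr:
    type: string
    pattern: '^(([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])\.){3}([0-9]|[1-9][0-9]|1[0-9]{2}|2[0-4][0-9]|25[0-5])(\/([0-9]|[1-2][0-9]|3[0-2]))$'
    default: '10.127.0.0/24'
    description: CIDR IP range of the private subnet the vSensors will be deployed in (must not overlap with bastion or other subnets in VPC).
  ipv6-enable:
    type: boolean
    # Lowercase `false`: the capitalised form is a YAML 1.1 boolean but is not
    # portable across loaders.
    default: false
    description: Enable Dual-Stack IPv6 support to vSensor for allowing packet mirroring from IPv6 enabled hosts/subnets.
  mig-instance-type:
    type: string
    enum:
      - e2-standard-2
      - e2-standard-4
      - e2-standard-8
      - n2-standard-8
      - n2-standard-16
      - n2-standard-32
    default: e2-standard-4
    description: The instance type of deployed vSensors.
  # The schema cannot express mig-min-size <= mig-max-size; presumably launch.py
  # checks it — TODO confirm.
  mig-min-size:
    type: integer
    minimum: 1
    maximum: 100
    default: 1
    description: Minimum number of vSensor instances in the Managed Instance Group.
  mig-max-size:
    type: integer
    minimum: 1
    maximum: 100
    default: 1
    description: Maximum number of vSensor instances in the Managed Instance Group.
  mig-ssh-user-key:
    type: string
    # Same format as bastion-ssh-user-key; username charset per useradd(8):
    # https://manpages.ubuntu.com/manpages/xenial/en/man8/useradd.8.html
    pattern: '^[a-z0-9_]([a-z0-9_-]{0,31}|[a-z0-9_-]{0,30}\$):[A-Za-z0-9@_+/=\s-]+$'
    description: (Optional) SSH username and public key to be added to the vSensor for ssh public key authentication. The format is 'USERNAME:SSH_PUBLIC_KEY' (https://cloud.google.com/compute/docs/connect/add-ssh-keys#add_ssh_keys_to_instance_metadata)
  vsensor-update-key:
    type: string
    pattern: '^[a-zA-Z0-9%\.]+:[a-zA-Z0-9]+$'
    # The placeholder matches the pattern above, so a forgotten override passes
    # schema validation; the property is also listed under `required` and the
    # real key must come from the config, never from this file.
    default: 'XXXXXXXXXX:XXXXXXXXX'
    description: Darktrace update key. If you don't have one, contact your Darktrace representative.
  appliance-hostname:
    type: string
    description: Host name of the Darktrace appliance.
  appliance-port:
    type: integer
    minimum: 1
    maximum: 65535
    default: 443
    description: Connection port between vSensor and the Darktrace appliance.
  appliance-push-token:
    type: string
    pattern: '^[a-zA-Z0-9-]{4,64}:[a-zA-Z0-9]{5,63}$'
    # As with vsensor-update-key: the placeholder satisfies the pattern, so
    # validation alone will not catch a deployment that still carries it.
    default: 'XXXXXXXXXX:XXXXXXXXX'
    description: Push token to authenticate with the appliance. For more information, see the Darktrace Customer Portal.
  ossensor-hmac:
    type: string
    # Only the length is bounded; a 6-character floor is permissive for a shared
    # secret, and nothing here measures entropy.
    minLength: 6
    maxLength: 62
    description: Hash-based message authentication code (HMAC) token to authenticate osSensors with vSensor.
  pcap-retention-time-days:
    type: integer
    minimum: 0
    default: 7
    description: Captured packets storage retention (days), longer retention will increase storage costs. Set to 0 to disable PCAPs and Storage bucket.
  subnets-to-mirror:
    type: string
    description: Comma-separated list of existing subnet names in the 'existing-vpc-name' VPC to setup packet mirroring subnet policies for. Must be in same region as vSensor.
    # Explicit empty string: a bare `default:` would load as null.
    default: ""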
# Values launch.py returns to the deployment; every output is a string and the
# descriptions are the user-facing text shown for each one.
outputs:
  vpc-name:
    type: string
    description: The VPC Darktrace vSensors have been deployed into.
  nat-external-ip:
    type: string
    description: The NAT IP used by vSensors to communicate with the Appliance. Allow this IP ingress in the network containing the appliance.
  pcap-bucket-name:
    type: string
    description: The GCP Storage Bucket which PCAPs will be stored within.
  bastion-subnet-name:
    type: string
    description: A bastion has been deployed into this subnet
  vsensor-subnet-name:
    type: string
    description: The subnet containing the vSensor managed instance group. Configure firewall / routing to allow osSensors access to this subnet.
  ossensor-vsensor-ip:
    type: string
    description: Configure osSensors to access this IP address as the vSensor. It will automatically reregister with a vSensor directly.
  ossensor-vsensor-cidr:
    type: string
    description: Configure firewall / routing to allow osSensors access to this CIDR.