Working version

cyralinc · Oct 19, 2023 · 1de526f · 1de526f
1 parent 34cc496
commit 1de526f
Show file tree

Hide file tree

Showing 2 changed files with 119 additions and 174 deletions.
diff --git a/examples/guides/s3_browser_and_aws_cli.tf b/examples/guides/s3_browser_and_aws_cli.tf
@@ -2,7 +2,7 @@ terraform {
   required_providers {
     cyral = {
       source  = "cyralinc/cyral"
-      version = "~> 4.0"
+      version = "~> 4.7"
     }
   }
 }
@@ -11,43 +11,29 @@ locals {
   # Replace [TENANT] by your tenant name. Ex: mycompany.app.cyral.com
   control_plane_host = "[TENANT].app.cyral.com"
 
+  # Use the name of the IdP that will be used to access the S3 Browser
+  idp = {
+    name = "<IDP_NAME_AS_SHOWN_IN_THE_UI>"
+  }
+
   repos = {
-    # This is the port the SIDECAR will expose to
-    # clients connecting to all databases.
-    sidecar_port = 3306
-    type         = "mysql"
-    mysql1 = {
-      # Name that will be shown in the Cyral UI
-      name = "mysql-1"
-      host = "your-mysql-1-db-host"
-      # This is the port the DATABASE accepts connections.
-      db_port = 3309
-      database_credentials = {
-        # Credentials to be used by the sidecar to connect to the database
-        username = ""
-        password = ""
-      }
-    }
-    mysql2 = {
-      # Name that will be shown in the Cyral UI
-      name    = "mysql-2"
-      host    = "your-mysql-2-db-host"
-      db_port = 3310
-      database_credentials = {
-        # Credentials to be used by the sidecar to connect to the database
-        username = ""
-        password = ""
-      }
+    s3 = {
+      # These are the ports the sidecar will accept connections
+      # for S3 browser and S3 CLI
+      browser_port = 443
+      cli_port = 453
     }
   }
 
   sidecar = {
     # Set to true if you want a sidecar deployed with an
     # internet-facing load balancer (requires a public subnet).
-    public_sidecar = false
+    public_sidecar = true
 
-    # Set the desired sidecar version.
-    sidecar_version = "v4.7.0"
+    # Set the desired sidecar version or leave it empty if
+    # you prefer to control the version from the control plane
+    # (later only possible in CPs >=v4.10).
+    sidecar_version = "v4.10.1"
 
     # Set the AWS region that the sidecar will be deployed to
     region = ""
@@ -67,16 +53,15 @@ locals {
     # sidecar
     monitoring_inbound_cidr = ["0.0.0.0/0"]
 
-    # Set the parameters to access the private Cyral container
-    # registry. These parameters can be found in the sidecar
-    # Terraform template downloaded from the UI. Use the
-    # commented values to locate the variables and copy the
-    # values from the downloaded template.
-    container_registry = {
-      name         = "" # container_registry
-      username     = "" # container_registry_username
-      registry_key = "" # container_registry_key
-    }
+    # Set the ARN for the certificate that will be used by the load balancer
+    # for S3 Browser connections
+    load_balancer_certificate_arn = ""
+    # Set the hosted zone ID that will be used to create the DNS name in
+    # parameter `dns_name`
+    dns_hosted_zone_id = ""
+    # Set the DNS name that will be used by your sidecar. Ex:
+    # sidecar.mycompany.com
+    dns_name = ""
   }
 }
 
@@ -109,195 +94,156 @@ resource "cyral_integration_logging" "cloudwatch" {
 resource "cyral_sidecar" "sidecar" {
   name               = "my-sidecar"
   deployment_method  = "terraform"
-  log_integration_id = cyral_integration_logging.cloudwatch.id
+  activity_log_integration_id = cyral_integration_logging.cloudwatch.id
 }
 
 resource "cyral_sidecar_credentials" "sidecar_credentials" {
   sidecar_id = cyral_sidecar.sidecar.id
 }
 
-resource "cyral_repository" "mysql_1" {
-  name = local.repos.mysql1.name
-  type = local.repos.type
+resource "cyral_repository" "s3" {
+  name = "s3repo"
+  type = "s3"
 
   repo_node {
-    host = local.repos.mysql1.host
-    port = local.repos.mysql1.db_port
+    host = "s3.amazonaws.com"
+    port = 443
   }
 }
 
-resource "cyral_repository" "mysql_2" {
-  name = local.repos.mysql2.name
-  type = local.repos.type
-
-  repo_node {
-    host = local.repos.mysql2.host
-    port = local.repos.mysql2.db_port
+resource "cyral_sidecar_listener" "s3_cli" {
+  sidecar_id = cyral_sidecar.sidecar.id
+  repo_types = ["s3"]
+  network_address {
+    port = local.repos.s3.cli_port
+  }
+  s3_settings {
+    proxy_mode = true
   }
 }
 
-resource "cyral_sidecar_listener" "listener" {
+resource "cyral_sidecar_listener" "s3_browser" {
   sidecar_id = cyral_sidecar.sidecar.id
-  repo_types = [local.repos.type]
-  // Clients will connect to both MySQL repos through
-  // the same port
+  repo_types = ["s3"]
   network_address {
-    port = local.repos.sidecar_port
+    port = local.repos.s3.browser_port
   }
-  # MySQL version that will be shown to clients
-  # connecting to both MySQL instances
-  mysql_settings {
-    db_version = "8.0.4"
+  s3_settings {
+    proxy_mode = false
   }
 }
 
-resource "cyral_repository_binding" "mysql_1" {
-  repository_id = cyral_repository.mysql_1.id
+resource "cyral_repository_binding" "s3" {
   sidecar_id    = cyral_sidecar.sidecar.id
-  # Smart ports will be automatically be activated as both
-  # repos are bound to the same listener
+  repository_id = cyral_repository.s3.id
   listener_binding {
-    listener_id = cyral_sidecar_listener.listener.listener_id
+    listener_id = cyral_sidecar_listener.s3_cli.listener_id
   }
-}
-
-resource "cyral_repository_binding" "mysql_2" {
-  repository_id = cyral_repository.mysql_2.id
-  sidecar_id    = cyral_sidecar.sidecar.id
-  # Smart ports will be automatically be activated as both
-  # repos are bound to the same listener
   listener_binding {
-    listener_id = cyral_sidecar_listener.listener.listener_id
+    listener_id = cyral_sidecar_listener.s3_browser.listener_id
   }
 }
 
-#####################################################################
-# Deploys the credentials that the sidecar will use to access the
-# databases and associate them to the repositories as user accounts
-resource "aws_secretsmanager_secret" "mysql_1" {
-  # The sidecar deployed using our AWS sidecar module has access to
-  # all secrets with the prefix '/cyral/' in the region it is
-  # deployed.
-  name = join("", [
-    "/cyral/dbsecrets/",
-    cyral_repository.mysql_1.id
-  ])
+data "cyral_integration_idp_saml" "saml" {
+    display_name = local.idp.name
 }
 
-resource "aws_secretsmanager_secret_version" "mysql_1" {
-  secret_id     = aws_secretsmanager_secret.mysql_1.id
-  secret_string = jsonencode(local.repos.mysql1.database_credentials)
+# Let users from the provided `identity_provider` use SSO
+# to access the database
+resource "cyral_repository_conf_auth" "s3" {
+  repository_id     = cyral_repository.s3.id
+  identity_provider = data.cyral_integration_idp_saml.saml.idp_list[0].id
 }
 
-resource "cyral_repository_user_account" "mysql_1" {
-  repository_id = cyral_repository.mysql_1.id
-  name          = local.repos.mysql1.database_credentials.username
-  auth_scheme {
-    aws_secrets_manager {
-      secret_arn = aws_secretsmanager_secret.mysql_1.arn
-    }
-  }
+# Enables the access portal for this repository in the
+# especified sidecar
+resource "cyral_repository_access_gateway" "s3" {
+  repository_id = cyral_repository.s3.id
+  sidecar_id    = cyral_sidecar.sidecar.id
+  binding_id    = cyral_repository_binding.s3.binding_id
 }
 
-resource "aws_secretsmanager_secret" "mysql_2" {
-  # The sidecar deployed using our AWS sidecar module has access to
-  # all secrets with the prefix '/cyral/' in the region it is
-  # deployed.
-  name = join("", [
-    "/cyral/dbsecrets/",
-    cyral_repository.mysql_2.id
-  ])
+###########################################################################
+# Creates an IAM policy that the sidecar will assume in order to access
+# your S3 bucket. In this example, the policy attached to the role will
+# let the sidecar access all buckets.
+
+data "aws_iam_policy_document" "s3_access_policy" {
+  statement {
+    actions   = ["s3:*"]
+    resources = [
+      "arn:aws:s3:::*"
+    ]
+  }
 }
 
-resource "aws_secretsmanager_secret_version" "mysql_2" {
-  secret_id     = aws_secretsmanager_secret.mysql_2.id
-  secret_string = jsonencode(local.repos.mysql2.database_credentials)
+resource "aws_iam_policy" "s3_access_policy" {
+  name        = "sidecar_s3_access_policy"
+  path        = "/"
+  description = "Allow sidecar to access S3"
+  policy      = data.aws_iam_policy_document.s3_access_policy.json
 }
 
-resource "cyral_repository_user_account" "mysql_2" {
-  repository_id = cyral_repository.mysql_2.id
-  name          = local.repos.mysql2.database_credentials.username
-  auth_scheme {
-    aws_secrets_manager {
-      secret_arn = aws_secretsmanager_secret.mysql_2.arn
+data "aws_iam_policy_document" "sidecar_trust_policy" {
+  statement {
+    actions = ["sts:AssumeRole"]
+    effect  = "Allow"
+    principals {
+      type        = "AWS"
+      identifiers = [module.cyral_sidecar.aws_iam_role_arn]
     }
   }
 }
-#####################################################################
 
-data "cyral_integration_idp_saml" "saml" {
-    display_name = "<IDP_NAME_AS_SHOWN_IN_THE_UI>"
+resource "aws_iam_role" "s3_role" {
+  name               = "sidecar_s3_access_role"
+  path               = "/"
+  assume_role_policy = data.aws_iam_policy_document.sidecar_trust_policy.json
 }
 
-# Allow users from SSO group `Everyone` access the database
-resource "cyral_repository_access_rules" "mysql_1" {
-  repository_id   = cyral_repository.mysql_1.id
-  user_account_id = cyral_repository_user_account.mysql_1.user_account_id
-  rule {
-    identity {
-      type = "group"
-      name = "Everyone"
-    }
-  }
+resource "aws_iam_role_policy_attachment" "s3_role_policy_attachment" {
+  role       = aws_iam_role.s3_role.name
+  policy_arn = aws_iam_policy.s3_access_policy.arn
 }
+###########################################################################
 
-# Let users from the provided `identity_provider` use SSO
-# to access the database
-resource "cyral_repository_conf_auth" "mysql_1" {
-  repository_id     = cyral_repository.mysql_1.id
-  identity_provider = data.cyral_integration_idp_saml.saml.idp_list[0].id
-  allow_native_auth = true
-}
-
-# Enables the access portal for this repository in the
-# especified sidecar
-resource "cyral_repository_access_gateway" "mysql_1" {
-  repository_id = cyral_repository.mysql_1.id
-  sidecar_id    = cyral_sidecar.sidecar.id
-  binding_id    = cyral_repository_binding.mysql_1.binding_id
+resource "cyral_repository_user_account" "s3_repo_user_account" {
+  name = aws_iam_role.s3_role.arn
+  repository_id = cyral_repository.s3.id
+  auth_scheme {
+    aws_iam {
+      role_arn = aws_iam_role.s3_role.arn
+    }
+  }
 }
 
-# Allow users from SSO group `Everyone` access the database
-resource "cyral_repository_access_rules" "mysql_2" {
-  repository_id   = cyral_repository.mysql_2.id
-  user_account_id = cyral_repository_user_account.mysql_2.user_account_id
+# Set the proper identity for the username, email or group that will
+# be allowed to access the S3 browser
+resource "cyral_repository_access_rules" "access_rule" {
+  repository_id = cyral_repository.s3.id
+  user_account_id = cyral_repository_user_account.s3_repo_user_account.user_account_id
   rule {
     identity {
-      type = "group"
-      name = "Everyone"
+      type = "email"
+      name = "[email protected]"
     }
   }
 }
 
-# Let users from the provided `identity_provider` use SSO
-# to access the database
-resource "cyral_repository_conf_auth" "mysql_2" {
-  repository_id     = cyral_repository.mysql_2.id
-  identity_provider = data.cyral_integration_idp_saml.saml.idp_list[0].id
-  allow_native_auth = true
-}
-
-# Enables the access portal for this repository in the
-# especified sidecar
-resource "cyral_repository_access_gateway" "mysql_2" {
-  repository_id = cyral_repository.mysql_2.id
-  sidecar_id    = cyral_sidecar.sidecar.id
-  binding_id    = cyral_repository_binding.mysql_2.binding_id
-}
-
 module "cyral_sidecar" {
   source = "cyralinc/sidecar-ec2/aws"
 
   # Use the module version that is compatible with your sidecar.
-  version = "~> 4.0"
+  version = "~> 4.3"
 
   sidecar_version = local.sidecar.sidecar_version
 
   sidecar_id = cyral_sidecar.sidecar.id
-
   control_plane = local.control_plane_host
+  client_id     = cyral_sidecar_credentials.sidecar_credentials.client_id
+  client_secret = cyral_sidecar_credentials.sidecar_credentials.client_secret
 
-  sidecar_ports = [local.repos.sidecar_port]
+  sidecar_ports = [local.repos.s3.browser_port, local.repos.s3.cli_port]
 
   vpc_id  = local.sidecar.vpc_id
   subnets = local.sidecar.subnets
@@ -309,15 +255,14 @@ module "cyral_sidecar" {
   load_balancer_scheme        = local.sidecar.public_sidecar ? "internet-facing" : "internal"
   associate_public_ip_address = local.sidecar.public_sidecar
 
-  deploy_secrets   = true
-  secrets_location = "/cyral/sidecars/${cyral_sidecar.sidecar.id}/secrets"
 
-  container_registry          = local.sidecar.container_registry.name
-  container_registry_username = local.sidecar.container_registry.username
-  container_registry_key      = local.sidecar.container_registry.registry_key
+  load_balancer_certificate_arn = local.sidecar.load_balancer_certificate_arn
+  load_balancer_tls_ports       = [
+    local.repos.s3.browser_port
+  ]
 
-  client_id     = cyral_sidecar_credentials.sidecar_credentials.client_id
-  client_secret = cyral_sidecar_credentials.sidecar_credentials.client_secret
+  sidecar_dns_hosted_zone_id = local.sidecar.dns_hosted_zone_id
+  sidecar_dns_name           = local.sidecar.dns_name
 }
 
 output "sidecar_load_balancer_dns" {