2.185.0

Author: root

azure/azure_persistent/main.tf

@@ -5,6 +5,12 @@ variable "resource_group" {
   description = "resource group name"
 }
 
+variable "deploy_nfs" {
+  type        = bool
+  description = "Deploy NFS for storing files after processing. Setting to false will disable the re-running of analysis pipelines and downloading files."
+  default     = true
+}
+
 variable "region" {
   type        = string
   description = "Region to deploy in"
@@ -72,6 +78,7 @@ resource "azurerm_storage_container" "container" {
 }
 
 resource "azurerm_storage_share" "share" {
+  count                = var.deploy_nfs ? 1 : 0
   name                 = "cadoshare"
   storage_account_name = azurerm_storage_account.storage.name
   quota                = var.share_size # TODO increase to 2TB

azure/azure_transient/main.tf

@@ -292,10 +292,10 @@ resource "azurerm_linux_virtual_machine" "vm" {
       "echo -n ${var.use_secrets_manager} | sudo tee -a /home/admin/processor/envars/USE_SECRETS_MANAGER",
       "echo local_workers = ${var.local_workers} | sudo tee -a /home/admin/processor/first_run.cfg",
       "echo minimum_role_deployment = ${!var.deploy_acquisition_permissions} | sudo tee -a /home/admin/processor/first_run.cfg",
+      "echo azure_storage_account = ${data.azurerm_storage_account.storage.name} | sudo tee -a /home/admin/processor/first_run.cfg"
       ],
       var.deploy_nfs ? [
         "echo azure_storage_share = ${data.azurerm_storage_share.share[0].name} | sudo tee -a /home/admin/processor/first_run.cfg",
-        "echo azure_storage_account = ${data.azurerm_storage_account.storage.name} | sudo tee -a /home/admin/processor/first_run.cfg"
       ] : [],
       [
         for k, v in var.tags :

gcp/README.md

@@ -59,7 +59,9 @@ No resources.
 | <a name="input_create_cloud_build_role_service_account"></a> [create\_cloud\_build\_role\_service\_account](#input\_create\_cloud\_build\_role\_service\_account) | Create a custom Cloud Build role | `bool` | `true` | no |
 | <a name="input_credentials_file"></a> [credentials\_file](#input\_credentials\_file) | Path to the credentials file | `string` | `""` | no |
 | <a name="input_custom_networking"></a> [custom\_networking](#input\_custom\_networking) | Custom networking configuration. Set to null to create new resources. | <pre>object({<br>    vpc_name           = string<br>    public_subnet_name = string<br>  })</pre> | `null` | no |
+| <a name="input_deploy_acquisition_permissions"></a> [deploy\_acquisition\_permissions](#input\_deploy\_acquisition\_permissions) | Deploy instance with permissions needed for same project acquisitions | `bool` | `true` | no |
 | <a name="input_deploy_nfs"></a> [deploy\_nfs](#input\_deploy\_nfs) | Deploy NFS for storing files after processing. Setting to false will disable the re-running of analysis pipelines and downloading files. | `bool` | `true` | no |
+| <a name="input_enable_platform_updates"></a> [enable\_platform\_updates](#input\_enable\_platform\_updates) | Enable platform updates, False requires updates via Terraform | `bool` | `true` | no |
 | <a name="input_finalize_cmd"></a> [finalize\_cmd](#input\_finalize\_cmd) | Command to run on the VM after deployment | `string` | `"sudo /home/admin/processor/release/finalize.sh --main"` | no |
 | <a name="input_image"></a> [image](#input\_image) | Cado Response VM image path | `string` | `"projects/cado-public/global/images/cadoresponse"` | no |
 | <a name="input_inbound_ports"></a> [inbound\_ports](#input\_inbound\_ports) | The list of ports to open | `list(string)` | <pre>[<br>  "22",<br>  "443"<br>]</pre> | no |

gcp/gcpVars.tfvars

@@ -24,9 +24,12 @@ instance_worker_type = "n2-highmem-8"   # Choose your desired worker VM size. De
 # Network settings
 allowed_ips = ["1.2.3.4/32", "2.3.4.5/32"] # List IPs you wish to whitelist.
 
-nfs_protocol        = "NFS_V3" # Choose the NFS protocol version. Default is "NFS_V3". "NFS_V4_1" is in GCP beta.
-deploy_nfs          = true     # Deploy NFS for storing files after processing. Setting to false will disable the re-running of analysis pipelines and downloading files.
-use_secrets_manager = true     # Use GCP Secret Manager for storing secrets, set to false to store on disk.
+nfs_protocol                   = "NFS_V3" # Choose the NFS protocol version. Default is "NFS_V3". "NFS_V4_1" is in GCP beta.
+deploy_nfs                     = true     # Deploy NFS for storing files after processing. Setting to false will disable the re-running of analysis pipelines and downloading files.
+use_secrets_manager            = true     # Use GCP Secret Manager for storing secrets, set to false to store on disk.
+local_workers                  = false    # Deploy without scalable workers. Only limited acquisition types will be available.
+deploy_acquisition_permissions = true     # Deploy instance with permissions needed for same project acquisitions.
+enable_platform_updates        = true     # Enable platform updates. False requires updates via Terraform.
 
 # If you'd like to use custom networking, uncomment the following block and provide the necessary information.
 # If you're unsure, leave this section commented out and the deployment will use default networking settings.

gcp/main.tf

@@ -37,31 +37,37 @@ module "networking" {
 }
 
 module "iam" {
-  source      = "./modules/iam"
-  project_id  = var.project_id
-  unique_name = var.unique_name
-  role        = var.role
+  source                         = "./modules/iam"
+  project_id                     = var.project_id
+  unique_name                    = var.unique_name
+  role                           = var.role
+  use_secrets_manager            = var.use_secrets_manager
+  local_workers                  = var.local_workers
+  deploy_acquisition_permissions = var.deploy_acquisition_permissions
+  enable_platform_updates        = var.enable_platform_updates
 }
 
 module "deploy" {
-  source               = "./modules/deploy"
-  project_id           = var.project_id
-  region               = var.region
-  unique_name          = var.unique_name
-  vm_size              = var.vm_size
-  vol_size             = var.vol_size
-  tags                 = var.tags
-  service_account      = module.iam.service_account
-  boot_disk_image      = var.image
-  network_config       = module.networking.vpc_network
-  subnetwork_config    = module.networking.custom_subnetwork
-  network_name         = module.networking.vpc_network_name
-  finalize_cmd         = var.finalize_cmd
-  proxy                = var.proxy
-  proxy_cert_url       = var.proxy_cert_url
-  instance_worker_type = var.instance_worker_type
-  use_beta             = local.use_beta
-  deploy_nfs           = var.deploy_nfs
-  use_secrets_manager  = var.use_secrets_manager
-  local_workers        = var.local_workers
+  source                         = "./modules/deploy"
+  project_id                     = var.project_id
+  region                         = var.region
+  unique_name                    = var.unique_name
+  vm_size                        = var.vm_size
+  vol_size                       = var.vol_size
+  tags                           = var.tags
+  service_account                = module.iam.service_account
+  boot_disk_image                = var.image
+  network_config                 = module.networking.vpc_network
+  subnetwork_config              = module.networking.custom_subnetwork
+  network_name                   = module.networking.vpc_network_name
+  finalize_cmd                   = var.finalize_cmd
+  proxy                          = var.proxy
+  proxy_cert_url                 = var.proxy_cert_url
+  instance_worker_type           = var.instance_worker_type
+  use_beta                       = local.use_beta
+  deploy_nfs                     = var.deploy_nfs
+  use_secrets_manager            = var.use_secrets_manager
+  local_workers                  = var.local_workers
+  deploy_acquisition_permissions = var.deploy_acquisition_permissions
+  enable_platform_updates        = var.enable_platform_updates
 }

gcp/modules/deploy/README.md

@@ -32,7 +32,9 @@ No modules.
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
 | <a name="input_boot_disk_image"></a> [boot\_disk\_image](#input\_boot\_disk\_image) | The image to use for the VM's boot disk | `string` | n/a | yes |
+| <a name="input_deploy_acquisition_permissions"></a> [deploy\_acquisition\_permissions](#input\_deploy\_acquisition\_permissions) | Whether to deploy the acquisition permissions | `bool` | n/a | yes |
 | <a name="input_deploy_nfs"></a> [deploy\_nfs](#input\_deploy\_nfs) | Deploy NFS for storing files after processing. Setting to false will disable the re-running of analysis pipelines and downloading files. | `bool` | n/a | yes |
+| <a name="input_enable_platform_updates"></a> [enable\_platform\_updates](#input\_enable\_platform\_updates) | Enable platform updates, False requires updates via Terraform | `bool` | n/a | yes |
 | <a name="input_finalize_cmd"></a> [finalize\_cmd](#input\_finalize\_cmd) | Command to run on the VM after deployment | `string` | n/a | yes |
 | <a name="input_instance_worker_type"></a> [instance\_worker\_type](#input\_instance\_worker\_type) | Set Worker instance type | `string` | n/a | yes |
 | <a name="input_local_workers"></a> [local\_workers](#input\_local\_workers) | Deploy without scalable workers. Only limited acquisition types will be available | `bool` | n/a | yes |

gcp/modules/deploy/main.tf

@@ -42,19 +42,18 @@ resource "google_compute_instance" "vm_instance" {
     "echo bucket = $storage_bucket >> /home/admin/processor/first_run.cfg",
     "echo service_account_email = ${var.service_account} >> /home/admin/processor/first_run.cfg",
     "echo deployment_mode = terraform >> /home/admin/processor/first_run.cfg",
-    "echo feature_flag_platform_upgrade = true >> /home/admin/processor/first_run.cfg",
+    "echo feature_flag_platform_upgrade = ${var.enable_platform_updates} >> /home/admin/processor/first_run.cfg",
     "echo PROXY_url = ${var.proxy} >> /home/admin/processor/first_run.cfg",
     "echo PROXY_cert_url = ${var.proxy_cert_url} >> /home/admin/processor/first_run.cfg",
     "echo worker_instance = ${var.instance_worker_type} >> /home/admin/processor/first_run.cfg",
     "echo local_workers = ${var.local_workers} >> /home/admin/processor/first_run.cfg",
+    "echo minimum_role_deployment = ${!var.deploy_acquisition_permissions} >> /home/admin/processor/first_run.cfg",
+    "echo -n ${var.use_secrets_manager} > /home/admin/processor/envars/USE_SECRETS_MANAGER"
     ],
     [
       for k, v in var.tags :
       "echo CUSTOM_TAG_${k} = ${v} | sudo tee -a /home/admin/processor/first_run.cfg"
     ],
-    [
-      "echo -n ${var.use_secrets_manager} > /home/admin/processor/envars/USE_SECRETS_MANAGER"
-    ],
     [
       join(" ", concat([
         "${var.finalize_cmd}",
@@ -109,7 +108,7 @@ resource "google_filestore_instance" "beta_filestore_instance" {
 }
 
 resource "google_filestore_instance" "filestore_instance" {
-  count    = (var.use_beta && var.deploy_nfs) ? 0 : 1
+  count    = (!var.use_beta && var.deploy_nfs) ? 1 : 0
   name     = "cadoresponse-fileshare-${var.unique_name}"
   location = data.google_compute_zones.available.names[0]
   tier     = "BASIC_HDD"

gcp/modules/deploy/variables.tf

@@ -88,3 +88,13 @@ variable "local_workers" {
   type        = bool
   description = "Deploy without scalable workers. Only limited acquisition types will be available"
 }
+
+variable "deploy_acquisition_permissions" {
+  description = "Whether to deploy the acquisition permissions"
+  type        = bool
+}
+
+variable "enable_platform_updates" {
+  description = "Enable platform updates, False requires updates via Terraform"
+  type        = bool
+}

gcp/modules/iam/README.md

@@ -25,9 +25,13 @@ No modules.
 
 | Name | Description | Type | Default | Required |
 |------|-------------|------|---------|:--------:|
+| <a name="input_deploy_acquisition_permissions"></a> [deploy\_acquisition\_permissions](#input\_deploy\_acquisition\_permissions) | Whether to deploy the acquisition permissions | `bool` | n/a | yes |
+| <a name="input_enable_platform_updates"></a> [enable\_platform\_updates](#input\_enable\_platform\_updates) | Enable platform updates, False requires updates via Terraform | `bool` | n/a | yes |
+| <a name="input_local_workers"></a> [local\_workers](#input\_local\_workers) | Deploy without scalable workers. Only limited acquisition types will be available | `bool` | n/a | yes |
 | <a name="input_project_id"></a> [project\_id](#input\_project\_id) | The Google Cloud project ID where the resources will be created | `string` | n/a | yes |
 | <a name="input_role"></a> [role](#input\_role) | The role to assign to the service account | `string` | `""` | no |
 | <a name="input_unique_name"></a> [unique\_name](#input\_unique\_name) | n/a | `string` | n/a | yes |
+| <a name="input_use_secrets_manager"></a> [use\_secrets\_manager](#input\_use\_secrets\_manager) | Use GCP Secret Manager for storing secrets | `bool` | n/a | yes |
 
 ## Outputs
 

gcp/modules/iam/main.tf

@@ -4,18 +4,69 @@ locals {
   account_id_suffix = length(local.split_unique_name) > 1 ? "-${local.split_unique_name[length(local.split_unique_name) - 1]}" : ""
 }
 
-resource "google_service_account" "user_service_account" {
-  account_id   = "sa-${local.split_unique_name[0]}${local.account_id_suffix}"
-  display_name = "CadoResponse Service Account ${var.unique_name}"
-  project      = var.project_id
-}
+locals {
+  base_permissions = [
+    // Minimal Permissions To Run
+    "iam.serviceAccounts.actAs",
+    "iam.serviceAccounts.get",
+    "iam.serviceAccounts.getAccessToken",
+    "iam.serviceAccounts.getIamPolicy",
+
+    // Cado Host
+    "iam.serviceAccounts.signBlob",
+
+    // Bucket Acquisition
+    "storage.buckets.get",
+    "storage.buckets.list",
+    "storage.objects.create",
+    "storage.objects.delete",
+    "storage.objects.get",
+    "storage.objects.list",
+  ]
+
+  workers_permissions = [
+    // Worker Permissions
+    "compute.disks.create",
+    "compute.instances.create",
+    "compute.instances.setMetadata",
+    "compute.instances.setServiceAccount",
+    "compute.addresses.use",
+    "compute.instances.addAccessConfig",
+    "compute.instances.delete",
+    "compute.instances.setLabels",
+    "compute.subnetworks.use",
+    "compute.networks.get",
+    "compute.networks.list",
+
+    // Adjusting Settings
+    "compute.machineTypes.get",
+    "compute.machineTypes.list",
+    "compute.regions.get",
+  ]
+
+  upgrade_permissions = [
+    // Upgrade Permissions
+    "compute.disks.create",
+    "compute.instances.attachDisk",
+    "compute.images.useReadOnly",
+    "compute.instances.create",
+    "compute.addresses.use",
+    "compute.instances.detachDisk",
+    "compute.instances.deleteAccessConfig",
+    "compute.zoneOperations.get",
+    "compute.subnetworks.useExternalIp",
+  ]
+
+  secretmanager_permissions = [
+    // Secret Management
+    "secretmanager.secrets.create",
+    "secretmanager.versions.access",
+    "secretmanager.versions.add"
+  ]
+
+  acquisition_permissions = [
+    "resourcemanager.projects.get",
 
-resource "google_project_iam_custom_role" "custom_role" {
-  count       = var.role == "" ? 1 : 0
-  role_id     = replace("myCadoResponseRole_${var.unique_name}", "-", "_")
-  title       = "myCadoResponseRole-${var.unique_name}"
-  description = "CadoResponse Role"
-  permissions = [
     // Instance Acquisition
     "cloudbuild.builds.get",
     "cloudbuild.builds.create",
@@ -30,69 +81,39 @@ resource "google_project_iam_custom_role" "custom_role" {
     "compute.images.delete",
     "compute.images.get",
     "compute.instances.getSerialPortOutput",
-
-    // Compute Management
-    "compute.disks.create",
-    "compute.disks.setLabels",
-    "compute.images.useReadOnly",
-    "compute.instances.attachDisk",
-    "compute.instances.create",
-    "compute.instances.delete",
-    "compute.instances.setLabels",
-    "compute.instances.setMetadata",
-    "compute.instances.setServiceAccount",
-    "compute.machineTypes.list",
-    "compute.machineTypes.get",
-    "compute.regions.get",
-    "compute.subnetworks.use",
-    "compute.subnetworks.useExternalIp",
-    "compute.networks.get",
-    "compute.networks.list",
-    "compute.zones.list",
-    "compute.zoneOperations.get",
-
-
-    // Platform Update
-    "compute.addresses.use",
-    "compute.instances.addAccessConfig",
-    "compute.instances.detachDisk",
-    "compute.instances.deleteAccessConfig",
+    "compute.projects.get",
 
     // GKE Acquisition
     "container.clusters.get",
     "container.clusters.list",
     "container.pods.exec",
     "container.pods.get",
     "container.pods.list",
+  ]
 
-    // IAM & Authentication
-    "iam.serviceAccounts.actAs",
-    "iam.serviceAccounts.create",
-    "iam.serviceAccounts.enable",
-    "iam.serviceAccounts.get",
-    "iam.serviceAccounts.getAccessToken",
-    "iam.serviceAccounts.getIamPolicy",
-    "iam.serviceAccounts.implicitDelegation",
-    "iam.serviceAccounts.list",
-    "iam.serviceAccounts.signBlob",
 
-    // Project Management
-    "resourcemanager.projects.get",
-    "compute.projects.get",
+  # Generate the full list of permissions
+  permissions = concat(
+    local.base_permissions,
+    var.deploy_acquisition_permissions ? local.acquisition_permissions : [],
+    var.use_secrets_manager ? local.secretmanager_permissions : [],
+    var.enable_platform_updates ? local.upgrade_permissions : [],
+    !var.local_workers ? local.workers_permissions : []
+  )
+}
 
-    // Secret Management
-    "secretmanager.versions.access",
-    "secretmanager.versions.add",
-    "secretmanager.secrets.create",
+resource "google_service_account" "user_service_account" {
+  account_id   = "sa-${local.split_unique_name[0]}${local.account_id_suffix}"
+  display_name = "CadoResponse Service Account ${var.unique_name}"
+  project      = var.project_id
+}
 
-    // Bucket Acquisition
-    "storage.buckets.get",
-    "storage.buckets.list",
-    "storage.objects.create",
-    "storage.objects.delete",
-    "storage.objects.get",
-    "storage.objects.list",
-  ]
+resource "google_project_iam_custom_role" "custom_role" {
+  count       = var.role == "" ? 1 : 0
+  role_id     = replace("myCadoResponseRole_${var.unique_name}", "-", "_")
+  title       = "myCadoResponseRole-${var.unique_name}"
+  description = "CadoResponse Role"
+  permissions = local.permissions
 }
 
 resource "google_project_iam_member" "project_iam_member_cado" {

gcp/modules/iam/variables.tf

@@ -12,3 +12,23 @@ variable "role" {
   type        = string
   default     = "" # DO NOT CHANGE
 }
+
+variable "use_secrets_manager" {
+  description = "Use GCP Secret Manager for storing secrets"
+  type        = bool
+}
+
+variable "local_workers" {
+  type        = bool
+  description = "Deploy without scalable workers. Only limited acquisition types will be available"
+}
+
+variable "deploy_acquisition_permissions" {
+  description = "Whether to deploy the acquisition permissions"
+  type        = bool
+}
+
+variable "enable_platform_updates" {
+  description = "Enable platform updates, False requires updates via Terraform"
+  type        = bool
+}