- 13 Jun 2024
- 8 Minutes to read
- Print
- PDF
AWS mirroring - Terraform
- Updated on 13 Jun 2024
- 8 Minutes to read
- Print
- PDF
The topic explains deploying Traceable’s platform agent using Terraform in AWS. The template also sets up traffic mirroring. Traffic mirroring can be used to capture a copy of the original data from the source network interface without disrupting your existing infrastructure and without adding any latency to your requests. For example, this mirrored data can be used for telemetry, attack detection, and so on.
Before you begin
Make a note of the following before you proceed with the deployment:
- Make sure that you have Terraform 1.2 and later.
- Keep Traceable's access token handy. It will be used when you configure the variables in the
*.tfvars
file. You can copy the access token by logging into your Traceable platform and then navigate to Settings ()→Account → Agent Token.InformationAtfvars
file is a file that contains variable assignments for use with Terraform, a tool for building, changing, and versioning infrastructure safely and efficiently. Thetfvars
file allows users to set values for variables that are used in Terraform configuration files, and can be used to customize the infrastructure that is created or managed by Terraform. The file typically has a.tfvars
file extension, and the variable assignments are in a key-value format. - Make sure that Terraform is already installed. For more information on installing Terraform, see Download Terraform.
- Configure AWS in the shell you are using. Enter the following command to set up your AWS CLI installation:ActionScript
The following example shows sample values. Replace them with your values to configure the credentials correctly.aws configure
ActionScript
For more information on the$ aws configure AWS Access Key ID [None]: AKIAIOSFODNN7EXAMPLE AWS Secret Access Key [None]: wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY Default region name [None]: us-west-2 Default output format [None]: json
credentials
file, see Configuration and credential file settings.If you have configured named AWS profiles, export the environment variable
AWS_PROFILE=myprofile
where the profile namedmyprofile
has the credentials which you wish to use in deploying the Traceable mirroring resources.Finally, run the following command and verify that the AWS region is set to the region where you wish to install Traceable:
aws configure get region
For more information on configuration, see AWS documentation.
Download
Enter the following command to download the AWS traffic mirroring tarball:
curl -O https://downloads.traceable.ai/install/traffic-mirroring/aws/terraform/latest/traffic-mirroring-aws.tar.gz
Untar the tarball. Enter the following command:
tar xvzf traffic-mirroring-aws.tar.gz
Installation
To install, create a file terraform.tfvars
with terraform variables as shown below.
vpc_id = "vpc-08dc789"
subnet_ids = "subnet-123jndw,subnet-89sd3j"
assign_public_ip = true
traceable_refresh_token = "my-token"
traceable_environment = "my-env"
mirror_source = {
type = "ECS_CLUSTER"
value = "terraform-test"
vpc_id = "vpc-08dc789"
}
instance_group_configuration = {
key_name = "my-keypair-name"
instance_type = "m4.large"
traceable_refresh_token_secret_arn = ""
}
tags = {
"TAG1" = "VALUE1"
"TAG2:GLOBAL" = "VALUE2"
"TAG3" = "VALUE3"
}
Configure terraform variables
The following tables describe the various terraform variables.
|
|
| VPC where you wish to deploy Traceable. |
|
|
| Provide a comma-separated list of subnets where Traceable will be deployed. Provide one subnet for each availability zone across which the mirror sources exist. |
|
|
| Assign public IP to Traceable instance/ECS service. |
|
|
| Traceable Platform token. |
|
|
| Environment under which mirrored traffic will be seen on Traceable platform. |
|
|
| Service name for the mirrored traffic. |
|
|
| Traceable API Endpoint. |
|
|
| Deploy Traceable in an ECS cluster. |
|
| — | See the next section. |
|
| — | See the next section. |
autoscaling_configuration |
| — | See the autoscaling configuration section. |
|
|
| Additional tags to be applied on all the Traceable resources. |
install_packages | bool | true | Install Traceable and mirroring packages on the Traceable instances. This variable will be ignored if custom_ami_id is not provided. |
custom_ami_id | string | "" | Custom AMI ID to be used for Traceable instances. Note Traceable only supports Ubuntu, CentOS 7, and Amazon Linux 2 AMIs in the custom_ami_id field. If you are using an ARM64-based AMI, then make sure that the chosen instance type is also based on ARM64 architecture. |
mirroring_session_lambda | object | — | See the mirroring session lambda section. |
route53_configuration | object | — | See the route53_configuration section for more details. |
You can deploy the Traceable agent either in an instance-group or in an ECS cluster. If deploy_traceable_agent_in_ecs=true
then Traceable is deployed in an ECS cluster. In such a case, instance_group_configuration
is ignored. If deploy_traceable_agent_in_ecs=false
then Traceable is deployed in an Instance group. Refer below for the attributes which should be passed as part of theinstance_group_configuration.
mirror_source
The mirror_source object has the following values:
|
|
| Type of mirror source. Possible values are |
|
|
| Depending on the
|
|
|
| comma-separated list of VPC IDs where mirrored sources exist, for example,vpc_id = "MY_VPC" |
LOAD_BALANCER_TAGS
You can use mirror_source
type if you wish to choose load balancers based on tags. All load balancers that match at least one of the tags provided in the mirror_source
value are mirrored. The Tag can be either in the form of key=value
or key
.
Example: For the following input:
mirror_source = {
type = "LOAD_BALANCER_TAGS"
value = "app=development, traceable-mirror=true, traceable-app"
vpc_id = "MY_VPC_ID"
}
All load balancers in the VPC MY_VPC_ID
satisfying at least one of the following conditions will be mirrored:
- The load balancer has a tag with key
app
and valuedevelopment
. - The load balancer has a tag with key
traceable-mirror
and valuetrue
. - The load balancer has a tag with a key
traceable-app
and any value.
instance_group_configuration
The instance_group_configuration has the following values:
|
|
| SSH key name that should be attached to Traceable EC2 instances. |
|
|
| Instance type name of Traceable instances. Make sure that the VM instance where Traceable Platform agent will be installed has at least 4 vCPUs and 8 GB RAM. |
|
|
| ARN of secret where Traceable Platform token is stored. If you provide this, then |
autoscaling_configuration
The autoscaling_configuration has the following values:
Name | Type | Default value | Description |
---|---|---|---|
max_size | number | 20 | Maximum number of EC2 instances in the Traceable autoscaling group or ECS tasks in the Traceable ECS cluster. |
target_value | number | 80 | Target threshold value in percentage for average CPU and memory utilization in the autoscaling policy of Traceable Instance group or ECS service. |
mirroring_session_lambda
The mirroring_session_lambda has the following values:
Name | Type | Default value | Description |
---|---|---|---|
timeout | number | 600 seconds | Mirroring session lambda timeout in seconds. |
interval | number | 15 minutes | Mirroring session lambda interval in minutes. Lambda runs at the configured interval to update mirror sessions and filter rules for any changes in the mirror sources. |
mirror_unhealthy_targets | bool | false | If you set this value to true, Traceable creates traffic mirroring sessions and filter rules for targets even if their health status is not healthy . |
route53_configuration
This variable is used only when you set mirror_source.type = FARGATE
. The route53_configuration object has the following values:
Name | Type | Default value | Description |
---|---|---|---|
name |
|
| Defines the zone name for Traceable route53 private zone. |
id |
|
| Zone ID for existing route53 private zone. If this configuration is empty, a new private hosted zone is created for the Traceable NLB. Otherwise, Traceable uses the zone represented by this zone ID for the Traceable NLB. |
subdomain |
|
| Subdomain for route53 alias record created for the Traceable NLB. |
associate_traceable_vpc |
| true | Defines whether Traceable VPC should be associated with the Traceable route53 zone. |
Apply terraform
Run the following commands to apply the terraform changes:
terraform init
terraform apply
Mirroring in peered VPC
what is peered VPC?
A peered VPC (Virtual Private Cloud) is a networking configuration in which two or more VPCs are connected to each other through a VPC peering connection. This allows resources in one VPC to communicate with resources in the other VPC as if they were on the same network. When VPCs are peered, their CIDR blocks become part of the same IP address range, which allows resources to communicate with each other using private IP addresses. This eliminates the need to use public IP addresses or a VPN connection to connect the VPCs.
AWS provides the capability to create VPC peering connections between VPCs in the same region, or across different regions, or across different accounts, using the VPC peering connection feature in the AWS Management Console.
Traceable traffic-mirroring in peered VPC
If you want to deploy Traceable in a VPC which is different from the VPC where your mirror source(s) reside, it can be done as follows:
- Under themirror_source configuration, provide the source VPC where the mirror sources reside.
- Under the
vpc_id
configuration, provide the destination VPC where you wish to deploy Traceable. - Make sure that an active peering connection exists between the source and destination VPC provided above. For more information, see VPC Peering.
- In the main route table of source VPC, add a new route with target as the peering connection and destination as the VPC CIDR of the destination VPC. This allows the mirrored traffic to go from the source VPC to destination VPC.
Example
Let us assume that the mirror sources are invpc_A while you wish to deploy Traceable invpc_B. If the subnets used to deploy Traceable aresubnet_1, subnet_2, and so on, with CIDRs as cidr_1,cidr_2, and so on, then follow these two steps:
- Establish a peering connectionpcx_AB betweenvpc_A andvpc_B.
- Add new routes in the main route table ofvpc_A with target aspcx_AB and destination ascidr_1,cidr_2, and so on. By doing this, we are trying to make sure that all the subnets where Traceable is deployed receive mirrored traffic from the source VPCvpc_A.
Once done, you can use the following configuration to deploy Traceable. Rest of the configuration options can be used as described in Configure terraform variables:
vpc_id = "<vpc_B>"
subnet_ids = "<subnet_1>,<subnet_2>,..."
mirror_source = {
type = "LOAD_BALANCER"
value = "terraform-test"
vpc_id = "<vpc_A>"
}
Note that if the mirror sources are across more than one VPC (sayvpc_A2, vpc_A3, and so on) then you need to repeat the above two steps for vpc_A2, vpc_A3, and so on, and finally add these VPCs to thevpc_id variable in mirror_source in the above configuration.
Verification
Log into Traceable Platform to and navigate to API Catalog > Services to view the service name that you configured earlier.
Uninstall
Run the following command from the same directory to destroy all the resources created in the installation step:
terraform destroy