
Discovery Configuration - Self Managed and Data Plane

Make sure you have completed the Prerequisites before proceeding with the Discovery configuration.

The following prerequisites are required to enable Discovery features in AWS.

  • Create IAM policies and roles for Privacera Manager to create AWS resources required for Privacera Discovery (optional).
  • Create an S3 bucket and path for storing the configurations and temporary files for Privacera Discovery or let Privacera Manager create it for you.
  • Create DynamoDB tables to store metadata and tags or let Privacera Manager create them for you.
  • Create an SQS queue for real-time scanning or let Privacera Manager create it for you (optional).
  • Create IAM policies and roles for the Discovery and Portal pods to access the AWS resources.
  • Create IAM policies for the Discovery and Portal pods to scan the S3 bucket (optional).
  • Assign the IAM roles to the EKS Service Accounts for the Discovery and Portal pods.

You should also have values for the following placeholders:

  • DISCOVERY_BUCKET_NAME: Discovery configuration bucket name and path.
  • DynamoDB table names for storing metadata and tags (only if you have created the tables manually).
    • SCAN_REQUEST_TABLE: DynamoDB table name for storing scan requests
    • RESOURCE_TABLE: DynamoDB table name for storing resource metadata
    • ALERT_TABLE: DynamoDB table name for storing alerts
    • AUDIT_SUMMARY_TABLE: DynamoDB table name for storing audit summary
    • ACTIVE_SCANS_TABLE: DynamoDB table name for storing active scans
    • STATE_TABLE: DynamoDB table name for storing state
  • DISCOVERY_BUCKET_SQS_NAME: Amazon SQS Queue name (only if you have created the queue manually).
  • IAM Role For Discovery and Portal Pods: ARN of the IAM role created for the Discovery driver, executor and Portal pods. You can use the same value as privacera-discovery-role-privacera-prod from the prerequisites.

Enable Discovery features

Run the following commands on the Privacera Manager host to enable Discovery features in Self Managed and PrivaceraCloud Data Plane deployments.

Copy the vars.discovery.aws.yml from config/sample-vars to config/custom-vars and edit the file.

```bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.aws.yml config/custom-vars/
vi config/custom-vars/vars.discovery.aws.yml
```

Add or edit the following variables:

```yaml
# Discovery bucket name. Must be given without the 's3://' prefix
# and can contain an optional folder path.
#
# Example 1: DISCOVERY_BUCKET_NAME: "my-discovery-bucket"
# Example 2: DISCOVERY_BUCKET_NAME: "my-discovery-bucket/my-path"
# This bucket will be created by Privacera Manager using Terraform.
DISCOVERY_BUCKET_NAME: "<PLEASE_CHANGE>"

# If you do not want Privacera Manager to create the S3 bucket,
# uncomment the following:
# DISCOVERY_CREATE_BUCKET: "false"

# If you do not want Privacera Manager to create the DynamoDB tables,
# uncomment the following:
# DISCOVERY_CREATE_NOSQL_TABLES: "false"

# If you have created DynamoDB tables with different names, uncomment the
# following and set the values to the table names.
#
# NOTE: Privacera Manager will not create tables with these names; you have to
# create them manually and set DISCOVERY_CREATE_NOSQL_TABLES: "false"
#
# SCAN_REQUEST_TABLE: "<PLEASE_CHANGE>"
# RESOURCE_TABLE: "<PLEASE_CHANGE>"
# ALERT_TABLE: "<PLEASE_CHANGE>"
# AUDIT_SUMMARY_TABLE: "<PLEASE_CHANGE>"
# ACTIVE_SCANS_TABLE: "<PLEASE_CHANGE>"
# STATE_TABLE: "<PLEASE_CHANGE>"

# If you do not want Privacera Manager to create the SQS queue, uncomment
# the following:
# DISCOVERY_CREATE_SQS: "false"

# If you want to use a different name for the SQS queue, uncomment the following:
# DISCOVERY_BUCKET_SQS_NAME: "<PLEASE_CHANGE>"

# IAM role for the Kubernetes service account used by the Discovery driver and
# executor pods. With *_USE_POD_IAM_ROLE set to "true" the pods authenticate
# through the IAM role bound to their EKS service account, so no static AWS
# access keys need to be placed in this file.
DISCOVERY_USE_POD_IAM_ROLE: "true"
DISCOVERY_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

# IAM role for the Discovery consumer pods
DISCOVERY_CONSUMER_ENABLE: "true"
DISCOVERY_CONSUMER_USE_POD_IAM_ROLE: "true"
DISCOVERY_CONSUMER_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

# IAM role for the Portal pods
PORTAL_USE_POD_IAM_ROLE: "true"
PORTAL_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

DISCOVERY_K8S_SPARK_DYNAMIC_ALLOCATION_ENABLED: "true"
```

Replace the following placeholders with the values created in the Prerequisites -> AWS steps:

  • DISCOVERY_BUCKET_NAME: Discovery configuration bucket name.
  • DISCOVERY_IAM_ROLE_ARN: ARN of the IAM role created for the Discovery driver, executor and Portal pods.
  • DISCOVERY_CONSUMER_IAM_ROLE_ARN: ARN of the IAM role created for the Discovery consumer pods.
  • PORTAL_IAM_ROLE_ARN: ARN of the IAM role created for the Discovery driver, executor and Portal pods.
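A mistake that is easy to make in this file (a leftover `<PLEASE_CHANGE>`, an `s3://` prefix on the bucket name, a role ARN pasted from the wrong account, custom table names without `DISCOVERY_CREATE_NOSQL_TABLES: "false"`, or typographic quotes pasted from a document) is only discovered after Terraform and Helm have already run. The pre-flight check below is an added example, not a Privacera Manager script: it reads the flat `KEY: "value"` lines of vars.discovery.aws.yml with sed, so it assumes the layout of the sample file rather than general YAML, and the file names and sample values in it are constructed for illustration.

```shell
#!/usr/bin/env bash
# Pre-flight check for config/custom-vars/vars.discovery.aws.yml, to run before
# ./privacera-manager.sh setup. Added example, not part of Privacera Manager.
# Assumption: one `KEY: "value"` per line and '#' comments, as in the sample file.

# Print the value of key $2 from file $1 without surrounding double quotes.
# Commented-out lines are ignored; if a key appears twice, the last one wins.
pm_var() {
  sed -n -E "s/^[[:space:]]*$2:[[:space:]]*\"?([^\"]*)\"?[[:space:]]*\$/\1/p" "$1" | tail -n 1
}

# Report every problem found in file $1; return 0 only when there are none.
check_discovery_vars() {
  local file="$1" rc=0 val prefix key

  # 1. Template placeholders that were never replaced (commented lines are fine).
  if grep -v '^[[:space:]]*#' "$file" | grep -q -F '<PLEASE_CHANGE>'; then
    echo "ERROR: <PLEASE_CHANGE> placeholder still present in $file"; rc=1
  fi

  # 2. Typographic quotes: YAML keeps them as part of the value, so the bucket
  #    or role would be looked up with the quote characters included.
  if grep -v '^[[:space:]]*#' "$file" | grep -q -F -e '“' -e '”'; then
    echo "ERROR: curly quotes found; use plain ASCII double quotes"; rc=1
  fi

  # 3. Bucket: required, and written as "bucket[/path]", not as an s3:// URL.
  val=$(pm_var "$file" DISCOVERY_BUCKET_NAME)
  case "$val" in
    "")        echo "ERROR: DISCOVERY_BUCKET_NAME is not set"; rc=1 ;;
    s3://*|/*) echo "ERROR: DISCOVERY_BUCKET_NAME must not start with s3:// or /: $val"; rc=1 ;;
  esac

  # 4. IRSA: whenever <PREFIX>_USE_POD_IAM_ROLE is "true", <PREFIX>_IAM_ROLE_ARN
  #    must be a syntactically valid IAM role ARN (12-digit account id, role/...).
  for prefix in DISCOVERY DISCOVERY_CONSUMER PORTAL; do
    [ "$(pm_var "$file" "${prefix}_USE_POD_IAM_ROLE")" = "true" ] || continue
    val=$(pm_var "$file" "${prefix}_IAM_ROLE_ARN")
    if ! printf '%s\n' "$val" | grep -q -E '^arn:aws(-[a-z]+)?:iam::[0-9]{12}:role/.+$'; then
      echo "ERROR: ${prefix}_IAM_ROLE_ARN is not an IAM role ARN: '$val'"; rc=1
    fi
  done

  # 5. Custom DynamoDB table names are only honoured when Privacera Manager is
  #    told not to create the tables itself.
  for key in SCAN_REQUEST_TABLE RESOURCE_TABLE ALERT_TABLE \
             AUDIT_SUMMARY_TABLE ACTIVE_SCANS_TABLE STATE_TABLE; do
    if [ -n "$(pm_var "$file" "$key")" ] && \
       [ "$(pm_var "$file" DISCOVERY_CREATE_NOSQL_TABLES)" != "false" ]; then
      echo "ERROR: $key is set but DISCOVERY_CREATE_NOSQL_TABLES is not \"false\""; rc=1
    fi
  done

  return $rc
}

# Usage: bash check_discovery_vars.sh config/custom-vars/vars.discovery.aws.yml
if [ "$#" -gt 0 ]; then
  check_discovery_vars "$1"
fi
```

Run it against the edited file and only continue to `./privacera-manager.sh setup` when it exits 0. The same placeholder and curly-quote checks apply unchanged to the Azure and GCP vars files; the bucket, ARN and table checks are specific to the AWS variables.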

For Azure deployments, copy the vars.discovery.azure.yml from config/sample-vars to config/custom-vars and edit the file.

```bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.azure.yml config/custom-vars/
vi config/custom-vars/vars.discovery.azure.yml
```

Add or edit the following variables:

```yaml
DISCOVERY_FS_PREFIX: "<PLEASE_CHANGE>"
DISCOVERY_AZURE_STORAGE_ACCOUNT_NAME: "<PLEASE_CHANGE>"
DISCOVERY_AZURE_STORAGE_ACCOUNT_KEY: "<PLEASE_CHANGE>"

DISCOVERY_AZURE_LOCATION: "<PLEASE_CHANGE>"

CREATE_AZURE_RESOURCES: "false"

DISCOVERY_AZURE_RESOURCE_GROUP: "<PLEASE_CHANGE>"

DISCOVERY_AZURE_COSMOS_DB_ACCOUNT: "<PLEASE_CHANGE>"
DISCOVERY_COSMOSDB_URL: "<PLEASE_CHANGE>"
DISCOVERY_COSMOSDB_KEY: "<PLEASE_CHANGE>"
```

DISCOVERY_AZURE_STORAGE_ACCOUNT_KEY and DISCOVERY_COSMOSDB_KEY are long-lived keys that grant full access to the storage account and the Cosmos DB account respectively. Keep config/custom-vars readable only by the user that runs Privacera Manager, do not commit the file to version control, and rotate both keys if the file is ever exposed.

DISCOVERY_CONSUMER_ENABLE: "true"

For GCP deployments, copy the vars.discovery.gcp.yml from config/sample-vars to config/custom-vars and edit the file.

```bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.gcp.yml config/custom-vars/
vi config/custom-vars/vars.discovery.gcp.yml
```

Add or edit the following variables:

```yaml
BIGTABLE_INSTANCE_ID: "<PLEASE_CHANGE>"
DISCOVERY_BUCKET_NAME: "<PLEASE_CHANGE>"
```

Enable Kafka for Discovery

Copy the vars.kafka.yml from config/sample-vars to config/custom-vars and edit the file.

```bash
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.kafka.yml config/custom-vars/
vi config/custom-vars/vars.kafka.yml
```

Add or edit the following variables:

```yaml
USE_KAFKA_SPECIFIC_STORAGE_CLASS: "true"
```

Apply the configuration

To apply the configuration, run Privacera Manager so that it regenerates the deployment files and upgrades (restarts) the services.

```bash
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade
```
