Skip to content

Discovery Configuration - Self Managed and Data Plane

Ensure that you have completed the Prerequisites before proceeding with the Discovery configuration.

Enable Discovery features

Run the following commands on the Privacera Manager host to enable Discovery features in Self-Managed and PrivaceraCloud Data Plane deployments.

Copy the vars.discovery.aws.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
1
2
3
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.aws.yml config/custom-vars/
vi config/custom-vars/vars.discovery.aws.yml

Add or edit the following variables:

Bash
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
# Discovery bucket name. Should be without 's3://' prefix 
# and can contain optional folder path
#
# Example 1: DISCOVERY_BUCKET_NAME: "my-discovery-bucket"
# Example 2: DISCOVERY_BUCKET_NAME: "my-discovery-bucket/my-path"
# This bucket will be created by Privacera Manager using terraform.
DISCOVERY_BUCKET_NAME: “<PLEASE_CHANGE>”

# If you do not want Privacera Manager to create the S3bucket, 
# uncomment the following,
# DISCOVERY_CREATE_BUCKET: "false"

# If you do not want Privacera Managerto create the DynamoDB tables, uncomment 
# the following,
#DISCOVERY_CREATE_NOSQL_TABLES: "false"

# If you have created DynamoDB tables with different names, then uncomment the following,
# and set the values to the table names.
#
# NOTE: Privacera Manager will not create tables with these names, you have to create
# them manually and set DISCOVERY_CREATE_NOSQL_TABLES: "false"
#
# SCAN_REQUEST_TABLE: "<PLEASE_CHANGE>"
# RESOURCE_TABLE: "<PLEASE_CHANGE>"
# ALERT_TABLE: "<PLEASE_CHANGE>"
# AUDIT_SUMMARY_TABLE: "<PLEASE_CHANGE>"
# ACTIVE_SCANS_TABLE: "<PLEASE_CHANGE>"
# STATE_TABLE: "<PLEASE_CHANGE>"

# If you do not want Privacera Manager to create the SQS queue, uncomment 
# the following
#DISCOVERY_CREATE_SQS: "false"

# If you want to use a different name for the SQS queue, uncomment the following
# DISCOVERY_BUCKET_SQS_NAME: "<PLEASE_CHANGE>"

# IAM Role for Service Account used by Discovery Driver and Executor Pods
DISCOVERY_USE_POD_IAM_ROLE: "true"
DISCOVERY_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

DISCOVERY_CONSUMER_ENABLE: "true"
DISCOVERY_CONSUMER_USE_POD_IAM_ROLE: "true"
DISCOVERY_CONSUMER_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

PORTAL_USE_POD_IAM_ROLE: "true"
PORTAL_IAM_ROLE_ARN: "<PLEASE_CHANGE>"

DISCOVERY_K8S_SPARK_DYNAMIC_ALLOCATION_ENABLED: "true"

Replace the following placeholders

These were created as part of the Prerequisites -> AWS steps.

DISCOVERY_BUCKET_NAME: Discovery configuration bucket name.

DISCOVERY_IAM_ROLE_ARN: ARN of the IAM role created for Discovery driver, executor and Portal pods

DISCOVERY_CONSUMER_IAM_ROLE_ARN: ARN of the IAM role created for Discovery consumer pods

PORTAL_IAM_ROLE_ARN: ARN of the IAM role created for Discovery driver, executor and Portal pods

Copy the vars.discovery.azure.yml from config/sample-vars to config/custom-vars.

Bash
1
2
3
cd ~/privacera/privacera-manager  
cp -n config/sample-vars/vars.discovery.azure.yml config/custom-vars
vi config/custom-vars/vars.discovery.azure.yml

Add or edit the following variables:

Bash
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
DISCOVERY_FS_PREFIX: "<PLEASE_CHANGE>"
DISCOVERY_AZURE_STORAGE_ACCOUNT_NAME: "<PLEASE_CHANGE>"
DISCOVERY_AZURE_STORAGE_ACCOUNT_KEY: "<PLEASE_CHANGE>"

DISCOVERY_AZURE_LOCATION: "<PLEASE_CHANGE>"

CREATE_AZURE_RESOURCES: "false"

DISCOVERY_AZURE_COSMOS_DB_ACCOUNT: "<PLEASE_CHANGE>"
DISCOVERY_COSMOSDB_URL: "<PLEASE_CHANGE>"
DISCOVERY_COSMOSDB_KEY: "<PLEASE_CHANGE>"
DISCOVERY_COSMOSDB_SERVERLESS: "false"

DISCOVERY_CONSUMER_ENABLE: "true"

DISCOVERY_AZURE_APPLICATION_ID: "<PLEASE_CHANGE>"
DISCOVERY_AZURE_TENANTID: "<PLEASE_CHANGE>"
DISCOVERY_AZURE_APP_CLIENT_SECRET_BASE64: "<PLEASE_CHANGE>"

Replace the following placeholders

These were created as part of the Prerequisites -> Azure steps.

DISCOVERY_FS_PREFIX: Discovery configuration container name.

DISCOVERY_AZURE_STORAGE_ACCOUNT_NAME: Discovery configuration storage account name.

DISCOVERY_AZURE_STORAGE_ACCOUNT_KEY: Key for discovery configuration storage account if created manually else comment it.

DISCOVERY_AZURE_LOCATION: Default value is East US to create discovery resources by privacera manager else provide region where resource created manually.

CREATE_AZURE_RESOURCES: Make this property true in case you want privacera manager to create resources for you. if resources are created manually then keep it false.

DISCOVERY_AZURE_COSMOS_DB_ACCOUNT: Azure CosmosDB name which can create by privacera manager during installation. if you have created Azure CosmosDB manually then comment it.

DISCOVERY_COSMOSDB_URL: Provide url for Azure CosmosDB if created manually else comment it.

DISCOVERY_COSMOSDB_KEY: Provide key for Azure CosmosDB if created manually else comment it.

DISCOVERY_COSMOSDB_SERVERLESS: Make this property true in case you are using serverless cosmosDB

DISCOVERY_AZURE_APPLICATION_ID: If you want Privacera Manager to create resources using the Azure Subscription Principal, provide the Application ID. If you are using Managed Service Identity (MSI) for resource creation, leave it commented.

DISCOVERY_AZURE_APP_CLIENT_SECRET_BASE64: If you want Privacera Manager to create resources using the Azure Subscription Principal, provide the Application Secret for Azure AD [Base64 encoded]. If you are using Managed Service Identity (MSI) for resource creation, leave it commented.

DISCOVERY_AZURE_TENANTID: If you want Privacera Manager to create resources using the Azure Subscription Principal, provide the Tenant ID for Azure AD. If you are using Managed Service Identity (MSI) for resource creation, leave it commented.

Copy the vars.discovery.gcp.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
1
2
3
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.discovery.gcp.yml config/custom-vars/
vi config/custom-vars/vars.discovery.gcp.yml

Add or edit the following variables:

Bash
1
2
3
BIGTABLE_INSTANCE_ID: "<PLEASE_CHANGE>"
DISCOVERY_BUCKET_NAME: "<PLEASE_CHANGE>"
DISCOVERY_CONSUMER_ENABLE: "true"

Enable Kafka for Discovery

Kafka is required for inter process communication between the Discovery components.

Copy the vars.kafka.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
1
2
3
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.kafka.yml config/custom-vars/
vi config/custom-vars/vars.kafka.yml

Add or edit the following variables:

Bash
1
2
# Add or edit the following variables in the file
USE_KAFKA_SPECIFIC_STORAGE_CLASS: "true"

Copy the vars.kafka.yml from config/sample-vars to config/custom-vars and edit the file.

Bash
1
2
3
cd ~/privacera/privacera-manager
cp -n config/sample-vars/vars.kafka.yml config/custom-vars/
vi config/custom-vars/vars.kafka.yml

Add or edit the following variables:

Bash
1
2
# Add or edit the following variables in the file
USE_KAFKA_SPECIFIC_STORAGE_CLASS: "true"

Kafka is not required for GCP as it uses pubsub. Please refer prerequisites for GCP for more details

Apply the configuration

To apply the configuration you should run Privacera Manager to restart the services.

Bash
1
2
3
cd ~/privacera/privacera-manager
./privacera-manager.sh setup
./pm_with_helm.sh upgrade

Comments