├── .github
    ├── ISSUE_TEMPLATE.md
    └── PULL_REQUEST_TEMPLATE.md
├── .gitignore
├── CONTRIBUTING.md
├── LICENSE
├── README.md
├── compute.tf
├── main.tf
├── network.tf
├── scripts.tf
├── splunk-on-gcp-diagram.png
├── startup_script.sh.tpl
├── variables.tf
└── variables.yaml


/.github/ISSUE_TEMPLATE.md:
--------------------------------------------------------------------------------
 1 | ## Expected Behavior
 2 | 
 3 | 
 4 | ## Actual Behavior
 5 | 
 6 | 
 7 | ## Steps to Reproduce the Problem
 8 | 
 9 | 1.
10 | 1.
11 | 1.
12 | 
13 | ## Specifications
14 | 
15 | - Version:
16 | - Platform:


--------------------------------------------------------------------------------
/.github/PULL_REQUEST_TEMPLATE.md:
--------------------------------------------------------------------------------
1 | Fixes #<issue_number_goes_here>
2 | 
3 | > It's a good idea to open an issue first for discussion.
4 | 
5 | - [ ] Tests pass
6 | - [ ] Appropriate changes to README are included in PR


--------------------------------------------------------------------------------
/.gitignore:
--------------------------------------------------------------------------------
1 | .terraform
2 | terraform.tfvars*
3 | terraform.tfstate*
4 | 
5 | *.swp
6 | 


--------------------------------------------------------------------------------
/CONTRIBUTING.md:
--------------------------------------------------------------------------------
 1 | # How to Contribute
 2 | 
 3 | We'd love to accept your patches and contributions to this project. There are
 4 | just a few small guidelines you need to follow.
 5 | 
 6 | ## Contributor License Agreement
 7 | 
 8 | Contributions to this project must be accompanied by a Contributor License
 9 | Agreement. You (or your employer) retain the copyright to your contribution;
10 | this simply gives us permission to use and redistribute your contributions as
11 | part of the project. Head over to <https://cla.developers.google.com/> to see
12 | your current agreements on file or to sign a new one.
13 | 
14 | You generally only need to submit a CLA once, so if you've already submitted one
15 | (even if it was for a different project), you probably don't need to do it
16 | again.
17 | 
18 | ## Code reviews
19 | 
20 | All submissions, including submissions by project members, require review. We
21 | use GitHub pull requests for this purpose. Consult
22 | [GitHub Help](https://help.github.com/articles/about-pull-requests/) for more
23 | information on using pull requests.
24 | 
25 | ## Community Guidelines
26 | 
27 | This project follows [Google's Open Source Community
28 | Guidelines](https://opensource.google/conduct/).
29 | 


--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
  1 | 
  2 |                                  Apache License
  3 |                            Version 2.0, January 2004
  4 |                         http://www.apache.org/licenses/
  5 | 
  6 |    TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
  7 | 
  8 |    1. Definitions.
  9 | 
 10 |       "License" shall mean the terms and conditions for use, reproduction,
 11 |       and distribution as defined by Sections 1 through 9 of this document.
 12 | 
 13 |       "Licensor" shall mean the copyright owner or entity authorized by
 14 |       the copyright owner that is granting the License.
 15 | 
 16 |       "Legal Entity" shall mean the union of the acting entity and all
 17 |       other entities that control, are controlled by, or are under common
 18 |       control with that entity. For the purposes of this definition,
 19 |       "control" means (i) the power, direct or indirect, to cause the
 20 |       direction or management of such entity, whether by contract or
 21 |       otherwise, or (ii) ownership of fifty percent (50%) or more of the
 22 |       outstanding shares, or (iii) beneficial ownership of such entity.
 23 | 
 24 |       "You" (or "Your") shall mean an individual or Legal Entity
 25 |       exercising permissions granted by this License.
 26 | 
 27 |       "Source" form shall mean the preferred form for making modifications,
 28 |       including but not limited to software source code, documentation
 29 |       source, and configuration files.
 30 | 
 31 |       "Object" form shall mean any form resulting from mechanical
 32 |       transformation or translation of a Source form, including but
 33 |       not limited to compiled object code, generated documentation,
 34 |       and conversions to other media types.
 35 | 
 36 |       "Work" shall mean the work of authorship, whether in Source or
 37 |       Object form, made available under the License, as indicated by a
 38 |       copyright notice that is included in or attached to the work
 39 |       (an example is provided in the Appendix below).
 40 | 
 41 |       "Derivative Works" shall mean any work, whether in Source or Object
 42 |       form, that is based on (or derived from) the Work and for which the
 43 |       editorial revisions, annotations, elaborations, or other modifications
 44 |       represent, as a whole, an original work of authorship. For the purposes
 45 |       of this License, Derivative Works shall not include works that remain
 46 |       separable from, or merely link (or bind by name) to the interfaces of,
 47 |       the Work and Derivative Works thereof.
 48 | 
 49 |       "Contribution" shall mean any work of authorship, including
 50 |       the original version of the Work and any modifications or additions
 51 |       to that Work or Derivative Works thereof, that is intentionally
 52 |       submitted to Licensor for inclusion in the Work by the copyright owner
 53 |       or by an individual or Legal Entity authorized to submit on behalf of
 54 |       the copyright owner. For the purposes of this definition, "submitted"
 55 |       means any form of electronic, verbal, or written communication sent
 56 |       to the Licensor or its representatives, including but not limited to
 57 |       communication on electronic mailing lists, source code control systems,
 58 |       and issue tracking systems that are managed by, or on behalf of, the
 59 |       Licensor for the purpose of discussing and improving the Work, but
 60 |       excluding communication that is conspicuously marked or otherwise
 61 |       designated in writing by the copyright owner as "Not a Contribution."
 62 | 
 63 |       "Contributor" shall mean Licensor and any individual or Legal Entity
 64 |       on behalf of whom a Contribution has been received by Licensor and
 65 |       subsequently incorporated within the Work.
 66 | 
 67 |    2. Grant of Copyright License. Subject to the terms and conditions of
 68 |       this License, each Contributor hereby grants to You a perpetual,
 69 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 70 |       copyright license to reproduce, prepare Derivative Works of,
 71 |       publicly display, publicly perform, sublicense, and distribute the
 72 |       Work and such Derivative Works in Source or Object form.
 73 | 
 74 |    3. Grant of Patent License. Subject to the terms and conditions of
 75 |       this License, each Contributor hereby grants to You a perpetual,
 76 |       worldwide, non-exclusive, no-charge, royalty-free, irrevocable
 77 |       (except as stated in this section) patent license to make, have made,
 78 |       use, offer to sell, sell, import, and otherwise transfer the Work,
 79 |       where such license applies only to those patent claims licensable
 80 |       by such Contributor that are necessarily infringed by their
 81 |       Contribution(s) alone or by combination of their Contribution(s)
 82 |       with the Work to which such Contribution(s) was submitted. If You
 83 |       institute patent litigation against any entity (including a
 84 |       cross-claim or counterclaim in a lawsuit) alleging that the Work
 85 |       or a Contribution incorporated within the Work constitutes direct
 86 |       or contributory patent infringement, then any patent licenses
 87 |       granted to You under this License for that Work shall terminate
 88 |       as of the date such litigation is filed.
 89 | 
 90 |    4. Redistribution. You may reproduce and distribute copies of the
 91 |       Work or Derivative Works thereof in any medium, with or without
 92 |       modifications, and in Source or Object form, provided that You
 93 |       meet the following conditions:
 94 | 
 95 |       (a) You must give any other recipients of the Work or
 96 |           Derivative Works a copy of this License; and
 97 | 
 98 |       (b) You must cause any modified files to carry prominent notices
 99 |           stating that You changed the files; and
100 | 
101 |       (c) You must retain, in the Source form of any Derivative Works
102 |           that You distribute, all copyright, patent, trademark, and
103 |           attribution notices from the Source form of the Work,
104 |           excluding those notices that do not pertain to any part of
105 |           the Derivative Works; and
106 | 
107 |       (d) If the Work includes a "NOTICE" text file as part of its
108 |           distribution, then any Derivative Works that You distribute must
109 |           include a readable copy of the attribution notices contained
110 |           within such NOTICE file, excluding those notices that do not
111 |           pertain to any part of the Derivative Works, in at least one
112 |           of the following places: within a NOTICE text file distributed
113 |           as part of the Derivative Works; within the Source form or
114 |           documentation, if provided along with the Derivative Works; or,
115 |           within a display generated by the Derivative Works, if and
116 |           wherever such third-party notices normally appear. The contents
117 |           of the NOTICE file are for informational purposes only and
118 |           do not modify the License. You may add Your own attribution
119 |           notices within Derivative Works that You distribute, alongside
120 |           or as an addendum to the NOTICE text from the Work, provided
121 |           that such additional attribution notices cannot be construed
122 |           as modifying the License.
123 | 
124 |       You may add Your own copyright statement to Your modifications and
125 |       may provide additional or different license terms and conditions
126 |       for use, reproduction, or distribution of Your modifications, or
127 |       for any such Derivative Works as a whole, provided Your use,
128 |       reproduction, and distribution of the Work otherwise complies with
129 |       the conditions stated in this License.
130 | 
131 |    5. Submission of Contributions. Unless You explicitly state otherwise,
132 |       any Contribution intentionally submitted for inclusion in the Work
133 |       by You to the Licensor shall be under the terms and conditions of
134 |       this License, without any additional terms or conditions.
135 |       Notwithstanding the above, nothing herein shall supersede or modify
136 |       the terms of any separate license agreement you may have executed
137 |       with Licensor regarding such Contributions.
138 | 
139 |    6. Trademarks. This License does not grant permission to use the trade
140 |       names, trademarks, service marks, or product names of the Licensor,
141 |       except as required for reasonable and customary use in describing the
142 |       origin of the Work and reproducing the content of the NOTICE file.
143 | 
144 |    7. Disclaimer of Warranty. Unless required by applicable law or
145 |       agreed to in writing, Licensor provides the Work (and each
146 |       Contributor provides its Contributions) on an "AS IS" BASIS,
147 |       WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
148 |       implied, including, without limitation, any warranties or conditions
149 |       of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
150 |       PARTICULAR PURPOSE. You are solely responsible for determining the
151 |       appropriateness of using or redistributing the Work and assume any
152 |       risks associated with Your exercise of permissions under this License.
153 | 
154 |    8. Limitation of Liability. In no event and under no legal theory,
155 |       whether in tort (including negligence), contract, or otherwise,
156 |       unless required by applicable law (such as deliberate and grossly
157 |       negligent acts) or agreed to in writing, shall any Contributor be
158 |       liable to You for damages, including any direct, indirect, special,
159 |       incidental, or consequential damages of any character arising as a
160 |       result of this License or out of the use or inability to use the
161 |       Work (including but not limited to damages for loss of goodwill,
162 |       work stoppage, computer failure or malfunction, or any and all
163 |       other commercial damages or losses), even if such Contributor
164 |       has been advised of the possibility of such damages.
165 | 
166 |    9. Accepting Warranty or Additional Liability. While redistributing
167 |       the Work or Derivative Works thereof, You may choose to offer,
168 |       and charge a fee for, acceptance of support, warranty, indemnity,
169 |       or other liability obligations and/or rights consistent with this
170 |       License. However, in accepting such obligations, You may act only
171 |       on Your own behalf and on Your sole responsibility, not on behalf
172 |       of any other Contributor, and only if You agree to indemnify,
173 |       defend, and hold each Contributor harmless for any liability
174 |       incurred by, or claims asserted against, such Contributor by reason
175 |       of your accepting any such warranty or additional liability.
176 | 
177 |    END OF TERMS AND CONDITIONS
178 | 
179 |    APPENDIX: How to apply the Apache License to your work.
180 | 
181 |       To apply the Apache License to your work, attach the following
182 |       boilerplate notice, with the fields enclosed by brackets "[]"
183 |       replaced with your own identifying information. (Don't include
184 |       the brackets!)  The text should be enclosed in the appropriate
185 |       comment syntax for the file format. We also recommend that a
186 |       file or class name and description of purpose be included on the
187 |       same "printed page" as the copyright notice for easier
188 |       identification within third-party archives.
189 | 
190 |    Copyright [yyyy] [name of copyright owner]
191 | 
192 |    Licensed under the Apache License, Version 2.0 (the "License");
193 |    you may not use this file except in compliance with the License.
194 |    You may obtain a copy of the License at
195 | 
196 |        http://www.apache.org/licenses/LICENSE-2.0
197 | 
198 |    Unless required by applicable law or agreed to in writing, software
199 |    distributed under the License is distributed on an "AS IS" BASIS,
200 |    WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
201 |    See the License for the specific language governing permissions and
202 |    limitations under the License.
203 | 


--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
  1 | # Terraform templates for Splunk Enterprise on GCP
  2 | 
  3 | A set of Terraform templates to deploy distributed multi-zone Splunk Enterprise in a user-specified GCP region. Deployment includes a pre-configured indexer cluster where cluster master also acts as license master, as well as a pre-configured search head cluster with a deployer. Indexer cluster splunktcp and http event collector (HEC) input are pre-configured and ready to receive data. Search head cluster is fronted by a global load balancer for user web traffic. Indexer cluster is fronted by a global load balancer for HEC data traffic. For splunktcp data traffic, indexer discovery is pre-enabled so Splunk Forwarders can automatically discover list of peer nodes and natively load balance data across indexer cluster.
  4 | 
  5 | These deployment templates are provided for demo/POC purposes only.
  6 | 
  7 | ### Architecture Diagram
  8 | 
  9 | ![Architecture Diagram of Splunk Enterprise on GCP](./splunk-on-gcp-diagram.png)
 10 | 
 11 | ### Configurable Parameters
 12 | 
 13 | Parameter | Description 
 14 | --- | ---
 15 | project | The project to deploy to, if not set the default provider project is used
 16 | region | Region for cloud resources
 17 | zone | Zone for cloud resources (if not specified first zone in region used)
 18 | splunk_idx_cluster_size | Size of Splunk indexer cluster (multi-zone)
 19 | splunk_sh_cluster_size | Size of Splunk search head cluster (multi-zone)
 20 | splunk_admin_password | Splunk admin password (No single quotes)
 21 | splunk_cluster_secret | Splunk secret shared by indexer and search head clusters (No single quotes)
 22 | splunk_indexer_discovery_secret | Splunk secret for indexer discovery (No single quotes)
 23 | splunk_network | Network to deploy Splunk onto (default splunk-network)
 24 | splunk_subnet | Subnetwork to deploy Splunk onto (default splunk-subnet)
 25 | splunk_subnet_cidr | Subnetwork CIDR for Splunk (default 192.168.0.0/16 - ignored if not creating network)
 26 | create_network | Boolean (default true) to create splunk network (set to false to reuse existing network)
 27 | idx_disk_type | Disk type to use for data volume on indexers.  Can be local-ssd, pd-ssd or pd-standard
 28 | idx_disk_size | Disk size for persistent disk data volumes (default 100 GB - ignored if using local-ssd in which case it's set to 375 GB)
 29 | idx_disk_count | Number of scratch disks to attach (default 1 - ignored if using pd-ssd or pd-standard in which cases there's only 1 PD)
 30 | 
 31 | ### Getting Started
 32 | 
 33 | #### Requirements
 34 | * Terraform 0.12.20+
 35 | 
 36 | #### Setup working directory
 37 | 
 38 | 1. Copy placeholder vars file `variables.yaml` into new `terraform.tfvars` to hold your own settings.
 39 | 2. Update placeholder values in `terraform.tfvars` to correspond to your GCP environment and desired Splunk settings. See [list of input parameters](#configurable-parameters) above.
 40 | 3. Initialize Terraform working directory and download plugins by running `terraform init`.
 41 | 
 42 | #### Deploy Splunk Enterprise
 43 | 
 44 | ```shell
 45 | $ terraform plan
 46 | $ terraform apply
 47 | ```
 48 | 
 49 | #### Access Splunk Enterprise
 50 | 
 51 | Once Terraform completes:
 52 | 
 53 | 1. Confirm indexer cluster is configured correctly with all nodes up & running:
 54 |   * Navigate to `https://<splunk-cluster-master-public-ip>:8000/en-US/manager/system/clustering?tab=peers`
 55 | 
 56 | 2. Visit Splunk web
 57 |   * Navigate to `http://<splunk-shc-splunkweb-address>/`
 58 |   * Login with 'admin' user and the password you specified (`splunk_admin_password`)
 59 | 
 60 | 3. Send data to Splunk via Splunk Forwarders (Option A)
 61 |   * Point Splunk Forwarders to `https://<splunk-cluster-master-public-ip>:8089` to auto-discover indexers and forward data to indexer cluster directly. Configure forwarders with Splunk secret that you have specified (`splunk_indexer_discovery_secret`). Follow instructions [here](https://docs.splunk.com/Documentation/Splunk/7.2.6/Indexer/indexerdiscovery#3._Configure_the_forwarders) for more details.
 62 |  
 63 | 4. Send data to Splunk via HEC (Option B)
 64 |   * Send data to HEC load balancer `http://<splunk-idx-hecinput-address:8080`. Use HEC token returned by Terraform. Refer to docs [here](https://docs.splunk.com/Documentation/Splunk/7.2.6/Data/UsetheHTTPEventCollector#Example_of_sending_data_to_HEC_with_an_HTTP_request) for example of an HTTP request to Splunk HEC.
 65 | 
 66 | 
 67 | ### Cleanup
 68 | 
 69 | To delete resources created by Terraform, first type and confirm:
 70 | ``` shell
 71 | $ terraform destroy
 72 | ```
 73 | 
 74 | You also need to delete the indexers persistent disks since the indexer instance template is defined such that the disk is not auto-deleted when the instance is down or removed. This way, the auto-healing process by the instance group manager can re-attach the persistent disks to a new VM in the rare case where the indexer VM goes down or is unhealthy and needs to be recreated. You can run the following bash script which loops through all disks prefixed by 'splunk-idx' (per indexers instances names) and delete them one by one.  Note that deleting a disk is irreversible and any data on the disk will be lost.
 75 | 
 76 | ``` shell
 77 | #!/bin/bash
 78 | for diskInfo in $(gcloud compute disks list --filter="name ~ '^splunk-idx'" --format="csv[no-heading](name,zone.scope(),type,size_gb)")
 79 | do
 80 |   echo "diskInfo: $diskInfo"
 81 |   IFS=',' read -ra diskInfoArray<<< "$diskInfo"
 82 |   NAME="${diskInfoArray[0]}"
 83 |   ZONE="${diskInfoArray[1]}"
 84 |   #echo "NAME: ${NAME}, ZONE: ${ZONE}"; echo ""
 85 |   gcloud compute disks delete $NAME --zone $ZONE
 86 | done
 87 | ```
 88 | 
 89 | ### TODOs
 90 | 
 91 | * Create & use base image with Splunk binaries + basic system & user configs
 92 | * Make startup script (Splunk configuration) more modular
 93 | * Delete instance metadata startup-script upon boot
 94 | 
 95 | ### Authors
 96 | 
 97 | * **Roy Arsan** - [rarsan](https://github.com/rarsan)
 98 | * **Cuyler Dingwell** [c-dingwell](https://github.com/c-dingwell)
 99 | 
100 | ### Support
101 | 
102 | This is not an officially supported Google product. Terraform templates for Splunk Enterprise are developer and community-supported. Please don't hesitate to open an issue or pull request.
103 | 
104 | ### Copyright & License
105 | 
106 | Copyright 2019 Google LLC
107 | 
108 | Terraform templates for Splunk Enterprise are licensed under the Apache license, v2.0. Details can be found in [LICENSE](./LICENSE) file.
109 | 


--------------------------------------------------------------------------------
/compute.tf:
--------------------------------------------------------------------------------
  1 | # Copyright 2019 Google LLC
  2 | #
  3 | # Licensed under the Apache License, Version 2.0 (the "License");
  4 | # you may not use this file except in compliance with the License.
  5 | # You may obtain a copy of the License at
  6 | #
  7 | #     https://www.apache.org/licenses/LICENSE-2.0
  8 | #
  9 | # Unless required by applicable law or agreed to in writing, software
 10 | # distributed under the License is distributed on an "AS IS" BASIS,
 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | # See the License for the specific language governing permissions and
 13 | # limitations under the License.
 14 | 
 15 | 
 16 | ####
 17 | ## Cluster Master
 18 | ####
 19 | resource "google_compute_instance" "splunk_cluster_master" {
 20 |   name         = local.splunk_cluster_master_name
 21 |   machine_type = "n1-standard-4"
 22 |   zone = local.zone
 23 |   tags = ["splunk"]
 24 | 
 25 |   boot_disk {
 26 |     initialize_params {
 27 |       image = "ubuntu-os-cloud/ubuntu-1604-lts"
 28 |       type  = "pd-ssd"
 29 |       size  = "50"
 30 |     }
 31 |   }
 32 | 
 33 |   network_interface {
 34 |     network = var.create_network ? google_compute_network.vpc_network[0].self_link : var.splunk_network
 35 |     network_ip = google_compute_address.splunk_cluster_master_ip.address
 36 |     subnetwork = var.create_network ? google_compute_subnetwork.splunk_subnet[0].self_link : var.splunk_subnet
 37 | 
 38 |     access_config {
 39 |       # Ephemeral IP
 40 |     }
 41 |   }
 42 | 
 43 |   metadata = {
 44 |     startup-script = data.template_file.splunk_startup_script.rendered
 45 |     splunk-role    = "IDX-Master"
 46 |     enable-guest-attributes = "TRUE"
 47 |   }
 48 | 
 49 |   depends_on = [
 50 |     google_compute_firewall.allow_internal,
 51 |     google_compute_firewall.allow_ssh,
 52 |     google_compute_firewall.allow_splunk_web,
 53 |   ]
 54 | }
 55 | 
 56 | ####
 57 | ## Search Head Deployer
 58 | ####
 59 | resource "google_compute_instance" "splunk_deployer" {
 60 |   name         = "splunk-deployer"
 61 |   machine_type = "n1-standard-4"
 62 |   zone = local.zone
 63 | 
 64 |   tags = ["splunk"]
 65 | 
 66 |   boot_disk {
 67 |     initialize_params {
 68 |       image = "ubuntu-os-cloud/ubuntu-1604-lts"
 69 |       type  = "pd-ssd"
 70 |       size  = "50"
 71 |     }
 72 |   }
 73 | 
 74 |   network_interface {
 75 |     network = var.create_network ? google_compute_network.vpc_network[0].self_link : var.splunk_network
 76 |     network_ip = google_compute_address.splunk_deployer_ip.address
 77 |     subnetwork = var.create_network ? google_compute_subnetwork.splunk_subnet[0].self_link : var.splunk_subnet
 78 |     access_config {
 79 |       # Ephemeral IP
 80 |     }
 81 |   }
 82 | 
 83 |   metadata = {
 84 |     startup-script = data.template_file.splunk_startup_script.rendered
 85 |     splunk-role    = "SHC-Deployer"
 86 |     enable-guest-attributes = "TRUE"
 87 |   }
 88 | 
 89 |   depends_on = [
 90 |     google_compute_firewall.allow_internal,
 91 |     google_compute_firewall.allow_ssh,
 92 |     google_compute_firewall.allow_splunk_web,
 93 |   ]
 94 | }
 95 | 
 96 | ####
 97 | ## Indexers
 98 | ####
 99 | resource "google_compute_disk" "indexer-data-disk" {
100 |   # Don't create if using local ssd
101 |   count = var.idx_disk_type == "local-ssd" ? 0 : 1
102 |   name = "splunk-indexer-data"
103 |   size = var.idx_disk_size
104 |   type = var.idx_disk_type
105 |   zone = local.zone
106 | }
107 | 
108 | resource "google_compute_image" "indexer-data-disk-image" {
109 |   # Don't create if using local ssd
110 |   count = var.idx_disk_type == "local-ssd" ? 0 : 1
111 |   name = "splunk-indexer-data-image"
112 |   source_disk = google_compute_disk.indexer-data-disk[0].self_link
113 |   depends_on = [google_compute_disk.indexer-data-disk]
114 | }
115 | 
116 | # Indexer Template for Persistent Disk
117 | resource "google_compute_instance_template" "splunk_idx_template-pd" {
118 |   count = var.idx_disk_type != "local-ssd" ? 1 : 0
119 |   name_prefix  = "splunk-idx-template-"
120 |   machine_type = "n1-standard-4"
121 |   tags = ["splunk"]
122 | 
123 |   # boot disk
124 |   disk {
125 |     source_image = "ubuntu-os-cloud/ubuntu-1604-lts"
126 |     disk_type    = "pd-ssd"
127 |     disk_size_gb = "50"
128 |     auto_delete  = false
129 |     boot         = true
130 |   }
131 |   # data disk
132 |   disk {
133 |     source_image = google_compute_image.indexer-data-disk-image[0].name
134 |     disk_name = "splunk-db"
135 |     auto_delete = false
136 |     boot = false
137 |   }
138 |   network_interface {
139 |     network = var.create_network ? google_compute_network.vpc_network[0].self_link : var.splunk_network
140 |     subnetwork = var.create_network ? google_compute_subnetwork.splunk_subnet[0].self_link : var.splunk_subnet
141 |     access_config {
142 |       # Ephemeral IP
143 |     }
144 |   }
145 |   metadata = {
146 |     startup-script = data.template_file.splunk_startup_script.rendered
147 |     splunk-role    = "IDX-Peer"
148 |     enable-guest-attributes = "TRUE"
149 |   }
150 | 
151 |   lifecycle {
152 |     create_before_destroy = true
153 |   }
154 |   
155 |   depends_on = [google_compute_image.indexer-data-disk-image]
156 | }
157 | 
158 | # Indexer Template for Local SSD's
159 | resource "google_compute_instance_template" "splunk_idx_template-localssd" {
160 |   count = var.idx_disk_type == "local-ssd" ? 1 : 0
161 |   name_prefix  = "splunk-idx-template-"
162 |   machine_type = "n1-standard-4"
163 |   tags = ["splunk"]
164 |   # boot disk
165 |   disk {
166 |     source_image = "ubuntu-os-cloud/ubuntu-1604-lts"
167 |     disk_type    = "pd-ssd"
168 |     disk_size_gb = "50"
169 |     auto_delete = false
170 |     boot        = true
171 |   }
172 |   # Local SSD Block
173 |   dynamic "disk" {
174 |     for_each = range(var.idx_disk_count)
175 |     content {
176 |       disk_type = "local-ssd"
177 |       interface = "SCSI"
178 |       type = "SCRATCH"
179 |       disk_size_gb = 375
180 |     }
181 |   }
182 |   network_interface {
183 |     network = var.create_network ? google_compute_network.vpc_network[0].self_link : var.splunk_network
184 |     subnetwork = var.create_network ? google_compute_subnetwork.splunk_subnet[0].self_link : var.splunk_subnet
185 |     access_config {
186 |       # Ephemeral IP
187 |     }
188 |   }
189 |   metadata = {
190 |     startup-script = data.template_file.splunk_startup_script.rendered
191 |     splunk-role    = "IDX-Peer"
192 |     enable-guest-attributes = "TRUE"
193 |   }
194 | 
195 |   lifecycle {
196 |     create_before_destroy = true
197 |   }
198 | }
199 | 
200 | resource "google_compute_region_instance_group_manager" "indexer_cluster" {
201 |   provider           = google-beta
202 |   name               = "splunk-idx-mig"
203 |   region             = var.region
204 |   base_instance_name = "splunk-idx"
205 |   target_size        = var.splunk_idx_cluster_size
206 | 
207 |   version {
208 |     name              = "splunk-idx-mig-version-0"
209 |     instance_template = var.idx_disk_type == "local-ssd" ? google_compute_instance_template.splunk_idx_template-localssd[0].self_link : google_compute_instance_template.splunk_idx_template-pd[0].self_link
210 |   }
211 | 
212 |   named_port {
213 |     name = "splunkhec"
214 |     port = "8088"
215 |   }
216 | 
217 |   named_port {
218 |     name = "splunktcp"
219 |     port = "9997"
220 |   }
221 | 
222 |   auto_healing_policies {
223 |     health_check      = google_compute_health_check.splunk_idx.self_link
224 |     initial_delay_sec = 300
225 |   }
226 | 
227 |   depends_on = [google_compute_instance.splunk_cluster_master]
228 | }
229 | 
230 | ####
231 | ## Search Heads
232 | ####
233 | resource "google_compute_instance_template" "splunk_shc_template" {
234 |   name_prefix  = "splunk-shc-template-"
235 |   machine_type = "n1-standard-4"
236 | 
237 |   tags = ["splunk"]
238 | 
239 |   # boot disk
240 |   disk {
241 |     source_image = "ubuntu-os-cloud/ubuntu-1604-lts"
242 |     disk_type    = "pd-ssd"
243 |     disk_size_gb = "50"
244 |     boot         = "true"
245 |   }
246 | 
247 |   network_interface {
248 |     network = var.create_network ? google_compute_network.vpc_network[0].self_link : var.splunk_network
249 |     subnetwork = var.create_network ? google_compute_subnetwork.splunk_subnet[0].self_link : var.splunk_subnet
250 |     access_config {
251 |       # Ephemeral IP
252 |     }
253 |   }
254 | 
255 |   metadata = {
256 |     startup-script = data.template_file.splunk_startup_script.rendered
257 |     splunk-role    = "SHC-Member"
258 |     enable-guest-attributes = "TRUE"
259 |   }
260 | }
261 | 
262 | resource "google_compute_region_instance_group_manager" "search_head_cluster" {
263 |   provider           = google-beta
264 |   name               = "splunk-shc-mig"
265 |   region             = var.region
266 |   base_instance_name = "splunk-sh"
267 | 
268 |   target_size = var.splunk_sh_cluster_size
269 | 
270 |   version {
271 |     name              = "splunk-shc-mig-version-0"
272 |     instance_template = google_compute_instance_template.splunk_shc_template.self_link
273 |   }
274 | 
275 |   named_port {
276 |     name = "splunkweb"
277 |     port = "8000"
278 |   }
279 | 
280 |   depends_on = [
281 |     google_compute_instance.splunk_cluster_master,
282 |     google_compute_instance.splunk_deployer,
283 |     google_compute_instance_template.splunk_shc_template
284 |   ]
285 | }
286 | 
287 | 
288 | 


--------------------------------------------------------------------------------
/main.tf:
--------------------------------------------------------------------------------
 1 | # Copyright 2019 Google LLC
 2 | #
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | #
 7 | #     https://www.apache.org/licenses/LICENSE-2.0
 8 | #
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | terraform {
16 |   required_version = "~> 0.12.20"
17 |   experiments = [variable_validation]
18 | }
19 | 
20 | provider "google" {
21 |   project = var.project
22 |   region  = var.region
23 |   version = "~> 2.14"
24 | }
25 | 
26 | provider "google-beta" {
27 |   project = var.project
28 |   region  = var.region
29 |   version = "~> 2.14"
30 | }
31 | 
32 | locals {
33 |   splunk_package_name = "splunk-8.0.5-a1a6394cc5ae-Linux-x86_64.tgz"
34 |   splunk_package_url = "http://download.splunk.com/products/splunk/releases/8.0.5/linux/${local.splunk_package_name}"
35 |   splunk_cluster_master_name = "splunk-cm"
36 |   zone    = var.zone == "" ? data.google_compute_zones.available.names[0] : var.zone
37 | }
38 | 
39 | data "template_file" "splunk_startup_script" {
40 |   template = file(format("${path.module}/startup_script.sh.tpl"))
41 | 
42 |   vars = {
43 |     SPLUNK_PACKAGE_URL              = local.splunk_package_url
44 |     SPLUNK_PACKAGE_NAME             = local.splunk_package_name
45 |     SPLUNK_ADMIN_PASSWORD           = var.splunk_admin_password
46 |     SPLUNK_CLUSTER_SECRET           = var.splunk_cluster_secret
47 |     SPLUNK_INDEXER_DISCOVERY_SECRET = var.splunk_indexer_discovery_secret
48 |     SPLUNK_CM_PRIVATE_IP            = google_compute_address.splunk_cluster_master_ip.address
49 |     SPLUNK_DEPLOYER_PRIVATE_IP      = google_compute_address.splunk_deployer_ip.address
50 |   }
51 | 
52 |   depends_on = [
53 |     google_compute_address.splunk_cluster_master_ip,
54 |     google_compute_address.splunk_deployer_ip,
55 |   ]
56 | }
57 | 
58 | data "google_compute_zones" "available" {
59 |     region = var.region
60 | }
61 | 
62 | output "search_head_cluster_url" {
63 |   value = "http://${google_compute_global_address.search_head_cluster_address.address}"
64 | }
65 | 
66 | output "search_head_deployer_url" {
67 |   value = "http://${google_compute_instance.splunk_deployer.network_interface.0.access_config.0.nat_ip}:8000"
68 | }
69 | 
70 | output "indexer_cluster_master_url" {
71 |   value = "http://${google_compute_instance.splunk_cluster_master.network_interface.0.access_config.0.nat_ip}:8000"
72 | }
73 | 
74 | output "indexer_cluster_hec_url" {
75 |   value = "http://${google_compute_global_address.indexer_hec_input_address.address}:8080"
76 | }
77 | 
78 | output "indexer_cluster_hec_token" {
79 |   value = "${module.shell_output_token.stdout}"
80 | }


--------------------------------------------------------------------------------
/network.tf:
--------------------------------------------------------------------------------
  1 | # Copyright 2019 Google LLC
  2 | #
  3 | # Licensed under the Apache License, Version 2.0 (the "License");
  4 | # you may not use this file except in compliance with the License.
  5 | # You may obtain a copy of the License at
  6 | #
  7 | #     https://www.apache.org/licenses/LICENSE-2.0
  8 | #
  9 | # Unless required by applicable law or agreed to in writing, software
 10 | # distributed under the License is distributed on an "AS IS" BASIS,
 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | # See the License for the specific language governing permissions and
 13 | # limitations under the License.
 14 | 
 15 | ####
 16 | ## VPC
 17 | ####
 18 | resource "google_compute_network" "vpc_network" {
 19 |   count                   = var.create_network ? 1 : 0
 20 |   name                    = var.splunk_network
 21 |   auto_create_subnetworks = false
 22 | }
 23 | 
 24 | resource "google_compute_subnetwork" "splunk_subnet" {
 25 |   count         = var.create_network ? 1 : 0
 26 |   name          = var.splunk_subnet
 27 |   ip_cidr_range = var.splunk_subnet_cidr
 28 |   region        = var.region
 29 |   network       = google_compute_network.vpc_network[0].self_link
 30 | }
 31 | 
 32 | resource "google_compute_address" "splunk_cluster_master_ip" {
 33 |   name         = "splunk-cm-ip"
 34 |   address_type = "INTERNAL"
 35 |   subnetwork = var.create_network ? google_compute_subnetwork.splunk_subnet[0].self_link : var.splunk_subnet 
 36 | }
 37 | 
 38 | resource "google_compute_address" "splunk_deployer_ip" {
 39 |   name         = "splunk-deployer-ip"
 40 |   address_type = "INTERNAL"
 41 |   subnetwork   = var.create_network ? google_compute_subnetwork.splunk_subnet[0].self_link : var.splunk_subnet
 42 | }
 43 | 
 44 | resource "google_compute_global_forwarding_rule" "search_head_cluster_rule" {
 45 |   name       = "splunk-shc-splunkweb-rule"
 46 |   target     = google_compute_target_http_proxy.search_head_cluster_proxy.self_link
 47 |   ip_address = google_compute_global_address.search_head_cluster_address.address
 48 |   port_range = "80"
 49 | }
 50 | 
 51 | resource "google_compute_global_address" "search_head_cluster_address" {
 52 |   name = "splunk-shc-splunkweb-address"
 53 | }
 54 | 
 55 | resource "google_compute_target_http_proxy" "search_head_cluster_proxy" {
 56 |   name    = "splunk-shc-splunkweb-proxy"
 57 |   url_map = google_compute_url_map.search_head_cluster_url_map.self_link
 58 | }
 59 | 
 60 | resource "google_compute_url_map" "search_head_cluster_url_map" {
 61 |   name            = "splunk-shc-splunkweb-url-map"
 62 |   default_service = google_compute_backend_service.default.self_link
 63 | }
 64 | 
 65 | resource "google_compute_backend_service" "default" {
 66 |   name      = "shc-splunkweb"
 67 |   port_name = "splunkweb"
 68 |   protocol  = "HTTP"
 69 | 
 70 |   backend {
 71 |     group          = google_compute_region_instance_group_manager.search_head_cluster.instance_group
 72 |     balancing_mode = "UTILIZATION"
 73 |   }
 74 | 
 75 |   health_checks = [google_compute_health_check.default.self_link]
 76 | 
 77 |   session_affinity        = "GENERATED_COOKIE"
 78 |   affinity_cookie_ttl_sec = "86400"
 79 |   enable_cdn              = true
 80 | 
 81 |   connection_draining_timeout_sec = "300"
 82 | }
 83 | 
 84 | resource "google_compute_global_forwarding_rule" "indexer_hec_input_rule" {
 85 |   name       = "splunk-idx-hecinput-rule"
 86 |   target     = google_compute_target_http_proxy.indexer_hec_input_proxy.self_link
 87 |   ip_address = google_compute_global_address.indexer_hec_input_address.address
 88 |   port_range = "8080"
 89 | }
 90 | 
 91 | resource "google_compute_global_address" "indexer_hec_input_address" {
 92 |   name = "splunk-idx-hecinput-address"
 93 | }
 94 | 
 95 | resource "google_compute_target_http_proxy" "indexer_hec_input_proxy" {
 96 |   name    = "splunk-idx-hecinput-proxy"
 97 |   url_map = google_compute_url_map.indexer_hec_input_url_map.self_link
 98 | }
 99 | 
100 | resource "google_compute_url_map" "indexer_hec_input_url_map" {
101 |   name            = "splunk-idx-hecinput-url-map"
102 |   default_service = google_compute_backend_service.splunk_hec.self_link
103 | }
104 | 
105 | resource "google_compute_backend_service" "splunk_hec" {
106 |   name      = "idx-splunk-hec"
107 |   port_name = "splunkhec"
108 |   protocol  = "HTTPS"
109 |   backend {
110 |     group          = google_compute_region_instance_group_manager.indexer_cluster.instance_group
111 |     balancing_mode = "UTILIZATION"
112 |   }
113 |   health_checks = [google_compute_health_check.splunk_hec.self_link]
114 |   connection_draining_timeout_sec = "300"
115 | }
116 | 
117 | ####
118 | ## Firewall Rules
119 | ####
120 | resource "google_compute_firewall" "allow_internal" {
121 |   name    = "splunk-network-allow-internal"
122 |   network = var.create_network ? google_compute_network.vpc_network[0].name : var.splunk_network
123 | 
124 |   allow {
125 |     protocol = "tcp"
126 |   }
127 |   allow {
128 |     protocol = "udp"
129 |   }
130 |   allow {
131 |     protocol = "icmp"
132 |   }
133 | 
134 |   source_tags = ["splunk"]
135 |   target_tags = ["splunk"]
136 | }
137 | 
138 | resource "google_compute_firewall" "allow_health_checks" {
139 |   name    = "splunk-network-allow-health-checks"
140 |   network = var.create_network ? google_compute_network.vpc_network[0].name : var.splunk_network
141 | 
142 |   allow {
143 |     protocol = "tcp"
144 |     ports    = ["8089", "8088"]
145 |   }
146 | 
147 |   source_ranges = ["35.191.0.0/16", "130.211.0.0/22"]
148 |   target_tags   = ["splunk"]
149 | }
150 | 
151 | resource "google_compute_firewall" "allow_ssh" {
152 |   name    = "splunk-network-allow-ssh"
153 |   network = var.create_network ? google_compute_network.vpc_network[0].name : var.splunk_network
154 | 
155 |   allow {
156 |     protocol = "tcp"
157 |     ports    = ["22"]
158 |   }
159 | 
160 |   target_tags = ["splunk"]
161 | }
162 | 
163 | resource "google_compute_firewall" "allow_splunk_web" {
164 |   name    = "splunk-network-allow-web"
165 |   network = var.create_network ? google_compute_network.vpc_network[0].name : var.splunk_network
166 | 
167 |   allow {
168 |     protocol = "tcp"
169 |     ports    = ["8000"]
170 |   }
171 | 
172 |   target_tags = ["splunk"]
173 | }
174 | 
175 | ####
176 | ## Health Checks
177 | ####
178 | resource "google_compute_health_check" "default" {
179 |   name                = "shc-mgmt-port-health-check"
180 |   check_interval_sec  = 15
181 |   timeout_sec         = 5
182 |   healthy_threshold   = 2
183 |   unhealthy_threshold = 3
184 | 
185 |   tcp_health_check {
186 |     port = "8089"
187 |   }
188 | 
189 |   depends_on = [google_compute_firewall.allow_health_checks]
190 | }
191 | 
192 | resource "google_compute_health_check" "splunk_hec" {
193 |   name                = "idx-hec-port-health-check"
194 |   check_interval_sec  = 15
195 |   timeout_sec         = 5
196 |   healthy_threshold   = 2
197 |   unhealthy_threshold = 3
198 | 
199 |   https_health_check {
200 |     request_path = "/services/collector/health"
201 |     port         = "8088"
202 |   }
203 | 
204 |   depends_on = [google_compute_firewall.allow_health_checks]
205 | }
206 | 
207 | resource "google_compute_health_check" "splunk_idx" {
208 |   name                = "idx-mgmt-port-health-check"
209 |   check_interval_sec  = 30
210 |   timeout_sec         = 10
211 |   healthy_threshold   = 2
212 |   unhealthy_threshold = 4 # 2 minutes
213 | 
214 |   https_health_check {
215 |     request_path = "/"
216 |     port         = "8089"
217 |   }
218 | 
219 |   depends_on = [google_compute_firewall.allow_health_checks]
220 | }
221 | 
222 | 


--------------------------------------------------------------------------------
/scripts.tf:
--------------------------------------------------------------------------------
 1 | 
 2 | ####
 3 | ## Local Scripts
 4 | ####
 5 | 
 6 | # Continuously check for HEC token for output
 7 | module "shell_output_token" {
 8 |   source = "matti/resource/shell"
 9 |   version = "0.12.0"
10 |   command =  <<CMD
11 | sleep 10
12 | until \
13 | token=`gcloud compute instances get-guest-attributes ${local.splunk_cluster_master_name} --zone ${local.zone} --query-path=splunk/token --format="value(VALUE)" --quiet 2> /dev/null`
14 | do sleep 10
15 | done
16 | echo $token
17 | CMD
18 | }
19 | 
20 | # Wait until successful install then remove startup-script from instance metadata
21 | # Note, doesn't remove from instance template
22 | module "shell_output_install_progress" {
23 |   source = "matti/resource/shell"
24 |   version = "0.12.0"
25 |   command = <<CMD
26 | sleep 30
27 | until gcloud compute instances list --format="value(name,zone)" --filter="metadata['items']['key']=splunk-role" | sort |  \
28 | awk '
29 | BEGIN {r=0;h="";t="";c=0}
30 | {
31 | cmd = "gcloud compute instances get-guest-attributes "$1" --zone "$2" --query-path=splunk/install --format=\"value(VALUE)\" 2> /dev/null"
32 | rv=""
33 | rs=""
34 | cmd | getline rv
35 | cmd = "gcloud compute instances get-guest-attributes "$1" --zone "$2" --query-path=splunk/install-status --format=\"value(VALUE)\" 2> /dev/null"
36 | cmd | getline rs
37 | if (rv == "") { rv = "booting" }
38 | if (rv != "complete") { r = 1; h = h" "$1 }
39 | t=sprintf("%s\n %-25s %-14s %s",t,$1,rv,rs)
40 | c=c+1
41 | }
42 | END {
43 | print "Install progress:"t
44 | if (c == 0) { r=1; }
45 | if (h != "" && c!=0) {
46 |   print "Still installing on hosts: "h
47 | }
48 | exit r
49 | }'
50 | do sleep 15
51 | done
52 | echo "All hosts completed install, now removing metadata from hosts"
53 | gcloud compute instances list --format="value(name,zone)" --filter="metadata['items']['key']=splunk-role" | \
54 | awk '{system("gcloud compute instances remove-metadata "$1" --zone "$2" --keys startup-script --quiet")}'
55 | CMD
56 | }


--------------------------------------------------------------------------------
/splunk-on-gcp-diagram.png:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/GoogleCloudPlatform/terraform-google-splunk-enterprise/70e0eff0796244d1dfec2c2a5f12b544786d64e9/splunk-on-gcp-diagram.png


--------------------------------------------------------------------------------
/startup_script.sh.tpl:
--------------------------------------------------------------------------------
  1 | #!/bin/bash
  2 | #
  3 | # Copyright 2019 Google LLC
  4 | # 
  5 | # Licensed under the Apache License, Version 2.0 (the "License");
  6 | # you may not use this file except in compliance with the License.
  7 | # You may obtain a copy of the License at
  8 | # 
  9 | #     https://www.apache.org/licenses/LICENSE-2.0
 10 | # 
 11 | # Unless required by applicable law or agreed to in writing, software
 12 | # distributed under the License is distributed on an "AS IS" BASIS,
 13 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 14 | # See the License for the specific language governing permissions and
 15 | # limitations under the License.
 16 | 
 17 | set -e
 18 | set -x
 19 | 
 20 | log() { 
 21 |   echo "`date`: $1"; 
 22 |   curl -X PUT --data "$1" http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/splunk/install-status -H "Metadata-Flavor: Google"
 23 | }
 24 | 
 25 | export SPLUNK_USER=splunk
 26 | export SPLUNK_BIN=/opt/splunk/bin/splunk
 27 | export SPLUNK_HOME=/opt/splunk
 28 | export SPLUNK_DB_MNT_DIR=/mnt/splunk_db
 29 | export SPLUNK_ROLE="$(curl http://metadata.google.internal/computeMetadata/v1/instance/attributes/splunk-role -H "Metadata-Flavor: Google")"
 30 | export LOCAL_IP="$(curl http://metadata.google.internal/computeMetadata/v1/instance/network-interfaces/0/ip -H "Metadata-Flavor: Google")"
 31 | 
 32 | curl -X PUT --data "in-progress" http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/splunk/install -H "Metadata-Flavor: Google"
 33 | 
 34 | # Determine if this is first-time boot of a new VM as opposed to a VM restart (or a VM recreate from MIG auto-healer).
 35 | # In the latter cases, no additional configuration is needed, and just exit startup script.
 36 | # Note: the exception here is MIG-recreated VMs with local SSDs as data disks. Unlike re-attached preserved PD,
 37 | # the SSDs disks are recreated and need to be re-formatted and re-striped. TODO: add that logic below.
 38 | # More info: https://cloud.google.com/compute/docs/instance-groups/autohealing-instances-in-migs#autohealing_and_disks
 39 | if [[ -d "$SPLUNK_HOME" ]]; then
 40 |   log "Splunk installation found. Skipping node configuration."
 41 |   exit 0
 42 | fi 
 43 | 
 44 | log "Downloading and installing Splunk..."
 45 | # Download & install Splunk Enterprise
 46 | wget -O ${SPLUNK_PACKAGE_NAME} "${SPLUNK_PACKAGE_URL}"
 47 | tar zxf ${SPLUNK_PACKAGE_NAME}
 48 | mv splunk $SPLUNK_HOME
 49 | rm ${SPLUNK_PACKAGE_NAME}
 50 | 
 51 | log "Creating Splunk system user..."
 52 | # Create Splunk system user, and set directory permissions
 53 | if ! id $SPLUNK_USER >/dev/null 2>&1; then
 54 |   useradd -r -m -s /bin/bash -U $SPLUNK_USER
 55 | fi
 56 | chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME
 57 | 
 58 | log "Configuring data disks (if any)..."
 59 | export DATA_DISKS=`ls /dev/sd* | egrep -v '^/dev/sda[0-9]*'`
 60 | declare OVERRIDE_SPLUNK_DB_LOCATION=0
 61 | 
 62 | # If Data PD attached, format+mount it and override SPLUNK_DB location
 63 | if [[ -h /dev/disk/by-id/google-persistent-disk-1 ]]; then
 64 |   log "Mountaing data PD for Splunk DB"
 65 |   DATA_DISK=$(readlink /dev/disk/by-id/google-persistent-disk-1)
 66 |   DATA_DISK_ID=$(basename $DATA_DISK)
 67 |   # Confirm this is first boot based on data mount point existence
 68 |   if [[ ! -e $SPLUNK_DB_MNT_DIR ]]; then
 69 |     mkfs.ext4 -m 0 -E lazy_itable_init=0,lazy_journal_init=0,discard /dev/$DATA_DISK_ID
 70 |     mkdir -p $SPLUNK_DB_MNT_DIR
 71 |     mount -o discard,defaults /dev/$DATA_DISK_ID $SPLUNK_DB_MNT_DIR
 72 |     OVERRIDE_SPLUNK_DB_LOCATION=1
 73 |   fi
 74 | # If Local SSDs attached (in SCSI mode), format+stripe+mount them and override SPLUNK_DB location
 75 | elif [[ $DATA_DISKS != "" ]]; then
 76 |   DATA_DISKS_CNT=$(echo $DATA_DISKS | tr ' ' '\n' | wc -l)
 77 |   DATA_DISK_ID='md0'
 78 |   # Confirm this is first boot based on data mount point existence
 79 |   if [[ ! -e $SPLUNK_DB_MNT_DIR ]]; then
 80 |     # Stripe local SSDs into single RAID0 array
 81 |     mdadm --create /dev/$DATA_DISK_ID --level=0 --raid-devices=$DATA_DISKS_CNT $DATA_DISKS
 82 |     # Format full array
 83 |     mkfs.ext4 -F /dev/$DATA_DISK_ID
 84 |     mkdir -p $SPLUNK_DB_MNT_DIR
 85 |     mount -o discard,defaults,nobarrier /dev/$DATA_DISK_ID $SPLUNK_DB_MNT_DIR
 86 |     OVERRIDE_SPLUNK_DB_LOCATION=1
 87 |   fi
 88 | fi
 89 | 
 90 | # Set Splunk DB location
 91 | if [[ $OVERRIDE_SPLUNK_DB_LOCATION -eq 1 ]]; then
 92 |   # Grant access to Splunk system user
 93 |   chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_DB_MNT_DIR
 94 |   # Persist mount in fstab for instance restarts
 95 |   echo UUID=$(blkid -s UUID -o value /dev/$DATA_DISK_ID) $SPLUNK_DB_MNT_DIR ext4 discard,defaults,nofail 0 2 | tee -a /etc/fstab
 96 | 
 97 |   # Point SPLUNK_DB to data disk mount directory 
 98 |   cp $SPLUNK_HOME/etc/splunk-launch.conf.default $SPLUNK_HOME/etc/splunk-launch.conf
 99 |   sed -i "/SPLUNK_DB/c\SPLUNK_DB=$SPLUNK_DB_MNT_DIR" $SPLUNK_HOME/etc/splunk-launch.conf
100 |   chown $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/splunk-launch.conf
101 | fi
102 | 
103 | log "Configuring Splunk installation..."
104 | # Work around for having to pass admin pass
105 | cd ~
106 | mkdir .splunk
107 | chmod 777 -R .splunk
108 | touch .splunk/authToken_hostname_port
109 | chmod 600 .splunk/authToken_hostname_port
110 | cd $SPLUNK_HOME
111 | 
112 | # Set Splunk admin password and disable first-time run password prompt
113 | cat >>$SPLUNK_HOME/etc/system/local/user-seed.conf <<end
114 | [user_info]
115 | USERNAME = admin
116 | PASSWORD = ${SPLUNK_ADMIN_PASSWORD}
117 | end
118 | touch $SPLUNK_HOME/etc/.ui_login
119 | 
120 | # Configure systemd to start Splunk at boot
121 | cd /opt/splunk
122 | bin/splunk enable boot-start -user $SPLUNK_USER --accept-license -systemd-managed 0
123 | 
124 | # Configure Splunk before starting service
125 | # Increase splunkweb connection timeout with splunkd
126 | mkdir -p $SPLUNK_HOME/etc/apps/base-autogenerated/local
127 | cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/web.conf <<end
128 | [settings]
129 | splunkdConnectionTimeout = 300
130 | end
131 | 
132 | chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated
133 | 
134 | log "Starting Splunk Service..."
135 | # Start Splunk service
136 | sudo /etc/init.d/splunk start
137 | 
138 | # Allow for Splunk start-up time
139 | sleep 10
140 | 
141 | if [ $SPLUNK_ROLE = "IDX-Master" ]; then
142 | log "Cluster Master configuration"
143 | 
144 | # Change default to HTTPS on the web interface
145 | # cat >>$SPLUNK_HOME/etc/system/local/web.conf <<end
146 | # [settings]
147 | # enableSplunkWebSSL = 1
148 | # end
149 | 
150 | # Forward to indexer cluster using indexer discovery
151 | cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <<end
152 | # Turn off indexing
153 | [indexAndForward]
154 | index = false
155 | 
156 | [tcpout]
157 | defaultGroup = indexer_cluster_peers
158 | forwardedindex.filter.disable = true
159 | indexAndForward = false
160 | 
161 | [tcpout:indexer_cluster_peers]
162 | indexerDiscovery = cluster_master
163 | 
164 | [indexer_discovery:cluster_master]
165 | pass4SymmKey = ${SPLUNK_INDEXER_DISCOVERY_SECRET}
166 | master_uri = https://127.0.0.1:8089
167 | end
168 | 
169 | chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated
170 | 
171 | sudo -u $SPLUNK_USER $SPLUNK_BIN login -auth admin:'${SPLUNK_ADMIN_PASSWORD}'
172 | sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode master -replication_factor 3 -search_factor 2 -secret '${SPLUNK_CLUSTER_SECRET}' -cluster_label Splunk-IDX
173 | 
174 | # Configure indexer discovery - pass4SymmKey doesn't get hashed
175 | cat >>$SPLUNK_HOME/etc/system/local/server.conf <<end
176 | 
177 | [indexer_discovery]
178 | pass4SymmKey = ${SPLUNK_INDEXER_DISCOVERY_SECRET}
179 | indexerWeightByDiskCapacity = true
180 | end
181 | 
182 | chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/system/local/server.conf
183 | 
184 | # Add base configs for peer nodes as an app under master-apps
185 | # Peer config 1: Enable HEC input
186 | sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector enable -uri https://localhost:8089 -auth admin:'${SPLUNK_ADMIN_PASSWORD}'
187 | sudo -u $SPLUNK_USER $SPLUNK_BIN http-event-collector create default-token -uri https://localhost:8089 -auth admin:'${SPLUNK_ADMIN_PASSWORD}' > /tmp/token
188 | TOKEN=`sed -n 's/\\ttoken=//p' /tmp/token`
189 | rm /tmp/token
190 | log "Setting HEC Token as guest attribute"
191 | curl -X PUT --data "$TOKEN" http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/splunk/token -H "Metadata-Flavor: Google"
192 | 
193 | mkdir -p $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local
194 | mv $SPLUNK_HOME/etc/apps/splunk_httpinput/local/inputs.conf $SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local
195 | # Peer config 2: Enable splunktcp input
196 | cat >>$SPLUNK_HOME/etc/master-apps/peer-base-autogenerated/local/inputs.conf <<end
197 | 
198 | [splunktcp://9997]
199 | disabled=0
200 | end
201 | 
202 | chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/master-apps
203 | 
204 | else
205 | # Link up with License Master
206 | # TODO: Add following when enterprise license installed on cluster master
207 | #sudo -u $SPLUNK_USER $SPLUNK_BIN edit licenser-localslave -master_uri https://${SPLUNK_CM_PRIVATE_IP}:8089 -auth admin:'${SPLUNK_ADMIN_PASSWORD}'
208 | log "Skip license master link up" 
209 | fi
210 | 
211 | if [ $SPLUNK_ROLE = "SHC-Deployer" ]; then
212 | log "Deployer configurations"
213 | 
214 | # Change default to HTTPS on the web interface
215 | # cat >>$SPLUNK_HOME/etc/system/local/web.conf <<end
216 | # [settings]
217 | # enableSplunkWebSSL = 1
218 | # end
219 | 
220 | # Configure some SHC parameters
221 | cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/server.conf <<end
222 | 
223 | [shclustering]
224 | pass4SymmKey = ${SPLUNK_CLUSTER_SECRET}
225 | shcluster_label = SplunkSHC
226 | end
227 | 
228 | # Forward to indexer cluster using indexer discovery
229 | cat >>$SPLUNK_HOME/etc/apps/base-autogenerated/local/outputs.conf <<end
230 | # Turn off indexing on the search head
231 | [indexAndForward]
232 | index = false
233 | 
234 | [tcpout]
235 | defaultGroup = indexer_cluster_peers
236 | forwardedindex.filter.disable = true
237 | indexAndForward = false
238 | 
239 | [tcpout:indexer_cluster_peers]
240 | indexerDiscovery = cluster_master
241 | 
242 | [indexer_discovery:cluster_master]
243 | pass4SymmKey = ${SPLUNK_INDEXER_DISCOVERY_SECRET}
244 | master_uri = https://${SPLUNK_CM_PRIVATE_IP}:8089
245 | end
246 | 
247 | chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/apps/base-autogenerated
248 | 
249 | # Add base config for search head cluster members
250 | mkdir -p $SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local
251 | cat >>$SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated/local/outputs.conf <<end
252 | # Turn off indexing on the search head
253 | [indexAndForward]
254 | index = false
255 | 
256 | [tcpout]
257 | defaultGroup = indexer_cluster_peers
258 | forwardedindex.filter.disable = true
259 | indexAndForward = false
260 | 
261 | [tcpout:indexer_cluster_peers]
262 | indexerDiscovery = cluster_master
263 | 
264 | [indexer_discovery:cluster_master]
265 | pass4SymmKey = ${SPLUNK_INDEXER_DISCOVERY_SECRET}
266 | master_uri = https://${SPLUNK_CM_PRIVATE_IP}:8089
267 | end
268 | 
269 | chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/shcluster/apps/member-base-autogenerated
270 | 
271 | sudo -u $SPLUNK_USER $SPLUNK_BIN apply shcluster-bundle -action stage --answer-yes -auth admin:'${SPLUNK_ADMIN_PASSWORD}'
272 | # TODO: send bundle after SHC is initialized with captain bootstrapped
273 | 
274 | 
275 | elif [ $SPLUNK_ROLE = "SHC-Member" ]; then
276 |   log "Search Head Member configurations"
277 |   # Configure some SHC parameters
278 |   cat >>$SPLUNK_HOME/etc/system/local/server.conf <<end
279 | [shclustering]
280 | register_replication_address = $LOCAL_IP
281 | end
282 |   chown -R $SPLUNK_USER:$SPLUNK_USER $SPLUNK_HOME/etc/system/local
283 |   log "Setting cluster config and connecting to master"
284 |   # Sometimes the master is restarting at the same time, retry up to 5 times
285 |   command="sudo -u $SPLUNK_USER $SPLUNK_BIN login -auth admin:'${SPLUNK_ADMIN_PASSWORD}' && \
286 |   sudo -u $SPLUNK_USER $SPLUNK_BIN init shcluster-config -mgmt_uri https://$LOCAL_IP:8089 -replication_port 8090 -replication_factor 2 -conf_deploy_fetch_url https://${SPLUNK_DEPLOYER_PRIVATE_IP}:8089 -shcluster_label Splunk-SHC -secret '${SPLUNK_CLUSTER_SECRET}' && \
287 |   sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode searchhead -master_uri https://${SPLUNK_CM_PRIVATE_IP}:8089 -secret '${SPLUNK_CLUSTER_SECRET}'"
288 |   count=1;until eval $command || (( $count >= 5 )); do sleep 10; count=$((count + 1)); done
289 | elif [ $SPLUNK_ROLE = "IDX-Peer" ]; then
290 | 
291 | log "Setting cluster config and connecting to master"
292 | # Sometimes the master is restarting at the same time, retry up to 5 times
293 | command="sudo -u $SPLUNK_USER $SPLUNK_BIN login -auth admin:'${SPLUNK_ADMIN_PASSWORD}' && \
294 | sudo -u $SPLUNK_USER $SPLUNK_BIN edit cluster-config -mode slave -master_uri https://${SPLUNK_CM_PRIVATE_IP}:8089 -replication_port 9887 -secret '${SPLUNK_CLUSTER_SECRET}'"
295 | count=1;until eval $command || (( $count >= 5 )); do sleep 10; count=$((count + 1)); done
296 | 
297 | # Override Splunk server name of peer node by adding a random number from 0 to 999 as suffix to hostname
298 | SUFFIX=$(cat /dev/urandom | tr -dc '0-9' | fold -w 256 | head -n 1 | sed -e 's/^0*//' | head --bytes 3)
299 | if [ "$SUFFIX" == "" ]; then SUFFIX=0; fi
300 | sudo -u $SPLUNK_USER $SPLUNK_BIN set servername $(hostname)-$SUFFIX
301 | 
302 | fi
303 | 
304 | # Removing temporary permissive .splunk directory
305 | cd ~
306 | rm -Rf .splunk
307 | 
308 | log "Final restart of services"
309 | # Start Splunk service - changed with 8.0.0 - sometimes it gets an error connecting to it's local web server
310 | command="/etc/init.d/splunk restart"
311 | count=1;until eval $command || (( $count >= 5 )); do sleep 10; count=$((count + 1)); done
312 | 
313 | # Add guest attribute indicating the install process has successfully completed
314 | curl -X PUT --data "complete" http://metadata.google.internal/computeMetadata/v1/instance/guest-attributes/splunk/install -H "Metadata-Flavor: Google"
315 | log "Finished setup on $HOSTNAME with role $SPLUNK_ROLE"
316 | 
317 | exit 0
318 | 


--------------------------------------------------------------------------------
/variables.tf:
--------------------------------------------------------------------------------
  1 | # Copyright 2019 Google LLC
  2 | # 
  3 | # Licensed under the Apache License, Version 2.0 (the "License");
  4 | # you may not use this file except in compliance with the License.
  5 | # You may obtain a copy of the License at
  6 | # 
  7 | #     https://www.apache.org/licenses/LICENSE-2.0
  8 | # 
  9 | # Unless required by applicable law or agreed to in writing, software
 10 | # distributed under the License is distributed on an "AS IS" BASIS,
 11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 12 | # See the License for the specific language governing permissions and
 13 | # limitations under the License.
 14 | variable "project" {
 15 |   description = "Project for Splunk deployment"
 16 | }
 17 | 
 18 | variable "region" {
 19 |   description = "Region to deploy to"
 20 | }
 21 | 
 22 | variable "zone" {
 23 |   description = "Zone to deploy master and deployer into"
 24 |   default = ""
 25 | }
 26 | 
 27 | variable "splunk_idx_cluster_size" {
 28 |   description = "Number of nodes in Splunk indexer cluster"
 29 |   default     = 3
 30 | }
 31 | 
 32 | variable "splunk_sh_cluster_size" {
 33 |   description = "Number of nodes in Splunk search head cluster"
 34 |   default     = 3
 35 | }
 36 | 
 37 | variable "splunk_admin_password" {
 38 |   description = "Splunk admin password"
 39 | 
 40 |    validation {
 41 |      condition = !can(regex("[$()']", var.splunk_admin_password))
 42 |      error_message = "Admin password cannot contain any of the following illegal characters: ' ( ) $."
 43 |    }
 44 | }
 45 | 
 46 | variable "splunk_cluster_secret" {
 47 |   description = "Splunk cluster secret"
 48 | 
 49 |   validation {
 50 |     condition = !can(regex("[$()']", var.splunk_cluster_secret))
 51 |     error_message = "Cluster secret cannot contain any of the following illegal characters: ' ( ) $."
 52 |   }
 53 | }
 54 | 
 55 | variable "splunk_indexer_discovery_secret" {
 56 |   description = "Splunk indexer discovery secret"
 57 | 
 58 |   validation {
 59 |     condition = !can(regex("[$()']", var.splunk_indexer_discovery_secret))
 60 |     error_message = "Indexer discovery secret cannot contain any of the following illegal characters: ' ( ) $."
 61 |   }
 62 | }
 63 | 
 64 | variable "splunk_network" {
 65 |   description = "Network to attach Splunk nodes to"
 66 |   default = "splunk-network"
 67 | }
 68 | 
 69 | 
 70 | variable "splunk_subnet" {
 71 |   description = "Subnet to attach Splunk nodes to"
 72 |   default = "splunk-subnet"
 73 | }
 74 | 
 75 | variable "splunk_subnet_cidr" {
 76 |   description = "Subnet CIDR to attach Splunk nodes to"
 77 |   default = "192.168.0.0/16"
 78 | }
 79 | 
 80 | variable "create_network" {
 81 |   description = "Create Splunk Network (true or false)"
 82 |   type = bool
 83 |   default = true
 84 | }
 85 | 
 86 | 
 87 | variable "idx_disk_type" {
 88 |   description = "Disk type to use for data volume on indexers.  Can be local-ssd, pd-ssd or pd-standard"
 89 |   type = string
 90 |   default = "pd-ssd"
 91 | }
 92 | 
 93 | variable "idx_disk_size" {
 94 |   description = "Default disk size for persistent disk data volumes (if not using local-ssd)"
 95 |   type = number
 96 |   default = 100
 97 | }
 98 | 
 99 | # Only used for Local SSD's
100 | variable "idx_disk_count" {
101 |   description = "Number of disks to attach if using local-ssd (each volume 375 GB)"
102 |   type = number
103 |   default = 1
104 | }
105 | 


--------------------------------------------------------------------------------
/variables.yaml:
--------------------------------------------------------------------------------
 1 | # Copyright 2019 Google LLC
 2 | # 
 3 | # Licensed under the Apache License, Version 2.0 (the "License");
 4 | # you may not use this file except in compliance with the License.
 5 | # You may obtain a copy of the License at
 6 | # 
 7 | #     https://www.apache.org/licenses/LICENSE-2.0
 8 | # 
 9 | # Unless required by applicable law or agreed to in writing, software
10 | # distributed under the License is distributed on an "AS IS" BASIS,
11 | # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 | # See the License for the specific language governing permissions and
13 | # limitations under the License.
14 | 
15 | project = "ENTER_PROJECT_HERE"
16 | region = "ENTER_REGION_HERE"
17 | zone = "ENTER_ZONE_HERE"
18 | splunk_idx_cluster_size = "ENTER_SPLUNK_INDEXER_CLUSTER_SIZE_HERE"
19 | splunk_sh_cluster_size = "ENTER_SPLUNK_SEARCH_HEAD_CLUSTER_SIZE_HERE"
20 | splunk_admin_password = "ENTER_SPLUNK_ADMIN_PASSWORD_HERE"
21 | splunk_cluster_secret = "ENTER_SPLUNK_CLUSTER_SECRET_HERE"
22 | splunk_indexer_discovery_secret = "ENTER_INDEXER_DISCOVERY_SECRET_HERE"
23 | splunk_network = "ENTER_SPLUNK_NETWORK_HERE"
24 | splunk_subnet = "ENTER_SPLUNK_SUBNETWORK_HERE"
25 | splunk_subnet_cidr = "ENTER_SPLUNK_SUBNET_CIDR_HERE"
26 | create_network = "SET_TO_CREATE_SPLUNK_NETWORK"
27 | idx_disk_type = "ENTER_DISK_TYPE_HERE"
28 | idx_disk_size = "ENTER_DISK_SIZE_HERE"
29 | idx_disk_count = "ENTER_DISK_COUNT_IF_LOCAL_SSD_HERE"
30 | 


--------------------------------------------------------------------------------