Creating the Cloud Resolver configuration file - BlueCat Cloud Resolver - 1.4.1

BlueCat Cloud Resolver Administration Guide

Locale: English. Product name: BlueCat Cloud Resolver. Version: 1.4.1.

Once you have installed Cloud Resolver on the host machine, you must create the configuration file that specifies what information is pulled from the cloud environment and how Cloud Resolver connects to it.

To create the configuration file:
  1. Log in to the host instance using SSH.
  2. Navigate to the /etc/cloud-resolver/ directory.
  3. Create a new file called cloud-resolver.conf.
  4. Edit the cloud-resolver.conf configuration file and add the necessary values listed in Configuration parameters.
  5. Once you have added the necessary configuration parameters to the configuration file, restart Cloud Resolver using the following command:
    sudo systemctl restart cloud-resolver.service

Configuration parameters

When configuring Cloud Resolver, you can define the following environment variables within the cloud-resolver.conf file. Each parameter is listed with whether it is required or optional, whether it applies to AWS only, to Azure only, or to both providers (Common), and its default value, followed by its description.
Attention: Configuration parameters that are required and have default values do not need to be entered in the cloud-resolver.conf file unless you are modifying the default value.

CRS_IAM_ROLE (Optional, AWS-only; default value: None)
  The IAM role to assume.
  Note: This is only required for STS authentication.

CRS_EXTERNAL_ID (Optional, AWS-only; default value: None)
  The role external_id to use when assuming the CRS_IAM_ROLE.
  Note: This is only required for STS authentication.

AWS_REGION (Required, AWS-only; default value: None)
  The AWS region for which Cloud Resolver retrieves DNS zone information.

CRS_VPC_ID (Required, AWS-only; default value: None)
  The VPC ID of Cloud Resolver.

AWS_CONFIG_FILE (Optional, AWS-only; default value: None)
  The location of the AWS configuration file. If this value is not configured, the standard AWS locations are used.

AWS_PROFILE (Optional, AWS-only; default value: None)
  The AWS profile name.

CRS_REMOTE_ACCOUNTS (Optional, AWS-only; default value: None)
  A JSON list of additional AWS accounts for discovery and resolution. The primary account for Cloud Resolver must have permission to call STS AssumeRole for the remote role. Discovery in a remote account covers only the current region.
  The list must be in the following format:
  [
      {
          "account": <account_name>,
          "role_asn": <role_asn>,
          "role_session_name": <value>
      }
      ...
  ]

CRS_REMOTE_TENANTS (Optional, Azure-only; default value: None)
  A JSON list of additional Azure tenants for discovery and resolution.
  Cloud Resolver uses the OAuth 2.0 client credentials flow to authenticate as a Service Principal in remote tenants with a client secret. The client secret should be stored in either an Azure Vault Secret or HashiCorp Vault. The client secret can also be passed as an environment variable; however, BlueCat recommends using a vault to store the client secret in production environments.
  The list must be in the following format:
  [
      {
          "tenant_id": <tenant_id>,
          "client_id": <client_id>,
          "client_secret_url": <value>,
          "azure_cloud": <value>
      }
      ...
  ]
  Note:
  • The client_secret_url must be a valid URL to an Azure Vault Secret in the local tenant that contains the client secret Cloud Resolver uses for the remote tenant. If you are using HashiCorp Vault, the value must be the key name under which the tenant's secret is stored.
  • The azure_cloud must be one of the following values:
    • AzureCloud: Azure public, commercial cloud. This is the default value.
    • AzureUsGovernmentCloud: Azure US Government Cloud.
    • AzureChinaCloud: Azure China Cloud.

CRS_CLOUD_PROVIDER (Required, Common; default value: None)
  The cloud environment from which Cloud Resolver retrieves DNS information. The value can be aws or azure.

CRS_EDGE_API_KEY (Required, Common; default value: None)
  The API key of the Edge user that Cloud Resolver will use to add new DNS zones to the domain list.

CRS_EDGE_SECRET_KEY (Required, Common; default value: None)
  The API secret key of the Edge user that Cloud Resolver will use to add new DNS zones to the domain list.

CRS_EDGE_SECRETS_ID (Optional, Common; default value: None)
  The base URL of the vault where the Edge API key and Edge secret key are stored.
  Note: When storing the Edge API key and Edge secret key in a vault, the Edge API key must be named CRS-EDGE-API-KEY and the Edge secret key must be named CRS-EDGE-SECRET-KEY.
  If you are storing the values in Azure Vault, CRS_EDGE_SECRETS_ID must be the base URL of the Azure Vault where the keys are stored. If you are storing the values in AWS, CRS_EDGE_SECRETS_ID must be a valid ARN where both secrets are stored.

CRS_EDGE_CI_URL (Required, Common; default value: None)
  The API URL of the Edge Cloud Instance that Cloud Resolver will write data to. For example: http://api-<Edge_URL>.bluec.at

CRS_EDGE_NAMESPACE_ID (Required, Common; default value: None)
  The ID of the Edge namespace.

CRS_EDGE_DOMAINLIST_ID (Required, Common; default value: None)
  The ID of the Edge domain list to which Cloud Resolver will add new DNS zones.

CRS_DNS_LISTEN_ON (Optional, Common; default value: 127.0.0.1:5003)
  The socket address on which Cloud Resolver listens for DNS messages over UDP and TCP.

CRS_CONFIGURATION_ZONE (Optional, Common; default value: cloudresolver.config.)
  The DNS zone used for ARN lookups.

CRS_POLLING_INTERVAL (Optional, Common; default value: 60)
  The interval, in seconds, between polls of the Cloud Service Provider API.

CRS_TCP_HEALTH_CHECK_PORT (Optional, Common; default value: 8080)
  The port used for simple TCP checks to determine whether the service is live.

CRS_DIAGNOSTICS_PORT (Optional, Common; default value: 9000)
  The port used to access the web-delivered Cloud Resolver diagnostics.

CRS_PROMETHEUS_PORT (Optional, Common; default value: 9090)
  The port from which Prometheus pulls metrics data.

CRS_PROMETHEUS_PROTOBUF (Optional, Common; default value: false)
  The format of the Prometheus data. Set to true for protobuf or false for text.

CRS_MAX_IN_FLIGHT_UDP (Optional, Common; default value: 500)
  The maximum number of in-flight UDP queries; queries beyond this limit receive a SERVFAIL.

CRS_MAX_IN_FLIGHT_TCP (Optional, Common; default value: 500)
  The maximum number of in-flight TCP queries; queries beyond this limit receive a SERVFAIL.

CRS_IN_FLIGHT_CACHE_SIZE (Optional, Common; default value: 2500)
  The maximum TTL cache size. You can configure this value to protect against DoS attacks.

CRS_LOG (Optional, Common; default value: cloud_resolver=info)
  The logging level for Cloud Resolver.

CRS_SNAPSHOT_PATH (Optional, Common; default value: /var/lib/bluecat)
  The directory path where Cloud Resolver snapshots are stored.
  If you set the CRS_SNAPSHOT_TYPE parameter to csp, the snapshot is written to a cloud storage provider, and you must set CRS_SNAPSHOT_PATH to the full path of the snapshot in the Azure Blob storage or AWS S3 bucket:
  • For snapshots stored in an AWS S3 bucket, set CRS_SNAPSHOT_PATH to the name of the S3 bucket. For example, cr-data.
  • For snapshots stored in Azure Blob storage, set CRS_SNAPSHOT_PATH to the URL of the Azure Blob storage. For example, https://test.blob.core.windows.net/snapshot.
  Note: If you are configuring the Cloud Resolver instance as part of a cluster by setting CRS_ROLE to resolver, you must enter the full path of the snapshot in the Azure Blob storage or AWS S3 bucket from which the snapshots will be read, or mount a shared volume on each Cloud Resolver instance and use that file path.
  If you set the CRS_SNAPSHOT_TYPE parameter to file, the snapshot is written to a file on the host machine. By default, the snapshot file is written to the /var/lib/bluecat directory, but you can configure a custom location on the host machine.

CRS_SNAPSHOT_NAME (Optional, Common; default value: cloud_resolver.dmp)
  The name of the Cloud Resolver snapshot file. When the Cloud Resolver role is full, this is the name of the snapshot file that is written. When the Cloud Resolver role is resolver, this is the name of the snapshot file that is read.
  Attention: BlueCat does not recommend changing the snapshot name unless you are using the Azure Blob storage or S3 bucket for additional data sets.

CRS_SNAPSHOT_AUTOLOAD (Optional, Common; default value: false)
  Determines whether the latest snapshot is loaded automatically when Cloud Resolver starts. Set to true to load the latest Cloud Resolver snapshot on start, or set to false to start without loading it.

CRS_SNAPSHOT_AUTOGENERATE (Optional, Common; default value: true)
  Determines whether the snapshot is updated automatically when Cloud Resolver discovers new resources in the cloud environment. Set to true to update the snapshot file when new resources are discovered, or set to false to leave the snapshot file unchanged when new resources are discovered.

CRS_SNAPSHOT_TYPE (Optional, Common; default value: file)
  The type of snapshot that Cloud Resolver creates. The value can be file to write the snapshot to a local file within the directory defined in CRS_SNAPSHOT_PATH, or csp to write the file to an Azure Blob storage or AWS S3 bucket location.

CRS_PROXY_ADDR (Optional, Common; default value: None)
  The URL and port of the proxy server. For example, https://example.prox:4545
  Note: This is only required if you are using a proxy server.

CRS_ROLE (Optional, Common; default value: full)
  The role that the Cloud Resolver instance assumes. The value can be full to indicate that the Cloud Resolver instance is standalone, or resolver to indicate that the Cloud Resolver instance is part of a cluster.
  If you set CRS_ROLE to resolver, the Cloud Resolver instance reads the snapshot data written by another Cloud Resolver instance to the Azure Blob storage or AWS S3 bucket location defined in CRS_SNAPSHOT_PATH.

CRS_PROXY_USER (Optional, Common; default value: None)
  The username used to authenticate with the proxy server when using basic_auth.
  Note: This is only required if you are using a proxy server.

CRS_PROXY_PASS (Optional, Common; default value: None)
  The password used to authenticate with the proxy server when using basic_auth.
  Note: This is only required if you are using a proxy server.

CRS_PROXY_SKIP (Optional, Common; default value: None)
  The list of domains, networks, and IP addresses that bypass the proxy.
  Note: This is only required if you are using a proxy server.

CRS_VAULT_TYPE (Optional, Common; default value: None)
  The type of vault used to store the secret keys for Edge and for CSP remote tenants. The valid values are csp and hcv_approle.

CRS_HCV_BASE_URL (Optional, Common; default value: None)
  The base URL of the HashiCorp Vault service.
  Note: This is only required if you set CRS_VAULT_TYPE=hcv_approle.

CRS_HCV_LOGIN_PATH (Optional, Common; default value: None)
  The URL path appended to the base URL for login.
  Note: This is only required if you set CRS_VAULT_TYPE=hcv_approle.

CRS_HCV_SECRET_PATH (Optional, Common; default value: None)
  The URL path appended to the base URL for the secret store.
  Note: This is only required if you set CRS_VAULT_TYPE=hcv_approle.

CRS_HCV_ROLE_ID (Optional, Common; default value: None)
  The Role ID generated by the HashiCorp Vault service.
  Note: This is only required if you set CRS_VAULT_TYPE=hcv_approle.

CRS_HCV_SECRET_ID (Optional, Common; default value: None)
  The Secret ID generated by the HashiCorp Vault service.
  Note: This is only required if you set CRS_VAULT_TYPE=hcv_approle.

CRS_HCV_NAMESPACE (Optional, Common; default value: None)
  The Vault namespace.
  Note: This is only required if you set CRS_VAULT_TYPE=hcv_approle and you use Vault namespaces.

CRS_FALLBACK_RESOLVER (Optional, Common; default value: None)
  A comma-delimited list of IP addresses of fallback resolvers.

CRS_SKIP_FALLBACK_NETWORKS (Optional, Common; default value: None)
  A comma-delimited list of networks in CIDR notation whose queries should not be forwarded to fallback resolvers.

CRS_ALLOW_FALLBACK_NETWORKS (Optional, Common; default value: None)
  A comma-delimited list of networks in CIDR notation whose queries may be forwarded to a fallback resolver, regardless of whether the source IP addresses are in the discovered cloud networks. If the source IP address is part of any network listed in CRS_SKIP_FALLBACK_NETWORKS, it is not allowed to query fallback resolvers.

CRS_GENERATE_REVERSE (Optional, Common; default value: false)
  Defines whether reverse zones are generated automatically for the cloud-discovered network space. Set to true to generate reverse zones automatically, or set to false to ensure that reverse zones are not generated automatically.
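As an added sanity check, not part of BlueCat's product, the following Python script parses a cloud-resolver.conf file and reports parameters that the table above marks as required but that are absent, values outside the documented choices for CRS_CLOUD_PROVIDER, CRS_ROLE, CRS_SNAPSHOT_TYPE and CRS_VAULT_TYPE, and malformed CRS_REMOTE_TENANTS entries. The sample file is constructed for illustration.

```python
import json
# Parameter rules taken from the Configuration parameters table above.
REQUIRED_COMMON = ("CRS_CLOUD_PROVIDER", "CRS_EDGE_API_KEY", "CRS_EDGE_SECRET_KEY",
                   "CRS_EDGE_CI_URL", "CRS_EDGE_NAMESPACE_ID", "CRS_EDGE_DOMAINLIST_ID")
REQUIRED_AWS = ("AWS_REGION", "CRS_VPC_ID")
ENUMS = {"CRS_CLOUD_PROVIDER": {"aws", "azure"}, "CRS_ROLE": {"full", "resolver"},
         "CRS_SNAPSHOT_TYPE": {"file", "csp"}, "CRS_VAULT_TYPE": {"csp", "hcv_approle"}}
AZURE_CLOUDS = {"AzureCloud", "AzureUsGovernmentCloud", "AzureChinaCloud"}

def parse_conf(text):
    # One KEY=value per line; quotes surrounding the value are dropped.
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = (part.strip() for part in line.partition("="))
        conf[key] = value.strip("'\"")
    return conf

def validate(conf):
    # Returns a list of problems; an empty list means the file passes these checks.
    problems = [f"missing required parameter {k}" for k in REQUIRED_COMMON if k not in conf]
    if conf.get("CRS_CLOUD_PROVIDER") == "aws":
        problems += [f"missing required parameter {k}" for k in REQUIRED_AWS if k not in conf]
    for key, allowed in ENUMS.items():
        if key in conf and conf[key] not in allowed:
            problems.append(f"{key} must be one of {sorted(allowed)}, got {conf[key]!r}")
    if "CRS_REMOTE_TENANTS" in conf:  # Azure-only: must be a JSON list of tenant objects
        try:
            for tenant in json.loads(conf["CRS_REMOTE_TENANTS"]):
                missing = {"tenant_id", "client_id", "client_secret_url"} - set(tenant)
                if missing:
                    problems.append(f"remote tenant entry is missing {sorted(missing)}")
                if tenant.get("azure_cloud", "AzureCloud") not in AZURE_CLOUDS:
                    problems.append(f"unknown azure_cloud {tenant['azure_cloud']!r}")
        except (ValueError, TypeError, AttributeError):
            problems.append("CRS_REMOTE_TENANTS is not a JSON list of objects")
    return problems

# Constructed sample: an AWS file that omits CRS_VPC_ID and misspells the CRS_ROLE value.
SAMPLE_CONF = """CRS_CLOUD_PROVIDER=aws
CRS_EDGE_API_KEY="<edge_api_key>"
CRS_EDGE_SECRET_KEY="<edge_secret_key>"
CRS_EDGE_CI_URL="https://api-example.bluec.at"
CRS_EDGE_NAMESPACE_ID="ddccbbaa-0954-4823-ab09-848fc2a2d847"
CRS_EDGE_DOMAINLIST_ID="aabbccdd-1234-5678-90ab-416bb4b1c684"
CRS_ROLE=standalone
AWS_REGION="us-east-2"
"""
```

Running `validate(parse_conf(SAMPLE_CONF))` on the sample reports the missing CRS_VPC_ID and the invalid CRS_ROLE value; run it against your own file before restarting the service.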

Example AWS configuration file

The following is an example cloud-resolver.conf file that connects to an AWS environment:
CRS_DNS_LISTEN_ON=0.0.0.0:53
CRS_CLOUD_PROVIDER=aws
CRS_CONFIGURATION_ZONE=cloudresolver.config.
CRS_EDGE_API_KEY="<edge_api_key>"
CRS_EDGE_SECRET_KEY="<edge_secret_key>"
CRS_EDGE_CI_URL="https://api-example.bluec.at"
CRS_EDGE_NAMESPACE_ID="ddccbbaa-0954-4823-ab09-848fc2a2d847"
CRS_EDGE_DOMAINLIST_ID="aabbccdd-1234-5678-90ab-416bb4b1c684"
CRS_SNAPSHOT_TYPE=file
CRS_SNAPSHOT_AUTOLOAD=true
CRS_SNAPSHOT_AUTOGENERATE=true
CRS_SNAPSHOT_PATH="/var/lib/bluecat"
CRS_ROLE=full
CRS_POLLING_INTERVAL=60
CRS_TCP_HEALTH_CHECK_PORT=8080
CRS_DIAGNOSTICS_PORT=9000
CRS_PROMETHEUS_PORT=9090
CRS_PROMETHEUS_PROTOBUF=false
CRS_MAX_IN_FLIGHT_UDP=500
CRS_MAX_IN_FLIGHT_TCP=500
CRS_IN_FLIGHT_CACHE_SIZE=2500
AWS_REGION="us-east-2"
CRS_VPC_ID="vpc-987f65fc"
AWS_PROFILE="cloudresolver"

Example Azure configuration file

The following is an example cloud-resolver.conf file for a Cloud Resolver instance in the resolver role that reads snapshots from Azure Blob storage:
CRS_DNS_LISTEN_ON=0.0.0.0:53
CRS_CLOUD_PROVIDER=azure
CRS_CONFIGURATION_ZONE=cloudresolver.config.
CRS_EDGE_API_KEY="<edge_api_key>"
CRS_EDGE_SECRET_KEY="<edge_secret_key>"
CRS_EDGE_CI_URL="https://api-example.bluec.at"
CRS_EDGE_NAMESPACE_ID="ddccbbaa-0954-4823-ab09-848fc2a2d847"
CRS_EDGE_DOMAINLIST_ID="aabbccdd-1234-5678-90ab-416bb4b1c684"
CRS_SNAPSHOT_TYPE=csp
CRS_SNAPSHOT_AUTOLOAD=true
CRS_SNAPSHOT_AUTOGENERATE=true
CRS_SNAPSHOT_PATH="https://test.blob.core.windows.net/snapshot"
CRS_ROLE=resolver
CRS_POLLING_INTERVAL=60
CRS_TCP_HEALTH_CHECK_PORT=8080
CRS_DIAGNOSTICS_PORT=9000
CRS_PROMETHEUS_PORT=9090
CRS_PROMETHEUS_PROTOBUF=false
CRS_MAX_IN_FLIGHT_UDP=500
CRS_MAX_IN_FLIGHT_TCP=500
CRS_IN_FLIGHT_CACHE_SIZE=2500
AZURE_REGION="global"
CRS_REMOTE_TENANTS='[{"tenant_id": "abcdef01-ab12-34cd-5678-bda0b9876e6f", "client_id": "fedcba98-fe87-65dc-b432-ceb1c5432f2a", "client_secret_url": "CRS-123456ab7890", "azure_cloud": "AzureCloud"}]'