Once you have installed Cloud Resolver on the host machine, you must create the configuration file that specifies what information is pulled from the cloud environment.
- Log in to the host instance using SSH.
- Navigate to the /etc/cloud-resolver/ directory.
- Create a new file called cloud-resolver.conf.
- Edit the cloud-resolver.conf configuration file and add the necessary values listed in Configuration parameters.
- Once you have added the necessary configuration parameters to the configuration file, restart Cloud Resolver using the following command:
  sudo systemctl restart cloud-resolver.service
Configuration parameters
When configuring Cloud Resolver, you can define the following environment variables within the cloud-resolver.conf file:
Parameter | Description | Default value | Required/Optional | AWS-only/Azure-only/Common |
---|---|---|---|---|
CRS_IAM_ROLE | The IAM role to assume. Note: Only required for STS authentication. | None | Optional | AWS-only |
CRS_EXTERNAL_ID | The role external_id to use when assuming CRS_IAM_ROLE. Note: Only required for STS authentication. | None | Optional | AWS-only |
AWS_REGION | The AWS region from which Cloud Resolver retrieves DNS zone information. | None | Required | AWS-only |
CRS_VPC_ID | The VPC ID of Cloud Resolver. | None | Required | AWS-only |
AWS_CONFIG_FILE | The location of the AWS configuration file. If not configured, the known AWS locations are used. | None | Optional | AWS-only |
AWS_PROFILE | The AWS profile name. | None | Optional | AWS-only |
CRS_REMOTE_ACCOUNTS | A JSON list of additional AWS accounts for discovery and resolution. The primary Cloud Resolver account must have STS AssumeRole permission for the remote role. Only the current region is discovered in the remote account. The list must use the following format: [ { "account": <account_name>, "role_asn": <role_asn>, "role_sessions_name": <value> } ... ] | None | Optional | AWS-only |
CRS_REMOTE_TENANTS | A JSON list of additional Azure tenants for discovery and resolution. The list must use the following format: [ { "tenant_id": <tenant_id>, "client_id": <client_id>, "client_secret_url": <value> } ... ] Note: client_secret_url must be a valid URL to an Azure Vault secret in the local tenant that contains the client secret Cloud Resolver uses for the remote tenant. If you are using HashiCorp Vault, the value must be the key name under which the tenant secret is stored. | None | Optional | Azure-only |
CRS_CLOUD_PROVIDER | The cloud environment from which Cloud Resolver retrieves DNS information. Valid values: aws or azure. | None | Required | Common |
CRS_EDGE_API_KEY | The API key of the Edge user that Cloud Resolver uses to add new DNS zones to the domain list. | None | Required (unless supplied through CRS_EDGE_SECRETS_ID) | Common |
CRS_EDGE_SECRET_KEY | The API secret key of the Edge user that Cloud Resolver uses to add new DNS zones to the domain list. | None | Required (unless supplied through CRS_EDGE_SECRETS_ID) | Common |
CRS_EDGE_SECRETS_ID | The base URL of the vault where the Edge API key and Edge secret key are stored. Note: When storing the keys in a vault, the Edge API key must be named CRS-EDGE-API-Key and the Edge secret key must be named CRS-EDGE_SECRET-KEY. For Azure Vault, CRS_EDGE_SECRETS_ID must be the base URL of the vault where the keys are stored; for AWS, it must be a valid ARN of the secret that holds both values. | None | Optional | Common |
CRS_EDGE_CI_URL | The API URL of the Edge Cloud Instance that Cloud Resolver writes data to. For example: http://api-<Edge_URL>.bluec.at | None | Required | Common |
CRS_EDGE_NAMESPACE_ID | The ID of the Edge namespace. | None | Required | Common |
CRS_EDGE_DOMAINLIST_ID | The ID of the Edge domain list to which Cloud Resolver adds new DNS zones. | None | Required | Common |
CRS_DNS_LISTEN_ON | The socket address on which Cloud Resolver listens for DNS messages over UDP and TCP. | 127.0.0.1:5003 | Required | Common |
CRS_CONFIGURATION_ZONE | The DNS zone used for ARN lookup. | cloudresolver.config. | Required | Common |
CRS_POLLING_INTERVAL | The interval, in seconds, between polls of the Cloud Service Provider API. | 60 | Required | Common |
CRS_TCP_HEALTH_CHECK_PORT | The port used for simple TCP checks to determine whether the service is live. | 8080 | Required | Common |
CRS_DIAGNOSTICS_PORT | The port used to access the Cloud Resolver web-delivered diagnostics. | 9000 | Required | Common |
CRS_PROMETHEUS_PORT | The port from which Prometheus pulls metrics. | 9090 | Required | Common |
CRS_PROMETHEUS_PROTOBUF | The format of the Prometheus data: true for protobuf, false for text. | false | Required | Common |
CRS_MAX_IN_FLIGHT_UDP | The maximum number of in-flight UDP queries; queries beyond this limit receive SERVFAIL. | 500 | Required | Common |
CRS_MAX_IN_FLIGHT_TCP | The maximum number of in-flight TCP queries; queries beyond this limit receive SERVFAIL. | 500 | Required | Common |
CRS_IN_FLIGHT_CACHE_SIZE | The maximum TTL cache size. Tune this value to protect against DoS attacks. | 2500 | Required | Common |
CRS_LOG | The logging level for Cloud Resolver. | cloud_resolver=info | Optional | Common |
CRS_SNAPSHOT_PATH | The directory in which Cloud Resolver snapshots are stored. | /var/lib/bluecat | Required | Common |
CRS_SNAPSHOT_AUTOLOAD | Whether the latest snapshot is loaded automatically when Cloud Resolver starts: true to load it, false not to. | false | Required | Common |
CRS_PROXY_ADDR | The URL and port of the proxy server, for example https://example.prox:4545. Note: Only required if you are using a proxy server. | None | Optional | Common |
CRS_PROXY_USER | The username used to authenticate with the proxy server when using basic_auth. Note: Only required if you are using a proxy server. | None | Optional | Common |
CRS_PROXY_PASS | The password used to authenticate with the proxy server when using basic_auth. Note: Only required if you are using a proxy server. | None | Optional | Common |
CRS_PROXY_SKIP | The list of domains, networks, and IP addresses that bypass the proxy. Note: Only required if you are using a proxy server. | None | Optional | Common |
CRS_VAULT_TYPE | The vault used to store the secret keys for Edge and the CSP remote tenant. Valid values: csp and hcv_approle. | None | Optional | Common |
CRS_HCV_BASE_URL | The base URL of the HashiCorp Vault service. Note: Only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_LOGIN_PATH | The URL path appended to the base URL for login. Note: Only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_SECRET_PATH | The URL path appended to the base URL for the secret store. Note: Only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_ROLE_ID | The Role ID generated by the HashiCorp Vault service. Note: Only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_SECRET_ID | The Secret ID generated by the HashiCorp Vault service. Note: Only required if CRS_VAULT_TYPE="hcv_approle". | None | Optional | Common |
CRS_HCV_NAMESPACE | The Vault namespace. Note: Only required if CRS_VAULT_TYPE="hcv_approle" and you use Vault namespaces. | None | Optional | Common |
CRS_FALLBACK_RESOLVER | A comma-delimited list of IP addresses of fallback resolvers. | None | Optional | Common |
CRS_SKIP_FALLBACK_NETWORKS | A comma-delimited list of networks in CIDR notation whose queries are not forwarded to fallback resolvers. | None | Optional | Common |
CRS_ALLOW_FALLBACK_NETWORKS | A comma-delimited list of networks in CIDR notation that may forward to a fallback resolver, regardless of whether they are part of the discovered cloud networks. A source IP address that also falls within a network listed in CRS_SKIP_FALLBACK_NETWORKS is still not allowed to query fallback resolvers. | None | Optional | Common |
CRS_GENERATE_REVERSE | Whether reverse zones are generated automatically for cloud-discovered network space: true to generate them, false not to. | false | Optional | Common |
Example configuration file

```ini
CRS_DNS_LISTEN_ON=0.0.0.0:53
CRS_CLOUD_PROVIDER=aws
CRS_CONFIGURATION_ZONE=cloudresolver.config.
CRS_EDGE_API_KEY="<edge_api_key>"
CRS_EDGE_SECRET_KEY="<edge_secret_key>"
CRS_EDGE_CI_URL="https://api-example.bluec.at"
CRS_EDGE_NAMESPACE_ID="ddccbbaa-0954-4823-ab09-848fc2a2d847"
CRS_EDGE_DOMAINLIST_ID="aabbccdd-1234-5678-90ab-416bb4b1c684"
CRS_SNAPSHOT_AUTOLOAD=false
CRS_SNAPSHOT_PATH="/var/lib/bluecat"
CRS_POLLING_INTERVAL=60
CRS_TCP_HEALTH_CHECK_PORT=8080
CRS_DIAGNOSTICS_PORT=9000
CRS_PROMETHEUS_PORT=9090
CRS_PROMETHEUS_PROTOBUF=false
CRS_MAX_IN_FLIGHT_UDP=500
CRS_MAX_IN_FLIGHT_TCP=500
CRS_IN_FLIGHT_CACHE_SIZE=2500
AWS_REGION="us-east-2"
CRS_VPC_ID="vpc-987f65fc"
AWS_PROFILE="cloudresolver"
```
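A misconfigured cloud-resolver.conf only fails at restart, so it is worth checking the file before running systemctl. The following validator is an added example, not part of the Cloud Resolver documentation or product: it parses the KEY=VALUE file, applies the required/optional rules and value constraints from the parameter table above (aws requires AWS_REGION and CRS_VPC_ID, hcv_approle requires the CRS_HCV_* values, CRS_REMOTE_ACCOUNTS must be a JSON list with the documented keys, CIDR lists must parse), and adds two rules of its own that the table does not state: a warning when the Edge keys sit inline even though a vault is configured, and a check that the file is not readable by group or others. Function names and the exact error strings are this example's own.

```python
"""Added example, not part of the Cloud Resolver documentation or product: a
validator for cloud-resolver.conf built from the parameter table above. Required
keys, allowed values and the conditional rules follow the table; the file-mode
check and the inline-secret warning are this script's own rules."""
import ipaddress
import json
import os

REQUIRED_COMMON = [
    "CRS_CLOUD_PROVIDER", "CRS_EDGE_CI_URL", "CRS_EDGE_NAMESPACE_ID",
    "CRS_EDGE_DOMAINLIST_ID", "CRS_DNS_LISTEN_ON", "CRS_CONFIGURATION_ZONE",
    "CRS_POLLING_INTERVAL", "CRS_TCP_HEALTH_CHECK_PORT", "CRS_DIAGNOSTICS_PORT",
    "CRS_PROMETHEUS_PORT", "CRS_PROMETHEUS_PROTOBUF", "CRS_MAX_IN_FLIGHT_UDP",
    "CRS_MAX_IN_FLIGHT_TCP", "CRS_IN_FLIGHT_CACHE_SIZE", "CRS_SNAPSHOT_PATH",
    "CRS_SNAPSHOT_AUTOLOAD"]
REQUIRED_AWS = ["AWS_REGION", "CRS_VPC_ID"]
REQUIRED_HCV = ["CRS_HCV_BASE_URL", "CRS_HCV_LOGIN_PATH", "CRS_HCV_SECRET_PATH",
                "CRS_HCV_ROLE_ID", "CRS_HCV_SECRET_ID"]
PORT_KEYS = ["CRS_TCP_HEALTH_CHECK_PORT", "CRS_DIAGNOSTICS_PORT", "CRS_PROMETHEUS_PORT"]
INT_KEYS = PORT_KEYS + ["CRS_POLLING_INTERVAL", "CRS_MAX_IN_FLIGHT_UDP",
                        "CRS_MAX_IN_FLIGHT_TCP", "CRS_IN_FLIGHT_CACHE_SIZE"]
BOOL_KEYS = ["CRS_PROMETHEUS_PROTOBUF", "CRS_SNAPSHOT_AUTOLOAD", "CRS_GENERATE_REVERSE"]
CIDR_KEYS = ["CRS_SKIP_FALLBACK_NETWORKS", "CRS_ALLOW_FALLBACK_NETWORKS"]
REMOTE_ACCOUNT_KEYS = {"account", "role_asn", "role_sessions_name"}


def parse_conf(text):
    """Parse KEY=VALUE lines; strip one layer of matching quotes; skip blanks and # comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        conf[key.strip()] = value
    return conf


def validate(conf):
    """Return (errors, warnings) for a parsed configuration dict."""
    errors, warnings = [], []

    def need(keys, why):
        errors.extend(f"{k} is required {why}" for k in keys if not conf.get(k))

    need(REQUIRED_COMMON, "for every deployment")
    provider = conf.get("CRS_CLOUD_PROVIDER")
    if provider not in ("aws", "azure"):
        errors.append("CRS_CLOUD_PROVIDER must be aws or azure")
    elif provider == "aws":
        need(REQUIRED_AWS, "when CRS_CLOUD_PROVIDER=aws")
    # Edge credentials are supplied inline or fetched via CRS_EDGE_SECRETS_ID.
    inline = bool(conf.get("CRS_EDGE_API_KEY") and conf.get("CRS_EDGE_SECRET_KEY"))
    if not inline and not conf.get("CRS_EDGE_SECRETS_ID"):
        errors.append("set CRS_EDGE_API_KEY and CRS_EDGE_SECRET_KEY, or CRS_EDGE_SECRETS_ID")
    vault = conf.get("CRS_VAULT_TYPE")
    if vault and vault not in ("csp", "hcv_approle"):
        errors.append("CRS_VAULT_TYPE must be csp or hcv_approle")
    if vault and inline:  # this script's own rule: secrets belong in the vault, not the file
        warnings.append("Edge keys are inline although CRS_VAULT_TYPE is set; keep them in the vault")
    if vault == "hcv_approle":
        need(REQUIRED_HCV, "when CRS_VAULT_TYPE=hcv_approle")
    for k in INT_KEYS:
        v = conf.get(k)
        if v is not None and not v.isdigit():
            errors.append(f"{k} must be a non-negative integer, got {v!r}")
        elif v is not None and k in PORT_KEYS and not 0 < int(v) < 65536:
            errors.append(f"{k} is not a valid TCP port")
    for k in BOOL_KEYS:
        if conf.get(k) not in (None, "true", "false"):
            errors.append(f"{k} must be true or false")
    host, _, port = conf.get("CRS_DNS_LISTEN_ON", "").rpartition(":")
    try:
        ipaddress.ip_address(host.strip("[]"))  # accepts 0.0.0.0:53 and [::1]:5003
        int(port)
    except ValueError:
        errors.append("CRS_DNS_LISTEN_ON must be <ip>:<port>")
    for k in CIDR_KEYS:
        for net in filter(None, (s.strip() for s in conf.get(k, "").split(","))):
            try:
                ipaddress.ip_network(net, strict=False)
            except ValueError:
                errors.append(f"{k}: {net!r} is not a CIDR network")
    if conf.get("CRS_REMOTE_ACCOUNTS"):
        try:
            accts = json.loads(conf["CRS_REMOTE_ACCOUNTS"])
            if not (isinstance(accts, list) and all(
                    isinstance(a, dict) and REMOTE_ACCOUNT_KEYS.issubset(a) for a in accts)):
                errors.append("each CRS_REMOTE_ACCOUNTS entry needs " + ", ".join(sorted(REMOTE_ACCOUNT_KEYS)))
        except json.JSONDecodeError as exc:
            errors.append(f"CRS_REMOTE_ACCOUNTS is not valid JSON: {exc}")
    return errors, warnings


def world_readable(path):
    """True if group or others can read the file, which holds API secrets and proxy passwords."""
    return bool(os.stat(path).st_mode & 0o044)
```

Read the file, pass its contents through parse_conf and validate, and refuse to restart the service while the error list is non-empty. Run world_readable on the path as well: the file can hold CRS_EDGE_SECRET_KEY, CRS_PROXY_PASS and CRS_HCV_SECRET_ID, so it should be owned by root and readable only by the service account (chmod 0600), and moving the Edge keys into a vault through CRS_EDGE_SECRETS_ID keeps them out of the file altogether.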