Splunk SOAR (Phantom) 7.0 on GCP - Terraform Script

This Terraform configuration automates Phase 1 (prerequisites) and parts of Phase 2 (Infrastructure) for installing Splunk SOAR 7.0 on Google Cloud Platform, based on the guide by Jayadeep Reddy Karri.

Resources Created

• Compute Instance:
  • Name: splunk-soar-7
  • Machine Type: e2-standard-4 (4 vCPU, 16 GB RAM) - Recommended for testing/POC.
  • OS: RHEL 8 (Compatible with Oracle Linux 8 recommendation).
  • Disk: 100 GB pd-balanced.
• Firewall Rule:
  • Opens TCP port 8443 (Web UI) and 22 (SSH).

Prerequisites

1. Google Cloud Project: You must have an active GCP project.
2. Terraform Installed: Ensure Terraform is installed on your machine.
3. Authentication: Authenticate with GCP:

   gcloud auth application-default login

Usage

1. Configure Variables:

   • Rename terraform.tfvars.example to terraform.tfvars.
   • Open terraform.tfvars and set your project_id.

2. Initialize Terraform:

   terraform init

3. Review Plan:

   terraform plan

4. Apply / Deploy:

   terraform apply

   • Type yes when prompted.

5. Access:

   • After deployment, Terraform will output the Public IP.
   • Installation Status: The installation runs automatically on startup. It may take 10-15 minutes.
   • SSH Access:

     gcloud compute ssh splunk-soar-7 --zone=us-central1-a

   • Check Installation Status:

     gcloud compute ssh splunk-soar-7 --zone=us-central1-a --command="sudo journalctl -u google-startup-scripts.service -f"

   • Web UI: Once finished, access https://<PUBLIC_IP>:8443.
     • Default Credentials:
       • Username: soar_local_admin
       • Password: password
       • (Note: You will be prompted to change this password on first login).