Skip to content

Terraform module for configuring an integration with Lacework and AWS for agentless scanning

License

Notifications You must be signed in to change notification settings

lacework/terraform-aws-agentless-scanning

Repository files navigation

terraform-aws-agentless-scanning

GitHub release Codefresh build status

A Terraform Module to configure the Lacework Agentless Scanner.

Requirements

Name Version
terraform >= 0.15.0
aws >= 4.0
lacework ~> 2.0
random >= 2.1

Providers

Name Version
aws >= 4.0
lacework ~> 2.0
null n/a
random >= 2.1

Modules

No modules.

Resources

Name Type
aws_cloudwatch_event_rule.agentless_scan_event_rule resource
aws_cloudwatch_event_target.agentless_scan_event_target resource
aws_cloudwatch_log_group.agentless_scan_log_group resource
aws_default_network_acl.default resource
aws_default_security_group.default resource
aws_ecs_cluster.agentless_scan_ecs_cluster resource
aws_ecs_cluster_capacity_providers.agentless_scan_capacity_providers resource
aws_ecs_task_definition.agentless_scan_task_definition resource
aws_flow_log.agentless_scan_vpc_flow_log resource
aws_iam_policy.agentless_scan_task_policy resource
aws_iam_role.agentless_scan_cross_account_role resource
aws_iam_role.agentless_scan_ecs_event_role resource
aws_iam_role.agentless_scan_ecs_execution_role resource
aws_iam_role.agentless_scan_ecs_task_role resource
aws_iam_role.agentless_scan_snapshot_role resource
aws_iam_service_linked_role.agentless_scan_linked_role resource
aws_internet_gateway.agentless_scan_gateway resource
aws_route.agentless_scan_route resource
aws_route_table.agentless_scan_route_table resource
aws_route_table_association.agentless_scan_route_table_association resource
aws_s3_bucket.agentless_scan_bucket resource
aws_s3_bucket_lifecycle_configuration.agentless_scan_bucket_lifecyle resource
aws_s3_bucket_ownership_controls.agentless_scan_bucket_ownership_controls resource
aws_s3_bucket_policy.agentless_scan_bucket_policy resource
aws_s3_bucket_public_access_block.agentless_scan_bucket_public_access_block resource
aws_s3_bucket_server_side_encryption_configuration.agentless_scan_bucket_encryption resource
aws_s3_bucket_versioning.versioning_example resource
aws_secretsmanager_secret.agentless_scan_secret resource
aws_secretsmanager_secret_version.agentless_scan_secret_version resource
aws_security_group.agentless_scan_sec_group resource
aws_subnet.agentless_scan_public_subnet resource
aws_vpc.agentless_scan_vpc resource
lacework_external_id.aws_iam_external_id resource
lacework_integration_aws_agentless_scanning.lacework_cloud_account resource
lacework_integration_aws_org_agentless_scanning.lacework_cloud_account resource
null_resource.check_organization_requires_global_input resource
random_id.uniq resource
aws_caller_identity.current data source
aws_iam_policy_document.agentless_scan_bucket_policy data source
aws_iam_policy_document.agentless_scan_cross_account_policy data source
aws_iam_policy_document.agentless_scan_task_policy_document data source
aws_iam_policy_document.cross_account_inline_policy_bucket data source
aws_iam_policy_document.cross_account_inline_policy_ecs data source
aws_internet_gateway.selected data source
aws_region.current data source
aws_vpc.selected data source
lacework_metric_module.lwmetrics data source
lacework_user_profile.current data source

Inputs

Name Description Type Default Required
additional_environment_variables Optional list of additional environment variables passed to the ECS task.
list(object({
name = string
value = string
}))
[] no
agentless_scan_ecs_event_role_arn ECS event role ARN. Required input for regional resources. (Deprecated: use global_module_reference) string "" no
agentless_scan_ecs_execution_role_arn ECS execution role ARN. Required input for regional resources. (Deprecated: use global_module_reference) string "" no
agentless_scan_ecs_task_role_arn ECS task role ARN. Required input for regional resources. (Deprecated: use global_module_reference) string "" no
agentless_scan_secret_arn AWS SecretsManager Secret ARN for Lacework Account/Token. Required if Global is false and Regional is true. (Deprecated: use global_module_reference) string "" no
bucket_encryption_enabled Set this to false to disable setting S3 SSE. bool true no
bucket_force_destroy Force destroy bucket. (if disabled, terraform will not be able do destroy non-empty bucket) bool true no
bucket_sse_algorithm The encryption algorithm to use for S3 bucket server-side encryption. string "AES256" no
bucket_sse_key_arn The ARN of the KMS encryption key to be used for S3 (required when bucket_sse_algorithm is aws:kms). string "" no
bucket_tags Optional collection of tags to apply to the bucket map(string) {} no
cross_account_role_arn The IAM cross account role ARN is required when setting use_existing_cross_account_role to true string "" no
cross_account_role_name The IAM cross account role name. Required to match with cross_account_role_arn if use_existing_cross_account_role is set to true string "" no
external_id The external ID configured inside the IAM role used for cross account access string "" no
filter_query_text The LQL query to constrain the scanning to specific resources. If left blank, Lacework will scan all resources available to the account or organization. For more information, see Limit Scanned Workloads. string "" no
global Whether or not to create global resources. Defaults to false. bool false no
global_module_reference A reference to the global lacework_aws_agentless_scanning module for this account.
object({
agentless_scan_ecs_task_role_arn = string
agentless_scan_ecs_execution_role_arn = string
agentless_scan_ecs_event_role_arn = string
agentless_scan_secret_arn = string
lacework_account = string
lacework_domain = string
external_id = string
prefix = string
s3_bucket_arn = string
suffix = string
})
{
"agentless_scan_ecs_event_role_arn": "",
"agentless_scan_ecs_execution_role_arn": "",
"agentless_scan_ecs_task_role_arn": "",
"agentless_scan_secret_arn": "",
"external_id": "",
"lacework_account": "",
"lacework_domain": "",
"prefix": "",
"s3_bucket_arn": "",
"suffix": ""
}
no
iam_service_linked_role Whether or not to create aws_iam_service_linked_role. Defaults to false. bool false no
image_url The container image url for Lacework sidekick. string "public.ecr.aws/p5r4i7k7/sidekick:latest" no
lacework_account The name of the Lacework account with which to integrate. string "" no
lacework_aws_account_id The Lacework AWS account that the IAM role will grant access. string "434813966438" no
lacework_domain The domain of the Lacework account with with to integrate. string "lacework.net" no
lacework_integration_name The name of the Lacework cloud account integration. string "aws-agentless-scanning" no
org_account_mappings Mapping of AWS accounts to Lacework accounts within a Lacework organization
list(object({
default_lacework_account = string
mapping = list(object({
lacework_account = string
aws_accounts = list(string)
}))
}))
[] no
organization Used for multi-account scanning. Set management_account to the AWS Organizations management account. Set the monitored_accounts list to a list of AWS account IDs or OUs.
object({
management_account = string
monitored_accounts = list(string)
})
{
"management_account": "",
"monitored_accounts": []
}
no
prefix A string to be prefixed to the name of all new resources. string "lacework-agentless-scanning" no
regional Whether or not to create regional resources. Defaults to false. bool false no
scan_containers Whether to includes scanning for containers. Defaults to true. bool true no
scan_frequency_hours How often in hours the scan will run in hours. Defaults to 24. number 24 no
scan_host_vulnerabilities Whether to includes scanning for host vulnerabilities. Defaults to true. bool true no
scan_multi_volume Whether to scan secondary volumes. Defaults to false. bool false no
scan_stopped_instances Whether to scan stopped instances. Defaults to true. bool true no
secretsmanager_kms_key_id ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. string null no
security_group_id The ID of the security group to use for scanning compute resources. Must also set use_existing_security_group to true. string "" no
snapshot_role Whether or not to create an AWS Organization snapshot role. Defaults to false. bool false no
subnet_id The ID of the subnet to use for scanning compute resources. Must also set use_existing_subnet to true. string "" no
suffix A string to be appended to the end of the name of all new resources. string "" no
tags A map/dictionary of Tags to be assigned to created resources map(string) {} no
use_aws_flow_log Whether or not you want to create AWS flow logs for the VPC. bool true no
use_existing_cross_account_role Set this to true to use an existing IAM cross account role bool false no
use_existing_event_role Set this to true to use an existing IAM event role bool false no
use_existing_execution_role Set this to true to use an existing IAM execution role bool false no
use_existing_security_group Set this to true to use an existing security group for scanning compute resources. bool false no
use_existing_subnet Set this to true to use an existing subnet for scanning compute resources. bool false no
use_existing_task_role Set this to true to use an existing IAM task role bool false no
use_existing_vpc Set this to true to use an existing VPC. The VPC must have a Internet Gateway attached, and vpc_cidr_block will be used to create new subnet to isolate scanning resources. bool false no
use_internet_gateway Whether or not you want to use an 'AWS internet gateway' for internet facing traffic. Only set this to false if you route internet traffic using a different approach. bool true no
vpc_cidr_block VPC CIDR block used to isolate scanning VPC and single subnet. string "10.10.32.0/24" no
vpc_id The ID of an existing AWS VPC to use for deploying regional scan resources. Must have an Internet Gateway attached. string "" no

Outputs

Name Description
agentless_scan_ecs_cluster_arn Output ECS cluster ARN. Useful for managing ECS tasks via AWS CLI/SDK.
agentless_scan_ecs_event_role_arn Output ECS event role ARN.
agentless_scan_ecs_execution_role_arn Output ECS execution role ARN.
agentless_scan_ecs_task_role_arn Output ECS task role ARN.
agentless_scan_secret_arn AWS SecretsManager Secret ARN for Lacework Account and Token.
external_id External ID used for assuming snapshot creation and cross-account roles.
lacework_account Lacework Account Name for Integration.
lacework_domain Lacework Domain Name for Integration.
lacework_integration_guid The GUID for the created Lacework integration. This GUID is useful for interacting with this integration from the CLI or API.
prefix Prefix used to add uniqueness to resource names.
s3_bucket_arn The ARN of the S3 bucket used for storing Lacework agentless integration.
suffix Suffix used to add uniqueness to resource names.

About

Terraform module for configuring an integration with Lacework and AWS for agentless scanning

Topics

Resources

License

Stars

Watchers

Forks

Packages

No packages published