A Terraform Module to configure the Lacework Agentless Scanner.
Name | Version |
---|---|
terraform | >= 0.15.0 |
aws | >= 4.0 |
lacework | ~> 2.0 |
random | >= 2.1 |
Name | Version |
---|---|
aws | >= 4.0 |
lacework | ~> 2.0 |
null | n/a |
random | >= 2.1 |
No modules.
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_environment_variables | Optional list of additional environment variables passed to the ECS task. | list(object({ |
[] |
no |
agentless_scan_ecs_event_role_arn | ECS event role ARN. Required input for regional resources. (Deprecated: use global_module_reference) | string |
"" |
no |
agentless_scan_ecs_execution_role_arn | ECS execution role ARN. Required input for regional resources. (Deprecated: use global_module_reference) | string |
"" |
no |
agentless_scan_ecs_task_role_arn | ECS task role ARN. Required input for regional resources. (Deprecated: use global_module_reference) | string |
"" |
no |
agentless_scan_secret_arn | AWS SecretsManager Secret ARN for Lacework Account/Token. Required if Global is false and Regional is true . (Deprecated: use global_module_reference) |
string |
"" |
no |
bucket_encryption_enabled | Set this to false to disable setting S3 SSE. |
bool |
true |
no |
bucket_force_destroy | Force destroy bucket. (if disabled, terraform will not be able do destroy non-empty bucket) | bool |
true |
no |
bucket_sse_algorithm | The encryption algorithm to use for S3 bucket server-side encryption. | string |
"AES256" |
no |
bucket_sse_key_arn | The ARN of the KMS encryption key to be used for S3 (required when bucket_sse_algorithm is aws:kms ). |
string |
"" |
no |
bucket_tags | Optional collection of tags to apply to the bucket | map(string) |
{} |
no |
cross_account_role_arn | The IAM cross account role ARN is required when setting use_existing_cross_account_role to true | string |
"" |
no |
cross_account_role_name | The IAM cross account role name. Required to match with cross_account_role_arn if use_existing_cross_account_role is set to true | string |
"" |
no |
external_id | The external ID configured inside the IAM role used for cross account access | string |
"" |
no |
filter_query_text | The LQL query to constrain the scanning to specific resources. If left blank, Lacework will scan all resources available to the account or organization. For more information, see Limit Scanned Workloads. | string |
"" |
no |
global | Whether or not to create global resources. Defaults to false . |
bool |
false |
no |
global_module_reference | A reference to the global lacework_aws_agentless_scanning module for this account. | object({ |
{ |
no |
iam_service_linked_role | Whether or not to create aws_iam_service_linked_role. Defaults to false . |
bool |
false |
no |
image_url | The container image url for Lacework sidekick. | string |
"public.ecr.aws/p5r4i7k7/sidekick:latest" |
no |
lacework_account | The name of the Lacework account with which to integrate. | string |
"" |
no |
lacework_aws_account_id | The Lacework AWS account that the IAM role will grant access. | string |
"434813966438" |
no |
lacework_domain | The domain of the Lacework account with with to integrate. | string |
"lacework.net" |
no |
lacework_integration_name | The name of the Lacework cloud account integration. | string |
"aws-agentless-scanning" |
no |
org_account_mappings | Mapping of AWS accounts to Lacework accounts within a Lacework organization | list(object({ |
[] |
no |
organization | Used for multi-account scanning. Set management_account to the AWS Organizations management account. Set the monitored_accounts list to a list of AWS account IDs or OUs. | object({ |
{ |
no |
prefix | A string to be prefixed to the name of all new resources. | string |
"lacework-agentless-scanning" |
no |
regional | Whether or not to create regional resources. Defaults to false . |
bool |
false |
no |
scan_containers | Whether to includes scanning for containers. Defaults to true . |
bool |
true |
no |
scan_frequency_hours | How often in hours the scan will run in hours. Defaults to 24 . |
number |
24 |
no |
scan_host_vulnerabilities | Whether to includes scanning for host vulnerabilities. Defaults to true . |
bool |
true |
no |
scan_multi_volume | Whether to scan secondary volumes. Defaults to false . |
bool |
false |
no |
scan_stopped_instances | Whether to scan stopped instances. Defaults to true . |
bool |
true |
no |
secretsmanager_kms_key_id | ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret. | string |
null |
no |
security_group_id | The ID of the security group to use for scanning compute resources. Must also set use_existing_security_group to true . |
string |
"" |
no |
snapshot_role | Whether or not to create an AWS Organization snapshot role. Defaults to false . |
bool |
false |
no |
subnet_id | The ID of the subnet to use for scanning compute resources. Must also set use_existing_subnet to true . |
string |
"" |
no |
suffix | A string to be appended to the end of the name of all new resources. | string |
"" |
no |
tags | A map/dictionary of Tags to be assigned to created resources | map(string) |
{} |
no |
use_aws_flow_log | Whether or not you want to create AWS flow logs for the VPC. | bool |
true |
no |
use_existing_cross_account_role | Set this to true to use an existing IAM cross account role | bool |
false |
no |
use_existing_event_role | Set this to true to use an existing IAM event role | bool |
false |
no |
use_existing_execution_role | Set this to true to use an existing IAM execution role | bool |
false |
no |
use_existing_security_group | Set this to true to use an existing security group for scanning compute resources. |
bool |
false |
no |
use_existing_subnet | Set this to true to use an existing subnet for scanning compute resources. |
bool |
false |
no |
use_existing_task_role | Set this to true to use an existing IAM task role | bool |
false |
no |
use_existing_vpc | Set this to true to use an existing VPC. The VPC must have a Internet Gateway attached, and vpc_cidr_block will be used to create new subnet to isolate scanning resources. |
bool |
false |
no |
use_internet_gateway | Whether or not you want to use an 'AWS internet gateway' for internet facing traffic. Only set this to false if you route internet traffic using a different approach. | bool |
true |
no |
vpc_cidr_block | VPC CIDR block used to isolate scanning VPC and single subnet. | string |
"10.10.32.0/24" |
no |
vpc_id | The ID of an existing AWS VPC to use for deploying regional scan resources. Must have an Internet Gateway attached. | string |
"" |
no |
Name | Description |
---|---|
agentless_scan_ecs_cluster_arn | Output ECS cluster ARN. Useful for managing ECS tasks via AWS CLI/SDK. |
agentless_scan_ecs_event_role_arn | Output ECS event role ARN. |
agentless_scan_ecs_execution_role_arn | Output ECS execution role ARN. |
agentless_scan_ecs_task_role_arn | Output ECS task role ARN. |
agentless_scan_secret_arn | AWS SecretsManager Secret ARN for Lacework Account and Token. |
external_id | External ID used for assuming snapshot creation and cross-account roles. |
lacework_account | Lacework Account Name for Integration. |
lacework_domain | Lacework Domain Name for Integration. |
lacework_integration_guid | The GUID for the created Lacework integration. This GUID is useful for interacting with this integration from the CLI or API. |
prefix | Prefix used to add uniqueness to resource names. |
s3_bucket_arn | The ARN of the S3 bucket used for storing Lacework agentless integration. |
suffix | Suffix used to add uniqueness to resource names. |