This Terraform module provides an easy way to configure Aqua Security’s CSPM and agentless solutions on Amazon Web Services (AWS).
It creates the necessary resources, such as lambda functions, roles, and permissions, to enable seamless integration with Aqua’s platform.
Before using this module, ensure that you have the following:
- Terraform version 1.9.0 or later.
- AWS CLI installed and configured.
- Python 3+ installed.
- Aqua Security account API credentials.
- Leverage the Aqua platform to generate the local variables required by the module.
- Important: Replace `aqua_api_key` and `aqua_api_secret` with your generated API credentials.
- Log in using the AWS CLI on the account you want to onboard. If you are running organization onboarding, ensure you log in using the management account.
- Run `terraform init` to initialize the module.
- Run `terraform apply` to create the resources.
Notes:
- Ensure that the provided regions are enabled in your AWS account. If the provided regions are not enabled, they will be skipped even if they had been defined within Aqua's scan settings during onboarding.
- If you change parameters after the initial deployment, we recommend running `terraform destroy` before applying the changes again to avoid certain Lambda errors.
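A root configuration that wires the required inputs for organization onboarding, as an added example and not the module's own code. The module source path and every PLACEHOLDER value are assumptions (real values come from the Aqua platform), and the three API secrets are declared sensitive so Terraform redacts them from plan and apply output and they can be supplied from the environment instead of a .tf file.

```hcl
# Added example, not part of the module. The source path and every
# PLACEHOLDER value are assumptions; real values come from the Aqua platform.

variable "aqua_api_key" {
  type      = string
  sensitive = true # redacted from plan/apply output; pass via TF_VAR_aqua_api_key
}

variable "aqua_api_secret" {
  type      = string
  sensitive = true # pass via TF_VAR_aqua_api_secret, never commit it
}

variable "aqua_volscan_api_token" {
  type      = string
  sensitive = true # pass via TF_VAR_aqua_volscan_api_token
}

module "aqua_onboarding" {
  source = "./aqua-aws-onboarding" # assumption: local checkout of this module

  type    = "organization"
  region  = "us-east-1"                # main region for the discovery resources
  regions = ["us-east-1", "eu-west-1"] # scanning regions; disabled ones are skipped

  aqua_api_key           = var.aqua_api_key
  aqua_api_secret        = var.aqua_api_secret
  aqua_volscan_api_token = var.aqua_volscan_api_token

  # Remaining required inputs, generated by the Aqua platform (placeholders here).
  aqua_bucket_name            = "PLACEHOLDER_BUCKET_NAME"
  aqua_cspm_aws_account_id    = "111111111111"
  aqua_cspm_group_id          = 0
  aqua_cspm_ipv4_address      = "PLACEHOLDER_IPV4"
  aqua_cspm_role_prefix       = "PLACEHOLDER_ROLE_PREFIX"
  aqua_cspm_url               = "https://cspm.example.invalid"
  aqua_session_id             = "PLACEHOLDER_SESSION_ID"
  aqua_volscan_api_url        = "https://volscan.example.invalid"
  aqua_volscan_aws_account_id = "222222222222"
  aqua_worker_role_arn        = "arn:aws:iam::222222222222:role/PLACEHOLDER_WORKER_ROLE"

  # Organization-only inputs; for type = "single" omit these and set
  # aqua_autoconnect_url instead.
  aqua_group_name        = "PLACEHOLDER_GROUP_NAME"
  aqua_random_id         = "PLACEHOLDER_RANDOM_ID"
  aqua_tenant_id         = "PLACEHOLDER_TENANT_ID"
  organizational_unit_id = "ou-PLACEHOLDER"
}
```

With `TF_VAR_aqua_api_key`, `TF_VAR_aqua_api_secret` and `TF_VAR_aqua_volscan_api_token` exported in the shell that is logged in to the management account, `terraform init` followed by `terraform apply` performs the onboarding described above.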
Requirements:
Name | Version |
---|---|
terraform | >= 1.9.0 |
archive | ~> 2.4.2 |
aws | ~> 5.57.0 |
external | ~> 2.3.3 |
http | ~> 3.4.3 |
random | ~> 3.6.2 |
Providers:
Name | Version |
---|---|
random | ~> 3.6.2 |
Modules:
Name | Source | Version |
---|---|---|
organization | ./modules/organization | n/a |
single | ./modules/single | n/a |
Resources:
Name | Type |
---|---|
random_string.id | resource |
Inputs:
Name | Description | Type | Default | Required |
---|---|---|---|---|
additional_tags | Additional tags to be sent to the Autoconnect API | map(string) | {} | no |
aqua_api_key | Aqua API Key | string | n/a | yes |
aqua_api_secret | Aqua API Secret | string | n/a | yes |
aqua_autoconnect_url | Aqua Autoconnect API URL (This should be provided only if type of onboarding is 'single') | string | "" | no |
aqua_bucket_name | Aqua Bucket Name | string | n/a | yes |
aqua_cspm_aws_account_id | Aqua CSPM AWS Account ID | string | n/a | yes |
aqua_cspm_group_id | Aqua CSPM Group ID | number | n/a | yes |
aqua_cspm_ipv4_address | Aqua CSPM IPv4 address | string | n/a | yes |
aqua_cspm_role_prefix | Aqua CSPM role name prefix | string | n/a | yes |
aqua_cspm_url | Aqua CSPM API URL | string | n/a | yes |
aqua_group_name | Aqua Group Name (This should be provided only if type of onboarding is 'organization') | string | "" | no |
aqua_random_id | Aqua Random ID (This should be provided only if type of onboarding is 'organization') | string | "" | no |
aqua_session_id | Aqua Session ID | string | n/a | yes |
aqua_tenant_id | Aqua Tenant ID (This should be provided only if type of onboarding is 'organization') | string | "" | no |
aqua_volscan_api_token | Aqua Volume Scanning API Token | string | n/a | yes |
aqua_volscan_api_url | Aqua Volume Scanning API URL | string | n/a | yes |
aqua_volscan_aws_account_id | Aqua Volume Scanning AWS Account ID | string | n/a | yes |
aqua_worker_role_arn | Aqua Worker Role ARN | string | n/a | yes |
create_vpcs | Toggle to create VPCs | bool | true | no |
custom_agentless_role_name | Custom Agentless role Name | string | "" | no |
custom_bucket_name | Custom bucket Name | string | "" | no |
custom_cspm_role_name | Custom CSPM role Name | string | "" | no |
custom_internet_gateway_name | Custom Internet Gateway Name | string | "" | no |
custom_processor_lambda_role_name | Custom Processor lambda role Name | string | "" | no |
custom_security_group_name | Custom Security Group Name | string | "" | no |
custom_vpc_name | Custom VPC Name | string | "" | no |
custom_vpc_subnet1_name | Custom VPC Subnet 1 Name | string | "" | no |
custom_vpc_subnet2_name | Custom VPC Subnet 2 Name | string | "" | no |
custom_vpc_subnet_route_table1_name | Custom VPC Route Table 1 Name | string | "" | no |
custom_vpc_subnet_route_table2_name | Custom VPC Route Table 2 Name | string | "" | no |
organizational_unit_id | AWS Organizational unit (OU) ID to deploy resources on (This should be provided only if type of onboarding is 'organization') | string | "" | no |
region | Main AWS Region to deploy resources | string | n/a | yes |
regions | AWS Regions to deploy discovery and scanning resources | list(string) | n/a | yes |
show_outputs | Whether to show outputs after deployment | bool | false | no |
type | The type of onboarding. Valid values are 'single' or 'organization' | string | n/a | yes |
Outputs:
Name | Description |
---|---|
agentless_role_arn | The ARN of the IAM role created for the Agentless Volume Scanning |
cloudwatch_event_bus_arn | Cloudwatch Event Bus ARN |
cloudwatch_event_rule_arn | Cloudwatch Event Rule ARN |
cspm_external_id | Aqua CSPM External ID generated by the 'generate_cspm_external_id_function' Lambda function |
cspm_lambda_execution_role_arn | The ARN of the lambda execution IAM role created for the CSPM |
cspm_role_arn | The ARN of the IAM role created for the CSPM |
is_already_cspm_client | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
kinesis_firehose_bucket_name | Kinesis Firehose S3 Bucket Name |
kinesis_firehose_delivery_stream_arn | Kinesis Firehose Delivery Stream ARN |
kinesis_firehose_role_arn | Kinesis Firehose Role ARN |
kinesis_processor_lambda_execution_role_arn | Kinesis Processor Lambda Execution Role ARN |
kinesis_processor_lambda_function_arn | Kinesis Processor Lambda Function ARN |
kinesis_processor_lambda_log_group_name | Kinesis Processor Lambda Cloudwatch Log Group Name |
kinesis_stream_arn | Kinesis Stream ARN |
kinesis_stream_events_role_arn | Kinesis Stream Events Role ARN |
onboarding_status | Onboarding API Status Result |
organization_stack_set_name | Name of the Organization CloudFormation StackSet |
organization_stack_set_template_url | URL of the Organization CloudFormation template used by the StackSet |
region | AWS Region to deploy discovery resources |
regions | AWS Regions to deploy scanning resources |
stack_set_admin_role_arn | ARN of the StackSet admin role |
stack_set_admin_role_name | Name of the StackSet admin role |
stack_set_execution_role_arn | ARN of the StackSet execution role |
stack_set_execution_role_name | Name of the StackSet execution role |
stack_set_name | Name of the CloudFormation StackSet |
stack_set_template_url | URL of the CloudFormation template used by the StackSet |
volscan_external_id | Aqua Volume Scanning External ID generated by the 'generate_volscan_external_id_function' Lambda function |