diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS new file mode 100644 index 0000000..24c3f8d --- /dev/null +++ b/.github/CODEOWNERS @@ -0,0 +1 @@ +@Noamstrauss \ No newline at end of file diff --git a/.github/ISSUE_TEMPLATE/bug_report.md b/.github/ISSUE_TEMPLATE/bug_report.md new file mode 100644 index 0000000..87ba4e9 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/bug_report.md @@ -0,0 +1,30 @@ +--- +name: Bug report +about: Create a report to help us improve +title: '' +labels: bug +assignees: '' + +--- + +**Describe the bug** +A clear and concise description of what the bug is. + +**Steps to reproduce** + + +**Expected behavior** +A clear and concise description of what you expected to happen. + +**Screenshots** +If applicable, add screenshots to help explain your problem. + +**Please complete the following information):** + - Terraform Version: [e.g. v1.0.0 ] + - Module Version [e.g. v0.15.0] + +Run `terraform version` to find your Terraform version. +You can find the module version by running `terraform providers` or in your terraform configuration. If developing locally you can check the `VERSION` file in the project root directory. + +**Additional context** +Add any other context about the problem here. diff --git a/.github/ISSUE_TEMPLATE/feature_request.md b/.github/ISSUE_TEMPLATE/feature_request.md new file mode 100644 index 0000000..e74cb57 --- /dev/null +++ b/.github/ISSUE_TEMPLATE/feature_request.md @@ -0,0 +1,20 @@ +--- +name: Feature request +about: Suggest an idea for this project +title: '' +labels: Feature +assignees: '' + +--- + +**Is your feature request related to a problem? Please describe.** +A clear and concise description of what the problem is. Ex. I'm always frustrated when [...] + +**Describe the solution you'd like** +A clear and concise description of what you want to happen. + +**Describe alternatives you've considered** +A clear and concise description of any alternative solutions or features you've considered. + +**Additional context** +Add any other context or screenshots about the feature request here. diff --git a/.github/workflows/pr-checks.yaml b/.github/workflows/pr-checks.yaml new file mode 100644 index 0000000..5f6133c --- /dev/null +++ b/.github/workflows/pr-checks.yaml @@ -0,0 +1,87 @@ +name: PR Checks + +on: + pull_request: + +jobs: + pr-checks: + name: Terraform Validation + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v4 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v3 + with: + terraform_version: ${{ vars.TERRAFORM_VERSION }} + + - name: Setup TFLint + uses: terraform-linters/setup-tflint@v1 + with: + tflint_version: ${{ vars.TFLINT_VERSION }} + + - name: Run TFLint + id: tflint + run: tflint --config .tflint.hcl -f compact + continue-on-error: true + + - name: Run tests for each example folder + id: terraform-checks + run: | + TEST_CASES=( + examples/single-account + ) + + format_check=true + init_check=true + validate_check=true + + for tcase in ${TEST_CASES[@]}; do + echo "--> Running tests at $tcase" + ( + cd $tcase || exit 1 + echo "Replacing placeholders" + if [[ "$OSTYPE" == "darwin"* ]]; then + sed -i '' 's//dummy_value/g' *.tf + else + sed -i 's//dummy_value/g' *.tf + fi + echo "Terraform Format Check" + terraform fmt -check || format_check=false + echo "Terraform Init" + terraform init || init_check=false + echo "Terraform Validate" + terraform validate || validate_check=false + ) || exit 1 + done + + echo "format_check=$format_check" >> $GITHUB_OUTPUT + echo "init_check=$init_check" >> $GITHUB_OUTPUT + echo "validate_check=$validate_check" >> $GITHUB_OUTPUT + + - name: Comment PR with Terraform status + uses: actions/github-script@v7 + env: + FORMAT_CHECK: ${{ steps.terraform-checks.outputs.format_check == 'true' && '✅' || '❌' }} + INIT_CHECK: ${{ steps.terraform-checks.outputs.init_check == 'true' && '✅' || '❌' }} + VALIDATE_CHECK: ${{ steps.terraform-checks.outputs.validate_check == 'true' && '✅' || '❌' }} + TFLINT_CHECK: ${{ steps.tflint.outcome == 'success' && '✅' || '❌' }} + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Validation Results: + + Terraform Format Check ${{ env.FORMAT_CHECK }} + Terraform Init ${{ env.INIT_CHECK }} + Terraform Validate ${{ env.VALIDATE_CHECK }} + TFLint Check ${{ env.TFLINT_CHECK }} + + *Pusher: @${{ github.actor }}, Action: \`${{ github.event_name }}\`, Workflow: \`${{ github.workflow }}\`*`; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) \ No newline at end of file diff --git a/.github/workflows/terraform-docs.yaml b/.github/workflows/terraform-docs.yaml new file mode 100644 index 0000000..99d6231 --- /dev/null +++ b/.github/workflows/terraform-docs.yaml @@ -0,0 +1,20 @@ +name: Generate terraform docs +on: + - pull_request +jobs: + docs: + runs-on: ubuntu-20.04 + steps: + - uses: actions/checkout@v4 + with: + ref: ${{ github.event.pull_request.head.ref }} + + - name: Render terraform docs and push changes back to PR + uses: terraform-docs/gh-actions@v1.2.0 + with: + working-dir: . + output-file: README.md + scan-ref: '.' + scan-type: 'repo' + output-method: inject + git-push: "true" \ No newline at end of file diff --git a/.github/workflows/trivy-scan.yaml b/.github/workflows/trivy-scan.yaml new file mode 100644 index 0000000..4158699 --- /dev/null +++ b/.github/workflows/trivy-scan.yaml @@ -0,0 +1,26 @@ +name: Trivy +on: pull_request +jobs: + aqua: + name: Aqua scanner + runs-on: ubuntu-20.04 + steps: + - name: Checkout code + uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: gitleaks/gitleaks-action@v2 + env: + GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} + GITLEAKS_LICENSE: ${{ secrets.GITLEAKS_LICENSE}} + + - name: Run Aqua scanner + uses: docker://aquasec/aqua-scanner + with: + args: trivy fs --scanners misconfig,secret . + env: + AQUA_KEY: ${{ secrets.AQUA_KEY }} + AQUA_SECRET: ${{ secrets.AQUA_SECRET }} + GITHUB_TOKEN: ${{ github.token }} + TRIVY_RUN_AS_PLUGIN: 'aqua' \ No newline at end of file diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..eef3d79 --- /dev/null +++ b/.gitignore @@ -0,0 +1,45 @@ +# Local .terraform directories +**/.terraform* + +# generated via "make ci" +examples/**/.terraform.lock.hcl + +# .tfstate files +*.tfstate +*.tfstate.* + +# Crash log files +crash.log + +# Ignore any .tfvars files that are generated automatically for each Terraform run. Most +# .tfvars files are managed as part of configuration and so should be included in +# version control. +# +# example.tfvars +*.tfvars + +# Ignore override files as they are usually used to override resources locally and so +# are not checked in +override.tf +override.tf.json +*_override.tf +*_override.tf.json + +# Include override files you do wish to add to version control using negated pattern +# +# !example_override.tf + +# Include tfplan files to ignore the plan output of command: terraform plan -out=tfplan +# example: *tfplan* + +# Credentials Files +**/credentials.json +**/*.json + +# Local testing variables + +# vim +*.swp + +/.idea/ +.DS_Store \ No newline at end of file diff --git a/.tflint.hcl b/.tflint.hcl new file mode 100644 index 0000000..723bf59 --- /dev/null +++ b/.tflint.hcl @@ -0,0 +1,9 @@ +rule "terraform_required_providers" { + enabled = false + source = false + version = false +} + +rule "terraform_required_version" { + enabled = false +} \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..261eeb9 --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. diff --git a/README.md b/README.md index ac396a4..da08742 100644 --- a/README.md +++ b/README.md @@ -1 +1,143 @@ -# terraform-aws-onbaording \ No newline at end of file +![Aquasecurity logo](https://avatars3.githubusercontent.com/u/12783832?s=200&v=4) + +# Terraform-aws-onboarding + +![Trivy](https://github.com/aquasecurity/terraform-aws-onboarding/actions/workflows/trivy-scan.yaml/badge.svg) +[![Release](https://img.shields.io/github/v/release/aquasecurity/terraform-aws-onboarding)](https://github.com/aquasecurity/terraform-aws-onboarding/releases) +[![License](https://img.shields.io/badge/License-Apache%202.0-blue.svg)](https://opensource.org/licenses/Apache-2.0) + +This Terraform module provides an easy way +to configure Aqua Security’s CSPM and agentless solutions on Amazon Web Services (AWS). + +It creates the necessary resources, such as lambda functions, roles, and permissions, +to enable seamless integration with Aqua’s platform. + +--- + +## Table of Contents + +- [Pre-requisites](#Pre-requisites) +- [Usage](#usage) +- [Examples](#examples) + +## Pre-requisites + +Before using this module, ensure that you have the following: + +- Terraform version `1.6.4` or later. +- `aws` CLI installed and configured. +- `Python` 3+ installed. +- Aqua Security account API credentials. + +## Usage +1. Leverage the Aqua platform to generate the local variables required by the module. +2. Important: Replace `aqua_api_key` and `aqua_api_secret` with your generated API credentials. +3. Login using the AWS CLI on the account you want to onboard. +4. Run `terraform init` to initialize the module. +5. Run `terraform apply` to create the resources. + +**Notes:** +- Ensure that the provided regions are enabled in your AWS account. If the provided regions are not enabled, they will be skipped they will be skipped even if they had been defined within Aqua's scan settings during onboarding. +- If you change parameters after initial deployment, we recommend running `terraform destroy` before applying the changes again to avoid certain Lambda errors. + + +## Examples + +* [Single account with multiple regions](https://github.com/aquasecurity/terraform-aws-onboarding/examples/single-account) + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6.4 | +| [archive](#requirement\_archive) | ~> 2.4.2 | +| [aws](#requirement\_aws) | ~> 5.57.0 | +| [external](#requirement\_external) | ~> 2.3.3 | +| [http](#requirement\_http) | ~> 3.4.3 | +| [random](#requirement\_random) | ~> 3.6.2 | + +## Providers + +| Name | Version | +|------|---------| +| [random](#provider\_random) | ~> 3.6.2 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [single](#module\_single) | ./modules/single | n/a | + +## Resources + +| Name | Type | +|------|------| +| [random_string.id](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/string) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tags](#input\_additional\_tags) | Additional tags to be sent to the Autoconnect API | `map(string)` | `{}` | no | +| [aqua\_api\_key](#input\_aqua\_api\_key) | Aqua API Key | `string` | n/a | yes | +| [aqua\_api\_secret](#input\_aqua\_api\_secret) | Aqua API Secret | `string` | n/a | yes | +| [aqua\_autoconnect\_url](#input\_aqua\_autoconnect\_url) | Aqua Autoconnect API URL | `string` | n/a | yes | +| [aqua\_bucket\_name](#input\_aqua\_bucket\_name) | Aqua Bucket Name | `string` | n/a | yes | +| [aqua\_cspm\_aws\_account\_id](#input\_aqua\_cspm\_aws\_account\_id) | Aqua CSPM AWS Account ID | `string` | n/a | yes | +| [aqua\_cspm\_group\_id](#input\_aqua\_cspm\_group\_id) | Aqua CSPM Group ID | `number` | n/a | yes | +| [aqua\_cspm\_ipv4\_address](#input\_aqua\_cspm\_ipv4\_address) | Aqua CSPM IPv4 address | `string` | n/a | yes | +| [aqua\_cspm\_role\_prefix](#input\_aqua\_cspm\_role\_prefix) | Aqua CSPM role name prefix | `string` | n/a | yes | +| [aqua\_cspm\_url](#input\_aqua\_cspm\_url) | Aqua CSPM API URL | `string` | n/a | yes | +| [aqua\_session\_id](#input\_aqua\_session\_id) | Aqua Session ID | `string` | n/a | yes | +| [aqua\_volscan\_api\_token](#input\_aqua\_volscan\_api\_token) | Aqua Volume Scanning API Token | `string` | n/a | yes | +| [aqua\_volscan\_api\_url](#input\_aqua\_volscan\_api\_url) | Aqua Volume Scanning API URL | `string` | n/a | yes | +| [aqua\_volscan\_aws\_account\_id](#input\_aqua\_volscan\_aws\_account\_id) | Aqua Volume Scanning AWS Account ID | `string` | n/a | yes | +| [aqua\_worker\_role\_arn](#input\_aqua\_worker\_role\_arn) | Aqua Worker Role ARN | `string` | n/a | yes | +| [create\_vpcs](#input\_create\_vpcs) | Toggle to create VPCs | `bool` | `true` | no | +| [custom\_agentless\_role\_name](#input\_custom\_agentless\_role\_name) | Custom Agentless role Name | `string` | `""` | no | +| [custom\_bucket\_name](#input\_custom\_bucket\_name) | Custom bucket Name | `string` | `""` | no | +| [custom\_cspm\_role\_name](#input\_custom\_cspm\_role\_name) | Custom CSPM role Name | `string` | `""` | no | +| [custom\_internet\_gateway\_name](#input\_custom\_internet\_gateway\_name) | Custom Internet Gateway Name | `string` | `""` | no | +| [custom\_processor\_lambda\_role\_name](#input\_custom\_processor\_lambda\_role\_name) | Custom Processor lambda role Name | `string` | `""` | no | +| [custom\_security\_group\_name](#input\_custom\_security\_group\_name) | Custom Security Group Name | `string` | `""` | no | +| [custom\_vpc\_name](#input\_custom\_vpc\_name) | Custom VPC Name | `string` | `""` | no | +| [custom\_vpc\_subnet1\_name](#input\_custom\_vpc\_subnet1\_name) | Custom VPC Subnet 1 Name | `string` | `""` | no | +| [custom\_vpc\_subnet2\_name](#input\_custom\_vpc\_subnet2\_name) | Custom VPC Subnet 2 Name | `string` | `""` | no | +| [custom\_vpc\_subnet\_route\_table1\_name](#input\_custom\_vpc\_subnet\_route\_table1\_name) | Custom VPC Route Table 1 Name | `string` | `""` | no | +| [custom\_vpc\_subnet\_route\_table2\_name](#input\_custom\_vpc\_subnet\_route\_table2\_name) | Custom VPC Route Table 2 Name | `string` | `""` | no | +| [region](#input\_region) | Main AWS Region to to deploy resources | `string` | n/a | yes | +| [regions](#input\_regions) | AWS Regions to deploy discovery and scanning resources | `list(string)` | n/a | yes | +| [show\_outputs](#input\_show\_outputs) | Whether to show outputs after deployment | `bool` | `false` | no | +| [type](#input\_type) | The type of onboarding. Currently only 'single' onboarding types are supported | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [agentless\_role\_arn](#output\_agentless\_role\_arn) | The ARN of the IAM role created for the Agentless Volume Scanning | +| [cloudwatch\_event\_bus\_arn](#output\_cloudwatch\_event\_bus\_arn) | Cloudwatch Event Bus ARN | +| [cloudwatch\_event\_rule\_arn](#output\_cloudwatch\_event\_rule\_arn) | Cloudwatch Event Rule ARN | +| [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function | +| [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM | +| [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM | +| [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API | +| [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name | +| [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN | +| [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN | +| [kinesis\_processor\_lambda\_execution\_role\_arn](#output\_kinesis\_processor\_lambda\_execution\_role\_arn) | Kinesis Processor Lambda Execution Role ARN | +| [kinesis\_processor\_lambda\_function\_arn](#output\_kinesis\_processor\_lambda\_function\_arn) | Kinesis Processor Lambda Function ARN | +| [kinesis\_processor\_lambda\_log\_group\_name](#output\_kinesis\_processor\_lambda\_log\_group\_name) | Kinesis Processor Lambda Cloudwatch Log Group Name | +| [kinesis\_stream\_arn](#output\_kinesis\_stream\_arn) | Kinesis Stream ARN | +| [kinesis\_stream\_events\_role\_arn](#output\_kinesis\_stream\_events\_role\_arn) | Kinesis Stream Events Role ARN | +| [onboarding\_status](#output\_onboarding\_status) | Onboarding API Status Result | +| [region](#output\_region) | AWS Region to to deploy discovery resources | +| [regions](#output\_regions) | AWS Regions to to deploy scanning resources | +| [stack\_set\_admin\_role\_arn](#output\_stack\_set\_admin\_role\_arn) | ARN of the StackSet admin role | +| [stack\_set\_admin\_role\_name](#output\_stack\_set\_admin\_role\_name) | Name of the StackSet admin role | +| [stack\_set\_execution\_role\_arn](#output\_stack\_set\_execution\_role\_arn) | ARN of the StackSet execution role | +| [stack\_set\_execution\_role\_name](#output\_stack\_set\_execution\_role\_name) | Name of the StackSet execution role | +| [stack\_set\_name](#output\_stack\_set\_name) | Name of the CloudFormation StackSet | +| [stack\_set\_template\_url](#output\_stack\_set\_template\_url) | URL of the CloudFormation template used by the StackSet | +| [volscan\_external\_id](#output\_volscan\_external\_id) | Aqua Volume Scanning External ID generated by the 'generate\_volscan\_external\_id\_function' Lambda function | + \ No newline at end of file diff --git a/examples/single-account/README.md b/examples/single-account/README.md new file mode 100644 index 0000000..6eef248 --- /dev/null +++ b/examples/single-account/README.md @@ -0,0 +1,35 @@ +# Onboarding an AWS Account with Multiple Regions Example + +--- + +## Overview + +This example demonstrates how to onboard an AWS account by provisioning the necessary Aqua Security resources and configurations across multiple regions. + +## Pre-requisites + +Before running this example, ensure that you have the following: + +1. Terraform installed (version 1.6.4 or later). +2. AWS CLI installed and configured. +3. Aqua Security account API credentials. + +## Usage + +1. Obtain the Terraform configuration file generated by the Aqua platform. +2. Replace the placeholder values (``) in the example configuration with your actual Aqua Security API credentials and other required values. +3. **Log in to your desired AWS account using the AWS CLI.** +4. Run `terraform init` to initialize the Terraform working directory. +5. Run `terraform apply` to create the resources. + +## What's Happening + +- The `aqua_aws_onboarding` module is called to create the discovery and scanning resources across multiple AWS regions (`us-east-1`, `eu-central-1`, `ap-south-1`). + +## Outputs + +- `onboarding_status`: The output from the `aqua_aws_onboarding` module, displaying the result of the onboarding process. + +## Cleanup + +To remove the resources created by this example, run `terraform destroy`. \ No newline at end of file diff --git a/examples/single-account/main.tf b/examples/single-account/main.tf new file mode 100644 index 0000000..532e92e --- /dev/null +++ b/examples/single-account/main.tf @@ -0,0 +1,51 @@ +################################ + +# Define local variables +locals { + additional_tags = { example = "true" } +} + +# AWS Provider configuration +provider "aws" { + region = "us-east-1" + default_tags { + tags = merge( + local.additional_tags, + { + aqua-agentless-scanner = "true" + } + ) + } +} + +################################ + +# Create discovery and scanning resources +module "aqua_aws_onboarding" { + source = "../../" + type = "single" + region = "us-east-1" + regions = ["eu-central-1", "ap-south-1"] + additional_tags = local.additional_tags + aqua_api_key = "" + aqua_api_secret = "" + aqua_autoconnect_url = "https://example-aqua-autoconnect-url.com" + aqua_bucket_name = "generic-bucket-name" + aqua_volscan_aws_account_id = "123456789101" + aqua_volscan_api_token = "" + aqua_volscan_api_url = "https://example-aqua-volscan-api-url.com" + aqua_cspm_group_id = 123456 + aqua_cspm_aws_account_id = "123456789101" + aqua_cspm_ipv4_address = "1.234.56.78/32" + aqua_cspm_role_prefix = "" + aqua_cspm_url = "https://example-aqua-cspm-api-url.com" + aqua_worker_role_arn = "arn:aws:iam::123456789101:role/role-arn" + aqua_session_id = "234e3cea-d84a-4b9e-bb36-92518e6a5772" +} + +################################ + +# Output the onboarding status +output "onboarding_status" { + value = module.aqua_aws_onboarding.onboarding_status +} diff --git a/locals.tf b/locals.tf new file mode 100644 index 0000000..4672b23 --- /dev/null +++ b/locals.tf @@ -0,0 +1,5 @@ +# locals.tf + +locals { + random_id = lower(random_string.id.result) +} \ No newline at end of file diff --git a/main.tf b/main.tf new file mode 100644 index 0000000..34aff8e --- /dev/null +++ b/main.tf @@ -0,0 +1,41 @@ +# main.tf + +resource "random_string" "id" { + length = 5 + special = false +} + +module "single" { + source = "./modules/single" + count = var.type == "single" ? 1 : 0 + random_id = local.random_id + region = var.region + aqua_autoconnect_url = var.aqua_autoconnect_url + aqua_session_id = var.aqua_session_id + aqua_volscan_api_url = var.aqua_volscan_api_url + aqua_volscan_aws_account_id = var.aqua_volscan_aws_account_id + aqua_volscan_api_token = var.aqua_volscan_api_token + aqua_cspm_aws_account_id = var.aqua_cspm_aws_account_id + aqua_cspm_ipv4_address = var.aqua_cspm_ipv4_address + aqua_cspm_url = var.aqua_cspm_url + aqua_cspm_group_id = var.aqua_cspm_group_id + aqua_worker_role_arn = var.aqua_worker_role_arn + aqua_api_key = var.aqua_api_key + aqua_api_secret = var.aqua_api_secret + aqua_bucket_name = var.aqua_bucket_name + regions = var.regions + additional_tags = var.additional_tags + aqua_cspm_role_prefix = var.aqua_cspm_role_prefix + custom_cspm_role_name = var.custom_cspm_role_name + custom_bucket_name = var.custom_bucket_name + custom_agentless_role_name = var.custom_agentless_role_name + custom_processor_lambda_role_name = var.custom_processor_lambda_role_name + create_vpcs = var.create_vpcs + custom_internet_gateway_name = var.custom_internet_gateway_name + custom_security_group_name = var.custom_security_group_name + custom_vpc_name = var.custom_vpc_name + custom_vpc_subnet1_name = var.custom_vpc_subnet1_name + custom_vpc_subnet2_name = var.custom_vpc_subnet2_name + custom_vpc_subnet_route_table1_name = var.custom_vpc_subnet_route_table1_name + custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name +} \ No newline at end of file diff --git a/modules/single/README.md b/modules/single/README.md new file mode 100644 index 0000000..3df3ac2 --- /dev/null +++ b/modules/single/README.md @@ -0,0 +1,100 @@ +# `single` module + +--- + +This Terraform module provisions the essential AWS infrastructure and configurations to deploy and integrate Aqua Security. + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6.4 | +| [aws](#requirement\_aws) | ~> 5.57.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.57.0 | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [kinesis](#module\_kinesis) | ./modules/kinesis | n/a | +| [lambda](#module\_lambda) | ./modules/lambda | n/a | +| [stackset](#module\_stackset) | ./modules/stackset | n/a | +| [trigger](#module\_trigger) | ./modules/trigger | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | +| [aws_partition.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/partition) | data source | +| [aws_regions.enabled](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/regions) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tags](#input\_additional\_tags) | Additional resource tags to will be send to the Autoconnect API | `map(string)` | n/a | yes | +| [aqua\_api\_key](#input\_aqua\_api\_key) | Aqua API key | `string` | n/a | yes | +| [aqua\_api\_secret](#input\_aqua\_api\_secret) | Aqua API secret | `string` | n/a | yes | +| [aqua\_autoconnect\_url](#input\_aqua\_autoconnect\_url) | Aqua Autoconnect API URL | `string` | n/a | yes | +| [aqua\_bucket\_name](#input\_aqua\_bucket\_name) | Aqua Bucket Name | `string` | n/a | yes | +| [aqua\_cspm\_aws\_account\_id](#input\_aqua\_cspm\_aws\_account\_id) | Aqua CSPM AWS Account ID | `string` | n/a | yes | +| [aqua\_cspm\_group\_id](#input\_aqua\_cspm\_group\_id) | Aqua CSPM Group ID | `number` | n/a | yes | +| [aqua\_cspm\_ipv4\_address](#input\_aqua\_cspm\_ipv4\_address) | Aqua CSPM IPv4 address | `string` | n/a | yes | +| [aqua\_cspm\_role\_prefix](#input\_aqua\_cspm\_role\_prefix) | Aqua CSPM role name prefix | `string` | n/a | yes | +| [aqua\_cspm\_url](#input\_aqua\_cspm\_url) | Aqua CSPM API URL | `string` | n/a | yes | +| [aqua\_session\_id](#input\_aqua\_session\_id) | Aqua Session ID | `string` | n/a | yes | +| [aqua\_volscan\_api\_token](#input\_aqua\_volscan\_api\_token) | Aqua Volume Scanning API Token | `string` | n/a | yes | +| [aqua\_volscan\_api\_url](#input\_aqua\_volscan\_api\_url) | Aqua Volume Scanning API URL | `string` | n/a | yes | +| [aqua\_volscan\_aws\_account\_id](#input\_aqua\_volscan\_aws\_account\_id) | Aqua Volume Scanning AWS Account ID | `string` | n/a | yes | +| [aqua\_worker\_role\_arn](#input\_aqua\_worker\_role\_arn) | Aqua Worker Role ARN | `string` | n/a | yes | +| [create\_vpcs](#input\_create\_vpcs) | Toggle to create VPCs | `bool` | n/a | yes | +| [custom\_agentless\_role\_name](#input\_custom\_agentless\_role\_name) | Custom Agentless role Name | `string` | n/a | yes | +| [custom\_bucket\_name](#input\_custom\_bucket\_name) | Custom bucket Name | `string` | n/a | yes | +| [custom\_cspm\_role\_name](#input\_custom\_cspm\_role\_name) | Custom CSPM role Name | `string` | n/a | yes | +| [custom\_internet\_gateway\_name](#input\_custom\_internet\_gateway\_name) | Custom Internet Gateway Name | `string` | n/a | yes | +| [custom\_processor\_lambda\_role\_name](#input\_custom\_processor\_lambda\_role\_name) | Custom Processor lambda role Name | `string` | n/a | yes | +| [custom\_security\_group\_name](#input\_custom\_security\_group\_name) | Custom Security Group Name | `string` | n/a | yes | +| [custom\_vpc\_name](#input\_custom\_vpc\_name) | Custom VPC Name | `string` | n/a | yes | +| [custom\_vpc\_subnet1\_name](#input\_custom\_vpc\_subnet1\_name) | Custom VPC Subnet 1 Name | `string` | n/a | yes | +| [custom\_vpc\_subnet2\_name](#input\_custom\_vpc\_subnet2\_name) | Custom VPC Subnet 2 Name | `string` | n/a | yes | +| [custom\_vpc\_subnet\_route\_table1\_name](#input\_custom\_vpc\_subnet\_route\_table1\_name) | Custom VPC Route Table 1 Name | `string` | n/a | yes | +| [custom\_vpc\_subnet\_route\_table2\_name](#input\_custom\_vpc\_subnet\_route\_table2\_name) | Custom VPC Route Table 2 Name | `string` | n/a | yes | +| [random\_id](#input\_random\_id) | Random ID to apply to resource names | `string` | n/a | yes | +| [region](#input\_region) | Main AWS Region to to deploy resources | `string` | n/a | yes | +| [regions](#input\_regions) | AWS Regions to deploy discovery and scanning resources | `list(string)` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [agentless\_role\_arn](#output\_agentless\_role\_arn) | The ARN of the IAM role created for the Agentless Volume Scanning | +| [cloudwatch\_event\_bus\_arn](#output\_cloudwatch\_event\_bus\_arn) | Cloudwatch Event Bus ARN | +| [cloudwatch\_event\_rule\_arn](#output\_cloudwatch\_event\_rule\_arn) | Cloudwatch Event Rule ARN | +| [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function | +| [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM | +| [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM | +| [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API | +| [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name | +| [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN | +| [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN | +| [kinesis\_processor\_lambda\_execution\_role\_arn](#output\_kinesis\_processor\_lambda\_execution\_role\_arn) | Kinesis Processor Lambda Execution Role ARN | +| [kinesis\_processor\_lambda\_function\_arn](#output\_kinesis\_processor\_lambda\_function\_arn) | Kinesis Processor Lambda Function ARN | +| [kinesis\_processor\_lambda\_log\_group\_name](#output\_kinesis\_processor\_lambda\_log\_group\_name) | Kinesis Processor Lambda Cloudwatch Log Group Name | +| [kinesis\_stream\_arn](#output\_kinesis\_stream\_arn) | Kinesis Stream ARN | +| [kinesis\_stream\_events\_role\_arn](#output\_kinesis\_stream\_events\_role\_arn) | Kinesis Stream Events Role ARN | +| [onboarding\_status](#output\_onboarding\_status) | Onboarding API Status Result | +| [stack\_set\_admin\_role\_arn](#output\_stack\_set\_admin\_role\_arn) | ARN of the StackSet admin role | +| [stack\_set\_admin\_role\_name](#output\_stack\_set\_admin\_role\_name) | Name of the StackSet admin role | +| [stack\_set\_execution\_role\_arn](#output\_stack\_set\_execution\_role\_arn) | ARN of the StackSet execution role | +| [stack\_set\_execution\_role\_name](#output\_stack\_set\_execution\_role\_name) | Name of the StackSet execution role | +| [stack\_set\_name](#output\_stack\_set\_name) | Name of the CloudFormation StackSet | +| [stack\_set\_template\_url](#output\_stack\_set\_template\_url) | URL of the CloudFormation template used by the StackSet | +| [volscan\_external\_id](#output\_volscan\_external\_id) | Aqua Volume Scanning External ID generated by the 'generate\_volscan\_external\_id\_function' Lambda function | + \ No newline at end of file diff --git a/modules/single/data.tf b/modules/single/data.tf new file mode 100644 index 0000000..d82876d --- /dev/null +++ b/modules/single/data.tf @@ -0,0 +1,16 @@ +# modules/single/data.tf + +data "aws_caller_identity" "current" {} + +data "aws_partition" "current" {} + +# Fetch All AWS regions that are enabled +data "aws_regions" "enabled" { + # Retrieve all AWS regions + all_regions = true + + filter { + name = "opt-in-status" + values = ["opt-in-not-required", "opted-in"] + } +} diff --git a/modules/single/locals.tf b/modules/single/locals.tf new file mode 100644 index 0000000..1f41cf6 --- /dev/null +++ b/modules/single/locals.tf @@ -0,0 +1,15 @@ +# modules/single/locals.tf + +locals { + # Filter and select only the enabled regions that are specified in var.regions + enabled_regions = [ + for region in data.aws_regions.enabled.names : + region if contains(var.regions, region) + ] + + # Fetch the current caller AWS account ID + aws_account_id = data.aws_caller_identity.current.account_id + + # Fetch the current AWS partition + aws_partition = data.aws_partition.current.partition +} \ No newline at end of file diff --git a/modules/single/main.tf b/modules/single/main.tf new file mode 100644 index 0000000..23224a6 --- /dev/null +++ b/modules/single/main.tf @@ -0,0 +1,65 @@ +# modules/single/main.tf + +module "kinesis" { + source = "./modules/kinesis" + random_id = var.random_id + aqua_volscan_api_url = var.aqua_volscan_api_url + aqua_volscan_api_token = var.aqua_volscan_api_token + custom_bucket_name = var.custom_bucket_name + custom_processor_lambda_role_name = var.custom_processor_lambda_role_name +} + +module "lambda" { + source = "./modules/lambda" + random_id = var.random_id + aqua_autoconnect_url = var.aqua_autoconnect_url + aqua_volscan_aws_account_id = var.aqua_volscan_aws_account_id + aqua_api_key = var.aqua_api_key + aqua_api_secret = var.aqua_api_secret + aqua_cspm_group_id = var.aqua_cspm_group_id + aqua_cspm_ipv4_address = var.aqua_cspm_ipv4_address + aqua_cspm_aws_account_id = var.aqua_cspm_aws_account_id + aqua_cspm_url = var.aqua_cspm_url + aqua_worker_role_arn = var.aqua_worker_role_arn + aws_account_id = local.aws_account_id + aqua_cspm_role_prefix = var.aqua_cspm_role_prefix + custom_agentless_role_name = var.custom_agentless_role_name + custom_cspm_role_name = var.custom_cspm_role_name + depends_on = [module.kinesis] + +} + +module "stackset" { + source = "./modules/stackset" + random_id = var.random_id + aws_account_id = local.aws_account_id + aws_partition = local.aws_partition + aqua_bucket_name = var.aqua_bucket_name + enabled_regions = local.enabled_regions + create_vpcs = var.create_vpcs + custom_vpc_name = var.custom_vpc_name + custom_vpc_subnet_route_table1_name = var.custom_vpc_subnet_route_table1_name + custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name + custom_internet_gateway_name = var.custom_internet_gateway_name + custom_vpc_subnet1_name = var.custom_vpc_subnet1_name + custom_vpc_subnet2_name = var.custom_vpc_subnet2_name + custom_security_group_name = var.custom_security_group_name + event_bus_arn = module.kinesis.event_bus_arn + depends_on = [module.lambda] +} + +module "trigger" { + source = "./modules/trigger" + region = var.region + aqua_api_key = var.aqua_api_key + aqua_api_secret = var.aqua_api_secret + aqua_autoconnect_url = var.aqua_autoconnect_url + aqua_session_id = var.aqua_session_id + cspm_role_arn = module.lambda.cspm_role_arn + cspm_external_id = module.lambda.cspm_external_id + is_already_cspm_client = module.lambda.is_already_cspm_client + volscan_role_arn = module.lambda.agentless_role_arn + volscan_external_id = module.lambda.volscan_external_id + additional_tags = var.additional_tags + depends_on = [module.stackset] +} \ No newline at end of file diff --git a/modules/single/modules/kinesis/README.md b/modules/single/modules/kinesis/README.md new file mode 100644 index 0000000..0a0071a --- /dev/null +++ b/modules/single/modules/kinesis/README.md @@ -0,0 +1,66 @@ +# `kinesis` module + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6.4 | +| [archive](#requirement\_archive) | ~> 2.4.2 | +| [aws](#requirement\_aws) | ~> 5.57.0 | + +## Providers + +| Name | Version | +|------|---------| +| [archive](#provider\_archive) | ~> 2.4.2 | +| [aws](#provider\_aws) | ~> 5.57.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudwatch_event_bus.event_bus](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_bus) | resource | +| [aws_cloudwatch_event_rule.event_rule](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_event_rule) | resource | +| [aws_cloudwatch_log_group.kinesis_processor_lambda_log_group](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudwatch_log_group) | resource | +| [aws_iam_role.kinesis_firehose_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.kinesis_stream_events_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.processor_lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_kinesis_firehose_delivery_stream.kinesis_firehose](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_firehose_delivery_stream) | resource | +| [aws_kinesis_stream.kinesis_stream](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/kinesis_stream) | resource | +| [aws_lambda_function.kinesis_processor_lambda](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_s3_bucket.kinesis_firehose_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource | +| [aws_s3_bucket_lifecycle_configuration.kinesis_firehose_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_lifecycle_configuration) | resource | +| [aws_s3_bucket_public_access_block.kinesis_firehose_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_public_access_block) | resource | +| [aws_s3_bucket_server_side_encryption_configuration.kinesis_firehose_bucket](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_server_side_encryption_configuration) | resource | +| [archive_file.kinesis_processor_function](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aqua\_volscan\_api\_token](#input\_aqua\_volscan\_api\_token) | Aqua Volume Scanning API Token | `string` | n/a | yes | +| [aqua\_volscan\_api\_url](#input\_aqua\_volscan\_api\_url) | Aqua Volume Scanning API URL | `string` | n/a | yes | +| [custom\_bucket\_name](#input\_custom\_bucket\_name) | Custom bucket Name | `string` | n/a | yes | +| [custom\_processor\_lambda\_role\_name](#input\_custom\_processor\_lambda\_role\_name) | Custom Processor lambda role Name | `string` | n/a | yes | +| [random\_id](#input\_random\_id) | Random ID to apply to resource names | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [event\_bus\_arn](#output\_event\_bus\_arn) | Cloudwatch Event Bus ARN | +| [event\_rule\_arn](#output\_event\_rule\_arn) | Cloudwatch Event Rule ARN | +| [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name | +| [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN | +| [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN | +| [kinesis\_processor\_lambda\_execution\_role\_arn](#output\_kinesis\_processor\_lambda\_execution\_role\_arn) | Kinesis Processor Lambda Execution Role ARN | +| [kinesis\_processor\_lambda\_function\_arn](#output\_kinesis\_processor\_lambda\_function\_arn) | Kinesis Processor Lambda Function ARN | +| [kinesis\_processor\_lambda\_log\_group\_name](#output\_kinesis\_processor\_lambda\_log\_group\_name) | Kinesis Processor Lambda Cloudwatch Log Group Name | +| [kinesis\_stream\_arn](#output\_kinesis\_stream\_arn) | Kinesis Stream ARN | +| [kinesis\_stream\_events\_role\_arn](#output\_kinesis\_stream\_events\_role\_arn) | Kinesis Stream Events Role ARN | + \ No newline at end of file diff --git a/modules/single/modules/kinesis/data.tf b/modules/single/modules/kinesis/data.tf new file mode 100644 index 0000000..f4a0fb6 --- /dev/null +++ b/modules/single/modules/kinesis/data.tf @@ -0,0 +1,8 @@ +# modules/single/modules/kinesis/data.tf + +# Archive kinesis_processor.py into a zip file +data "archive_file" "kinesis_processor_function" { + type = "zip" + source_file = "${path.module}/functions/kinesis_processor.py" + output_path = "kinesis_processor.zip" +} \ No newline at end of file diff --git a/modules/single/modules/kinesis/functions/kinesis_processor.py b/modules/single/modules/kinesis/functions/kinesis_processor.py new file mode 100644 index 0000000..f354d82 --- /dev/null +++ b/modules/single/modules/kinesis/functions/kinesis_processor.py @@ -0,0 +1,79 @@ +import base64 +import json +import logging +import time +import boto3 + +logger = logging.getLogger() +logger.setLevel(logging.INFO) + +tagKey = "aqua-agentless-scanner" +tagValue = "true" + +def handler(event, context) -> dict: + output = [] + allowed = 0 + dropped = 0 + logging.info("main handler function") + + for record in event['records']: + payload = base64.b64decode(record["data"]) + allowed_record = filter_record_payload(payload) + + output_record = { + 'recordId': record['recordId'], + 'result': 'Ok' if allowed_record else 'Dropped', + 'data': record['data'] + } + output.append(output_record) + + if allowed_record: + allowed += 1 + else: + dropped += 1 + + logger.info(f"Successfully processed {len(event['records'])} records. Dropped {dropped}. Allowed {allowed}") + return {'records': output} + +def filter_record_payload(payload): + sleep_seconds = 5 + num_of_retries = 3 + logging.info("filter record function") + logging.info("Decoded payload: " + str(payload)) + + decoded_payload = json.loads(payload) + ec2_client = boto3.client('ec2', region_name=decoded_payload['region']) + + for i in range(num_of_retries): + try: + snapshot_arn_split = decoded_payload['resources'][0].split("/") + snapshot_id = snapshot_arn_split[-1] + logging.info(f"Getting snapshot description for snapshot id: {snapshot_id} in try {i}") + snapshots_description = ec2_client.describe_snapshots(SnapshotIds=[snapshot_id]) + except Exception as e: + logging.warning(f"Snapshots description failed. error: {e}") + if i < num_of_retries - 1: + time.sleep(sleep_seconds) + sleep_seconds += 3 + else: + break + else: + raise ValueError('Failed to describe snapshots') + + logging.info("Description of snapshot: " + str(snapshots_description)) + + snapshot_description = snapshots_description['Snapshots'][0] + logger.info(f"Snapshot Id: {snapshot_description['SnapshotId']} Volume Id: {snapshot_description['VolumeId']}") + + try: + for i, tagPair in enumerate(snapshot_description['Tags']): + logger.info(f"Verifying Tag Key: {tagPair['Key']} Value: {tagPair['Value']}") + if tagPair['Key'] == tagKey and tagPair['Value'] == tagValue: + logger.info("Snapshot has a tag that is matching with the desired Aqua tag") + return True + elif i == len(snapshot_description['Tags']) - 1: + logger.info("None of the snapshot's tags is matching the desired tag") + return False + except KeyError: + logger.info("There are no tags for this snapshot") + return False diff --git a/modules/single/modules/kinesis/main.tf b/modules/single/modules/kinesis/main.tf new file mode 100644 index 0000000..1f1ab5f --- /dev/null +++ b/modules/single/modules/kinesis/main.tf @@ -0,0 +1,264 @@ +# modules/single/modules/kinesis/main.tf + +# Create Cloudwatch event bus +resource "aws_cloudwatch_event_bus" "event_bus" { + name = "aqua-bus-${var.random_id}" +} + +# Create Cloudwatch event rule for EBS events +resource "aws_cloudwatch_event_rule" "event_rule" { + name = "aqua-autoconnect-event-rule-${var.random_id}" + description = "Aqua EventBridge rule" + event_bus_name = aws_cloudwatch_event_bus.event_bus.name + role_arn = aws_iam_role.kinesis_stream_events_role.arn + event_pattern = jsonencode({ + "detail" : { + "event" : [ + "createSnapshots" + ], + "result" : [ + "succeeded", + "failed" + ] + }, + "detail-type" : [ + "EBS Multi-Volume Snapshots Completion Status" + ], + "source" : [ + "aws.ec2" + ] + }) +} + +# Create Kinesis Processor lambda Cloudwatch log group +# trivy:ignore:AVD-AWS-0017 +resource "aws_cloudwatch_log_group" "kinesis_processor_lambda_log_group" { + name = "/aws/lambda/aqua-autoconnect-kinesis-processor-lambda-${var.random_id}" + retention_in_days = 7 +} + +# Create Kinesis Data Stream Events role +resource "aws_iam_role" "kinesis_stream_events_role" { + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Service" : "events.amazonaws.com" + }, + "Action" : "sts:AssumeRole" + } + ] + }) + inline_policy { + name = "kinesis-datastream-events-role-policy-${var.random_id}" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : [ + "kinesis:PutRecord", + "kinesis:PutRecords" + ], + "Resource" : aws_kinesis_stream.kinesis_stream.arn, + "Effect" : "Allow" + } + ] + }) + } + name = "aqua-autoconnect-kinesis-datastream-events-role-${var.random_id}" +} + +# Create Kinesis Firehose role +resource "aws_iam_role" "kinesis_firehose_role" { + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Service" : "firehose.amazonaws.com" + }, + "Action" : "sts:AssumeRole" + } + ] + }) + description = "Aqua kinesis firehose role" + inline_policy { + name = "aqua-policy" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : [ + "kinesis:DescribeStream", + "kinesis:GetRecords", + "kinesis:GetShardIterator", + "kinesis:ListShards" + ], + "Resource" : aws_kinesis_stream.kinesis_stream.arn, + "Effect" : "Allow", + "Sid" : "kinesisStreamPermissions" + }, + { + "Action" : [ + "lambda:GetFunctionConfiguration", + "lambda:InvokeFunction" + ], + "Resource" : aws_kinesis_stream.kinesis_stream.arn, + "Effect" : "Allow", + "Sid" : "lambdaPermissions" + }, + { + "Action" : [ + "s3:AbortMultipartUpload", + "s3:GetObject", + "s3:ListBucket", + "s3:ListBucketMultipartUploads", + "s3:PutObject" + ], + "Resource" : [ + aws_s3_bucket.kinesis_firehose_bucket.arn, + "${aws_s3_bucket.kinesis_firehose_bucket.arn}/*" + ], + "Effect" : "Allow", + "Sid" : "s3Permissions" + } + ] + }) + } + name = "aqua-autoconnect-kinesis-firehose-role-${var.random_id}" +} + +# Create Kinesis Processor lambda execution role +resource "aws_iam_role" "processor_lambda_execution_role" { + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Service" : "lambda.amazonaws.com" + }, + "Action" : "sts:AssumeRole" + } + ] + }) + description = "Aqua kinesis firehose processor lambda role" + inline_policy { + name = "policy" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : "ec2:DescribeSnapshots", + "Resource" : "*", + "Effect" : "Allow", + "Sid" : "DescribeEc2Snapshots" + } + ] + }) + } + managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole", "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"] + name = var.custom_processor_lambda_role_name == "" ? "aqua-autoconnect-processor-lambda-execution-role-${var.random_id}" : var.custom_processor_lambda_role_name +} + +# Create Kinesis Firehose S3 bucket +# trivy:ignore:AVD-AWS-0090 +# trivy:ignore:AVD-AWS-0089 +resource "aws_s3_bucket" "kinesis_firehose_bucket" { + bucket = var.custom_bucket_name == "" ? "aqua-autoconnect-kinesis-firehose-bucket-${var.random_id}" : var.custom_bucket_name +} + +# Create Kinesis Firehose S3 bucket lifecycle configuration +resource "aws_s3_bucket_lifecycle_configuration" "kinesis_firehose_bucket" { + bucket = aws_s3_bucket.kinesis_firehose_bucket.bucket + rule { + expiration { + days = 7 + expired_object_delete_marker = false + } + id = "aqua-autoconnect-kinesis-firehose-bucket-lifecycle-policy" + status = "Enabled" + } +} + +# Create Kinesis Firehose S3 bucket public access block +resource "aws_s3_bucket_public_access_block" "kinesis_firehose_bucket" { + bucket = aws_s3_bucket.kinesis_firehose_bucket.bucket + block_public_acls = true + block_public_policy = true + ignore_public_acls = true + restrict_public_buckets = true +} + +# Create Kinesis Firehose S3 bucket SSE configuration +# trivy:ignore:AVD-AWS-0132 +resource "aws_s3_bucket_server_side_encryption_configuration" "kinesis_firehose_bucket" { + bucket = aws_s3_bucket.kinesis_firehose_bucket.bucket + rule { + apply_server_side_encryption_by_default { + sse_algorithm = "AES256" + } + bucket_key_enabled = false + } +} + +# Create Kinesis Processor lambda function +# trivy:ignore:AVD-AWS-0066 +resource "aws_lambda_function" "kinesis_processor_lambda" { + architectures = ["x86_64"] + description = "Aqua Kinesis Firehose Processor Lambda" + function_name = "aqua-autoconnect-kinesis-processor-lambda-function-${var.random_id}" + handler = "index.handler" + role = aws_iam_role.processor_lambda_execution_role.arn + runtime = "python3.12" + timeout = 900 + filename = data.archive_file.kinesis_processor_function.output_path + source_code_hash = data.archive_file.kinesis_processor_function.output_base64sha256 + tracing_config { + mode = "PassThrough" + } +} + +# Create Kinesis Stream +resource "aws_kinesis_stream" "kinesis_stream" { + encryption_type = "KMS" + kms_key_id = "alias/aws/kinesis" + name = "aqua-autoconnect-kinesis-datastream-${var.random_id}" + shard_count = 1 +} + +# Create Kinesis Firehose Delivery Stream +resource "aws_kinesis_firehose_delivery_stream" "kinesis_firehose" { + destination = "http_endpoint" + http_endpoint_configuration { + access_key = var.aqua_volscan_api_token + buffering_interval = 60 + buffering_size = 5 + name = "kinesis-firehose-destination" + processing_configuration { + enabled = true + processors { + parameters { + parameter_name = "LambdaArn" + parameter_value = aws_lambda_function.kinesis_processor_lambda.arn + } + type = "Lambda" + } + } + role_arn = aws_iam_role.kinesis_firehose_role.arn + url = var.aqua_volscan_api_url + s3_configuration { + bucket_arn = aws_s3_bucket.kinesis_firehose_bucket.arn + role_arn = aws_iam_role.kinesis_firehose_role.arn + } + } + kinesis_source_configuration { + kinesis_stream_arn = aws_kinesis_stream.kinesis_stream.arn + role_arn = aws_iam_role.kinesis_firehose_role.arn + } + name = "aqua-autoconnect-kinesis-firehose-${var.random_id}" +} + diff --git a/modules/single/modules/kinesis/outputs.tf b/modules/single/modules/kinesis/outputs.tf new file mode 100644 index 0000000..7920c6f --- /dev/null +++ b/modules/single/modules/kinesis/outputs.tf @@ -0,0 +1,51 @@ +# modules/single/modules/kinesis/outputs.tf + +output "event_bus_arn" { + description = "Cloudwatch Event Bus ARN" + value = aws_cloudwatch_event_bus.event_bus.arn +} + +output "event_rule_arn" { + description = "Cloudwatch Event Rule ARN" + value = aws_cloudwatch_event_rule.event_rule.arn +} + +output "kinesis_processor_lambda_log_group_name" { + description = "Kinesis Processor Lambda Cloudwatch Log Group Name" + value = aws_cloudwatch_log_group.kinesis_processor_lambda_log_group.name +} + +output "kinesis_stream_events_role_arn" { + description = "Kinesis Stream Events Role ARN" + value = aws_iam_role.kinesis_stream_events_role.arn +} + +output "kinesis_firehose_role_arn" { + description = "Kinesis Firehose Role ARN" + value = aws_iam_role.kinesis_firehose_role.arn +} + +output "kinesis_processor_lambda_execution_role_arn" { + description = "Kinesis Processor Lambda Execution Role ARN" + value = aws_iam_role.processor_lambda_execution_role.arn +} + +output "kinesis_firehose_bucket_name" { + description = "Kinesis Firehose S3 Bucket Name" + value = aws_s3_bucket.kinesis_firehose_bucket.bucket +} + +output "kinesis_processor_lambda_function_arn" { + description = "Kinesis Processor Lambda Function ARN" + value = aws_lambda_function.kinesis_processor_lambda.arn +} + +output "kinesis_stream_arn" { + description = "Kinesis Stream ARN" + value = aws_kinesis_stream.kinesis_stream.arn +} + +output "kinesis_firehose_delivery_stream_arn" { + description = "Kinesis Firehose Delivery Stream ARN" + value = aws_kinesis_firehose_delivery_stream.kinesis_firehose.arn +} diff --git a/modules/single/modules/kinesis/variables.tf b/modules/single/modules/kinesis/variables.tf new file mode 100644 index 0000000..86fc0d3 --- /dev/null +++ b/modules/single/modules/kinesis/variables.tf @@ -0,0 +1,26 @@ +# modules/single/modules/kinesis/variables.tf + +variable "random_id" { + description = "Random ID to apply to resource names" + type = string +} + +variable "aqua_volscan_api_url" { + description = "Aqua Volume Scanning API URL" + type = string +} + +variable "aqua_volscan_api_token" { + description = "Aqua Volume Scanning API Token" + type = string +} + +variable "custom_bucket_name" { + description = "Custom bucket Name" + type = string +} + +variable "custom_processor_lambda_role_name" { + description = "Custom Processor lambda role Name" + type = string +} \ No newline at end of file diff --git a/modules/single/modules/kinesis/versions.tf b/modules/single/modules/kinesis/versions.tf new file mode 100644 index 0000000..34c4ceb --- /dev/null +++ b/modules/single/modules/kinesis/versions.tf @@ -0,0 +1,15 @@ +# modules/single/modules/kinesis/versions.tf + +terraform { + required_version = ">= 1.6.4" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.57.0" + } + archive = { + source = "hashicorp/archive" + version = "~> 2.4.2" + } + } +} \ No newline at end of file diff --git a/modules/single/modules/lambda/README.md b/modules/single/modules/lambda/README.md new file mode 100644 index 0000000..3f0ed36 --- /dev/null +++ b/modules/single/modules/lambda/README.md @@ -0,0 +1,71 @@ +# `lambda` module + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6.4 | +| [archive](#requirement\_archive) | ~> 2.4.2 | +| [aws](#requirement\_aws) | ~> 5.57.0 | + +## Providers + +| Name | Version | +|------|---------| +| [archive](#provider\_archive) | ~> 2.4.2 | +| [aws](#provider\_aws) | ~> 5.57.0 | +| [time](#provider\_time) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_role.agentless_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.cspm_lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.cspm_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.lambda_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_lambda_function.create_cspm_key_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.generate_cspm_external_id_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_function.generate_volscan_external_id_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_function) | resource | +| [aws_lambda_invocation.create_cspm_key_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource | +| [aws_lambda_invocation.generate_cspm_external_id_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource | +| [aws_lambda_invocation.generate_volscan_external_id_function](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/lambda_invocation) | resource | +| [time_sleep.sleep](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [archive_file.create_cspm_key_function](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | +| [archive_file.generate_external_id_function](https://registry.terraform.io/providers/hashicorp/archive/latest/docs/data-sources/file) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aqua\_api\_key](#input\_aqua\_api\_key) | Aqua API Key | `string` | n/a | yes | +| [aqua\_api\_secret](#input\_aqua\_api\_secret) | Aqua API Secret | `string` | n/a | yes | +| [aqua\_autoconnect\_url](#input\_aqua\_autoconnect\_url) | Aqua Autoconnect API URL | `string` | n/a | yes | +| [aqua\_cspm\_aws\_account\_id](#input\_aqua\_cspm\_aws\_account\_id) | Aqua CSPM AWS Account ID | `string` | n/a | yes | +| [aqua\_cspm\_group\_id](#input\_aqua\_cspm\_group\_id) | Aqua CSPM Group ID | `number` | n/a | yes | +| [aqua\_cspm\_ipv4\_address](#input\_aqua\_cspm\_ipv4\_address) | Aqua CSPM IPv4 address | `string` | n/a | yes | +| [aqua\_cspm\_role\_prefix](#input\_aqua\_cspm\_role\_prefix) | Aqua CSPM role name prefix | `string` | n/a | yes | +| [aqua\_cspm\_url](#input\_aqua\_cspm\_url) | Aqua CSPM API URL | `string` | n/a | yes | +| [aqua\_volscan\_aws\_account\_id](#input\_aqua\_volscan\_aws\_account\_id) | Aqua Volume Scanning AWS Account ID | `string` | n/a | yes | +| [aqua\_worker\_role\_arn](#input\_aqua\_worker\_role\_arn) | Aqua Worker Role ARN | `string` | n/a | yes | +| [aws\_account\_id](#input\_aws\_account\_id) | AWS Account ID | `number` | n/a | yes | +| [custom\_agentless\_role\_name](#input\_custom\_agentless\_role\_name) | Custom Agentless role Name | `string` | n/a | yes | +| [custom\_cspm\_role\_name](#input\_custom\_cspm\_role\_name) | Custom CSPM role Name | `string` | n/a | yes | +| [random\_id](#input\_random\_id) | Random ID to apply to resource names | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [agentless\_role\_arn](#output\_agentless\_role\_arn) | The ARN of the IAM role created for the Agentless Volume Scanning | +| [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function | +| [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM | +| [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM | +| [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API | +| [volscan\_external\_id](#output\_volscan\_external\_id) | Aqua Volume Scanning External ID generated by the 'generate\_volscan\_external\_id\_function' Lambda function | + \ No newline at end of file diff --git a/modules/single/modules/lambda/data.tf b/modules/single/modules/lambda/data.tf new file mode 100644 index 0000000..0bc4e79 --- /dev/null +++ b/modules/single/modules/lambda/data.tf @@ -0,0 +1,17 @@ +# modules/single/modules/lambda/data.tf + +# Archive create_cspm_key.py into a zip file +data "archive_file" "create_cspm_key_function" { + type = "zip" + source_file = "${path.module}/functions/create_cspm_key.py" + output_path = "create_cspm_key.zip" +} + +# Archive generate_external_id.py into a zip file +data "archive_file" "generate_external_id_function" { + type = "zip" + source_file = "${path.module}/functions/generate_external_id.py" + output_path = "generate_external_id.zip" +} + + diff --git a/modules/single/modules/lambda/functions/create_cspm_key.py b/modules/single/modules/lambda/functions/create_cspm_key.py new file mode 100644 index 0000000..bc75f30 --- /dev/null +++ b/modules/single/modules/lambda/functions/create_cspm_key.py @@ -0,0 +1,80 @@ + +import json +import urllib3 +import hashlib +import time +import hmac + +def handler(event, context): + cspm_url = event.get('ApiUrl') + ac_url = event.get('AutoConnectApiUrl') + aqua_api_key = event.get('AquaApiKey') + aqua_secret = event.get('AquaSecretKey') + role_arn = event.get('RoleArn') + account_id = event.get('AccountId') + external_id = event.get('ExternalId') + group = int(event.get('GroupId')) + aws_account_id = context.invoked_function_arn.split(":")[4] + + try: + print('creating a new cspm key') + is_already_cspm_client = create_cspm_key( + cspm_url, ac_url, aqua_api_key, aqua_secret, + role_arn, external_id, group, account_id, aws_account_id + ) + return {"IsAlreadyCSPMClient": is_already_cspm_client} + + except Exception as e: + print(f"error: {e}") + return {"error": e} + + +def get_signature(aqua_secret, tstmp, path, method, body): + enc = tstmp + method + path + body + print(f'enc: {enc}') + enc_b = bytes(enc, 'utf-8') + secret = bytes(aqua_secret, 'utf-8') + sig = hmac.new(secret, enc_b, hashlib.sha256).hexdigest() + return sig + +def http_request(url, headers, method, body=None): + http = urllib3.PoolManager(cert_reqs='CERT_NONE') + + try: + response = http.request(method, url, body=body, headers=headers) + data = json.loads(response.data.decode('utf-8')) + except Exception as e: + print(f'could not parse event data; {e}') + data = {} + return data + +def create_cspm_key(cspm_url, ac_url, aqua_api_key, aqua_secret, role_arn, external_id, group, account_id, aws_account_id): + body = { + "name": account_id, + "cloud": "aws", + "autoconnect": True, + "role_arn": role_arn, + "external_id": external_id, + "group_id": group + } + + print(f'body: {body}') + tstmp = str(int(time.time() * 1000)) + jsonbody = json.dumps(body, separators=(',', ':')) + sig = get_signature(aqua_secret, tstmp, "/v2/keys", "POST", jsonbody) + headers = { + "X-API-Key": aqua_api_key, + "X-Signature": sig, + "X-Timestamp": tstmp + } + + response = http_request(cspm_url + '/v2/keys', headers, "POST", jsonbody) + print(f'response: {response}') + if response.get('status', 0) != 200 and response.get('status', 0) != 201: + raise Exception(response.get('message', "Internal server error")) + + is_already_cspm_client = False + if response.get('status', 0) == 200: + is_already_cspm_client = True + + return is_already_cspm_client \ No newline at end of file diff --git a/modules/single/modules/lambda/functions/generate_external_id.py b/modules/single/modules/lambda/functions/generate_external_id.py new file mode 100644 index 0000000..4f8f01b --- /dev/null +++ b/modules/single/modules/lambda/functions/generate_external_id.py @@ -0,0 +1,62 @@ +import json +import urllib3 +import hashlib +import time +import hmac + +def handler(event, context): + cspm_url = event.get('ApiUrl') + ac_url = event.get('AutoConnectApiUrl') + aqua_api_key = event.get('AquaApiKey') + aqua_secret = event.get('AquaSecretKey') + aws_account_id = context.invoked_function_arn.split(":")[4] + + try: + print('generating external id') + external_id = generate_external_id(cspm_url, ac_url, aqua_api_key, aqua_secret, aws_account_id) + print('generated external id: {}'.format(external_id)) + return {"ExternalId": external_id} + except Exception as e: + print('failed generating external id') + print(f"error: {e}") + raise e + + +def get_signature(aqua_secret, tstmp, path, method, body): + enc = tstmp + method + path + body + enc_b = bytes(enc, 'utf-8') + secret = bytes(aqua_secret, 'utf-8') + sig = hmac.new(secret, enc_b, hashlib.sha256).hexdigest() + return sig + +def http_request(url, headers, method, body=None): + if body is None: + body = {} + + http = urllib3.PoolManager(cert_reqs='CERT_NONE') + + try: + response = http.request(method, url, body=body, headers=headers) + + data = json.loads(response.data.decode('utf-8')) + except Exception as e: + print("warning: {}".format(e)) + data = {} + + return data + + +def generate_external_id(cspm_url, ac_url, aqua_api_key, aqua_secret, aws_account_id): + u = cspm_url + '/v2/generatedids' + print('api url: {}'.format(u)) + + tstmp = str(int(time.time() * 1000)) + method = "POST" + sig = get_signature(aqua_secret, tstmp, '/v2/generatedids', method, '') + headers = {"X-API-Key": aqua_api_key, "X-Signature": sig, "X-Timestamp": tstmp} + + response = http_request(u, headers, method) + if response.get('status', 0) != 200 and response.get('status', 0) != 201 or not response.get('data'): + raise Exception("failed to generate external id; {}".format(response.get('message', 'Internal server error'))) + + return response['data'][0]['generated_id'] diff --git a/modules/single/modules/lambda/locals.tf b/modules/single/modules/lambda/locals.tf new file mode 100644 index 0000000..2593e98 --- /dev/null +++ b/modules/single/modules/lambda/locals.tf @@ -0,0 +1,8 @@ +# modules/single/modules/lambda/locals.tf + +locals { + # Decode the results of Lambda function invocations + cspm_external_id = jsondecode(aws_lambda_invocation.generate_cspm_external_id_function.result)["ExternalId"] + volscan_external_id = jsondecode(aws_lambda_invocation.generate_volscan_external_id_function.result)["ExternalId"] + is_already_cspm_client = jsondecode(aws_lambda_invocation.create_cspm_key_function.result)["IsAlreadyCSPMClient"] +} diff --git a/modules/single/modules/lambda/main.tf b/modules/single/modules/lambda/main.tf new file mode 100644 index 0000000..50b497b --- /dev/null +++ b/modules/single/modules/lambda/main.tf @@ -0,0 +1,453 @@ +# modules/single/modules/lambda/main.tf + +# Create lambda execution role +resource "aws_iam_role" "lambda_execution_role" { + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Service" : "lambda.amazonaws.com" + }, + "Action" : "sts:AssumeRole" + } + ] + }) + managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"] + name = "aqua-autoconnect-lambda-execution-role-${var.random_id}" +} + +# Create CSPM lambda execution role +resource "aws_iam_role" "cspm_lambda_execution_role" { + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Service" : "lambda.amazonaws.com" + }, + "Action" : "sts:AssumeRole" + } + ] + }) + managed_policy_arns = ["arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"] + name = "aqua-autoconnect-cspm-lambda-execution-role-${var.random_id}" +} + +# Create generate CSPM external id lambda function +resource "aws_lambda_function" "generate_cspm_external_id_function" { + architectures = ["x86_64"] + description = "Generate CSPM External ID" + function_name = "aqua-autoconnect-generate-cspm-external-id-function-${var.random_id}" + handler = "generate_external_id.handler" + role = aws_iam_role.cspm_lambda_execution_role.arn + runtime = "python3.12" + timeout = 120 + filename = data.archive_file.generate_external_id_function.output_path + source_code_hash = data.archive_file.generate_external_id_function.output_base64sha256 + tracing_config { + mode = "Active" + } +} + +# Invoking generate CSPM external id lambda function +resource "aws_lambda_invocation" "generate_cspm_external_id_function" { + function_name = aws_lambda_function.generate_cspm_external_id_function.function_name + input = jsonencode({ + ApiUrl = var.aqua_cspm_url + AutoConnectApiUrl = var.aqua_autoconnect_url + AquaApiKey = var.aqua_api_key + AquaSecretKey = var.aqua_api_secret + }) +} + +# Create generate Volume Scan external id lambda function +resource "aws_lambda_function" "generate_volscan_external_id_function" { + architectures = ["x86_64"] + description = "Generate Volume Scanning External ID" + function_name = "aqua-autoconnect-generate-volscan-external-id-function-${var.random_id}" + handler = "generate_external_id.handler" + role = aws_iam_role.cspm_lambda_execution_role.arn + runtime = "python3.12" + timeout = 120 + filename = data.archive_file.generate_external_id_function.output_path + source_code_hash = data.archive_file.generate_external_id_function.output_base64sha256 + tracing_config { + mode = "Active" + } +} + +# Invoking generate Volume Scan external id lambda function +resource "aws_lambda_invocation" "generate_volscan_external_id_function" { + function_name = aws_lambda_function.generate_volscan_external_id_function.function_name + input = jsonencode({ + ApiUrl = var.aqua_cspm_url + AutoConnectApiUrl = var.aqua_autoconnect_url + AquaApiKey = var.aqua_api_key + AquaSecretKey = var.aqua_api_secret + }) +} + +# Create Agentless role +# trivy:ignore:AVD-AWS-0057 +resource "aws_iam_role" "agentless_role" { + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam::${var.aqua_volscan_aws_account_id}:root" + }, + "Action" : "sts:AssumeRole", + "Condition" : { + "StringEquals" : { + "sts:ExternalId" : local.volscan_external_id + } + } + } + ] + }) + description = "Aqua Agentless Role" + inline_policy { + name = "policy" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : [ + "ec2:CreateSnapshot", + "ec2:CreateSnapshots", + "ec2:CreateVolume", + "ec2:DescribeInstances", + "ec2:DescribeRegions", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSnapshots", + "ec2:DescribeSubnets", + "ec2:DescribeVolumes", + "ec2:RunInstances" + ], + "Resource" : "*", + "Effect" : "Allow", + "Sid" : "createEc2Resources" + }, + { + "Condition" : { + "StringLike" : { + "ec2:ResourceTag/aqua-agentless-scanner" : "*" + } + }, + "Action" : [ + "ec2:DeleteSnapshot", + "ec2:DeleteVolume", + "ec2:TerminateInstances" + ], + "Resource" : "*", + "Effect" : "Allow", + "Sid" : "deleteEc2Resources" + }, + { + "Condition" : { + "StringEquals" : { + "ec2:CreateAction" : [ + "CreateSnapshot", + "CreateSnapshots", + "CreateVolume", + "RunInstances" + ] + } + }, + "Action" : "ec2:CreateTags", + "Resource" : "*", + "Effect" : "Allow", + "Sid" : "createEc2Tags" + } + ] + }) + } + name = var.custom_agentless_role_name == "" ? "aqua-agentless-role-${var.random_id}" : var.custom_agentless_role_name + depends_on = [aws_lambda_invocation.generate_volscan_external_id_function] +} + +# Create CSPM role +# trivy:ignore:AVD-AWS-0057 +resource "aws_iam_role" "cspm_role" { + assume_role_policy = jsonencode({ + "Version" : "2008-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam::${var.aqua_cspm_aws_account_id}:role/${var.aqua_cspm_role_prefix}lambda-cloudsploit-api" + }, + "Action" : "sts:AssumeRole", + "Condition" : { + "StringEquals" : { + "sts:ExternalId" : local.cspm_external_id + }, + "IpAddress" : { + "aws:SourceIp" : var.aqua_cspm_ipv4_address + } + } + }, + { + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam::${var.aqua_cspm_aws_account_id}:role/${var.aqua_cspm_role_prefix}lambda-cloudsploit-collector" + }, + "Action" : "sts:AssumeRole", + "Condition" : { + "StringEquals" : { + "sts:ExternalId" : local.cspm_external_id + }, + "IpAddress" : { + "aws:SourceIp" : var.aqua_cspm_ipv4_address + } + } + }, + { + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam::${var.aqua_cspm_aws_account_id}:role/${var.aqua_cspm_role_prefix}lambda-cloudsploit-remediator" + }, + "Action" : "sts:AssumeRole", + "Condition" : { + "StringEquals" : { + "sts:ExternalId" : local.cspm_external_id + }, + "IpAddress" : { + "aws:SourceIp" : var.aqua_cspm_ipv4_address + } + } + }, + { + "Effect" : "Allow", + "Principal" : { + "AWS" : "arn:aws:iam::${var.aqua_cspm_aws_account_id}:role/${var.aqua_cspm_role_prefix}lambda-cloudsploit-tasks" + }, + "Action" : "sts:AssumeRole", + "Condition" : { + "StringEquals" : { + "sts:ExternalId" : local.cspm_external_id + }, + "IpAddress" : { + "aws:SourceIp" : var.aqua_cspm_ipv4_address + } + } + }, + { + "Effect" : "Allow", + "Principal" : { + "AWS" : var.aqua_worker_role_arn + }, + "Action" : "sts:AssumeRole" + } + ] + }) + inline_policy { + name = "aqua-csp-scanner-policy" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : [ + "ecr:GetDownloadUrlForLayer", + "ecr:BatchGetImage", + "ecr:BatchCheckLayerAvailability", + "ecr:PutImage", + "ecr:InitiateLayerUpload", + "ecr:UploadLayerPart", + "ecr:CompleteLayerUpload", + "ecr:DescribeRepositories", + "ecr:GetAuthorizationToken", + "lambda:ListAliases", + "lambda:ListTags", + "lambda:GetLayerVersion", + "lambda:UntagResource", + "lambda:PutFunctionConcurrency", + "lambda:TagResource", + "lambda:GetFunction", + "lambda:UpdateFunctionConfiguration", + "lambda:PublishLayerVersion", + "lambda:DeleteLayerVersion", + "lambda:DeleteFunctionConcurrency", + "iam:ListRolePolicies", + "cloudwatch:GetMetricData", + "cloudwatch:ListMetrics" + ], + "Resource" : "*", + "Effect" : "Allow" + } + ] + }) + } + inline_policy { + name = "aqua-cspm-supplemental-policy" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : [ + "compute-optimizer:GetEC2InstanceRecommendations", + "compute-optimizer:GetAutoScalingGroupRecommendations", + "imagebuilder:ListInfrastructureConfigurations", + "imagebuilder:ListImageRecipes", + "imagebuilder:ListContainerRecipes", + "imagebuilder:ListComponents", + "imagebuilder:GetComponent", + "ses:DescribeActiveReceiptRuleSet", + "athena:GetWorkGroup", + "logs:DescribeLogGroups", + "logs:DescribeMetricFilters", + "config:getComplianceDetailsByConfigRule", + "elasticmapreduce:ListInstanceGroups", + "elastictranscoder:ListPipelines", + "elasticfilesystem:DescribeFileSystems", + "servicequotas:ListServiceQuotas", + "ssm:ListAssociations", + "devops-guru:ListNotificationChannels", + "ec2:GetEbsEncryptionByDefault", + "ec2:GetEbsDefaultKmsKeyId", + "organizations:ListAccounts", + "kendra:ListIndices", + "proton:ListEnvironmentTemplates", + "qldb:ListLedgers", + "airflow:ListEnvironments", + "airflow:GetEnvironment", + "profile:ListDomains", + "timestream:DescribeEndpoints", + "timestream:ListDatabases", + "frauddetector:GetDetectors", + "memorydb:DescribeClusters", + "kafka:ListClusters", + "apprunner:ListServices", + "apprunner:DescribeService", + "finspace:ListEnvironments", + "healthlake:ListFHIRDatastores", + "codeartifact:ListDomains", + "auditmanager:GetSettings", + "appflow:ListFlows", + "databrew:ListJobs", + "managedblockchain:ListNetworks", + "managedblockchain:ListMembers", + "managedblockchain:GetMember", + "connect:ListInstances", + "backup:ListBackupVaults", + "backup:DescribeRegionSettings", + "backup:getBackupVaultNotifications", + "backup:ListBackupPlans", + "backup:GetBackupVaultAccessPolicy", + "backup:GetBackupPlan", + "dlm:GetLifecyclePolicies", + "glue:GetSecurityConfigurations", + "ssm:describeSessions", + "ssm:GetServiceSetting", + "ecr:DescribeRegistry", + "ecr-public:DescribeRegistries", + "kinesisvideo:ListStreams", + "wisdom:ListAssistants", + "voiceid:ListDomains", + "lookoutequipment:ListDatasets", + "iotsitewise:DescribeDefaultEncryptionConfiguration", + "geo:ListTrackers", + "geo:ListGeofenceCollections", + "lookoutvision:ListProjects", + "lookoutmetrics:ListAnomalyDetectors", + "lex:ListBots", + "forecast:ListDatasets", + "forecast:ListForecastExportJobs", + "forecast:DescribeDataset", + "lambda:GetFunctionUrlConfig", + "lambda:GetFunctionCodeSigningConfig", + "cloudwatch:GetMetricStatistics", + "geo:DescribeTracker", + "connect:ListInstanceStorageConfigs", + "lex:ListBotAliases", + "lookoutvision:ListModels", + "geo:DescribeGeofenceCollection", + "codebuild:BatchGetProjects", + "profile:GetDomain", + "lex:DescribeBotAlias", + "lookoutvision:DescribeModel", + "s3:ListBucket", + "frauddetector:GetKMSEncryptionKey", + "imagebuilder:ListImagePipelines", + "compute-optimizer:GetRecommendationSummaries", + "wafv2:GetWebACLForResource", + "appflow:DescribeFlow", + "aoss:ListSecurityPolicies", + "aoss:GetAccessPolicy", + "aoss:ListCollections", + "aoss:ListAccessPolicies", + "aoss:GetSecurityPolicy", + "cognito-idp:GetWebACLForResource", + "cognito-idp:ListResourcesForWebACL", + "bedrock:ListCustomModels", + "bedrock:GetModelInvocationLoggingConfiguration", + "bedrock:ListModelCustomizationJobs", + "bedrock:GetCustomModel", + "bedrock:GetModelCustomizationJob" + ], + "Resource" : "*", + "Effect" : "Allow" + }, + { + "Action" : [ + "apigateway:GET" + ], + "Resource" : [ + "arn:aws:apigateway:*::/domainnames/*" + ], + "Effect" : "Allow" + }, + { + "Action" : "s3:GetObject", + "Resource" : "arn:aws:s3:::elasticbeanstalk-env-resources-*", + "Effect" : "Allow" + } + ] + }) + } + managed_policy_arns = ["arn:aws:iam::aws:policy/SecurityAudit"] + name = var.custom_cspm_role_name == "" ? "aqua-autoconnect-cspm-role-${var.random_id}" : var.custom_cspm_role_name +} + +# Creating a sleep for 30s between CSPM role and CSPM key lambda function +resource "time_sleep" "sleep" { + create_duration = "30s" + depends_on = [aws_iam_role.cspm_role] +} + +# Create CSPM key lambda function +resource "aws_lambda_function" "create_cspm_key_function" { + architectures = ["x86_64"] + description = "Trigger CSPM via CSPM Api" + function_name = "aqua-autoconnect-create-cspm-key-function-${var.random_id}" + handler = "create_cspm_key.handler" + role = aws_iam_role.cspm_lambda_execution_role.arn + runtime = "python3.12" + timeout = 120 + filename = data.archive_file.create_cspm_key_function.output_path + source_code_hash = data.archive_file.create_cspm_key_function.output_base64sha256 + tracing_config { + mode = "Active" + } +} + +# Invoking CSPM key lambda function +resource "aws_lambda_invocation" "create_cspm_key_function" { + function_name = aws_lambda_function.create_cspm_key_function.function_name + input = jsonencode({ + ApiUrl = var.aqua_cspm_url + AutoConnectApiUrl = var.aqua_autoconnect_url + AquaApiKey = var.aqua_api_key + AquaSecretKey = var.aqua_api_secret + RoleArn = aws_iam_role.cspm_role.arn + ExternalId = local.cspm_external_id + AccountId = tostring(var.aws_account_id) + GroupId = var.aqua_cspm_group_id + }) + depends_on = [time_sleep.sleep] +} \ No newline at end of file diff --git a/modules/single/modules/lambda/outputs.tf b/modules/single/modules/lambda/outputs.tf new file mode 100644 index 0000000..eec79be --- /dev/null +++ b/modules/single/modules/lambda/outputs.tf @@ -0,0 +1,31 @@ +# modules/single/modules/lambda/outputs.tf + +output "cspm_external_id" { + description = "Aqua CSPM External ID generated by the 'generate_cspm_external_id_function' Lambda function" + value = local.cspm_external_id +} + +output "volscan_external_id" { + description = "Aqua Volume Scanning External ID generated by the 'generate_volscan_external_id_function' Lambda function" + value = local.volscan_external_id +} + +output "is_already_cspm_client" { + description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API" + value = local.is_already_cspm_client +} + +output "cspm_lambda_execution_role_arn" { + description = "The ARN of the lambda execution IAM role created for the CSPM" + value = aws_iam_role.cspm_lambda_execution_role.arn +} + +output "cspm_role_arn" { + description = "The ARN of the IAM role created for the CSPM" + value = aws_iam_role.cspm_role.arn +} + +output "agentless_role_arn" { + description = "The ARN of the IAM role created for the Agentless Volume Scanning" + value = aws_iam_role.agentless_role.arn +} diff --git a/modules/single/modules/lambda/variables.tf b/modules/single/modules/lambda/variables.tf new file mode 100644 index 0000000..b22d7f1 --- /dev/null +++ b/modules/single/modules/lambda/variables.tf @@ -0,0 +1,71 @@ +# modules/single/modules/lambda/variables.tf + +variable "random_id" { + description = "Random ID to apply to resource names" + type = string +} + +variable "aqua_api_key" { + description = "Aqua API Key" + type = string +} + +variable "aqua_api_secret" { + description = "Aqua API Secret" + type = string +} + +variable "aqua_volscan_aws_account_id" { + description = "Aqua Volume Scanning AWS Account ID" + type = string +} + +variable "aqua_autoconnect_url" { + description = "Aqua Autoconnect API URL" + type = string +} + +variable "aqua_cspm_url" { + description = "Aqua CSPM API URL" + type = string +} + +variable "aqua_cspm_group_id" { + description = "Aqua CSPM Group ID" + type = number +} + +variable "aqua_cspm_aws_account_id" { + description = "Aqua CSPM AWS Account ID" + type = string +} + +variable "aqua_cspm_ipv4_address" { + description = "Aqua CSPM IPv4 address" + type = string +} + +variable "aqua_cspm_role_prefix" { + description = "Aqua CSPM role name prefix" + type = string +} + +variable "aqua_worker_role_arn" { + description = "Aqua Worker Role ARN" + type = string +} + +variable "custom_cspm_role_name" { + description = "Custom CSPM role Name" + type = string +} + +variable "custom_agentless_role_name" { + description = "Custom Agentless role Name" + type = string +} + +variable "aws_account_id" { + description = "AWS Account ID" + type = number +} diff --git a/modules/single/modules/lambda/versions.tf b/modules/single/modules/lambda/versions.tf new file mode 100644 index 0000000..f99aa6c --- /dev/null +++ b/modules/single/modules/lambda/versions.tf @@ -0,0 +1,15 @@ +# modules/single/modules/lambda/version.tf + +terraform { + required_version = ">= 1.6.4" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.57.0" + } + archive = { + source = "hashicorp/archive" + version = "~> 2.4.2" + } + } +} \ No newline at end of file diff --git a/modules/single/modules/stackset/README.md b/modules/single/modules/stackset/README.md new file mode 100644 index 0000000..9403c6e --- /dev/null +++ b/modules/single/modules/stackset/README.md @@ -0,0 +1,59 @@ +# `stackset` module + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6.4 | +| [aws](#requirement\_aws) | ~> 5.57.0 | + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | ~> 5.57.0 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_cloudformation_stack_set.stack_set](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set) | resource | +| [aws_cloudformation_stack_set_instance.stack_set_instance](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance) | resource | +| [aws_iam_role.stackset_admin_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | +| [aws_iam_role.stackset_execution_role](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aqua\_bucket\_name](#input\_aqua\_bucket\_name) | Aqua Bucket Name | `string` | n/a | yes | +| [aws\_account\_id](#input\_aws\_account\_id) | AWS Account ID | `string` | n/a | yes | +| [aws\_partition](#input\_aws\_partition) | AWS Partition | `string` | n/a | yes | +| [create\_vpcs](#input\_create\_vpcs) | Toggle to create VPCs | `bool` | n/a | yes | +| [custom\_internet\_gateway\_name](#input\_custom\_internet\_gateway\_name) | Custom Internet Gateway Name | `string` | n/a | yes | +| [custom\_security\_group\_name](#input\_custom\_security\_group\_name) | Custom Security Group Name | `string` | n/a | yes | +| [custom\_vpc\_name](#input\_custom\_vpc\_name) | Custom VPC Name | `string` | n/a | yes | +| [custom\_vpc\_subnet1\_name](#input\_custom\_vpc\_subnet1\_name) | Custom VPC Subnet 1 Name | `string` | n/a | yes | +| [custom\_vpc\_subnet2\_name](#input\_custom\_vpc\_subnet2\_name) | Custom VPC Subnet 2 Name | `string` | n/a | yes | +| [custom\_vpc\_subnet\_route\_table1\_name](#input\_custom\_vpc\_subnet\_route\_table1\_name) | Custom VPC Route Table 1 Name | `string` | n/a | yes | +| [custom\_vpc\_subnet\_route\_table2\_name](#input\_custom\_vpc\_subnet\_route\_table2\_name) | Custom VPC Route Table 2 Name | `string` | n/a | yes | +| [enabled\_regions](#input\_enabled\_regions) | Enabled AWS Regions to deploy Stack Sets on | `list(string)` | n/a | yes | +| [event\_bus\_arn](#input\_event\_bus\_arn) | Cloudwatch Event Bus ARN | `string` | n/a | yes | +| [random\_id](#input\_random\_id) | Random ID to apply to resource names | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [stack\_set\_admin\_role\_arn](#output\_stack\_set\_admin\_role\_arn) | ARN of the StackSet admin role | +| [stack\_set\_admin\_role\_name](#output\_stack\_set\_admin\_role\_name) | Name of the StackSet admin role | +| [stack\_set\_execution\_role\_arn](#output\_stack\_set\_execution\_role\_arn) | ARN of the StackSet execution role | +| [stack\_set\_execution\_role\_name](#output\_stack\_set\_execution\_role\_name) | Name of the StackSet execution role | +| [stack\_set\_name](#output\_stack\_set\_name) | Name of the CloudFormation StackSet | +| [stack\_set\_template\_url](#output\_stack\_set\_template\_url) | URL of the CloudFormation template used by the StackSet | + \ No newline at end of file diff --git a/modules/single/modules/stackset/main.tf b/modules/single/modules/stackset/main.tf new file mode 100644 index 0000000..19a4b92 --- /dev/null +++ b/modules/single/modules/stackset/main.tf @@ -0,0 +1,154 @@ +# modules/single/modules/stackset/main.tf + +# Create Stackset admin role +resource "aws_iam_role" "stackset_admin_role" { + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "Service" : [ + "cloudformation.eu-south-1.amazonaws.com", + "cloudformation.amazonaws.com", + "cloudformation.ap-southeast-3.amazonaws.com", + "cloudformation.me-south-1.amazonaws.com", + "cloudformation.ap-east-1.amazonaws.com", + "cloudformation.af-south-1.amazonaws.com" + ] + }, + "Action" : "sts:AssumeRole" + } + ] + }) + description = "Aqua StackSet Admin Role" + inline_policy { + name = "policy" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : "sts:AssumeRole", + "Resource" : "arn:${var.aws_partition}:iam::*:role/AWSCloudFormationStackSetExecutionRole", + "Effect" : "Allow" + } + ] + }) + } + name = "aqua-autoconnect-stackset-admin-role-${var.random_id}" +} + +# Create Stackset execution role +# trivy:ignore:AVD-AWS-0057 +resource "aws_iam_role" "stackset_execution_role" { + assume_role_policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Effect" : "Allow", + "Principal" : { + "AWS" : aws_iam_role.stackset_admin_role.arn + }, + "Action" : "sts:AssumeRole" + } + ] + }) + description = "Aqua StackSet Execution Role" + inline_policy { + name = "policy" + policy = jsonencode({ + "Version" : "2012-10-17", + "Statement" : [ + { + "Action" : [ + "ec2:CreateInternetGateway", + "ec2:AttachInternetGateway", + "ec2:DescribeInternetGateways", + "ec2:CreateRouteTable", + "ec2:CreateRoute", + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateTags", + "ec2:CreateVpc", + "ec2:DescribeRouteTables", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSubnets", + "ec2:DescribeVpcs", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeAccountAttributes", + "events:DescribeRule", + "events:EnableRule", + "events:PutRule", + "events:PutTargets", + "iam:CreateRole", + "iam:GetRolePolicy", + "iam:GetRole", + "iam:PassRole", + "ec2:AssociateRouteTable", + "ec2:AuthorizeSecurityGroupEgress", + "ec2:DeleteInternetGateway", + "ec2:DeleteRouteTable", + "ec2:DeleteRoute", + "ec2:DeleteSecurityGroup", + "ec2:DeleteSubnet", + "ec2:DeleteTags", + "ec2:DeleteVpc", + "ec2:DisassociateRouteTable", + "ec2:ModifySubnetAttribute", + "ec2:ModifyVpcAttribute", + "ec2:ReplaceRouteTableAssociation", + "ec2:RevokeSecurityGroupEgress", + "ec2:DeleteInternetGateway", + "ec2:DetachInternetGateway", + "events:DeleteRule", + "events:RemoveTargets", + "iam:DeleteRole", + "iam:DeleteRolePolicy", + "iam:PutRolePolicy", + "iam:TagRole", + "cloudformation:*", + "s3:*", + "sns:*" + ], + "Resource" : "*", + "Effect" : "Allow" + } + ] + }) + } + name = "aqua-autoconnect-stackset-execution-role-${var.random_id}" +} + +# Create Cloudformation stackset +resource "aws_cloudformation_stack_set" "stack_set" { + name = "aqua-autoconnect-stackset-${var.random_id}" + description = "Aqua Agentless StackSet" + permission_model = "SELF_MANAGED" + capabilities = ["CAPABILITY_IAM"] + administration_role_arn = aws_iam_role.stackset_admin_role.arn + execution_role_name = aws_iam_role.stackset_execution_role.name + template_url = "https://${var.aqua_bucket_name}.s3.amazonaws.com/volume-scanning-api-key-cfn-stackset.json" + operation_preferences { + region_concurrency_type = "PARALLEL" + max_concurrent_count = 1 + } + parameters = { + EbBusArn = var.event_bus_arn + CreateVPCs = tostring(var.create_vpcs) + CustomVpcName = var.custom_vpc_name + CustomVpcSubnet1Name = var.custom_vpc_subnet1_name + CustomVpcSubnetRouteTable1Name = var.custom_vpc_subnet_route_table1_name + CustomVpcSubnet2Name = var.custom_vpc_subnet2_name + CustomVpcSubnetRouteTable2Name = var.custom_vpc_subnet_route_table2_name + CustomInternetGatewayName = var.custom_internet_gateway_name + CustomSecurityGroupName = var.custom_security_group_name + } +} + +# Create Cloudformation stackset instance for each enabled region specified +resource "aws_cloudformation_stack_set_instance" "stack_set_instance" { + for_each = toset(var.enabled_regions) + stack_set_name = aws_cloudformation_stack_set.stack_set.name + account_id = var.aws_account_id + region = each.value +} \ No newline at end of file diff --git a/modules/single/modules/stackset/outputs.tf b/modules/single/modules/stackset/outputs.tf new file mode 100644 index 0000000..9b076f4 --- /dev/null +++ b/modules/single/modules/stackset/outputs.tf @@ -0,0 +1,31 @@ +# modules/single/modules/stackset/outputs.tf + +output "stack_set_name" { + description = "Name of the CloudFormation StackSet" + value = aws_cloudformation_stack_set.stack_set.name +} + +output "stack_set_admin_role_arn" { + description = "ARN of the StackSet admin role" + value = aws_iam_role.stackset_admin_role.arn +} + +output "stack_set_admin_role_name" { + description = "Name of the StackSet admin role" + value = aws_iam_role.stackset_admin_role.name +} + +output "stack_set_execution_role_arn" { + description = "ARN of the StackSet execution role" + value = aws_iam_role.stackset_execution_role.arn +} + +output "stack_set_execution_role_name" { + description = "Name of the StackSet execution role" + value = aws_iam_role.stackset_execution_role.name +} + +output "stack_set_template_url" { + description = "URL of the CloudFormation template used by the StackSet" + value = aws_cloudformation_stack_set.stack_set.template_url +} \ No newline at end of file diff --git a/modules/single/modules/stackset/variables.tf b/modules/single/modules/stackset/variables.tf new file mode 100644 index 0000000..e9642de --- /dev/null +++ b/modules/single/modules/stackset/variables.tf @@ -0,0 +1,71 @@ +# modules/single/modules/stackset/variables.tf + +variable "random_id" { + description = "Random ID to apply to resource names" + type = string +} + +variable "aws_account_id" { + description = "AWS Account ID" + type = string +} + +variable "aws_partition" { + description = "AWS Partition" + type = string +} + +variable "enabled_regions" { + description = "Enabled AWS Regions to deploy Stack Sets on" + type = list(string) +} + +variable "aqua_bucket_name" { + description = "Aqua Bucket Name" + type = string +} + +variable "create_vpcs" { + description = "Toggle to create VPCs" + type = bool +} + +variable "custom_vpc_name" { + description = "Custom VPC Name" + type = string +} + +variable "custom_vpc_subnet1_name" { + description = "Custom VPC Subnet 1 Name" + type = string +} + +variable "custom_vpc_subnet2_name" { + description = "Custom VPC Subnet 2 Name" + type = string +} + +variable "custom_vpc_subnet_route_table1_name" { + description = "Custom VPC Route Table 1 Name" + type = string +} + +variable "custom_vpc_subnet_route_table2_name" { + description = "Custom VPC Route Table 2 Name" + type = string +} + +variable "custom_internet_gateway_name" { + description = "Custom Internet Gateway Name" + type = string +} + +variable "custom_security_group_name" { + description = "Custom Security Group Name" + type = string +} + +variable "event_bus_arn" { + description = "Cloudwatch Event Bus ARN" + type = string +} \ No newline at end of file diff --git a/modules/single/modules/stackset/versions.tf b/modules/single/modules/stackset/versions.tf new file mode 100644 index 0000000..a5d36e7 --- /dev/null +++ b/modules/single/modules/stackset/versions.tf @@ -0,0 +1,11 @@ +# modules/single/modules/stackset/versions.tf + +terraform { + required_version = ">= 1.6.4" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.57.0" + } + } +} \ No newline at end of file diff --git a/modules/single/modules/trigger/README.md b/modules/single/modules/trigger/README.md new file mode 100644 index 0000000..4ad79b4 --- /dev/null +++ b/modules/single/modules/trigger/README.md @@ -0,0 +1,49 @@ +# `trigger` module + + +## Requirements + +| Name | Version | +|------|---------| +| [terraform](#requirement\_terraform) | >= 1.6.4 | +| [aws](#requirement\_aws) | ~> 5.57.0 | +| [external](#requirement\_external) | ~> 2.3.3 | + +## Providers + +| Name | Version | +|------|---------| +| [external](#provider\_external) | ~> 2.3.3 | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [external_external.aws_onboarding](https://registry.terraform.io/providers/hashicorp/external/latest/docs/data-sources/external) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [additional\_tags](#input\_additional\_tags) | Additional tags to be sent to the Autoconnect API | `map(string)` | n/a | yes | +| [aqua\_api\_key](#input\_aqua\_api\_key) | Aqua API Key | `string` | n/a | yes | +| [aqua\_api\_secret](#input\_aqua\_api\_secret) | Aqua API Secret | `string` | n/a | yes | +| [aqua\_autoconnect\_url](#input\_aqua\_autoconnect\_url) | Aqua Autoconnect API URL | `string` | n/a | yes | +| [aqua\_session\_id](#input\_aqua\_session\_id) | Aqua Session ID | `string` | n/a | yes | +| [cspm\_external\_id](#input\_cspm\_external\_id) | Aqua CSPM External ID | `string` | n/a | yes | +| [cspm\_role\_arn](#input\_cspm\_role\_arn) | CSPM Role ARN | `string` | n/a | yes | +| [is\_already\_cspm\_client](#input\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API | `bool` | n/a | yes | +| [region](#input\_region) | Main AWS Region to to deploy resources | `string` | n/a | yes | +| [volscan\_external\_id](#input\_volscan\_external\_id) | Aqua Volume Scanning External ID | `string` | n/a | yes | +| [volscan\_role\_arn](#input\_volscan\_role\_arn) | Volume Scanning Role ARN | `string` | n/a | yes | + +## Outputs + +| Name | Description | +|------|-------------| +| [onboarding\_status](#output\_onboarding\_status) | Onboarding API Status Result | + \ No newline at end of file diff --git a/modules/single/modules/trigger/outputs.tf b/modules/single/modules/trigger/outputs.tf new file mode 100644 index 0000000..c35531b --- /dev/null +++ b/modules/single/modules/trigger/outputs.tf @@ -0,0 +1,7 @@ +# modules/single/modules/trigger/outputs.tf + +# Onboarding API call output +output "onboarding_status" { + description = "Onboarding API Status Result" + value = data.external.aws_onboarding.result.status +} \ No newline at end of file diff --git a/modules/single/modules/trigger/trigger-aws.py b/modules/single/modules/trigger/trigger-aws.py new file mode 100644 index 0000000..ab6266c --- /dev/null +++ b/modules/single/modules/trigger/trigger-aws.py @@ -0,0 +1,76 @@ +import time +import json +import sys +import hmac +import hashlib +import http.client +import ssl + +timestamp = str(int(time.time() * 1000)) + +query = json.loads(sys.stdin.read()) +ac_url = query.get('autoconnect_url') +aqua_api_key = query.get('api_key') +aqua_secret = query.get('api_secret') +cspm_role_arn = query.get('cspm_role_arn') +cspm_external_id = query.get('cspm_external_id') +is_already_cspm_client = query.get('is_already_cspm_client') +session_id = query.get('session_id') +vol_scan_role_arn = query.get('volume_scanning_role_arn') +vol_scan_external_id = query.get('volume_scanning_external_id') +cloud = "aws" +region = query.get('region') +additional_resource_tags = query.get('additional_tags') + +def get_signature(aqua_secret, tstmp, path, method, body=''): + enc = tstmp + method + path + body + enc_b = bytes(enc, 'utf-8') + secret = bytes(aqua_secret, 'utf-8') + sig = hmac.new(secret, enc_b, hashlib.sha256).hexdigest() + return sig + +body = json.dumps({ + "cloud": cloud, + "configuration_id": session_id, + "is_already_cspm_client": is_already_cspm_client, + "deployment_method": "Terraform", + "additional_resource_tags": additional_resource_tags, + "payload": { + "cspm": { + "role_arn": cspm_role_arn, + "external_id": cspm_external_id + }, + "volume_scanning": { + "role_arn": vol_scan_role_arn, + "external_id": vol_scan_external_id, + "region": region + } + } +}) + +tstmp = str(int(time.time() * 1000)) +sig = get_signature(aqua_secret, tstmp, "/v2/internal_apikeys", "GET", '') + +headers = { + "X-API-Key": aqua_api_key, + "X-Authenticate-Api-Key-Signature": sig, + "X-Timestamp": tstmp +} + + +conn = http.client.HTTPSConnection(ac_url.split("//")[1], context = ssl._create_unverified_context()) +path = "/discover/aws" +method = "POST" + +conn.request(method, path, body=body, headers=headers) +response = conn.getresponse() +onboarding_status = 'received response: status {}, body: {}'.format(response.status, response.read().decode("utf-8")) + +conn.close() + + +output = { + "status": onboarding_status +} + +print(json.dumps(output)) \ No newline at end of file diff --git a/modules/single/modules/trigger/trigger.tf b/modules/single/modules/trigger/trigger.tf new file mode 100644 index 0000000..f6bc87e --- /dev/null +++ b/modules/single/modules/trigger/trigger.tf @@ -0,0 +1,20 @@ +# modules/single/modules/trigger/trigger.tf + +# Calling onboarding API +data "external" "aws_onboarding" { + program = ["python3", "${path.module}/trigger-aws.py"] + + query = { + autoconnect_url = var.aqua_autoconnect_url + api_key = sensitive(var.aqua_api_key) + api_secret = sensitive(var.aqua_api_secret) + cspm_role_arn = var.cspm_role_arn + cspm_external_id = var.cspm_external_id + is_already_cspm_client = tostring(var.is_already_cspm_client) + session_id = var.aqua_session_id + volume_scanning_role_arn = var.volscan_role_arn + volume_scanning_external_id = var.volscan_external_id + region = var.region + additional_tags = join(",", [for key, value in var.additional_tags : "${key}:${value}"]) + } +} \ No newline at end of file diff --git a/modules/single/modules/trigger/variables.tf b/modules/single/modules/trigger/variables.tf new file mode 100644 index 0000000..db3362b --- /dev/null +++ b/modules/single/modules/trigger/variables.tf @@ -0,0 +1,58 @@ +# modules/single/modules/trigger/variables.tf + +variable "aqua_api_key" { + description = "Aqua API Key" + type = string + sensitive = true +} + +variable "aqua_api_secret" { + description = "Aqua API Secret" + type = string + sensitive = true +} + +variable "aqua_autoconnect_url" { + description = "Aqua Autoconnect API URL" + type = string +} + +variable "aqua_session_id" { + description = "Aqua Session ID" + type = string +} + +variable "cspm_role_arn" { + description = "CSPM Role ARN" + type = string +} + +variable "cspm_external_id" { + description = "Aqua CSPM External ID" + type = string +} + +variable "is_already_cspm_client" { + description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API" + type = bool +} + +variable "volscan_role_arn" { + description = "Volume Scanning Role ARN" + type = string +} + +variable "volscan_external_id" { + description = "Aqua Volume Scanning External ID" + type = string +} + +variable "region" { + description = "Main AWS Region to to deploy resources" + type = string +} + +variable "additional_tags" { + description = "Additional tags to be sent to the Autoconnect API" + type = map(string) +} diff --git a/modules/single/modules/trigger/versions.tf b/modules/single/modules/trigger/versions.tf new file mode 100644 index 0000000..8ea85d8 --- /dev/null +++ b/modules/single/modules/trigger/versions.tf @@ -0,0 +1,15 @@ +# modules/single/modules/trigger/versions.tf + +terraform { + required_version = ">= 1.6.4" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.57.0" + } + external = { + source = "hashicorp/external" + version = "~> 2.3.3" + } + } +} \ No newline at end of file diff --git a/modules/single/outputs.tf b/modules/single/outputs.tf new file mode 100644 index 0000000..6cf4c9b --- /dev/null +++ b/modules/single/outputs.tf @@ -0,0 +1,120 @@ +# modules/single/outputs.tf + +# Kinesis module outputs +output "cloudwatch_event_bus_arn" { + description = "Cloudwatch Event Bus ARN" + value = try(module.kinesis.event_bus_arn, null) +} + +output "cloudwatch_event_rule_arn" { + description = "Cloudwatch Event Rule ARN" + value = try(module.kinesis.event_rule_arn, null) +} + +output "kinesis_processor_lambda_log_group_name" { + description = "Kinesis Processor Lambda Cloudwatch Log Group Name" + value = try(module.kinesis.kinesis_processor_lambda_log_group_name, null) +} + +output "kinesis_stream_events_role_arn" { + description = "Kinesis Stream Events Role ARN" + value = try(module.kinesis.kinesis_stream_events_role_arn, null) +} + +output "kinesis_firehose_role_arn" { + description = "Kinesis Firehose Role ARN" + value = try(module.kinesis.kinesis_firehose_role_arn, null) +} + +output "kinesis_processor_lambda_execution_role_arn" { + description = "Kinesis Processor Lambda Execution Role ARN" + value = try(module.kinesis.kinesis_processor_lambda_execution_role_arn, null) +} + +output "kinesis_firehose_bucket_name" { + description = "Kinesis Firehose S3 Bucket Name" + value = try(module.kinesis.kinesis_firehose_bucket_name, null) +} + +output "kinesis_processor_lambda_function_arn" { + description = "Kinesis Processor Lambda Function ARN" + value = try(module.kinesis.kinesis_processor_lambda_function_arn, null) +} + +output "kinesis_stream_arn" { + description = "Kinesis Stream ARN" + value = try(module.kinesis.kinesis_stream_arn, null) +} + +output "kinesis_firehose_delivery_stream_arn" { + description = "Kinesis Firehose Delivery Stream ARN" + value = try(module.kinesis.kinesis_firehose_delivery_stream_arn, null) +} + +# Lambda module outputs +output "cspm_external_id" { + description = "Aqua CSPM External ID generated by the 'generate_cspm_external_id_function' Lambda function" + value = try(module.lambda.cspm_external_id, null) +} + +output "volscan_external_id" { + description = "Aqua Volume Scanning External ID generated by the 'generate_volscan_external_id_function' Lambda function" + value = try(module.lambda.volscan_external_id, null) +} + +output "is_already_cspm_client" { + description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API" + value = try(module.lambda.is_already_cspm_client, null) +} + +output "cspm_lambda_execution_role_arn" { + description = "The ARN of the lambda execution IAM role created for the CSPM" + value = try(module.lambda.cspm_lambda_execution_role_arn, null) +} + +output "cspm_role_arn" { + description = "The ARN of the IAM role created for the CSPM" + value = try(module.lambda.cspm_role_arn, null) +} + +output "agentless_role_arn" { + description = "The ARN of the IAM role created for the Agentless Volume Scanning" + value = try(module.lambda.agentless_role_arn, null) +} + +# Stackset module outputs +output "stack_set_name" { + description = "Name of the CloudFormation StackSet" + value = try(module.stackset.stack_set_name, null) +} + +output "stack_set_admin_role_arn" { + description = "ARN of the StackSet admin role" + value = try(module.stackset.stack_set_admin_role_arn, null) +} + +output "stack_set_admin_role_name" { + description = "Name of the StackSet admin role" + value = try(module.stackset.stack_set_admin_role_name, null) +} + +output "stack_set_execution_role_arn" { + description = "ARN of the StackSet execution role" + value = try(module.stackset.stack_set_execution_role_arn, null) +} + +output "stack_set_execution_role_name" { + description = "Name of the StackSet execution role" + value = try(module.stackset.stack_set_execution_role_name, null) +} + +output "stack_set_template_url" { + description = "URL of the CloudFormation template used by the StackSet" + value = try(module.stackset.stack_set_template_url, null) +} + +# Trigger module outputs +output "onboarding_status" { + description = "Onboarding API Status Result" + value = try(module.trigger.onboarding_status, null) +} \ No newline at end of file diff --git a/modules/single/variables.tf b/modules/single/variables.tf new file mode 100644 index 0000000..8ba9b1e --- /dev/null +++ b/modules/single/variables.tf @@ -0,0 +1,151 @@ +# modules/single/variables.tf + +variable "random_id" { + description = "Random ID to apply to resource names" + type = string +} + +variable "aqua_volscan_api_url" { + description = "Aqua Volume Scanning API URL" + type = string +} + +variable "aqua_volscan_api_token" { + description = "Aqua Volume Scanning API Token" + type = string +} + +variable "aqua_volscan_aws_account_id" { + description = "Aqua Volume Scanning AWS Account ID" + type = string +} + +variable "aqua_api_key" { + description = "Aqua API key" + type = string +} + +variable "aqua_api_secret" { + description = "Aqua API secret" + type = string +} + +variable "aqua_bucket_name" { + description = "Aqua Bucket Name" + type = string +} + +variable "aqua_cspm_aws_account_id" { + description = "Aqua CSPM AWS Account ID" + type = string +} + +variable "aqua_autoconnect_url" { + description = "Aqua Autoconnect API URL" + type = string +} + +variable "aqua_cspm_url" { + description = "Aqua CSPM API URL" + type = string +} + +variable "aqua_cspm_group_id" { + description = "Aqua CSPM Group ID" + type = number +} + +variable "aqua_cspm_ipv4_address" { + description = "Aqua CSPM IPv4 address" + type = string +} + +variable "aqua_worker_role_arn" { + description = "Aqua Worker Role ARN" + type = string +} + +variable "aqua_session_id" { + description = "Aqua Session ID" + type = string +} + +variable "aqua_cspm_role_prefix" { + description = "Aqua CSPM role name prefix" + type = string +} + +variable "regions" { + description = "AWS Regions to deploy discovery and scanning resources" + type = list(string) +} + +variable "region" { + description = "Main AWS Region to to deploy resources" + type = string +} + +variable "custom_cspm_role_name" { + description = "Custom CSPM role Name" + type = string +} + +variable "custom_bucket_name" { + description = "Custom bucket Name" + type = string +} + +variable "custom_agentless_role_name" { + description = "Custom Agentless role Name" + type = string +} + +variable "custom_processor_lambda_role_name" { + description = "Custom Processor lambda role Name" + type = string +} + +variable "create_vpcs" { + description = "Toggle to create VPCs" + type = bool +} + +variable "custom_vpc_name" { + description = "Custom VPC Name" + type = string +} + +variable "custom_vpc_subnet1_name" { + description = "Custom VPC Subnet 1 Name" + type = string +} + +variable "custom_vpc_subnet2_name" { + description = "Custom VPC Subnet 2 Name" + type = string +} + +variable "custom_vpc_subnet_route_table1_name" { + description = "Custom VPC Route Table 1 Name" + type = string +} + +variable "custom_vpc_subnet_route_table2_name" { + description = "Custom VPC Route Table 2 Name" + type = string +} + +variable "custom_internet_gateway_name" { + description = "Custom Internet Gateway Name" + type = string +} + +variable "custom_security_group_name" { + description = "Custom Security Group Name" + type = string +} + +variable "additional_tags" { + description = "Additional resource tags to will be send to the Autoconnect API" + type = map(string) +} \ No newline at end of file diff --git a/modules/single/versions.tf b/modules/single/versions.tf new file mode 100644 index 0000000..6ac546c --- /dev/null +++ b/modules/single/versions.tf @@ -0,0 +1,11 @@ +# modules/single/versions.tf + +terraform { + required_version = ">= 1.6.4" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.57.0" + } + } +} \ No newline at end of file diff --git a/outputs.tf b/outputs.tf new file mode 100644 index 0000000..fc741f1 --- /dev/null +++ b/outputs.tf @@ -0,0 +1,131 @@ +# outputs.tf + +# Global outputs +output "region" { + description = "AWS Region to to deploy discovery resources" + value = var.show_outputs ? var.region : null +} + +output "regions" { + description = "AWS Regions to to deploy scanning resources" + value = var.show_outputs ? var.regions : null +} + +# Kinesis module outputs +output "cloudwatch_event_bus_arn" { + description = "Cloudwatch Event Bus ARN" + value = var.show_outputs && var.type == "single" ? module.single[0].cloudwatch_event_bus_arn : null +} + +output "cloudwatch_event_rule_arn" { + description = "Cloudwatch Event Rule ARN" + value = var.show_outputs && var.type == "single" ? module.single[0].cloudwatch_event_rule_arn : null +} + +output "kinesis_processor_lambda_log_group_name" { + description = "Kinesis Processor Lambda Cloudwatch Log Group Name" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_processor_lambda_log_group_name : null +} + +output "kinesis_stream_events_role_arn" { + description = "Kinesis Stream Events Role ARN" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_stream_events_role_arn : null +} + +output "kinesis_firehose_role_arn" { + description = "Kinesis Firehose Role ARN" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_firehose_role_arn : null +} + +output "kinesis_processor_lambda_execution_role_arn" { + description = "Kinesis Processor Lambda Execution Role ARN" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_processor_lambda_execution_role_arn : null +} + +output "kinesis_firehose_bucket_name" { + description = "Kinesis Firehose S3 Bucket Name" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_firehose_bucket_name : null +} + +output "kinesis_processor_lambda_function_arn" { + description = "Kinesis Processor Lambda Function ARN" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_processor_lambda_function_arn : null +} + +output "kinesis_stream_arn" { + description = "Kinesis Stream ARN" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_stream_arn : null +} + +output "kinesis_firehose_delivery_stream_arn" { + description = "Kinesis Firehose Delivery Stream ARN" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_firehose_delivery_stream_arn : null +} + +# Lambda module outputs +output "cspm_external_id" { + description = "Aqua CSPM External ID generated by the 'generate_cspm_external_id_function' Lambda function" + value = var.show_outputs && var.type == "single" ? module.single[0].cspm_external_id : null +} + +output "volscan_external_id" { + description = "Aqua Volume Scanning External ID generated by the 'generate_volscan_external_id_function' Lambda function" + value = var.show_outputs && var.type == "single" ? module.single[0].volscan_external_id : null +} + +output "is_already_cspm_client" { + description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API" + value = var.show_outputs && var.type == "single" ? module.single[0].is_already_cspm_client : null +} + +output "cspm_lambda_execution_role_arn" { + description = "The ARN of the lambda execution IAM role created for the CSPM" + value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_processor_lambda_execution_role_arn : null +} + +output "cspm_role_arn" { + description = "The ARN of the IAM role created for the CSPM" + value = var.show_outputs && var.type == "single" ? module.single[0].cspm_role_arn : null +} + +output "agentless_role_arn" { + description = "The ARN of the IAM role created for the Agentless Volume Scanning" + value = var.show_outputs && var.type == "single" ? module.single[0].agentless_role_arn : null +} + +# Stackset module outputs +output "stack_set_name" { + description = "Name of the CloudFormation StackSet" + value = var.show_outputs && var.type == "single" ? module.single[0].stack_set_name : null +} + +output "stack_set_admin_role_arn" { + description = "ARN of the StackSet admin role" + value = var.show_outputs && var.type == "single" ? module.single[0].stack_set_admin_role_arn : null +} + +output "stack_set_admin_role_name" { + description = "Name of the StackSet admin role" + value = var.show_outputs && var.type == "single" ? module.single[0].stack_set_admin_role_name : null +} + +output "stack_set_execution_role_arn" { + description = "ARN of the StackSet execution role" + value = var.show_outputs && var.type == "single" ? module.single[0].stack_set_execution_role_arn : null +} + +output "stack_set_execution_role_name" { + description = "Name of the StackSet execution role" + value = var.show_outputs && var.type == "single" ? module.single[0].stack_set_admin_role_name : null +} + +output "stack_set_template_url" { + description = "URL of the CloudFormation template used by the StackSet" + value = var.show_outputs && var.type == "single" ? module.single[0].stack_set_template_url : null +} + +# Trigger module outputs +output "onboarding_status" { + description = "Onboarding API Status Result" + value = var.type == "single" ? module.single[0].onboarding_status : null +} \ No newline at end of file diff --git a/variables.tf b/variables.tf new file mode 100644 index 0000000..a73b44b --- /dev/null +++ b/variables.tf @@ -0,0 +1,271 @@ +# variables.tf + +variable "type" { + description = "The type of onboarding. Currently only 'single' onboarding types are supported" + type = string + validation { + condition = var.type == "single" + error_message = "Currently Only 'single' onboarding type are supported." + } +} + +variable "region" { + description = "Main AWS Region to to deploy resources" + type = string + validation { + condition = can(regex("^[a-z]{2}-[a-z]+-[0-9]+$", var.region)) + error_message = "Invalid AWS region format. Please provide a valid AWS region in the format 'aa-region-code-1'." + } +} + +variable "regions" { + description = "AWS Regions to deploy discovery and scanning resources" + type = list(string) + validation { + condition = alltrue(flatten([for region in var.regions : can(regex("^[a-z]{2}-[a-z]+-[0-9]+$", region))])) + error_message = "Invalid AWS region format. Please provide a valid AWS region in the format 'aa-region-code-1'." + } +} + +variable "additional_tags" { + description = "Additional tags to be sent to the Autoconnect API" + type = map(string) + default = {} +} + +variable "show_outputs" { + description = "Whether to show outputs after deployment" + type = bool + default = false + validation { + condition = can(regex("^([t][r][u][e]|[f][a][l][s][e])$", var.show_outputs)) + error_message = "Show outputs toggle must be either true or false." + } +} + +variable "aqua_volscan_api_url" { + description = "Aqua Volume Scanning API URL" + type = string + validation { + condition = can(regex("^https?://", var.aqua_volscan_api_url)) + error_message = "Aqua Volume Scanning API URL must start with or 'https://'" + } +} + +variable "aqua_bucket_name" { + description = "Aqua Bucket Name" + type = string + validation { + condition = length(var.aqua_bucket_name) > 0 + error_message = "Aqua Bucket Name must not be empty." + } +} + +variable "aqua_cspm_ipv4_address" { + description = "Aqua CSPM IPv4 address" + type = string + validation { + condition = can(cidrnetmask(var.aqua_cspm_ipv4_address)) + error_message = "Aqua CSPM IP address Must be a valid IPv4 CIDR block address." + } +} + +variable "aqua_volscan_api_token" { + description = "Aqua Volume Scanning API Token" + type = string + validation { + condition = length(var.aqua_volscan_api_token) > 0 + error_message = "Aqua Volume Scanning API Token must not be empty." + } +} + +variable "aqua_volscan_aws_account_id" { + description = "Aqua Volume Scanning AWS Account ID" + type = string + validation { + condition = can(regex("^\\d{12}$", var.aqua_volscan_aws_account_id)) + error_message = "Aqua Volume Scanning AWS account ID must be a 12-digit number." + } +} + +variable "aqua_autoconnect_url" { + description = "Aqua Autoconnect API URL" + type = string + validation { + condition = can(regex("^https?://", var.aqua_autoconnect_url)) + error_message = "Aqua Autoconnect API URL must start with or 'https://'" + } +} + +variable "aqua_cspm_url" { + description = "Aqua CSPM API URL" + type = string + validation { + condition = can(regex("^https?://", var.aqua_cspm_url)) + error_message = "Aqua CSPM API URL must start with or 'https://'" + } +} + +variable "aqua_cspm_group_id" { + description = "Aqua CSPM Group ID" + type = number + validation { + condition = var.aqua_cspm_group_id != null + error_message = "Aqua CSPM Group ID must not be empty." + } +} + +variable "aqua_api_key" { + description = "Aqua API Key" + type = string + validation { + condition = length(var.aqua_api_key) > 0 + error_message = "Aqua API key must not be empty." + } + validation { + condition = var.aqua_api_key != "" + error_message = "Aqua API key must be replaced from its default value of ." + } +} + +variable "aqua_api_secret" { + description = "Aqua API Secret" + type = string + validation { + condition = length(var.aqua_api_secret) > 0 + error_message = "Aqua API secret must not be empty." + } + validation { + condition = var.aqua_api_secret != "" + error_message = "Aqua API secret must be replaced from its default value of ." + } +} + +variable "aqua_cspm_aws_account_id" { + description = "Aqua CSPM AWS Account ID" + type = string + validation { + condition = can(regex("^\\d{12}$", var.aqua_cspm_aws_account_id)) + error_message = "Aqua CSPM AWS account ID must be a 12-digit number." + } +} + +variable "aqua_worker_role_arn" { + description = "Aqua Worker Role ARN" + type = string + validation { + condition = length(var.aqua_worker_role_arn) > 0 + error_message = "Aqua Worker role ARN must not be empty." + } +} + +variable "aqua_session_id" { + description = "Aqua Session ID" + type = string +} + +variable "aqua_cspm_role_prefix" { + description = "Aqua CSPM role name prefix" + type = string +} + +variable "custom_cspm_role_name" { + description = "Custom CSPM role Name" + type = string + default = "" + validation { + condition = length(var.custom_cspm_role_name) == 0 || (length(var.custom_cspm_role_name) >= 1 && length(var.custom_cspm_role_name) <= 64) + error_message = "The CSPM IAM role name must be between 1 and 64 characters." + } + + validation { + condition = length(var.custom_cspm_role_name) == 0 || can(regex("[a-zA-Z0-9+=,.@_-]+", var.custom_cspm_role_name)) + error_message = "The CSPM IAM role name can contain only alphanumeric characters and the following special characters: +=,.@_-" + } +} + +variable "custom_bucket_name" { + description = "Custom bucket Name" + type = string + default = "" +} + +variable "custom_agentless_role_name" { + description = "Custom Agentless role Name" + type = string + default = "" + validation { + condition = length(var.custom_agentless_role_name) == 0 || (length(var.custom_agentless_role_name) >= 1 && length(var.custom_agentless_role_name) <= 64) + error_message = "The Agentless IAM role name must be between 1 and 64 characters." + } + validation { + condition = length(var.custom_agentless_role_name) == 0 || can(regex("[a-zA-Z0-9+=,.@_-]+", var.custom_agentless_role_name)) + error_message = "The Agentless IAM role name can contain only alphanumeric characters and the following special characters: +=,.@_-" + } +} + +variable "custom_processor_lambda_role_name" { + description = "Custom Processor lambda role Name" + type = string + default = "" + validation { + condition = length(var.custom_processor_lambda_role_name) == 0 || (length(var.custom_processor_lambda_role_name) >= 1 && length(var.custom_processor_lambda_role_name) <= 64) + error_message = "The Processor Lambda IAM role name must be between 1 and 64 characters." + } + validation { + condition = length(var.custom_processor_lambda_role_name) == 0 || can(regex("[a-zA-Z0-9+=,.@_-]+", var.custom_processor_lambda_role_name)) + error_message = "The Processor Lambda IAM role name can contain only alphanumeric characters and the following special characters: +=,.@_-" + } +} + +variable "create_vpcs" { + description = "Toggle to create VPCs" + type = bool + default = true + validation { + condition = can(regex("^([t][r][u][e]|[f][a][l][s][e])$", var.create_vpcs)) + error_message = "Create vpcs must be either true or false." + } +} + +variable "custom_vpc_name" { + description = "Custom VPC Name" + type = string + default = "" +} + +variable "custom_vpc_subnet1_name" { + description = "Custom VPC Subnet 1 Name" + type = string + default = "" +} + +variable "custom_vpc_subnet2_name" { + description = "Custom VPC Subnet 2 Name" + type = string + default = "" +} + +variable "custom_vpc_subnet_route_table1_name" { + description = "Custom VPC Route Table 1 Name" + type = string + default = "" +} + +variable "custom_vpc_subnet_route_table2_name" { + description = "Custom VPC Route Table 2 Name" + type = string + default = "" +} + +variable "custom_internet_gateway_name" { + description = "Custom Internet Gateway Name" + type = string + default = "" +} + +variable "custom_security_group_name" { + description = "Custom Security Group Name" + type = string + default = "" +} diff --git a/versions.tf b/versions.tf new file mode 100644 index 0000000..285c610 --- /dev/null +++ b/versions.tf @@ -0,0 +1,27 @@ +# versions.tf + +terraform { + required_version = ">= 1.6.4" + required_providers { + aws = { + source = "hashicorp/aws" + version = "~> 5.57.0" + } + random = { + source = "hashicorp/random" + version = "~> 3.6.2" + } + http = { + source = "hashicorp/http" + version = "~> 3.4.3" + } + external = { + source = "hashicorp/external" + version = "~> 2.3.3" + } + archive = { + source = "hashicorp/archive" + version = "~> 2.4.2" + } + } +} \ No newline at end of file