This is a Terraform module that installs the Cyral Repo Crawler as an AWS Lambda function, including all of its dependencies: the IAM execution role and its policy, a DynamoDB table used as the classification cache, a security group for the function, and a Secrets Manager secret for the Cyral API credentials (unless an existing one is supplied).
Additional resources need to be created to trigger the function with the correct parameters, most importantly an EventBridge rule and target that invoke the function with its configuration, plus the Lambda permission that lets EventBridge call it.
See Deployments for usage details.
Name | Version |
---|---|
terraform | >= 0.14 |
aws | >= 4.0, < 6.0.0 |
random | ~> 3.1 |
Name | Version |
---|---|
aws | >= 4.0, < 6.0.0 |
random | ~> 3.1 |
No modules.
Name | Type |
---|---|
aws_dynamodb_table.this | resource |
aws_iam_role.this | resource |
aws_lambda_function.this | resource |
aws_secretsmanager_secret.cyral_secret | resource |
aws_secretsmanager_secret_version.cyral_secret_version | resource |
aws_security_group.this | resource |
random_id.this | resource |
aws_caller_identity.current | data source |
aws_iam_policy_document.assume_role_policy | data source |
aws_iam_policy_document.execution_policy | data source |
aws_partition.current | data source |
aws_region.current | data source |
Name | Description | Type | Default | Required |
---|---|---|---|---|
control_plane_grpc_port | The TCP/IP port of the Cyral Control Plane gRPC API. | number | 443 | no |
control_plane_host | The host of the Cyral Control Plane API, e.g. tenant.app.cyral.com. | string | n/a | yes |
control_plane_rest_port | The TCP/IP port of the Cyral Control Plane REST API. | number | 443 | no |
crawler_name | The name of the Repo Crawler Lambda function. If omitted, it defaults to `cyral-repo-crawler-<16-character random alphanumeric string>`. | string | "" | no |
crawler_version | The version of the Cyral Repo Crawler to use, e.g. v1.2.3. | string | n/a | yes |
cyral_client_id | The client ID used to connect to the Cyral API. REQUIRED if the cyral_secret_arn variable is empty. | string | "" | no |
cyral_client_secret | The client secret used to connect to the Cyral API. REQUIRED if the cyral_secret_arn variable is empty. A value passed this way is written to the Terraform state, so protect the state (encrypted remote backend, restricted access) accordingly. | string | "" | no |
cyral_secret_arn | ARN of the AWS Secrets Manager secret that stores the credentials for the Cyral API. Either this OR both cyral_client_id and cyral_client_secret are REQUIRED. If empty, cyral_client_id and cyral_client_secret MUST both be provided, and a new secret containing them is created in AWS Secrets Manager. | string | "" | no |
dynamodb_cache_table_name_suffix | The suffix of the DynamoDB table name used for the classification cache. The full table name is the Lambda function name followed by this suffix. | string | "cyralRepoCrawlerCache" | no |
repo_secret_arns | ARNs of the Secrets Manager secrets (the repository credentials) that the Lambda execution role is granted read access to. Keep this list to the secrets the crawler actually needs. | list(string) | n/a | yes |
subnet_ids | The subnets that the Repo Crawler Lambda function will be deployed to. All subnets must be able to reach both the Cyral Control Plane and the database being crawled. They must also be able to reach CloudWatch and Secrets Manager, so either outbound internet access or VPC endpoints for those services is required. | list(string) | [] | no |
timeout | The timeout of the Repo Crawler Lambda function, in seconds. | number | 300 | no |
vpc_id | The VPC the Lambda function will be attached to. | string | "" | no |
Name | Description |
---|---|
repo_crawler_aws_security_group_id | The ID of the AWS security group attached to the Repo Crawler Lambda function. |
repo_crawler_lambda_function_arn | The Amazon Resource Name (ARN) of the Repo Crawler Lambda function. |
repo_crawler_lambda_function_name | The name of the Repo Crawler Lambda function. |
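The following is an added usage example, not code from this module or its Deployments guide. It calls the module with the inputs listed above and creates the EventBridge rule, target and Lambda permission that the introduction says must be added separately. The module `source` path, the variable names (`cyral_secret_arn`, `repo_secret_arns`, `vpc_id`, `private_subnet_ids`, `crawler_event`), the daily schedule and the secret names are assumptions; the shape of the event payload the crawler expects is not documented on this page and is therefore passed through unchanged from a variable.

```hcl
# Added example (assumptions marked inline); not part of the module itself.

variable "cyral_secret_arn" {
  description = "ARN of an existing Secrets Manager secret holding the Cyral API client ID/secret (assumption: created outside Terraform)."
  type        = string
}

variable "repo_secret_arns" {
  description = "ARNs of the Secrets Manager secrets holding the credentials of the repositories to crawl."
  type        = list(string)
}

variable "vpc_id" {
  type = string
}

variable "private_subnet_ids" {
  description = "Subnets with a route to the Control Plane, the databases, CloudWatch and Secrets Manager (NAT or VPC endpoints)."
  type        = list(string)
}

variable "crawler_event" {
  description = "Event payload passed to the crawler on each invocation; its schema comes from the Deployments guide, not from this example."
  type        = any
}

module "cyral_repo_crawler" {
  source = "./modules/cyral-repo-crawler" # assumption: local checkout of this module

  control_plane_host = "tenant.app.cyral.com" # placeholder tenant
  crawler_version    = "v1.2.3"               # placeholder version

  # Reference an existing secret instead of passing cyral_client_id/cyral_client_secret:
  # values given as variables are stored in plain text in the Terraform state.
  cyral_secret_arn = var.cyral_secret_arn

  # Least privilege: the execution role only gets read access to these secrets.
  repo_secret_arns = var.repo_secret_arns

  vpc_id     = var.vpc_id
  subnet_ids = var.private_subnet_ids
  timeout    = 300
}

# Scheduled trigger. The schedule expression is an assumption.
resource "aws_cloudwatch_event_rule" "repo_crawler" {
  name                = "${module.cyral_repo_crawler.repo_crawler_lambda_function_name}-schedule"
  description         = "Periodically runs the Cyral Repo Crawler"
  schedule_expression = "rate(1 day)"
}

# The rule's target is the Lambda created by the module; the input carries the
# crawler's parameters (the "configuration" mentioned in the introduction).
resource "aws_cloudwatch_event_target" "repo_crawler" {
  rule      = aws_cloudwatch_event_rule.repo_crawler.name
  target_id = "cyral-repo-crawler"
  arn       = module.cyral_repo_crawler.repo_crawler_lambda_function_arn
  input     = jsonencode(var.crawler_event)
}

# Without this resource-based policy EventBridge cannot invoke the function.
# source_arn limits the grant to this one rule rather than any EventBridge rule.
resource "aws_lambda_permission" "allow_eventbridge" {
  statement_id  = "AllowExecutionFromEventBridge"
  action        = "lambda:InvokeFunction"
  function_name = module.cyral_repo_crawler.repo_crawler_lambda_function_name
  principal     = "events.amazonaws.com"
  source_arn    = aws_cloudwatch_event_rule.repo_crawler.arn
}
```

Two checks worth making after `terraform apply`: confirm that the execution role's policy (data source `aws_iam_policy_document.execution_policy` in the resources list) only names the secrets in `repo_secret_arns` plus the Cyral API secret, and confirm that the security group the module creates (output `repo_crawler_aws_security_group_id`) allows egress only to the Control Plane ports, the databases being crawled, and the CloudWatch and Secrets Manager endpoints.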