Skip to content

dome9/terraform-dome9-awp-aws

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

6 Commits
.spectral
.spectral
 
 
examples
examples
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
main.tf
main.tf
 
 
outputs.tf
outputs.tf
 
 
pre-realease.sh
pre-realease.sh
 
 
variables.tf
variables.tf
 
 
versions.tf
versions.tf
 
 

Repository files navigation

CloudGuard AWP (AWS) - Terraform Module

This Terraform module is designed to enable AWP (Agentless Workload Posture) on AWS account. (https://www.checkpoint.com/dome9/)

This module use Check Point CloudGuard Dome9 Provider

Prerequisites

Usage

module "terraform-dome9-awp-aws" {
  source = "dome9/awp-aws/dome9"

  # The Id of the AWS account, onboarded to CloudGuard (can be either the CloudGuard Cloud Account ID or the AWS Account Number)
  awp_cloud_account_id = dome9_cloudaccount_aws.my_aws_account.id

  # The AWP scan mode. Possible values are "inAccount", "saas", "inAccountHub", "inAccountSub"
  awp_scan_mode = "inAccount"

  # Optional customizations:
  # e.g:
  awp_cross_account_role_name        = "<CrossAccountRoleName>"
  awp_cross_account_role_external_id = "<ExternalId>"
  awp_centralized_cloud_account_id   = "In case of centralized onboarding, this should be the account id (CloudGuard account id or AWS cloud account id) of the centralized account"
  awp_additional_tags                = {}  # e.g {"key1" = "value1", "key2" = "value2"}
    

  # Optional account settings
  # e.g:  
  awp_account_settings_aws = {
    scan_machine_interval_in_hours  = 24
    max_concurrent_scans_per_region = 20
    in_account_scanner_vpc          = "ManagedByAWP"
    disabled_regions                = []   # e.g ["ap-northeast-1", "ap-northeast-2"]
    custom_tags                     = {}   # e.g {"key1" = "value1", "key2" = "value2"} 
  }
}

Examples

examples directory contains example usage of this module.

  • basic - A basic example of using this module.
  • complete - A complete example of using this module with all the available options.

AWP Terraform template

Version 8

Requirements

Name Version
terraform >= 1.0
aws >=5.30.0
dome9 >=1.35.8
http >=3.4.2
local >=2.5.1

Inputs

Name Description Type Default Required
awp_cloud_account_id The Id of the AWS account, onboarded to CloudGuard (can be either the CloudGuard Account ID or the AWS Account Number) string n/a yes
awp_centralized_cloud_account_id The Id of the centralized account (CloudGuard account id or AWS cloud account id) where the scans take place string n/a only for inAccountSub scan mode
awp_scan_mode The scan mode for the AWP [ "inAccount" | "saas" | "inAccountHub" | "inAccountSub" ] string "inAccount" yes
awp_cross_account_role_name AWP Cross account role name string CloudGuardAWPCrossAccountRole no
awp_cross_account_role_external_id AWP Cross account role external id string null (auto-generated) no
awp_additional_tags Additional tags to be added to all aws resources created by this module map(string) {} no
awp_account_settings_aws AWP Account settings for AWS, supported only for inAccount and saas scan mode object null no

awp_account_settings_aws variable is an object that contains the following attributes:

Name Description Type Default Valid Values Required
scan_machine_interval_in_hours Scan machine interval in hours number 24 InAccount: >=4, SaaS: >=24 no
max_concurrent_scans_per_region Maximum concurrent scans per region number 20 1 - 20 no
in_account_scanner_vpc The VPC Mode string ManagedByAWP ManagedByAWP,ManagedByCustomer no
custom_tags Custom tags to be added to AWP resources that are created during the scan process map(string) {} {"key" = "value", ...} no
disabled_regions List of AWS regions to disable AWP scanning list(string) [] ["us-east-1", ...] no

Resources

Name Type
aws_cloudwatch_log_group.CloudGuardAWPSnapshotsUtilsLogGroup resource
aws_iam_policy.CloudGuardAWPCrossAccountRolePolicy resource
aws_iam_policy.CloudGuardAWPKeyReplicationPolicy resource
aws_iam_policy.CloudGuardAWPKeyUsagePolicy resource
aws_iam_policy.CloudGuardAWPProxyLambdaManagementPolicy resource
aws_iam_policy.CloudGuardAWPReEncryptionPolicy resource
aws_iam_policy.CloudGuardAWPReaderPolicy resource
aws_iam_policy.CloudGuardAWPScannersPolicy resource
aws_iam_policy.CloudGuardAWPScannersReaderPolicy resource
aws_iam_policy.CloudGuardAWPSecurityGroupManagementPolicy resource
aws_iam_policy.CloudGuardAWPSnapshotsPolicy resource
aws_iam_policy.CloudGuardAWPSnapshotsUtilsLambdaExecutionRolePolicy resource
aws_iam_policy.CloudGuardAWPVpcManagementPolicy resource
aws_iam_policy_attachment.CloudGuardAWPCrossAccountRolePolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPKeyReplicationPolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPKeyUsagePolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPProxyLambdaManagementPolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPReEncryptionPolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPReaderPolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPScannersPolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPScannersReaderPolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPSecurityGroupManagementPolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPSnapshotsPolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPSnapshotsUtilsLambdaExecutionRolePolicyAttachment resource
aws_iam_policy_attachment.CloudGuardAWPVpcManagementPolicyAttachment resource
aws_iam_role.CloudGuardAWPCrossAccountRole resource
aws_iam_role.CloudGuardAWPOperatorRole resource
aws_iam_role.CloudGuardAWPSnapshotsUtilsLambdaExecutionRole resource
aws_kms_alias.CloudGuardAWPKeyAlias resource
aws_kms_key.CloudGuardAWPKey resource
aws_lambda_function.CloudGuardAWPSnapshotsUtilsFunction resource
aws_lambda_invocation.CloudGuardAWPSnapshotsUtilsCleanupFunctionInvocation_inAccount resource
aws_lambda_invocation.CloudGuardAWPSnapshotsUtilsCleanupFunctionInvocation_inAccountHub resource
aws_lambda_invocation.CloudGuardAWPSnapshotsUtilsCleanupFunctionInvocation_saas resource
dome9_awp_aws_onboarding.awp_aws_onboarding_resource resource
local_file.CloudGuardAWPSnapshotsUtilsFunctionZip resource

Outputs

Name Description
agentless_protection_enabled AWP Status
awp_cross_account_role_arn Value of the cross account role arn that AWP assumes to scan the account
cloud_account_id CloudGuard account ID
missing_awp_private_network_regions List of regions in which AWP has issue to create virtual private network (VPC)
should_update This module is out of date and should be updated to the latest version.

FAQ & Troubleshooting

Important

The warning message "Warning: Response body is not recognized as UTF-8" is expected and is a known issue with the http provider. This warning occurs because the data-source data.http.DownloadCloudGuardAWPSnapshotsUtilsFunctionZip is retrieving a binary file, which may not be encoded in UTF-8 format. As a result, the http provider raises this warning. It does not indicate any error or problem with the functionality of the module.

About

CloudGuard AWP Module (AWS)

Topics

aws-ec2 dome9 awp agentless cloudguard

Resources

Readme

License

MPL-2.0 license
Activity
Custom properties

Stars

1 star

Watchers

4 watching

Forks

0 forks
Report repository

Releases 4

v1.10.1 Latest
Sep 11, 2024
3 releases

Packages

No packages published

Contributors 4

  •  
  •  
  •  
  •  

Languages