README.md

terraform-aws-agentless-scanning

A Terraform Module to configure the Lacework Agentless Scanner.

Requirements

Name	Version
terraform	>= 0.15.0
aws	>= 4.0
lacework	~> 1.8
random	>= 2.1

Providers

Name	Version
aws	>= 4.0
lacework	~> 1.8
null	n/a
random	>= 2.1

Resources

Name	Type
aws_cloudwatch_event_rule.agentless_scan_event_rule	resource
aws_cloudwatch_event_target.agentless_scan_event_target	resource
aws_cloudwatch_log_group.agentless_scan_log_group	resource
aws_default_network_acl.default	resource
aws_default_security_group.default	resource
aws_ecs_cluster.agentless_scan_ecs_cluster	resource
aws_ecs_cluster_capacity_providers.agentless_scan_capacity_providers	resource
aws_ecs_task_definition.agentless_scan_task_definition	resource
aws_iam_policy.agentless_scan_task_policy	resource
aws_iam_role.agentless_scan_cross_account_role	resource
aws_iam_role.agentless_scan_ecs_event_role	resource
aws_iam_role.agentless_scan_ecs_execution_role	resource
aws_iam_role.agentless_scan_ecs_task_role	resource
aws_iam_role.agentless_scan_snapshot_role	resource
aws_iam_service_linked_role.agentless_scan_linked_role	resource
aws_internet_gateway.agentless_scan_gateway	resource
aws_route.agentless_scan_route	resource
aws_route_table.agentless_scan_route_table	resource
aws_route_table_association.agentless_scan_route_table_association	resource
aws_s3_bucket.agentless_scan_bucket	resource
aws_s3_bucket_lifecycle_configuration.agentless_scan_bucket_lifecyle	resource
aws_s3_bucket_ownership_controls.agentless_scan_bucket_ownership_controls	resource
aws_s3_bucket_policy.agentless_scan_bucket_policy	resource
aws_s3_bucket_public_access_block.agentless_scan_bucket_public_access_block	resource
aws_s3_bucket_server_side_encryption_configuration.agentless_scan_bucket_encryption	resource
aws_s3_bucket_versioning.versioning_example	resource
aws_secretsmanager_secret.agentless_scan_secret	resource
aws_secretsmanager_secret_version.agentless_scan_secret_version	resource
aws_security_group.agentless_scan_sec_group	resource
aws_subnet.agentless_scan_public_subnet	resource
aws_vpc.agentless_scan_vpc	resource
lacework_external_id.aws_iam_external_id	resource
lacework_integration_aws_agentless_scanning.lacework_cloud_account	resource
lacework_integration_aws_org_agentless_scanning.lacework_cloud_account	resource
null_resource.check_organization_requires_global_input	resource
random_id.uniq	resource
aws_caller_identity.current	data source
aws_iam_policy_document.agentless_scan_bucket_policy	data source
aws_iam_policy_document.agentless_scan_cross_account_policy	data source
aws_iam_policy_document.agentless_scan_task_policy_document	data source
aws_iam_policy_document.cross_account_inline_policy_bucket	data source
aws_iam_policy_document.cross_account_inline_policy_ecs	data source
aws_internet_gateway.selected	data source
aws_region.current	data source
aws_vpc.selected	data source
lacework_user_profile.current	data source

Inputs

Name	Description	Type	Default	Required
additional_environment_variables	Optional list of additional environment variables passed to the ECS task.	list(object({ name = string value = string }))	[]	no
agentless_scan_ecs_event_role_arn	ECS event role ARN. Required input for regional resources. (Deprecated: use global_module_reference)	string	""	no
agentless_scan_ecs_execution_role_arn	ECS execution role ARN. Required input for regional resources. (Deprecated: use global_module_reference)	string	""	no
agentless_scan_ecs_task_role_arn	ECS task role ARN. Required input for regional resources. (Deprecated: use global_module_reference)	string	""	no
agentless_scan_secret_arn	AWS SecretsManager Secret ARN for Lacework Account/Token. Required if Global is false and Regional is true. (Deprecated: use global_module_reference)	string	""	no
bucket_encryption_enabled	Set this to false to disable setting S3 SSE.	bool	true	no
bucket_force_destroy	Force destroy bucket. (if disabled, terraform will not be able do destroy non-empty bucket)	bool	true	no
bucket_sse_algorithm	The encryption algorithm to use for S3 bucket server-side encryption.	string	"AES256"	no
bucket_sse_key_arn	The ARN of the KMS encryption key to be used for S3 (required when bucket_sse_algorithm is aws:kms).	string	""	no
bucket_tags	Optional collection of tags to apply to the bucket	map(string)	{}	no
cross_account_role_arn	The IAM cross account role ARN is required when setting use_existing_cross_account_role to true	string	""	no
cross_account_role_name	The IAM cross account role name. Required to match with cross_account_role_arn if use_existing_cross_account_role is set to true	string	""	no
external_id	The external ID configured inside the IAM role used for cross account access	string	""	no
filter_query_text	The LQL query text.	string	""	no
global	Whether or not to create global resources. Defaults to false.	bool	false	no
global_module_reference	A reference to the global lacework_aws_agentless_scanning module for this account.	object({ agentless_scan_ecs_task_role_arn = string agentless_scan_ecs_execution_role_arn = string agentless_scan_ecs_event_role_arn = string agentless_scan_secret_arn = string lacework_account = string lacework_domain = string external_id = string prefix = string suffix = string })	{ "agentless_scan_ecs_event_role_arn": "", "agentless_scan_ecs_execution_role_arn": "", "agentless_scan_ecs_task_role_arn": "", "agentless_scan_secret_arn": "", "external_id": "", "lacework_account": "", "lacework_domain": "", "prefix": "", "suffix": "" }	no
iam_service_linked_role	Whether or not to create aws_iam_service_linked_role. Defaults to false.	bool	false	no
image_url	The container image url for Lacework sidekick.	string	"public.ecr.aws/p5r4i7k7/sidekick:latest"	no
lacework_account	The name of the Lacework account with which to integrate.	string	""	no
lacework_aws_account_id	The Lacework AWS account that the IAM role will grant access.	string	"434813966438"	no
lacework_domain	The domain of the Lacework account with with to integrate.	string	"lacework.net"	no
lacework_integration_name	The name of the Lacework cloud account integration.	string	"aws-agentless-scanning"	no
org_account_mappings	Mapping of AWS accounts to Lacework accounts within a Lacework organization	list(object({ default_lacework_account = string mapping = list(object({ lacework_account = string aws_accounts = list(string) })) }))	[]	no
organization	Used for multi-account scanning. Set management_account to the AWS Organizations management account. Set the monitored_accounts list to a list of AWS account IDs or OUs.	object({ management_account = string monitored_accounts = list(string) })	{ "management_account": "", "monitored_accounts": [] }	no
prefix	A string to be prefixed to the name of all new resources.	string	"lacework-agentless-scanning"	no
regional	Whether or not to create regional resources. Defaults to false.	bool	false	no
scan_containers	Whether to includes scanning for containers. Defaults to true.	bool	true	no
scan_frequency_hours	How often in hours the scan will run in hours. Defaults to 24.	number	24	no
scan_host_vulnerabilities	Whether to includes scanning for host vulnerabilities. Defaults to true.	bool	true	no
scan_multi_volume	Whether to scan secondary volumes. Defaults to false.	bool	false	no
scan_stopped_instances	Whether to scan stopped instances. Defaults to true.	bool	true	no
secretsmanager_kms_key_id	ARN or Id of the AWS KMS key to be used to encrypt the secret values in the versions stored in this secret.	string	null	no
security_group_id	The ID of the security group to use for scanning compute resources. Must also set use_existing_security_group to true.	string	""	no
snapshot_role	Whether or not to create an AWS Organization snapshot role. Defaults to false.	bool	false	no
subnet_id	The ID of the subnet to use for scanning compute resources. Must also set use_existing_subnet to true.	string	""	no
suffix	A string to be appended to the end of the name of all new resources.	string	""	no
use_existing_cross_account_role	Set this to true to use an existing IAM cross account role	bool	false	no
use_existing_event_role	Set this to true to use an existing IAM event role	bool	false	no
use_existing_execution_role	Set this to true to use an existing IAM execution role	bool	false	no
use_existing_security_group	Set this to true to use an existing security group for scanning compute resources.	bool	false	no
use_existing_subnet	Set this to true to use an existing subnet for scanning compute resources.	bool	false	no
use_existing_task_role	Set this to true to use an existing IAM task role	bool	false	no
use_existing_vpc	Set this to true to use an existing VPC. The VPC must have a Internet Gateway attached, and vpc_cidr_block will be used to create new subnet to isolate scanning resources.	bool	false	no
use_internet_gateway	Whether or not you want to use an 'AWS internet gateway' for internet facing traffic. Only set this to false if you route internet traffic using a different approach.	bool	true	no
vpc_cidr_block	VPC CIDR block used to isolate scanning VPC and single subnet.	string	"10.10.32.0/24"	no
vpc_id	The ID of an existing AWS VPC to use for deploying regional scan resources. Must have an Internet Gateway attached.	string	""	no

Outputs

Name	Description
agentless_scan_ecs_event_role_arn	Output ECS event role ARN.
agentless_scan_ecs_execution_role_arn	Output ECS execution role ARN.
agentless_scan_ecs_task_role_arn	Output ECS task role ARN.
agentless_scan_secret_arn	AWS SecretsManager Secret ARN for Lacework Account and Token.
external_id	External ID used for assuming snapshot creation and cross-account roles.
lacework_account	Lacework Account Name for Integration.
lacework_domain	Lacework Domain Name for Integration.
prefix	Prefix used to add uniqueness to resource names.
suffix	Suffix used to add uniqueness to resource names.