This Terraform module is designed to enable AWP (Agentless Workload Posture) on AWS account. (https://www.checkpoint.com/dome9/)
This module use Check Point CloudGuard Dome9 Provider
- AWS Account onboarded to CloudGuard
- CloudGuard API Key and Secret (CloudGuard Provider Authentication)
- AWS Credentials (AWS Provider Authentication) with permissions to create IAM roles and policies (for more info follow: AWP Documentation)
module "terraform-dome9-awp-aws" {
source = "dome9/awp-aws/dome9"
# The Id of the AWS account, onboarded to CloudGuard (can be either the CloudGuard Cloud Account ID or the AWS Account Number)
awp_cloud_account_id = dome9_cloudaccount_aws.my_aws_account.id
# The AWP scan mode. Possible values are "inAccount", "saas", "inAccountHub", "inAccountSub"
awp_scan_mode = "inAccount"
# Optional customizations:
# e.g:
awp_cross_account_role_name = "<CrossAccountRoleName>"
awp_cross_account_role_external_id = "<ExternalId>"
awp_centralized_cloud_account_id = "In case of centralized onboarding, this should be the account id (CloudGuard account id or AWS cloud account id) of the centralized account"
awp_additional_tags = {} # e.g {"key1" = "value1", "key2" = "value2"}
# Optional account settings
# e.g:
awp_account_settings_aws = {
scan_machine_interval_in_hours = 24
max_concurrent_scans_per_region = 20
in_account_scanner_vpc = "ManagedByAWP"
scan_aws_licensed_images = false
disabled_regions = [] # e.g ["ap-northeast-1", "ap-northeast-2"]
custom_tags = {} # e.g {"key1" = "value1", "key2" = "value2"}
}
}examples directory contains example usage of this module.
- basic - A basic example of using this module.
- complete - A complete example of using this module with all the available options.
| Version | 8 |
|---|
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >=5.30.0 |
| dome9 | >=1.40.2 |
| http | >=3.4.2 |
| local | >=2.5.1 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| awp_cloud_account_id | The Id of the AWS account, onboarded to CloudGuard (can be either the CloudGuard Account ID or the AWS Account Number) | string |
n/a | yes |
| awp_centralized_cloud_account_id | The Id of the centralized account (CloudGuard account id or AWS cloud account id) where the scans take place | string |
n/a | only for inAccountSub scan mode |
| awp_scan_mode | The scan mode for the AWP [ "inAccount" | "saas" | "inAccountHub" | "inAccountSub" ] |
string |
"inAccount" | yes |
| awp_cross_account_role_name | AWP Cross account role name | string |
CloudGuardAWPCrossAccountRole |
no |
| awp_cross_account_role_external_id | AWP Cross account role external id | string |
null (auto-generated) |
no |
| awp_additional_tags | Additional tags to be added to all aws resources created by this module | map(string) |
{} |
no |
| awp_account_settings_aws | AWP Account settings for AWS, supported only for inAccount and saas scan mode | object | null |
no |
awp_account_settings_aws variable is an object that contains the following attributes:
| Name | Description | Type | Default | Valid Values | Required |
|---|---|---|---|---|---|
| scan_machine_interval_in_hours | Scan machine interval in hours | number |
24 |
InAccount: >=4, SaaS: >=24 |
no |
| max_concurrent_scans_per_region | Maximum concurrent scans per region | number |
20 |
1 - 20 |
no |
| in_account_scanner_vpc | The VPC Mode | string |
ManagedByAWP |
ManagedByAWP,ManagedByCustomer |
no |
| scan_aws_licensed_images | Scan AWS licensed images | bool |
false |
true or false |
no |
| custom_tags | Custom tags to be added to AWP resources that are created during the scan process | map(string) |
{} |
{"key" = "value", ...} |
no |
| disabled_regions | List of AWS regions to disable AWP scanning | list(string) |
[] |
["us-east-1", ...] |
no |
| Name | Description |
|---|---|
| agentless_protection_enabled | AWP Status |
| awp_cross_account_role_arn | Value of the cross account role arn that AWP assumes to scan the account |
| cloud_account_id | CloudGuard account ID |
| missing_awp_private_network_regions | List of regions in which AWP has issue to create virtual private network (VPC) |
| should_update | This module is out of date and should be updated to the latest version. |
Important
The warning message "Warning: Response body is not recognized as UTF-8" is expected and is a known issue with the http provider.
This warning occurs because the data-source data.http.DownloadCloudGuardAWPSnapshotsUtilsFunctionZip is retrieving a binary file, which may not be encoded in UTF-8 format.
As a result, the http provider raises this warning.
It does not indicate any error or problem with the functionality of the module.