Terraform-azure-onboarding

This Terraform module provides an easy way to configure Aqua Security’s CSPM and agentless solutions on Azure.

It creates the necessary resources, such as service accounts, roles, and permissions, to enable seamless integration with Aqua’s platform.

Pre-requisites
Usage
Examples
Using Existing Network
Requirements
Providers
Modules
Resources
Inputs
Outputs

Pre-requisites

Before using this module, ensure that you have the following:

Terraform version 1.6.4 or later.
azure CLI installed and configured.
Python 3+ installed.
Aqua Security account API credentials.

Usage

Leverage the Aqua platform to generate the local variables required by the module.
Important: Replace <aqua_api_key> and <aqua_api_secret> with your generated API credentials.
Get from Azure console your Tenant ID.
Run az login --tenant <tenant_id> to set your tenant.
Only for single subscription --> run az account set --subscription <subscription_name> to set azure cli context.
Run terraform init to initialize the module.
Run terraform apply to create the resources.

Examples

Here's an example of how to use this module:

Single subscription

module "aqua_azure_onboarding" {
  source                               = "aquasecurity/onboarding/azure"
  onboarding_type                      = "single-subscription"
  aqua_bucket_name                     = "aqua-bucket-name"
  aqua_cspm_url                        = "aqua-cspm-url"
  aqua_volscan_api_url                  = "aqua-volscan-api-url"
  aqua_volscan_api_token                = "aqua-volscan-api-token"
  aqua_volscan_resource_group_location = "westus2"
  aqua_volscan_scan_locations          = ["australiaeast", "australiasoutheast"]
  aqua_cspm_group_id                   = "cspm-group-id"
  aqua_configuration_id                 = "aqua-configuration-id"
  aqua_autoconnect_url                  = "aqua-autoconnect-url"
  aqua_api_key                          = "aqua-api-key"
  aqua_api_secret                       = "aqua-api-secret"
  aqua_custom_tags                      = { aqua = "true" }
}

Management Group

module "aqua_azure_onboarding" {
  source                               = "aquasecurity/onboarding/azure"
  onboarding_type                      = "management-group"
  aqua_bucket_name                     = "aqua-bucket-name"
  management_group_id                  = "management-group-id"
  aqua_cspm_url                        = "aqua-cspm-url"
  aqua_volscan_api_url                 = "aqua-volscan-api-url"
  aqua_volscan_api_token               = "aqua-volscan-api-token"
  aqua_volscan_resource_group_location = "westus2"
  aqua_volscan_scan_locations          = ["australiaeast", "australiasoutheast"]
  aqua_cspm_group_id                   = "cspm-group-id"
  aqua_configuration_id                = "aqua-configuration-id"
  aqua_autoconnect_url                 = "aqua-autoconnect-url"
  aqua_api_key                         = "aqua-api-key"
  aqua_api_secret                      = "aqua-api-secret"
  aqua_custom_tags                     = { aqua = "true" }
}

Using Existing Network

If you prefer to use existing networking instead of Aqua provisioning new ones, you can do so by setting create_network = false in the module's input variables. In this case, you will need to create the network per subscription, prior to onboarding, the following resources with the following naming convention:

Resource group:
- Name 'aqua-agentless-scanner'
- Tag aqua-agentless-scanner:true
Security group (per each chosen scan location):
- Name <resource-group-name>-<region>. E.g., aqua-agentless-scanner-centralus
- Tag aqua-agentless-scanner:true
Virtual network (per each chosen scan location):
- Name <resource-group-name>-<region>. E.g., aqua-agentless-scanner-centralus
- Tag aqua-agentless-scanner:true
Subnet (attached to the virtual network):
- Name <resource-group-name>. E.g., aqua-agentless-scanner

Requirements

Name	Version
terraform	>= 1.6.4
azuread	~>2.47.0
azurerm	~>3.95.0
external	~>2.3.3
http	~>3.4.2

Providers

Name	Version
azuread	2.47.0
azurerm	3.95.0

Modules

Name	Source	Version
application	./modules/application	n/a
iam	./modules/iam	n/a
management_group	./modules/management_group	n/a
subscription	./modules/subscription	n/a

Resources

Name	Type
azuread_client_config.current	data source
azurerm_management_group.current	data source
azurerm_subscription.current	data source

Inputs

Name	Description	Type	Default	Required
aqua_api_key	Aqua API key	`string`	n/a	yes
aqua_api_secret	Aqua API secret key	`string`	n/a	yes
aqua_autoconnect_url	Aqua AutoConnect URL	`string`	n/a	yes
aqua_bucket_name	Aqua Bucket Name	`string`	n/a	yes
aqua_configuration_id	Aqua configuration ID	`string`	n/a	yes
aqua_cspm_group_id	CSPM group ID	`string`	n/a	yes
aqua_cspm_role_name	Aqua AutoConnect Scanner Role Name - The default value will be calculated as 'Aqua_Auto_Discovery_Scanner_Role_<subscription_id>'	`string`	`""`	no
aqua_cspm_url	Aqua CSPM url	`string`	n/a	yes
aqua_custom_tags	Client additional resource tags	`map(string)`	`{}`	no
aqua_event_subscriptions_name	Aqua volume scanning Event Subscriptions Name	`string`	`"aqua-agentless-scanner"`	no
aqua_network_security_group_name	Aqua volume scanning Network Security Group Name	`string`	`"aqua-agentless-scanner"`	no
aqua_subnet_name	Aqua volume scanning Subnet Name	`string`	`"aqua-agentless-scanner"`	no
aqua_system_topics_name	Aqua volume scanning Event Grid System Topic Name	`string`	`"aqua-agentless-scanner"`	no
aqua_virtual_network_name	Aqua volume scanning Virtual Network Name	`string`	`"aqua-agentless-scanner"`	no
aqua_volscan_api_token	Aqua volume scanning API token	`string`	n/a	yes
aqua_volscan_api_url	Aqua Event Subscription webhook URL	`string`	n/a	yes
aqua_volscan_resource_group_location	Aqua volume scanning Resource Group Location	`string`	`"eastus"`	no
aqua_volscan_resource_group_name	Aqua volume scanning Resource Group Name	`string`	`"aqua-agentless-scanner"`	no
aqua_volscan_scan_locations	List of Azure locations to scan - by default, all regions are selected	`list(string)`	[ "eastus", "eastus2", "southcentralus", "westus2", "westus3", "australiaeast", "southeastasia", "northeurope", "swedencentral", "uksouth", "westeurope", "centralus", "southafricanorth", "centralindia", "eastasia", "japaneast", "koreacentral", "canadacentral", "francecentral", "germanywestcentral", "norwayeast", "switzerlandnorth", "uaenorth", "brazilsouth", "qatarcentral", "northcentralus", "westus", "westcentralus", "australiacentral", "australiasoutheast", "japanwest", "koreasouth", "southindia", "westindia", "canadaeast", "ukwest" ]	no
create_network	Toggle to create network resources	`bool`	`true`	no
management_group_id	Aqua Management Group ID - Relevant when onboarding_type is management-group	`string`	`""`	no
onboarding_type	The type of onboarding. Valid values are 'single-subscription' or 'management-group' onboarding types	`string`	n/a	yes
show_outputs	Toggle to show summary outputs after deployment	`bool`	`false`	no

Outputs

Name	Description
application_id	Application ID
aqua_agentless_scanner_delete_role_definition_id	The ID of the created Aqua agentless delete role definition
aqua_agentless_scanner_role_definition_id	The ID of the created Aqua agentless role definition
aqua_cspm_scanner_role_definition_id	The ID of the created Aqua CSPM role definition
aqua_volscan_resource_group_name	Aqua volume scanning Resource Group Name
eventgrid_id	EventGrid ID
management_group_name	Management Group name
resource_group_id	Resource Group ID
security_groups_names	Security Groups names
subscription_id	Subscription ID
virtual_networks_names	Virtual Networks names

aquasecurity / terraform-azure-onboarding Goto Github PK