This is a Terraform module that creates an Amazon Web Services (AWS) Read Only integration with Bridgecrew.
This stack creates a role with a dedicated External ID which allows only authorized access from Bridgecrew's AWS account
Include module.readonly.tf in your existing Terraform code, and/or see example/examplea as your guide:
module "readonly" {
source = "bridgecrewio/bridgecrew-read-only/aws"
version = "v1.5.4"
org_name = "<your org name>"
aws_profile = "<aws profile>"
api_token = var.api_token
}The module requires that you set your Bridgecrew organisation name and the name of the AWS profile of the AWS account you want to attach Bridgecrew too.
The module expect the Bridgecrew platform API token to be supplied.
On Windows:
$env:TF_VAR_api_token="your-platform-token"On *nix:
export TF_VAR_api_token="your-platform-token"Or you can leave it blank to be prompted at your console.
In the examples folder you'll also find an example that drives this module but obtains the api_token from your AWS SSM parameter store. You'll have to add the variable there once yourself, but any future uses will obtain it without intervention.
aws ssm put-parameter --name /bridgecrew/api_token --value <your_token> --type SecureString
Also in the examples folder you'll find an example that drives this module but obtains the api_token, but this time from AWS secretsmanager.
aws secretsmanager create-secret --name /bridgecrew/api_token
aws secretsmanager put-secret-value --secret-id /bridgecrew/api_token --secret-string <your_token>
This module is supported for deployment in the following AWS regions:
- All US regions
- eu-west-1
- eu-central-1
- ap-northeast-1
However, its functionality will work across all AWS regions.
No requirements.
| Name | Version |
|---|---|
| aws | 3.26.0 |
| null | 3.0.0 |
| random | 3.0.1 |
No modules.
| Name | Type |
|---|---|
| aws_iam_role.bridgecrew_account_role | resource |
| aws_iam_role_policy.bridgecrew_describe_policy | resource |
| aws_iam_role_policy_attachment.bridgecrew_cloud_formation | resource |
| aws_iam_role_policy_attachment.bridgecrew_security_audit | resource |
| null_resource.await_for_role_setup | resource |
| null_resource.create_bridgecrew | resource |
| null_resource.disconnect_bridgecrew | resource |
| null_resource.update_bridgecrew | resource |
| random_uuid.external_id | resource |
| aws_caller_identity.caller | data source |
| aws_iam_policy_document.bridgecrew_account_assume_role | data source |
| aws_iam_policy_document.bridgecrew_describe_policy_document | data source |
| aws_region.region | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_alias | The alias of the account the CF is deployed in. This will be prepended to all the resources in the stack. Default is {org_name}-bc | string |
"" |
no |
| api_token | This is your Bridgecrew platform Api token Set as and Environment variable TF_VAR_api_token | string |
n/a | yes |
| aws_profile | The profile that was used to deploy this module. If the default profile / default credentials are used, seet this value to null. | string |
n/a | yes |
| bridgecrew_account_id | The Bridgecrew AWS account ID from which scans will originate. This value should not typically be modified, but is provided here to support testing and troubleshooting, if needed. | string |
"890234264427" |
no |
| common_tags | Implements the common tags scheme | map(any) |
{ |
no |
| org_name | The name of the company the integration is for. Must be alphanumeric. | string |
n/a | yes |
| role_name | The name for the Bridgecrew read-only IAM role. | string |
"" |
no |
| topic_name | The name of the SNS topic for Bridgecrew to receive notifications. This value should not typically be modified, but is provided here to support testing and troubleshooting, if needed. | string |
"handle-customer-actions" |
no |
| Name | Description |
|---|---|
| customer_name | The customer name as defined on Bridgecrew signup |
| message | n/a |
| role | The cross-account access role for Bridgecrew |
| role_arn | The cross-account access role ARN for Bridgecrew |
| role_name | n/a |
| topic | The SNS endpoint that enabled the account |
Check out these related projects.
Got a question?
File a GitHub issue.
Please use the issue tracker to report any bugs or file feature requests.
Copyright © 2020-2021 Bridgecrew
See LICENSE for full details.
Licensed to the Apache Software Foundation (ASF) under one or more contributor license agreements. See the NOTICE file distributed with this work for additional information regarding copyright ownership. The ASF licenses this file to you under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with the License. You may obtain a copy of the License at
https://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software distributed under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License for the specific language governing permissions and limitations under the License.