
dome9/terraform-dome9-awp-aws


CloudGuard AWP (AWS) - Terraform Module

This Terraform module enables AWP (Agentless Workload Posture) on an AWS account. (https://www.checkpoint.com/dome9/)

This module uses the Check Point CloudGuard Dome9 provider.

Prerequisites

Usage

```hcl
module "terraform-dome9-awp-aws" {
  source = "dome9/awp-aws/dome9"

  # The Id of the AWS account onboarded to CloudGuard (either the CloudGuard Cloud Account ID or the AWS Account Number)
  awp_cloud_account_id = dome9_cloudaccount_aws.my_aws_account.id

  # The AWP scan mode. Possible values are "inAccount", "saas", "inAccountHub", "inAccountSub"
  awp_scan_mode = "inAccount"

  # Optional customizations, e.g.:
  awp_cross_account_role_name        = "<CrossAccountRoleName>"
  awp_cross_account_role_external_id = "<ExternalId>"
  # For centralized onboarding (inAccountSub): the account id (CloudGuard account id or AWS account id) of the centralized account
  awp_centralized_cloud_account_id   = "<CentralizedAccountId>"
  awp_additional_tags                = {}  # e.g. {"key1" = "value1", "key2" = "value2"}

  # Optional account settings, e.g.:
  awp_account_settings_aws = {
    scan_machine_interval_in_hours  = 24
    max_concurrent_scans_per_region = 20
    in_account_scanner_vpc          = "ManagedByAWP"
    disabled_regions                = []   # e.g. ["ap-northeast-1", "ap-northeast-2"]
    custom_tags                     = {}   # e.g. {"key1" = "value1", "key2" = "value2"}
  }
}
```

Examples

The examples directory contains example usage of this module.

  • basic - A basic example of using this module.
  • complete - A complete example of using this module with all the available options.

AWP Terraform template

Version 8

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.0 |
| aws | >= 5.30.0 |
| dome9 | >= 1.39.0 |
| http | >= 3.4.2 |
| local | >= 2.5.1 |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| awp_cloud_account_id | The Id of the AWS account, onboarded to CloudGuard (can be either the CloudGuard Account ID or the AWS Account Number) | string | n/a | yes |
| awp_centralized_cloud_account_id | The Id of the centralized account (CloudGuard account id or AWS cloud account id) where the scans take place | string | n/a | only for inAccountSub scan mode |
| awp_scan_mode | The scan mode for the AWP [ "inAccount" \| "saas" \| "inAccountHub" \| "inAccountSub" ] | string | "inAccount" | yes |
| awp_cross_account_role_name | AWP Cross account role name | string | CloudGuardAWPCrossAccountRole | no |
| awp_cross_account_role_external_id | AWP Cross account role external id | string | null (auto-generated) | no |
| awp_additional_tags | Additional tags to be added to all aws resources created by this module | map(string) | {} | no |
| awp_account_settings_aws | AWP Account settings for AWS, supported only for inAccount and saas scan mode | object | null | no |

The awp_account_settings_aws variable is an object with the following attributes:

| Name | Description | Type | Default | Valid Values | Required |
|------|-------------|------|---------|--------------|----------|
| scan_machine_interval_in_hours | Scan machine interval in hours | number | 24 | InAccount: >=4, SaaS: >=24 | no |
| max_concurrent_scans_per_region | Maximum concurrent scans per region | number | 20 | 1 - 20 | no |
| in_account_scanner_vpc | The VPC Mode | string | ManagedByAWP | ManagedByAWP, ManagedByCustomer | no |
| custom_tags | Custom tags to be added to AWP resources that are created during the scan process | map(string) | {} | {"key" = "value", ...} | no |
| disabled_regions | List of AWS regions to disable AWP scanning | list(string) | [] | ["us-east-1", ...] | no |
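The Usage block and the two Inputs tables together describe a set of constraints (allowed scan modes, the 1-20 concurrency range, the two VPC modes, and a scan-interval minimum that depends on the scan mode) that the module only reports once it is applied. The following root module is an added example, not code from this repository or from Check Point: it onboards an account, calls the module, and encodes those documented constraints as Terraform variable validations and an output precondition so a bad value fails `terraform plan` instead of a live onboarding. The provider source `dome9/dome9`, environment-based provider authentication, and the `credentials` block shape of `dome9_cloudaccount_aws` are assumptions not stated on this page; the role ARN and external id are placeholders.

```hcl
# Added example (not the module's own README or code): onboard an AWS account to
# CloudGuard and enable AWP, enforcing the documented input constraints at plan time.
# Assumptions: provider source "dome9/dome9" authenticated from the environment;
# dome9_cloudaccount_aws takes a credentials block with arn/secret/type; the ARN and
# external id are placeholders. None of these come from this page.

terraform {
  required_version = ">= 1.2" # output preconditions need 1.2; the module needs >= 1.0
  required_providers {
    aws   = { source = "hashicorp/aws", version = ">= 5.30.0" }
    dome9 = { source = "dome9/dome9", version = ">= 1.39.0" }
  }
}

provider "aws" {
  region = "us-east-1"
}

provider "dome9" {} # credentials from the environment (assumption)

variable "awp_scan_mode" {
  type    = string
  default = "inAccount"
  validation {
    condition     = contains(["inAccount", "saas", "inAccountHub", "inAccountSub"], var.awp_scan_mode)
    error_message = "awp_scan_mode must be one of inAccount, saas, inAccountHub, inAccountSub."
  }
}

variable "scan_machine_interval_in_hours" {
  type    = number
  default = 24 # minimum depends on scan mode (inAccount >= 4, saas >= 24); see precondition
}

variable "max_concurrent_scans_per_region" {
  type    = number
  default = 20
  validation {
    condition     = var.max_concurrent_scans_per_region >= 1 && var.max_concurrent_scans_per_region <= 20
    error_message = "max_concurrent_scans_per_region must be between 1 and 20."
  }
}

variable "in_account_scanner_vpc" {
  type    = string
  default = "ManagedByAWP"
  validation {
    condition     = contains(["ManagedByAWP", "ManagedByCustomer"], var.in_account_scanner_vpc)
    error_message = "in_account_scanner_vpc must be ManagedByAWP or ManagedByCustomer."
  }
}

locals {
  # Account settings are supported only for inAccount and saas; pass null for the other modes.
  settings_supported = contains(["inAccount", "saas"], var.awp_scan_mode)
  min_interval       = var.awp_scan_mode == "saas" ? 24 : 4
}

# Placeholder onboarding of the AWS account (attribute names assumed from the provider).
resource "dome9_cloudaccount_aws" "my_aws_account" {
  name = "awp-example-account"
  credentials {
    arn    = "arn:aws:iam::123456789012:role/<CloudGuardConnectRole>" # placeholder
    secret = "<ExternalId>"                                            # placeholder
    type   = "RoleBased"
  }
}

module "awp" {
  source = "dome9/awp-aws/dome9"

  awp_cloud_account_id = dome9_cloudaccount_aws.my_aws_account.id
  awp_scan_mode        = var.awp_scan_mode
  awp_additional_tags  = { "owner" = "security-platform" }

  awp_account_settings_aws = local.settings_supported ? {
    scan_machine_interval_in_hours  = var.scan_machine_interval_in_hours
    max_concurrent_scans_per_region = var.max_concurrent_scans_per_region
    in_account_scanner_vpc          = var.in_account_scanner_vpc
    disabled_regions                = []
    custom_tags                     = { "owner" = "security-platform" }
  } : null
}

output "awp_cross_account_role_arn" {
  description = "Role AWP assumes to scan the account; record it so its AssumeRole events can be reviewed in CloudTrail."
  value       = module.awp.awp_cross_account_role_arn

  # Mode-dependent rule from the Inputs table that a single-variable validation cannot express.
  precondition {
    condition     = !local.settings_supported || var.scan_machine_interval_in_hours >= local.min_interval
    error_message = "scan_machine_interval_in_hours is below the minimum for the selected scan mode (inAccount >= 4, saas >= 24)."
  }
}
```

The mode-dependent interval check lives in an output `precondition` rather than a `validation` block because a variable's validation may only reference that variable; a failing precondition aborts the plan, whereas a `check` block would only warn. Exporting the cross-account role ARN gives the team a stable value to match against `sts:AssumeRole` events when reviewing who scans the account.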

Resources

| Name | Type |
|------|------|
| aws_cloudwatch_log_group.CloudGuardAWPSnapshotsUtilsLogGroup | resource |
| aws_iam_policy.CloudGuardAWPCrossAccountRolePolicy | resource |
| aws_iam_policy.CloudGuardAWPCrossAccountRolePolicySub | resource |
| aws_iam_policy.CloudGuardAWPKeyReplicationPolicy | resource |
| aws_iam_policy.CloudGuardAWPKeyUsagePolicy | resource |
| aws_iam_policy.CloudGuardAWPProxyLambdaManagementPolicy | resource |
| aws_iam_policy.CloudGuardAWPReEncryptionPolicy | resource |
| aws_iam_policy.CloudGuardAWPReaderPolicy | resource |
| aws_iam_policy.CloudGuardAWPScannersPolicy | resource |
| aws_iam_policy.CloudGuardAWPScannersReaderPolicy | resource |
| aws_iam_policy.CloudGuardAWPSecurityGroupManagementPolicy | resource |
| aws_iam_policy.CloudGuardAWPSnapshotsPolicy | resource |
| aws_iam_policy.CloudGuardAWPSnapshotsUtilsLambdaExecutionRolePolicy | resource |
| aws_iam_policy.CloudGuardAWPVpcManagementPolicy | resource |
| aws_iam_policy_attachment.CloudGuardAWPCrossAccountRolePolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPKeyReplicationPolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPKeyUsagePolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPProxyLambdaManagementPolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPReEncryptionPolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPReaderPolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPScannersPolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPScannersReaderPolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPSecurityGroupManagementPolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPSnapshotsPolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPSnapshotsUtilsLambdaExecutionRolePolicyAttachment | resource |
| aws_iam_policy_attachment.CloudGuardAWPVpcManagementPolicyAttachment | resource |
| aws_iam_role.CloudGuardAWPCrossAccountRole | resource |
| aws_iam_role.CloudGuardAWPOperatorRole | resource |
| aws_iam_role.CloudGuardAWPSnapshotsUtilsLambdaExecutionRole | resource |
| aws_kms_alias.CloudGuardAWPKeyAlias | resource |
| aws_kms_key.CloudGuardAWPKey | resource |
| aws_lambda_function.CloudGuardAWPSnapshotsUtilsFunction | resource |
| aws_lambda_invocation.CloudGuardAWPSnapshotsUtilsCleanupFunctionInvocation_inAccount | resource |
| aws_lambda_invocation.CloudGuardAWPSnapshotsUtilsCleanupFunctionInvocation_inAccountHub | resource |
| aws_lambda_invocation.CloudGuardAWPSnapshotsUtilsCleanupFunctionInvocation_saas | resource |
| dome9_awp_aws_onboarding.awp_aws_onboarding_resource | resource |
| local_file.CloudGuardAWPSnapshotsUtilsFunctionZip | resource |

Outputs

| Name | Description |
|------|-------------|
| agentless_protection_enabled | AWP status |
| awp_cross_account_role_arn | ARN of the cross-account role that AWP assumes to scan the account |
| cloud_account_id | CloudGuard account ID |
| missing_awp_private_network_regions | List of regions in which AWP was unable to create a virtual private cloud (VPC) |
| should_update | Indicates that this module is out of date and should be updated to the latest version |

FAQ & Troubleshooting

Important

The warning message "Warning: Response body is not recognized as UTF-8" is expected and is a known issue with the http provider. It occurs because the data source `data.http.DownloadCloudGuardAWPSnapshotsUtilsFunctionZip` retrieves a binary file (the Lambda zip), which is not UTF-8 text, so the http provider raises this warning. It does not indicate any error or problem with the functionality of the module.