

fix: added documentation
Signed-off-by: Matthias Theuermann <[email protected]>
mati007thm committed Jun 6, 2024
1 parent 2ae8308 commit baeb8db
Showing 3 changed files with 199 additions and 83 deletions.
167 changes: 167 additions & 0 deletions docs/resources/integration_aws_serverless.md
@@ -0,0 +1,167 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "mondoo_integration_aws_serverless Resource - terraform-provider-mondoo"
subcategory: ""
description: |-
Continuously scan AWS organization and accounts for misconfigurations and vulnerabilities.
---

# mondoo_integration_aws_serverless (Resource)

Continuously scan AWS organization and accounts for misconfigurations and vulnerabilities.

## Example Usage

```terraform
variable "mondoo_org" {
description = "Mondoo Organization"
type = string
}
variable "origin_aws_account" {
description = "Origin AWS Account"
type = string
default = "764453172858"
}
variable "aws_region" {
description = "AWS Region"
type = string
default = "us-east-1"
}
variable "AWS_ACCOUNT_ID" {
description = "value of the AWS account ID"
type = string
}
provider "mondoo" {
region = "us"
}
provider "aws" {
region = var.aws_region
}
data "aws_region" "current" {}
# Create a new space
resource "mondoo_space" "my_space" {
name = "AWS Terraform"
org_id = var.mondoo_org
}
# Setup the AWS integration
resource "mondoo_integration_aws_serverless" "aws_serverless" {
space_id = mondoo_space.my_space.id
name = "AWS Integration"
region = data.aws_region.current.name
is_organization = false
console_sign_in_trigger = true
instance_state_change_trigger = true
account_ids = [var.AWS_ACCOUNT_ID]
scan_configuration = {
ec2_scan = true
ecr_scan = false
ecs_scan = false
cron_scanin_hours = 24
ec2_scan_options = {
ssm = true
ebs_volume_scan = true
ebs_scan_options = {
target_instances_per_scanner = 5
max_asg_instances = 10
}
instance_connect = false
}
}
}
# for single account deploys
resource "aws_cloudformation_stack" "mondoo_stack" {
name = "mondoo-stack"
template_url = "https://s3.amazonaws.com/mondoo.${data.aws_region.current.name}/mondoo-lambda-stackset-cf.json"
capabilities = ["CAPABILITY_NAMED_IAM"]
parameters = {
MondooIntegrationMrn = mondoo_integration_aws_serverless.aws_serverless.mrn
MondooToken = mondoo_integration_aws_serverless.aws_serverless.token
OriginAwsAccount = var.origin_aws_account
}
}
# for organisation wide deploys use aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance instaed of aws_cloudformation_stack
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `name` (String) Name of the integration.
- `region` (String) AWS region.
- `scan_configuration` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration))
- `space_id` (String) Mondoo Space Identifier.

### Optional

- `account_ids` (List of String) List of AWS account IDs.
- `console_sign_in_trigger` (Boolean) Enable console sign in trigger.
- `instance_state_change_trigger` (Boolean) Enable instance state change trigger.
- `is_organization` (Boolean) Is organization.

### Read-Only

- `mrn` (String) Integration identifier
- `token` (String) Integration token

<a id="nestedatt--scan_configuration"></a>
### Nested Schema for `scan_configuration`

Required:

- `ec2_scan_options` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--ec2_scan_options))

Optional:

- `cron_scanin_hours` (Number) Cron scan in hours.
- `ec2_scan` (Boolean) Enable EC2 scan.
- `ecr_scan` (Boolean) Enable ECR scan.
- `ecs_scan` (Boolean) Enable ECS scan.
- `event_scan_triggers` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--event_scan_triggers))

<a id="nestedatt--scan_configuration--ec2_scan_options"></a>
### Nested Schema for `scan_configuration.ec2_scan_options`

Required:

- `ebs_scan_options` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--ec2_scan_options--ebs_scan_options))

Optional:

- `ebs_volume_scan` (Boolean) Enable EBS volume scan.
- `instance_connect` (Boolean) Enable instance connect.
- `instance_ids_filter` (List of String) List of instance IDs filter.
- `regions_filter` (List of String) List of regions filter.
- `ssm` (Boolean) Enable SSM.
- `tags_filter` (Map of String) Tags filter.

<a id="nestedatt--scan_configuration--ec2_scan_options--ebs_scan_options"></a>
### Nested Schema for `scan_configuration.ec2_scan_options.ebs_scan_options`

Optional:

- `max_asg_instances` (Number) Max ASG instances.
- `target_instances_per_scanner` (Number) Target instances per scanner.



<a id="nestedatt--scan_configuration--event_scan_triggers"></a>
### Nested Schema for `scan_configuration.event_scan_triggers`

Optional:

- `event_detail_type` (String) Event detail type.
- `event_source` (String) Event source.
- `scan_type` (String) Scan type.
Expand Up @@ -5,7 +5,7 @@ terraform {
version = ">= 0.4.0"
}
aws = {
source = "hashicorp/aws"
source = "hashicorp/aws"
version = "5.50.0"
}
}
113 changes: 31 additions & 82 deletions examples/resources/mondoo_integration_aws_serverless/resource.tf
Expand Up @@ -6,15 +6,26 @@ variable "mondoo_org" {
variable "origin_aws_account" {
description = "Origin AWS Account"
type = string
default = "764453172858"
default = "764453172858"
}

variable "aws_region" {
description = "AWS Region"
type = string
default = "us-east-1"
}

variable "AWS_ACCOUNT_ID" {
description = "value of the AWS account ID"
type = string
}

provider "mondoo" {
region = "us"
}

provider "aws" {
region = "us-east-1"
region = var.aws_region
}

data "aws_region" "current" {}
Expand All @@ -26,105 +37,43 @@ resource "mondoo_space" "my_space" {
}

# Setup the AWS integration
resource "mondoo_integration_aws_serverless" "example" {
space_id = mondoo_space.my_space.id
name = "AWS Integration"
region = data.aws_region.current.name
is_organization = true
console_sign_in_trigger = true
resource "mondoo_integration_aws_serverless" "aws_serverless" {
space_id = mondoo_space.my_space.id
name = "AWS Integration"
region = data.aws_region.current.name
is_organization = false
console_sign_in_trigger = true
instance_state_change_trigger = true
# account_ids = ["123456789012"]
account_ids = [var.AWS_ACCOUNT_ID]
scan_configuration = {
ec2_scan = true
ecr_scan = false
ecs_scan = false
ec2_scan = true
ecr_scan = false
ecs_scan = false
cron_scanin_hours = 24
ec2_scan_options = {
ssm = true
ssm = true
ebs_volume_scan = true
ebs_scan_options = {
target_instances_per_scanner = 5
max_asg_instances = 10
max_asg_instances = 10
}
instance_connect = false
}
}
}

# for single account deploys
resource "aws_cloudformation_stack" "mondoo_stack" {
name = "mondoo-stack"
name = "mondoo-stack"
template_url = "https://s3.amazonaws.com/mondoo.${data.aws_region.current.name}/mondoo-lambda-stackset-cf.json"
capabilities = ["CAPABILITY_NAMED_IAM"]
parameters = {
MondooIntegrationMrn = mondoo_integration_aws_serverless.example.mrn
MondooToken = mondoo_integration_aws_serverless.example.token
MondooIntegrationMrn = mondoo_integration_aws_serverless.aws_serverless.mrn
MondooToken = mondoo_integration_aws_serverless.aws_serverless.token
OriginAwsAccount = var.origin_aws_account
}
}

# for organisation wide deploys use aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance instaed of aws_cloudformation_stack
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set
# data "aws_iam_policy_document" "AWSCloudFormationStackSetAdministrationRole_assume_role_policy" {
# statement {
# actions = ["sts:AssumeRole"]
# effect = "Allow"

# principals {
# identifiers = ["cloudformation.amazonaws.com"]
# type = "Service"
# }
# }
# }

# resource "aws_iam_role" "AWSCloudFormationStackSetAdministrationRole" {
# assume_role_policy = data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_assume_role_policy.json
# name = "AWSCloudFormationStackSetAdministrationRole"
# }

# resource "aws_cloudformation_stack_set" "example" {
# administration_role_arn = aws_iam_role.AWSCloudFormationStackSetAdministrationRole.arn
# name = "example"

# parameters = {
# VPCCidr = "10.0.0.0/16"
# }

# template_body = jsonencode({
# Parameters = {
# VPCCidr = {
# Type = "String"
# Default = "10.0.0.0/16"
# Description = "Enter the CIDR block for the VPC. Default is 10.0.0.0/16."
# }
# }
# Resources = {
# myVpc = {
# Type = "AWS::EC2::VPC"
# Properties = {
# CidrBlock = {
# Ref = "VPCCidr"
# }
# Tags = [
# {
# Key = "Name"
# Value = "Primary_CF_VPC"
# }
# ]
# }
# }
# }
# })
# }

# data "aws_iam_policy_document" "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy" {
# statement {
# actions = ["sts:AssumeRole"]
# effect = "Allow"
# resources = ["arn:aws:iam::*:role/${aws_cloudformation_stack_set.example.execution_role_name}"]
# }
# }

# resource "aws_iam_role_policy" "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy" {
# name = "ExecutionPolicy"
# policy = data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy.json
# role = aws_iam_role.AWSCloudFormationStackSetAdministrationRole.name
# }
# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance
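Review bot: The `variable "AWS_ACCOUNT_ID"` block added in the first hunk of resource.tf accepts any string, so a mistyped or mis-pasted account ID is only rejected when the integration or the `aws_cloudformation_stack` apply fails rather than at plan time; a `validation` block that requires twelve digits catches it earlier (see below), and lower-case `aws_account_id` would match the file's other variable names. Separately, the `token` forwarded on the `MondooToken = mondoo_integration_aws_serverless.aws_serverless.token` line is a credential: it is persisted in Terraform state as a resource attribute and, unless the template fetched from the S3 URL declares that parameter with `NoEcho`, it is also readable as a plain stack parameter in CloudFormation, which I cannot confirm from this page. A short comment above the `parameters` map, such as `# MondooToken is a secret: restrict access to the state backend and confirm the template marks this parameter NoEcho`, would make that visible to readers of the example, and the `token` entry in the generated schema doc could carry the same note.
```hcl
variable "AWS_ACCOUNT_ID" {
  description = "value of the AWS account ID"
  type        = string
  validation {
    condition     = can(regex("^[0-9]{12}$", var.AWS_ACCOUNT_ID))
    error_message = "AWS_ACCOUNT_ID must be a 12-digit AWS account ID."
  }
}
# … unchanged: providers, space, integration and stack resources …
```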
