From baeb8db31b4e020d0cdc61354bb09b3c36ee0c45 Mon Sep 17 00:00:00 2001 From: Matthias Theuermann Date: Thu, 6 Jun 2024 11:44:05 +0200 Subject: [PATCH] fix: added documentation Signed-off-by: Matthias Theuermann --- docs/resources/integration_aws_serverless.md | 167 ++++++++++++++++++ .../mondoo_integration_aws_serverless/main.tf | 2 +- .../resource.tf | 113 ++++-------- 3 files changed, 199 insertions(+), 83 deletions(-) create mode 100644 docs/resources/integration_aws_serverless.md diff --git a/docs/resources/integration_aws_serverless.md b/docs/resources/integration_aws_serverless.md new file mode 100644 index 0000000..be979bc --- /dev/null +++ b/docs/resources/integration_aws_serverless.md @@ -0,0 +1,167 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "mondoo_integration_aws_serverless Resource - terraform-provider-mondoo" +subcategory: "" +description: |- + Continuously scan AWS organization and accounts for misconfigurations and vulnerabilities. +--- + +# mondoo_integration_aws_serverless (Resource) + +Continuously scan AWS organization and accounts for misconfigurations and vulnerabilities. + +## Example Usage + +```terraform +variable "mondoo_org" { + description = "Mondoo Organization" + type = string +} + +variable "origin_aws_account" { + description = "Origin AWS Account" + type = string + default = "764453172858" +} + +variable "aws_region" { + description = "AWS Region" + type = string + default = "us-east-1" +} + +variable "AWS_ACCOUNT_ID" { + description = "value of the AWS account ID" + type = string +} + +provider "mondoo" { + region = "us" +} + +provider "aws" { + region = var.aws_region +} + +data "aws_region" "current" {} + +# Create a new space +resource "mondoo_space" "my_space" { + name = "AWS Terraform" + org_id = var.mondoo_org +} + +# Setup the AWS integration +resource "mondoo_integration_aws_serverless" "aws_serverless" { + space_id = mondoo_space.my_space.id + name = "AWS Integration" + region = data.aws_region.current.name + is_organization = false + console_sign_in_trigger = true + instance_state_change_trigger = true + account_ids = [var.AWS_ACCOUNT_ID] + scan_configuration = { + ec2_scan = true + ecr_scan = false + ecs_scan = false + cron_scanin_hours = 24 + ec2_scan_options = { + ssm = true + ebs_volume_scan = true + ebs_scan_options = { + target_instances_per_scanner = 5 + max_asg_instances = 10 + } + instance_connect = false + } + } +} + +# for single account deploys +resource "aws_cloudformation_stack" "mondoo_stack" { + name = "mondoo-stack" + template_url = "https://s3.amazonaws.com/mondoo.${data.aws_region.current.name}/mondoo-lambda-stackset-cf.json" + capabilities = ["CAPABILITY_NAMED_IAM"] + parameters = { + MondooIntegrationMrn = mondoo_integration_aws_serverless.aws_serverless.mrn + MondooToken = mondoo_integration_aws_serverless.aws_serverless.token + OriginAwsAccount = var.origin_aws_account + } +} + +# for organisation wide deploys use aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance instaed of aws_cloudformation_stack +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance +``` + + +## Schema + +### Required + +- `name` (String) Name of the integration. +- `region` (String) AWS region. +- `scan_configuration` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration)) +- `space_id` (String) Mondoo Space Identifier. + +### Optional + +- `account_ids` (List of String) List of AWS account IDs. +- `console_sign_in_trigger` (Boolean) Enable console sign in trigger. +- `instance_state_change_trigger` (Boolean) Enable instance state change trigger. +- `is_organization` (Boolean) Is organization. + +### Read-Only + +- `mrn` (String) Integration identifier +- `token` (String) Integration token + + +### Nested Schema for `scan_configuration` + +Required: + +- `ec2_scan_options` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--ec2_scan_options)) + +Optional: + +- `cron_scanin_hours` (Number) Cron scan in hours. +- `ec2_scan` (Boolean) Enable EC2 scan. +- `ecr_scan` (Boolean) Enable ECR scan. +- `ecs_scan` (Boolean) Enable ECS scan. +- `event_scan_triggers` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--event_scan_triggers)) + + +### Nested Schema for `scan_configuration.ec2_scan_options` + +Required: + +- `ebs_scan_options` (Attributes) (see [below for nested schema](#nestedatt--scan_configuration--ec2_scan_options--ebs_scan_options)) + +Optional: + +- `ebs_volume_scan` (Boolean) Enable EBS volume scan. +- `instance_connect` (Boolean) Enable instance connect. +- `instance_ids_filter` (List of String) List of instance IDs filter. +- `regions_filter` (List of String) List of regions filter. +- `ssm` (Boolean) Enable SSM. +- `tags_filter` (Map of String) Tags filter. + + +### Nested Schema for `scan_configuration.ec2_scan_options.ebs_scan_options` + +Optional: + +- `max_asg_instances` (Number) Max ASG instances. +- `target_instances_per_scanner` (Number) Target instances per scanner. + + + + +### Nested Schema for `scan_configuration.event_scan_triggers` + +Optional: + +- `event_detail_type` (String) Event detail type. +- `event_source` (String) Event source. +- `scan_type` (String) Scan type. diff --git a/examples/resources/mondoo_integration_aws_serverless/main.tf b/examples/resources/mondoo_integration_aws_serverless/main.tf index f43ca7f..dd86232 100644 --- a/examples/resources/mondoo_integration_aws_serverless/main.tf +++ b/examples/resources/mondoo_integration_aws_serverless/main.tf @@ -5,7 +5,7 @@ terraform { version = ">= 0.4.0" } aws = { - source = "hashicorp/aws" + source = "hashicorp/aws" version = "5.50.0" } } diff --git a/examples/resources/mondoo_integration_aws_serverless/resource.tf b/examples/resources/mondoo_integration_aws_serverless/resource.tf index 98cf775..626c5f5 100644 --- a/examples/resources/mondoo_integration_aws_serverless/resource.tf +++ b/examples/resources/mondoo_integration_aws_serverless/resource.tf @@ -6,7 +6,18 @@ variable "mondoo_org" { variable "origin_aws_account" { description = "Origin AWS Account" type = string - default = "764453172858" + default = "764453172858" +} + +variable "aws_region" { + description = "AWS Region" + type = string + default = "us-east-1" +} + +variable "AWS_ACCOUNT_ID" { + description = "value of the AWS account ID" + type = string } provider "mondoo" { @@ -14,7 +25,7 @@ provider "mondoo" { } provider "aws" { - region = "us-east-1" + region = var.aws_region } data "aws_region" "current" {} @@ -26,105 +37,43 @@ resource "mondoo_space" "my_space" { } # Setup the AWS integration -resource "mondoo_integration_aws_serverless" "example" { - space_id = mondoo_space.my_space.id - name = "AWS Integration" - region = data.aws_region.current.name - is_organization = true - console_sign_in_trigger = true +resource "mondoo_integration_aws_serverless" "aws_serverless" { + space_id = mondoo_space.my_space.id + name = "AWS Integration" + region = data.aws_region.current.name + is_organization = false + console_sign_in_trigger = true instance_state_change_trigger = true - # account_ids = ["123456789012"] + account_ids = [var.AWS_ACCOUNT_ID] scan_configuration = { - ec2_scan = true - ecr_scan = false - ecs_scan = false + ec2_scan = true + ecr_scan = false + ecs_scan = false cron_scanin_hours = 24 ec2_scan_options = { - ssm = true + ssm = true ebs_volume_scan = true ebs_scan_options = { target_instances_per_scanner = 5 - max_asg_instances = 10 + max_asg_instances = 10 } instance_connect = false } } } +# for single account deploys resource "aws_cloudformation_stack" "mondoo_stack" { - name = "mondoo-stack" + name = "mondoo-stack" template_url = "https://s3.amazonaws.com/mondoo.${data.aws_region.current.name}/mondoo-lambda-stackset-cf.json" capabilities = ["CAPABILITY_NAMED_IAM"] parameters = { - MondooIntegrationMrn = mondoo_integration_aws_serverless.example.mrn - MondooToken = mondoo_integration_aws_serverless.example.token + MondooIntegrationMrn = mondoo_integration_aws_serverless.aws_serverless.mrn + MondooToken = mondoo_integration_aws_serverless.aws_serverless.token OriginAwsAccount = var.origin_aws_account } } +# for organisation wide deploys use aws_cloudformation_stack_set and aws_cloudformation_stack_set_instance instaed of aws_cloudformation_stack # https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set -# data "aws_iam_policy_document" "AWSCloudFormationStackSetAdministrationRole_assume_role_policy" { -# statement { -# actions = ["sts:AssumeRole"] -# effect = "Allow" - -# principals { -# identifiers = ["cloudformation.amazonaws.com"] -# type = "Service" -# } -# } -# } - -# resource "aws_iam_role" "AWSCloudFormationStackSetAdministrationRole" { -# assume_role_policy = data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_assume_role_policy.json -# name = "AWSCloudFormationStackSetAdministrationRole" -# } - -# resource "aws_cloudformation_stack_set" "example" { -# administration_role_arn = aws_iam_role.AWSCloudFormationStackSetAdministrationRole.arn -# name = "example" - -# parameters = { -# VPCCidr = "10.0.0.0/16" -# } - -# template_body = jsonencode({ -# Parameters = { -# VPCCidr = { -# Type = "String" -# Default = "10.0.0.0/16" -# Description = "Enter the CIDR block for the VPC. Default is 10.0.0.0/16." -# } -# } -# Resources = { -# myVpc = { -# Type = "AWS::EC2::VPC" -# Properties = { -# CidrBlock = { -# Ref = "VPCCidr" -# } -# Tags = [ -# { -# Key = "Name" -# Value = "Primary_CF_VPC" -# } -# ] -# } -# } -# } -# }) -# } - -# data "aws_iam_policy_document" "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy" { -# statement { -# actions = ["sts:AssumeRole"] -# effect = "Allow" -# resources = ["arn:aws:iam::*:role/${aws_cloudformation_stack_set.example.execution_role_name}"] -# } -# } - -# resource "aws_iam_role_policy" "AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy" { -# name = "ExecutionPolicy" -# policy = data.aws_iam_policy_document.AWSCloudFormationStackSetAdministrationRole_ExecutionPolicy.json -# role = aws_iam_role.AWSCloudFormationStackSetAdministrationRole.name -# } +# https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/cloudformation_stack_set_instance