Deploys an AWS CloudFormation stack named elastio-account-level-stack, which is deployed once per AWS account and contains the required IAM resources (roles, policies, etc.) for Elastio Connector to operate in the same account.
See the elastio-connector module implementation for an example of how this module should be used.
Configure the Elastio Terraform module registry, and add this to your project:

```hcl
module "elastio_connector_account" {
  source  = "terraform.cloudsmith.io/public/elastio-connector-account/aws"
  version = "0.33.2"

  // Provide input parameters; elastio_pat and elastio_tenant are required
  elastio_pat    = var.elastio_pat
  elastio_tenant = "mycompany.app.elastio.com"
}
```

Requirements:

| Name | Version |
|---|---|
| terraform | ~> 1.9 |
| aws | ~> 5.0 |
| http | ~> 3.0 |
Providers:

| Name | Version |
|---|---|
| aws | ~> 5.0 |
| http | ~> 3.0 |
| terraform | n/a |
Modules: none.

Resources:

| Name | Type |
|---|---|
| aws_cloudformation_stack.this | resource |
| terraform_data.service_linked_roles | resource |
| http_http.cloudformation_template | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| disable_customer_managed_iam_policies | If this is set to false (or omitted), the stack creates additional customer-managed IAM policies that you can attach to your IAM identities to grant them direct access to the Elastio Connector stack. This lets you use the elastio CLI directly to list Elastio scan jobs or submit new ones. Set this to true if you don't need these policies. | bool | null | no |
| ecr_public_prefix | Repository prefix for the ECR Public registry. Used to configure a pull-through cache for Elastio images that are downloaded from ECR Public. You can configure your own cache via ECR private and then specify the repository prefix here. This field supports 'account_id' and 'region' interpolation, for example: '{{account_id}}.dkr.ecr.{{region}}.amazonaws.com/ecr-public' | string | null | no |
| elastio_pat | Personal Access Token generated in the Elastio Portal. Treat it as a secret: pass it in from a variable or secrets backend rather than committing it to source control. | string | n/a | yes |
| elastio_tenant | Name of your Elastio tenant, for example mycompany.app.elastio.com | string | n/a | yes |
| encrypt_with_cmk | Provision additional customer-managed KMS keys to encrypt Lambda environment variables, DynamoDB tables and S3. By default data is encrypted with AWS-managed keys; enable this option only if your compliance requirements mandate the use of CMKs. If this option is disabled, Elastio creates only 1 CMK per region where the Elastio Connector stack is deployed. If it is enabled, Elastio creates 1 KMS key per AWS account and 2 KMS keys per AWS region where Elastio is deployed in your account. If you have elastio_nat_provision_stack enabled as well, 1 more KMS key is created as part of that stack (for a total of 3 KMS keys per region). | bool | null | no |
| global_managed_policies | ARNs of IAM managed policies to attach to all Elastio IAM roles | set(string) | null | no |
| global_permission_boundary | The ARN of the IAM managed policy to use as a permissions boundary for all Elastio IAM roles | string | null | no |
| iam_resource_names_prefix | Add a custom prefix to the names of all IAM resources deployed by this stack. The combined length of the prefix and suffix must not exceed 14 characters. | string | null | no |
| iam_resource_names_static | If enabled, the stack uses static resource names without random characters in them. This parameter is true by default and shouldn't be changed. Older versions of the Elastio stack used random names generated by CloudFormation for IAM resources, which are inconvenient to work with. New deployments that use the Terraform automation should keep this set to true for easier management of IAM resources. | bool | true | no |
| iam_resource_names_suffix | Add a custom suffix to the names of all IAM resources deployed by this stack. The combined length of the prefix and suffix must not exceed 14 characters. | string | null | no |
| lambda_tracing | Enable AWS X-Ray tracing for Lambda functions. This increases the cost of the stack; enable it only if needed. | bool | null | no |
| network_configuration | Either Auto or Manual. If set to Auto, Elastio automatically creates a VPC and subnets in the specified regions for the scan clusters to run in. If set to Manual, you must provide vpc_id and subnet_ids in the region module with the network config for each region. | string | "Manual" | no |
| regional_configs | Regional configurations for connectors (mostly for regulatory compliance). | list(object({ | [] | no |
| service_linked_roles | By default the CFN stack creates the service-linked IAM roles needed by the stack. Because these roles are global in your account, they can't be defined as regular resources in the CFN template: they may already exist in your account, and the deployment would then fail on a name conflict. Instead, by default, they are deployed using an AWS::CloudFormation::CustomResource that invokes an AWS Lambda function which creates the service-linked roles only if they don't exist and doesn't fail if they do. This default approach requires creating a Lambda function in your environment that holds the IAM write permission iam:CreateServiceLinkedRole. If you can't allow such a Lambda function, set this parameter to tf and this Terraform module will create the service-linked roles itself, without a Lambda function. If you set this to tf, make sure the AWS CLI is installed and configured with the necessary credentials on the machine where you run Terraform. | string | "cfn" | no |
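The following is an added example, not part of the Elastio module's own documentation or code, showing how the inputs above combine into a hardened invocation: the PAT comes in through a `sensitive` variable instead of a literal, every Elastio role is capped by a permissions boundary passed via `global_permission_boundary`, and the service-linked roles are created by Terraform (`service_linked_roles = "tf"`) so no Lambda with `iam:CreateServiceLinkedRole` is provisioned. The boundary document, the `allowed_regions` list, the `prod-` prefix and the tenant name are assumptions for illustration; the page does not list the actions Elastio's roles actually require, so validate the boundary against a test deployment before using it in production.

```hcl
# Added example (not the module's own code). Inputs match the table above;
# the policy content, region list, prefix and tenant are assumptions.

variable "elastio_pat" {
  description = "Elastio Personal Access Token. Supply via TF_VAR_elastio_pat or a secrets backend."
  type        = string
  sensitive   = true # redacted from plan/apply output, but still stored in state
}

locals {
  # Regions Elastio roles may call regional APIs in (assumption for this example).
  allowed_regions = ["us-east-1", "eu-west-1"]
}

# Permissions boundary: caps what any Elastio role can do regardless of the
# policies the CloudFormation stack attaches to it.
data "aws_iam_policy_document" "elastio_boundary" {
  statement {
    sid       = "AllowWithinBoundary"
    effect    = "Allow"
    actions   = ["*"]
    resources = ["*"]
  }

  # Deny regional API calls outside the allowed regions. IAM and STS are
  # excluded from the deny because they are global services and would
  # otherwise be blocked (the stack needs iam:CreateServiceLinkedRole etc.).
  statement {
    sid         = "DenyOutsideAllowedRegions"
    effect      = "Deny"
    not_actions = ["iam:*", "sts:*"]
    resources   = ["*"]
    condition {
      test     = "StringNotEquals"
      variable = "aws:RequestedRegion"
      values   = local.allowed_regions
    }
  }
}

resource "aws_iam_policy" "elastio_boundary" {
  name   = "ElastioPermissionsBoundary"
  policy = data.aws_iam_policy_document.elastio_boundary.json
}

module "elastio_connector_account" {
  source  = "terraform.cloudsmith.io/public/elastio-connector-account/aws"
  version = "0.33.2"

  elastio_pat    = var.elastio_pat
  elastio_tenant = "mycompany.app.elastio.com"

  # Least-privilege and compliance knobs from the inputs table.
  global_permission_boundary            = aws_iam_policy.elastio_boundary.arn
  disable_customer_managed_iam_policies = true  # no extra CLI-access policies
  encrypt_with_cmk                      = true  # CMKs instead of AWS-managed keys
  iam_resource_names_prefix             = "prod-"
  service_linked_roles                  = "tf"  # needs AWS CLI on the runner
  network_configuration                 = "Manual"
}

# The stack output is what the nat-provision stack consumes to inherit this config.
output "elastio_account_stack" {
  value = module.elastio_connector_account.cloudformation_stack
}
```

Two caveats worth knowing before copying this: `sensitive = true` only hides the PAT from console output, so the Terraform state backend must itself be access-controlled and encrypted; and because the boundary's allow statement is `*`, it only constrains regions. A tighter boundary that enumerates the actions Elastio actually uses would reduce blast radius further, but deriving that list needs information this page does not provide.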
Outputs:

| Name | Description |
|---|---|
| cloudformation_stack | The deployed CloudFormation stack. It may be used as an input for other stacks, such as the nat-provision stack, so that they inherit this stack's configuration. |