diff --git a/README.md b/README.md
index a714f40..162cbc2 100644
--- a/README.md
+++ b/README.md
@@ -98,6 +98,7 @@ Before using this module, ensure that you have the following:
| [aqua\_volscan\_api\_url](#input\_aqua\_volscan\_api\_url) | Aqua Volume Scanning API URL | `string` | n/a | yes |
| [aqua\_volscan\_aws\_account\_id](#input\_aqua\_volscan\_aws\_account\_id) | Aqua Volume Scanning AWS Account ID | `string` | n/a | yes |
| [aqua\_worker\_role\_arn](#input\_aqua\_worker\_role\_arn) | Aqua Worker Role ARN | `string` | n/a | yes |
+| [base\_cspm](#input\_base\_cspm) | Toggle for base CSPM only | `bool` | `false` | no |
| [create\_vpcs](#input\_create\_vpcs) | Toggle to create VPCs | `bool` | `true` | no |
| [custom\_agentless\_role\_name](#input\_custom\_agentless\_role\_name) | Custom Agentless role Name | `string` | `""` | no |
| [custom\_bucket\_name](#input\_custom\_bucket\_name) | Custom bucket Name | `string` | `""` | no |
@@ -128,7 +129,6 @@ Before using this module, ensure that you have the following:
| [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
| [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
| [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
| [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name |
| [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN |
| [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN |
diff --git a/main.tf b/main.tf
index c119906..62099de 100644
--- a/main.tf
+++ b/main.tf
@@ -41,6 +41,7 @@ module "single" {
custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name
custom_cspm_regions = var.custom_cspm_regions
volume_scanning_deployment = var.volume_scanning_deployment
+ base_cspm = var.base_cspm
}
module "organization" {
diff --git a/modules/single/README.md b/modules/single/README.md
index b35b94a..26bfff3 100644
--- a/modules/single/README.md
+++ b/modules/single/README.md
@@ -81,7 +81,6 @@ This Terraform module provisions the essential AWS infrastructure and configurat
| [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
| [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
| [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
| [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name |
| [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN |
| [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN |
diff --git a/modules/single/main.tf b/modules/single/main.tf
index 7e71ae6..751fe81 100644
--- a/modules/single/main.tf
+++ b/modules/single/main.tf
@@ -7,7 +7,7 @@ module "kinesis" {
aqua_volscan_api_token = var.aqua_volscan_api_token
custom_bucket_name = var.custom_bucket_name
custom_processor_lambda_role_name = var.custom_processor_lambda_role_name
- create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false
+ create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false
}
module "lambda" {
@@ -17,16 +17,13 @@ module "lambda" {
aqua_volscan_aws_account_id = var.aqua_volscan_aws_account_id
aqua_api_key = var.aqua_api_key
aqua_api_secret = var.aqua_api_secret
- aqua_cspm_group_id = var.aqua_cspm_group_id
aqua_cspm_ipv4_address = var.aqua_cspm_ipv4_address
aqua_cspm_aws_account_id = var.aqua_cspm_aws_account_id
aqua_cspm_url = var.aqua_cspm_url
aqua_worker_role_arn = var.aqua_worker_role_arn
- aws_account_id = local.aws_account_id
aqua_cspm_role_prefix = var.aqua_cspm_role_prefix
custom_agentless_role_name = var.custom_agentless_role_name
custom_cspm_role_name = var.custom_cspm_role_name
- custom_cspm_regions = var.custom_cspm_regions
create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false
depends_on = [module.kinesis]
}
@@ -52,20 +49,22 @@ module "stackset" {
}
module "trigger" {
- source = "./modules/trigger"
- region = var.region
- aqua_api_key = var.aqua_api_key
- aqua_api_secret = var.aqua_api_secret
- aqua_autoconnect_url = var.aqua_autoconnect_url
- aqua_cspm_url = var.aqua_cspm_url
- aws_account_id = local.aws_account_id
- aqua_session_id = var.aqua_session_id
- cspm_role_arn = module.lambda.cspm_role_arn
- cspm_external_id = module.lambda.cspm_external_id
- is_already_cspm_client = module.lambda.is_already_cspm_client
- volscan_role_arn = module.lambda.agentless_role_arn
- volscan_external_id = module.lambda.volscan_external_id
- additional_tags = var.additional_tags
- create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false
- depends_on = [module.stackset]
+ source = "./modules/trigger"
+ region = var.region
+ aqua_api_key = var.aqua_api_key
+ aqua_api_secret = var.aqua_api_secret
+ aqua_autoconnect_url = var.aqua_autoconnect_url
+ aqua_cspm_url = var.aqua_cspm_url
+ aws_account_id = local.aws_account_id
+ aqua_session_id = var.aqua_session_id
+ cspm_role_arn = module.lambda.cspm_role_arn
+ cspm_external_id = module.lambda.cspm_external_id
+ volscan_role_arn = module.lambda.agentless_role_arn
+ volscan_external_id = module.lambda.volscan_external_id
+ additional_tags = var.additional_tags
+ create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false
+ cspm_group_id = var.aqua_cspm_group_id
+ custom_cspm_regions = var.custom_cspm_regions
+ base_cspm = var.base_cspm
+ depends_on = [module.stackset]
}
diff --git a/modules/single/modules/lambda/README.md b/modules/single/modules/lambda/README.md
index 951fa43..835e72e 100644
--- a/modules/single/modules/lambda/README.md
+++ b/modules/single/modules/lambda/README.md
@@ -66,6 +66,5 @@ No modules.
| [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
| [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
| [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
| [volscan\_external\_id](#output\_volscan\_external\_id) | Aqua Volume Scanning External ID generated by the 'generate\_volscan\_external\_id\_function' Lambda function |
-
\ No newline at end of file
+
diff --git a/modules/single/modules/lambda/data.tf b/modules/single/modules/lambda/data.tf
index 0bc4e79..f94db04 100644
--- a/modules/single/modules/lambda/data.tf
+++ b/modules/single/modules/lambda/data.tf
@@ -1,12 +1,5 @@
# modules/single/modules/lambda/data.tf
-# Archive create_cspm_key.py into a zip file
-data "archive_file" "create_cspm_key_function" {
- type = "zip"
- source_file = "${path.module}/functions/create_cspm_key.py"
- output_path = "create_cspm_key.zip"
-}
-
# Archive generate_external_id.py into a zip file
data "archive_file" "generate_external_id_function" {
type = "zip"
diff --git a/modules/single/modules/lambda/functions/create_cspm_key.py b/modules/single/modules/lambda/functions/create_cspm_key.py
index 283e5e1..36130c8 100644
--- a/modules/single/modules/lambda/functions/create_cspm_key.py
+++ b/modules/single/modules/lambda/functions/create_cspm_key.py
@@ -4,6 +4,8 @@
import time
import hmac
+# This Lambda isn't used currently, but it is kept for future use.
+
def handler(event, context):
cspm_url = event.get('ApiUrl')
aqua_api_key = event.get('AquaApiKey')
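Review bot: Keeping `create_cspm_key.py` as dead code is the wrong place for a "not used currently" comment, because this same change removes the `archive_file`, `aws_lambda_function` and `aws_lambda_invocation` resources that packaged and called it, so nothing now exercises a handler that still expects `AquaApiKey`/`AquaSecretKey` in its event and will silently drift from the `/v2/keys` request shape the trigger script now builds. Deleting the file (git history keeps it) is the safer option; if it must stay, the comment should say what would revive it and that its request body is no longer the source of truth, e.g. `# Unused since CSPM key creation moved to trigger-aws.py (/v2/keys); kept only for reference — do not rely on its payload shape.` The body of `handler` continues outside this hunk.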
diff --git a/modules/single/modules/lambda/locals.tf b/modules/single/modules/lambda/locals.tf
index de151d0..5f1787a 100644
--- a/modules/single/modules/lambda/locals.tf
+++ b/modules/single/modules/lambda/locals.tf
@@ -4,5 +4,4 @@ locals {
# Decode the results of Lambda function invocations
cspm_external_id = jsondecode(aws_lambda_invocation.generate_cspm_external_id_function.result)["ExternalId"]
volscan_external_id = try(jsondecode(aws_lambda_invocation.generate_volscan_external_id_function[0].result)["ExternalId"], "")
- is_already_cspm_client = jsondecode(aws_lambda_invocation.create_cspm_key_function.result)["IsAlreadyCSPMClient"]
}
diff --git a/modules/single/modules/lambda/main.tf b/modules/single/modules/lambda/main.tf
index 5e4b6e7..da37c3c 100644
--- a/modules/single/modules/lambda/main.tf
+++ b/modules/single/modules/lambda/main.tf
@@ -446,38 +446,3 @@ resource "time_sleep" "sleep" {
}
depends_on = [aws_iam_role.cspm_role]
}
-
-# Create CSPM key lambda function
-resource "aws_lambda_function" "create_cspm_key_function" {
- architectures = ["x86_64"]
- description = "Trigger CSPM via CSPM Api"
- function_name = "aqua-autoconnect-create-cspm-key-function-${var.random_id}"
- handler = "create_cspm_key.handler"
- role = aws_iam_role.cspm_lambda_execution_role.arn
- runtime = "python3.12"
- timeout = 120
- filename = data.archive_file.create_cspm_key_function.output_path
- source_code_hash = data.archive_file.create_cspm_key_function.output_base64sha256
- tracing_config {
- mode = "Active"
- }
-}
-
-# Invoking CSPM key lambda function
-resource "aws_lambda_invocation" "create_cspm_key_function" {
- function_name = aws_lambda_function.create_cspm_key_function.function_name
- input = jsonencode({
- ApiUrl = var.aqua_cspm_url
- AquaApiKey = var.aqua_api_key
- AquaSecretKey = var.aqua_api_secret
- RoleArn = aws_iam_role.cspm_role.arn
- ExternalId = local.cspm_external_id
- AccountId = tostring(var.aws_account_id)
- GroupId = var.aqua_cspm_group_id
- CustomCSPMRegions = var.custom_cspm_regions
- })
- triggers = {
- always_run = timestamp()
- }
- depends_on = [time_sleep.sleep]
-}
diff --git a/modules/single/modules/lambda/outputs.tf b/modules/single/modules/lambda/outputs.tf
index a873a07..c1ef45d 100644
--- a/modules/single/modules/lambda/outputs.tf
+++ b/modules/single/modules/lambda/outputs.tf
@@ -10,11 +10,6 @@ output "volscan_external_id" {
value = local.volscan_external_id
}
-output "is_already_cspm_client" {
- description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
- value = local.is_already_cspm_client
-}
-
output "cspm_lambda_execution_role_arn" {
description = "The ARN of the lambda execution IAM role created for the CSPM"
value = aws_iam_role.cspm_lambda_execution_role.arn
diff --git a/modules/single/modules/lambda/variables.tf b/modules/single/modules/lambda/variables.tf
index dd6395c..4aa9a93 100644
--- a/modules/single/modules/lambda/variables.tf
+++ b/modules/single/modules/lambda/variables.tf
@@ -32,11 +32,6 @@ variable "aqua_cspm_url" {
type = string
}
-variable "aqua_cspm_group_id" {
- description = "Aqua CSPM Group ID"
- type = number
-}
-
variable "aqua_cspm_aws_account_id" {
description = "Aqua CSPM AWS Account ID"
type = string
@@ -67,16 +62,6 @@ variable "custom_agentless_role_name" {
type = string
}
-variable "aws_account_id" {
- description = "AWS Account ID"
- type = number
-}
-
-variable "custom_cspm_regions" {
- description = "Custom CSPM regions"
- type = string
-}
-
variable "create_vol_scan_resource" {
description = "Create Volume Scanning Resource"
type = bool
diff --git a/modules/single/modules/trigger/README.md b/modules/single/modules/trigger/README.md
index 12543a3..b923338b 100644
--- a/modules/single/modules/trigger/README.md
+++ b/modules/single/modules/trigger/README.md
@@ -36,7 +36,6 @@ No modules.
| [aqua\_session\_id](#input\_aqua\_session\_id) | Aqua Session ID | `string` | n/a | yes |
| [cspm\_external\_id](#input\_cspm\_external\_id) | Aqua CSPM External ID | `string` | n/a | yes |
| [cspm\_role\_arn](#input\_cspm\_role\_arn) | CSPM Role ARN | `string` | n/a | yes |
-| [is\_already\_cspm\_client](#input\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API | `bool` | n/a | yes |
| [region](#input\_region) | Main AWS Region to to deploy resources | `string` | n/a | yes |
| [volscan\_external\_id](#input\_volscan\_external\_id) | Aqua Volume Scanning External ID | `string` | n/a | yes |
| [volscan\_role\_arn](#input\_volscan\_role\_arn) | Volume Scanning Role ARN | `string` | n/a | yes |
@@ -46,4 +45,4 @@ No modules.
| Name | Description |
|------|-------------|
| [onboarding\_status](#output\_onboarding\_status) | Onboarding API Status Result |
-
\ No newline at end of file
+
diff --git a/modules/single/modules/trigger/trigger-aws.py b/modules/single/modules/trigger/trigger-aws.py
index ab49619..e7ebce0 100644
--- a/modules/single/modules/trigger/trigger-aws.py
+++ b/modules/single/modules/trigger/trigger-aws.py
@@ -13,7 +13,6 @@
aqua_secret = query.get('api_secret')
cspm_role_arn = query.get('cspm_role_arn')
cspm_external_id = query.get('cspm_external_id')
-is_already_cspm_client = query.get('is_already_cspm_client')
session_id = query.get('session_id')
vol_scan_role_arn = query.get('volume_scanning_role_arn')
vol_scan_external_id = query.get('volume_scanning_external_id')
@@ -23,6 +22,9 @@
aws_account_id = query.get('aws_account_id')
volume_scanning_deployment = query.get('volume_scanning_deployment')
tstmp = str(int(time.time() * 1000))
+base_cspm = query.get('base_cspm', 'false').lower() == 'true'
+custom_regions = query.get('custom_cspm_regions')
+cspm_group_id = int(query.get('cspm_group_id'))
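Review bot: `cspm_group_id = int(query.get('cspm_group_id'))` turns a missing or empty `cspm_group_id` into a bare `TypeError`/`ValueError` from `int()` with no indication of which input was absent; indexing with `query['cspm_group_id']` (a `KeyError` naming the key) or an explicit check with a named error is clearer for whoever reads the `data "external"` failure. `custom_regions = query.get('custom_cspm_regions')` defaults to `None`, which the later `!= ""` comparison treats as "set" and then fails on string concatenation; defaulting to the empty string keeps both paths consistent: `custom_regions = query.get('custom_cspm_regions', '')`. These are module-level statements and the script continues outside the hunk.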
def get_signature(aqua_secret, tstmp, path, method, body=''):
@@ -98,10 +100,12 @@ def trigger_discovery():
body = json.dumps({
"cloud": cloud,
"configuration_id": session_id,
- "is_already_cspm_client": is_already_cspm_client,
"deployment_method": "Terraform",
"additional_resource_tags": additional_resource_tags,
"volume_scanning_deployment": volume_scanning_deployment,
+ "base_cspm": base_cspm,
+ "cspm_group_id": cspm_group_id,
+ "enabled_regions": custom_regions,
"payload": {
"cspm": {
"role_arn": cspm_role_arn,
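Review bot: `"enabled_regions": custom_regions` in the discovery body is emitted even when `custom_regions` is the empty string, whereas the `/v2/keys` body built later in this function only includes `enabled_regions` when it is non-empty; whether the autoconnect API reads `""` as "default regions" or as an invalid region list is not visible here and should be confirmed. If the key must be omitted, build the dict first and add `enabled_regions` conditionally rather than always emitting it, so both bodies follow the same rule. `trigger_discovery` begins outside this hunk.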
@@ -116,10 +120,20 @@ def trigger_discovery():
})
sig = get_signature(aqua_secret, tstmp, "/v2/internal_apikeys", "GET", '')
+ body_cspm = (
+ '{"autoconnect":true,"base_cspm":' + str(base_cspm).lower() + ',"cloud":"aws","external_id":"' + cspm_external_id + '","group_id":' + str(int(cspm_group_id)) + ',"name":"' + aws_account_id + '","role_arn":"' + cspm_role_arn + '"}'
+ )
+ if custom_regions != "":
+ body_cspm = (
+ '{"autoconnect":true,"base_cspm":' + str(base_cspm).lower() + ',"cloud":"aws","enabled_regions":"' + custom_regions + '","external_id":"' + cspm_external_id + '","group_id":' + str(int(cspm_group_id)) + ',"name":"' + aws_account_id + '","role_arn":"' + cspm_role_arn + '"}'
+ )
+
+ cspm_sig = get_signature(aqua_secret, tstmp, "/v2/keys", "POST", body_cspm)
headers = {
"X-API-Key": aqua_api_key,
"X-Authenticate-Api-Key-Signature": sig,
+ "X-Register-New-Cspm-Signature": cspm_sig,
"X-Timestamp": tstmp
}
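Review bot: `body_cspm` is assembled by string concatenation of `cspm_external_id`, `custom_regions`, `aws_account_id` and `cspm_role_arn` into JSON without escaping, so a value containing a quote or backslash yields malformed JSON and an HMAC over bytes the server will never be able to reproduce; since the same body is duplicated for the with/without `enabled_regions` case, the two copies can also drift. `json.dumps(payload, separators=(",", ":"), sort_keys=True)` produces the same bytes as the current layout for plain ASCII values (the keys already appear in sorted order and `True`/ints serialize as `true`/digits), while escaping correctly and removing the duplication; `str(int(cspm_group_id))` is also redundant since `cspm_group_id` is already an `int`. Whether the server verifies `X-Register-New-Cspm-Signature` against exactly this serialization is not visible here — confirm before changing the byte layout in any other way.
```python
    sig = get_signature(aqua_secret, tstmp, "/v2/internal_apikeys", "GET", '')
    cspm_key_payload = {
        "autoconnect": True,
        "base_cspm": base_cspm,
        "cloud": "aws",
        "external_id": cspm_external_id,
        "group_id": cspm_group_id,
        "name": aws_account_id,
        "role_arn": cspm_role_arn,
    }
    if custom_regions != "":
        cspm_key_payload["enabled_regions"] = custom_regions
    # Compact separators + sorted keys reproduce the previous hand-built
    # layout byte-for-byte for plain ASCII values, and escape any quote,
    # backslash or control character a value may contain.
    body_cspm = json.dumps(cspm_key_payload, separators=(",", ":"), sort_keys=True)
    cspm_sig = get_signature(aqua_secret, tstmp, "/v2/keys", "POST", body_cspm)
    # … unchanged: headers dict …
```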
diff --git a/modules/single/modules/trigger/trigger.tf b/modules/single/modules/trigger/trigger.tf
index 904502d..2cc3622 100644
--- a/modules/single/modules/trigger/trigger.tf
+++ b/modules/single/modules/trigger/trigger.tf
@@ -12,12 +12,14 @@ data "external" "aws_onboarding" {
api_secret = sensitive(var.aqua_api_secret)
cspm_role_arn = var.cspm_role_arn
cspm_external_id = var.cspm_external_id
- is_already_cspm_client = tostring(var.is_already_cspm_client)
session_id = var.aqua_session_id
volume_scanning_role_arn = var.volscan_role_arn
volume_scanning_external_id = var.volscan_external_id
region = var.region
volume_scanning_deployment = var.create_vol_scan_resource ? "true" : "false"
+ cspm_group_id = var.cspm_group_id
+ custom_cspm_regions = var.custom_cspm_regions
+ base_cspm = var.base_cspm
additional_tags = join(",", [for key, value in var.additional_tags : "${key}:${value}"])
}
}
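Review bot: The new `cspm_group_id` and `base_cspm` query entries rely on Terraform's implicit number/bool-to-string conversion for the `map(string)` query, while the neighbouring entries (`volume_scanning_deployment`, and the `is_already_cspm_client` line this hunk removes) convert explicitly; keeping that convention makes the exact string the script parses visible here: `cspm_group_id = tostring(var.cspm_group_id)` and `base_cspm = var.base_cspm ? "true" : "false"`. The script lower-cases `base_cspm` before comparing it to `"true"`, so either form works today, but the explicit form does not depend on that normalisation.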
diff --git a/modules/single/modules/trigger/variables.tf b/modules/single/modules/trigger/variables.tf
index 4dc466b..ccce6e8 100644
--- a/modules/single/modules/trigger/variables.tf
+++ b/modules/single/modules/trigger/variables.tf
@@ -42,11 +42,6 @@ variable "cspm_external_id" {
type = string
}
-variable "is_already_cspm_client" {
- description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
- type = bool
-}
-
variable "volscan_role_arn" {
description = "Volume Scanning Role ARN"
type = string
@@ -72,3 +67,20 @@ variable "create_vol_scan_resource" {
type = bool
default = true
}
+
+variable "cspm_group_id" {
+ description = "Aqua CSPM Group ID"
+ type = number
+}
+
+variable "custom_cspm_regions" {
+ description = "Custom CSPM regions"
+ type = string
+ default = ""
+}
+
+variable "base_cspm" {
+ description = "Toggle for base CSPM only"
+ type = bool
+ default = false
+}
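Review bot: `custom_cspm_regions` is described only as "Custom CSPM regions", but the trigger script forwards it verbatim as a single JSON string value (`"enabled_regions": "..."`), so the description should state the expected format — presumably a comma-separated list of AWS region names, to be confirmed against the Aqua API — e.g. `description = "Regions to enable for CSPM, as one string in the format the Aqua /v2/keys API expects (e.g. comma-separated region names); empty keeps the default set"`. `cspm_group_id` likewise accepts any number; if the API only accepts a positive integer, a `validation` block on this variable fails fast at plan time instead of inside the external script.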
diff --git a/modules/single/outputs.tf b/modules/single/outputs.tf
index 6cf4c9b..de7bfed 100644
--- a/modules/single/outputs.tf
+++ b/modules/single/outputs.tf
@@ -62,11 +62,6 @@ output "volscan_external_id" {
value = try(module.lambda.volscan_external_id, null)
}
-output "is_already_cspm_client" {
- description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
- value = try(module.lambda.is_already_cspm_client, null)
-}
-
output "cspm_lambda_execution_role_arn" {
description = "The ARN of the lambda execution IAM role created for the CSPM"
value = try(module.lambda.cspm_lambda_execution_role_arn, null)
@@ -117,4 +112,4 @@ output "stack_set_template_url" {
output "onboarding_status" {
description = "Onboarding API Status Result"
value = try(module.trigger.onboarding_status, null)
-}
\ No newline at end of file
+}
diff --git a/modules/single/variables.tf b/modules/single/variables.tf
index 2444de8..dff0ff1 100644
--- a/modules/single/variables.tf
+++ b/modules/single/variables.tf
@@ -153,6 +153,7 @@ variable "additional_tags" {
variable "custom_cspm_regions" {
description = "Custom CSPM regions"
type = string
+ default = ""
}
variable "volume_scanning_deployment" {
@@ -160,3 +161,9 @@ variable "volume_scanning_deployment" {
type = string
default = "true"
}
+
+variable "base_cspm" {
+ description = "Toggle for base CSPM only"
+ type = bool
+ default = false
+}
diff --git a/outputs.tf b/outputs.tf
index 178b87b..e39ab9f 100644
--- a/outputs.tf
+++ b/outputs.tf
@@ -75,11 +75,6 @@ output "volscan_external_id" {
value = var.show_outputs && var.type == "single" ? module.single[0].volscan_external_id : null
}
-output "is_already_cspm_client" {
- description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
- value = var.show_outputs && var.type == "single" ? module.single[0].is_already_cspm_client : null
-}
-
output "cspm_lambda_execution_role_arn" {
description = "The ARN of the lambda execution IAM role created for the CSPM"
value = var.show_outputs && var.type == "single" ? module.single[0].kinesis_processor_lambda_execution_role_arn : null
diff --git a/variables.tf b/variables.tf
index 5ebae28..9a639fe 100644
--- a/variables.tf
+++ b/variables.tf
@@ -405,3 +405,9 @@ variable "volume_scanning_deployment" {
type = string
default = "true"
}
+
+variable "base_cspm" {
+ description = "Toggle for base CSPM only"
+ type = bool
+ default = false
+}