SLK-100239 - Fix Race and Add Base CSPM

README.md

@@ -98,6 +98,7 @@ Before using this module, ensure that you have the following:
 | <a name="input_aqua_volscan_api_url"></a> [aqua\_volscan\_api\_url](#input\_aqua\_volscan\_api\_url) | Aqua Volume Scanning API URL | `string` | n/a | yes |
 | <a name="input_aqua_volscan_aws_account_id"></a> [aqua\_volscan\_aws\_account\_id](#input\_aqua\_volscan\_aws\_account\_id) | Aqua Volume Scanning AWS Account ID | `string` | n/a | yes |
 | <a name="input_aqua_worker_role_arn"></a> [aqua\_worker\_role\_arn](#input\_aqua\_worker\_role\_arn) | Aqua Worker Role ARN | `string` | n/a | yes |
+| <a name="input_base_cspm"></a> [base\_cspm](#input\_base\_cspm) | Toggle for base CSPM only | `bool` | `false` | no |
 | <a name="input_create_vpcs"></a> [create\_vpcs](#input\_create\_vpcs) | Toggle to create VPCs | `bool` | `true` | no |
 | <a name="input_custom_agentless_role_name"></a> [custom\_agentless\_role\_name](#input\_custom\_agentless\_role\_name) | Custom Agentless role Name | `string` | `""` | no |
 | <a name="input_custom_bucket_name"></a> [custom\_bucket\_name](#input\_custom\_bucket\_name) | Custom bucket Name | `string` | `""` | no |
@@ -128,7 +129,6 @@ Before using this module, ensure that you have the following:
 | <a name="output_cspm_external_id"></a> [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
 | <a name="output_cspm_lambda_execution_role_arn"></a> [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
 | <a name="output_cspm_role_arn"></a> [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| <a name="output_is_already_cspm_client"></a> [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
 | <a name="output_kinesis_firehose_bucket_name"></a> [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name |
 | <a name="output_kinesis_firehose_delivery_stream_arn"></a> [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN |
 | <a name="output_kinesis_firehose_role_arn"></a> [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN |

main.tf

@@ -41,6 +41,7 @@ module "single" {
   custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name
   custom_cspm_regions                 = var.custom_cspm_regions
   volume_scanning_deployment          = var.volume_scanning_deployment
+  base_cspm                           = var.base_cspm
 }
 
 module "organization" {

modules/single/README.md

@@ -81,7 +81,6 @@ This Terraform module provisions the essential AWS infrastructure and configurat
 | <a name="output_cspm_external_id"></a> [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
 | <a name="output_cspm_lambda_execution_role_arn"></a> [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
 | <a name="output_cspm_role_arn"></a> [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| <a name="output_is_already_cspm_client"></a> [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
 | <a name="output_kinesis_firehose_bucket_name"></a> [kinesis\_firehose\_bucket\_name](#output\_kinesis\_firehose\_bucket\_name) | Kinesis Firehose S3 Bucket Name |
 | <a name="output_kinesis_firehose_delivery_stream_arn"></a> [kinesis\_firehose\_delivery\_stream\_arn](#output\_kinesis\_firehose\_delivery\_stream\_arn) | Kinesis Firehose Delivery Stream ARN |
 | <a name="output_kinesis_firehose_role_arn"></a> [kinesis\_firehose\_role\_arn](#output\_kinesis\_firehose\_role\_arn) | Kinesis Firehose Role ARN |

modules/single/main.tf

@@ -7,7 +7,7 @@ module "kinesis" {
   aqua_volscan_api_token            = var.aqua_volscan_api_token
   custom_bucket_name                = var.custom_bucket_name
   custom_processor_lambda_role_name = var.custom_processor_lambda_role_name
-  create_vol_scan_resource    = var.volume_scanning_deployment == "true" ? true : false
+  create_vol_scan_resource          = var.volume_scanning_deployment == "true" ? true : false
 }
 
 module "lambda" {
@@ -17,16 +17,13 @@ module "lambda" {
   aqua_volscan_aws_account_id = var.aqua_volscan_aws_account_id
   aqua_api_key                = var.aqua_api_key
   aqua_api_secret             = var.aqua_api_secret
-  aqua_cspm_group_id          = var.aqua_cspm_group_id
   aqua_cspm_ipv4_address      = var.aqua_cspm_ipv4_address
   aqua_cspm_aws_account_id    = var.aqua_cspm_aws_account_id
   aqua_cspm_url               = var.aqua_cspm_url
   aqua_worker_role_arn        = var.aqua_worker_role_arn
-  aws_account_id              = local.aws_account_id
   aqua_cspm_role_prefix       = var.aqua_cspm_role_prefix
   custom_agentless_role_name  = var.custom_agentless_role_name
   custom_cspm_role_name       = var.custom_cspm_role_name
-  custom_cspm_regions         = var.custom_cspm_regions
   create_vol_scan_resource    = var.volume_scanning_deployment == "true" ? true : false
   depends_on                  = [module.kinesis]
 }
@@ -52,20 +49,22 @@ module "stackset" {
 }
 
 module "trigger" {
-  source                 = "./modules/trigger"
-  region                 = var.region
-  aqua_api_key           = var.aqua_api_key
-  aqua_api_secret        = var.aqua_api_secret
-  aqua_autoconnect_url   = var.aqua_autoconnect_url
-  aqua_cspm_url          = var.aqua_cspm_url
-  aws_account_id         = local.aws_account_id
-  aqua_session_id        = var.aqua_session_id
-  cspm_role_arn          = module.lambda.cspm_role_arn
-  cspm_external_id       = module.lambda.cspm_external_id
-  is_already_cspm_client = module.lambda.is_already_cspm_client
-  volscan_role_arn       = module.lambda.agentless_role_arn
-  volscan_external_id    = module.lambda.volscan_external_id
-  additional_tags        = var.additional_tags
-  create_vol_scan_resource    = var.volume_scanning_deployment == "true" ? true : false
-  depends_on             = [module.stackset]
+  source                   = "./modules/trigger"
+  region                   = var.region
+  aqua_api_key             = var.aqua_api_key
+  aqua_api_secret          = var.aqua_api_secret
+  aqua_autoconnect_url     = var.aqua_autoconnect_url
+  aqua_cspm_url            = var.aqua_cspm_url
+  aws_account_id           = local.aws_account_id
+  aqua_session_id          = var.aqua_session_id
+  cspm_role_arn            = module.lambda.cspm_role_arn
+  cspm_external_id         = module.lambda.cspm_external_id
+  volscan_role_arn         = module.lambda.agentless_role_arn
+  volscan_external_id      = module.lambda.volscan_external_id
+  additional_tags          = var.additional_tags
+  create_vol_scan_resource = var.volume_scanning_deployment == "true" ? true : false
+  cspm_group_id            = var.aqua_cspm_group_id
+  custom_cspm_regions      = var.custom_cspm_regions
+  base_cspm                = var.base_cspm
+  depends_on               = [module.stackset]
 }

modules/single/modules/lambda/README.md

@@ -66,6 +66,5 @@ No modules.
 | <a name="output_cspm_external_id"></a> [cspm\_external\_id](#output\_cspm\_external\_id) | Aqua CSPM External ID generated by the 'generate\_cspm\_external\_id\_function' Lambda function |
 | <a name="output_cspm_lambda_execution_role_arn"></a> [cspm\_lambda\_execution\_role\_arn](#output\_cspm\_lambda\_execution\_role\_arn) | The ARN of the lambda execution IAM role created for the CSPM |
 | <a name="output_cspm_role_arn"></a> [cspm\_role\_arn](#output\_cspm\_role\_arn) | The ARN of the IAM role created for the CSPM |
-| <a name="output_is_already_cspm_client"></a> [is\_already\_cspm\_client](#output\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API |
 | <a name="output_volscan_external_id"></a> [volscan\_external\_id](#output\_volscan\_external\_id) | Aqua Volume Scanning External ID generated by the 'generate\_volscan\_external\_id\_function' Lambda function |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

modules/single/modules/lambda/data.tf

@@ -1,12 +1,5 @@
 # modules/single/modules/lambda/data.tf
 
-# Archive create_cspm_key.py into a zip file
-data "archive_file" "create_cspm_key_function" {
-  type        = "zip"
-  source_file = "${path.module}/functions/create_cspm_key.py"
-  output_path = "create_cspm_key.zip"
-}
-
 # Archive generate_external_id.py into a zip file
 data "archive_file" "generate_external_id_function" {
   type        = "zip"

modules/single/modules/lambda/functions/create_cspm_key.py

@@ -4,6 +4,8 @@
 import time
 import hmac
 
+# This Lambda isn't used currently, but it is kept for future use.
+
 def handler(event, context):
     cspm_url = event.get('ApiUrl')
     aqua_api_key = event.get('AquaApiKey')

modules/single/modules/lambda/locals.tf

@@ -4,5 +4,4 @@ locals {
   # Decode the results of Lambda function invocations
   cspm_external_id       = jsondecode(aws_lambda_invocation.generate_cspm_external_id_function.result)["ExternalId"]
   volscan_external_id    = try(jsondecode(aws_lambda_invocation.generate_volscan_external_id_function[0].result)["ExternalId"], "")
-  is_already_cspm_client = jsondecode(aws_lambda_invocation.create_cspm_key_function.result)["IsAlreadyCSPMClient"]
 }

modules/single/modules/lambda/main.tf

@@ -446,38 +446,3 @@ resource "time_sleep" "sleep" {
   }
   depends_on = [aws_iam_role.cspm_role]
 }
-
-# Create CSPM key lambda function
-resource "aws_lambda_function" "create_cspm_key_function" {
-  architectures    = ["x86_64"]
-  description      = "Trigger CSPM via CSPM Api"
-  function_name    = "aqua-autoconnect-create-cspm-key-function-${var.random_id}"
-  handler          = "create_cspm_key.handler"
-  role             = aws_iam_role.cspm_lambda_execution_role.arn
-  runtime          = "python3.12"
-  timeout          = 120
-  filename         = data.archive_file.create_cspm_key_function.output_path
-  source_code_hash = data.archive_file.create_cspm_key_function.output_base64sha256
-  tracing_config {
-    mode = "Active"
-  }
-}
-
-# Invoking CSPM key lambda function
-resource "aws_lambda_invocation" "create_cspm_key_function" {
-  function_name = aws_lambda_function.create_cspm_key_function.function_name
-  input = jsonencode({
-    ApiUrl            = var.aqua_cspm_url
-    AquaApiKey        = var.aqua_api_key
-    AquaSecretKey     = var.aqua_api_secret
-    RoleArn           = aws_iam_role.cspm_role.arn
-    ExternalId        = local.cspm_external_id
-    AccountId         = tostring(var.aws_account_id)
-    GroupId           = var.aqua_cspm_group_id
-    CustomCSPMRegions = var.custom_cspm_regions
-  })
-  triggers = {
-    always_run = timestamp()
-  }
-  depends_on = [time_sleep.sleep]
-}

modules/single/modules/lambda/outputs.tf

@@ -10,11 +10,6 @@ output "volscan_external_id" {
   value       = local.volscan_external_id
 }
 
-output "is_already_cspm_client" {
-  description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
-  value       = local.is_already_cspm_client
-}
-
 output "cspm_lambda_execution_role_arn" {
   description = "The ARN of the lambda execution IAM role created for the CSPM"
   value       = aws_iam_role.cspm_lambda_execution_role.arn

modules/single/modules/lambda/variables.tf

@@ -32,11 +32,6 @@ variable "aqua_cspm_url" {
   type        = string
 }
 
-variable "aqua_cspm_group_id" {
-  description = "Aqua CSPM Group ID"
-  type        = number
-}
-
 variable "aqua_cspm_aws_account_id" {
   description = "Aqua CSPM AWS Account ID"
   type        = string
@@ -67,16 +62,6 @@ variable "custom_agentless_role_name" {
   type        = string
 }
 
-variable "aws_account_id" {
-  description = "AWS Account ID"
-  type        = number
-}
-
-variable "custom_cspm_regions" {
-  description = "Custom CSPM regions"
-  type        = string
-}
-
 variable "create_vol_scan_resource" {
   description = "Create Volume Scanning Resource"
   type        = bool

modules/single/modules/trigger/README.md

@@ -36,7 +36,6 @@ No modules.
 | <a name="input_aqua_session_id"></a> [aqua\_session\_id](#input\_aqua\_session\_id) | Aqua Session ID | `string` | n/a | yes |
 | <a name="input_cspm_external_id"></a> [cspm\_external\_id](#input\_cspm\_external\_id) | Aqua CSPM External ID | `string` | n/a | yes |
 | <a name="input_cspm_role_arn"></a> [cspm\_role\_arn](#input\_cspm\_role\_arn) | CSPM Role ARN | `string` | n/a | yes |
-| <a name="input_is_already_cspm_client"></a> [is\_already\_cspm\_client](#input\_is\_already\_cspm\_client) | Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API | `bool` | n/a | yes |
 | <a name="input_region"></a> [region](#input\_region) | Main AWS Region to to deploy resources | `string` | n/a | yes |
 | <a name="input_volscan_external_id"></a> [volscan\_external\_id](#input\_volscan\_external\_id) | Aqua Volume Scanning External ID | `string` | n/a | yes |
 | <a name="input_volscan_role_arn"></a> [volscan\_role\_arn](#input\_volscan\_role\_arn) | Volume Scanning Role ARN | `string` | n/a | yes |
@@ -46,4 +45,4 @@ No modules.
 | Name | Description |
 |------|-------------|
 | <a name="output_onboarding_status"></a> [onboarding\_status](#output\_onboarding\_status) | Onboarding API Status Result |
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->

modules/single/modules/trigger/trigger-aws.py

@@ -13,7 +13,6 @@
 aqua_secret = query.get('api_secret')
 cspm_role_arn = query.get('cspm_role_arn')
 cspm_external_id = query.get('cspm_external_id')
-is_already_cspm_client = query.get('is_already_cspm_client')
 session_id = query.get('session_id')
 vol_scan_role_arn = query.get('volume_scanning_role_arn')
 vol_scan_external_id = query.get('volume_scanning_external_id')
@@ -23,6 +22,9 @@
 aws_account_id = query.get('aws_account_id')
 volume_scanning_deployment = query.get('volume_scanning_deployment')
 tstmp = str(int(time.time() * 1000))
+base_cspm = query.get('base_cspm', 'false').lower() == 'true'
+custom_regions = query.get('custom_cspm_regions')
+cspm_group_id = int(query.get('cspm_group_id'))
 
 
 def get_signature(aqua_secret, tstmp, path, method, body=''):
@@ -98,10 +100,12 @@ def trigger_discovery():
     body = json.dumps({
         "cloud": cloud,
         "configuration_id": session_id,
-        "is_already_cspm_client": is_already_cspm_client,
         "deployment_method": "Terraform",
         "additional_resource_tags": additional_resource_tags,
         "volume_scanning_deployment": volume_scanning_deployment,
+        "base_cspm": base_cspm,
+        "cspm_group_id": cspm_group_id,
+        "enabled_regions": custom_regions,
         "payload": {
             "cspm": {
                 "role_arn": cspm_role_arn,
@@ -116,10 +120,20 @@ def trigger_discovery():
     })
 
     sig = get_signature(aqua_secret, tstmp, "/v2/internal_apikeys", "GET", '')
+    body_cspm = (
+        '{"autoconnect":true,"base_cspm":' + str(base_cspm).lower() + ',"cloud":"aws","external_id":"' + cspm_external_id + '","group_id":' + str(int(cspm_group_id)) + ',"name":"' + aws_account_id + '","role_arn":"' + cspm_role_arn + '"}'
+    )
 
+    if custom_regions != "":
+        body_cspm = (
+            '{"autoconnect":true,"base_cspm":' + str(base_cspm).lower() + ',"cloud":"aws","enabled_regions":"' + custom_regions + '","external_id":"' + cspm_external_id + '","group_id":' + str(int(cspm_group_id)) + ',"name":"' + aws_account_id + '","role_arn":"' + cspm_role_arn + '"}'
+        )
+
+    cspm_sig = get_signature(aqua_secret, tstmp, "/v2/keys", "POST", body_cspm)
     headers = {
         "X-API-Key": aqua_api_key,
         "X-Authenticate-Api-Key-Signature": sig,
+        "X-Register-New-Cspm-Signature": cspm_sig,
         "X-Timestamp": tstmp
     }
 

modules/single/modules/trigger/trigger.tf

@@ -12,12 +12,14 @@ data "external" "aws_onboarding" {
     api_secret                  = sensitive(var.aqua_api_secret)
     cspm_role_arn               = var.cspm_role_arn
     cspm_external_id            = var.cspm_external_id
-    is_already_cspm_client      = tostring(var.is_already_cspm_client)
     session_id                  = var.aqua_session_id
     volume_scanning_role_arn    = var.volscan_role_arn
     volume_scanning_external_id = var.volscan_external_id
     region                      = var.region
     volume_scanning_deployment  = var.create_vol_scan_resource ? "true" : "false"
+    cspm_group_id               = var.cspm_group_id
+    custom_cspm_regions         = var.custom_cspm_regions
+    base_cspm                   = var.base_cspm
     additional_tags             = join(",", [for key, value in var.additional_tags : "${key}:${value}"])
   }
 }

modules/single/modules/trigger/variables.tf

@@ -42,11 +42,6 @@ variable "cspm_external_id" {
   type        = string
 }
 
-variable "is_already_cspm_client" {
-  description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
-  type        = bool
-}
-
 variable "volscan_role_arn" {
   description = "Volume Scanning Role ARN"
   type        = string
@@ -72,3 +67,20 @@ variable "create_vol_scan_resource" {
   type        = bool
   default     = true
 }
+
+variable "cspm_group_id" {
+  description = "Aqua CSPM Group ID"
+  type        = number
+}
+
+variable "custom_cspm_regions" {
+  description = "Custom CSPM regions"
+  type        = string
+  default = ""
+}
+
+variable "base_cspm" {
+  description = "Toggle for base CSPM only"
+  type        = bool
+  default     = false
+}

modules/single/outputs.tf

@@ -62,11 +62,6 @@ output "volscan_external_id" {
   value       = try(module.lambda.volscan_external_id, null)
 }
 
-output "is_already_cspm_client" {
-  description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
-  value       = try(module.lambda.is_already_cspm_client, null)
-}
-
 output "cspm_lambda_execution_role_arn" {
   description = "The ARN of the lambda execution IAM role created for the CSPM"
   value       = try(module.lambda.cspm_lambda_execution_role_arn, null)
@@ -117,4 +112,4 @@ output "stack_set_template_url" {
 output "onboarding_status" {
   description = "Onboarding API Status Result"
   value       = try(module.trigger.onboarding_status, null)
-}
+}

modules/single/variables.tf

@@ -153,10 +153,17 @@ variable "additional_tags" {
 variable "custom_cspm_regions" {
   description = "Custom CSPM regions"
   type        = string
+  default     = ""
 }
 
 variable "volume_scanning_deployment" {
   description = "Toggle to deploy volume scanning resources"
   type        = string
   default     = "true"
 }
+
+variable "base_cspm" {
+  description = "Toggle for base CSPM only"
+  type        = bool
+  default     = false
+}

outputs.tf

@@ -75,11 +75,6 @@ output "volscan_external_id" {
   value       = var.show_outputs && var.type == "single" ? module.single[0].volscan_external_id : null
 }
 
-output "is_already_cspm_client" {
-  description = "Boolean indicating if the client is already a CSPM client, to be sent to the Autoconnect API"
-  value       = var.show_outputs && var.type == "single" ? module.single[0].is_already_cspm_client : null
-}
-
 output "cspm_lambda_execution_role_arn" {
   description = "The ARN of the lambda execution IAM role created for the CSPM"
   value       = var.show_outputs && var.type == "single" ? module.single[0].kinesis_processor_lambda_execution_role_arn : null

variables.tf

@@ -405,3 +405,9 @@ variable "volume_scanning_deployment" {
   type        = string
   default     = "true"
 }
+
+variable "base_cspm" {
+  description = "Toggle for base CSPM only"
+  type        = bool
+  default     = false
+}