aquasecurity · idanch4 · Oct 21, 2025 · Oct 5, 2025 · Oct 14, 2025 · Oct 14, 2025
diff --git a/README.md b/README.md
@@ -106,7 +106,9 @@ Before using this module, ensure that you have the following:
 | <a name="input_custom_cspm_role_name"></a> [custom\_cspm\_role\_name](#input\_custom\_cspm\_role\_name) | Custom CSPM role Name | `string` | `""` | no |
 | <a name="input_custom_internet_gateway_name"></a> [custom\_internet\_gateway\_name](#input\_custom\_internet\_gateway\_name) | Custom Internet Gateway Name | `string` | `""` | no |
 | <a name="input_custom_processor_lambda_role_name"></a> [custom\_processor\_lambda\_role\_name](#input\_custom\_processor\_lambda\_role\_name) | Custom Processor lambda role Name | `string` | `""` | no |
+| <a name="input_custom_registry_scanning_role_name"></a> [custom\_registry\_scanning\_role\_name](#input\_custom\_registry\_scanning\_role\_name) | Custom Registry Scanning role Name | `string` | `""` | no |
 | <a name="input_custom_security_group_name"></a> [custom\_security\_group\_name](#input\_custom\_security\_group\_name) | Custom Security Group Name | `string` | `""` | no |
+| <a name="input_custom_serverless_scanning_role_name"></a> [custom\_serverless\_scanning\_role\_name](#input\_custom\_serverless\_scanning\_role\_name) | Custom Serverless Scanning role Name | `string` | `""` | no |
 | <a name="input_custom_vpc_name"></a> [custom\_vpc\_name](#input\_custom\_vpc\_name) | Custom VPC Name | `string` | `""` | no |
 | <a name="input_custom_vpc_subnet1_name"></a> [custom\_vpc\_subnet1\_name](#input\_custom\_vpc\_subnet1\_name) | Custom VPC Subnet 1 Name | `string` | `""` | no |
 | <a name="input_custom_vpc_subnet2_name"></a> [custom\_vpc\_subnet2\_name](#input\_custom\_vpc\_subnet2\_name) | Custom VPC Subnet 2 Name | `string` | `""` | no |
@@ -115,6 +117,8 @@ Before using this module, ensure that you have the following:
 | <a name="input_organizational_unit_id"></a> [organizational\_unit\_id](#input\_organizational\_unit\_id) | AWS Organizational unit (OU) ID to deploy resources on (This should be provided only if type of onboarding is 'organization') | `string` | `""` | no |
 | <a name="input_region"></a> [region](#input\_region) | Main AWS Region to deploy resources | `string` | n/a | yes |
 | <a name="input_regions"></a> [regions](#input\_regions) | AWS Regions to deploy discovery and scanning resources | `list(string)` | n/a | yes |
+| <a name="input_registry_scanning_deployment"></a> [registry\_scanning\_deployment](#input\_registry\_scanning\_deployment) | Toggle to deploy Registry/ECR scanning resources | `string` | `"true"` | no |
+| <a name="input_serverless_scanning_deployment"></a> [serverless\_scanning\_deployment](#input\_serverless\_scanning\_deployment) | Toggle to deploy Serverless/Lambda scanning resources | `string` | `"true"` | no |
 | <a name="input_show_outputs"></a> [show\_outputs](#input\_show\_outputs) | Whether to show outputs after deployment | `bool` | `false` | no |
 | <a name="input_type"></a> [type](#input\_type) | The type of onboarding. Valid values are 'single' or 'organization' onboarding types | `string` | n/a | yes |
 | <a name="input_volume_scanning_deployment"></a> [volume\_scanning\_deployment](#input\_volume\_scanning\_deployment) | Toggle to deploy Volume Scanning resources | `string` | `"true"` | no |

diff --git a/main.tf b/main.tf
@@ -7,70 +7,80 @@ resource "random_string" "id" {
 }
 
 module "single" {
-  source                              = "./modules/single"
-  count                               = var.type == "single" ? 1 : 0
-  random_id                           = local.random_id
-  region                              = var.region
-  regions                             = var.regions
-  additional_tags                     = var.additional_tags
-  aqua_autoconnect_url                = var.aqua_autoconnect_url
-  aqua_session_id                     = var.aqua_session_id
-  aqua_worker_role_arn                = var.aqua_worker_role_arn
-  aqua_api_key                        = var.aqua_api_key
-  aqua_api_secret                     = var.aqua_api_secret
-  aqua_bucket_name                    = var.aqua_bucket_name
-  aqua_volscan_api_url                = var.aqua_volscan_api_url
-  aqua_volscan_aws_account_id         = var.aqua_volscan_aws_account_id
-  aqua_volscan_api_token              = var.aqua_volscan_api_token
-  aqua_cspm_aws_account_id            = var.aqua_cspm_aws_account_id
-  aqua_cspm_ipv4_address              = var.aqua_cspm_ipv4_address
-  aqua_cspm_url                       = var.aqua_cspm_url
-  aqua_cspm_group_id                  = var.aqua_cspm_group_id
-  aqua_cspm_role_prefix               = var.aqua_cspm_role_prefix
-  custom_cspm_role_name               = var.custom_cspm_role_name
-  custom_bucket_name                  = var.custom_bucket_name
-  custom_agentless_role_name          = var.custom_agentless_role_name
-  custom_processor_lambda_role_name   = var.custom_processor_lambda_role_name
-  create_vpcs                         = var.create_vpcs
-  custom_internet_gateway_name        = var.custom_internet_gateway_name
-  custom_security_group_name          = var.custom_security_group_name
-  custom_vpc_name                     = var.custom_vpc_name
-  custom_vpc_subnet1_name             = var.custom_vpc_subnet1_name
-  custom_vpc_subnet2_name             = var.custom_vpc_subnet2_name
-  custom_vpc_subnet_route_table1_name = var.custom_vpc_subnet_route_table1_name
-  custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name
-  custom_cspm_regions                 = var.custom_cspm_regions
-  volume_scanning_deployment          = var.volume_scanning_deployment
-  base_cspm                           = var.base_cspm
+  source                               = "./modules/single"
+  count                                = var.type == "single" ? 1 : 0
+  random_id                            = local.random_id
+  region                               = var.region
+  regions                              = var.regions
+  additional_tags                      = var.additional_tags
+  aqua_autoconnect_url                 = var.aqua_autoconnect_url
+  aqua_session_id                      = var.aqua_session_id
+  aqua_worker_role_arn                 = var.aqua_worker_role_arn
+  aqua_api_key                         = var.aqua_api_key
+  aqua_api_secret                      = var.aqua_api_secret
+  aqua_bucket_name                     = var.aqua_bucket_name
+  aqua_volscan_api_url                 = var.aqua_volscan_api_url
+  aqua_volscan_aws_account_id          = var.aqua_volscan_aws_account_id
+  aqua_volscan_api_token               = var.aqua_volscan_api_token
+  aqua_cspm_aws_account_id             = var.aqua_cspm_aws_account_id
+  aqua_cspm_ipv4_address               = var.aqua_cspm_ipv4_address
+  aqua_cspm_url                        = var.aqua_cspm_url
+  aqua_cspm_group_id                   = var.aqua_cspm_group_id
+  aqua_cspm_role_prefix                = var.aqua_cspm_role_prefix
+  custom_cspm_role_name                = var.custom_cspm_role_name
+  custom_bucket_name                   = var.custom_bucket_name
+  custom_agentless_role_name           = var.custom_agentless_role_name
+  custom_processor_lambda_role_name    = var.custom_processor_lambda_role_name
+  create_vpcs                          = var.create_vpcs
+  custom_internet_gateway_name         = var.custom_internet_gateway_name
+  custom_security_group_name           = var.custom_security_group_name
+  custom_vpc_name                      = var.custom_vpc_name
+  custom_vpc_subnet1_name              = var.custom_vpc_subnet1_name
+  custom_vpc_subnet2_name              = var.custom_vpc_subnet2_name
+  custom_vpc_subnet_route_table1_name  = var.custom_vpc_subnet_route_table1_name
+  custom_vpc_subnet_route_table2_name  = var.custom_vpc_subnet_route_table2_name
+  custom_cspm_regions                  = var.custom_cspm_regions
+  volume_scanning_deployment           = var.volume_scanning_deployment
+  base_cspm                            = var.base_cspm
+  registry_scanning_deployment         = var.registry_scanning_deployment
+  serverless_scanning_deployment       = var.serverless_scanning_deployment
+  custom_registry_scanning_role_name   = var.custom_registry_scanning_role_name
+  custom_serverless_scanning_role_name = var.custom_serverless_scanning_role_name
 }
 
 module "organization" {
-  source                              = "./modules/organization"
-  count                               = var.type == "organization" ? 1 : 0
-  region                              = var.region
-  regions                             = var.regions
-  organizational_unit_id              = var.organizational_unit_id
-  additional_tags                     = var.additional_tags
-  aqua_tenant_id                      = var.aqua_tenant_id
-  aqua_random_id                      = var.aqua_random_id
-  aqua_worker_role_arn                = var.aqua_worker_role_arn
-  aqua_bucket_name                    = var.aqua_bucket_name
-  aqua_api_key                        = var.aqua_api_key
-  aqua_api_secret                     = var.aqua_api_secret
-  aqua_volscan_api_token              = var.aqua_volscan_api_token
-  aqua_group_name                     = var.aqua_group_name
-  aqua_session_id                     = var.aqua_session_id
-  custom_cspm_role_name               = var.custom_cspm_role_name
-  custom_bucket_name                  = var.custom_bucket_name
-  custom_agentless_role_name          = var.custom_agentless_role_name
-  custom_processor_lambda_role_name   = var.custom_processor_lambda_role_name
-  custom_internet_gateway_name        = var.custom_internet_gateway_name
-  custom_security_group_name          = var.custom_security_group_name
-  custom_vpc_name                     = var.custom_vpc_name
-  custom_vpc_subnet1_name             = var.custom_vpc_subnet1_name
-  custom_vpc_subnet2_name             = var.custom_vpc_subnet2_name
-  custom_vpc_subnet_route_table1_name = var.custom_vpc_subnet_route_table1_name
-  custom_vpc_subnet_route_table2_name = var.custom_vpc_subnet_route_table2_name
-  custom_cspm_regions                 = var.custom_cspm_regions
-  volume_scanning_deployment          = var.volume_scanning_deployment
+  source                               = "./modules/organization"
+  count                                = var.type == "organization" ? 1 : 0
+  region                               = var.region
+  regions                              = var.regions
+  organizational_unit_id               = var.organizational_unit_id
+  additional_tags                      = var.additional_tags
+  aqua_tenant_id                       = var.aqua_tenant_id
+  aqua_random_id                       = var.aqua_random_id
+  aqua_worker_role_arn                 = var.aqua_worker_role_arn
+  aqua_bucket_name                     = var.aqua_bucket_name
+  aqua_api_key                         = var.aqua_api_key
+  aqua_api_secret                      = var.aqua_api_secret
+  aqua_volscan_api_token               = var.aqua_volscan_api_token
+  aqua_group_name                      = var.aqua_group_name
+  aqua_session_id                      = var.aqua_session_id
+  custom_cspm_role_name                = var.custom_cspm_role_name
+  custom_bucket_name                   = var.custom_bucket_name
+  custom_agentless_role_name           = var.custom_agentless_role_name
+  custom_processor_lambda_role_name    = var.custom_processor_lambda_role_name
+  custom_internet_gateway_name         = var.custom_internet_gateway_name
+  custom_security_group_name           = var.custom_security_group_name
+  custom_vpc_name                      = var.custom_vpc_name
+  custom_vpc_subnet1_name              = var.custom_vpc_subnet1_name
+  custom_vpc_subnet2_name              = var.custom_vpc_subnet2_name
+  custom_vpc_subnet_route_table1_name  = var.custom_vpc_subnet_route_table1_name
+  custom_vpc_subnet_route_table2_name  = var.custom_vpc_subnet_route_table2_name
+  custom_cspm_regions                  = var.custom_cspm_regions
+  volume_scanning_deployment           = var.volume_scanning_deployment
+  base_cspm                            = var.base_cspm
+  aqua_cspm_group_id                   = var.aqua_cspm_group_id
+  registry_scanning_deployment         = var.registry_scanning_deployment
+  serverless_scanning_deployment       = var.serverless_scanning_deployment
+  custom_registry_scanning_role_name   = var.custom_registry_scanning_role_name
+  custom_serverless_scanning_role_name = var.custom_serverless_scanning_role_name
 }
diff --git a/modules/organization/main.tf b/modules/organization/main.tf
@@ -19,30 +19,36 @@ resource "aws_cloudformation_stack_set" "stack_set" {
   }
 
   parameters = {
-    AquaApiKey                     = sensitive(var.aqua_api_key),
-    AquaSecretKey                  = sensitive(var.aqua_api_secret),
-    AquaGroupName                  = var.aqua_group_name,
-    WorkerRoleArn                  = var.aqua_worker_role_arn,
-    TenantId                       = var.aqua_tenant_id,
-    AquaApiTokenVolScan            = sensitive(var.aqua_volscan_api_token),
-    RandomID                       = var.aqua_random_id,
-    ConfigurationID                = var.aqua_session_id,
-    OrganizationID                 = var.organizational_unit_id,
-    DeployedInfrastructureRegion   = var.region,
-    AdditionalTags                 = join(",", [for key, value in var.additional_tags : "${key}:${value}"])
-    CustomCSPMRoleName             = var.custom_cspm_role_name
-    CustomAgentlessRoleName        = var.custom_agentless_role_name
-    CustomBucketName               = var.custom_bucket_name
-    CustomProcessorLambdaRoleName  = var.custom_processor_lambda_role_name
-    CustomVpcName                  = var.custom_vpc_name
-    CustomVpcSubnet1Name           = var.custom_vpc_subnet1_name
-    CustomVpcSubnetRouteTable1Name = var.custom_vpc_subnet_route_table1_name
-    CustomVpcSubnet2Name           = var.custom_vpc_subnet2_name
-    CustomVpcSubnetRouteTable2Name = var.custom_vpc_subnet_route_table2_name
-    CustomInternetGatewayName      = var.custom_internet_gateway_name
-    CustomSecurityGroupName        = var.custom_security_group_name
-    CustomCSPMRegions              = var.custom_cspm_regions
-    VolumeScanningDeployment       = var.volume_scanning_deployment
+    AquaApiKey                       = sensitive(var.aqua_api_key),
+    AquaSecretKey                    = sensitive(var.aqua_api_secret),
+    AquaGroupName                    = var.aqua_group_name,
+    WorkerRoleArn                    = var.aqua_worker_role_arn,
+    TenantId                         = var.aqua_tenant_id,
+    AquaApiTokenVolScan              = sensitive(var.aqua_volscan_api_token),
+    RandomID                         = var.aqua_random_id,
+    ConfigurationID                  = var.aqua_session_id,
+    OrganizationID                   = var.organizational_unit_id,
+    DeployedInfrastructureRegion     = var.region,
+    AdditionalTags                   = join(",", [for key, value in var.additional_tags : "${key}:${value}"])
+    CustomCSPMRoleName               = var.custom_cspm_role_name
+    CustomAgentlessRoleName          = var.custom_agentless_role_name
+    CustomBucketName                 = var.custom_bucket_name
+    CustomProcessorLambdaRoleName    = var.custom_processor_lambda_role_name
+    CustomVpcName                    = var.custom_vpc_name
+    CustomVpcSubnet1Name             = var.custom_vpc_subnet1_name
+    CustomVpcSubnetRouteTable1Name   = var.custom_vpc_subnet_route_table1_name
+    CustomVpcSubnet2Name             = var.custom_vpc_subnet2_name
+    CustomVpcSubnetRouteTable2Name   = var.custom_vpc_subnet_route_table2_name
+    CustomInternetGatewayName        = var.custom_internet_gateway_name
+    CustomSecurityGroupName          = var.custom_security_group_name
+    CustomCSPMRegions                = var.custom_cspm_regions
+    VolumeScanningDeployment         = var.volume_scanning_deployment
+    BaseCSPM                         = tostring(var.base_cspm)
+    GroupId                          = tostring(var.aqua_cspm_group_id)
+    RegistryScanningDeployment       = var.registry_scanning_deployment
+    ServerlessScanningDeployment     = var.serverless_scanning_deployment
+    CustomRegistryScanningRoleName   = var.custom_registry_scanning_role_name
+    CustomServerlessScanningRoleName = var.custom_serverless_scanning_role_name
   }
 }
 

diff --git a/modules/organization/variables.tf b/modules/organization/variables.tf
@@ -66,6 +66,11 @@ variable "aqua_session_id" {
   type        = string
 }
 
+variable "aqua_cspm_group_id" {
+  description = "Aqua CSPM Group ID"
+  type        = number
+}
+
 variable "custom_cspm_role_name" {
   description = "Custom CSPM role Name"
   type        = string
@@ -131,4 +136,62 @@ variable "volume_scanning_deployment" {
   description = "Toggle to deploy Volume Scanning resources"
   type        = string
   default     = "true"
+  validation {
+    condition     = var.volume_scanning_deployment == "true" || var.volume_scanning_deployment == "false"
+    error_message = "Volume scanning deployment must be either 'true' or 'false'."
+  }
+}
+
+variable "base_cspm" {
+  description = "Toggle for base CSPM only"
+  type        = bool
+  default     = false
+}
+
+variable "registry_scanning_deployment" {
+  description = "Toggle to deploy Registry/ECR scanning resources"
+  type        = string
+  default     = "true"
+  validation {
+    condition     = var.registry_scanning_deployment == "true" || var.registry_scanning_deployment == "false"
+    error_message = "Registry scanning deployment must be either 'true' or 'false'."
+  }
+}
+
+variable "serverless_scanning_deployment" {
+  description = "Toggle to deploy Serverless/Lambda scanning resources"
+  type        = string
+  default     = "true"
+  validation {
+    condition     = var.serverless_scanning_deployment == "true" || var.serverless_scanning_deployment == "false"
+    error_message = "Serverless scanning deployment must be either 'true' or 'false'."
+  }
+}
+
+variable "custom_registry_scanning_role_name" {
+  description = "Custom Registry Scanning role Name"
+  type        = string
+  default     = ""
+  validation {
+    condition     = length(var.custom_registry_scanning_role_name) == 0 || (length(var.custom_registry_scanning_role_name) >= 1 && length(var.custom_registry_scanning_role_name) <= 64)
+    error_message = "The Registry Scanning IAM role name must be between 1 and 64 characters."
+  }
+  validation {
+    condition     = length(var.custom_registry_scanning_role_name) == 0 || can(regex("[a-zA-Z0-9+=,.@_-]+", var.custom_registry_scanning_role_name))
+    error_message = "The Registry Scanning IAM role name can contain only alphanumeric characters and the following special characters: +=,.@_-"
+  }
+}
+
+variable "custom_serverless_scanning_role_name" {
+  description = "Custom Serverless Scanning role Name"
+  type        = string
+  default     = ""
+  validation {
+    condition     = length(var.custom_serverless_scanning_role_name) == 0 || (length(var.custom_serverless_scanning_role_name) >= 1 && length(var.custom_serverless_scanning_role_name) <= 64)
+    error_message = "The Serverless Scanning IAM role name must be between 1 and 64 characters."
+  }
+  validation {
+    condition     = length(var.custom_serverless_scanning_role_name) == 0 || can(regex("[a-zA-Z0-9+=,.@_-]+", var.custom_serverless_scanning_role_name))
+    error_message = "The Serverless Scanning IAM role name can contain only alphanumeric characters and the following special characters: +=,.@_-"
+  }
 }