This module connects your AWS account to Rad Security so that it can scan and analyze your AWS resources.
The module is available in the Terraform Registry (see here). It uses the official Rad Security Provider to authenticate and connect your AWS account to Rad Security; the provider can be found here in the Terraform Provider Registry.
The most important thing to be aware of when contributing is that we use the Semantic Release Action to automate our changelog (see here).
This requires conventional git commits when committing to this repository.
Each PR merged into the main branch will execute the release process defined here.
This module requires you to obtain a set of cloud API credentials from Rad Security (access_key/secret). It will use those credentials to connect your AWS account to your Rad Security account.
The module needs an AWS provider to be configured. It will create an IAM Role in your account called rad-security-connect. The IAM Role has fine-grained policies attached (prefixed with rad-security_connect_policy), and its trust policy allows the rad-security-connector role in Rad Security's AWS account to assume it and thereby obtain only the permissions necessary to interact with AWS resources in your account.
When the rad-security-connect Role is created, it will be added to your Rad Security account through the rad-security_aws_register resource.
There is an optional flag, enable_eks_audit_logs_pipeline, which creates a CloudWatch Logs -> Firehose -> S3 pipeline for all EKS clusters in the account. This is required for Rad Security to be able to analyse EKS audit logs. Make sure the audit log type is enabled on each EKS cluster you wish to be analysed; the pipeline only forwards what the cluster actually writes to CloudWatch. By default, the pipeline creates a policy for CloudWatch in all four US regions. If you have EKS clusters in other regions, you can override the eks_audit_logs_regions variable.
Also, only clusters in the same region as your AWS provider will be included in the pipeline. If you have EKS clusters in multiple regions, you need to enable the eks_audit_logs_multi_region flag and create subscription filters in each region outside of this module (see the example in the examples/audit_logs_multi_region directory).
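The multi-region setup described above, as an added example that is not part of this module's own code or examples directory. The module source address, the secondary region, the cluster name and the tag values are placeholders or assumptions; the rad-security provider's credential attribute names are not shown on this page, so that block is left for the provider docs.

```hcl
# Added example (not the module's own code). Assumed: <MODULE_SOURCE>,
# region us-east-2 as the secondary region, cluster name "prod-eks-use2".

provider "aws" {
  region = "us-east-1"
}

provider "aws" {
  alias  = "secondary"
  region = "us-east-2"
}

provider "rad-security" {
  # Rad Security cloud API credentials (access_key/secret) go here,
  # using the attribute names documented by the provider.
}

# Primary region: creates rad-security-connect, registers the account and
# builds the CloudWatch Logs -> Firehose -> S3 pipeline plus global resources.
module "rad_security_primary" {
  source = "<MODULE_SOURCE>" # placeholder: registry address linked in the README

  enable_eks_audit_logs_pipeline = true
  eks_audit_logs_multi_region    = true
  tags                           = { owner = "security" } # constructed value
}

# Secondary region: reuse the (global) IAM roles from the primary region and
# skip global resources, as the secondary_region input describes.
module "rad_security_secondary" {
  source    = "<MODULE_SOURCE>"
  providers = { aws = aws.secondary }

  enable_eks_audit_logs_pipeline    = true
  secondary_region                  = true
  eks_audit_log_cloudwatch_role_arn = module.rad_security_primary.eks_audit_logs_cloudwatch_iam_role_arn
  eks_audit_log_firehose_role_arn   = module.rad_security_primary.eks_audit_logs_firehose_iam_role_arn
}

# Subscription filter for one cluster in the secondary region, created outside
# the module as the README requires. EKS writes control-plane logs to the
# log group /aws/eks/<cluster>/cluster; the filter reuses the module's default
# pattern so health, metrics and version probes are dropped before delivery.
resource "aws_cloudwatch_log_subscription_filter" "secondary_eks_audit" {
  provider        = aws.secondary
  name            = "rad-security-eks-audit"
  log_group_name  = "/aws/eks/prod-eks-use2/cluster" # assumed cluster name
  filter_pattern  = module.rad_security_primary.eks_audit_logs_filter_pattern
  destination_arn = module.rad_security_secondary.eks_audit_logs_firehose_arn
  role_arn        = module.rad_security_primary.eks_audit_logs_cloudwatch_iam_role_arn
}
```

Repeat the resource block for every cluster in the secondary region; the cluster's audit log type must be enabled or the log group receives no audit events for the filter to forward.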
| Name | Version |
|---|---|
| terraform | >= 1.0.8 |
| aws | >= 5.0.0 |
| rad-security | >= 1.0.3 |
| Name | Version |
|---|---|
| aws | >= 5.0.0 |
| rad-security | >= 1.0.3 |
| random | n/a |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| aws_external_id | External ID to use when connecting an AWS account with Rad | string | "" | no |
| eks_audit_log_cloudwatch_role_arn | The ARN of the IAM role that CloudWatch Logs will use to send data to the Firehose. Required for secondary regions. | string | "" | no |
| eks_audit_log_firehose_role_arn | The ARN of the IAM role that will be used to write to the Firehose. Required for secondary regions. | string | "" | no |
| eks_audit_logs_bucket_object_age | The number of days to retain the objects in the S3 bucket that will store EKS audit logs | number | 7 | no |
| eks_audit_logs_bucket_versioning_enabled | Enable versioning for the S3 bucket that will store EKS audit logs | bool | true | no |
| eks_audit_logs_filter_pattern | The CloudWatch Log Subscription Filter pattern | string | "{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }" | no |
| enable_eks_audit_logs_pipeline | Enable EKS Audit Logs Pipeline (CloudWatch Logs -> Firehose -> S3) | bool | false | no |
| rad-security_assumed_role_arn | Rad Security Role that will assume the rad-security-connect IAM role you create to interact with resources in your account | string | "arn:aws:iam::955322216602:role/rad-security-connector" | no |
| rad-security_deprecated_assumed_role_arn | Deprecated Rad Security Role that will assume the rad-security-connect IAM role you create to interact with resources in your account. This role will be removed in the future. | string | "arn:aws:iam::955322216602:role/ksoc-connector" | no |
| rad-security_eks_audit_logs_assumed_role_arn | Rad Security Role dedicated for EKS audit logs that will be allowed to assume | string | "arn:aws:iam::955322216602:role/ksoc-data-pipeline" | no |
| secondary_region | Enable this if running in another region. It will disable the creation of global resources. | bool | false | no |
| tags | A set of tags to associate with the resources in this module. | map(string) | {} | no |
| Name | Description |
|---|---|
| eks_audit_logs_cloudwatch_iam_role_arn | AWS IAM Role ARN for CloudWatch to Firehose |
| eks_audit_logs_filter_pattern | The CloudWatch Log Subscription Filter pattern |
| eks_audit_logs_firehose_arn | The Firehose delivery stream ARN |
| eks_audit_logs_firehose_iam_role_arn | AWS IAM Role ARN for Firehose to S3 |
| role_arn | AWS IAM Role ARN which Rad Security uses to connect |
Apache 2 Licensed. See LICENSE for full details.