Terraform module which configures AWS datastores for vulnerability assessment and connects them to IBM Guardium Data Protection (GDP).
This module provides automated configuration of datastores for vulnerability assessment with IBM Guardium Data Protection. It handles the setup of necessary database users, permissions, IAM roles, and the registration of datasources with Guardium for ongoing security monitoring.
```text
┌─────────────────────────────────────────────────────────────┐
│                                                             │
│           Guardium Datastore VA Terraform Module            │
│                                                             │
│   Orchestrates configuration and setup of datastores for    │
│   vulnerability assessment and onboards them to Guardium    │
│   Data Protection                                           │
│                                                             │
└─────────────────────────────────────────────────────────────┘
                              │
                              │ Configures
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                                                             │
│                   AWS Datastore Resources                   │
│                                                             │
│  ┌────────────┐ ┌────────────┐ ┌────────────┐ ┌──────────┐  │
│  │  DynamoDB  │ │    RDS     │ │    RDS     │ │ Redshift │  │
│  │            │ │ PostgreSQL │ │  MariaDB   │ │          │  │
│  └────────────┘ └────────────┘ └────────────┘ └──────────┘  │
│                                                             │
│   • Creates VA users (sqlguard/gdmmonitor)                  │
│   • Configures IAM roles and policies                       │
│   • Sets up database permissions                            │
│   • Prepares datastores for security scanning               │
│                                                             │
└─────────────────────────────────────────────────────────────┘
                              │
                              │ Registers & Connects
                              ▼
┌─────────────────────────────────────────────────────────────┐
│                                                             │
│               Guardium Data Protection (GDP)                │
│                                                             │
│   • Datasource Registration                                 │
│   • Vulnerability Assessment Scheduling                     │
│   • Security Scanning & Compliance Checks                   │
│   • Assessment Reports & Notifications                      │
│                                                             │
└─────────────────────────────────────────────────────────────┘
```
- Datastore Configuration: The module configures datastores with the users, permissions, and IAM roles required for vulnerability assessment
- Database Setup:
  - For RDS databases (PostgreSQL, MariaDB): creates dedicated VA users (sqlguard/gdmmonitor) with appropriate permissions
  - For DynamoDB: configures IAM roles and policies for read-only access
  - For Redshift: creates VA users and grants system table access
- Guardium Integration: Registers datasources with Guardium and configures vulnerability assessment schedules
- Ongoing Monitoring: Guardium performs scheduled security assessments and generates compliance reports
- Multi-Datastore Support: Configure vulnerability assessment for DynamoDB, RDS PostgreSQL, RDS MariaDB, and Redshift
- Automated User Creation: Automatically creates and configures database users with appropriate permissions
- IAM Integration: Sets up IAM roles and policies for secure access
- Lambda-Based Configuration: Uses AWS Lambda for database configuration, eliminating local client requirements
- Guardium Integration: Seamlessly registers datasources with Guardium Data Protection
- Scheduled Assessments: Configure automated vulnerability assessment schedules
- Notification Support: Set up email notifications for assessment results
- Security Best Practices: Implements least-privilege access and secure credential management
Configure vulnerability assessment for AWS DynamoDB tables:

```hcl
module "datastore-va_aws-dynamodb" {
  source = "IBM/datastore-va/guardium//modules/aws-dynamodb"

  # IAM Configuration
  iam_role_name        = "guardium-dynamodb-va-role"
  iam_policy_name      = "guardium-dynamodb-va-policy"
  iam_role_description = "IAM role for Guardium vulnerability assessment of DynamoDB"

  # Connection Configuration
  connection_username = var.aws_access_key_id
  connection_password = var.aws_secret_access_key

  # Tags
  tags = {
    Environment = "Production"
    Owner       = "Security Team"
  }
}

# Connect to Guardium Data Protection
module "connect_dynamodb_to_gdp" {
  source = "IBM/datastore-va/guardium//modules/connect-datasource-to-gdp"

  gdp_server    = "guardium.example.com"
  gdp_username  = "admin"
  gdp_password  = var.guardium_password
  client_id     = "client1"
  client_secret = var.client_secret

  datasource_name = "dynamodb-production"
  datasource_type = "DYNAMODB"
  hostname        = "dynamodb.us-east-1.amazonaws.com"

  # Use AWS Secrets Manager for authentication
  aws_secrets_manager_name   = "my-aws-config"
  aws_secrets_manager_region = "us-east-1"
  aws_secrets_manager_secret = "dynamodb-credentials"
}
```

Configure vulnerability assessment for AWS RDS PostgreSQL:
```hcl
module "postgres_va" {
  source = "IBM/datastore-va/guardium//modules/aws-rds-postgresql"

  db_host     = "postgres.rds.amazonaws.com"
  db_port     = 5432
  db_name     = "postgres"
  db_username = "postgres"
  db_password = var.db_password

  sqlguard_username = "sqlguard"
  sqlguard_password = var.sqlguard_password
}

# Connect to Guardium Data Protection
module "connect_postgres_to_gdp" {
  source = "IBM/datastore-va/guardium//modules/connect-datasource-to-gdp"

  gdp_server    = "guardium.example.com"
  gdp_username  = "admin"
  gdp_password  = var.guardium_password
  client_id     = "client1"
  client_secret = var.client_secret

  datasource_name = "postgres-production"
  datasource_type = "POSTGRESQL"
  hostname        = "postgres.rds.amazonaws.com"
  port            = 5432
  database_name   = "postgres"

  connection_username = module.postgres_va.sqlguard_username
  connection_password = module.postgres_va.sqlguard_password

  enable_vulnerability_assessment = true
  assessment_schedule             = "WEEKLY"
  assessment_day                  = "Sunday"
  assessment_time                 = "01:00"
}
```

Configure vulnerability assessment for AWS RDS MariaDB:
```hcl
module "mariadb_va" {
  source = "IBM/datastore-va/guardium//modules/aws-rds-mariadb"

  name_prefix = "myproject"

  # Database connection details
  db_host             = "mariadb.rds.amazonaws.com"
  db_port             = 3306
  db_username         = "admin"
  db_password         = var.db_password
  gdmmonitor_password = var.gdmmonitor_password

  # Network configuration
  vpc_id     = "vpc-12345678"
  subnet_ids = ["subnet-12345678", "subnet-87654321"]
  aws_region = "us-east-1"

  # Guardium Data Protection configuration
  gdp_server    = "guardium.example.com"
  gdp_username  = "admin"
  gdp_password  = var.guardium_password
  client_id     = "client1"
  client_secret = var.client_secret

  # Data source configuration
  datasource_name        = "mariadb-production"
  datasource_description = "Production MariaDB database"

  # Vulnerability assessment schedule
  enable_vulnerability_assessment = true
  assessment_schedule             = "weekly"
  assessment_day                  = "Sunday"
  assessment_time                 = "01:00"

  # Notification configuration
  enable_notifications  = true
  notification_emails   = ["[email protected]"]
  notification_severity = "MED"
}
```

Configure vulnerability assessment for AWS Redshift:
```hcl
module "redshift_va" {
  source = "IBM/datastore-va/guardium//modules/aws-redshift"

  name_prefix = "guardium"
  aws_region  = "us-east-1"

  # Redshift Connection Details
  redshift_host     = "redshift-cluster.region.redshift.amazonaws.com"
  redshift_port     = 5439
  redshift_database = "dev"
  redshift_username = "admin"
  redshift_password = var.redshift_password

  # VA User Configuration
  sqlguard_username = "sqlguard"
  sqlguard_password = var.sqlguard_password

  # Network Configuration (for private Redshift)
  vpc_id     = "vpc-12345678"
  subnet_ids = ["subnet-12345678", "subnet-87654321"]
}

# Connect to Guardium Data Protection
module "connect_redshift_to_gdp" {
  source = "IBM/datastore-va/guardium//modules/connect-datasource-to-gdp"

  gdp_server    = "guardium.example.com"
  gdp_username  = "admin"
  gdp_password  = var.guardium_password
  client_id     = "client1"
  client_secret = var.client_secret

  datasource_name = "redshift-production"
  datasource_type = "REDSHIFT"
  hostname        = "redshift-cluster.region.redshift.amazonaws.com"
  port            = 5439
  database_name   = "dev"

  connection_username = module.redshift_va.sqlguard_username
  connection_password = module.redshift_va.sqlguard_password

  enable_vulnerability_assessment = true
  assessment_schedule             = "MONTHLY"
  assessment_day                  = "1"
  assessment_time                 = "03:00"
}
```

**`modules/aws-dynamodb`**

Configures IAM roles and policies for Guardium to perform vulnerability assessment on DynamoDB tables.
Key Features:
- Creates IAM role with trust policy for Guardium
- Configures read-only permissions for DynamoDB metadata
- Supports AWS Secrets Manager integration
- Provides connection credentials for Guardium
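The read-only IAM arrangement this module describes (a role Guardium can assume, a trust policy, and a policy limited to DynamoDB metadata) can be written out in plain Terraform. The block below is an added illustration, not the module's own source: the `guardium_principal_arn` and `guardium_external_id` variables, the resource names, and the exact action list are assumptions chosen to keep the role confined to `List*`/`Describe*` calls, with no item reads or writes.

```hcl
# Added example (not the module's code): a least-privilege IAM role that a
# Guardium principal can assume to read DynamoDB metadata for assessment.
# Assumptions: the principal ARN and the external ID are supplied by the caller.

variable "guardium_principal_arn" {
  description = "ARN of the IAM user or role Guardium authenticates with (assumed input)"
  type        = string
}

variable "guardium_external_id" {
  description = "External ID Guardium presents when assuming the role (assumed input)"
  type        = string
  sensitive   = true
}

# Trust policy: only the named principal may assume the role, and only when it
# presents the agreed external ID (guards against confused-deputy use).
data "aws_iam_policy_document" "guardium_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = [var.guardium_principal_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [var.guardium_external_id]
    }
  }
}

# Permissions policy: metadata/description calls only; no GetItem/Scan/Query
# and no write actions, so the assessment principal cannot touch table data.
data "aws_iam_policy_document" "dynamodb_va_readonly" {
  statement {
    sid    = "DynamoDBMetadataReadOnly"
    effect = "Allow"
    actions = [
      "dynamodb:ListTables",
      "dynamodb:DescribeTable",
      "dynamodb:DescribeTimeToLive",
      "dynamodb:DescribeContinuousBackups",
      "dynamodb:ListTagsOfResource",
    ]
    # ListTables is not resource-scoped; narrow the Describe* actions to
    # specific table ARNs in a second statement if your tables are known.
    resources = ["*"]
  }
}

resource "aws_iam_role" "guardium_dynamodb_va" {
  name               = "guardium-dynamodb-va-role"
  description        = "IAM role for Guardium vulnerability assessment of DynamoDB"
  assume_role_policy = data.aws_iam_policy_document.guardium_trust.json
}

resource "aws_iam_policy" "guardium_dynamodb_va" {
  name   = "guardium-dynamodb-va-policy"
  policy = data.aws_iam_policy_document.dynamodb_va_readonly.json
}

resource "aws_iam_role_policy_attachment" "guardium_dynamodb_va" {
  role       = aws_iam_role.guardium_dynamodb_va.name
  policy_arn = aws_iam_policy.guardium_dynamodb_va.arn
}

output "guardium_dynamodb_va_role_arn" {
  value = aws_iam_role.guardium_dynamodb_va.arn
}
```

The role and policy names match the ones used in the DynamoDB usage example above. Keeping the trust policy tied to one principal plus an external ID, and the permissions policy to `Describe*`/`List*` actions, is what makes the role safe to hand to an external assessment system: even if the credentials Guardium holds are exposed, they grant no access to table contents.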
**`modules/aws-rds-postgresql`**

Creates the necessary database users and permissions for Guardium vulnerability assessment on RDS PostgreSQL.
Key Features:
- Creates `sqlguard` user with required permissions
- Configures `gdmmonitor` group
- Supports both local and EC2-based execution
- Executes VA configuration scripts
**`modules/aws-rds-mariadb`**

Configures MariaDB databases for vulnerability assessment using Lambda-based deployment.
Key Features:
- Creates `gdmmonitor` user via Lambda function
- Integrates with AWS Secrets Manager
- Deploys in VPC for secure access
- Connects directly to Guardium Data Protection
**`modules/aws-redshift`**

Sets up Redshift clusters for vulnerability assessment with automated user creation.
Key Features:
- Creates `sqlguard` user and `gdmmonitor` group
- Uses Lambda for SQL execution
- Supports both public and private clusters
- Grants system table access permissions
Complete working examples are provided for each supported datastore:
- AWS DynamoDB with VA - DynamoDB vulnerability assessment configuration
- AWS RDS PostgreSQL with VA - PostgreSQL vulnerability assessment configuration
- AWS RDS MariaDB with VA - MariaDB vulnerability assessment configuration
- AWS Redshift with VA - Redshift vulnerability assessment configuration
Each example includes:
- Complete Terraform configuration
- Sample `terraform.tfvars.example` file
- Detailed README with setup instructions
- Architecture diagrams
Before using this module, ensure you have:
- Guardium Data Protection Instance: A running GDP cluster with API access enabled
- Guardium Configuration: Complete the one-time manual configurations:
  - Enable OAuth client for REST API access
  - Configure AWS credentials (for DynamoDB)
  - Set up SSH access for Terraform
- AWS Credentials: Valid AWS credentials with appropriate permissions
- Terraform: Version 1.0.0 or later
- AWS Provider: Version 4.0.0 or later
- Guardium Provider: Version 1.0.0 or later
Your AWS credentials must have permissions for:
- Creating and managing IAM roles and policies
- Creating and managing Lambda functions (for MariaDB and Redshift)
- Creating and managing VPC resources and Security Groups
- Creating and managing Secrets Manager secrets
- Access to specific datastores (DynamoDB, RDS, Redshift)
- Credential Management: Store sensitive variables in AWS Secrets Manager or HashiCorp Vault
- Least Privilege: IAM policies grant only necessary read-only permissions
- Network Security: Lambda functions run in VPC with security group restrictions
- Credential Rotation: Regularly rotate database and API credentials
- Audit Logging: Enable CloudTrail for API activity monitoring
- Encryption: Use encrypted connections for database access
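The credential-management and network-restriction points above can be put into practice around the PostgreSQL module shown earlier. The following is an added example, not part of this repository: it generates the `sqlguard` password in Terraform rather than accepting it from a plaintext `tfvars` file, stores it in AWS Secrets Manager, and gives the configuration Lambda a security group whose egress is limited to the database port. The secret and security-group names, the `db_security_group_id` variable, and the use of the `random` provider are assumptions; the module inputs are the ones documented on this page.

```hcl
# Added example (not the module's code): keep the VA user's password out of
# tfvars, store it in Secrets Manager, and restrict the Lambda's network path.
# Assumptions: secret/SG names, the DB security group ID input, port 5432.

terraform {
  required_providers {
    aws    = { source = "hashicorp/aws", version = ">= 4.0.0" }
    random = { source = "hashicorp/random" }
  }
}

variable "vpc_id" { type = string }

variable "db_security_group_id" {
  description = "Security group attached to the RDS instance (assumed input)"
  type        = string
}

variable "db_password" {
  description = "Admin password used only to create the VA user"
  type        = string
  sensitive   = true # redacted from plan/apply output
}

# Generated once and kept only in state and Secrets Manager.
resource "random_password" "sqlguard" {
  length           = 32
  special          = true
  override_special = "!#%^*-_=+"
}

resource "aws_secretsmanager_secret" "sqlguard" {
  name                    = "guardium/sqlguard"
  description             = "Guardium VA user credentials"
  recovery_window_in_days = 7
}

resource "aws_secretsmanager_secret_version" "sqlguard" {
  secret_id = aws_secretsmanager_secret.sqlguard.id
  secret_string = jsonencode({
    username = "sqlguard"
    password = random_password.sqlguard.result
  })
}

# Security group for the configuration Lambda: no inbound rules at all,
# egress only to the database SG on 5432 and to HTTPS for AWS API calls
# (reached via NAT or VPC endpoints).
resource "aws_security_group" "va_lambda" {
  name        = "guardium-va-lambda"
  description = "Egress-restricted SG for Guardium VA configuration Lambda"
  vpc_id      = var.vpc_id
}

resource "aws_security_group_rule" "lambda_to_db" {
  type                     = "egress"
  security_group_id        = aws_security_group.va_lambda.id
  source_security_group_id = var.db_security_group_id # destination for egress
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
}

resource "aws_security_group_rule" "lambda_to_aws_apis" {
  type              = "egress"
  security_group_id = aws_security_group.va_lambda.id
  cidr_blocks       = ["0.0.0.0/0"]
  from_port         = 443
  to_port           = 443
  protocol          = "tcp"
}

# The database accepts the Lambda only on the DB port, from this SG only.
resource "aws_security_group_rule" "db_from_lambda" {
  type                     = "ingress"
  security_group_id        = var.db_security_group_id
  source_security_group_id = aws_security_group.va_lambda.id
  from_port                = 5432
  to_port                  = 5432
  protocol                 = "tcp"
}

# Pass the generated password to the module; Terraform tracks it as sensitive.
module "postgres_va" {
  source = "IBM/datastore-va/guardium//modules/aws-rds-postgresql"

  db_host           = "postgres.rds.amazonaws.com"
  db_port           = 5432
  db_name           = "postgres"
  db_username       = "postgres"
  db_password       = var.db_password
  sqlguard_username = "sqlguard"
  sqlguard_password = random_password.sqlguard.result
}

# Expose the secret's ARN, never the password itself.
output "sqlguard_secret_arn" {
  value = aws_secretsmanager_secret.sqlguard.arn
}
```

Two points worth checking after `terraform apply`: `terraform plan` should show the password and `db_password` as `(sensitive value)`, and the Lambda's security group should list no ingress rules and exactly the two egress rules above. Because the password still lands in Terraform state, the state backend needs encryption and access control of its own; rotating the VA credential is then a matter of tainting `random_password.sqlguard` and re-applying, which updates both the database user and the secret version.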
1. Clone the repository:
   ```shell
   git clone https://github.com/IBM/terraform-guardium-datastore-va.git
   cd terraform-guardium-datastore-va
   ```
2. Choose an example:
   ```shell
   cd examples/aws-dynamodb  # or aws-rds-postgresql, aws-rds-mariadb, aws-redshift
   ```
3. Configure variables:
   ```shell
   cp terraform.tfvars.example terraform.tfvars
   # Edit terraform.tfvars with your configuration
   ```
4. Initialize Terraform:
   ```shell
   terraform init
   ```
5. Review the plan:
   ```shell
   terraform plan
   ```
6. Apply the configuration:
   ```shell
   terraform apply
   ```
**Requirements**

| Name | Version |
|---|---|
| terraform | >= 1.0.0 |
| aws | >= 4.0.0 |
| guardium | >= 1.0.0 |

**Providers**

| Name | Version |
|---|---|
| aws | >= 4.0.0 |
| guardium | >= 1.0.0 |
Contributions are welcome! Please read CONTRIBUTING.md for details on our code of conduct and the process for submitting pull requests.
For issues and questions:
- Create an issue in this repository
- Contact the maintainers listed in MAINTAINERS.md
This project is licensed under the Apache 2.0 License - see the LICENSE file for details.
```text
#
# Copyright IBM Corp. 2025
# SPDX-License-Identifier: Apache-2.0
#
```
Module is maintained by IBM with help from these awesome contributors.