This Terraform module provides an easy way to configure Aqua Security’s CSPM and agentless solutions on Azure.
It creates the necessary resources, such as service accounts, roles, and permissions, to enable seamless integration with Aqua’s platform.
- Pre-requisites
- Usage
- Examples
- Using Existing Network
- Requirements
- Providers
- Modules
- Resources
- Inputs
- Outputs
## Pre-requisites

Before using this module, ensure that you have the following:

- Terraform version 1.6.4 or later.
- Azure CLI installed and configured.
- Python 3+ installed.
- Aqua Security account API credentials.

## Usage

- Leverage the Aqua platform to generate the local variables required by the module.
- Important: replace `<aqua_api_key>` and `<aqua_api_secret>` with your generated API credentials.
- Get your Tenant ID from the Azure console.
- Run `az login --tenant <tenant_id>` to set your tenant.
- Only for single subscription: run `az account set --subscription <subscription_name>` to set the Azure CLI context.
- Run `terraform init` to initialize the module.
- Run `terraform apply` to create the resources.
## Examples

Here's an example of how to use this module for a single subscription (`onboarding_type = "single-subscription"`):

```hcl
module "aqua_azure_onboarding" {
  source                               = "aquasecurity/onboarding/azure"
  onboarding_type                      = "single-subscription"
  aqua_bucket_name                     = "aqua-bucket-name"
  aqua_cspm_url                        = "aqua-cspm-url"
  aqua_volscan_api_url                 = "aqua-volscan-api-url"
  aqua_volscan_api_token               = "aqua-volscan-api-token"
  aqua_volscan_resource_group_location = "westus2"
  aqua_volscan_scan_locations          = ["australiaeast", "australiasoutheast"]
  aqua_cspm_group_id                   = "cspm-group-id"
  aqua_configuration_id                = "aqua-configuration-id"
  aqua_autoconnect_url                 = "aqua-autoconnect-url"
  aqua_api_key                         = "aqua-api-key"
  aqua_api_secret                      = "aqua-api-secret"
  aqua_custom_tags                     = { aqua = "true" }
}
```

And for a management group (`onboarding_type = "management-group"`, which additionally requires `management_group_id`):

```hcl
module "aqua_azure_onboarding" {
  source                               = "aquasecurity/onboarding/azure"
  onboarding_type                      = "management-group"
  aqua_bucket_name                     = "aqua-bucket-name"
  management_group_id                  = "management-group-id"
  aqua_cspm_url                        = "aqua-cspm-url"
  aqua_volscan_api_url                 = "aqua-volscan-api-url"
  aqua_volscan_api_token               = "aqua-volscan-api-token"
  aqua_volscan_resource_group_location = "westus2"
  aqua_volscan_scan_locations          = ["australiaeast", "australiasoutheast"]
  aqua_cspm_group_id                   = "cspm-group-id"
  aqua_configuration_id                = "aqua-configuration-id"
  aqua_autoconnect_url                 = "aqua-autoconnect-url"
  aqua_api_key                         = "aqua-api-key"
  aqua_api_secret                      = "aqua-api-secret"
  aqua_custom_tags                     = { aqua = "true" }
}
```
## Using Existing Network

If you prefer to use existing networking instead of having Aqua provision new networks, set `create_network = false` in the module's input variables.
In this case, you need to create the following resources yourself, per subscription and prior to onboarding, using the following naming convention:

- Resource group:
  - Name: `aqua-agentless-scanner`
  - Tag: `aqua-agentless-scanner:true`
- Security group (one per chosen scan location):
  - Name: `<resource-group-name>-<region>`, e.g. `aqua-agentless-scanner-centralus`
  - Tag: `aqua-agentless-scanner:true`
- Virtual network (one per chosen scan location):
  - Name: `<resource-group-name>-<region>`, e.g. `aqua-agentless-scanner-centralus`
  - Tag: `aqua-agentless-scanner:true`
- Subnet (attached to the virtual network):
  - Name: `<resource-group-name>`, e.g. `aqua-agentless-scanner`
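The following configuration is an added example, not code from the module's README or from Aqua, showing how the pre-created network resources described above can be expressed in Terraform so that the names and tags match the convention, and how the module is then called with `create_network = false` pointing at them. It assumes the `azurerm` and `azuread` providers are already configured, that two scan locations (`centralus`, `eastus2`) are wanted, and that the module derives the per-region security group and virtual network names by appending `-<region>` to the base names given in `aqua_network_security_group_name` and `aqua_virtual_network_name` (this is inferred from the inputs table defaults, not stated explicitly by the README). The address ranges and the placeholder Aqua parameters are illustrative.

```hcl
# Added example (not the module's own code): pre-create the network resources
# the module expects when create_network = false, then onboard against them.

locals {
  rg_name        = "aqua-agentless-scanner"            # fixed by the naming convention
  scan_locations = ["centralus", "eastus2"]            # assumed subset of regions
  required_tags  = { "aqua-agentless-scanner" = "true" } # tag the module looks for
}

# Resource group named exactly as the convention requires, carrying the tag.
resource "azurerm_resource_group" "aqua" {
  name     = local.rg_name
  location = "eastus" # assumed; any region the subscription allows
  tags     = local.required_tags
}

# One network security group per scan location: <resource-group-name>-<region>.
# The README specifies only the name and tag, not any rules, so none are added here.
resource "azurerm_network_security_group" "aqua" {
  for_each            = toset(local.scan_locations)
  name                = "${local.rg_name}-${each.key}"
  location            = each.key
  resource_group_name = azurerm_resource_group.aqua.name
  tags                = local.required_tags
}

# One virtual network per scan location, same naming pattern and tag.
resource "azurerm_virtual_network" "aqua" {
  for_each            = toset(local.scan_locations)
  name                = "${local.rg_name}-${each.key}"
  location            = each.key
  resource_group_name = azurerm_resource_group.aqua.name
  # Assumed, non-overlapping /24 per region so the networks could be peered later.
  address_space       = ["10.250.${index(local.scan_locations, each.key)}.0/24"]
  tags                = local.required_tags
}

# One subnet per virtual network, named after the resource group and using the
# whole VNet range (assumed; the README does not prescribe a subnet size).
resource "azurerm_subnet" "aqua" {
  for_each             = azurerm_virtual_network.aqua
  name                 = local.rg_name
  resource_group_name  = azurerm_resource_group.aqua.name
  virtual_network_name = each.value.name
  address_prefixes     = each.value.address_space
}

module "aqua_azure_onboarding" {
  source = "aquasecurity/onboarding/azure"

  onboarding_type = "single-subscription"
  create_network  = false

  # Point the module at the pre-created names. These equal the module defaults,
  # but stating them explicitly keeps the convention visible in one place.
  aqua_volscan_resource_group_name     = azurerm_resource_group.aqua.name
  aqua_volscan_resource_group_location = azurerm_resource_group.aqua.location
  aqua_network_security_group_name     = local.rg_name # assumed: module appends -<region>
  aqua_virtual_network_name            = local.rg_name # assumed: module appends -<region>
  aqua_subnet_name                     = local.rg_name
  aqua_volscan_scan_locations          = local.scan_locations

  # Placeholder values; replace with the ones generated by the Aqua platform.
  aqua_bucket_name       = "aqua-bucket-name"
  aqua_cspm_url          = "aqua-cspm-url"
  aqua_volscan_api_url   = "aqua-volscan-api-url"
  aqua_volscan_api_token = "aqua-volscan-api-token"
  aqua_cspm_group_id     = "cspm-group-id"
  aqua_configuration_id  = "aqua-configuration-id"
  aqua_autoconnect_url   = "aqua-autoconnect-url"
  aqua_api_key           = "aqua-api-key"
  aqua_api_secret        = "aqua-api-secret"
  aqua_custom_tags       = { aqua = "true" }

  # Ensure every subnet exists before the module tries to use it.
  depends_on = [azurerm_subnet.aqua]
}
```

Before running `terraform apply`, `terraform plan` should show the module creating no `azurerm_virtual_network`, `azurerm_subnet` or `azurerm_network_security_group` resources of its own; if it does, the names or tags above do not match what the module expects, and the scan would end up in a network you did not review.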
## Requirements

Name | Version |
---|---|
terraform | >= 1.6.4 |
azuread | ~>2.47.0 |
azurerm | ~>3.95.0 |
external | ~>2.3.3 |
http | ~>3.4.2 |

## Providers

Name | Version |
---|---|
azuread | 2.47.0 |
azurerm | 3.95.0 |

## Modules

Name | Source | Version |
---|---|---|
application | ./modules/application | n/a |
iam | ./modules/iam | n/a |
management_group | ./modules/management_group | n/a |
subscription | ./modules/subscription | n/a |

## Resources

Name | Type |
---|---|
azuread_client_config.current | data source |
azurerm_management_group.current | data source |
azurerm_subscription.current | data source |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
aqua_api_key | Aqua API key | string | n/a | yes |
aqua_api_secret | Aqua API secret key | string | n/a | yes |
aqua_autoconnect_url | Aqua AutoConnect URL | string | n/a | yes |
aqua_bucket_name | Aqua Bucket Name | string | n/a | yes |
aqua_configuration_id | Aqua configuration ID | string | n/a | yes |
aqua_cspm_group_id | CSPM group ID | string | n/a | yes |
aqua_cspm_role_name | Aqua AutoConnect Scanner Role Name. The default value is calculated as `Aqua_Auto_Discovery_Scanner_Role_<subscription_id>` | string | `""` | no |
aqua_cspm_url | Aqua CSPM URL | string | n/a | yes |
aqua_custom_tags | Client additional resource tags | map(string) | `{}` | no |
aqua_event_subscriptions_name | Aqua volume scanning Event Subscriptions Name | string | `"aqua-agentless-scanner"` | no |
aqua_network_security_group_name | Aqua volume scanning Network Security Group Name | string | `"aqua-agentless-scanner"` | no |
aqua_subnet_name | Aqua volume scanning Subnet Name | string | `"aqua-agentless-scanner"` | no |
aqua_system_topics_name | Aqua volume scanning Event Grid System Topic Name | string | `"aqua-agentless-scanner"` | no |
aqua_virtual_network_name | Aqua volume scanning Virtual Network Name | string | `"aqua-agentless-scanner"` | no |
aqua_volscan_api_token | Aqua volume scanning API token | string | n/a | yes |
aqua_volscan_api_url | Aqua Event Subscription webhook URL | string | n/a | yes |
aqua_volscan_resource_group_location | Aqua volume scanning Resource Group Location | string | `"eastus"` | no |
aqua_volscan_resource_group_name | Aqua volume scanning Resource Group Name | string | `"aqua-agentless-scanner"` | no |
aqua_volscan_scan_locations | List of Azure locations to scan. By default, all regions are selected | list(string) | `[` | no |
create_network | Toggle to create network resources | bool | `true` | no |
management_group_id | Aqua Management Group ID. Relevant when `onboarding_type` is `management-group` | string | `""` | no |
onboarding_type | The type of onboarding. Valid values are `single-subscription` or `management-group` | string | n/a | yes |
show_outputs | Toggle to show summary outputs after deployment | bool | `false` | no |
## Outputs

Name | Description |
---|---|
application_id | Application ID |
aqua_agentless_scanner_delete_role_definition_id | The ID of the created Aqua agentless delete role definition |
aqua_agentless_scanner_role_definition_id | The ID of the created Aqua agentless role definition |
aqua_cspm_scanner_role_definition_id | The ID of the created Aqua CSPM role definition |
aqua_volscan_resource_group_name | Aqua volume scanning Resource Group Name |
eventgrid_id | EventGrid ID |
management_group_name | Management Group name |
resource_group_id | Resource Group ID |
security_groups_names | Security Groups names |
subscription_id | Subscription ID |
virtual_networks_names | Virtual Networks names |