terraform-aws-inspector

Configures AWS Inspector. Optionally creates an SNS topic for Inspector findings notifications.

Overview

This module provides flexible configuration options for AWS Inspector, catering to different account types and organizational structures. It can be used in various scenarios, from simple single-account setups to complex multi-account organizations.

Usage Scenarios

1. Single Account (Ad Hoc) Setup

For a simple setup in a single AWS account:

module "inspector" {
  source                    = "rhythmictech/inspector/aws"
  create_notification_topic = true
  auto_enable_ec2           = true
  auto_enable_ecr           = true
  auto_enable_lambda        = true
}

This configuration enables Inspector for the current account, sets up automatic scanning for EC2, ECR, and Lambda resources, and creates an SNS topic for notifications.

2. Management Account in an AWS Organization

When deploying from the management account of an AWS Organization:

module "inspector" {
  source = "rhythmictech/inspector/aws"

  delegated_admin_account_id = "123456789012"
  enable_inspector           = false
}

This setup designates a delegated administrator account, allowing the delegated admin account to manage Inspector settings for the organization.

3. Delegated Administrator Account

For deployment in a delegated administrator account:

module "inspector" {
  source                             = "rhythmictech/inspector/aws"
  is_delegated_admin                 = true
  auto_enable_ec2                    = true
  auto_enable_ecr                    = true
  auto_enable_lambda                 = true
  enable_inspector_for_all_accounts  = true
  create_notification_topic          = true
}

This configuration sets up the account as the delegated administrator, enables automatic scanning for all supported resource types, associates all member accounts, and creates a notification topic.

4. Member Account

For individual member accounts (if needed):

module "inspector" {
  source                    = "rhythmictech/inspector/aws"
  create_notification_topic = true
}

This minimal setup enables Inspector for the member account and creates a local notification topic. Note that in most cases, member accounts are managed through the delegated administrator account.

Features

• Enables AWS Inspector for specified accounts
• Configures organization-wide settings if the account is a delegated administrator
• Optionally sets up a delegated administrator account
• Can automatically associate all member accounts in the organization with Inspector
• Creates an SNS topic for Inspector findings notifications (optional)
• Supports various resource types for scanning (EC2, ECR, Lambda)

Example

module "inspector" {
  source                            = "rhythmictech/inspector/aws"
  is_delegated_admin                = true
  auto_enable_ec2                   = true
  auto_enable_ecr                   = true
  auto_enable_lambda                = true
  create_notification_topic         = true
  enable_inspector_for_all_accounts = true
  exclude_account_ids               = ["123456789012", "210987654321"]
}

This example sets up a comprehensive Inspector configuration for an AWS Organization, including delegated administration, automatic scanning for multiple resource types, and member account association.

Requirements

Name	Version
terraform	>= 1.1
aws	>= 5

Providers

Name	Version
aws	5.66.0

Modules

No modules.

Resources

Name	Type
aws_cloudwatch_event_rule.inspector_findings	resource
aws_cloudwatch_event_target.send_to_sns	resource
aws_inspector2_delegated_admin_account.this	resource
aws_inspector2_enabler.enable_for_all_accounts	resource
aws_inspector2_enabler.this	resource
aws_inspector2_member_association.this	resource
aws_inspector2_organization_configuration.this	resource
aws_sns_topic.inspector_findings	resource
aws_caller_identity.this	data source
aws_organizations_organization.this	data source

Inputs

Name	Description	Type	Default	Required
accounts_to_associate_with_inspector	List of AWS account IDs to associate with Inspector (used for more granular control over which accounts are associated with Inspector; see README for more details)	list(string)	[]	no
auto_enable_ec2	Auto-enable EC2 scanning	bool	false	no
auto_enable_ecr	Auto-enable ECR scanning	bool	false	no
auto_enable_lambda	Auto-enable Lambda function scanning	bool	false	no
auto_enable_lambda_code	Auto-enable Lambda function code scanning (only if auto_enable_lambda is true)	bool	false	no
create_notification_topic	Whether to create SNS topic for Inspector findings notifications	bool	true	no
delegated_admin_account_id	The AWS account ID to be set as a delegated administrator for Inspector	string	null	no
enable_inspector	Whether to enable Inspector for the current account	bool	true	no
enable_inspector_for_all_accounts	Whether to enable Inspector for all accounts in the organization (see README for more details)	bool	false	no
excluded_account_ids	List of account IDs to exclude from Inspector enablement when enable_inspector_for_all_accounts is true	list(string)	[]	no
inspector_name	Name prefix for Inspector-related resources	string	"inspector"	no
is_delegated_admin	Whether this account is a delegated administrator	bool	false	no
resource_types	List of resource types to be scanned	list(string)	[ "EC2", "ECR", "LAMBDA" ]	no
sns_kms_master_key_id	The ID of the AWS KMS key to use for SNS topic encryption	string	"alias/aws/sns"	no
tags	Tags to apply to resources that support tagging	map(string)	{}	no

Outputs

Name	Description
sns_topic_arn	ARN of the SNS topic for Inspector findings