
checkmarx-ts/terraform-aws-cxone


terraform-aws-cxone

This repo contains a module for deploying Checkmarx One on AWS using Terraform. Checkmarx One has everything you need to embed AppSec in every stage of the SDLC, provide an excellent developer experience, integrate with the technologies you use, and build a successful AppSec program.

Module documentation

Requirements

| Name | Version |
|------|---------|
| helm | ~> 2.13.0 |
| kubernetes | ~> 2.30.0 |

Providers

| Name | Version |
|------|---------|
| aws | n/a |
| helm | ~> 2.13.0 |
| random | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| cluster_autoscaler_irsa | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.0 |
| eks | terraform-aws-modules/eks/aws | 20.8.5 |
| eks_node_iam_role | terraform-aws-modules/iam/aws//modules/iam-assumable-role | 5.37.2 |
| elasticache_security_group | terraform-aws-modules/security-group/aws | 5.1.2 |
| elasticsearch_security_group | terraform-aws-modules/security-group/aws | 5.1.2 |
| external_dns_irsa | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.0 |
| karpenter | terraform-aws-modules/eks/aws//modules/karpenter | 20.8.5 |
| load_balancer_controller_irsa | terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks | 5.39.0 |
| rds | terraform-aws-modules/rds-aurora/aws | 9.3.1 |
| rds-analytics | terraform-aws-modules/rds-aurora/aws | 9.3.1 |
| rds-proxy | terraform-aws-modules/rds-proxy/aws | 3.1.0 |
| rds-proxy-analytics | terraform-aws-modules/rds-proxy/aws | 3.1.0 |
| rds_proxy_sg | terraform-aws-modules/security-group/aws | 5.1.2 |
| s3_bucket | terraform-aws-modules/s3-bucket/aws | 4.1.1 |

Resources

| Name | Type |
|------|------|
| aws_autoscaling_group_tag.cluster_autoscaler_label | resource |
| aws_autoscaling_group_tag.cluster_autoscaler_taint | resource |
| aws_db_subnet_group.main | resource |
| aws_elasticache_replication_group.redis | resource |
| aws_elasticache_serverless_cache.main | resource |
| aws_elasticache_subnet_group.redis | resource |
| aws_elasticsearch_domain.es | resource |
| aws_iam_policy.s3_bucket_access | resource |
| helm_release.analytics-rds-database-preparation | resource |
| random_string.random_suffix | resource |
| aws_caller_identity.current | data source |
| aws_iam_role.karpenter | data source |
| aws_partition.current | data source |
| aws_region.current | data source |
| aws_vpc.main | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| analytics_db_cluster_db_instance_parameter_group_name | The name of the DB Cluster parameter group to use. | `string` | `null` | no |
| analytics_db_final_snapshot_identifier | Identifier for a final DB snapshot for the analytics database. Required when db_skip_final_snapshot is false. | `string` | `null` | no |
| analytics_db_instance_class | The aurora postgres instance class. | `string` | `"db.r6g.xlarge"` | no |
| analytics_db_instances | The DB instance configuration | `map(any)` | `{"replica1": {}, "writer": {}}` | no |
| analytics_db_master_user_password | The master user password for RDS. Specify to explicitly set the password, otherwise RDS will be allowed to manage it. | `string` | `null` | no |
| analytics_db_serverlessv2_scaling_configuration | The serverless v2 scaling minimum and maximum. | `object({ min_capacity = number, max_capacity = number })` | `{"max_capacity": 32, "min_capacity": 0.5}` | no |
| analytics_db_snapshot_identifer | The snapshot identifier to restore the analytics database from. | `string` | `null` | no |
| aws_ebs_csi_driver_version | The version of the EKS EBS CSI Addon. | `string` | n/a | yes |
| coredns_version | The version of the EKS Core DNS Addon. | `string` | n/a | yes |
| db_allow_major_version_upgrade | Allows major version upgrades. | `bool` | `false` | no |
| db_apply_immediately | Determines if changes will be applied immediately or wait until the next maintenance window. | `bool` | `false` | no |
| db_auto_minor_version_upgrade | Automatically upgrade to latest minor version in maintenance window. | `bool` | `false` | no |
| db_autoscaling_enabled | Enables autoscaling of the aurora database. | `bool` | `true` | no |
| db_autoscaling_max_capacity | The maximum number of replicas via autoscaling. | `string` | `"3"` | no |
| db_autoscaling_min_capacity | The minimum number of replicas via autoscaling. | `string` | `"1"` | no |
| db_autoscaling_scale_in_cooldown | The database scale in cooldown period. | `number` | `300` | no |
| db_autoscaling_scale_out_cooldown | The database scale out cooldown period. | `number` | `300` | no |
| db_autoscaling_target_cpu | The CPU utilization for autoscaling target tracking. | `number` | `70` | no |
| db_cluster_db_instance_parameter_group_name | The name of the DB Cluster parameter group to use. | `string` | `null` | no |
| db_create | Controls creation of the Aurora postgres database. | `bool` | `true` | no |
| db_create_rds_proxy | Enables an RDS proxy for the Aurora postgres database. | `bool` | `true` | no |
| db_deletion_protection | Enables deletion protection to avoid accidental database deletion. | `bool` | `true` | no |
| db_engine_version | The aurora postgres engine version. | `string` | `"13.8"` | no |
| db_final_snapshot_identifier | Identifier for a final DB snapshot. Required when db_skip_final_snapshot is false. | `string` | `null` | no |
| db_instance_class | The aurora postgres instance class. | `string` | `"db.r6g.xlarge"` | no |
| db_instances | The DB instance configuration | `map(any)` | `{"replica1": {}, "writer": {}}` | no |
| db_master_user_password | The master user password for RDS. Specify to explicitly set the password, otherwise RDS will be allowed to manage it. | `string` | `null` | no |
| db_monitoring_interval | The Enhanced Monitoring collection interval for the database, in seconds. | `string` | `"10"` | no |
| db_performance_insights_enabled | Enables database performance insights. | `bool` | `true` | no |
| db_performance_insights_retention_period | Number of days to retain performance insights data. Free tier: 7 days. | `number` | `7` | no |
| db_port | The port on which the DB accepts connections. | `string` | `"5432"` | no |
| db_serverlessv2_scaling_configuration | The serverless v2 scaling minimum and maximum. | `object({ min_capacity = number, max_capacity = number })` | `{"max_capacity": 32, "min_capacity": 0.5}` | no |
| db_skip_final_snapshot | Enables skipping the final snapshot upon deletion. | `bool` | `false` | no |
| db_snapshot_identifer | The snapshot identifier to restore the database from. | `string` | `null` | no |
| db_subnets | The subnets to deploy RDS into. | `list(string)` | n/a | yes |
| deployment_id | The id of the deployment. Will be used to name resources like the EKS cluster, etc. | `string` | n/a | yes |
| ec2_key_name | The name of the EC2 key pair to access servers. | `string` | `null` | no |
| ec_auto_minor_version_upgrade | Enables automatic minor version upgrades. Does not apply to serverless. | `bool` | `false` | no |
| ec_automatic_failover_enabled | Enables automatic failover. Does not apply to serverless. | `bool` | `true` | no |
| ec_create | Enables the creation of elasticache resources. | `bool` | `true` | no |
| ec_enable_serverless | Enables the use of elasticache for redis serverless. | `bool` | `false` | no |
| ec_engine_version | The version of the elasticache cluster. Does not apply to serverless. | `string` | `"6.x"` | no |
| ec_multi_az_enabled | Enables Multi-AZ placement for the replication group. Does not apply to serverless. | `bool` | `true` | no |
| ec_node_type | The elasticache redis node type. Does not apply to serverless. | `string` | `"cache.m6g.large"` | no |
| ec_number_of_shards | The number of shards for redis. Does not apply to serverless. | `number` | `3` | no |
| ec_parameter_group_name | The elasticache parameter group name. Does not apply to serverless. | `string` | `"default.redis6.x.cluster.on"` | no |
| ec_replicas_per_shard | The number of replicas per shard for redis. Does not apply to serverless. | `number` | `2` | no |
| ec_serverless_max_ecpu_per_second | The max eCPU per second for serverless elasticache for redis. | `number` | `5000` | no |
| ec_serverless_max_storage | The max storage, in GB, for serverless elasticache for redis. | `number` | `5` | no |
| ec_subnets | The subnets to deploy Elasticache into. | `list(string)` | n/a | yes |
| eks_administrator_principals | The ARNs of the IAM roles for administrator access to EKS. | `list(object({ name = string, principal_arn = string }))` | `[]` | no |
| eks_cluster_endpoint_public_access_cidrs | List of CIDR blocks which can access the Amazon EKS public API server endpoint. | `list(string)` | `["0.0.0.0/0"]` | no |
| eks_cluster_security_group_additional_rules | Additional security group rules for the EKS cluster | `any` | `{}` | no |
| eks_create | Enables the EKS resource creation | `bool` | `true` | no |
| eks_create_cluster_autoscaler_irsa | Enables creation of cluster autoscaler IAM role. | `bool` | `true` | no |
| eks_create_external_dns_irsa | Enables creation of external dns IAM role. | `bool` | `true` | no |
| eks_create_karpenter | Enables creation of Karpenter resources. | `bool` | `false` | no |
| eks_create_load_balancer_controller_irsa | Enables creation of load balancer controller IAM role. | `bool` | `true` | no |
| eks_enable_custom_networking | Enables custom networking for the EKS VPC CNI. When true, custom networking is enabled with ENI_CONFIG_LABEL_DEF = topology.kubernetes.io/zone and ENIConfig resources must be created. | `bool` | `false` | no |
| eks_enable_externalsnat | Enables External SNAT for the EKS VPC CNI. When true, the EKS pods must have a route to a NAT Gateway for outbound communication. | `bool` | `false` | no |
| eks_enable_fargate | Enables Fargate profiles for the karpenter and kube-system namespaces. | `bool` | `false` | no |
| eks_node_additional_security_group_ids | Additional security group ids to attach to EKS nodes. | `list(string)` | `[]` | no |
| eks_node_groups | The EKS managed node groups to create. | <pre>list(object({<br>  name = string<br>  min_size = string<br>  desired_size = string<br>  max_size = string<br>  volume_type = optional(string, "gp3")<br>  disk_size = optional(number, 200)<br>  disk_iops = optional(number, 3000)<br>  disk_throughput = optional(number, 125)<br>  device_name = optional(string, "/dev/xvda")<br>  instance_types = list(string)<br>  capacity_type = optional(string, "ON_DEMAND")<br>  labels = optional(map(string), {})<br>  taints = optional(map(object({ key = string, value = string, effect = string })), {})<br>}))</pre> | <pre>[<br>  {"name": "ast-app", "instance_types": ["c5.4xlarge"], "min_size": 3, "desired_size": 3, "max_size": 9},<br>  {"name": "sast-engine", "instance_types": ["m5.2xlarge"], "min_size": 0, "desired_size": 0, "max_size": 100, "labels": {"sast-engine": "true"}, "taints": {"dedicated": {"key": "sast-engine", "value": "true", "effect": "NO_SCHEDULE"}}},<br>  {"name": "sast-engine-large", "instance_types": ["m5.4xlarge"], "min_size": 0, "desired_size": 0, "max_size": 100, "labels": {"sast-engine-large": "true"}, "taints": {"dedicated": {"key": "sast-engine-large", "value": "true", "effect": "NO_SCHEDULE"}}},<br>  {"name": "sast-engine-extra-large", "instance_types": ["r5.2xlarge"], "min_size": 0, "desired_size": 0, "max_size": 100, "labels": {"sast-engine-extra-large": "true"}, "taints": {"dedicated": {"key": "sast-engine-extra-large", "value": "true", "effect": "NO_SCHEDULE"}}},<br>  {"name": "sast-engine-xxl", "instance_types": ["r5.4xlarge"], "min_size": 0, "desired_size": 0, "max_size": 100, "labels": {"sast-engine-xxl": "true"}, "taints": {"dedicated": {"key": "sast-engine-xxl", "value": "true", "effect": "NO_SCHEDULE"}}},<br>  {"name": "kics-engine", "instance_types": ["c5.2xlarge"], "min_size": 1, "desired_size": 1, "max_size": 100, "labels": {"kics-engine": "true"}, "taints": {"dedicated": {"key": "kics-engine", "value": "true", "effect": "NO_SCHEDULE"}}},<br>  {"name": "repostore", "instance_types": ["c5.2xlarge"], "min_size": 1, "desired_size": 1, "max_size": 100, "labels": {"repostore": "true"}, "taints": {"dedicated": {"key": "repostore", "value": "true", "effect": "NO_SCHEDULE"}}},<br>  {"name": "sca-source-resolver", "instance_types": ["m5.2xlarge"], "min_size": 1, "desired_size": 1, "max_size": 100, "labels": {"service": "sca-source-resolver"}, "taints": {"dedicated": {"key": "service", "value": "sca-source-resolver", "effect": "NO_SCHEDULE"}}}<br>]</pre> | no |
| eks_pod_subnets | The subnets to use for EKS pods. When specified, custom networking configuration is applied to the EKS cluster. | `list(string)` | n/a | yes |
| eks_post_bootstrap_user_data | User data to insert after the bootstrapping script. | `string` | `""` | no |
| eks_pre_bootstrap_user_data | User data to insert before the bootstrapping script. | `string` | `""` | no |
| eks_private_endpoint_enabled | Enables the EKS VPC private endpoint. | `bool` | `true` | no |
| eks_public_endpoint_enabled | Enables the EKS public endpoint. | `bool` | `false` | no |
| eks_subnets | The subnets to deploy EKS into. | `list(string)` | n/a | yes |
| eks_version | The version of the EKS Cluster (e.g. 1.27) | `string` | n/a | yes |
| enable_cluster_creator_admin_permissions | Enables the identity used to create the EKS cluster to have administrator access to that EKS cluster. When enabled, do not specify the same principal arn in eks_administrator_principals. | `bool` | `true` | no |
| es_create | Enables creation of elasticsearch resources. | `bool` | `true` | no |
| es_instance_count | The number of nodes in the elasticsearch cluster | `number` | `2` | no |
| es_instance_type | The instance type for elasticsearch nodes. | `string` | `"r6g.large.elasticsearch"` | no |
| es_password | The password for the elasticsearch user | `string` | n/a | yes |
| es_subnets | The subnets to deploy Elasticsearch into. | `list(string)` | n/a | yes |
| es_tls_security_policy | The TLS security policy applied to the Elasticsearch domain endpoint. | `string` | `"Policy-Min-TLS-1-2-2019-07"` | no |
| es_username | The username for the elasticsearch user | `string` | `"ast"` | no |
| es_volume_size | The size of volumes for nodes in the elasticsearch cluster | `number` | `100` | no |
| kms_key_arn | The ARN of the KMS key to use for encryption in AWS services | `string` | n/a | yes |
| kube_proxy_version | The version of the EKS Kube Proxy Addon. | `string` | n/a | yes |
| launch_template_tags | Tags to associate with launch templates for node groups | `map(string)` | `null` | no |
| s3_allowed_origins | The allowed origins for S3 CORS rules. | `list(string)` | n/a | yes |
| s3_retention_period | The retention period, in days, to retain s3 objects. | `string` | `"90"` | no |
| vpc_cni_version | The version of the EKS VPC CNI Addon. | `string` | n/a | yes |
| vpc_id | The id of the vpc deploying into. | `string` | n/a | yes |
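A pre-apply check over these inputs, added here as an example and not part of the terraform-aws-cxone module: it reads the configuration section of `terraform show -json` output (`configuration.root_module.module_calls`), fills in the defaults from the Inputs table for arguments the caller omitted, and flags the combinations a reviewer would want to catch before apply: the public API endpoint enabled while the CIDR list is still the `0.0.0.0/0` default, deletion protection or the final snapshot disabled, a credential input given as a literal, and a wildcard S3 CORS origin. Only literal arguments can be evaluated offline; references are reported as unverifiable rather than guessed. The plan JSON embedded at the bottom is constructed for the example, not real plan output, and the module source string in it is assumed.

```python
"""Policy check for a terraform-aws-cxone module call (added example, not module code).

Reads the configuration section of `terraform show -json tfplan` output and
inspects the arguments passed to the module. Only literal arguments
(`constant_value`) can be evaluated offline; an argument given as a reference
or expression is reported as unverifiable rather than guessed.
"""
import json

# Defaults the module applies when these inputs are omitted (from the Inputs table).
# Required inputs that have no default are listed as None.
DEFAULTS = {
    "eks_public_endpoint_enabled": False,
    "eks_cluster_endpoint_public_access_cidrs": ["0.0.0.0/0"],
    "db_deletion_protection": True,
    "db_skip_final_snapshot": False,
    "db_final_snapshot_identifier": None,
    "s3_allowed_origins": None,
}

# Inputs that carry credentials and should never appear as literals in configuration.
SECRET_INPUTS = (
    "es_password",
    "db_master_user_password",
    "analytics_db_master_user_password",
)

EXPR = "<expr>"  # sentinel for an argument that is not a literal


def resolve_args(module_call):
    """Return {input: value} for one module call, filling in module defaults.

    Literal arguments come from `constant_value`; anything else (references,
    function calls) becomes the EXPR sentinel so later checks say "verify
    manually" instead of assuming a value.
    """
    args = dict(DEFAULTS)
    for name, expr in module_call.get("expressions", {}).items():
        args[name] = expr["constant_value"] if "constant_value" in expr else EXPR
    return args


def check_module_call(module_call):
    """Return a list of finding strings for one module call (empty when clean)."""
    args = resolve_args(module_call)
    findings = []

    # 1. Public API endpoint. The CIDR list defaults to 0.0.0.0/0, so enabling the
    #    public endpoint without overriding the list exposes the API server to everyone.
    if args["eks_public_endpoint_enabled"] is True:
        cidrs = args["eks_cluster_endpoint_public_access_cidrs"]
        if cidrs == EXPR:
            findings.append("eks_public_endpoint_enabled=true: eks_cluster_endpoint_public_access_cidrs is not a literal, verify it")
        elif any(c in ("0.0.0.0/0", "::/0") for c in cidrs):
            findings.append("eks_public_endpoint_enabled=true with eks_cluster_endpoint_public_access_cidrs open to the world")

    # 2. Database lifecycle guards.
    if args["db_deletion_protection"] is False:
        findings.append("db_deletion_protection=false: accidental destroy is not blocked")
    if args["db_skip_final_snapshot"] is True:
        findings.append("db_skip_final_snapshot=true: no final snapshot will be taken on deletion")
    elif args["db_skip_final_snapshot"] is False and args["db_final_snapshot_identifier"] is None:
        findings.append("db_final_snapshot_identifier unset: required when db_skip_final_snapshot is false")

    # 3. Credentials written as literals land in the configuration, the plan and the state.
    for name in SECRET_INPUTS:
        value = args.get(name)
        if value is not None and value != EXPR:
            findings.append(f"{name} is a literal in configuration; source it from a secret store")

    # 4. Wildcard CORS origin on the module's S3 bucket.
    origins = args.get("s3_allowed_origins")
    if isinstance(origins, list) and "*" in origins:
        findings.append("s3_allowed_origins contains '*'")

    return findings


def check_plan(plan, source_fragment="terraform-aws-cxone"):
    """Run the checks on every root-module call whose source contains source_fragment."""
    calls = plan.get("configuration", {}).get("root_module", {}).get("module_calls", {})
    return {
        name: check_module_call(call)
        for name, call in calls.items()
        if source_fragment in call.get("source", "")
    }


# Constructed sample of the relevant slice of `terraform show -json` output.
# Not real plan output; the module source string is assumed.
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"module_calls": {"cxone": {
  "source": "github.com/checkmarx-ts/terraform-aws-cxone",
  "expressions": {
    "eks_public_endpoint_enabled": {"constant_value": true},
    "db_deletion_protection": {"constant_value": false},
    "es_password": {"constant_value": "hunter2"},
    "db_master_user_password": {"references": ["data.aws_secretsmanager_secret_version.db.secret_string"]},
    "s3_allowed_origins": {"constant_value": ["*"]},
    "kms_key_arn": {"references": ["aws_kms_key.cxone.arn"]}
  }}}}}}
""")

if __name__ == "__main__":
    for module, found in check_plan(SAMPLE_PLAN).items():
        for finding in found:
            print(f"{module}: {finding}")
```

To run it against a real plan: `terraform plan -out=tfplan && terraform show -json tfplan > plan.json`, then call `check_plan(json.load(open("plan.json")))`. A non-empty result for any module call is a reason to stop the pipeline; the `<expr>` cases still need a human to look at the referenced value.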

Outputs

| Name | Description |
|------|-------------|
| analytics_db_database_name | n/a |
| analytics_db_endpoint | n/a |
| analytics_db_master_password | n/a |
| analytics_db_master_username | n/a |
| analytics_db_port | n/a |
| analytics_db_reader_endpoint | n/a |
| bucket_suffix | n/a |
| cluster_autoscaler_iam_role_arn | n/a |
| cluster_certificate_authority_data | n/a |
| cluster_endpoint | n/a |
| cluster_name | n/a |
| db_database_name | n/a |
| db_endpoint | n/a |
| db_master_password | n/a |
| db_master_username | n/a |
| db_port | n/a |
| db_reader_endpoint | n/a |
| ec_endpoint | n/a |
| ec_port | n/a |
| eks | n/a |
| es_endpoint | n/a |
| es_password | n/a |
| es_username | n/a |
| external_dns_iam_role_arn | n/a |
| karpenter_iam_role_arn | n/a |
| load_balancer_controller_iam_role_arn | n/a |
| nodegroup_iam_role_name | n/a |
| s3_bucket_name_suffix | n/a |

The `db_master_password`, `analytics_db_master_password` and `es_password` outputs carry credentials. Terraform stores output values in the state file in plain text, so restrict access to the state backend, and avoid printing these outputs in CI logs.

Regional Considerations

GovCloud

  • RDS Proxy is not available in AWS GovCloud regions, so `db_create_rds_proxy` must be set to `false`. Monitor the database for connection usage and scale accordingly.
  • RDS's ManageMasterUserPassword capability is not supported. Specify a password via `db_master_user_password`.
  • ElastiCache's cache.r7g and cache.t4g instance classes are not available. Consider using cache.r6g and cache.t3 instead.
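A complete module call, added as an example and not taken from the module's repository, that applies the settings from the Inputs table a security review would expect and folds in the GovCloud overrides above: private-only API endpoint with the public CIDR list narrowed away from the `0.0.0.0/0` default, named admin principals instead of the cluster creator, deletion protection with a final snapshot, credentials sourced from Secrets Manager, and a single CORS origin. The module source path, the KMS key, the Secrets Manager secret names, the admin role name, the example CIDR and the `var.*` inputs are assumptions; every input name is from the table above.

```hcl
# Added example of calling the module; not part of the module's own documentation.
# Assumptions are marked where they appear: the module source, the KMS key and
# Secrets Manager resources referenced, the admin role name, and the var.* values
# declared elsewhere in the root module.

data "aws_partition" "current" {}
data "aws_caller_identity" "current" {}

locals {
  # GovCloud partition: RDS Proxy and RDS-managed master passwords are unavailable,
  # and the cache.r7g / cache.t4g families are not offered (Regional Considerations).
  govcloud = data.aws_partition.current.partition == "aws-us-gov"
}

# Credentials come from Secrets Manager rather than literals in configuration.
# They still end up in Terraform state, so the state backend must be access-controlled.
data "aws_secretsmanager_secret_version" "es" {
  secret_id = "cxone/es-password" # assumed secret name
}

data "aws_secretsmanager_secret_version" "db" {
  secret_id = "cxone/db-master-password" # assumed secret name
}

module "cxone" {
  source = "github.com/checkmarx-ts/terraform-aws-cxone" # assumed source; pin a tag or commit in practice

  deployment_id = "cxone-prod"
  vpc_id        = var.vpc_id
  kms_key_arn   = aws_kms_key.cxone.arn # assumed customer-managed key, used by every service the module encrypts

  eks_version                = var.eks_version
  vpc_cni_version            = var.vpc_cni_version
  coredns_version            = var.coredns_version
  kube_proxy_version         = var.kube_proxy_version
  aws_ebs_csi_driver_version = var.aws_ebs_csi_driver_version

  eks_subnets     = var.private_subnets
  eks_pod_subnets = var.pod_subnets
  db_subnets      = var.data_subnets
  ec_subnets      = var.data_subnets
  es_subnets      = var.data_subnets

  # Control plane reachable only over the private endpoint. The public-access CIDR
  # list is narrowed anyway, so flipping the public endpoint on later does not
  # silently inherit the module's 0.0.0.0/0 default.
  eks_private_endpoint_enabled             = true
  eks_public_endpoint_enabled              = false
  eks_cluster_endpoint_public_access_cidrs = ["203.0.113.0/24"] # RFC 5737 documentation range; use your egress CIDR

  # Named admin principals instead of whichever identity happened to run apply.
  # Building the ARN from the partition keeps it correct in GovCloud (arn:aws-us-gov:...).
  enable_cluster_creator_admin_permissions = false
  eks_administrator_principals = [
    {
      name          = "platform-admins"
      principal_arn = "arn:${data.aws_partition.current.partition}:iam::${data.aws_caller_identity.current.account_id}:role/platform-admins" # assumed role
    },
  ]

  # Database lifecycle guards and the GovCloud overrides.
  db_deletion_protection       = true
  db_skip_final_snapshot       = false
  db_final_snapshot_identifier = "cxone-prod-final"
  db_create_rds_proxy          = !local.govcloud
  db_master_user_password      = local.govcloud ? data.aws_secretsmanager_secret_version.db.secret_string : null

  # cache.r7g is not offered in GovCloud; fall back to cache.r6g there.
  ec_node_type = local.govcloud ? "cache.r6g.large" : "cache.r7g.large"

  es_username            = "ast"
  es_password            = data.aws_secretsmanager_secret_version.es.secret_string
  es_tls_security_policy = "Policy-Min-TLS-1-2-2019-07"

  s3_allowed_origins  = ["https://cxone.example.com"] # the UI origin only, never "*"
  s3_retention_period = "90"
}
```

Outside GovCloud `db_master_user_password` stays `null`, which lets RDS manage the master password; in GovCloud the conditional supplies the Secrets Manager value because that capability is unavailable there.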

Languages

  • HCL 96.6%
  • Shell 2.3%
  • Smarty 1.1%