diff --git a/.github/workflows/pull-request.yml b/.github/workflows/pull-request.yml
index 35ed57f..41c73b5 100644
--- a/.github/workflows/pull-request.yml
+++ b/.github/workflows/pull-request.yml
@@ -8,40 +8,56 @@ jobs:
     outputs:
       directories: ${{ steps.dirs.outputs.matrix }}
     steps:
+      # Checkout the repository to the GitHub Actions runner
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
+
+      # Find all subdirectories within "modules/" and "examples/"
       - name: Get root directories
         id: dirs
         run: echo "matrix=$(ls -d {modules,examples}/* | jq -R -s -c 'split("\n")[:-1]')" >> $GITHUB_OUTPUT
-
-  validateConfigs:
-    name: Validate terraform pull PR
-    needs: collectInputs
+
+  validatePR:
+    name: Validate PR
     runs-on: ubuntu-latest
+    needs: collectInputs
     strategy:
       matrix:
         directory: ${{ fromJson(needs.collectInputs.outputs.directories) }}
     steps:
+      # Checkout the repository to the GitHub Actions runner
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
-      - name: Validate configs
-        uses: dflook/terraform-validate@v1
-        with:
-          path: ${{ matrix.directory }}
+
+      # Install the latest version of Terraform
+      - name: Setup Terraform
+        uses: hashicorp/setup-terraform@v2
+
+      # Initialize terraform and validate submodules
+      - name: Terraform validate
+        working-directory: ${{ matrix.directory }}
+        run: |
+          if [[ -d ".terraform" ]]; then echo "removing exisiting .terraform directory"; rm -rf .terraform; fi
+          terraform workspace new ${{ github.run_id }}
+          terraform init
+          terraform validate
 
   updateDocumentation:
     name: Update READMEs
-    needs: validateConfigs
+    needs: validatePR
     runs-on: ubuntu-latest
     steps:
+      # Checkout the repository to the GitHub Actions runner
       - name: Checkout
-        uses: actions/checkout@v3
+        uses: actions/checkout@v4
         with:
           ref: ${{ github.event.pull_request.head.ref }}
+
+      # Update READMEs using terraform-docs
       - name: Render terraform docs inside the README.md and push changes back to PR branch
         uses: terraform-docs/gh-actions@v1.2.0
         with:
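Review bot: The new `Setup Terraform` and `Terraform validate` steps resolve a mutable tag (`hashicorp/setup-terraform@v2`, likewise `actions/checkout@v4`) and then run `terraform init` with no Terraform version, no provider version constraints and no lock file, so every PR run pulls whichever action, CLI and provider builds are current that day — a supply-chain exposure and a source of non-reproducible validation results. Pin actions to a full commit SHA with the tag as a trailing comment (`uses: hashicorp/setup-terraform@<commit-sha> # v2`) and pass `terraform_version` so the toolchain is fixed. `terraform init` also honours whatever `source` and `backend` blocks the PR's directory declares; `validate` needs no backend, so `terraform init -backend=false` keeps remote state out of reach, and a committed `.terraform.lock.hcl` checked with `-lockfile=readonly` would pin provider hashes (and `exisiting` in the echo is a typo). The `on:` trigger and any top-level `permissions:` block sit above this hunk, so whether the token given to this job is read-only cannot be confirmed from here.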
@@ -59,18 +75,25 @@ jobs: permissions: contents: write steps: + # Checkout the repository to the GitHub Actions runner - name: Checkout - uses: actions/checkout@v3 + uses: actions/checkout@v4 with: ref: ${{ github.event.pull_request.head.ref }} + + # Format Terraform modules - name: Terraform fmt modules uses: dflook/terraform-fmt@v1 with: path: modules/ + + # Format Terraform examples - name: Terraform fmt examples uses: dflook/terraform-fmt@v1 with: path: examples/ + + # Push changes to PR - name: Commit changes to PR uses: stefanzweifel/git-auto-commit-action@v5 - + \ No newline at end of file diff --git a/CHANGELOG.md b/CHANGELOG.md index c29c8ac..3fa9a55 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,5 +1,19 @@ # Changelog +## 1.0.2 (2024-07-12) + +### Features +- Amazon DocumentDB module +- Amazon Neptune module +- Amazon Neptune Slow query module +- Amazon RDS MariaDB module +- Amazon RDS MySQL module +- Amazon RDS MySQL Slow query module +- Amazon RDS Oracle (standard auditing) module +- Amazon RDS Oracle (unified auditing) module +- Amazon Redshift (via ODBC) module +- Amazon Redshift (via S3 bucket) module + ## 1.0.1 (2024-06-27) ### Bug Fixes diff --git a/DSF_VERSION_COMPATABILITY.md b/DSF_VERSION_COMPATABILITY.md index bdad240..b041104 100644 --- a/DSF_VERSION_COMPATABILITY.md +++ b/DSF_VERSION_COMPATABILITY.md @@ -7,9 +7,45 @@ The following table lists the DSF versions that each module is tested and mainta DSF Versions + + onboard-aws-docdb-cluster + 4.17+ + + + onboard-aws-rds-neptune + 4.17+ + + + onboard-aws-rds-neptune-slow-query + 4.17+ + + + onboard-aws-rds-mariadb + 4.16+ + + + onboard-aws-rds-mysql + 4.16+ + + + onboard-aws-rds-mysql-slow-query + 4.16+ + + + onboard-aws-rds-oracle-standard + 4.16+ + + + onboard-aws-rds-oracle-unified + 4.16+ + onboard-aws-rds-postgresql - 4.16 + 4.16+ + + + onboard-aws-rds-redshift + 4.17+ \ No newline at end of file 
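Review bot: The `Terraform fmt` job combines `permissions: contents: write`, a checkout of `${{ github.event.pull_request.head.ref }}`, and `stefanzweifel/git-auto-commit-action@v5` pushing back to that branch; if the workflow's trigger (above this hunk) is, or is ever changed to, `pull_request_target`, this is the textbook pattern where PR-controlled content runs with a write-capable token against the base repository. With a plain `pull_request` trigger the token is read-only for fork PRs and the push simply fails, but checking out by branch name also breaks for forks because `head.ref` does not exist in the base repo — `ref: ${{ github.event.pull_request.head.sha }}` is the robust form for read-only jobs. Pin both actions to commit SHAs (`uses: stefanzweifel/git-auto-commit-action@<commit-sha> # v5`) and, if fork PRs are in scope, gate the commit step with `if: github.event.pull_request.head.repo.full_name == github.repository`. The new file also lacks a trailing newline (`\ No newline at end of file`), which most linters flag.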
diff --git a/examples/onboard-aws-docdb-cluster/README.md b/examples/onboard-aws-docdb-cluster/README.md new file mode 100644 index 0000000..53c8eee --- /dev/null +++ b/examples/onboard-aws-docdb-cluster/README.md @@ -0,0 +1,42 @@ +# Onboard Amazon DocumentDB example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-DocumentDB-Onboarding-Steps_48366944.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +| [aws-docdb-cluster-1](#module\_aws-docdb-cluster-1) | ../../modules/onboard-aws-docdb-cluster | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file 
diff --git a/examples/onboard-aws-docdb-cluster/main.tf b/examples/onboard-aws-docdb-cluster/main.tf
new file mode 100644
index 0000000..fb21732
--- /dev/null
+++ b/examples/onboard-aws-docdb-cluster/main.tf
@@ -0,0 +1,80 @@ +locals { + aws_region = "us-east-1" + + admin_email = "test@example.com" + apply_immediately = true + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +################################################################################ +module "aws-default-account-asset" { + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon DocumentDB Cluster 5.0.0 +################################################################################ + +module "aws-docdb-cluster-1" { + source = "../../modules/onboard-aws-docdb-cluster" + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + aws_docdb_cluster_admin_email = local.admin_email + aws_docdb_cluster_gateway_id = local.gateway_id + aws_docdb_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_docdb_cluster_region = local.aws_region + + cluster_apply_immediately = 
local.apply_immediately + cluster_identifier = "example-tf-docdb" + cluster_db_subnet_group_name = "default" + cluster_enabled_cloudwatch_logs_exports = ["audit"] + cluster_engine_version = "5.0.0" + cluster_master_password = "abcd1234" + cluster_master_username = "docdbadmin" + cluster_skip_final_snapshot = true + cluster_vpc_security_group_ids = ["sg-0123456789abcdefg"] + + instance_apply_immediately = local.apply_immediately + instance_count = 1 + instance_instance_class = "db.t3.medium" + + parameter_group_family = "docdb5.0" + parameter_group_name = "docdb-pg-test4" +} diff --git a/examples/onboard-aws-neptune-slow-query/README.md b/examples/onboard-aws-neptune-slow-query/README.md new file mode 100644 index 0000000..2203a6e --- /dev/null +++ b/examples/onboard-aws-neptune-slow-query/README.md 
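Review bot: `cluster_master_password = "abcd1234"` hard-codes a weak master password into a committed example, and `variable "dsfhub_token" {}` carries neither a `type` nor `sensitive = true`, so Terraform has no reason to redact the DSF API token if it is ever interpolated into a resource or output. Declare both as typed sensitive inputs — `variable "dsfhub_token" { type = string; sensitive = true }` and `variable "cluster_master_password" { type = string; sensitive = true }` — fed through `TF_VAR_*` as the existing comment already suggests, or generate the password with `random_password` if the onboarding module accepts it (the module's inputs are outside this diff). The placeholders `asset_id = "arn:aws:iam::1234567890"` (a 10-digit account ID) and `gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790"` (not a valid UUID) will trip any format validation the providers perform; obviously fake but well-formed values (`arn:aws:iam::123456789012:root`, a UUID-shaped id) avoid misleading users who copy the example. `required_providers` pins no `version` for `imperva/dsfhub` and omits `hashicorp/aws` entirely, so every `init` floats to the latest release of both.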
@@ -0,0 +1,42 @@ +# Onboard Amazon Neptune with Slow Query example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Neptune-Onboarding-Steps_48367003.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +| [aws-neptune-slowquery-1](#module\_aws-neptune-slowquery-1) | ../../modules/onboard-aws-neptune-slow-query | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/onboard-aws-neptune-slow-query/main.tf b/examples/onboard-aws-neptune-slow-query/main.tf new file mode 100644 index 0000000..95c1bf8 --- /dev/null +++ b/examples/onboard-aws-neptune-slow-query/main.tf 
@@ -0,0 +1,96 @@ +locals { + aws_region = "us-east-2" + vpc_security_group_ids = [ + "sg-12a345678912b1c2a", + "sg-34b456789c12b231e" + ] + subnet_group_name = "my-subnet-group" + admin_email = "person@example.com" + gateway_id = "a1b2c3d4-1234-5678-9123-cd1edcef7642" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# AWS cloud account +################################################################################ + +module "aws-default-account-asset" { + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::123456789101:role/iam-role" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Neptune +################################################################################ +module "aws-neptune-slowquery-1" { + source = "../../modules/onboard-aws-neptune-slow-query" + + parameter_group_name = "nept-clus-group" + parameter_group_family = "neptune1.3" + parameter_group_parameters = [ + { + name = "neptune_enable_audit_log" + value = 1 + apply_method = "pending-reboot" + }, + { + name = "neptune_enable_slow_query_log" + value = "info" + }, + { + name = "neptune_slow_query_log_threshold" + value = 5000 + } + ] + + 
cluster_identifier = "nept-tf-cluster" + cluster_skip_final_snapshot = true + cluster_vpc_security_group_ids = local.vpc_security_group_ids + cluster_iam_database_authentication_enabled = true + cluster_engine_version = "1.3.2.0" + cluster_apply_immediately = true + cluster_storage_type = "standard" + + instance_apply_immediately = true + instance_identifier = "nept-instance" + instance_neptune_subnet_group_name = local.subnet_group_name + instance_publicly_accessible = false + instance_neptune_parameter_group_name = "default.neptune1.3" + instance_class = "db.t3.medium" + + aws_neptune_cluster_admin_email = local.admin_email + aws_neptune_cluster_gateway_id = local.gateway_id + aws_neptune_cluster_region = local.aws_region + aws_neptune_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + + aws_log_group_audit_pull_enabled = true +} \ No newline at end of file diff --git a/examples/onboard-aws-neptune/README.md b/examples/onboard-aws-neptune/README.md new file mode 100644 index 0000000..613fd06 --- /dev/null +++ b/examples/onboard-aws-neptune/README.md 
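Review bot: `neptune_enable_audit_log` is set with `apply_method = "pending-reboot"` and nothing in this example reboots the instance, so after `apply` the hub side is told audit pulling is on while Neptune emits no audit records until an operator reboots — a silent monitoring gap that deserves a comment on that block, e.g. `# static parameter: audit logging starts only after the instance is rebooted`. Unlike the DocumentDB example, this one also sets `aws_log_group_audit_pull_enabled = true` without passing a CloudWatch export list (`cluster_enable_cloudwatch_logs_exports = ["audit", "slowquery"]` or the module's equivalent); if the module does not default it, nothing reaches the log group the hub pulls from — the module's variables are outside this diff, so please confirm. Minor: `value = 1` and `value = 5000` are numbers while `value = "info"` is a string; the provider's parameter `value` is presumably a string, so quoting all three avoids type-coercion surprises. The closing `}` of this module block is on this line, but the file header shows `\ No newline at end of file`.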
@@ -0,0 +1,42 @@ +# Onboard Amazon Neptune example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Neptune-Onboarding-Steps_48367003.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +| [aws-neptune-1](#module\_aws-neptune-1) | ../../modules/onboard-aws-neptune | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/onboard-aws-neptune/main.tf b/examples/onboard-aws-neptune/main.tf new file mode 100644 index 0000000..4c37a6c --- /dev/null +++ b/examples/onboard-aws-neptune/main.tf 
@@ -0,0 +1,82 @@ +locals { + aws_region = "us-east-2" + vpc_security_group_ids = [ + "sg-12a345678912b1c2a", + "sg-34b456789c12b231e" + ] + subnet_group_name = "my-subnet-group" + admin_email = "person@example.com" + gateway_id = "a1b2c3d4-1234-5678-9123-cd1edcef7642" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# AWS cloud account +################################################################################ + +module "aws-default-account-asset" { + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::123456789101:role/iam-role" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Neptune +################################################################################ + +module "aws-neptune-1" { + source = "../../modules/onboard-aws-neptune" + + parameter_group_name = "nept-clus-group" + parameter_group_family = "neptune1.3" + + cluster_identifier = "nept-tf-cluster" + cluster_skip_final_snapshot = true + cluster_vpc_security_group_ids = local.vpc_security_group_ids + cluster_iam_database_authentication_enabled = true + cluster_engine_version = "1.3.2.0" + cluster_apply_immediately = true + cluster_storage_type = 
"standard" + + instance_apply_immediately = true + instance_identifier = "nept-instance" + instance_neptune_subnet_group_name = local.subnet_group_name + instance_publicly_accessible = false + instance_neptune_parameter_group_name = "default.neptune1.3" + instance_class = "db.t3.medium" + + aws_neptune_cluster_admin_email = local.admin_email + aws_neptune_cluster_gateway_id = local.gateway_id + aws_neptune_cluster_region = local.aws_region + aws_neptune_cluster_parent_asset_id = module.aws-default-account-asset.this.asset_id + + aws_log_group_audit_pull_enabled = true +} diff --git a/examples/onboard-aws-rds-mariadb/README.md b/examples/onboard-aws-rds-mariadb/README.md new file mode 100644 index 0000000..5f43aa6 --- /dev/null +++ b/examples/onboard-aws-rds-mariadb/README.md 
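Review bot: `variable "dsfhub_host" {}` and `variable "dsfhub_token" {}` are declared with no `type`, `description` or `sensitive = true`, which is why the generated README on this page documents both as type `any` with description `n/a`, and why Terraform will not treat the token as a secret. Declare them as `variable "dsfhub_token" { type = string; sensitive = true; description = "DSF Hub API token (TF_VAR_dsfhub_token)" }` and the host likewise; the same two untyped variables are repeated in all seven new examples in this commit, so fixing the pattern once and copying it is worthwhile. On the positive side, `cluster_iam_database_authentication_enabled = true` and `instance_publicly_accessible = false` are the right posture for a monitored Neptune cluster and could be called out in a comment as deliberate.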
@@ -0,0 +1,42 @@ +# Onboard Amazon RDS for MariaDB example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-RDS-for-MariaDB-Onboarding-Steps_48367019.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +| [aws-rds-mariadb-1](#module\_aws-rds-mariadb-1) | ../../modules/onboard-aws-rds-mariadb | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/onboard-aws-rds-mariadb/main.tf b/examples/onboard-aws-rds-mariadb/main.tf new file mode 100644 index 0000000..c1eb3ea --- /dev/null +++ b/examples/onboard-aws-rds-mariadb/main.tf 
@@ -0,0 +1,93 @@ +locals { + aws_region = "us-east-2" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +################################################################################ +module "aws-default-account-asset" { + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# AWS RDS MariaDB 10.11 +################################################################################ +module "aws-rds-mariadb-1" { + source = "../../modules/onboard-aws-rds-mariadb" + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + aws_rds_mariadb_admin_email = local.admin_email + aws_rds_mariadb_gateway_id = local.gateway_id + aws_rds_mariadb_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_rds_mariadb_region = local.aws_region + + instance_db_name = "testdb" + instance_enabled_cloudwatch_logs_exports = ["audit"] + 
instance_engine_version = "10.11" + instance_identifier = "example-tf-rds-mariadb" + instance_instance_class = "db.t3.small" + instance_password = "abcd1234" + instance_publicly_accessible = true + instance_skip_final_snapshot = true + instance_subnet_group_name = "default" + instance_username = "admin" + instance_vpc_security_group_ids = [ + "sg-0123456789abcdefg" + ] + + option_group_major_engine_version = "10.11" + option_group_name = "example-tf-mariadb-og" + option_group_options = [ + { + option_name = "MARIADB_AUDIT_PLUGIN" + option_settings = [ + { + name = "SERVER_AUDIT_EVENTS" + value = "CONNECT,QUERY,TABLE" + }, + { + name = "SERVER_AUDIT_EXCL_USERS" + value = "rdsadmin" + } + ] + } + ] +} diff --git a/examples/onboard-aws-rds-mysql-slow-query/README.md b/examples/onboard-aws-rds-mysql-slow-query/README.md new file mode 100644 index 0000000..519f2f6 --- /dev/null +++ b/examples/onboard-aws-rds-mysql-slow-query/README.md 
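Review bot: `instance_publicly_accessible = true` combined with `instance_username = "admin"` and `instance_password = "abcd1234"` makes this example a publicly reachable MariaDB instance with a guessable master credential; the sibling examples leave `publicly_accessible` unset, and nothing here requires exposure (the subnet group is `default` and the hub pulls from CloudWatch, not from the database). Set `instance_publicly_accessible = false` (or drop the line) and move the credential to a sensitive variable, e.g. `instance_password = var.mariadb_master_password`. A short comment above `SERVER_AUDIT_EXCL_USERS = "rdsadmin"` explaining that it suppresses RDS housekeeping noise would help readers decide whether to keep it; excluding any further users silently removes them from the audit trail the hub receives.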
@@ -0,0 +1,42 @@ +# Onboard Amazon RDS for MySQL with Slow Query example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-RDS-for-MySQL-Onboarding-Steps_48367035.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +| [aws-rds-mysql-1](#module\_aws-rds-mysql-1) | ../../modules/onboard-aws-rds-mysql-slow-query | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/onboard-aws-rds-mysql-slow-query/main.tf b/examples/onboard-aws-rds-mysql-slow-query/main.tf new file mode 100644 index 0000000..7b51c82 --- /dev/null +++ b/examples/onboard-aws-rds-mysql-slow-query/main.tf 
@@ -0,0 +1,80 @@ +locals { + aws_region = "us-east-2" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" + + master_user = "admin" + master_password = "abcd1234" + slow_query_threshold = 30 # seconds +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +################################################################################ +module "aws-default-account-asset" { + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# AWS RDS MySQL 8.0 +################################################################################ +module "aws-rds-mysql-1" { + source = "../../modules/onboard-aws-rds-mysql-slow-query" + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + aws_rds_mysql_admin_email = local.admin_email + aws_rds_mysql_gateway_id = local.gateway_id + aws_rds_mysql_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_rds_mysql_region = local.aws_region + + 
instance_engine_version = "8.0" + instance_identifier = "example-tf-mysql-8-slow-query" + instance_password = local.master_password + instance_subnet_group_name = "default" + instance_username = local.master_user + instance_vpc_security_group_ids = [ + "sg-0123456789abcdefg" + ] + + option_group_major_engine_version = "8.0" + option_group_name = "example-tf-mysql-8-slow-query-og" + + parameter_group_family = "mysql8.0" + parameter_group_name = "example-tf-mysql-8-slow-query-pg" +} diff --git a/examples/onboard-aws-rds-mysql/README.md b/examples/onboard-aws-rds-mysql/README.md new file mode 100644 index 0000000..76a5dd1 --- /dev/null +++ b/examples/onboard-aws-rds-mysql/README.md 
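Review bot: `slow_query_threshold = 30 # seconds` is declared in `locals` but never referenced in the `aws-rds-mysql-1` module call, so the one knob a reader would expect to tune in a slow-query example has no effect — presumably it was meant to drive a `long_query_time` parameter in the `example-tf-mysql-8-slow-query-pg` parameter group (the module's inputs are outside this diff, so the exact variable name cannot be confirmed). Either wire it through (`parameter_group_parameters = [{ name = "long_query_time", value = local.slow_query_threshold }]` if the module exposes such an input) or delete the local. As in the sibling examples, `master_password = "abcd1234"` belongs in a `sensitive` variable rather than a literal, and this example omits `instance_instance_class`, which the others set — confirm the module supplies a default.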
@@ -0,0 +1,43 @@ +# Onboard Amazon RDS for MySQL example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-RDS-for-MySQL-Onboarding-Steps_48367035.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +| [aws-rds-mysql-1](#module\_aws-rds-mysql-1) | ../../modules/onboard-aws-rds-mysql | n/a | +| [aws-rds-mysql-2](#module\_aws-rds-mysql-2) | ../../modules/onboard-aws-rds-mysql | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/onboard-aws-rds-mysql/main.tf b/examples/onboard-aws-rds-mysql/main.tf new file mode 100644 index 0000000..4509f5a --- /dev/null +++ b/examples/onboard-aws-rds-mysql/main.tf 
@@ -0,0 +1,108 @@ +locals { + aws_region = "us-east-2" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" + + master_user = "admin" + master_pass = "abcd1234" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +################################################################################ +module "aws-default-account-asset" { + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# AWS RDS MySQL 8.0 +################################################################################ +module "aws-rds-mysql-1" { + source = "../../modules/onboard-aws-rds-mysql" + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + aws_rds_mysql_admin_email = local.admin_email + aws_rds_mysql_gateway_id = local.gateway_id + aws_rds_mysql_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_rds_mysql_region = local.aws_region + + instance_engine_version = "8.0" + instance_identifier = 
"example-tf-mysql-8" + instance_instance_class = "db.t3.small" + instance_password = local.master_pass + instance_subnet_group_name = "default" + instance_username = local.master_user + instance_vpc_security_group_ids = [ + "sg-0123456789abcdefg" + ] + + option_group_major_engine_version = "8.0" + option_group_name = "example-tf-mysql-8-og" +} + +################################################################################ +# AWS RDS MySQL 5.7 Aggregated +################################################################################ +module "aws-rds-mysql-2" { + source = "../../modules/onboard-aws-rds-mysql" + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + aws_rds_mysql_admin_email = local.admin_email + aws_rds_mysql_audit_type = "AGGREGATED" + aws_rds_mysql_gateway_id = local.gateway_id + aws_rds_mysql_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_rds_mysql_region = local.aws_region + + instance_engine_version = "5.7" + instance_identifier = "example-tf-mysql-5-7" + instance_instance_class = "db.t3.small" + instance_password = local.master_pass + instance_subnet_group_name = "default" + instance_username = local.master_user + instance_vpc_security_group_ids = [ + "sg-0123456789abcdefg" + ] + + option_group_major_engine_version = "5.7" + option_group_name = "example-tf-mysql-5-7-og" +} diff --git a/examples/onboard-aws-rds-oracle-standard/README.md b/examples/onboard-aws-rds-oracle-standard/README.md new file mode 100644 index 0000000..5a7c0f7 --- /dev/null +++ b/examples/onboard-aws-rds-oracle-standard/README.md 
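Review bot: Both module instances reuse `local.master_pass = "abcd1234"` and `local.master_user = "admin"`, so the example stands up two databases sharing the same weak literal credential; replace the literal with `variable "master_pass" { type = string; sensitive = true }` (or `random_password`) so copy-pasting the example does not propagate it. The second instance pins `instance_engine_version = "5.7"`, a version AWS has moved into paid RDS Extended Support; if it is kept only to demonstrate `aws_rds_mysql_audit_type = "AGGREGATED"`, say so in a comment (`# 5.7 retained to exercise the AGGREGATED audit path`) so readers do not copy an end-of-life engine by accident. The first instance leaves the audit type at the module default, which is outside this diff; a one-line comment naming that default would make the contrast between the two blocks clear.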
@@ -0,0 +1,54 @@ +# Onboard Amazon RDS for Oracle (Standard Audit via CloudWatch) example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/48367051.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created CloudWatch log group. + +### Database Configuration +Part of the onboarding process involves connecting to your RDS Oracle instance and running SQL commands to create an audit policy. This module includes an example for how to connect to the instance from your local machine and create this. + +**Note:** This example requires the ``sqlplus`` client to be installed, as well as for the newly created RDS instance to be accessible from your local machine. + + +## Requirements + +No requirements. 
+ +## Providers + +| Name | Version | +|------|---------| +| [terraform](#provider\_terraform) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-key-pair-account-asset](#module\_aws-key-pair-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +| [aws-rds-oracle-standard-1](#module\_aws-rds-oracle-standard-1) | ../../modules/onboard-aws-rds-oracle-standard | n/a | +| [aws-rds-oracle-standard-2](#module\_aws-rds-oracle-standard-2) | ../../modules/onboard-aws-rds-oracle-standard | n/a | + +## Resources + +| Name | Type | +|------|------| +| [terraform_data.configure_database](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_access\_key](#input\_aws\_access\_key) | n/a | `any` | n/a | yes | +| [aws\_secret\_key](#input\_aws\_secret\_key) | n/a | `any` | n/a | yes | +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/onboard-aws-rds-oracle-standard/configure_audit_policy.sql b/examples/onboard-aws-rds-oracle-standard/configure_audit_policy.sql new file mode 100644 index 0000000..c3c41ec --- /dev/null +++ b/examples/onboard-aws-rds-oracle-standard/configure_audit_policy.sql @@ -0,0 +1,4 @@ +AUDIT SESSION BY ACCESS; +AUDIT ALL BY ACCESS; +AUDIT ALL STATEMENTS BY ACCESS; +exit; diff --git a/examples/onboard-aws-rds-oracle-standard/configure_database.sh b/examples/onboard-aws-rds-oracle-standard/configure_database.sh new file mode 100755 index 0000000..1781c5a --- /dev/null +++ b/examples/onboard-aws-rds-oracle-standard/configure_database.sh 
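Review bot: The three `AUDIT ... BY ACCESS` statements run with no error handling, so if one is rejected (for example an insufficient-privilege error, since the RDS master user is not SYS) sqlplus still exits 0 and `configure_database.sh`, and therefore Terraform's `on_failure = fail`, report success with no audit policy in place; add `WHENEVER SQLERROR EXIT FAILURE` as the first line of the script. Standard auditing is idempotent in effect, unlike the unified-audit scripts in this commit which guard with an existence check, so a short comment stating that the script is safe to re-run would make the contract explicit.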
@@ -0,0 +1,30 @@
+#!/bin/bash
+# Creates an audit policy on an Oracle instance using 'sqlplus'
+
+# Settings
+current_directory=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
+policy_sql_file="${current_directory}/configure_audit_policy.sql"
+
+# Functions
+function is_pkg_installed {
+ local pkg="$1"
+ if ! command -v "${pkg}" &> /dev/null
+ then
+ echo "Package '${pkg}' is not installed."
+ echo "Exiting..."
+ exit 1
+ else
+ return 0
+ fi
+}
+
+is_pkg_installed "sqlplus"
+
+# Create audit policy
+if [ ! -r "${policy_sql_file}" ]; then
+ echo "Unable to read ${policy_sql_file}"
+ echo "Exiting..."
+ exit 1
+else
+ sqlplus ${ADMIN_USER}/${ADMIN_PASSWORD}@${HOSTNAME}/${SID}:${PORT} @${policy_sql_file}
+fi
diff --git a/examples/onboard-aws-rds-oracle-standard/main.tf b/examples/onboard-aws-rds-oracle-standard/main.tf
new file mode 100644
index 0000000..601e6a1
--- /dev/null
+++ b/examples/onboard-aws-rds-oracle-standard/main.tf
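Review bot: The admin password is placed on the sqlplus command line in `sqlplus ${ADMIN_USER}/${ADMIN_PASSWORD}@${HOSTNAME}/${SID}:${PORT} @${policy_sql_file}`, which makes it readable by every local user through `ps`/`/proc/<pid>/cmdline` for the life of the process and puts it in the trace if the script is ever run with `bash -x`. Feed the connection through stdin instead, and add `WHENEVER SQLERROR EXIT FAILURE` plus `set -euo pipefail`, because sqlplus exits 0 on SQL errors and the `on_failure = fail` on the calling Terraform provisioner otherwise never fires. The connect-string order `host/sid:port` also does not match the Easy Connect form `host:port/service` that sqlplus documents, so confirm it against a real instance before relying on it.
```shell
set -euo pipefail
# … unchanged: settings, is_pkg_installed, readability check …
  sqlplus -S -L /nolog <<EOF
WHENEVER SQLERROR EXIT FAILURE
WHENEVER OSERROR EXIT FAILURE
CONNECT ${ADMIN_USER}/"${ADMIN_PASSWORD}"@${HOSTNAME}:${PORT}/${SID}
@${policy_sql_file}
EOF
```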
@@ -0,0 +1,132 @@ +locals { + aws_region = "us-east-2" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" + + master_user = "admin" + master_password = "abcd1234" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. AWS cloud account +# 2. Method to create audit policies on Oracle instance +################################################################################ +# 1. AWS key pair variables (sourced from ENV vars) +variable "aws_access_key" {} +variable "aws_secret_key" {} + +module "aws-key-pair-account-asset" { + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-key-pair-account-asset" + asset_id = "arn:aws:iam::0123456789" + auth_mechanism = "key" + aws_access_key = var.aws_access_key + aws_secret_key = var.aws_secret_key + gateway_id = local.gateway_id + region = local.aws_region +} + +# 2. 
Run shell script locally to create audit policy +resource "terraform_data" "configure_database" { + depends_on = [module.aws-rds-oracle-standard-1] + + provisioner "local-exec" { + environment = { + ADMIN_USER = local.master_user + ADMIN_PASSWORD = local.master_password + HOSTNAME = module.aws-rds-oracle-standard-1.oracle-instance.address + SID = module.aws-rds-oracle-standard-1.oracle-instance.db_name + PORT = module.aws-rds-oracle-standard-1.oracle-instance.port + } + + command = "./configure_database.sh" + + on_failure = fail + } +} + +################################################################################ +# AWS RDS Oracle 19 +################################################################################ +module "aws-rds-oracle-standard-1" { + source = "../../modules/onboard-aws-rds-oracle-standard" + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + aws_rds_oracle_admin_email = local.admin_email + aws_rds_oracle_gateway_id = local.gateway_id + aws_rds_oracle_parent_asset_id = module.aws-key-pair-account-asset.this.asset_id + aws_rds_oracle_region = local.aws_region + + instance_engine_version = "19" + instance_identifier = "example-tf-oracle-19" + instance_password = local.master_password + instance_subnet_group_name = "default" + instance_username = local.master_user + instance_vpc_security_group_ids = [ + "sg-0123456789abcdefg" + ] + + parameter_group_family = "oracle-ee-19" + parameter_group_name = "example-tf-oracle-19-pg" +} + +################################################################################ +# AWS RDS Oracle 19 Aggregated +################################################################################ +module "aws-rds-oracle-standard-2" { + source = "../../modules/onboard-aws-rds-oracle-standard" + + aws_log_group_admin_email = local.admin_email + aws_log_group_audit_pull_enabled = true + 
aws_log_group_gateway_id = local.gateway_id + aws_log_group_region = local.aws_region + + aws_rds_oracle_admin_email = local.admin_email + aws_rds_oracle_audit_type = "AGGREGATED" + aws_rds_oracle_gateway_id = local.gateway_id + aws_rds_oracle_parent_asset_id = module.aws-key-pair-account-asset.this.asset_id + aws_rds_oracle_region = local.aws_region + + instance_engine_version = "19" + instance_identifier = "example-tf-oracle-19" + instance_password = local.master_password + instance_subnet_group_name = "default" + instance_username = local.master_user + instance_vpc_security_group_ids = [ + "sg-0123456789abcdefg" + ] + + parameter_group_family = "oracle-ee-19" + parameter_group_name = "example-tf-oracle-19-pg" +} diff --git a/examples/onboard-aws-rds-oracle-unified/README.md b/examples/onboard-aws-rds-oracle-unified/README.md new file mode 100644 index 0000000..3190eea --- /dev/null +++ b/examples/onboard-aws-rds-oracle-unified/README.md 
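Review bot: Both module instances use the same `instance_identifier = "example-tf-oracle-19"` and `parameter_group_name = "example-tf-oracle-19-pg"`, so the second DB instance and parameter group collide with the first on apply (RDS identifiers are unique per account and region); the MySQL example in this same commit uses distinct `example-tf-mysql-8`/`example-tf-mysql-5-7` names, so give the aggregated instance its own, e.g. `instance_identifier = "example-tf-oracle-19-agg"` and `parameter_group_name = "example-tf-oracle-19-agg-pg"`. Note that `terraform_data.configure_database` only depends on and targets `aws-rds-oracle-standard-1`, so once the second instance exists it will be onboarded with no audit policy applied unless a second provisioner is added. The provisioner also receives `ADMIN_PASSWORD = local.master_password` from a plain local; declaring it as a variable with `sensitive = true` (as this file already does for `dsfhub_token` via `TF_VAR_`) keeps it out of plan output and the committed example, and the same flag on `aws_access_key`/`aws_secret_key` would stop Terraform from echoing them unless the dsfhub provider schema already marks them sensitive.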
@@ -0,0 +1,48 @@ +# Onboard Amazon RDS for Oracle (Standard Audit via CloudWatch) example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/48367067.html). + +This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +## Prerequisites +### Database Configuration +Part of the onboarding process involves connecting to your RDS Oracle instance and running SQL commands to create an audit pull user, as well as an audit policy. This module includes an example for how to connect to the instance from your local machine and create both of these. + +**Note:** This example requires the ``sqlplus`` client to be installed, as well as for the newly created RDS instance to be accessible from your local machine. + + +## Requirements + +No requirements. 
+ +## Providers + +| Name | Version | +|------|---------| +| [terraform](#provider\_terraform) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-rds-oracle-unified-1](#module\_aws-rds-oracle-unified-1) | ../../modules/onboard-aws-rds-oracle-unified | n/a | +| [aws-rds-oracle-unified-2](#module\_aws-rds-oracle-unified-2) | ../../modules/onboard-aws-rds-oracle-unified | n/a | + +## Resources + +| Name | Type | +|------|------| +| [terraform_data.configure_database](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/onboard-aws-rds-oracle-unified/configure_audit_policy.sql b/examples/onboard-aws-rds-oracle-unified/configure_audit_policy.sql new file mode 100644 index 0000000..13cece6 --- /dev/null +++ b/examples/onboard-aws-rds-oracle-unified/configure_audit_policy.sql @@ -0,0 +1,22 @@ +SET serveroutput ON; + +DECLARE + c int; + stmt varchar2(1000); +BEGIN + SELECT COUNT(*) INTO c FROM AUDIT_UNIFIED_POLICIES WHERE policy_name = UPPER('&1'); + IF c = 0 THEN + dbms_output.put_line('Creating audit policy &1...'); + stmt := 'CREATE AUDIT POLICY &1 ACTIONS ALL ONLY TOPLEVEL'; + EXECUTE IMMEDIATE stmt; + + dbms_output.put_line('Enabling audit policy &1...'); + stmt := 'AUDIT POLICY &1'; + EXECUTE IMMEDIATE stmt; + ELSE + dbms_output.put_line('Audit policy &1 already exists.'); + END IF; +END; +/ + +exit; diff --git a/examples/onboard-aws-rds-oracle-unified/configure_audit_pull_user.sql b/examples/onboard-aws-rds-oracle-unified/configure_audit_pull_user.sql new file mode 100644 index 0000000..01e8b41 --- /dev/null 
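Review bot: `&1` is spliced textually into `stmt := 'CREATE AUDIT POLICY &1 ACTIONS ALL ONLY TOPLEVEL'` and `stmt := 'AUDIT POLICY &1'`, so any `AUDIT_POLICY_NAME` that is not a bare identifier (a space, quote or semicolon) either breaks the statement or is executed as SQL; the value comes from a Terraform local today, but nothing in the script enforces that. Add `WHENEVER SQLERROR EXIT FAILURE` before the block so a failed `EXECUTE IMMEDIATE` gives sqlplus a nonzero exit that `configure_database.sh` and Terraform's `on_failure = fail` can see, since sqlplus otherwise exits 0 after a SQL error. The existence check compares `UPPER('&1')` while the DDL uses the unquoted `&1`, which only agrees because Oracle folds unquoted identifiers to upper case; a comment such as `-- &1 must be a valid unquoted Oracle identifier (letters, digits, _ $ #); it is not escaped` would make that contract explicit.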
+++ b/examples/onboard-aws-rds-oracle-unified/configure_audit_pull_user.sql
@@ -0,0 +1,24 @@
+SET serveroutput ON;
+
+DECLARE
+ c int;
+ stmt varchar2(1000);
+BEGIN
+ SELECT COUNT(*) INTO c FROM DBA_USERS WHERE username = UPPER('&1');
+ IF c = 0 THEN
+ dbms_output.put_line('Creating audit pull user &1...');
+ stmt := 'CREATE USER &1 IDENTIFIED BY &2';
+ EXECUTE IMMEDIATE stmt;
+
+ dbms_output.put_line('Granting permissions to user &1...');
+ stmt := 'GRANT CREATE SESSION TO &1';
+ EXECUTE IMMEDIATE stmt;
+ stmt := 'GRANT SELECT ON UNIFIED_AUDIT_TRAIL TO &1';
+ EXECUTE IMMEDIATE stmt;
+ ELSE
+ dbms_output.put_line('User &1 already exists.');
+ END IF;
+END;
+/
+
+exit;
diff --git a/examples/onboard-aws-rds-oracle-unified/configure_database.sh b/examples/onboard-aws-rds-oracle-unified/configure_database.sh
new file mode 100755
index 0000000..ae4b8cc
--- /dev/null
+++ b/examples/onboard-aws-rds-oracle-unified/configure_database.sh
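Review bot: sqlplus has `VERIFY` on by default, so when `&2` is substituted into `stmt := 'CREATE USER &1 IDENTIFIED BY &2'` it prints the old/new line — containing the audit-pull password — to stdout, which Terraform captures in the provisioner log; add `SET VERIFY OFF` beside `SET serveroutput ON`. Quote the password as an Oracle password string, `IDENTIFIED BY "&2"`, since an unquoted value containing `@`, `/` or other separator characters is likely to be rejected or mis-parsed, and add `WHENEVER SQLERROR EXIT FAILURE` so a failure reaches the shell rather than leaving sqlplus at exit 0. The `ELSE` branch leaves an existing user's privileges untouched, so a re-run cannot repair a user that was created without the two `GRANT`s; moving the grants outside the `IF` keeps the script idempotent in the useful direction.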
@@ -0,0 +1,42 @@ +#!/bin/bash +# Creates an audit pull user as well as an audit policy on an Oracle instance using 'sqlplus' + +# Settings +current_directory=$(dirname "$(realpath "${BASH_SOURCE[0]}")") +user_sql_file="${current_directory}/configure_audit_pull_user.sql" +policy_sql_file="${current_directory}/configure_audit_policy.sql" + +# Functions +function is_pkg_installed { + local pkg="$1" + if ! command -v "${pkg}" &> /dev/null + then + echo "Package '${pkg}' is not installed." + echo "Exiting..." + exit 1 + else + return 0 + fi +} + +is_pkg_installed "sqlplus" + +# Create audit policy +if [ ! -r "${policy_sql_file}" ]; then + echo "Unable to read ${policy_sql_file}" + echo "Exiting..." + exit 1 +else + sqlplus ${ADMIN_USER}/${ADMIN_PASSWORD}@${HOSTNAME}/${SID}:${PORT} \ + @${policy_sql_file} ${AUDIT_POLICY_NAME} +fi + +# Create audit pull user +if [ ! -r "${user_sql_file}" ]; then + echo "Unable to read ${user_sql_file}" + echo "Exiting..." + exit 1 +else + sqlplus ${ADMIN_USER}/${ADMIN_PASSWORD}@${HOSTNAME}/${SID}:${PORT} \ + @${user_sql_file} ${AUDIT_PULL_USERNAME} ${AUDIT_PULL_PASSWORD} +fi diff --git a/examples/onboard-aws-rds-oracle-unified/main.tf b/examples/onboard-aws-rds-oracle-unified/main.tf new file mode 100644 index 0000000..f54a317 --- /dev/null +++ b/examples/onboard-aws-rds-oracle-unified/main.tf 
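Review bot: Both `sqlplus ${ADMIN_USER}/${ADMIN_PASSWORD}@...` invocations expose the admin password on the command line, and the second additionally passes `${AUDIT_PULL_PASSWORD}` as a positional script argument, so two credentials are visible in `ps`/`/proc/<pid>/cmdline` to any local user while the script runs. Move the connection and the script arguments onto stdin, and add `set -euo pipefail` plus `WHENEVER SQLERROR EXIT FAILURE`, because today the second sqlplus runs even if the first failed and a SQL error still returns 0 to Terraform's `on_failure = fail`. The `host/sid:port` connect-string order also differs from the documented Easy Connect form `host:port/service`; confirm against a real instance.
```shell
set -euo pipefail
# … unchanged: settings, is_pkg_installed, policy_sql_file check …
  sqlplus -S -L /nolog <<EOF
WHENEVER SQLERROR EXIT FAILURE
CONNECT ${ADMIN_USER}/"${ADMIN_PASSWORD}"@${HOSTNAME}:${PORT}/${SID}
@${policy_sql_file} ${AUDIT_POLICY_NAME}
EOF
# … unchanged: user_sql_file check …
  sqlplus -S -L /nolog <<EOF
WHENEVER SQLERROR EXIT FAILURE
CONNECT ${ADMIN_USER}/"${ADMIN_PASSWORD}"@${HOSTNAME}:${PORT}/${SID}
@${user_sql_file} ${AUDIT_PULL_USERNAME} ${AUDIT_PULL_PASSWORD}
EOF
```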
@@ -0,0 +1,118 @@ +locals { + aws_region = "us-east-2" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" + + master_user = "admin" + master_password = "abcd1234" + audit_pull_user = "sonarlogaudit" + audit_pull_password = "abcd1234" + audit_policy_name = "testpol" +} + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Prerequisites +# 1. Method to create audit pull user as well as audit policies +################################################################################ +# 1. 
Run shell script locally to create audit pull user and policies +resource "terraform_data" "configure_database" { + depends_on = [module.aws-rds-oracle-unified-1] + + provisioner "local-exec" { + environment = { + ADMIN_USER = local.master_user + ADMIN_PASSWORD = local.master_password + HOSTNAME = module.aws-rds-oracle-unified-1.oracle-instance.address + SID = module.aws-rds-oracle-unified-1.oracle-instance.db_name + PORT = module.aws-rds-oracle-unified-1.oracle-instance.port + + AUDIT_POLICY_NAME = local.audit_policy_name + AUDIT_PULL_USERNAME = local.audit_pull_user + AUDIT_PULL_PASSWORD = local.audit_pull_password + } + + command = "./configure_database.sh" + + on_failure = fail + } + +} + +################################################################################ +# AWS RDS Oracle 19 +################################################################################ +module "aws-rds-oracle-unified-1" { + source = "../../modules/onboard-aws-rds-oracle-unified" + + aws_rds_oracle_admin_email = local.admin_email + aws_rds_oracle_audit_pull_enabled = true + aws_rds_oracle_auth_mechanism = "password" + aws_rds_oracle_gateway_id = local.gateway_id + aws_rds_oracle_password = local.audit_pull_password + aws_rds_oracle_reason = "default" + aws_rds_oracle_username = local.audit_pull_user + + instance_engine_version = "19" + instance_identifier = "example-tf-oracle-19" + instance_password = local.master_password + instance_subnet_group_name = "default" + instance_username = local.master_user + instance_vpc_security_group_ids = [ + "sg-0123456789abcdefg" + ] + + parameter_group_family = "oracle-ee-19" + parameter_group_name = "example-tf-oracle-19-pg" +} + +################################################################################ +# AWS RDS Oracle 19 Aggregated +################################################################################ +module "aws-rds-oracle-unified-2" { + source = "../../modules/onboard-aws-rds-oracle-unified" + + 
aws_rds_oracle_admin_email = local.admin_email + aws_rds_oracle_audit_pull_enabled = true + aws_rds_oracle_audit_type = "UNIFIED_AGGREGATED" + aws_rds_oracle_auth_mechanism = "password" + aws_rds_oracle_gateway_id = local.gateway_id + aws_rds_oracle_password = local.audit_pull_password + aws_rds_oracle_reason = "default" + aws_rds_oracle_username = local.audit_pull_user + + instance_engine_version = "19" + instance_identifier = "example-tf-oracle-19" + instance_password = local.master_password + instance_subnet_group_name = "default" + instance_username = local.master_user + instance_vpc_security_group_ids = [ + "sg-0123456789abcdefg" + ] + + parameter_group_family = "oracle-ee-19" + parameter_group_name = "example-tf-oracle-19-pg" +} diff --git a/examples/onboard-aws-redshift/README.md b/examples/onboard-aws-redshift/README.md new file mode 100644 index 0000000..f1c1b0d --- /dev/null +++ b/examples/onboard-aws-redshift/README.md 
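Review bot: `aws-rds-oracle-unified-1` and `aws-rds-oracle-unified-2` both set `instance_identifier = "example-tf-oracle-19"` and `parameter_group_name = "example-tf-oracle-19-pg"`, so the second module's RDS instance and parameter group collide with the first on apply; give the aggregated variant distinct names, e.g. `instance_identifier = "example-tf-oracle-19-agg"`. Once the names differ, `terraform_data.configure_database` still only targets `aws-rds-oracle-unified-1`, yet module 2 is registered with `aws_rds_oracle_audit_pull_enabled = true` and `aws_rds_oracle_username = local.audit_pull_user`, a user and policy that are never created on that instance — a second provisioner (or a `for_each` over both modules) is needed. The locals also reuse `"abcd1234"` for both `master_password` and `audit_pull_password` and pass them to the provisioner environment and the dsfhub asset as plain values; declaring them as `sensitive = true` variables sourced from `TF_VAR_`, as the file already does for `dsfhub_token`, keeps them out of the repo and plan output.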
@@ -0,0 +1,66 @@ +# Onboard Amazon Redshift example +This example includes additional prerequisites that will need to be completed to fully utilize the module. More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-Redshift-Onboarding-Steps_48367115.html). + +It creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each one can be found in the relevant provider documentation: +- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs) +- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs) + +Importantly, the example includes two different audit methods: auditing via the Audit Tables, or auditing via an S3 bucket. Please choose your desired audit method. + +## Option 1: Auditing via Audit Tables +### Prerequisites +#### Database Configuration +Part of the onboarding process involves connecting to your Redshift cluster and running SQL commands to create an audit pull user. This module includes an example for how to connect to the instance from your local machine and create it. + +**Note:** This example requires the ``psql`` client to be installed, as well as for the newly created Redshift cluster to be accessible from your local machine. + +## Option 2: Auditing via S3 + +### Prerequisites +#### Account Asset Permissions +An AWS account asset will need to be onboarded to your DSF hub prior to using this module. The account asset will need to be granted permissions to be able to read from the newly created S3 bucket. In addition, the cloud account should be granted these additional permissions: + +``` +s3:GetObject +s3:ListBucket +s3:ListAllMyBuckets +``` + + +## Requirements + +No requirements. 
+ +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | +| [terraform](#provider\_terraform) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-default-account-asset](#module\_aws-default-account-asset) | imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account | n/a | +| [aws-redshift-1](#module\_aws-redshift-1) | ../../modules/onboard-aws-redshift-s3 | n/a | +| [aws-redshift-cluster-1](#module\_aws-redshift-cluster-1) | ../../modules/onboard-aws-redshift-odbc | n/a | + +## Resources + +| Name | Type | +|------|------| +| [terraform_data.configure_database](https://registry.terraform.io/providers/hashicorp/terraform/latest/docs/resources/data) | resource | +| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes | +| [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes | + +## Outputs + +No outputs. + \ No newline at end of file diff --git a/examples/onboard-aws-redshift/configure_audit_pull_user.sql b/examples/onboard-aws-redshift/configure_audit_pull_user.sql new file mode 100644 index 0000000..36e593c --- /dev/null +++ b/examples/onboard-aws-redshift/configure_audit_pull_user.sql @@ -0,0 +1,4 @@ +CREATE USER :username PASSWORD :'password'; +ALTER USER :username WITH SYSLOG ACCESS UNRESTRICTED; +GRANT SELECT ON pg_catalog.STL_CONNECTION_LOG, pg_catalog.SVL_STATEMENTTEXT, pg_catalog.STL_SESSIONS, pg_catalog.PG_USER, pg_catalog.STV_SESSIONS TO :username; +\q \ No newline at end of file diff --git a/examples/onboard-aws-redshift/configure_database.sh b/examples/onboard-aws-redshift/configure_database.sh new file mode 100755 index 0000000..05e7965 --- /dev/null 
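Review bot: `:username` is interpolated as raw text into `CREATE USER :username`, `ALTER USER :username` and the `GRANT`, so a name that is not a plain lowercase identifier (mixed case, a hyphen, or anything injected through `AUDIT_PULL_USERNAME`) changes the statement; psql's identifier form `:"username"` quotes it safely, mirroring the `:'password'` literal form already used on the first line. Add a comment that `ALTER USER :username WITH SYSLOG ACCESS UNRESTRICTED` lets this user read every other user's query text and session history through the system tables granted below — required for audit collection, but the reason this user must receive no other privileges.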
+++ b/examples/onboard-aws-redshift/configure_database.sh
@@ -0,0 +1,34 @@
+#!/bin/bash
+# Creates an audit pull user on a Redshift cluster using the 'psql' client
+
+# Settings
+current_directory=$(dirname "$(realpath "${BASH_SOURCE[0]}")")
+user_sql_file="${current_directory}/configure_audit_pull_user.sql"
+
+# Functions
+function is_pkg_installed {
+ local pkg="$1"
+ if ! command -v "${pkg}" &> /dev/null
+ then
+ echo "Package '${pkg}' is not installed."
+ echo "Install on MacOS: brew install libpq"
+ echo "Install on Ubuntu: apt-get install -y libpq-dev"
+ echo "Install on CentOS: yum install -y libpq"
+ echo "Exiting..."
+ exit 1
+ else
+ return 0
+ fi
+}
+
+is_pkg_installed "psql"
+
+# Create audit pull user
+if [ ! -r "${user_sql_file}" ]; then
+ echo "Unable to read ${user_sql_file}"
+ echo "Exiting..."
+ exit 1
+else
+ echo "Creating audit pull user..."
+ PGPASSWORD="${ADMIN_PASSWORD}" psql -h "${HOSTNAME}" -p "${PORT}" -U "${ADMIN_USER}" -d "${DATABASE}" -v username="${AUDIT_PULL_USERNAME}" -v password="${AUDIT_PULL_PASSWORD}" -f "${user_sql_file}"
+fi
diff --git a/examples/onboard-aws-redshift/main.tf b/examples/onboard-aws-redshift/main.tf
new file mode 100644
index 0000000..84012e6
--- /dev/null
+++ b/examples/onboard-aws-redshift/main.tf
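Review bot: psql exits 0 even when a statement in the `-f` file fails unless `ON_ERROR_STOP` is set, so a rejected `CREATE USER` leaves this script — and Terraform's `on_failure = fail` on the calling provisioner — reporting success; add `-v ON_ERROR_STOP=1` to the psql invocation and `set -euo pipefail` after the shebang. Passing the admin password through `PGPASSWORD` rather than on the command line is the right choice here and is the pattern the two Oracle scripts in this commit should copy. Adding `-X` so `~/.psqlrc` is skipped keeps a user's local psql settings from altering the run.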
@@ -0,0 +1,141 @@ +locals { + aws_region = "us-east-1" + apply_immediately = true + master_user = "admin" + master_password = "Abcd1234" + + audit_pull_user = "sonarlogaudit" + audit_pull_password = "Abcd1234" + + bucket_name = "tf-s3-bucket" + + admin_email = "test@example.com" + gateway_id = "a1b2c3d4-e5f6-g8h9-wxyz-123456790" +} + + +################################################################################ +# Providers +################################################################################ +terraform { + required_providers { + dsfhub = { + source = "imperva/dsfhub" + } + } +} + +provider "aws" { + region = local.aws_region +} + +data "aws_caller_identity" "current" {} + +variable "dsfhub_host" {} # TF_VAR_dsfhub_host env variable +variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable + +provider "dsfhub" { + dsfhub_host = var.dsfhub_host + dsfhub_token = var.dsfhub_token +} + +################################################################################ +# Redshift via Table Prerequisites +# 1. 
Method to create audit pull user +################################################################################ +# Runs the shell script locally to create the audit pull user +resource "terraform_data" "configure_database" { + depends_on = [module.aws-redshift-cluster-1] + + provisioner "local-exec" { + environment = { + ADMIN_USER = local.master_user + ADMIN_PASSWORD = local.master_password + HOSTNAME = regex("(.*):", module.aws-redshift-cluster-1.redshift-cluster.endpoint)[0] + DATABASE = module.aws-redshift-cluster-1.redshift-cluster.database_name + PORT = module.aws-redshift-cluster-1.redshift-cluster.port + + AUDIT_PULL_USERNAME = local.audit_pull_user + AUDIT_PULL_PASSWORD = local.audit_pull_password + } + + command = "./configure_database.sh" + + on_failure = fail + } +} + +################################################################################ +# Amazon Redshift Cluster via Table +################################################################################ +module "aws-redshift-cluster-1" { + source = "../../modules/onboard-aws-redshift-odbc" + + aws_redshift_admin_email = local.admin_email + aws_redshift_audit_pull_enabled = true + aws_redshift_gateway_id = local.gateway_id + aws_redshift_region = local.aws_region + aws_redshift_username = local.audit_pull_user + aws_redshift_password = local.audit_pull_password + + redshift_apply_immediately = local.apply_immediately + redshift_cluster_identifier = "tf-redshift" + redshift_cluster_subnet_group_name = "default" + redshift_master_password = local.master_password + redshift_master_username = local.master_user + redshift_skip_final_snapshot = true + redshift_vpc_security_group_ids = ["sg-0123456789abcdefg"] +} + +################################################################################ +# Redshift via S3 Prerequisites +# 1. AWS cloud account +################################################################################ +# 1. 
AWS cloud account +# Note that the following additional privileges are required for the AWS cloud account: +# s3:GetObject +# s3:ListBucket +# s3:ListAllMyBuckets +module "aws-default-account-asset" { + source = "imperva/agentless-onboarding/dsfhub//modules/dsfhub-aws-cloud-account" + + admin_email = local.admin_email + asset_display_name = "aws-account-asset" + asset_id = "arn:aws:iam::1234567890" + auth_mechanism = "default" + gateway_id = local.gateway_id + region = local.aws_region +} + +################################################################################ +# Amazon Redshift Cluster via S3 +################################################################################ +module "aws-redshift-1" { + source = "../../modules/onboard-aws-redshift-s3" + + aws_redshift_admin_email = local.admin_email + aws_redshift_gateway_id = local.gateway_id + aws_redshift_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_redshift_region = local.aws_region + aws_redshift_bucket_account_id = data.aws_caller_identity.current.account_id + + aws_s3_admin_email = local.admin_email + aws_s3_audit_pull_enabled = true + aws_s3_asset_display_name = "tf-aws-s3-asset" + aws_s3_bucket_account_id = data.aws_caller_identity.current.account_id + aws_s3_gateway_id = local.gateway_id + aws_s3_parent_asset_id = module.aws-default-account-asset.this.asset_id + aws_s3_region = local.aws_region + + redshift_apply_immediately = local.apply_immediately + redshift_cluster_identifier = "tf-redshift-via-s3" + redshift_cluster_subnet_group_name = "default" + redshift_master_password = local.master_password + redshift_master_username = local.master_user + redshift_skip_final_snapshot = true + redshift_vpc_security_group_ids = ["sg-0123456789abcdefg"] + + parameter_group_name = "tf-redshift-s3-pg" + + s3_bucket = local.bucket_name +} 
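Review bot: `asset_id = "arn:aws:iam::1234567890"` is a hard-coded ten-digit placeholder while the file already resolves the real account through `data.aws_caller_identity.current` for `aws_redshift_bucket_account_id` and `aws_s3_bucket_account_id`; build it from the same source, `asset_id = "arn:aws:iam::${data.aws_caller_identity.current.account_id}"`, so the account asset cannot drift from the bucket account the module is told about. `bucket_name = "tf-s3-bucket"` is a globally unique S3 name that is almost certainly taken; deriving it as `bucket_name = "tf-s3-bucket-${data.aws_caller_identity.current.account_id}"` avoids the collision. The locals reuse `"Abcd1234"` for both `master_password` and `audit_pull_password` and `redshift_skip_final_snapshot = true` is set on both clusters; acceptable for a disposable example, but a comment saying so — and `sensitive = true` variables for the two passwords, as the file already does for `dsfhub_token` — would stop the pattern being copied into real deployments.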
diff --git a/modules/aws-docdb-cluster-instance/README.md b/modules/aws-docdb-cluster-instance/README.md new file mode 100644 index 0000000..a85081b --- /dev/null +++ b/modules/aws-docdb-cluster-instance/README.md @@ -0,0 +1,38 @@ + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +No modules. + +## Resources + +| Name | Type | +|------|------| +| [aws_docdb_cluster_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster_instance) | resource | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [cluster\_identifier](#input\_cluster\_identifier) | Identifier of AWS DocumentDB Cluster. | `string` | n/a | yes | +| [instance\_class](#input\_instance\_class) | The instance type of the DocumentDB cluster. Example: 'db.r5.large'. Reference: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-class-specs | `string` | `"db.r5.large"` | no | +| [instance\_count](#input\_instance\_count) | The number of instances to create in the DocumentDB cluster. | `number` | `1` | no | +| [promotion\_tier](#input\_promotion\_tier) | Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoted to a writer in case of failover. | `number` | `0` | no | +| [tags](#input\_tags) | A map of tags to assign to the DocumentDB instance. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [this](#output\_this) | AWS DocumentDB Cluster instance | + \ No newline at end of file 
diff --git a/modules/aws-docdb-cluster-instance/main.tf b/modules/aws-docdb-cluster-instance/main.tf
new file mode 100644
index 0000000..1830dda
--- /dev/null
+++ b/modules/aws-docdb-cluster-instance/main.tf
@@ -0,0 +1,12 @@
+resource "aws_docdb_cluster_instance" "this" {
+
+ apply_immediately = var.apply_immediately
+
+ cluster_identifier = var.cluster_identifier
+ count = var.instance_count
+ engine = "docdb"
+ instance_class = var.instance_class
+ identifier = "${var.cluster_identifier}-${count.index}"
+ promotion_tier = var.promotion_tier
+ tags = var.tags
+}
diff --git a/modules/aws-docdb-cluster-instance/output.tf b/modules/aws-docdb-cluster-instance/output.tf
new file mode 100644
index 0000000..54b3972
--- /dev/null
+++ b/modules/aws-docdb-cluster-instance/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS DocumentDB Cluster instance"
+ value = aws_docdb_cluster_instance.this
+}
diff --git a/modules/aws-docdb-cluster-instance/variables.tf b/modules/aws-docdb-cluster-instance/variables.tf
new file mode 100644
index 0000000..fc8ab57
--- /dev/null
+++ b/modules/aws-docdb-cluster-instance/variables.tf
@@ -0,0 +1,34 @@ +variable "apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window." + type = bool + default = true +} + +variable "cluster_identifier" { + description = "Identifier of AWS DocumentDB Cluster." + type = string +} + +variable "instance_count" { + description = "The number of instances to create in the DocumentDB cluster." + type = number + default = 1 +} + +variable "instance_class" { + description = "The instance type of the DocumentDB cluster. Example: 'db.r5.large'. Reference: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-class-specs" + type = string + default = "db.r5.large" +} + +variable "promotion_tier" { + description = "Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoted to a writer in case of failover." + type = number + default = 0 +} + +variable "tags" { + description = "A map of tags to assign to the DocumentDB instance." + type = map(string) + default = null +} diff --git a/modules/aws-docdb-cluster-parameter-group/README.md b/modules/aws-docdb-cluster-parameter-group/README.md new file mode 100644 index 0000000..efc4116 --- /dev/null +++ b/modules/aws-docdb-cluster-parameter-group/README.md 
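Review bot: `instance_count` and `promotion_tier` are typed `number` with no `validation` block, so a negative or fractional count, or a tier outside the range DocumentDB accepts (the AWS documentation gives 0–15), only fails at apply time inside `aws_docdb_cluster_instance.this`; a `validation { condition = var.instance_count >= 0 && floor(var.instance_count) == var.instance_count ... }` on the count and a range check on the tier turn that into a plan-time error. `apply_immediately` defaulting to `true` in a reusable module means any later change to `instance_class` restarts the instance outside the maintenance window; that may be intended for onboarding tooling, but either the description should say so or the default should be `false` with the examples opting in.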
@@ -0,0 +1,37 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_docdb_cluster_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster_parameter_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | The description of the DocumentDB cluster parameter group. | `string` | `null` | no |
+| [family](#input\_family) | Database family version, e.g. "docdb5.0" | `string` | `"docdb5.0"` | no |
+| [name](#input\_name) | The name of the DocumentDB cluster parameter group. | `string` | `"docdb-parameter-group"` | no |
+| [parameters](#input\_parameters) | List of objects containing parameters for the DocumentDB parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"apply_method": "immediate",
"name": "audit_logs",
"value": "all"
}
]
| no |
+| [tags](#input\_tags) | A map of tags to assign to the cluster. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS DocumentDB Parameter Group |
+
\ No newline at end of file
diff --git a/modules/aws-docdb-cluster-parameter-group/main.tf b/modules/aws-docdb-cluster-parameter-group/main.tf
new file mode 100644
index 0000000..7bc447a
--- /dev/null
+++ b/modules/aws-docdb-cluster-parameter-group/main.tf
@@ -0,0 +1,16 @@
+resource "aws_docdb_cluster_parameter_group" "this" {
+ name = var.name
+ family = var.family
+ description = var.description
+ tags = var.tags
+
+ dynamic "parameter" {
+ for_each = var.parameters
+
+ content {
+ name = parameter.value.name
+ value = parameter.value.value
+ apply_method = parameter.value.apply_method != null ? parameter.value.apply_method : null
+ }
+ }
+}
diff --git a/modules/aws-docdb-cluster-parameter-group/output.tf b/modules/aws-docdb-cluster-parameter-group/output.tf
new file mode 100644
index 0000000..8f06c76
--- /dev/null
+++ b/modules/aws-docdb-cluster-parameter-group/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS DocumentDB Parameter Group"
+ value = aws_docdb_cluster_parameter_group.this
+}
diff --git a/modules/aws-docdb-cluster-parameter-group/variables.tf b/modules/aws-docdb-cluster-parameter-group/variables.tf
new file mode 100644
index 0000000..552858c
--- /dev/null
+++ b/modules/aws-docdb-cluster-parameter-group/variables.tf
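Review bot: The conditional on the `apply_method` line inside `content {}` is a no-op: `parameter.value.apply_method != null ? parameter.value.apply_method : null` yields `parameter.value.apply_method` on both branches, and the object type in `variables.tf` already declares it as `optional(string, "immediate")`, so the value can never be null at this point. Replace it with `apply_method = parameter.value.apply_method`. The identical expression appears in `modules/aws-neptune-cluster-parameter-group/main.tf` later in this commit and should be simplified the same way.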
@@ -0,0 +1,38 @@
+variable "description" {
+ type = string
+ description = "The description of the DocumentDB cluster parameter group."
+ default = null
+}
+variable "family" {
+ description = "Database family version, e.g. \"docdb5.0\""
+ type = string
+ default = "docdb5.0"
+}
+
+variable "name" {
+ description = "The name of the DocumentDB cluster parameter group."
+ type = string
+ default = "docdb-parameter-group"
+}
+
+variable "parameters" {
+ description = "List of objects containing parameters for the DocumentDB parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [{
+ name = "audit_logs"
+ value = "all"
+ apply_method = "immediate"
+ }]
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the cluster."
+ type = map(string)
+ default = null
+}
diff --git a/modules/aws-docdb-cluster/README.md b/modules/aws-docdb-cluster/README.md
new file mode 100644
index 0000000..ab6d925
--- /dev/null
+++ b/modules/aws-docdb-cluster/README.md
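Review bot: `name` defaults to the fixed string `"docdb-parameter-group"`, and parameter-group names are unique per account and region, so two instantiations of this module that both rely on the default collide at apply time with an "already exists" error. Dropping the `default` so callers must pick a name makes the constraint visible in the interface. Separately, the `description` block lists `type` before `description` and is not followed by a blank line before `variable "family"`, unlike every other variable block in this commit; `terraform fmt` will not reorder or insert that, so align it by hand.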
@@ -0,0 +1,47 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_docdb_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/docdb_cluster) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no |
+| [cluster\_identifier](#input\_cluster\_identifier) | Identifier of AWS DocumentDB Cluster. | `string` | n/a | yes |
+| [db\_cluster\_parameter\_group\_name](#input\_db\_cluster\_parameter\_group\_name) | Name of the DocumentDB Cluster parameter group. | `string` | n/a | yes |
+| [db\_subnet\_group\_name](#input\_db\_subnet\_group\_name) | A DB subnet group to associate with this DB instance. | `string` | n/a | yes |
+| [deletion\_protection](#input\_deletion\_protection) | A value that indicates whether the DB cluster has deletion protection enabled. The database can't be deleted when deletion protection is enabled. | `bool` | `false` | no |
+| [enabled\_cloudwatch\_logs\_exports](#input\_enabled\_cloudwatch\_logs\_exports) | List of log types to export to CloudWatch. | `list(string)` |
[
"audit"
]
| no |
+| [engine\_version](#input\_engine\_version) | Database engine version, e.g. "5.0.0" | `string` | `"5.0.0"` | no |
+| [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made. Must be provided if skip\_final\_snapshot is set to false. | `string` | `null` | no |
+| [master\_password](#input\_master\_password) | Password for the master DB user. | `string` | n/a | yes |
+| [master\_username](#input\_master\_username) | Master DB username. | `string` | `"docdb"` | no |
+| [port](#input\_port) | The port on which the DB accepts connections. | `number` | `27017` | no |
+| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier | `bool` | `true` | no |
+| [storage\_type](#input\_storage\_type) | The storage type to associate with the DB cluster. | `string` | `"standard"` | no |
+| [tags](#input\_tags) | A map of tags to assign to the DB cluster. | `map(string)` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of VPC security groups to associate with the Cluster | `list(string)` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS DocumentDB Cluster |
+
\ No newline at end of file
diff --git a/modules/aws-docdb-cluster/main.tf b/modules/aws-docdb-cluster/main.tf
new file mode 100644
index 0000000..b168c0a
--- /dev/null
+++ b/modules/aws-docdb-cluster/main.tf
@@ -0,0 +1,20 @@
+resource "aws_docdb_cluster" "this" {
+
+ apply_immediately = var.apply_immediately
+
+ cluster_identifier = var.cluster_identifier
+ db_cluster_parameter_group_name = var.db_cluster_parameter_group_name
+ db_subnet_group_name = var.db_subnet_group_name
+ deletion_protection = var.deletion_protection
+ enabled_cloudwatch_logs_exports = var.enabled_cloudwatch_logs_exports
+ engine = "docdb"
+ engine_version = var.engine_version
+ final_snapshot_identifier = var.final_snapshot_identifier
+ master_password = var.master_password
+ master_username = var.master_username
+ port = var.port
+ skip_final_snapshot = var.skip_final_snapshot
+ storage_type = var.storage_type
+ tags = var.tags
+ vpc_security_group_ids = var.vpc_security_group_ids
+}
diff --git a/modules/aws-docdb-cluster/output.tf b/modules/aws-docdb-cluster/output.tf
new file mode 100644
index 0000000..18aaeea
--- /dev/null
+++ b/modules/aws-docdb-cluster/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS DocumentDB Cluster"
+ value = aws_docdb_cluster.this
+}
diff --git a/modules/aws-docdb-cluster/variables.tf b/modules/aws-docdb-cluster/variables.tf
new file mode 100644
index 0000000..d35b081
--- /dev/null
+++ b/modules/aws-docdb-cluster/variables.tf
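Review bot: Nothing in the `aws_docdb_cluster` resource sets `storage_encrypted` or `kms_key_id`, so every cluster created through this module is unencrypted at rest, because the provider's default for `storage_encrypted` is false. For a reusable module the safer shape is to expose both arguments and default encryption on: `storage_encrypted = var.storage_encrypted` and `kms_key_id = var.kms_key_id`, with `storage_encrypted` defaulting to `true` in `variables.tf`; DocumentDB encryption at rest is a create-time decision, so a caller cannot switch it on later without recreating the cluster. The same gap exists in `modules/aws-neptune-cluster/main.tf` later in this commit, where the arguments are `storage_encrypted` and `kms_key_arn`.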
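Review bot: `value = aws_docdb_cluster.this` in `output.tf` exports the whole resource object, which includes `master_password`, an attribute the provider marks sensitive; a root module that re-exports this output will be refused by Terraform unless it is marked sensitive, and the object as a whole carries the secret into every consumer's state. Either add `sensitive = true` to the output or expose only the attributes callers need, e.g. `id`, `arn`, `endpoint` and `reader_endpoint`.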
@@ -0,0 +1,96 @@
+variable "apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window."
+ type = bool
+ default = true
+}
+
+variable "cluster_identifier" {
+ description = "Identifier of AWS DocumentDB Cluster."
+ type = string
+}
+
+variable "db_cluster_parameter_group_name" {
+ description = "Name of the DocumentDB Cluster parameter group."
+ type = string
+}
+
+variable "db_subnet_group_name" {
+ description = "A DB subnet group to associate with this DB instance."
+ type = string
+}
+
+variable "deletion_protection" {
+ description = "A value that indicates whether the DB cluster has deletion protection enabled. The database can't be deleted when deletion protection is enabled."
+ type = bool
+ default = false
+}
+
+variable "enabled_cloudwatch_logs_exports" {
+ description = "List of log types to export to CloudWatch."
+ type = list(string)
+ default = ["audit"]
+ validation {
+ condition = alltrue([for log in var.enabled_cloudwatch_logs_exports : log == "audit" || log == "profiler"])
+ error_message = "Invalid value in enabled_cloudwatch_logs_exports. Allowed values are 'audit' or 'profiler'."
+ }
+ validation {
+ condition = length(var.enabled_cloudwatch_logs_exports) == length(distinct(var.enabled_cloudwatch_logs_exports))
+ error_message = "Duplicate item in enabled_cloudwatch_logs_exports. Allowed values are 'audit' or 'profiler'. Please ensure that each log type is unique."
+ }
+}
+
+variable "engine_version" {
+ description = "Database engine version, e.g. \"5.0.0\""
+ type = string
+ default = "5.0.0"
+}
+
+variable "final_snapshot_identifier" {
+ description = "The name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made. Must be provided if skip_final_snapshot is set to false."
+ type = string
+ default = null
+}
+
+variable "master_password" {
+ description = "Password for the master DB user."
+ type = string
+}
+
+variable "master_username" {
+ description = "Master DB username."
+ type = string
+ default = "docdb"
+}
+
+variable "port" {
+ description = "The port on which the DB accepts connections."
+ type = number
+ default = 27017
+}
+
+variable "skip_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier"
+ type = bool
+ default = true
+}
+
+variable "storage_type" {
+ description = "The storage type to associate with the DB cluster."
+ type = string
+ default = "standard"
+ validation {
+ condition = can(regex("^(iopt1|standard)$", var.storage_type))
+ error_message = "Invalid value for storage_type. Allowed values are 'iopt1' or 'standard'."
+ }
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the DB cluster."
+ type = map(string)
+ default = null
+}
+
+variable "vpc_security_group_ids" {
+ description = "List of VPC security groups to associate with the Cluster"
+ type = list(string)
+}
diff --git a/modules/aws-iam-policy/README.md b/modules/aws-iam-policy/README.md
new file mode 100644
index 0000000..476012c
--- /dev/null
+++ b/modules/aws-iam-policy/README.md
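Review bot: `variable "master_password"` is not declared `sensitive = true`, so Terraform treats the input as ordinary data: only the provider-side attribute is masked, while the variable value itself can surface in plan JSON, error messages and any local derived from it. Add `sensitive = true` to the block; the `terraform validate` step in the workflow will not flag its absence. Separately, the defaults `skip_final_snapshot = true` and `deletion_protection = false` together make a `terraform destroy` of a cluster created with defaults irreversible; inverting them, or at least saying so in the descriptions, is worth settling before the module is adopted.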
@@ -0,0 +1,38 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | Description of the IAM policy. | `string` | `"Managed by Terraform"` | no |
+| [name](#input\_name) | Name of the policy. If omitted, Terraform will assign a random, unique name. | `string` | n/a | yes |
+| [name\_prefix](#input\_name\_prefix) | Creates a unique name beginning with the specified prefix. Conflicts with 'name'. | `string` | `null` | no |
+| [path](#input\_path) | Path in which to create the policy. Default: '/' | `string` | `"/"` | no |
+| [policy](#input\_policy) | The policy document. This is a JSON formatted string. | `string` | n/a | yes |
+| [tags](#input\_tags) | A map of tags to assign to the policy. | `map(string)` | `{}` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS IAM Policy |
+
\ No newline at end of file
diff --git a/modules/aws-iam-policy/main.tf b/modules/aws-iam-policy/main.tf
new file mode 100644
index 0000000..d4c411f
--- /dev/null
+++ b/modules/aws-iam-policy/main.tf
@@ -0,0 +1,8 @@
+resource "aws_iam_policy" "this" {
+ name = var.name
+ name_prefix = var.name_prefix
+ description = var.description
+ path = var.path
+ policy = var.policy
+ tags = var.tags
+}
diff --git a/modules/aws-iam-policy/output.tf b/modules/aws-iam-policy/output.tf
new file mode 100644
index 0000000..3b167ac
--- /dev/null
+++ b/modules/aws-iam-policy/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS IAM Policy"
+ value = aws_iam_policy.this
+}
diff --git a/modules/aws-iam-policy/variables.tf b/modules/aws-iam-policy/variables.tf
new file mode 100644
index 0000000..6f30ecf
--- /dev/null
+++ b/modules/aws-iam-policy/variables.tf
@@ -0,0 +1,33 @@
+variable "name" {
+ description = "Name of the policy. If omitted, Terraform will assign a random, unique name."
+ type = string
+}
+
+variable "name_prefix" {
+ description = "Creates a unique name beginning with the specified prefix. Conflicts with 'name'."
+ type = string
+ default = null
+}
+
+variable "description" {
+ description = "Description of the IAM policy."
+ type = string
+ default = "Managed by Terraform"
+}
+
+variable "path" {
+ description = "Path in which to create the policy. Default: '/'"
+ type = string
+ default = "/"
+}
+
+variable "policy" {
+ description = "The policy document. This is a JSON formatted string."
+ type = string
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the policy."
+ type = map(string)
+ default = {}
+}
diff --git a/modules/aws-iam-role-policy-attachment/README.md b/modules/aws-iam-role-policy-attachment/README.md
new file mode 100644
index 0000000..7d63c87
--- /dev/null
+++ b/modules/aws-iam-role-policy-attachment/README.md
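Review bot: `variable "name"` has no `default`, so it is required, yet `name_prefix` is documented as conflicting with `name` and `main.tf` passes both to the resource; because `name` can never be null here, any non-null `name_prefix` always trips the provider's conflict error, and the description's "If omitted, Terraform will assign a random, unique name" describes a path that cannot be taken. Give `name` a `default = null` so the two options are genuinely alternatives; `modules/aws-iam-role/variables.tf` in this commit has the identical shape and needs the same change. `policy` is a JSON string handed straight to IAM, so a `validation` block with `condition = can(jsondecode(var.policy))` would turn a malformed document into a plan-time error rather than an API rejection.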
@@ -0,0 +1,34 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role_policy_attachment.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [policy\_arn](#input\_policy\_arn) | The ARN of the IAM policy you want to apply. | `string` | n/a | yes |
+| [role](#input\_role) | The IAM role to attach the policy to. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS IAM Role Policy Attachment |
+
\ No newline at end of file
diff --git a/modules/aws-iam-role-policy-attachment/main.tf b/modules/aws-iam-role-policy-attachment/main.tf
new file mode 100644
index 0000000..4ede3d1
--- /dev/null
+++ b/modules/aws-iam-role-policy-attachment/main.tf
@@ -0,0 +1,4 @@
+resource "aws_iam_role_policy_attachment" "this" {
+ role = var.role
+ policy_arn = var.policy_arn
+}
diff --git a/modules/aws-iam-role-policy-attachment/output.tf b/modules/aws-iam-role-policy-attachment/output.tf
new file mode 100644
index 0000000..4a5603f
--- /dev/null
+++ b/modules/aws-iam-role-policy-attachment/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS IAM Role Policy Attachment"
+ value = aws_iam_role_policy_attachment.this
+}
diff --git a/modules/aws-iam-role-policy-attachment/variables.tf b/modules/aws-iam-role-policy-attachment/variables.tf
new file mode 100644
index 0000000..3660e1d
--- /dev/null
+++ b/modules/aws-iam-role-policy-attachment/variables.tf
@@ -0,0 +1,9 @@
+variable "role" {
+ description = "The IAM role to attach the policy to."
+ type = string
+}
+
+variable "policy_arn" {
+ description = "The ARN of the IAM policy you want to apply."
+ type = string
+}
diff --git a/modules/aws-iam-role/README.md b/modules/aws-iam-role/README.md
new file mode 100644
index 0000000..be8b754
--- /dev/null
+++ b/modules/aws-iam-role/README.md
@@ -0,0 +1,42 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_iam_role.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [assume\_role\_policy](#input\_assume\_role\_policy) | The policy that grants an entity permission to assume the role. | `string` | n/a | yes |
+| [description](#input\_description) | The description of the IAM role. | `string` | `null` | no |
+| [force\_detach\_policies](#input\_force\_detach\_policies) | Specifies whether to force detaching any policies the role has before destroying it. Defaults to false. | `bool` | `false` | no |
+| [managed\_policy\_arns](#input\_managed\_policy\_arns) | Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Terraform will ignore policy attachments to this resource. When configured, Terraform will align the role's managed policy attachments with this set by attaching or detaching managed policies. | `list(string)` | `null` | no |
+| [max\_session\_duration](#input\_max\_session\_duration) | The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours. | `number` | `3600` | no |
+| [name](#input\_name) | Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource. | `string` | n/a | yes |
+| [name\_prefix](#input\_name\_prefix) | Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources.
| `string` | `null` | no |
+| [path](#input\_path) | The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide. | `string` | `"/"` | no |
+| [permissions\_boundary](#input\_permissions\_boundary) | The ARN of the policy that is used to set the permissions boundary for the role. | `string` | `null` | no |
+| [tags](#input\_tags) | Key-value mapping of tags for the IAM role. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS IAM Role |
+
\ No newline at end of file
diff --git a/modules/aws-iam-role/main.tf b/modules/aws-iam-role/main.tf
new file mode 100644
index 0000000..f68d733
--- /dev/null
+++ b/modules/aws-iam-role/main.tf
@@ -0,0 +1,12 @@
+resource "aws_iam_role" "this" {
+ assume_role_policy = var.assume_role_policy
+ name = var.name
+ name_prefix = var.name_prefix
+ description = var.description
+ force_detach_policies = var.force_detach_policies
+ managed_policy_arns = var.managed_policy_arns
+ max_session_duration = var.max_session_duration
+ path = var.path
+ permissions_boundary = var.permissions_boundary
+ tags = var.tags
+}
diff --git a/modules/aws-iam-role/output.tf b/modules/aws-iam-role/output.tf
new file mode 100644
index 0000000..17ef393
--- /dev/null
+++ b/modules/aws-iam-role/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS IAM Role"
+ value = aws_iam_role.this
+}
diff --git a/modules/aws-iam-role/variables.tf b/modules/aws-iam-role/variables.tf
new file mode 100644
index 0000000..ef6bd2a
--- /dev/null
+++ b/modules/aws-iam-role/variables.tf
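Review bot: `managed_policy_arns = var.managed_policy_arns` is an exclusive set: once a caller passes a non-null value, Terraform removes every attachment made to the role by other means on the next apply, including ones created through the `modules/aws-iam-role-policy-attachment` module added in this same commit. That interaction is easy to trip over and deserves a comment on the line, e.g. `# exclusive: when set, attachments made outside this resource (such as aws-iam-role-policy-attachment) are detached`. Newer AWS provider releases have also deprecated this argument in favour of a dedicated exclusive-attachment resource, so it is worth checking which provider version the repository pins before building on it.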
@@ -0,0 +1,57 @@
+variable "assume_role_policy" {
+ description = "The policy that grants an entity permission to assume the role."
+ type = string
+}
+
+variable "name" {
+ description = "Friendly name of the role. If omitted, Terraform will assign a random, unique name. Forces new resource."
+ type = string
+}
+
+variable "name_prefix" {
+ description = "Creates a unique friendly name beginning with the specified prefix. Conflicts with 'name'. Forces new resources."
+ type = string
+ default = null
+}
+
+variable "description" {
+ description = "The description of the IAM role."
+ type = string
+ default = null
+}
+
+variable "force_detach_policies" {
+ description = "Specifies whether to force detaching any policies the role has before destroying it. Defaults to false."
+ type = bool
+ default = false
+}
+
+variable "managed_policy_arns" {
+ description = "Set of exclusive IAM managed policy ARNs to attach to the IAM role. If this attribute is not configured, Terraform will ignore policy attachments to this resource. When configured, Terraform will align the role's managed policy attachments with this set by attaching or detaching managed policies."
+ type = list(string)
+ default = null
+}
+
+variable "max_session_duration" {
+ description = "The maximum session duration (in seconds) that you want to set for the specified role. If you do not specify a value for this setting, the default maximum of one hour is applied. This setting can have a value from 1 hour to 12 hours."
+ type = number
+ default = 3600
+}
+
+variable "path" {
+ description = "The path to the role. For more information about paths, see IAM Identifiers in the IAM User Guide."
+ type = string
+ default = "/"
+}
+
+variable "permissions_boundary" {
+ description = "The ARN of the policy that is used to set the permissions boundary for the role."
+ type = string
+ default = null
+}
+
+variable "tags" {
+ description = "Key-value mapping of tags for the IAM role."
+ type = map(string)
+ default = null
+}
diff --git a/modules/aws-neptune-cluster-parameter-group/README.md b/modules/aws-neptune-cluster-parameter-group/README.md
new file mode 100644
index 0000000..24ccf72
--- /dev/null
+++ b/modules/aws-neptune-cluster-parameter-group/README.md
@@ -0,0 +1,37 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_neptune_cluster_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster_parameter_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | The description of the Neptune cluster parameter group. | `string` | `null` | no |
+| [family](#input\_family) | The family of the Neptune cluster parameter group. | `string` | `null` | no |
+| [name](#input\_name) | The name of the Neptune cluster parameter group. | `string` | n/a | yes |
+| [parameters](#input\_parameters) | List of objects containing parameters for the Neptune cluster parameter group. |
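Review bot: `max_session_duration` and `assume_role_policy` are passed through unchecked, although the sibling `modules/aws-docdb-cluster/variables.tf` in this commit already uses `validation` blocks for its constrained inputs; IAM accepts session durations of 3600–43200 seconds only, and the trust policy must be valid JSON. A block with `condition = var.max_session_duration >= 3600 && var.max_session_duration <= 43200` and one with `condition = can(jsondecode(var.assume_role_policy))` would surface both at plan time. `name` has no default while `name_prefix` is documented as conflicting with it, so `name_prefix` can never actually be used; `default = null` on `name` resolves that.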
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
| n/a | yes |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | Neptune cluster parameter group |
+
\ No newline at end of file
diff --git a/modules/aws-neptune-cluster-parameter-group/main.tf b/modules/aws-neptune-cluster-parameter-group/main.tf
new file mode 100644
index 0000000..3572119
--- /dev/null
+++ b/modules/aws-neptune-cluster-parameter-group/main.tf
@@ -0,0 +1,16 @@
+resource "aws_neptune_cluster_parameter_group" "this" {
+ name = var.name
+ family = var.family
+ description = var.description
+
+ dynamic "parameter" {
+ for_each = var.parameters
+
+ content {
+ name = parameter.value.name
+ value = parameter.value.value
+ apply_method = parameter.value.apply_method != null ? parameter.value.apply_method : null
+ }
+ }
+}
+
diff --git a/modules/aws-neptune-cluster-parameter-group/outputs.tf b/modules/aws-neptune-cluster-parameter-group/outputs.tf
new file mode 100644
index 0000000..c75cf51
--- /dev/null
+++ b/modules/aws-neptune-cluster-parameter-group/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "Neptune cluster parameter group"
+ value = aws_neptune_cluster_parameter_group.this
+}
\ No newline at end of file
diff --git a/modules/aws-neptune-cluster-parameter-group/variables.tf b/modules/aws-neptune-cluster-parameter-group/variables.tf
new file mode 100644
index 0000000..deb91e0
--- /dev/null
+++ b/modules/aws-neptune-cluster-parameter-group/variables.tf
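Review bot: `var.tags` is declared in this module's `variables.tf` and advertised in its README, but the `aws_neptune_cluster_parameter_group` resource never sets it, so tags supplied by callers are silently dropped; add `tags = var.tags` after the `description` line, as the DocumentDB parameter-group module in this commit does. The `apply_method` conditional is also a no-op — both branches yield `parameter.value.apply_method`, and `optional(string, "immediate")` guarantees it is non-null — so `apply_method = parameter.value.apply_method` is equivalent and clearer.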
@@ -0,0 +1,33 @@
+variable "description" {
+ description = "The description of the Neptune cluster parameter group."
+ type = string
+ default = null
+}
+
+variable "family" {
+ description = "The family of the Neptune cluster parameter group."
+ type = string
+ default = null
+}
+
+variable "name" {
+ description = "The name of the Neptune cluster parameter group."
+ type = string
+}
+
+variable "parameters" {
+ description = "List of objects containing parameters for the Neptune cluster parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+}
+
+variable "tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
\ No newline at end of file
diff --git a/modules/aws-neptune-cluster/README.md b/modules/aws-neptune-cluster/README.md
new file mode 100644
index 0000000..179cd09
--- /dev/null
+++ b/modules/aws-neptune-cluster/README.md
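Review bot: `family` defaults to `null`, but the provider requires it for `aws_neptune_cluster_parameter_group`, so a caller who relies on the default only finds out at plan time, and the generated README wrongly lists the input as optional. Remove the `default` line so the requirement is visible in the interface, as `name` already does in the same file. The file also ends without a trailing newline, as do the other Neptune files in this commit marked `\ No newline at end of file`; adding a `terraform fmt -check` step next to the validate step in the workflow would catch that going forward.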
@@ -0,0 +1,45 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_neptune_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `null` | no |
+| [backup\_retention\_period](#input\_backup\_retention\_period) | The days to retain backups for. Default is 1 | `number` | `null` | no |
+| [enable\_cloudwatch\_logs\_exports](#input\_enable\_cloudwatch\_logs\_exports) | A list of the log types this DB cluster is configured to export to Cloudwatch Logs. Currently only supports audit and slowquery | `list(string)` | `null` | no |
+| [engine](#input\_engine) | The name of the database engine to be used for this Neptune cluster. | `string` | `null` | no |
+| [engine\_version](#input\_engine\_version) | The database engine version. | `string` | `null` | no |
+| [iam\_database\_authentication\_enabled](#input\_iam\_database\_authentication\_enabled) | Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. | `bool` | `null` | no |
+| [identifier](#input\_identifier) | The cluster identifier | `string` | `null` | no |
+| [neptune\_subnet\_group\_name](#input\_neptune\_subnet\_group\_name) | A subnet group to associate with this neptune instance.
| `string` | `null` | no |
+| [parameter\_group\_name](#input\_parameter\_group\_name) | cluster parameter group to associate with the cluster | `string` | `null` | no |
+| [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `null` | no |
+| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | Determines whether a final Neptune snapshot is created before the Neptune cluster is deleted. If true is specified, no Neptune snapshot is created. If false is specified, a Neptune snapshot is created before the Neptune cluster is deleted, using the value from final\_snapshot\_identifier | `bool` | `null` | no |
+| [storage\_type](#input\_storage\_type) | Storage type associated with the cluster standard/iopt1. Default: standard | `string` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | List of VPC security groups to associate with the Cluster | `list(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Neptune cluster |
+
\ No newline at end of file
diff --git a/modules/aws-neptune-cluster/main.tf b/modules/aws-neptune-cluster/main.tf
new file mode 100644
index 0000000..5acb372
--- /dev/null
+++ b/modules/aws-neptune-cluster/main.tf
@@ -0,0 +1,15 @@
+resource "aws_neptune_cluster" "this" {
+ cluster_identifier = var.identifier
+ engine = var.engine
+ engine_version = var.engine_version
+ backup_retention_period = var.backup_retention_period
+ skip_final_snapshot = var.skip_final_snapshot
+ enable_cloudwatch_logs_exports = var.enable_cloudwatch_logs_exports
+ neptune_cluster_parameter_group_name = var.parameter_group_name
+ iam_database_authentication_enabled = var.iam_database_authentication_enabled
+ vpc_security_group_ids = var.vpc_security_group_ids
+ neptune_subnet_group_name = var.neptune_subnet_group_name
+ storage_type = var.storage_type
+ preferred_maintenance_window = var.preferred_maintenance_window
+ apply_immediately = var.apply_immediately
+}
\ No newline at end of file
diff --git a/modules/aws-neptune-cluster/outputs.tf b/modules/aws-neptune-cluster/outputs.tf
new file mode 100644
index 0000000..1ec3d8b
--- /dev/null
+++ b/modules/aws-neptune-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+ description = "AWS Neptune cluster"
+ value = aws_neptune_cluster.this
+}
\ No newline at end of file
diff --git a/modules/aws-neptune-cluster/variables.tf b/modules/aws-neptune-cluster/variables.tf
new file mode 100644
index 0000000..e71e175
--- /dev/null
+++ b/modules/aws-neptune-cluster/variables.tf
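Review bot: `skip_final_snapshot = var.skip_final_snapshot` defaults to `null`, which leaves the provider's default of false in effect, yet the resource sets no `final_snapshot_identifier` even though the variable's own description refers to one; with nothing to snapshot into, destroying a cluster created with defaults is likely to be refused until the caller flips `skip_final_snapshot`. Add `final_snapshot_identifier = var.final_snapshot_identifier` with a matching variable, or give `skip_final_snapshot` an explicit default and document the consequence. `storage_encrypted` and `kms_key_arn` are also absent, so clusters are created unencrypted at rest by default, and `deletion_protection` is not exposed either, unlike the DocumentDB cluster module in this commit.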
@@ -0,0 +1,77 @@
+variable "identifier" {
+  description = "The cluster identifier"
+  type = string
+  default = null
+}
+
+variable "engine" {
+  description = "The name of the database engine to be used for this Neptune cluster."
+  type = string
+  default = null
+}
+
+variable "engine_version" {
+  description = "The database engine version."
+  type = string
+  default = null
+}
+
+variable "backup_retention_period" {
+  description = "The days to retain backups for. Default is 1"
+  type = number
+  default = null
+}
+
+variable "skip_final_snapshot" {
+  description = "Determines whether a final Neptune snapshot is created before the Neptune cluster is deleted. If true is specified, no Neptune snapshot is created. If false is specified, a Neptune snapshot is created before the Neptune cluster is deleted, using the value from final_snapshot_identifier"
+  type = bool
+  default = null
+}
+
+variable "apply_immediately" {
+  description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. "
+  type = bool
+  default = null
+}
+
+variable "enable_cloudwatch_logs_exports" {
+  description = "A list of the log types this DB cluster is configured to export to Cloudwatch Logs. Currently only supports audit and slowquery"
+  type = list(string)
+  default = null
+}
+
+variable "parameter_group_name" {
+  description = "cluster parameter group to associate with the cluster"
+  type = string
+  default = null
+}
+
+variable "iam_database_authentication_enabled" {
+  description = " Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled."
+  type = bool
+  default = null
+}
+
+variable "storage_type" {
+  description = "Storage type associated with the cluster standard/iopt1. Default: standard"
+  type = string
+  default = null
+}
+
+variable "preferred_maintenance_window" {
+  description = "Weekly time range during which system maintenance can occur, in (UTC)."
+  type = string
+  default = null
+}
+
+variable "vpc_security_group_ids" {
+  description = "List of VPC security groups to associate with the Cluster"
+  type = list(string)
+  default = null
+}
+
+variable "neptune_subnet_group_name" {
+  description = "A subnet group to associate with this neptune instance."
+  type = string
+  default = null
+}
\ No newline at end of file
diff --git a/modules/aws-neptune-instance/README.md b/modules/aws-neptune-instance/README.md
new file mode 100644
index 0000000..89ba511
--- /dev/null
+++ b/modules/aws-neptune-instance/README.md
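Review bot: `skip_final_snapshot` accepts `false`, but the module declares no `final_snapshot_identifier` input and main.tf never passes one, so a destroy with `skip_final_snapshot = false` will presumably be rejected by the provider for lacking a snapshot name — the variable's own description points at `final_snapshot_identifier`. Either add `variable "final_snapshot_identifier"` and wire it into the resource, or state in the description that only `true` or `null` is usable with this module. Separately, the `iam_database_authentication_enabled` description starts with a stray space and the `apply_immediately` description ends with one; terraform-docs copies both into the README verbatim.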
@@ -0,0 +1,41 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_neptune_cluster_instance.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/neptune_cluster_instance) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [apply\_immediately](#input\_apply\_immediately) | Specifies whether any instance modifications are applied immediately, or during the next maintenance window. | `bool` | `null` | no |
+| [auto\_minor\_version\_upgrade](#input\_auto\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the instance during the maintenance window. Default is true | `bool` | `null` | no |
+| [class](#input\_class) | The instance class to use. | `string` | `null` | no |
+| [cluster\_identifier](#input\_cluster\_identifier) | The identifier of the aws\_neptune\_cluster in which to launch this instance. | `string` | `null` | no |
+| [identifier](#input\_identifier) | The identifier for the neptune instance. | `string` | n/a | yes |
+| [neptune\_parameter\_group\_name](#input\_neptune\_parameter\_group\_name) | The name of the neptune parameter group to associate with this instance | `string` | `null` | no |
+| [neptune\_subnet\_group\_name](#input\_neptune\_subnet\_group\_name) | A subnet group to associate with this neptune instance. NOTE: This must match the neptune\_subnet\_group\_name of the attached aws\_neptune\_cluster | `string` | `null` | no |
+| [port](#input\_port) | The port on which the DB accepts connections. Defaults to 8182 | `number` | `null` | no |
+| [publicly\_accessible](#input\_publicly\_accessible) | Bool to control if instance is publicly accessible. 
Default is false | `bool` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Neptune cluster instance |
+
\ No newline at end of file
diff --git a/modules/aws-neptune-instance/main.tf b/modules/aws-neptune-instance/main.tf
new file mode 100644
index 0000000..6496d89
--- /dev/null
+++ b/modules/aws-neptune-instance/main.tf
@@ -0,0 +1,11 @@
+resource "aws_neptune_cluster_instance" "this" {
+  cluster_identifier = var.cluster_identifier
+  identifier = var.identifier
+  instance_class = var.class
+  port = var.port
+  publicly_accessible = var.publicly_accessible
+  neptune_subnet_group_name = var.neptune_subnet_group_name
+  neptune_parameter_group_name = var.neptune_parameter_group_name
+  auto_minor_version_upgrade = var.auto_minor_version_upgrade
+  apply_immediately = var.apply_immediately
+}
\ No newline at end of file
diff --git a/modules/aws-neptune-instance/outputs.tf b/modules/aws-neptune-instance/outputs.tf
new file mode 100644
index 0000000..5dd1b59
--- /dev/null
+++ b/modules/aws-neptune-instance/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS Neptune cluster instance"
+  value = aws_neptune_cluster_instance.this
+}
\ No newline at end of file
diff --git a/modules/aws-neptune-instance/variables.tf b/modules/aws-neptune-instance/variables.tf
new file mode 100644
index 0000000..dd09efc
--- /dev/null
+++ b/modules/aws-neptune-instance/variables.tf
@@ -0,0 +1,52 @@
+variable "apply_immediately" {
+  description = "Specifies whether any instance modifications are applied immediately, or during the next maintenance window."
+  type = bool
+  default = null
+}
+
+variable "auto_minor_version_upgrade" {
+  description = "Indicates that minor engine upgrades will be applied automatically to the instance during the maintenance window. Default is true"
+  type = bool
+  default = null
+}
+
+variable "cluster_identifier" {
+  description = "The identifier of the aws_neptune_cluster in which to launch this instance."
+  type = string
+  default = null
+}
+
+variable "identifier" {
+  description = "The identifier for the neptune instance."
+  type = string
+}
+
+variable "class" {
+  description = "The instance class to use."
+  type = string
+  default = null
+}
+
+variable "neptune_subnet_group_name" {
+  description = "A subnet group to associate with this neptune instance. NOTE: This must match the neptune_subnet_group_name of the attached aws_neptune_cluster"
+  type = string
+  default = null
+}
+
+variable "neptune_parameter_group_name" {
+  description = "The name of the neptune parameter group to associate with this instance"
+  type = string
+  default = null
+}
+
+variable "port" {
+  description = "The port on which the DB accepts connections. Defaults to 8182"
+  type = number
+  default = null
+}
+
+variable "publicly_accessible" {
+  description = "Bool to control if instance is publicly accessible. Default is false"
+  type = bool
+  default = null
+}
diff --git a/modules/aws-rds-option-group/README.md b/modules/aws-rds-option-group/README.md
new file mode 100644
index 0000000..85e0fe5
--- /dev/null
+++ b/modules/aws-rds-option-group/README.md
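Review bot: `cluster_identifier` and `class` are declared with `default = null`, yet `aws_neptune_cluster_instance` requires both `cluster_identifier` and `instance_class`, so an omitted value only surfaces as a provider error at plan time instead of as a missing-variable error from Terraform. Dropping the `default = null` line from those two blocks, as `identifier` already does, makes the contract explicit and lets terraform-docs mark them as required in the README. The `NOTE:` cross-reference on `neptune_subnet_group_name` is the kind of caller guidance the other descriptions in this file could use more of.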
@@ -0,0 +1,38 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_db_option_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/db_option_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | The description of the DB option group. | `string` | `null` | no |
+| [engine\_name](#input\_engine\_name) | value | `any` | n/a | yes |
+| [major\_engine\_version](#input\_major\_engine\_version) | value | `any` | n/a | yes |
+| [name](#input\_name) | The name of the DB option group. | `string` | n/a | yes |
+| [options](#input\_options) | List of objects containing options for the DB option group. |
list(
object({
option_name = string
option_settings = optional(
list(
object({
name = string
value = string
})
),
null
)
port = optional(string, null)
version = optional(string, null)
db_security_group_memberships = optional(list(string), null)
vpc_security_group_memberships = optional(list(string), null)
})
)
| n/a | yes |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | rds option group |
+
\ No newline at end of file
diff --git a/modules/aws-rds-option-group/main.tf b/modules/aws-rds-option-group/main.tf
new file mode 100644
index 0000000..3962791
--- /dev/null
+++ b/modules/aws-rds-option-group/main.tf
@@ -0,0 +1,28 @@
+resource "aws_db_option_group" "this" {
+  name = var.name
+  option_group_description = var.description
+  engine_name = var.engine_name
+  major_engine_version = var.major_engine_version
+  tags = var.tags
+
+  dynamic "option" {
+    for_each = var.options
+
+    content {
+      option_name = option.value.option_name
+      port = option.value.port != null ? option.value.port : null
+      version = option.value.version != null ? option.value.version : null
+      db_security_group_memberships = option.value.db_security_group_memberships != null ? option.value.db_security_group_memberships : null
+      vpc_security_group_memberships = option.value.vpc_security_group_memberships != null ? option.value.vpc_security_group_memberships : null
+
+      dynamic "option_settings" {
+        for_each = option.value.option_settings != null ? option.value.option_settings : []
+
+        content {
+          name = option_settings.value.name
+          value = option_settings.value.value
+        }
+      }
+    }
+  }
+}
diff --git a/modules/aws-rds-option-group/outputs.tf b/modules/aws-rds-option-group/outputs.tf
new file mode 100644
index 0000000..24edf7c
--- /dev/null
+++ b/modules/aws-rds-option-group/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "rds option group"
+  value = aws_db_option_group.this
+}
diff --git a/modules/aws-rds-option-group/variables.tf b/modules/aws-rds-option-group/variables.tf
new file mode 100644
index 0000000..be37bb7
--- /dev/null
+++ b/modules/aws-rds-option-group/variables.tf
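Review bot: The four `x != null ? x : null` expressions inside the `option` content block are identities — both branches yield `option.value.port` and so on — so they add noise without changing the plan; `port = option.value.port` (and likewise for `version`, `db_security_group_memberships` and `vpc_security_group_memberships`) is equivalent because the `options` object type already defaults those attributes to `null`. The guard on `option_settings` is the one that matters, since `for_each` cannot iterate `null`, and it is correct as written.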
@@ -0,0 +1,48 @@
+variable "description" {
+  description = "The description of the DB option group."
+  type = string
+  default = null
+}
+
+variable "engine_name" {
+  description = "value"
+  type = any
+}
+
+variable "major_engine_version" {
+  description = "value"
+  type = any
+}
+
+variable "name" {
+  description = "The name of the DB option group."
+  type = string
+}
+
+variable "options" {
+  description = "List of objects containing options for the DB option group."
+  type = list(
+    object({
+      option_name = string
+      option_settings = optional(
+        list(
+          object({
+            name = string
+            value = string
+          })
+        ),
+        null
+      )
+      port = optional(string, null)
+      version = optional(string, null)
+      db_security_group_memberships = optional(list(string), null)
+      vpc_security_group_memberships = optional(list(string), null)
+    })
+  )
+}
+
+variable "tags" {
+  description = "A map of tags to assign to the resource."
+  type = map(string)
+  default = null
+}
diff --git a/modules/aws-redshift-cluster/README.md b/modules/aws-redshift-cluster/README.md
new file mode 100644
index 0000000..c3d8909
--- /dev/null
+++ b/modules/aws-redshift-cluster/README.md
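Review bot: `engine_name` and `major_engine_version` ship with the placeholder description `"value"` and `type = any`, which terraform-docs has already propagated into the README as a meaningless column. Both feed string arguments of `aws_db_option_group`, so `type = string` plus a real description, e.g. `description = "Name of the engine this option group is associated with."` and `description = "Major engine version the option group applies to."`, gives callers type checking and a usable README. The `options` object type in the same file is fully specified, so these two blocks are the only ones that stand out.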
@@ -0,0 +1,55 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_redshift_cluster.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_cluster) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [apply\_immediately](#input\_apply\_immediately) | A boolean that indicates whether major version upgrades are applied immediately, regardless of the maintenance window. | `bool` | `true` | no |
+| [cluster\_identifier](#input\_cluster\_identifier) | Identifier of the Redshift cluster. Must be a lower case string. | `string` | n/a | yes |
+| [cluster\_parameter\_group\_name](#input\_cluster\_parameter\_group\_name) | The name of the parameter group to be associated with this cluster. | `string` | `null` | no |
+| [cluster\_subnet\_group\_name](#input\_cluster\_subnet\_group\_name) | The name of a cluster subnet group to be associated with this cluster. | `string` | `null` | no |
+| [cluster\_type](#input\_cluster\_type) | The type of the cluster. Valid values: single-node \| multi-node. | `string` | `"single-node"` | no |
+| [cluster\_version](#input\_cluster\_version) | The version of the Amazon Redshift engine software that you want to deploy on the cluster. | `string` | `"1.0"` | no |
+| [database\_name](#input\_database\_name) | The name of the first database to be created when the cluster is created. | `string` | `"dev"` | no |
+| [default\_iam\_role\_arn](#input\_default\_iam\_role\_arn) | The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created. | `string` | `null` | no |
+| [elastic\_ip](#input\_elastic\_ip) | The Elastic IP (EIP) address for the cluster. 
| `string` | `null` | no |
+| [final\_snapshot\_identifier](#input\_final\_snapshot\_identifier) | The identifier of the final snapshot that is to be created immediately before deleting the cluster. | `string` | `null` | no |
+| [iam\_roles](#input\_iam\_roles) | A list of IAM roles to associate with the cluster. A maximum of 10 IAM roles can be associated to the cluster at any time. | `list(string)` | `null` | no |
+| [master\_password](#input\_master\_password) | The password for the master database user. Must contain at least 8 characters and contain at least one uppercase letter, one lowercase letter, and one number. | `string` | n/a | yes |
+| [master\_username](#input\_master\_username) | The username for the master database user. | `string` | `"admin"` | no |
+| [node\_type](#input\_node\_type) | The node type to be provisioned for the cluster. | `string` | `"dc2.large"` | no |
+| [number\_of\_nodes](#input\_number\_of\_nodes) | The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node. | `number` | `1` | no |
+| [port](#input\_port) | The port number on which the cluster accepts incoming connections. Valid values are between 1115 and 65535 | `number` | `5439` | no |
+| [preferred\_maintenance\_window](#input\_preferred\_maintenance\_window) | The weekly time range (in UTC) during which automated cluster maintenance can occur. | `string` | `null` | no |
+| [publicly\_accessible](#input\_publicly\_accessible) | A boolean that indicates if the cluster is publicly accessible. If the value is true, the cluster can be accessed from a public network. | `bool` | `true` | no |
+| [skip\_final\_snapshot](#input\_skip\_final\_snapshot) | A boolean that indicates whether a final snapshot is created before the cluster is deleted. | `bool` | `true` | no |
+| [snapshot\_cluster\_identifier](#input\_snapshot\_cluster\_identifier) | The name of the cluster the source snapshot was created from. 
| `string` | `null` | no |
+| [snapshot\_identifier](#input\_snapshot\_identifier) | The name of the snapshot from which to create the new cluster | `string` | `null` | no |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+| [vpc\_security\_group\_ids](#input\_vpc\_security\_group\_ids) | A list of security group identifiers to associate with this cluster. | `list(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Redshift Cluster |
+
\ No newline at end of file
diff --git a/modules/aws-redshift-cluster/main.tf b/modules/aws-redshift-cluster/main.tf
new file mode 100644
index 0000000..110239a
--- /dev/null
+++ b/modules/aws-redshift-cluster/main.tf
@@ -0,0 +1,25 @@
+resource "aws_redshift_cluster" "this" {
+  apply_immediately = var.apply_immediately
+  cluster_identifier = var.cluster_identifier
+  cluster_parameter_group_name = var.cluster_parameter_group_name
+  cluster_subnet_group_name = var.cluster_subnet_group_name
+  cluster_type = var.cluster_type
+  cluster_version = var.cluster_version
+  database_name = var.database_name
+  default_iam_role_arn = var.default_iam_role_arn
+  elastic_ip = var.elastic_ip
+  final_snapshot_identifier = var.final_snapshot_identifier
+  iam_roles = var.iam_roles
+  master_password = var.master_password
+  master_username = var.master_username
+  node_type = var.node_type
+  number_of_nodes = var.number_of_nodes
+  port = var.port
+  preferred_maintenance_window = var.preferred_maintenance_window
+  publicly_accessible = var.publicly_accessible
+  skip_final_snapshot = var.skip_final_snapshot
+  snapshot_cluster_identifier = var.snapshot_cluster_identifier
+  snapshot_identifier = var.snapshot_identifier
+  tags = var.tags
+  vpc_security_group_ids = var.vpc_security_group_ids
+}
diff --git a/modules/aws-redshift-cluster/output.tf b/modules/aws-redshift-cluster/output.tf
new file mode 100644
index 0000000..349ffd1
--- /dev/null
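Review bot: `aws_redshift_cluster` has `encrypted` and `kms_key_id` arguments and main.tf sets neither, so the module cannot produce a cluster encrypted with a customer-managed key and silently inherits whatever the provider default for `encrypted` is. Given that the resource already passes 23 variables straight through, two more inputs, `encrypted = var.encrypted` and `kms_key_id = var.kms_key_id`, close that gap without changing the module's shape. `enhanced_vpc_routing` belongs in the same category if the cluster is expected to write audit logs to S3 (see the logging module in this commit) without leaving the VPC. The hunk holds the whole resource; nothing continues outside it.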
+++ b/modules/aws-redshift-cluster/output.tf
@@ -0,0 +1,5 @@
+output "this" {
+  description = "AWS Redshift Cluster"
+  value = aws_redshift_cluster.this
+  sensitive = true
+}
diff --git a/modules/aws-redshift-cluster/variables.tf b/modules/aws-redshift-cluster/variables.tf
new file mode 100644
index 0000000..8ebe24b
--- /dev/null
+++ b/modules/aws-redshift-cluster/variables.tf
@@ -0,0 +1,135 @@
+variable "cluster_identifier" {
+  description = "Identifier of the Redshift cluster. Must be a lower case string."
+  type = string
+}
+
+variable "database_name" {
+  description = "The name of the first database to be created when the cluster is created."
+  type = string
+  default = "dev"
+}
+
+variable "default_iam_role_arn" {
+  description = "The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created."
+  type = string
+  default = null
+}
+
+variable "node_type" {
+  description = "The node type to be provisioned for the cluster."
+  type = string
+  default = "dc2.large"
+}
+
+variable "cluster_type" {
+  description = "The type of the cluster. Valid values: single-node | multi-node."
+  type = string
+  default = "single-node"
+}
+
+variable "master_password" {
+  description = "The password for the master database user. Must contain at least 8 characters and contain at least one uppercase letter, one lowercase letter, and one number."
+  type = string
+}
+
+variable "master_username" {
+  description = "The username for the master database user."
+  type = string
+  default = "admin"
+}
+
+variable "vpc_security_group_ids" {
+  description = "A list of security group identifiers to associate with this cluster."
+  type = list(string)
+  default = null
+}
+
+variable "cluster_subnet_group_name" {
+  description = "The name of a cluster subnet group to be associated with this cluster."
+  type = string
+  default = null
+}
+
+variable "preferred_maintenance_window" {
+  description = "The weekly time range (in UTC) during which automated cluster maintenance can occur."
+  type = string
+  default = null
+}
+
+variable "cluster_parameter_group_name" {
+  description = "The name of the parameter group to be associated with this cluster."
+  type = string
+  default = null
+}
+
+variable "port" {
+  description = "The port number on which the cluster accepts incoming connections. 
Valid values are between 1115 and 65535"
+  type = number
+  default = 5439
+}
+
+variable "cluster_version" {
+  description = "The version of the Amazon Redshift engine software that you want to deploy on the cluster."
+  type = string
+  default = "1.0"
+}
+
+variable "apply_immediately" {
+  description = "A boolean that indicates whether major version upgrades are applied immediately, regardless of the maintenance window."
+  type = bool
+  default = true
+}
+
+variable "number_of_nodes" {
+  description = "The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node."
+  type = number
+  default = 1
+}
+
+variable "publicly_accessible" {
+  description = "A boolean that indicates if the cluster is publicly accessible. If the value is true, the cluster can be accessed from a public network."
+  type = bool
+  default = true
+}
+
+variable "elastic_ip" {
+  description = "The Elastic IP (EIP) address for the cluster."
+  type = string
+  default = null
+}
+
+variable "skip_final_snapshot" {
+  description = "A boolean that indicates whether a final snapshot is created before the cluster is deleted."
+  type = bool
+  default = true
+}
+
+variable "final_snapshot_identifier" {
+  description = "The identifier of the final snapshot that is to be created immediately before deleting the cluster."
+  type = string
+  default = null
+}
+
+variable "snapshot_identifier" {
+  description = "The name of the snapshot from which to create the new cluster"
+  type = string
+  default = null
+}
+
+variable "snapshot_cluster_identifier" {
+  description = "The name of the cluster the source snapshot was created from."
+  type = string
+  default = null
+}
+
+variable "iam_roles" {
+  description = "A list of IAM roles to associate with the cluster. A maximum of 10 IAM roles can be associated to the cluster at any time."
+  type = list(string)
+  default = null
+}
+
+variable "tags" {
+  description = "A map of tags to assign to the resource."
+  type = map(string)
+  default = null
+}
diff --git a/modules/aws-redshift-logging/README.md b/modules/aws-redshift-logging/README.md
new file mode 100644
index 0000000..24c1d13
--- /dev/null
+++ b/modules/aws-redshift-logging/README.md
@@ -0,0 +1,36 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_redshift_logging.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_logging) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [bucket\_name](#input\_bucket\_name) | The name of an existing S3 bucket where the log files are to be stored. Must be in the same region as the cluster and the cluster must have read bucket and put object permissions. | `string` | n/a | yes |
+| [cluster\_identifier](#input\_cluster\_identifier) | Identifier of the source cluster. | `string` | n/a | yes |
+| [log\_destination\_type](#input\_log\_destination\_type) | The log destination type. DSFHUB only supports s3 or null (audit via ODBC tables). Default is s3. | `string` | `"s3"` | no |
+| [s3\_key\_prefix](#input\_s3\_key\_prefix) | The prefix applied to the log file names. Must be 'redshift' for DSFHUB. | `string` | `"redshift"` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Redshift Logging configuration |
+
\ No newline at end of file
diff --git a/modules/aws-redshift-logging/main.tf b/modules/aws-redshift-logging/main.tf
new file mode 100644
index 0000000..173e498
--- /dev/null
+++ b/modules/aws-redshift-logging/main.tf
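Review bot: `master_password` is declared without `sensitive = true`, so nothing in the module marks it as a secret and Terraform only redacts it where the provider schema happens to; adding `sensitive = true` to that block makes Terraform redact the value wherever the variable is referenced and lets terraform-docs signal it in the README. The defaults `publicly_accessible = true` and `skip_final_snapshot = true` mean a zero-configuration call of this module yields a cluster reachable from a public network and destroyable without a snapshot; `false` for both (callers wanting today's behaviour set them explicitly) is the safer default, or at minimum the README should spell those defaults out. The `master_username` default `"admin"` is fine to keep but worth stating alongside the password rules. The hunk covers the whole file.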
@@ -0,0 +1,7 @@
+resource "aws_redshift_logging" "this" {
+  cluster_identifier = var.cluster_identifier
+  log_destination_type = var.log_destination_type
+
+  bucket_name = var.log_destination_type == "s3" ? var.bucket_name : null
+  s3_key_prefix = var.log_destination_type == "s3" ? var.s3_key_prefix : null
+}
diff --git a/modules/aws-redshift-logging/output.tf b/modules/aws-redshift-logging/output.tf
new file mode 100644
index 0000000..276e5d8
--- /dev/null
+++ b/modules/aws-redshift-logging/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS Redshift Logging configuration"
+  value = aws_redshift_logging.this
+}
diff --git a/modules/aws-redshift-logging/variables.tf b/modules/aws-redshift-logging/variables.tf
new file mode 100644
index 0000000..ed40ccd
--- /dev/null
+++ b/modules/aws-redshift-logging/variables.tf
@@ -0,0 +1,20 @@
+variable "cluster_identifier" {
+  description = "Identifier of the source cluster."
+  type = string
+}
+
+variable "log_destination_type" {
+  description = "The log destination type. DSFHUB only supports s3 or null (audit via ODBC tables). Default is s3."
+  type = string
+  default = "s3"
+}
+variable "bucket_name" {
+  description = "The name of an existing S3 bucket where the log files are to be stored. Must be in the same region as the cluster and the cluster must have read bucket and put object permissions."
+  type = string
+}
+
+variable "s3_key_prefix" {
+  description = "The prefix applied to the log file names. Must be 'redshift' for DSFHUB."
+  type = string
+  default = "redshift"
+}
diff --git a/modules/aws-redshift-parameter-group/README.md b/modules/aws-redshift-parameter-group/README.md
new file mode 100644
index 0000000..9ba3774
--- /dev/null
+++ b/modules/aws-redshift-parameter-group/README.md
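Review bot: `bucket_name` in variables.tf has no default and is therefore required, but main.tf only consumes it when `log_destination_type == "s3"`, so a caller choosing the null/ODBC mode that the `log_destination_type` description advertises still has to supply a bucket name just to satisfy variable validation. Giving `bucket_name` a `default = null` and adding a `lifecycle { precondition { ... } }` on the resource that requires a non-null name when the type is `"s3"` makes both modes genuinely selectable; `s3_key_prefix` has the same dependency but already defaults to `"redshift"`, so it is unaffected. The blank line between the `log_destination_type` and `bucket_name` blocks is also missing, which `terraform fmt` will not add for you.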
@@ -0,0 +1,37 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_redshift_parameter_group.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/redshift_parameter_group) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [description](#input\_description) | The description of the Redshift parameter group. | `string` | `null` | no |
+| [family](#input\_family) | The family of the Redshift parameter group. | `string` | `"redshift-1.0"` | no |
+| [name](#input\_name) | The name of the Redshift parameter group. | `string` | n/a | yes |
+| [parameters](#input\_parameters) | A list of Redshift parameters to apply. |
list(
object({
name = string
value = any
})
)
|
[
{
"name": "enable_user_activity_logging",
"value": "true"
}
]
| no |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Redshift parameter group |
+
\ No newline at end of file
diff --git a/modules/aws-redshift-parameter-group/main.tf b/modules/aws-redshift-parameter-group/main.tf
new file mode 100644
index 0000000..68af420
--- /dev/null
+++ b/modules/aws-redshift-parameter-group/main.tf
@@ -0,0 +1,15 @@
+resource "aws_redshift_parameter_group" "this" {
+  name = var.name
+  family = var.family
+  description = var.description
+  tags = var.tags
+
+  dynamic "parameter" {
+    for_each = var.parameters
+
+    content {
+      name = parameter.value.name
+      value = parameter.value.value
+    }
+  }
+}
diff --git a/modules/aws-redshift-parameter-group/output.tf b/modules/aws-redshift-parameter-group/output.tf
new file mode 100644
index 0000000..d1e874c
--- /dev/null
+++ b/modules/aws-redshift-parameter-group/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS Redshift parameter group"
+  value = aws_redshift_parameter_group.this
+}
diff --git a/modules/aws-redshift-parameter-group/variables.tf b/modules/aws-redshift-parameter-group/variables.tf
new file mode 100644
index 0000000..58ece92
--- /dev/null
+++ b/modules/aws-redshift-parameter-group/variables.tf
@@ -0,0 +1,36 @@
+variable "description" {
+  description = "The description of the Redshift parameter group."
+  type = string
+  default = null
+}
+
+variable "family" {
+  description = "The family of the Redshift parameter group."
+  type = string
+  default = "redshift-1.0"
+}
+
+variable "name" {
+  description = "The name of the Redshift parameter group."
+  type = string
+}
+
+variable "parameters" {
+  description = "A list of Redshift parameters to apply."
+  type = list(
+    object({
+      name = string
+      value = any
+    })
+  )
+  default = [{
+    name = "enable_user_activity_logging"
+    value = "true"
+  }]
+}
+
+variable "tags" {
+  description = "A map of tags to assign to the resource."
+  type = map(string)
+  default = null
+}
diff --git a/modules/aws-s3-bucket-policy/README.md b/modules/aws-s3-bucket-policy/README.md
new file mode 100644
index 0000000..2c55317
--- /dev/null
+++ b/modules/aws-s3-bucket-policy/README.md
@@ -0,0 +1,34 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket_policy.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket_policy) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [bucket](#input\_bucket) | Name of the bucket to which to apply the policy. | `string` | n/a | yes |
+| [policy](#input\_policy) | Text of the policy. Although this is a bucket policy rather than an IAM policy, the aws\_iam\_policy\_document data source may be used, so long as it specifies a principal. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS S3 bucket policy |
+
\ No newline at end of file
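Review bot: `parameters` types each `value` as `any` while the resource's `parameter` block takes a string, so a caller passing `value = true` relies on Terraform's implicit conversion to `"true"`; `value = string` in the object type states the contract and matches the default you already wrote as a quoted `"true"`. The default of `enable_user_activity_logging = "true"` is the right baseline for an audit-oriented parameter group, but it is the only parameter set; the description could say that callers replace rather than extend this list when they pass their own, since a list default is overwritten, not merged.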
diff --git a/modules/aws-s3-bucket-policy/main.tf b/modules/aws-s3-bucket-policy/main.tf
new file mode 100644
index 0000000..e18cda1
--- /dev/null
+++ b/modules/aws-s3-bucket-policy/main.tf
@@ -0,0 +1,4 @@
+resource "aws_s3_bucket_policy" "this" {
+  bucket = var.bucket
+  policy = var.policy
+}
diff --git a/modules/aws-s3-bucket-policy/output.tf b/modules/aws-s3-bucket-policy/output.tf
new file mode 100644
index 0000000..d123a5e
--- /dev/null
+++ b/modules/aws-s3-bucket-policy/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS S3 bucket policy"
+  value = aws_s3_bucket_policy.this
+}
diff --git a/modules/aws-s3-bucket-policy/variables.tf b/modules/aws-s3-bucket-policy/variables.tf
new file mode 100644
index 0000000..d95222c
--- /dev/null
+++ b/modules/aws-s3-bucket-policy/variables.tf
@@ -0,0 +1,9 @@
+variable "bucket" {
+  description = "Name of the bucket to which to apply the policy."
+  type = string
+}
+
+variable "policy" {
+  description = "Text of the policy. Although this is a bucket policy rather than an IAM policy, the aws_iam_policy_document data source may be used, so long as it specifies a principal."
+  type = string
+}
diff --git a/modules/aws-s3-bucket/README.md b/modules/aws-s3-bucket/README.md
new file mode 100644
index 0000000..754d3bb
--- /dev/null
+++ b/modules/aws-s3-bucket/README.md
@@ -0,0 +1,37 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [aws](#provider\_aws) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aws_s3_bucket.this](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [bucket](#input\_bucket) | The name of the bucket. Must be lowercase and less than or equal to 63 characters in length. | `string` | n/a | yes |
+| [bucket\_prefix](#input\_bucket\_prefix) | Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. Must be lowercase and less than or equal to 37 characters in length. | `string` | `null` | no |
+| [force\_destroy](#input\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the [aws terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy). | `bool` | `false` | no |
+| [object\_lock\_enabled](#input\_object\_lock\_enabled) | A boolean that indicates whether this bucket should have an Object Lock configuration enabled. | `bool` | `false` | no |
+| [tags](#input\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS S3 bucket |
+
\ No newline at end of file
diff --git a/modules/aws-s3-bucket/main.tf b/modules/aws-s3-bucket/main.tf
new file mode 100644
index 0000000..f18f240
--- /dev/null
+++ b/modules/aws-s3-bucket/main.tf
@@ -0,0 +1,7 @@
+resource "aws_s3_bucket" "this" {
+  bucket = var.bucket
+  bucket_prefix = var.bucket_prefix
+  force_destroy = var.force_destroy
+  object_lock_enabled = var.object_lock_enabled
+  tags = var.tags
+}
diff --git a/modules/aws-s3-bucket/output.tf b/modules/aws-s3-bucket/output.tf
new file mode 100644
index 0000000..b50e910
--- /dev/null
+++ b/modules/aws-s3-bucket/output.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS S3 bucket"
+  value = aws_s3_bucket.this
+}
diff --git a/modules/aws-s3-bucket/variables.tf b/modules/aws-s3-bucket/variables.tf
new file mode 100644
index 0000000..e22c2f9
--- /dev/null
+++ b/modules/aws-s3-bucket/variables.tf
@@ -0,0 +1,27 @@
+variable "bucket" {
+  description = "The name of the bucket. Must be lowercase and less than or equal to 63 characters in length."
+  type = string
+}
+
+variable "bucket_prefix" {
+  description = "Creates a unique bucket name beginning with the specified prefix. Conflicts with bucket. Must be lowercase and less than or equal to 37 characters in length."
+  type = string
+  default = null
+}
+
+variable "force_destroy" {
+  description = "A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the [aws terraform documentation](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy)."
+  type = bool
+  default = false
+}
+
+variable "object_lock_enabled" {
+  description = "A boolean that indicates whether this bucket should have an Object Lock configuration enabled."
+  type = bool
+  default = false
+}
+variable "tags" {
+  description = "A map of tags to assign to the resource."
+  type = map(string)
+  default = null
+}
diff --git a/modules/dsfhub-aws-docdb-cluster/README.md b/modules/dsfhub-aws-docdb-cluster/README.md
new file mode 100644
index 0000000..c0dafc8
--- /dev/null
+++ b/modules/dsfhub-aws-docdb-cluster/README.md
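Review bot: `variable "bucket"` in the variables.tf hunk has no default, so it is required, yet `bucket_prefix` is documented as conflicting with it and main.tf passes both to `aws_s3_bucket.this`; a caller who wants a prefixed name cannot omit `bucket`, and supplying both is rejected by the provider. Give `bucket` a `default = null` so that exactly one of the two can be set, matching how `bucket_prefix` is declared. The README rows for this module in the previous hunk would then show `bucket` as optional as well.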
@@ -0,0 +1,42 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about the assets. | `string` | `"test@example.com"` | no |
+| [asset\_display\_name](#input\_asset\_display\_name) | The display name of the asset. | `string` | `"AWS DocumentDB Cluster"` | no |
+| [asset\_id](#input\_asset\_id) | The unique identifier of the asset, typically its arn. | `string` | n/a | yes |
+| [cluster\_identifier](#input\_cluster\_identifier) | Identifier of AWS DocumentDB Cluster. | `string` | n/a | yes |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | DSFHUB Cloud Account Asset ID | `string` | n/a | yes |
+| [region](#input\_region) | AWS region of the AWS DocumentDB Cluster. | `string` | n/a | yes |
+| [server\_host\_name](#input\_server\_host\_name) | The endpoint of the AWS DocumentDB Cluster. | `string` | n/a | yes |
+| [server\_ip](#input\_server\_ip) | The IP address of the AWS DocumentDB Cluster. | `string` | n/a | yes |
+| [server\_port](#input\_server\_port) | The port on which the DB accepts connections. | `number` | `27017` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS DocumentDB Cluster asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-docdb-cluster/main.tf b/modules/dsfhub-aws-docdb-cluster/main.tf
new file mode 100644
index 0000000..82fba3d
--- /dev/null
+++ b/modules/dsfhub-aws-docdb-cluster/main.tf
@@ -0,0 +1,22 @@
+terraform {
+  required_providers {
+    dsfhub = {
+      source = "imperva/dsfhub"
+    }
+  }
+}
+
+resource "dsfhub_data_source" "this" {
+  server_type = "AWS DOCUMENTDB CLUSTER"
+
+  admin_email = var.admin_email
+  asset_display_name = var.asset_display_name
+  asset_id = var.asset_id
+  audit_type = "LOG_GROUP"
+  gateway_id = var.gateway_id
+  parent_asset_id = var.parent_asset_id
+  region = var.region
+  server_host_name = var.server_host_name
+  server_ip = var.server_ip
+  server_port = var.server_port
+}
diff --git a/modules/dsfhub-aws-docdb-cluster/outputs.tf b/modules/dsfhub-aws-docdb-cluster/outputs.tf
new file mode 100644
index 0000000..a598990
--- /dev/null
+++ b/modules/dsfhub-aws-docdb-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS DocumentDB Cluster asset"
+  value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-docdb-cluster/variables.tf b/modules/dsfhub-aws-docdb-cluster/variables.tf
new file mode 100644
index 0000000..82e1264
--- /dev/null
+++ b/modules/dsfhub-aws-docdb-cluster/variables.tf
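Review bot: `audit_type = "LOG_GROUP"` in the docdb main.tf hunk is hard-coded, whereas the neptune, mysql, oracle and redshift modules later in this diff expose it as `var.audit_type`; if LOG_GROUP is the only valid value for this server type, say so in a comment on that line, otherwise make it a variable with `default = "LOG_GROUP"` for consistency. Separately, this module's `required_providers` entry carries no version constraint while the redshift module pins `version = ">= 1.2.46"`; pinning a minimum here too would make the set of modules resolve the same provider line.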
@@ -0,0 +1,53 @@
+# DSFHUB asset variables
+variable "admin_email" {
+  description = "The email address to notify about the assets."
+  type = string
+  default = "test@example.com"
+}
+
+variable "asset_display_name" {
+  description = "The display name of the asset."
+  type = string
+  default = "AWS DocumentDB Cluster"
+}
+
+variable "asset_id" {
+  description = "The unique identifier of the asset, typically its arn."
+  type = string
+}
+
+variable "cluster_identifier" {
+  description = "Identifier of AWS DocumentDB Cluster."
+  type = string
+}
+
+variable "gateway_id" {
+  description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+  type = string
+}
+
+variable "parent_asset_id" {
+  description = "DSFHUB Cloud Account Asset ID"
+  type = string
+}
+
+variable "region" {
+  description = "AWS region of the AWS DocumentDB Cluster."
+  type = string
+}
+
+variable "server_host_name" {
+  description = "The endpoint of the AWS DocumentDB Cluster."
+  type = string
+}
+
+variable "server_ip" {
+  description = "The IP address of the AWS DocumentDB Cluster."
+  type = string
+}
+
+variable "server_port" {
+  description = "The port on which the DB accepts connections."
+  type = number
+  default = 27017
+}
diff --git a/modules/dsfhub-aws-neptune-cluster/README.md b/modules/dsfhub-aws-neptune-cluster/README.md
new file mode 100644
index 0000000..c873da9
--- /dev/null
+++ b/modules/dsfhub-aws-neptune-cluster/README.md
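Review bot: `variable "cluster_identifier"` is declared without a default, so every caller must supply it, but the module's main.tf hunk above never references `var.cluster_identifier`; either pass it to `dsfhub_data_source.this` or remove the variable so callers are not forced to provide an ignored value. Also, `admin_email` ships with `default = "test@example.com"`, a placeholder notification address that will be silently used whenever a caller forgets the input; the sibling dsfhub modules in this diff make `admin_email` required, and dropping the default here would match them.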
@@ -0,0 +1,41 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:cluster-name" | `string` | n/a | yes |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. Key-pair, iam\_role, profile or default | `string` | n/a | yes |
+| [region](#input\_region) | AWS region containing the instance. | `string` | n/a | yes |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+| [server\_port](#input\_server\_port) | Database port being used. | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Neptune cluster asset. |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-neptune-cluster/main.tf b/modules/dsfhub-aws-neptune-cluster/main.tf
new file mode 100644
index 0000000..c0e212f
--- /dev/null
+++ b/modules/dsfhub-aws-neptune-cluster/main.tf
@@ -0,0 +1,26 @@
+terraform {
+  required_providers {
+    dsfhub = {
+      source = "imperva/dsfhub"
+    }
+  }
+}
+
+resource "dsfhub_data_source" "this" {
+  server_type = "AWS NEPTUNE CLUSTER"
+
+  admin_email = var.admin_email
+  asset_display_name = var.asset_display_name
+  asset_id = var.asset_id
+  gateway_id = var.gateway_id
+  server_host_name = var.server_host_name
+  server_port = var.server_port
+  region = var.region
+  audit_type = var.audit_type
+  parent_asset_id = var.parent_asset_id
+
+  asset_connection {
+    auth_mechanism = "ec2"
+    reason = "default"
+  }
+}
\ No newline at end of file
diff --git a/modules/dsfhub-aws-neptune-cluster/outputs.tf b/modules/dsfhub-aws-neptune-cluster/outputs.tf
new file mode 100644
index 0000000..7f3d10a
--- /dev/null
+++ b/modules/dsfhub-aws-neptune-cluster/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS Neptune cluster asset."
+  value = dsfhub_data_source.this
+}
\ No newline at end of file
diff --git a/modules/dsfhub-aws-neptune-cluster/variables.tf b/modules/dsfhub-aws-neptune-cluster/variables.tf
new file mode 100644
index 0000000..dd10505
--- /dev/null
+++ b/modules/dsfhub-aws-neptune-cluster/variables.tf
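Review bot: The `asset_connection` block in the neptune main.tf hunk is unconditional and hard-codes `auth_mechanism = "ec2"` and `reason = "default"`, while the oracle and redshift modules later in this diff wrap the same block in `dynamic "asset_connection"` gated on `var.auth_mechanism != null` and take the mechanism from a variable. If ec2 is the only supported mechanism for a Neptune asset, a comment above the block saying so would justify the difference; otherwise adopt the same `dynamic` pattern so callers can opt out of creating a connection. Both main.tf and outputs.tf in this section also end without a trailing newline.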
@@ -0,0 +1,45 @@
+variable "admin_email" {
+  description = "The email address to notify about this asset"
+  type = string
+}
+
+variable "asset_display_name" {
+  description = "User-friendly name of the asset, defined by user"
+  type = string
+}
+
+variable "asset_id" {
+  description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:cluster:cluster-name\""
+  type = string
+}
+
+variable "gateway_id" {
+  description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+  type = string
+}
+
+variable "parent_asset_id" {
+  description = "The asset_id of AWS cloud account being used. E.g. Key-pair, iam_role, profile or default"
+  type = string
+}
+
+variable "region" {
+  description = "AWS region containing the instance."
+  type = string
+}
+
+variable "server_host_name" {
+  description = "Endpoint URL, e.g. .amazon.com"
+  type = string
+}
+
+variable "server_port" {
+  description = "Database port being used."
+  type = string
+}
+
+variable "audit_type" {
+  description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+  type = string
+  default = null
+}
diff --git a/modules/dsfhub-aws-rds-mariadb/README.md b/modules/dsfhub-aws-rds-mariadb/README.md
new file mode 100644
index 0000000..cace31a
--- /dev/null
+++ b/modules/dsfhub-aws-rds-mariadb/README.md
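Review bot: `variable "server_port"` is typed `string` here, while the docdb module earlier in this diff declares the same input as `type = number` with a default, and the redshift module later also uses `number`; callers composing these modules have to convert between the two. Unless the dsfhub provider requires a string for this server type, `type = number` would keep the modules interchangeable. The mariadb and mysql variables.tf hunks later in the diff have the same `string` typing.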
@@ -0,0 +1,41 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:db:db-name" | `string` | n/a | yes |
+| [database\_name](#input\_database\_name) | Specifies the name of the database you are connected to (or default DB). | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events) | `string` | n/a | yes |
+| [region](#input\_region) | AWS region containing the instance. | `string` | n/a | yes |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+| [server\_port](#input\_server\_port) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS RDS MariaDB asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-mariadb/main.tf b/modules/dsfhub-aws-rds-mariadb/main.tf
new file mode 100644
index 0000000..7fea5e8
--- /dev/null
+++ b/modules/dsfhub-aws-rds-mariadb/main.tf
@@ -0,0 +1,21 @@
+terraform {
+  required_providers {
+    dsfhub = {
+      source = "imperva/dsfhub"
+    }
+  }
+}
+
+resource "dsfhub_data_source" "this" {
+  server_type = "AWS RDS MARIADB"
+
+  admin_email = var.admin_email
+  asset_display_name = var.asset_display_name
+  asset_id = var.asset_id
+  database_name = var.database_name
+  gateway_id = var.gateway_id
+  parent_asset_id = var.parent_asset_id
+  region = var.region
+  server_host_name = var.server_host_name
+  server_port = var.server_port
+}
diff --git a/modules/dsfhub-aws-rds-mariadb/outputs.tf b/modules/dsfhub-aws-rds-mariadb/outputs.tf
new file mode 100644
index 0000000..b8f1f03
--- /dev/null
+++ b/modules/dsfhub-aws-rds-mariadb/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS RDS MariaDB asset"
+  value = dsfhub_data_source.this
+}
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-mariadb/variables.tf b/modules/dsfhub-aws-rds-mariadb/variables.tf
new file mode 100644
index 0000000..752753d
--- /dev/null
+++ b/modules/dsfhub-aws-rds-mariadb/variables.tf
@@ -0,0 +1,45 @@
+variable "admin_email" {
+  description = "The email address to notify about this asset"
+  type = string
+}
+
+variable "asset_display_name" {
+  description = "User-friendly name of the asset, defined by user"
+  type = string
+}
+
+variable "asset_id" {
+  description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:db:db-name\""
+  type = string
+}
+
+variable "database_name" {
+  description = "Specifies the name of the database you are connected to (or default DB)."
+  type = string
+  default = null
+}
+
+variable "gateway_id" {
+  description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+  type = string
+}
+
+variable "parent_asset_id" {
+  description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events)"
+  type = string
+}
+
+variable "region" {
+  description = "AWS region containing the instance."
+  type = string
+}
+
+variable "server_host_name" {
+  description = "Endpoint URL, e.g. .amazon.com"
+  type = string
+}
+
+variable "server_port" {
+  description = "Endpoint URL, e.g. .amazon.com"
+  type = string
+}
diff --git a/modules/dsfhub-aws-rds-mysql/README.md b/modules/dsfhub-aws-rds-mysql/README.md
new file mode 100644
index 0000000..9221e77
--- /dev/null
+++ b/modules/dsfhub-aws-rds-mysql/README.md
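Review bot: The description of `variable "server_port"` at the end of the mariadb variables.tf hunk, `"Endpoint URL, e.g. .amazon.com"`, is a copy of the `server_host_name` description and does not describe a port; the neptune module in this diff uses `description = "Database port being used."` for the same input. The mysql and oracle variables.tf hunks later in the diff repeat the same copied text, and the generated README tables for all three carry it into the public module docs.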
@@ -0,0 +1,42 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:db:db-name" | `string` | n/a | yes |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
+| [database\_name](#input\_database\_name) | Specifies the name of the database you are connected to (or default DB). | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events) | `string` | n/a | yes |
+| [region](#input\_region) | AWS region containing the instance. | `string` | n/a | yes |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+| [server\_port](#input\_server\_port) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | aws rds mysql asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-mysql/main.tf b/modules/dsfhub-aws-rds-mysql/main.tf
new file mode 100644
index 0000000..c14f447
--- /dev/null
+++ b/modules/dsfhub-aws-rds-mysql/main.tf
@@ -0,0 +1,22 @@
+terraform {
+  required_providers {
+    dsfhub = {
+      source = "imperva/dsfhub"
+    }
+  }
+}
+
+resource "dsfhub_data_source" "this" {
+  server_type = "AWS RDS MYSQL"
+
+  admin_email = var.admin_email
+  asset_display_name = var.asset_display_name
+  asset_id = var.asset_id
+  audit_type = var.audit_type
+  database_name = var.database_name
+  gateway_id = var.gateway_id
+  parent_asset_id = var.parent_asset_id
+  region = var.region
+  server_host_name = var.server_host_name
+  server_port = var.server_port
+}
diff --git a/modules/dsfhub-aws-rds-mysql/outputs.tf b/modules/dsfhub-aws-rds-mysql/outputs.tf
new file mode 100644
index 0000000..eb4111e
--- /dev/null
+++ b/modules/dsfhub-aws-rds-mysql/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "aws rds mysql asset"
+  value = dsfhub_data_source.this
+}
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-mysql/variables.tf b/modules/dsfhub-aws-rds-mysql/variables.tf
new file mode 100644
index 0000000..b0fa617
--- /dev/null
+++ b/modules/dsfhub-aws-rds-mysql/variables.tf
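Review bot: The output description in the mysql outputs.tf hunk, `description = "aws rds mysql asset"`, is the only lowercase one in this diff; the sibling modules use product casing such as "AWS RDS MariaDB asset" and "AWS RDS Oracle asset". `description = "AWS RDS MySQL asset"` would keep the generated README tables uniform. The file also ends without a trailing newline, unlike the mariadb module's main.tf in the previous section.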
@@ -0,0 +1,51 @@
+variable "admin_email" {
+  description = "The email address to notify about this asset"
+  type = string
+}
+
+variable "asset_display_name" {
+  description = "User-friendly name of the asset, defined by user"
+  type = string
+}
+
+variable "asset_id" {
+  description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:db:db-name\""
+  type = string
+}
+
+variable "audit_type" {
+  description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+  type = string
+  default = null
+}
+
+variable "database_name" {
+  description = "Specifies the name of the database you are connected to (or default DB)."
+  type = string
+  default = null
+}
+
+variable "gateway_id" {
+  description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+  type = string
+}
+
+variable "parent_asset_id" {
+  description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events)"
+  type = string
+}
+
+variable "region" {
+  description = "AWS region containing the instance."
+  type = string
+}
+
+variable "server_host_name" {
+  description = "Endpoint URL, e.g. .amazon.com"
+  type = string
+}
+
+variable "server_port" {
+  description = "Endpoint URL, e.g. .amazon.com"
+  type = string
+}
diff --git a/modules/dsfhub-aws-rds-oracle/README.md b/modules/dsfhub-aws-rds-oracle/README.md
new file mode 100644
index 0000000..7b4d7bc
--- /dev/null
+++ b/modules/dsfhub-aws-rds-oracle/README.md
@@ -0,0 +1,49 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:db:db-name" | `string` | n/a | yes |
+| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
+| [auth\_mechanism](#input\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `null` | no |
+| [dsn](#input\_dsn) | Datasource name to use in odbc.ini. If using the asset for SDM, keep a dummy DSN value. | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events) | `string` | `null` | no |
+| [password](#input\_password) | Password to use to connect to Oracle database. Must not include semicolons. | `string` | `null` | no |
+| [reason](#input\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no |
+| [region](#input\_region) | AWS region containing the instance. | `string` | `null` | no |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+| [server\_port](#input\_server\_port) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+| [service\_name](#input\_service\_name) | Oracle service name, or SID. e.g. ORCL | `string` | n/a | yes |
+| [username](#input\_username) | Username to use to connect to Oracle database. | `string` | `null` | no |
+| [wallet\_dir](#input\_wallet\_dir) | Path to the Oracle wallet directory | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS RDS Oracle asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-rds-oracle/main.tf b/modules/dsfhub-aws-rds-oracle/main.tf
new file mode 100644
index 0000000..192bdf4
--- /dev/null
+++ b/modules/dsfhub-aws-rds-oracle/main.tf
@@ -0,0 +1,37 @@
+terraform {
+  required_providers {
+    dsfhub = {
+      source = "imperva/dsfhub"
+    }
+  }
+}
+
+resource "dsfhub_data_source" "this" {
+  server_type = "AWS RDS ORACLE"
+
+  admin_email = var.admin_email
+  asset_display_name = var.asset_display_name
+  asset_id = var.asset_id
+  audit_pull_enabled = var.audit_pull_enabled
+  audit_type = var.audit_type
+  gateway_id = var.gateway_id
+  parent_asset_id = var.parent_asset_id
+  region = var.region
+  server_host_name = var.server_host_name
+  service_name = var.service_name
+  server_port = var.server_port
+
+  dynamic "asset_connection" {
+    # If auth_mechanism is not defined, do not create a connection
+    for_each = var.auth_mechanism != null ? [0] : []
+
+    content {
+      auth_mechanism = var.auth_mechanism
+      dsn = var.auth_mechanism == "oracle_wallet" ? var.dsn : null
+      password = var.password
+      reason = var.reason
+      username = var.username
+      wallet_dir = var.auth_mechanism == "oracle_wallet" ? var.wallet_dir : null
+    }
+  }
+}
diff --git a/modules/dsfhub-aws-rds-oracle/outputs.tf b/modules/dsfhub-aws-rds-oracle/outputs.tf
new file mode 100644
index 0000000..10e1956
--- /dev/null
+++ b/modules/dsfhub-aws-rds-oracle/outputs.tf
@@ -0,0 +1,4 @@
+output "this" {
+  description = "AWS RDS Oracle asset"
+  value = dsfhub_data_source.this
+}
diff --git a/modules/dsfhub-aws-rds-oracle/variables.tf b/modules/dsfhub-aws-rds-oracle/variables.tf
new file mode 100644
index 0000000..7d23383
--- /dev/null
+++ b/modules/dsfhub-aws-rds-oracle/variables.tf
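Review bot: `output "this"` in the oracle outputs.tf hunk returns the entire `dsfhub_data_source.this` object, which after the main.tf hunk above includes `asset_connection.password`, yet the output is not marked sensitive, so the credential is printed in plain text by `terraform output` and in the apply summary of any root module that re-exports it. The redshift module's output.tf later in this diff sets `sensitive = true` on the equivalent output; add the same line here. Alternatively, narrow `value` to the non-secret attributes callers actually need, such as the asset id.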
@@ -0,0 +1,94 @@
+variable "admin_email" {
+  description = "The email address to notify about this asset"
+  type = string
+}
+
+variable "asset_display_name" {
+  description = "User-friendly name of the asset, defined by user"
+  type = string
+}
+
+variable "asset_id" {
+  description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:db:db-name\""
+  type = string
+}
+
+variable "audit_pull_enabled" {
+  description = "If true, sonargateway will collect the audit logs for this system if it can."
+  type = bool
+  default = false
+}
+
+variable "audit_type" {
+  description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+  type = string
+  default = null
+}
+
+variable "auth_mechanism" {
+  description = "Specifies the auth mechanism used by the connection"
+  type = string
+  default = null
+}
+
+variable "dsn" {
+  description = "Datasource name to use in odbc.ini. If using the asset for SDM, keep a dummy DSN value."
+  type = string
+  default = null
+}
+
+variable "gateway_id" {
+  description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+  type = string
+}
+
+variable "parent_asset_id" {
+  description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events)"
+  type = string
+  default = null
+}
+
+variable "password" {
+  description = "Password to use to connect to Oracle database. Must not include semicolons."
+  type = string
+  default = null
+}
+
+variable "reason" {
+  description = "Used to differentiate connections that belong to the same asset"
+  type = string
+  default = "default"
+}
+
+variable "region" {
+  description = "AWS region containing the instance."
+  type = string
+  default = null
+}
+
+variable "server_host_name" {
+  description = "Endpoint URL, e.g. .amazon.com"
+  type = string
+}
+
+variable "server_port" {
+  description = "Endpoint URL, e.g. .amazon.com"
+  type = string
+}
+
+variable "service_name" {
+  description = "Oracle service name, or SID. e.g. ORCL"
+  type = string
+}
+
+variable "username" {
+  description = "Username to use to connect to Oracle database."
+  type = string
+  default = null
+}
+
+variable "wallet_dir" {
+  description = "Path to the Oracle wallet directory"
+  type = string
+  default = null
+}
diff --git a/modules/dsfhub-aws-redshift-cluster/README.md b/modules/dsfhub-aws-redshift-cluster/README.md
new file mode 100644
index 0000000..4c13e64
--- /dev/null
+++ b/modules/dsfhub-aws-redshift-cluster/README.md
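Review bot: `variable "password"` in the oracle variables.tf hunk is a database credential but is not declared `sensitive = true`, so its value appears verbatim in `terraform plan` and `apply` output, in CI logs such as the validate workflow this repository runs, and Terraform will not warn when a module output echoes it. Add `sensitive = true` alongside `default = null`. The same applies to `auth_mechanism`, which is compared only against `"oracle_wallet"` in main.tf: a `validation` block restricting it to the values the provider accepts would turn a typo into a plan-time error rather than a connection with a null `dsn` and `wallet_dir`.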
@@ -0,0 +1,56 @@
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#requirement\_dsfhub) | >= 1.2.46 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | >= 1.2.46 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [access\_id](#input\_access\_id) | The cluster identifier. | `string` | `null` | no |
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:rds:us-east-2:123456790:cluster:cluster-name" | `string` | n/a | yes |
+| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | Whether the DSFHUB should pull logs from the asset. | `bool` | `false` | no |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details. Valid values: TABLE \| REDSHIFT. | `string` | `null` | no |
+| [auth\_mechanism](#input\_auth\_mechanism) | The authentication mechanism to use for the Redshift asset. | `string` | `null` | no |
+| [aws\_connection\_id](#input\_aws\_connection\_id) | The stringified object ID of the AWS connection document. | `string` | `null` | no |
+| [bucket\_account\_id](#input\_bucket\_account\_id) | The account\_id of the bucket owner | `string` | `null` | no |
+| [database\_name](#input\_database\_name) | The database name. | `string` | `"dev"` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [logs\_destination\_asset\_id](#input\_logs\_destination\_asset\_id) | The asset\_id of the AWS S3 bucket asset when the audit\_type is set to REDSHIFT. | `string` | `null` | no |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. Key-pair, iam\_role, profile or default | `string` | n/a | yes |
+| [password](#input\_password) | The password to use for authentication. | `string` | `null` | no |
+| [region](#input\_region) | AWS region containing the Redshift cluster. | `string` | n/a | yes |
+| [server\_host\_name](#input\_server\_host\_name) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+| [server\_ip](#input\_server\_ip) | Endpoint URL, e.g. .amazon.com | `string` | n/a | yes |
+| [server\_port](#input\_server\_port) | Database port being used. Default: 5439 | `number` | `5439` | no |
+| [service\_name](#input\_service\_name) | The database name (see Service Name Guidelines). | `string` | `null` | no |
+| [ssl](#input\_ssl) | Whether to use SSL for the connection. | `bool` | `null` | no |
+| [tmp\_user](#input\_tmp\_user) | Whether the DSFHUB should create a temp user. | `bool` | `null` | no |
+| [username](#input\_username) | The username to use for authentication. | `string` | `null` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS Redshift cluster asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-redshift-cluster/main.tf b/modules/dsfhub-aws-redshift-cluster/main.tf
new file mode 100644
index 0000000..95190de
--- /dev/null
+++ b/modules/dsfhub-aws-redshift-cluster/main.tf
@@ -0,0 +1,47 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ version = ">= 1.2.46"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS REDSHIFT"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_pull_enabled = var.audit_pull_enabled
+ audit_type = var.audit_type
+ bucket_account_id = var.bucket_account_id
+ database_name = var.database_name
+ gateway_id = var.gateway_id
+ logs_destination_asset_id = var.logs_destination_asset_id
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_host_name = var.server_host_name
+ server_ip = var.server_ip
+ server_port = var.server_port
+ service_name = var.service_name
+
+ dynamic "asset_connection" {
+ # If auth_mechanism is not defined, do not create a connection
+ for_each = var.auth_mechanism != null ? [0] : []
+
+ content {
+ auth_mechanism = var.auth_mechanism
+ reason = "sonargateway"
+
+ username = var.auth_mechanism == "password" ? var.username : null
+ password = var.auth_mechanism == "password" ? var.password : null
+ database_name = var.auth_mechanism == "password" ? var.database_name : null
+ ssl = var.auth_mechanism == "password" ? var.ssl : null
+
+ access_id = var.auth_mechanism == "aws_credentials" ? var.access_id : null
+ aws_connection_id = var.auth_mechanism == "aws_credentials" ? var.aws_connection_id : null
+ tmp_user = var.auth_mechanism == "aws_credentials" ? var.tmp_user : null
+ }
+ }
+}
diff --git a/modules/dsfhub-aws-redshift-cluster/output.tf b/modules/dsfhub-aws-redshift-cluster/output.tf
new file mode 100644
index 0000000..87a7e24
--- /dev/null
+++ b/modules/dsfhub-aws-redshift-cluster/output.tf
@@ -0,0 +1,5 @@
+output "this" {
+ description = "AWS Redshift cluster asset"
+ value = dsfhub_data_source.this
+ sensitive = true
+}
diff --git a/modules/dsfhub-aws-redshift-cluster/variables.tf b/modules/dsfhub-aws-redshift-cluster/variables.tf
new file mode 100644
index 0000000..f879ca3
--- /dev/null
+++ b/modules/dsfhub-aws-redshift-cluster/variables.tf
@@ -0,0 +1,125 @@
+# Asset variables
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:rds:us-east-2:123456790:cluster:cluster-name\""
+ type = string
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details. Valid values: TABLE | REDSHIFT."
+ type = string
+ default = null
+}
+
+variable "audit_pull_enabled" {
+ description = "Whether the DSFHUB should pull logs from the asset."
+ type = bool
+ default = false
+}
+
+variable "bucket_account_id" {
+ description = "The account_id of the bucket owner"
+ type = string
+ default = null
+}
+
+variable "database_name" {
+ description = "The database name."
+ type = string
+ default = "dev"
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "logs_destination_asset_id" {
+ description = "The asset_id of the AWS S3 bucket asset when the audit_type is set to REDSHIFT."
+ type = string
+ default = null
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of AWS cloud account being used. E.g. Key-pair, iam_role, profile or default"
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the Redshift cluster."
+ type = string
+}
+
+variable "server_host_name" {
+ description = "Endpoint URL, e.g. .amazon.com"
+ type = string
+}
+
+variable "server_ip" {
+ description = "Endpoint URL, e.g. .amazon.com"
+ type = string
+}
+
+variable "server_port" {
+ description = "Database port being used. Default: 5439"
+ type = number
+ default = 5439
+}
+
+variable "service_name" {
+ description = "The database name (see Service Name Guidelines)."
+ type = string
+ default = null
+}
+
+# Connection variables
+variable "auth_mechanism" {
+ description = "The authentication mechanism to use for the Redshift asset."
+ type = string
+ default = null
+}
+
+variable "username" {
+ description = "The username to use for authentication."
+ type = string
+ default = null
+}
+
+variable "password" {
+ description = "The password to use for authentication."
+ type = string
+ default = null
+}
+
+variable "access_id" {
+ description = "The cluster identifier."
+ type = string
+ default = null
+}
+
+variable "aws_connection_id" {
+ description = "The stringified object ID of the AWS connection document."
+ type = string
+ default = null
+}
+
+variable "tmp_user" {
+ description = "Whether the DSFHUB should create a temp user."
+ type = bool
+ default = null
+}
+
+variable "ssl" {
+ description = "Whether to use SSL for the connection."
+ type = bool
+ default = null
+}
diff --git a/modules/dsfhub-aws-s3-bucket-ds/README.md b/modules/dsfhub-aws-s3-bucket-ds/README.md
new file mode 100644
index 0000000..a72c65f
--- /dev/null
+++ b/modules/dsfhub-aws-s3-bucket-ds/README.md
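Review bot: `variable "password"` is declared without `sensitive = true`, so the value the module forwards into the `asset_connection` block is printed in plan and apply output and in any CI log that captures it; the module's `output "this"` is already `sensitive`, so only the input side is missing. Separately, `auth_mechanism` is unconstrained even though main.tf only populates credentials for `"password"` and `"aws_credentials"`, so any other string produces a connection block with every credential attribute `null` and the mistake is only discovered at apply time. A validation block on `auth_mechanism`, plus the accepted values in its description, catches that at plan time. Both changes are below; the remaining variables are unchanged.

```hcl
# … unchanged: asset variables …

# Connection variables
variable "auth_mechanism" {
  description = "The authentication mechanism to use for the Redshift asset. Valid values: password | aws_credentials."
  type        = string
  default     = null
  validation {
    condition     = var.auth_mechanism == null ? true : contains(["password", "aws_credentials"], var.auth_mechanism)
    error_message = "auth_mechanism must be one of: password, aws_credentials."
  }
}

# … unchanged: username …

variable "password" {
  description = "The password to use for authentication."
  type        = string
  default     = null
  sensitive   = true
}

# … unchanged: access_id, aws_connection_id, tmp_user, ssl …
```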
@@ -0,0 +1,41 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_data_source.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/data_source) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by the user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:s3:::bucket-name" | `string` | n/a | yes |
+| [audit\_type](#input\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. Key-pair, iam\_role, profile or default | `string` | n/a | yes |
+| [region](#input\_region) | AWS region containing the instance. | `string` | n/a | yes |
+| [server\_host\_name](#input\_server\_host\_name) | S3 bucket name. | `string` | n/a | yes |
+| [server\_port](#input\_server\_port) | Database port being used. | `number` | `443` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS S3 bucket data source asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-s3-bucket-ds/main.tf b/modules/dsfhub-aws-s3-bucket-ds/main.tf
new file mode 100644
index 0000000..094b95f
--- /dev/null
+++ b/modules/dsfhub-aws-s3-bucket-ds/main.tf
@@ -0,0 +1,26 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_data_source" "this" {
+ server_type = "AWS S3"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_type = var.audit_type
+ gateway_id = var.gateway_id
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_host_name = var.server_host_name
+ server_port = var.server_port
+
+ asset_connection {
+ auth_mechanism = "default"
+ reason = "sonargateway"
+ }
+}
diff --git a/modules/dsfhub-aws-s3-bucket-ds/output.tf b/modules/dsfhub-aws-s3-bucket-ds/output.tf
new file mode 100644
index 0000000..080d602
--- /dev/null
+++ b/modules/dsfhub-aws-s3-bucket-ds/output.tf
@@ -0,0 +1,5 @@
+output "this" {
+ description = "AWS S3 bucket data source asset"
+ value = dsfhub_data_source.this
+ sensitive = true
+}
diff --git a/modules/dsfhub-aws-s3-bucket-ds/variables.tf b/modules/dsfhub-aws-s3-bucket-ds/variables.tf
new file mode 100644
index 0000000..d51c53a
--- /dev/null
+++ b/modules/dsfhub-aws-s3-bucket-ds/variables.tf
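Review bot: The `required_providers` entry for `dsfhub` in this main.tf has no `version` constraint, while the `dsfhub-aws-redshift-cluster` module added in the same PR pins `version = ">= 1.2.46"`; `dsfhub-aws-s3-bucket-la/main.tf` has the same gap. Without a lower bound `terraform init` accepts any provider release, possibly one that predates the attributes used in these resources, and terraform-docs consequently reports "No requirements" in both READMEs. Add the minimum version these resources need, e.g. `version = ">= 1.2.46"` if the redshift module's floor applies here as well.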
@@ -0,0 +1,48 @@
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by the user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:s3:::bucket-name\""
+ type = string
+}
+
+variable "audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of AWS cloud account being used. E.g. Key-pair, iam_role, profile or default"
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the instance."
+ type = string
+}
+
+variable "server_host_name" {
+ description = "S3 bucket name."
+ type = string
+}
+
+variable "server_port" {
+ description = "Database port being used."
+ type = number
+ default = 443
+}
+
+
diff --git a/modules/dsfhub-aws-s3-bucket-la/README.md b/modules/dsfhub-aws-s3-bucket-la/README.md
new file mode 100644
index 0000000..77e053e
--- /dev/null
+++ b/modules/dsfhub-aws-s3-bucket-la/README.md
@@ -0,0 +1,45 @@
+
+## Requirements
+
+No requirements.
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| [dsfhub](#provider\_dsfhub) | n/a |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [dsfhub_log_aggregator.this](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs/resources/log_aggregator) | resource |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| [admin\_email](#input\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes |
+| [asset\_display\_name](#input\_asset\_display\_name) | User-friendly name of the asset, defined by the user | `string` | n/a | yes |
+| [asset\_id](#input\_asset\_id) | AWS ARN, e.g. "arn:aws:s3:::bucket-name" | `string` | n/a | yes |
+| [audit\_pull\_enabled](#input\_audit\_pull\_enabled) | Whether the DSFHUB should pull logs from the asset. | `bool` | `false` | no |
+| [audit\_type](#input\_audit\_type) | Used to indicate what type of audit will be pulled on systems supporting multiple audit types. Valid values: LOG\_GROUP (default), KINESIS, CLOUDWATCH, REDSHIFT, DYNAMODB | `string` | `"LOG_GROUP"` | no |
+| [bucket\_account\_id](#input\_bucket\_account\_id) | Mandatory for audit types: REDSHIFT and DYNAMODB. Account number found in the prefix of the files we are pulling. e.g: `123456789012` out of `redshift/AWSLogs/123456789012/redshift/us-east-1/2024/06/25/my_file.gz` | `string` | `null` | no |
+| [gateway\_id](#input\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes |
+| [parent\_asset\_id](#input\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. Key-pair, iam\_role, profile or default | `string` | n/a | yes |
+| [region](#input\_region) | AWS region containing the instance. | `string` | n/a | yes |
+| [s3\_provider](#input\_s3\_provider) | Required only for AWS RDS MS SQL SERVER. Accepted value: 'aws-rds-mssql' | `string` | `null` | no |
+| [server\_host\_name](#input\_server\_host\_name) | S3 bucket name. | `string` | n/a | yes |
+| [server\_ip](#input\_server\_ip) | S3 bucket ARN. | `string` | n/a | yes |
+| [server\_port](#input\_server\_port) | Database port being used. | `number` | `443` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| [this](#output\_this) | AWS S3 bucket log aggregator asset |
+
\ No newline at end of file
diff --git a/modules/dsfhub-aws-s3-bucket-la/main.tf b/modules/dsfhub-aws-s3-bucket-la/main.tf
new file mode 100644
index 0000000..aec3c83
--- /dev/null
+++ b/modules/dsfhub-aws-s3-bucket-la/main.tf
@@ -0,0 +1,30 @@
+terraform {
+ required_providers {
+ dsfhub = {
+ source = "imperva/dsfhub"
+ }
+ }
+}
+
+resource "dsfhub_log_aggregator" "this" {
+ server_type = "AWS S3"
+
+ admin_email = var.admin_email
+ asset_display_name = var.asset_display_name
+ asset_id = var.asset_id
+ audit_pull_enabled = var.audit_pull_enabled
+ audit_type = var.audit_type
+ bucket_account_id = var.bucket_account_id
+ gateway_id = var.gateway_id
+ parent_asset_id = var.parent_asset_id
+ region = var.region
+ server_host_name = var.server_host_name
+ server_ip = var.server_ip
+ server_port = var.server_port
+ s3_provider = var.s3_provider
+
+ asset_connection {
+ auth_mechanism = "default"
+ reason = "default"
+ }
+}
diff --git a/modules/dsfhub-aws-s3-bucket-la/output.tf b/modules/dsfhub-aws-s3-bucket-la/output.tf
new file mode 100644
index 0000000..32693b7
--- /dev/null
+++ b/modules/dsfhub-aws-s3-bucket-la/output.tf
@@ -0,0 +1,5 @@
+output "this" {
+ description = "AWS S3 bucket log aggregator asset"
+ value = dsfhub_log_aggregator.this
+ sensitive = true
+}
diff --git a/modules/dsfhub-aws-s3-bucket-la/variables.tf b/modules/dsfhub-aws-s3-bucket-la/variables.tf
new file mode 100644
index 0000000..5b9b7c1
--- /dev/null
+++ b/modules/dsfhub-aws-s3-bucket-la/variables.tf
@@ -0,0 +1,73 @@
+variable "admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "asset_display_name" {
+ description = "User-friendly name of the asset, defined by the user"
+ type = string
+}
+
+variable "asset_id" {
+ description = "AWS ARN, e.g. \"arn:aws:s3:::bucket-name\""
+ type = string
+}
+
+variable "audit_pull_enabled" {
+ description = "Whether the DSFHUB should pull logs from the asset."
+ type = bool
+ default = false
+}
+
+variable "audit_type" {
+ description = "Used to indicate what type of audit will be pulled on systems supporting multiple audit types. Valid values: LOG_GROUP (default), KINESIS, CLOUDWATCH, REDSHIFT, DYNAMODB"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = can(regex("LOG_GROUP|KINESIS|CLOUDWATCH|REDSHIFT|DYNAMODB", var.audit_type))
+ error_message = "audit_type must be one of LOG_GROUP, KINESIS, CLOUDWATCH, REDSHIFT, DYNAMODB"
+ }
+}
+
+variable "bucket_account_id" {
+ description = "Mandatory for audit types: REDSHIFT and DYNAMODB. Account number found in the prefix of the files we are pulling. e.g: `123456789012` out of `redshift/AWSLogs/123456789012/redshift/us-east-1/2024/06/25/my_file.gz`"
+ type = string
+ default = null
+}
+
+variable "gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "parent_asset_id" {
+ description = "The asset_id of AWS cloud account being used. E.g. Key-pair, iam_role, profile or default"
+ type = string
+}
+
+variable "region" {
+ description = "AWS region containing the instance."
+ type = string
+}
+
+variable "server_host_name" {
+ description = "S3 bucket name."
+ type = string
+}
+
+variable "server_ip" {
+ description = "S3 bucket ARN."
+ type = string
+}
+
+variable "server_port" {
+ description = "Database port being used."
+ type = number
+ default = 443
+}
+
+variable "s3_provider" {
+ description = "Required only for AWS RDS MS SQL SERVER. Accepted value: 'aws-rds-mssql'"
+ type = string
+ default = null
+}
diff --git a/modules/onboard-aws-docdb-cluster/README.md b/modules/onboard-aws-docdb-cluster/README.md
new file mode 100644
index 0000000..49c991e
--- /dev/null
+++ b/modules/onboard-aws-docdb-cluster/README.md
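Review bot: The `audit_type` validation uses an unanchored pattern, `can(regex("LOG_GROUP|KINESIS|CLOUDWATCH|REDSHIFT|DYNAMODB", var.audit_type))`, so any string that merely contains one of the tokens (for example `MYREDSHIFT`) passes and is forwarded to the provider unchecked. The sibling `onboard-aws-docdb-cluster/variables.tf` in this PR anchors its pattern (`^(iopt1|standard)$`); here the simplest exact check is `condition = contains(["LOG_GROUP", "KINESIS", "CLOUDWATCH", "REDSHIFT", "DYNAMODB"], var.audit_type)`. The description of `bucket_account_id` says it is mandatory for `REDSHIFT` and `DYNAMODB`, but nothing enforces that; cross-variable validation needs a recent Terraform, so if the project's minimum version does not allow it, a comment next to the variable stating that the requirement is not checked at plan time would help callers.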
@@ -0,0 +1,83 @@ +# onboard-aws-docdb-cluster +Onboard Amazon DocumentDB to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [docdb-cluster](#module\_docdb-cluster) | ../aws-docdb-cluster | n/a | +| [docdb-cluster-asset](#module\_docdb-cluster-asset) | ../dsfhub-aws-docdb-cluster | n/a | +| [docdb-cluster-instance](#module\_docdb-cluster-instance) | ../aws-docdb-cluster-instance | n/a | +| [docdb-log-group](#module\_docdb-log-group) | ../aws-cloudwatch-log-group | n/a | +| [docdb-log-group-asset](#module\_docdb-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [docdb-param-group](#module\_docdb-param-group) | ../aws-docdb-cluster-parameter-group | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_docdb\_cluster\_admin\_email](#input\_aws\_docdb\_cluster\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_docdb\_cluster\_gateway\_id](#input\_aws\_docdb\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_docdb\_cluster\_parent\_asset\_id](#input\_aws\_docdb\_cluster\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events) | `string` | n/a | yes | +| [aws\_docdb\_cluster\_region](#input\_aws\_docdb\_cluster\_region) | AWS region of the DocumentDB Cluster. | `string` | n/a | yes | +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. 
| `string` | n/a | yes | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_log\_group\_reason](#input\_aws\_log\_group\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [cluster\_db\_subnet\_group\_name](#input\_cluster\_db\_subnet\_group\_name) | A DB subnet group to associate with this DB instance. | `string` | n/a | yes | +| [cluster\_deletion\_protection](#input\_cluster\_deletion\_protection) | A value that indicates whether the DB cluster has deletion protection enabled. The database can't be deleted when deletion protection is enabled. | `bool` | `false` | no | +| [cluster\_enabled\_cloudwatch\_logs\_exports](#input\_cluster\_enabled\_cloudwatch\_logs\_exports) | List of log types to export to CloudWatch. | `list(string)` |
[
"audit"
]
| no | +| [cluster\_engine\_version](#input\_cluster\_engine\_version) | Database engine version, e.g. "5.0.0" | `string` | `"5.0.0"` | no | +| [cluster\_final\_snapshot\_identifier](#input\_cluster\_final\_snapshot\_identifier) | The name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made. Must be provided if skip\_final\_snapshot is set to false. | `string` | `null` | no | +| [cluster\_identifier](#input\_cluster\_identifier) | Identifier of DocumentDB Cluster. | `string` | n/a | yes | +| [cluster\_master\_password](#input\_cluster\_master\_password) | Password for the master DB user. | `string` | n/a | yes | +| [cluster\_master\_username](#input\_cluster\_master\_username) | Master DB username. | `string` | `"docdb"` | no | +| [cluster\_port](#input\_cluster\_port) | The port on which the DB accepts connections. | `number` | `27017` | no | +| [cluster\_skip\_final\_snapshot](#input\_cluster\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final\_snapshot\_identifier | `bool` | `true` | no | +| [cluster\_storage\_type](#input\_cluster\_storage\_type) | The storage type to associate with the DB cluster. | `string` | `"standard"` | no | +| [cluster\_tags](#input\_cluster\_tags) | A map of tags to assign to the DB cluster. | `map(string)` | `null` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate with the Cluster | `list(string)` | n/a | yes | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. 
| `bool` | `true` | no | +| [instance\_count](#input\_instance\_count) | The number of instances to create in the DocumentDB cluster. | `number` | `1` | no | +| [instance\_instance\_class](#input\_instance\_instance\_class) | The instance type of the DocumentDB cluster. Example: 'db.r5.large'. Reference: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-class-specs | `string` | `"db.r5.large"` | no | +| [instance\_promotion\_tier](#input\_instance\_promotion\_tier) | Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoted to a writer in case of failover. | `number` | `0` | no | +| [instance\_tags](#input\_instance\_tags) | A map of tags to assign to the DocumentDB instance. | `map(string)` | `null` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | The number of days to retain log events. | `number` | `7` | no | +| [parameter\_group\_description](#input\_parameter\_group\_description) | The description of the DocumentDB cluster parameter group. | `string` | `"Managed by Terraform"` | no | +| [parameter\_group\_family](#input\_parameter\_group\_family) | Database family version, e.g. "docdb5.0" | `string` | `"docdb5.0"` | no | +| [parameter\_group\_name](#input\_parameter\_group\_name) | The name of the DocumentDB cluster parameter group. | `string` | `"docdb-parameter-group"` | no | +| [parameter\_group\_parameters](#input\_parameter\_group\_parameters) | List of objects containing parameters for the DocumentDB parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"apply_method": "immediate",
"name": "audit_logs",
"value": "all"
}
]
| no | +| [parameter\_group\_tags](#input\_parameter\_group\_tags) | A map of tags to assign to the cluster. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [docdb-cluster](#output\_docdb-cluster) | docdb cluster | +| [docdb-cluster-asset](#output\_docdb-cluster-asset) | docdb cluster asset | +| [docdb-cluster-instance](#output\_docdb-cluster-instance) | docdb cluster instance | +| [docdb-log-group](#output\_docdb-log-group) | docdb log group | +| [docdb-log-group-asset](#output\_docdb-log-group-asset) | docdb log group asset | +| [docdb-param-group](#output\_docdb-param-group) | docdb parameter group | + \ No newline at end of file diff --git a/modules/onboard-aws-docdb-cluster/main.tf b/modules/onboard-aws-docdb-cluster/main.tf new file mode 100644 index 0000000..8fcdb37 --- /dev/null +++ b/modules/onboard-aws-docdb-cluster/main.tf 
@@ -0,0 +1,79 @@
+module "docdb-param-group" {
+ source = "../aws-docdb-cluster-parameter-group"
+
+ description = var.parameter_group_description
+ family = var.parameter_group_family
+ name = var.parameter_group_name
+ parameters = var.parameter_group_parameters
+ tags = var.parameter_group_tags
+}
+
+module "docdb-cluster" {
+ source = "../aws-docdb-cluster"
+
+ depends_on = [module.docdb-log-group]
+
+ apply_immediately = var.cluster_apply_immediately
+ cluster_identifier = var.cluster_identifier
+ db_cluster_parameter_group_name = module.docdb-param-group.this.name
+ db_subnet_group_name = var.cluster_db_subnet_group_name
+ deletion_protection = var.cluster_deletion_protection
+ enabled_cloudwatch_logs_exports = var.cluster_enabled_cloudwatch_logs_exports
+ engine_version = var.cluster_engine_version
+ final_snapshot_identifier = var.cluster_final_snapshot_identifier
+ master_password = var.cluster_master_password
+ master_username = var.cluster_master_username
+ port = var.cluster_port
+ skip_final_snapshot = var.cluster_skip_final_snapshot
+ storage_type = var.cluster_storage_type
+ tags = var.cluster_tags
+ vpc_security_group_ids = var.cluster_vpc_security_group_ids
+}
+
+module "docdb-cluster-instance" {
+ source = "../aws-docdb-cluster-instance"
+
+ depends_on = [module.docdb-cluster]
+
+ apply_immediately = var.instance_apply_immediately
+ cluster_identifier = var.cluster_identifier
+ count = var.instance_count
+ instance_class = var.instance_instance_class
+ promotion_tier = var.instance_promotion_tier
+ tags = var.instance_tags
+}
+
+module "docdb-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/docdb/${var.cluster_identifier}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "docdb-cluster-asset" {
+ source = "../dsfhub-aws-docdb-cluster"
+
+ admin_email = var.aws_docdb_cluster_admin_email
+ asset_display_name = module.docdb-cluster.this.cluster_identifier
+ asset_id = module.docdb-cluster.this.arn
+ cluster_identifier = module.docdb-cluster.this.cluster_identifier
+ gateway_id = var.aws_docdb_cluster_gateway_id
+ parent_asset_id = var.aws_docdb_cluster_parent_asset_id
+ region = var.aws_docdb_cluster_region
+ server_host_name = module.docdb-cluster.this.endpoint
+ server_ip = module.docdb-cluster.this.arn
+ server_port = module.docdb-cluster.this.port
+}
+
+module "docdb-log-group-asset" {
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.docdb-log-group.this.arn}:*"
+ asset_id = "${module.docdb-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.docdb-cluster-asset.this.asset_id
+ reason = var.aws_log_group_reason
+ region = var.aws_log_group_region
+}
diff --git a/modules/onboard-aws-docdb-cluster/outputs.tf b/modules/onboard-aws-docdb-cluster/outputs.tf
new file mode 100644
index 0000000..5321b7e
--- /dev/null
+++ b/modules/onboard-aws-docdb-cluster/outputs.tf
@@ -0,0 +1,29 @@
+output "docdb-param-group" {
+ description = "docdb parameter group"
+ value = module.docdb-param-group.this
+}
+
+output "docdb-cluster" {
+ description = "docdb cluster"
+ value = module.docdb-cluster.this
+}
+
+output "docdb-cluster-instance" {
+ description = "docdb cluster instance"
+ value = module.docdb-cluster-instance[*].this
+}
+
+output "docdb-log-group" {
+ description = "docdb log group"
+ value = module.docdb-log-group.this
+}
+
+output "docdb-cluster-asset" {
+ description = "docdb cluster asset"
+ value = module.docdb-cluster-asset.this
+}
+
+output "docdb-log-group-asset" {
+ description = "docdb log group asset"
+ value = module.docdb-log-group-asset.this
+}
diff --git a/modules/onboard-aws-docdb-cluster/variables.tf b/modules/onboard-aws-docdb-cluster/variables.tf
new file mode 100644
index 0000000..b29f8d4
--- /dev/null
+++ b/modules/onboard-aws-docdb-cluster/variables.tf
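Review bot: `output "docdb-cluster"` in outputs.tf forwards the whole `module.docdb-cluster.this` object without `sensitive = true`, and that object presumably carries the master password that main.tf passes in as `master_password = var.cluster_master_password`. If `../aws-docdb-cluster` marks its own `this` output sensitive, Terraform will refuse this output as written; if it does not, the password reaches this module's plan output and state unredacted for any root module that wires it through. Adding `sensitive = true` here matches the `dsfhub-*` module outputs elsewhere in this PR. In main.tf, `module "docdb-cluster-instance"` reads `cluster_identifier = var.cluster_identifier` and relies on `depends_on = [module.docdb-cluster]` for ordering; passing `module.docdb-cluster.this.cluster_identifier` instead gives the same ordering implicitly and lets the module-level `depends_on` go, which otherwise tends to mark the instance attributes as known-after-apply whenever anything in the cluster module changes.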
@@ -0,0 +1,221 @@
+# AWS DocumentDB Parameter Group variables
+variable "parameter_group_description" {
+ description = "The description of the DocumentDB cluster parameter group."
+ type = string
+ default = "Managed by Terraform"
+}
+
+variable "parameter_group_family" {
+ description = "Database family version, e.g. \"docdb5.0\""
+ type = string
+ default = "docdb5.0"
+}
+
+variable "parameter_group_name" {
+ description = "The name of the DocumentDB cluster parameter group."
+ type = string
+ default = "docdb-parameter-group"
+}
+
+variable "parameter_group_parameters" {
+ description = "List of objects containing parameters for the DocumentDB parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [{
+ name = "audit_logs"
+ value = "all"
+ apply_method = "immediate"
+ }]
+}
+
+variable "parameter_group_tags" {
+ description = "A map of tags to assign to the cluster."
+ type = map(string)
+ default = null
+}
+
+# AWS DocumentDB Cluster and AWS DocumentDB Instance shared variables
+variable "cluster_identifier" {
+ description = "Identifier of DocumentDB Cluster."
+ type = string
+}
+
+# AWS DocumentDB Cluster variables
+variable "cluster_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window."
+ type = bool
+ default = true
+}
+
+variable "cluster_db_subnet_group_name" {
+ description = "A DB subnet group to associate with this DB instance."
+ type = string
+}
+
+variable "cluster_deletion_protection" {
+ description = "A value that indicates whether the DB cluster has deletion protection enabled. The database can't be deleted when deletion protection is enabled."
+ type = bool
+ default = false
+}
+
+variable "cluster_enabled_cloudwatch_logs_exports" {
+ description = "List of log types to export to CloudWatch."
+ type = list(string)
+ default = ["audit"]
+ validation {
+ condition = alltrue([for log in var.cluster_enabled_cloudwatch_logs_exports : log == "audit" || log == "profiler"])
+ error_message = "Invalid value in cluster_enabled_cloudwatch_logs_exports. Allowed values are (audit, profiler)."
+ }
+ validation {
+ condition = length(var.cluster_enabled_cloudwatch_logs_exports) == length(distinct(var.cluster_enabled_cloudwatch_logs_exports))
+ error_message = "Duplicate item in cluster_enabled_cloudwatch_logs_exports. Allowed values are 'audit' or 'profiler'. Please ensure that each log type is unique."
+ }
+}
+
+variable "cluster_engine_version" {
+ description = "Database engine version, e.g. \"5.0.0\""
+ type = string
+ default = "5.0.0"
+}
+
+variable "cluster_final_snapshot_identifier" {
+ description = "The name of your final DB snapshot when this DB cluster is deleted. If omitted, no final snapshot will be made. Must be provided if skip_final_snapshot is set to false."
+ type = string
+ default = null
+}
+
+variable "cluster_master_password" {
+ description = "Password for the master DB user."
+ type = string
+}
+
+variable "cluster_master_username" {
+ description = "Master DB username."
+ type = string
+ default = "docdb"
+}
+
+variable "cluster_port" {
+ description = "The port on which the DB accepts connections."
+ type = number
+ default = 27017
+}
+
+variable "cluster_skip_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB cluster is deleted. If true is specified, no DB snapshot is created. If false is specified, a DB snapshot is created before the DB cluster is deleted, using the value from final_snapshot_identifier"
+ type = bool
+ default = true
+}
+
+variable "cluster_storage_type" {
+ description = "The storage type to associate with the DB cluster."
+ type = string
+ default = "standard"
+ validation {
+ condition = can(regex("^(iopt1|standard)$", var.cluster_storage_type))
+ error_message = "Invalid value for storage_type. Allowed values are 'iopt1' or 'standard'."
+ }
+}
+
+variable "cluster_tags" {
+ description = "A map of tags to assign to the DB cluster."
+ type = map(string)
+ default = null
+}
+
+variable "cluster_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate with the Cluster"
+ type = list(string)
+}
+
+# AWS DocumentDB Instance variables
+variable "instance_apply_immediately" {
+ description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window."
+ type = bool
+ default = true
+}
+
+variable "instance_count" {
+ description = "The number of instances to create in the DocumentDB cluster."
+ type = number
+ default = 1
+}
+
+variable "instance_instance_class" {
+ description = "The instance type of the DocumentDB cluster. Example: 'db.r5.large'. Reference: https://docs.aws.amazon.com/documentdb/latest/developerguide/db-instance-classes.html#db-instance-class-specs"
+ type = string
+ default = "db.r5.large"
+}
+
+variable "instance_promotion_tier" {
+ description = "Failover Priority setting on instance level. The reader who has lower tier has higher priority to get promoted to a writer in case of failover."
+ type = number
+ default = 0
+}
+
+variable "instance_tags" {
+ description = "A map of tags to assign to the DocumentDB instance."
+ type = map(string)
+ default = null
+}
+
+# AWS CloudWatch Log Group variables
+variable "log_group_retention_in_days" {
+ description = "The number of days to retain log events."
+ type = number
+ default = 7
+}
+
+# DSFHUB AWS DocumentDB Cluster asset variables
+variable "aws_docdb_cluster_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_docdb_cluster_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_docdb_cluster_region" {
+ description = "AWS region of the DocumentDB Cluster."
+ type = string
+}
+
+variable "aws_docdb_cluster_parent_asset_id" {
+ description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events)"
+ type = string
+}
+
+# DSFHUB CloudWatch Log Group variables
+variable "aws_log_group_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_log_group_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_log_group_reason" {
+ description = "Used to differentiate connections that belong to the same asset"
+ type = string
+ default = "default"
+}
+
+variable "aws_log_group_region" {
+ description = "AWS region of the log group"
+ type = string
+}
diff --git a/modules/onboard-aws-neptune-slow-query/README.md b/modules/onboard-aws-neptune-slow-query/README.md
new file mode 100644
index 0000000..fc8ca02
--- /dev/null
+++ b/modules/onboard-aws-neptune-slow-query/README.md
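Review bot: `variable "cluster_master_password"` is declared without `sensitive = true`, so the value is echoed in plan and apply output and in any CI log that captures them; add `sensitive = true` next to its `type = string`. The teardown defaults also deserve a sentence in their descriptions: `cluster_skip_final_snapshot` defaults to `true` and `cluster_deletion_protection` to `false`, so a `terraform destroy` of this onboarding module removes the cluster with no final snapshot unless the caller overrides both — reasonable for a demo, but worth stating so that someone onboarding a production cluster sets them deliberately.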
@@ -0,0 +1,83 @@ +# onboard-aws-neptune-slow-query +Onboard Amazon Neptune Slowquery to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-log-group-slowquery-asset](#module\_aws-log-group-slowquery-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-neptune-cluster-asset](#module\_aws-neptune-cluster-asset) | ../dsfhub-aws-neptune-cluster | n/a | +| [neptune-cluster](#module\_neptune-cluster) | ../aws-neptune-cluster | n/a | +| [neptune-cluster-parameter-group](#module\_neptune-cluster-parameter-group) | ../aws-neptune-cluster-parameter-group | n/a | +| [neptune-instance](#module\_neptune-instance) | ../aws-neptune-instance | n/a | +| [neptune-log-group](#module\_neptune-log-group) | ../aws-cloudwatch-log-group | n/a | +| [neptune-log-group-slowquery](#module\_neptune-log-group-slowquery) | ../aws-cloudwatch-log-group | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. 
| `bool` | `false` | no | +| [aws\_neptune\_cluster\_admin\_email](#input\_aws\_neptune\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_neptune\_cluster\_gateway\_id](#input\_aws\_neptune\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_neptune\_cluster\_parent\_asset\_id](#input\_aws\_neptune\_cluster\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. Key-pair, iam\_role, profile or default | `string` | n/a | yes | +| [aws\_neptune\_cluster\_region](#input\_aws\_neptune\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [cluster\_backup\_retention\_period](#input\_cluster\_backup\_retention\_period) | The days to retain backups for. Default is 1 | `number` | `1` | no | +| [cluster\_enable\_cloudwatch\_logs\_exports](#input\_cluster\_enable\_cloudwatch\_logs\_exports) | A list of the log types this DB cluster is configured to export to Cloudwatch Logs. Currently only supports audit and slowquery | `list(string)` |
[
"audit",
"slowquery"
]
| no | +| [cluster\_engine](#input\_cluster\_engine) | The name of the database engine to be used for this Neptune cluster. | `string` | `"neptune"` | no | +| [cluster\_engine\_version](#input\_cluster\_engine\_version) | The database engine version. | `string` | `"1.3.2.0"` | no | +| [cluster\_iam\_database\_authentication\_enabled](#input\_cluster\_iam\_database\_authentication\_enabled) | Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. | `bool` | `true` | no | +| [cluster\_identifier](#input\_cluster\_identifier) | The cluster identifier | `string` | n/a | yes | +| [cluster\_preferred\_maintenance\_window](#input\_cluster\_preferred\_maintenance\_window) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `"sun:18:00-sun:21:00"` | no | +| [cluster\_skip\_final\_snapshot](#input\_cluster\_skip\_final\_snapshot) | Determines whether a final Neptune snapshot is created before the Neptune cluster is deleted. If true is specified, no Neptune snapshot is created. If false is specified, a Neptune snapshot is created before the Neptune cluster is deleted, using the value from final\_snapshot\_identifier | `bool` | `true` | no | +| [cluster\_storage\_type](#input\_cluster\_storage\_type) | Storage type associated with the cluster. Default: standard | `string` | `"standard"` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate with the Cluster | `list(string)` | `null` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any instance modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [instance\_auto\_minor\_version\_upgrade](#input\_instance\_auto\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the instance during the maintenance window. 
Default is true | `bool` | `false` | no | +| [instance\_class](#input\_instance\_class) | The instance class to use. | `string` | `"db.t3.medium"` | no | +| [instance\_identifier](#input\_instance\_identifier) | The identifier for the neptune instance. | `string` | n/a | yes | +| [instance\_neptune\_parameter\_group\_name](#input\_instance\_neptune\_parameter\_group\_name) | The name of the neptune parameter group to associate with this instance | `string` | `"default.neptune1"` | no | +| [instance\_neptune\_subnet\_group\_name](#input\_instance\_neptune\_subnet\_group\_name) | A subnet group to associate with this neptune instance. NOTE: This must match the neptune\_subnet\_group\_name of the attached aws\_neptune\_cluster | `string` | `null` | no | +| [instance\_port](#input\_instance\_port) | The port on which the DB accepts connections. Defaults to 8182 | `number` | `8182` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | Bool to control if instance is publicly accessible. Default is false | `bool` | `false` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | +| [parameter\_group\_description](#input\_parameter\_group\_description) | Neptune cluster parameter group | `string` | `"Neptune cluster parameter group"` | no | +| [parameter\_group\_family](#input\_parameter\_group\_family) | The family of the cluster parameter group. | `string` | `"neptune1.3"` | no | +| [parameter\_group\_name](#input\_parameter\_group\_name) | The name of the cluster parameter group. | `string` | n/a | yes | +| [parameter\_group\_parameters](#input\_parameter\_group\_parameters) | List of objects containing parameters for the cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"apply_method": "pending-reboot",
"name": "neptune_enable_audit_log",
"value": 1
},
{
"name": "neptune_enable_slow_query_log",
"value": "info"
},
{
"name": "neptune_slow_query_log_threshold",
"value": 10000
}
]
| no | +| [parameter\_group\_tags](#input\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cluster](#output\_cluster) | Neptune Cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Neptune Cluster parameter group | +| [dsf\_neptune\_cluster](#output\_dsf\_neptune\_cluster) | Neptune cluster DSF asset | +| [dsf\_neptune\_log\_group](#output\_dsf\_neptune\_log\_group) | DSF neptune log group asset | +| [dsf\_neptune\_log\_group\_slowquery](#output\_dsf\_neptune\_log\_group\_slowquery) | DSF neptune slow query log group asset | +| [instance](#output\_instance) | Neptune instance | +| [log\_group](#output\_log\_group) | Neptune log group | +| [log\_group\_slowquery](#output\_log\_group\_slowquery) | Neptune slow query log group | + \ No newline at end of file diff --git a/modules/onboard-aws-neptune-slow-query/main.tf b/modules/onboard-aws-neptune-slow-query/main.tf new file mode 100644 index 0000000..c652cca --- /dev/null +++ b/modules/onboard-aws-neptune-slow-query/main.tf 
@@ -0,0 +1,99 @@ +module "neptune-cluster-parameter-group" { + source = "../aws-neptune-cluster-parameter-group" + + description = var.parameter_group_description + family = var.parameter_group_family + name = var.parameter_group_name + parameters = var.parameter_group_parameters + tags = var.parameter_group_tags +} + +module "neptune-cluster" { + depends_on = [module.neptune-cluster-parameter-group, module.neptune-log-group, module.neptune-log-group-slowquery] + + source = "../aws-neptune-cluster" + + identifier = var.cluster_identifier + engine = var.cluster_engine + engine_version = var.cluster_engine_version + backup_retention_period = var.cluster_backup_retention_period + skip_final_snapshot = var.cluster_skip_final_snapshot + enable_cloudwatch_logs_exports = var.cluster_enable_cloudwatch_logs_exports + parameter_group_name = module.neptune-cluster-parameter-group.this.name + storage_type = var.cluster_storage_type + preferred_maintenance_window = var.cluster_preferred_maintenance_window + iam_database_authentication_enabled = var.cluster_iam_database_authentication_enabled + vpc_security_group_ids = var.cluster_vpc_security_group_ids + neptune_subnet_group_name = var.instance_neptune_subnet_group_name + apply_immediately = var.cluster_apply_immediately +} + +module "neptune-instance" { + depends_on = [module.neptune-cluster] + source = "../aws-neptune-instance" + + cluster_identifier = module.neptune-cluster.this.cluster_identifier + identifier = var.instance_identifier + class = var.instance_class + port = var.instance_port + publicly_accessible = var.instance_publicly_accessible + neptune_subnet_group_name = var.instance_neptune_subnet_group_name + neptune_parameter_group_name = var.instance_neptune_parameter_group_name + auto_minor_version_upgrade = var.instance_auto_minor_version_upgrade + apply_immediately = var.instance_apply_immediately +} + +module "neptune-log-group" { + source = "../aws-cloudwatch-log-group" + + name = 
"/aws/neptune/${var.cluster_identifier}/audit" + retention_in_days = var.log_group_retention_in_days +} + +module "neptune-log-group-slowquery" { + source = "../aws-cloudwatch-log-group" + + name = "/aws/neptune/${var.cluster_identifier}/slowquery" + retention_in_days = var.log_group_retention_in_days +} + +module "aws-neptune-cluster-asset" { + source = "../dsfhub-aws-neptune-cluster" + + admin_email = var.aws_neptune_cluster_admin_email + asset_display_name = module.neptune-cluster.this.id + asset_id = module.neptune-cluster.this.arn + gateway_id = var.aws_neptune_cluster_gateway_id + server_host_name = module.neptune-cluster.this.endpoint + server_port = module.neptune-cluster.this.port + region = var.aws_neptune_cluster_region + parent_asset_id = var.aws_neptune_cluster_parent_asset_id +} + +module "aws-log-group-asset" { + depends_on = [module.aws-neptune-cluster-asset] + source = "../dsfhub-aws-log-group" + + admin_email = var.aws_neptune_cluster_admin_email + asset_display_name = module.neptune-log-group.this.id + asset_id = "${module.neptune-log-group.this.arn}:*" + audit_pull_enabled = var.aws_log_group_audit_pull_enabled + gateway_id = var.aws_neptune_cluster_gateway_id + parent_asset_id = module.aws-neptune-cluster-asset.this.asset_id + audit_type = "LOG_GROUP" + region = var.aws_neptune_cluster_region +} + +module "aws-log-group-slowquery-asset" { + depends_on = [module.aws-neptune-cluster-asset, module.aws-log-group-asset] + source = "../dsfhub-aws-log-group" + + admin_email = var.aws_neptune_cluster_admin_email + asset_display_name = module.neptune-log-group-slowquery.this.id + asset_id = "${module.neptune-log-group-slowquery.this.arn}:*" + audit_pull_enabled = var.aws_log_group_audit_pull_enabled + gateway_id = var.aws_neptune_cluster_gateway_id + parent_asset_id = module.aws-neptune-cluster-asset.this.asset_id + audit_type = "AWS_NEPTUNE_SLOW" + region = var.aws_neptune_cluster_region +} \ No newline at end of file 
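Review bot: Encryption at rest is never configured for the cluster in `module "neptune-cluster"`: nothing in this block passes `storage_encrypted` or a KMS key, and this module's variables.tf (later in the same diff) declares no input for either, so unless `../aws-neptune-cluster` hard-codes it (that module is not in this diff), the provider default of `storage_encrypted = false` applies and the module onboards an unencrypted graph database to DSF. Suggest threading it through with `storage_encrypted = var.cluster_storage_encrypted` and `kms_key_arn = var.cluster_kms_key_arn` (declared in variables.tf with defaults `true` and `null`), or at minimum stating in the README that encryption is the caller's responsibility. The ordering here is otherwise sound — creating both log groups before the cluster via `depends_on` means the exported logs land in groups that already carry the retention setting rather than in auto-created ones that never expire.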
diff --git a/modules/onboard-aws-neptune-slow-query/outputs.tf b/modules/onboard-aws-neptune-slow-query/outputs.tf new file mode 100644 index 0000000..399a683 --- /dev/null +++ b/modules/onboard-aws-neptune-slow-query/outputs.tf @@ -0,0 +1,39 @@ +output "cluster_parameter_group" { + description = "Neptune Cluster parameter group" + value = module.neptune-cluster-parameter-group.this +} + +output "cluster" { + description = "Neptune Cluster" + value = module.neptune-cluster.this +} + +output "instance" { + description = "Neptune instance" + value = module.neptune-instance.this +} + +output "log_group" { + description = "Neptune log group" + value = module.neptune-log-group.this +} + +output "log_group_slowquery" { + description = "Neptune slow query log group" + value = module.neptune-log-group-slowquery.this +} + +output "dsf_neptune_cluster" { + description = "Neptune cluster DSF asset" + value = module.aws-neptune-cluster-asset.this +} + +output "dsf_neptune_log_group" { + description = "DSF neptune log group asset" + value = module.aws-log-group-asset.this +} + +output "dsf_neptune_log_group_slowquery" { + description = "DSF neptune slow query log group asset" + value = module.aws-log-group-slowquery-asset.this +} \ No newline at end of file diff --git a/modules/onboard-aws-neptune-slow-query/variables.tf b/modules/onboard-aws-neptune-slow-query/variables.tf new file mode 100644 index 0000000..741130f --- /dev/null +++ b/modules/onboard-aws-neptune-slow-query/variables.tf 
@@ -0,0 +1,201 @@ +#AWS neptune cluster parameter group variables +variable "parameter_group_description" { + description = "Neptune cluster parameter group" + type = string + default = "Neptune cluster parameter group" +} + +variable "parameter_group_family" { + description = "The family of the cluster parameter group." + type = string + default = "neptune1.3" +} + +variable "parameter_group_name" { + description = "The name of the cluster parameter group." + type = string +} + +variable "parameter_group_parameters" { + description = "List of objects containing parameters for the cluster parameter group." + type = list( + object({ + name = string + apply_method = optional(string, "immediate") + value = any + }) + ) + default = [ + { + name = "neptune_enable_audit_log" + value = 1 + apply_method = "pending-reboot" + }, + { + name = "neptune_enable_slow_query_log" + value = "info" + }, + { + name = "neptune_slow_query_log_threshold" + value = 10000 + } + ] +} + +variable "parameter_group_tags" { + description = "A map of tags to assign to the resource." + type = map(string) + default = null +} + +#AWS Neptune cluster variables +variable "cluster_identifier" { + description = "The cluster identifier" + type = string +} + +variable "cluster_engine" { + description = "The name of the database engine to be used for this Neptune cluster." + type = string + default = "neptune" +} + +variable "cluster_engine_version" { + description = "The database engine version." + type = string + default = "1.3.2.0" +} + +variable "cluster_backup_retention_period" { + description = "The days to retain backups for. Default is 1" + type = number + default = 1 +} + +variable "cluster_skip_final_snapshot" { + description = "Determines whether a final Neptune snapshot is created before the Neptune cluster is deleted. If true is specified, no Neptune snapshot is created. 
If false is specified, a Neptune snapshot is created before the Neptune cluster is deleted, using the value from final_snapshot_identifier" + type = bool + default = true +} + +variable "cluster_apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. " + type = bool + default = true +} + +variable "cluster_enable_cloudwatch_logs_exports" { + description = "A list of the log types this DB cluster is configured to export to Cloudwatch Logs. Currently only supports audit and slowquery" + type = list(string) + default = ["audit", "slowquery"] +} + +variable "cluster_storage_type" { + description = "Storage type associated with the cluster. Default: standard" + type = string + default = "standard" + validation { + condition = contains(["standard", "standard/iopt1"], var.cluster_storage_type) + error_message = "Invalid value. Pick either standard or standard/iopt1" + } +} + +variable "cluster_iam_database_authentication_enabled" { + description = " Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled." + type = bool + default = true +} + +variable "cluster_preferred_maintenance_window" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string + default = "sun:18:00-sun:21:00" +} + +variable "cluster_vpc_security_group_ids" { + description = "List of VPC security groups to associate with the Cluster" + type = list(string) + default = null +} + +#AWS Neptune instance variables +variable "instance_apply_immediately" { + description = "Specifies whether any instance modifications are applied immediately, or during the next maintenance window." + type = bool + default = true +} + +variable "instance_auto_minor_version_upgrade" { + description = "Indicates that minor engine upgrades will be applied automatically to the instance during the maintenance window. 
Default is true" + type = bool + default = false +} + +variable "instance_identifier" { + description = "The identifier for the neptune instance." + type = string +} + +variable "instance_class" { + description = "The instance class to use." + type = string + default = "db.t3.medium" +} + +variable "instance_neptune_subnet_group_name" { + description = "A subnet group to associate with this neptune instance. NOTE: This must match the neptune_subnet_group_name of the attached aws_neptune_cluster" + type = string + default = null +} + +variable "instance_neptune_parameter_group_name" { + description = "The name of the neptune parameter group to associate with this instance" + type = string + default = "default.neptune1" +} + +variable "instance_port" { + description = "The port on which the DB accepts connections. Defaults to 8182" + type = number + default = 8182 +} + +variable "instance_publicly_accessible" { + description = "Bool to control if instance is publicly accessible. Default is false" + type = bool + default = false +} + +#AWS cloudwatch variables +variable "log_group_retention_in_days" { + description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire." + type = number + default = 7 +} + +#DSFHUB variables +variable "aws_neptune_cluster_admin_email" { + description = "The email address to notify about this asset" + type = string +} + +variable "aws_neptune_cluster_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "aws_neptune_cluster_parent_asset_id" { + description = "The asset_id of AWS cloud account being used. E.g. Key-pair, iam_role, profile or default" + type = string +} + +variable "aws_neptune_cluster_region" { + description = "AWS region containing the instance." 
+ type = string +} + +variable "aws_log_group_audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} \ No newline at end of file diff --git a/modules/onboard-aws-neptune/README.md b/modules/onboard-aws-neptune/README.md new file mode 100644 index 0000000..b8735dd --- /dev/null +++ b/modules/onboard-aws-neptune/README.md 
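Review bot: The `cluster_storage_type` validation rejects the one non-default value the provider accepts: `contains(["standard", "standard/iopt1"], …)` takes the upstream doc's `standard/iopt1` shorthand as a literal, so a caller passing `iopt1` fails validation while `standard/iopt1` passes here and, as far as I can tell, is not a value the Neptune API accepts. The sibling DocumentDB module earlier in this diff validates the same attribute with `regex("^(iopt1|standard)$", …)`; match it with `condition = contains(["standard", "iopt1"], var.cluster_storage_type)` and `error_message = "Invalid value. Pick either standard or iopt1"`. Two smaller inconsistencies in the same hunk: `instance_auto_minor_version_upgrade` documents `Default is true` but defaults to `false`, which silently opts the instance out of automatic engine patching — pick one and align the description; and `cluster_vpc_security_group_ids` defaults to `null` where the DocumentDB variant makes it required, which lets the cluster fall back to the VPC's default security group.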
@@ -0,0 +1,79 @@ +# onboard-aws-neptune +Onboard Amazon Neptune to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-neptune-cluster-asset](#module\_aws-neptune-cluster-asset) | ../dsfhub-aws-neptune-cluster | n/a | +| [neptune-cluster](#module\_neptune-cluster) | ../aws-neptune-cluster | n/a | +| [neptune-cluster-parameter-group](#module\_neptune-cluster-parameter-group) | ../aws-neptune-cluster-parameter-group | n/a | +| [neptune-instance](#module\_neptune-instance) | ../aws-neptune-instance | n/a | +| [neptune-log-group](#module\_neptune-log-group) | ../aws-cloudwatch-log-group | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_neptune\_cluster\_admin\_email](#input\_aws\_neptune\_cluster\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_neptune\_cluster\_gateway\_id](#input\_aws\_neptune\_cluster\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_neptune\_cluster\_parent\_asset\_id](#input\_aws\_neptune\_cluster\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. 
Key-pair, iam\_role, profile or default | `string` | n/a | yes | +| [aws\_neptune\_cluster\_region](#input\_aws\_neptune\_cluster\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [cluster\_apply\_immediately](#input\_cluster\_apply\_immediately) | Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [cluster\_backup\_retention\_period](#input\_cluster\_backup\_retention\_period) | The days to retain backups for. Default is 1 | `number` | `1` | no | +| [cluster\_enable\_cloudwatch\_logs\_exports](#input\_cluster\_enable\_cloudwatch\_logs\_exports) | A list of the log types this DB cluster is configured to export to Cloudwatch Logs. Currently only supports audit and slowquery | `list(string)` |
[
"audit"
]
| no | +| [cluster\_engine](#input\_cluster\_engine) | The name of the database engine to be used for this Neptune cluster. | `string` | `"neptune"` | no | +| [cluster\_engine\_version](#input\_cluster\_engine\_version) | The database engine version. | `string` | `"1.3.2.0"` | no | +| [cluster\_iam\_database\_authentication\_enabled](#input\_cluster\_iam\_database\_authentication\_enabled) | Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled. | `bool` | `true` | no | +| [cluster\_identifier](#input\_cluster\_identifier) | The cluster identifier | `string` | n/a | yes | +| [cluster\_preferred\_maintenance\_window](#input\_cluster\_preferred\_maintenance\_window) | Weekly time range during which system maintenance can occur, in (UTC). | `string` | `"sun:18:00-sun:21:00"` | no | +| [cluster\_skip\_final\_snapshot](#input\_cluster\_skip\_final\_snapshot) | Determines whether a final Neptune snapshot is created before the Neptune cluster is deleted. If true is specified, no Neptune snapshot is created. If false is specified, a Neptune snapshot is created before the Neptune cluster is deleted, using the value from final\_snapshot\_identifier | `bool` | `true` | no | +| [cluster\_storage\_type](#input\_cluster\_storage\_type) | Storage type associated with the cluster. Default: standard | `string` | `"standard"` | no | +| [cluster\_vpc\_security\_group\_ids](#input\_cluster\_vpc\_security\_group\_ids) | List of VPC security groups to associate with the Cluster | `list(string)` | `null` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any instance modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [instance\_auto\_minor\_version\_upgrade](#input\_instance\_auto\_minor\_version\_upgrade) | Indicates that minor engine upgrades will be applied automatically to the instance during the maintenance window. 
Default is true | `bool` | `false` | no | +| [instance\_class](#input\_instance\_class) | The instance class to use. | `string` | `"db.t3.medium"` | no | +| [instance\_identifier](#input\_instance\_identifier) | The identifier for the neptune instance. | `string` | n/a | yes | +| [instance\_neptune\_parameter\_group\_name](#input\_instance\_neptune\_parameter\_group\_name) | The name of the neptune parameter group to associate with this instance | `string` | `"default.neptune1"` | no | +| [instance\_neptune\_subnet\_group\_name](#input\_instance\_neptune\_subnet\_group\_name) | A subnet group to associate with this neptune instance. NOTE: This must match the neptune\_subnet\_group\_name of the attached aws\_neptune\_cluster | `string` | `null` | no | +| [instance\_port](#input\_instance\_port) | The port on which the DB accepts connections. Defaults to 8182 | `number` | `8182` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | Bool to control if instance is publicly accessible. Default is false | `bool` | `false` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | +| [parameter\_group\_description](#input\_parameter\_group\_description) | Neptune cluster parameter group | `string` | `"Neptune cluster parameter group"` | no | +| [parameter\_group\_family](#input\_parameter\_group\_family) | The family of the cluster parameter group. | `string` | `"neptune1.3"` | no | +| [parameter\_group\_name](#input\_parameter\_group\_name) | The name of the cluster parameter group. | `string` | n/a | yes | +| [parameter\_group\_parameters](#input\_parameter\_group\_parameters) | List of objects containing parameters for the cluster parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"apply_method": "pending-reboot",
"name": "neptune_enable_audit_log",
"value": 1
}
]
| no | +| [parameter\_group\_tags](#input\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [cluster](#output\_cluster) | Neptune Cluster | +| [cluster\_parameter\_group](#output\_cluster\_parameter\_group) | Neptune Cluster parameter group | +| [dsf\_neptune\_cluster](#output\_dsf\_neptune\_cluster) | Neptune cluster DSF asset | +| [dsf\_neptune\_log\_group](#output\_dsf\_neptune\_log\_group) | DSF neptune log group asset | +| [instance](#output\_instance) | Neptune instance | +| [log\_group](#output\_log\_group) | Neptune log group | + \ No newline at end of file diff --git a/modules/onboard-aws-neptune/main.tf b/modules/onboard-aws-neptune/main.tf new file mode 100644 index 0000000..be60878 --- /dev/null +++ b/modules/onboard-aws-neptune/main.tf 
@@ -0,0 +1,78 @@ +module "neptune-cluster-parameter-group" { + source = "../aws-neptune-cluster-parameter-group" + + description = var.parameter_group_description + family = var.parameter_group_family + name = var.parameter_group_name + parameters = var.parameter_group_parameters + tags = var.parameter_group_tags +} + +module "neptune-cluster" { + depends_on = [module.neptune-cluster-parameter-group, module.neptune-log-group] + + source = "../aws-neptune-cluster" + + identifier = var.cluster_identifier + engine = var.cluster_engine + engine_version = var.cluster_engine_version + backup_retention_period = var.cluster_backup_retention_period + skip_final_snapshot = var.cluster_skip_final_snapshot + enable_cloudwatch_logs_exports = var.cluster_enable_cloudwatch_logs_exports + parameter_group_name = module.neptune-cluster-parameter-group.this.name + storage_type = var.cluster_storage_type + preferred_maintenance_window = var.cluster_preferred_maintenance_window + iam_database_authentication_enabled = var.cluster_iam_database_authentication_enabled + vpc_security_group_ids = var.cluster_vpc_security_group_ids + neptune_subnet_group_name = var.instance_neptune_subnet_group_name + apply_immediately = var.cluster_apply_immediately +} + +module "neptune-instance" { + depends_on = [module.neptune-cluster] + source = "../aws-neptune-instance" + + cluster_identifier = module.neptune-cluster.this.cluster_identifier + identifier = var.instance_identifier + class = var.instance_class + port = var.instance_port + publicly_accessible = var.instance_publicly_accessible + neptune_subnet_group_name = var.instance_neptune_subnet_group_name + neptune_parameter_group_name = var.instance_neptune_parameter_group_name + auto_minor_version_upgrade = var.instance_auto_minor_version_upgrade + apply_immediately = var.instance_apply_immediately +} + +module "neptune-log-group" { + source = "../aws-cloudwatch-log-group" + + name = "/aws/neptune/${var.cluster_identifier}/audit" + retention_in_days 
= var.log_group_retention_in_days +} + +module "aws-neptune-cluster-asset" { + source = "../dsfhub-aws-neptune-cluster" + + admin_email = var.aws_neptune_cluster_admin_email + asset_display_name = module.neptune-cluster.this.id + asset_id = module.neptune-cluster.this.arn + gateway_id = var.aws_neptune_cluster_gateway_id + server_host_name = module.neptune-cluster.this.endpoint + server_port = module.neptune-cluster.this.port + region = var.aws_neptune_cluster_region + parent_asset_id = var.aws_neptune_cluster_parent_asset_id +} + +module "aws-log-group-asset" { + depends_on = [module.aws-neptune-cluster-asset] + source = "../dsfhub-aws-log-group" + + admin_email = var.aws_neptune_cluster_admin_email + asset_display_name = module.neptune-log-group.this.id + asset_id = "${module.neptune-log-group.this.arn}:*" + audit_pull_enabled = var.aws_log_group_audit_pull_enabled + gateway_id = var.aws_neptune_cluster_gateway_id + parent_asset_id = module.aws-neptune-cluster-asset.this.asset_id + audit_type = "LOG_GROUP" + region = var.aws_neptune_cluster_region +} \ No newline at end of file diff --git a/modules/onboard-aws-neptune/outputs.tf b/modules/onboard-aws-neptune/outputs.tf new file mode 100644 index 0000000..dd1ef93 --- /dev/null +++ b/modules/onboard-aws-neptune/outputs.tf 
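Review bot: `module "neptune-cluster"` is wired so that both network controls can be absent: `vpc_security_group_ids` comes from `var.cluster_vpc_security_group_ids` and `neptune_subnet_group_name` from `var.instance_neptune_subnet_group_name`, and both default to `null` per this module's README and variables.tf, so a caller who sets only the required inputs gets a cluster in the default subnet group guarded by the VPC's default security group. The DocumentDB module earlier in this diff declares `cluster_vpc_security_group_ids` with no default; doing the same here (drop `default = null` in variables.tf, outside this hunk) would make the caller state the ingress policy explicitly. Also worth noting that with `cluster_skip_final_snapshot` defaulting to `true` and no `deletion_protection` passed through, a `terraform destroy` of this module removes the audited cluster without a snapshot — acceptable for a lab, but the README should say so if this is meant for production onboarding.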
@@ -0,0 +1,29 @@ +output "cluster_parameter_group" { + description = "Neptune Cluster parameter group" + value = module.neptune-cluster-parameter-group.this +} + +output "cluster" { + description = "Neptune Cluster" + value = module.neptune-cluster.this +} + +output "instance" { + description = "Neptune instance" + value = module.neptune-instance.this +} + +output "log_group" { + description = "Neptune log group" + value = module.neptune-log-group.this +} + +output "dsf_neptune_cluster" { + description = "Neptune cluster DSF asset" + value = module.aws-neptune-cluster-asset.this +} + +output "dsf_neptune_log_group" { + description = "DSF neptune log group asset" + value = module.aws-log-group-asset.this +} \ No newline at end of file diff --git a/modules/onboard-aws-neptune/variables.tf b/modules/onboard-aws-neptune/variables.tf new file mode 100644 index 0000000..1a6847b --- /dev/null +++ b/modules/onboard-aws-neptune/variables.tf 
@@ -0,0 +1,196 @@ +#AWS neptune cluster parameter group variables +variable "parameter_group_description" { + description = "Neptune cluster parameter group" + type = string + default = "Neptune cluster parameter group" +} + +variable "parameter_group_family" { + description = "The family of the cluster parameter group." + type = string + default = "neptune1.3" +} + +variable "parameter_group_name" { + description = "The name of the cluster parameter group." + type = string +} + +variable "parameter_group_parameters" { + description = "List of objects containing parameters for the cluster parameter group." + type = list( + object({ + name = string + apply_method = optional(string, "immediate") + value = any + }) + ) + default = [ + { + name = "neptune_enable_audit_log" + value = 1 + apply_method = "pending-reboot" + } + ] +} + +variable "parameter_group_tags" { + description = "A map of tags to assign to the resource." + type = map(string) + default = null +} + +#AWS Neptune cluster variables +variable "cluster_identifier" { + description = "The cluster identifier" + type = string +} + +variable "cluster_engine" { + description = "The name of the database engine to be used for this Neptune cluster." + type = string + default = "neptune" +} + +variable "cluster_engine_version" { + description = "The database engine version." + type = string + default = "1.3.2.0" +} + +variable "cluster_backup_retention_period" { + description = "The days to retain backups for. Default is 1" + type = number + default = 1 +} + +variable "cluster_skip_final_snapshot" { + description = "Determines whether a final Neptune snapshot is created before the Neptune cluster is deleted. If true is specified, no Neptune snapshot is created. 
If false is specified, a Neptune snapshot is created before the Neptune cluster is deleted, using the value from final_snapshot_identifier" + type = bool + default = true +} + +variable "cluster_apply_immediately" { + description = "Specifies whether any cluster modifications are applied immediately, or during the next maintenance window. " + type = bool + default = true +} + +variable "cluster_enable_cloudwatch_logs_exports" { + description = "A list of the log types this DB cluster is configured to export to Cloudwatch Logs. Currently only supports audit and slowquery" + type = list(string) + default = ["audit"] +} + +variable "cluster_storage_type" { + description = "Storage type associated with the cluster. Default: standard" + type = string + default = "standard" + validation { + condition = contains(["standard", "standard/iopt1"], var.cluster_storage_type) + error_message = "Invalid value. Pick either standard or standard/iopt1" + } +} + +variable "cluster_iam_database_authentication_enabled" { + description = " Specifies whether or not mappings of AWS Identity and Access Management (IAM) accounts to database accounts is enabled." + type = bool + default = true +} + +variable "cluster_preferred_maintenance_window" { + description = "Weekly time range during which system maintenance can occur, in (UTC)." + type = string + default = "sun:18:00-sun:21:00" +} + +variable "cluster_vpc_security_group_ids" { + description = "List of VPC security groups to associate with the Cluster" + type = list(string) + default = null +} + +#AWS Neptune instance variables +variable "instance_apply_immediately" { + description = "Specifies whether any instance modifications are applied immediately, or during the next maintenance window." + type = bool + default = true +} + +variable "instance_auto_minor_version_upgrade" { + description = "Indicates that minor engine upgrades will be applied automatically to the instance during the maintenance window. 
Default is true" + type = bool + default = false +} + +variable "instance_identifier" { + description = "The identifier for the neptune instance." + type = string +} + +variable "instance_class" { + description = "The instance class to use." + type = string + default = "db.t3.medium" +} + +variable "instance_neptune_subnet_group_name" { + description = "A subnet group to associate with this neptune instance. NOTE: This must match the neptune_subnet_group_name of the attached aws_neptune_cluster" + type = string + default = null +} + +variable "instance_neptune_parameter_group_name" { + description = "The name of the neptune parameter group to associate with this instance" + type = string + default = "default.neptune1" +} + +variable "instance_port" { + description = "The port on which the DB accepts connections. Defaults to 8182" + type = number + default = 8182 +} + +variable "instance_publicly_accessible" { + description = "Bool to control if instance is publicly accessible. Default is false" + type = bool + default = false +} + +#AWS cloudwatch variables +variable "log_group_retention_in_days" { + description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire." + type = number + default = 7 +} + +#DSFHUB variables +variable "aws_neptune_cluster_admin_email" { + description = "The email address to notify about this asset" + type = string +} + +variable "aws_neptune_cluster_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "aws_neptune_cluster_parent_asset_id" { + description = "The asset_id of AWS cloud account being used. E.g. Key-pair, iam_role, profile or default" + type = string +} + +variable "aws_neptune_cluster_region" { + description = "AWS region containing the instance." 
+ type = string +} + +variable "aws_log_group_audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + + + diff --git a/modules/onboard-aws-rds-mariadb/README.md b/modules/onboard-aws-rds-mariadb/README.md new file mode 100644 index 0000000..07df834 --- /dev/null +++ b/modules/onboard-aws-rds-mariadb/README.md 
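Review bot: The description of `instance_auto_minor_version_upgrade` says "Default is true" while the variable declares `default = false`, so the generated README will document the opposite of what the module applies. Either the text or the default should change; if `false` is intended (it is the safer choice for a module that pins `cluster_engine_version`), the description should end `Default is false`. The description of `cluster_iam_database_authentication_enabled` also carries a stray leading space (`" Specifies whether ..."`) that ends up verbatim in the docs table.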
@@ -0,0 +1,80 @@ +# onboard-aws-rds-mariadb +Onboard Amazon RDS for MariaDB to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-mariadb-asset](#module\_aws-rds-mariadb-asset) | ../dsfhub-aws-rds-mariadb | n/a | +| [mariadb-instance](#module\_mariadb-instance) | ../aws-rds-instance | n/a | +| [mariadb-log-group](#module\_mariadb-log-group) | ../aws-cloudwatch-log-group | n/a | +| [mariadb-option-group](#module\_mariadb-option-group) | ../aws-rds-option-group | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. 
| `string` | n/a | yes | +| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | +| [aws\_rds\_mariadb\_admin\_email](#input\_aws\_rds\_mariadb\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_rds\_mariadb\_gateway\_id](#input\_aws\_rds\_mariadb\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_rds\_mariadb\_parent\_asset\_id](#input\_aws\_rds\_mariadb\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events) | `string` | n/a | yes | +| [aws\_rds\_mariadb\_region](#input\_aws\_rds\_mariadb\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [instance\_allocated\_storage](#input\_instance\_allocated\_storage) | The allocated storage in gibibytes. If max\_allocated\_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate\_source\_db is set, the value is ignored during the creation of the instance. | `number` | `20` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any database modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [instance\_db\_name](#input\_instance\_db\_name) | The name of the database to create when the DB instance is created. | `string` | `"testdb"` | no | +| [instance\_deletion\_protection](#input\_instance\_deletion\_protection) | If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true. | `bool` | `false` | no | +| [instance\_enabled\_cloudwatch\_logs\_exports](#input\_instance\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. 
If omitted, no logs will be exported. | `list(string)` | `null` | no | +| [instance\_engine\_version](#input\_instance\_engine\_version) | Database engine version, e.g. "8.0" | `string` | `null` | no | +| [instance\_final\_snapshot\_identifier](#input\_instance\_final\_snapshot\_identifier) | The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip\_final\_snapshot is set to false. | `string` | `null` | no | +| [instance\_identifier](#input\_instance\_identifier) | Identifier of RDS instance | `string` | n/a | yes | +| [instance\_instance\_class](#input\_instance\_instance\_class) | The instance type of the RDS instance. | `string` | `"db.t3.small"` | no | +| [instance\_max\_allocated\_storage](#input\_instance\_max\_allocated\_storage) | When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated\_storage. | `number` | `null` | no | +| [instance\_parameter\_group\_name](#input\_instance\_parameter\_group\_name) | Name of the parameter group to associate with the RDS instance. | `string` | `null` | no | +| [instance\_password](#input\_instance\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. | `string` | n/a | yes | +| [instance\_port](#input\_instance\_port) | The port on which the DB accepts connections. | `string` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | Bool to control if instance is publicly accessible. | `bool` | `true` | no | +| [instance\_skip\_final\_snapshot](#input\_instance\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier. 
| `bool` | `true` | no | +| [instance\_subnet\_group\_name](#input\_instance\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | n/a | yes | +| [instance\_tags](#input\_instance\_tags) | A map of tags to assign to the RDS instance. | `map(string)` | `null` | no | +| [instance\_username](#input\_instance\_username) | Username for the master DB user. | `string` | `"admin"` | no | +| [instance\_vpc\_security\_group\_ids](#input\_instance\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(string)` | `null` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | +| [option\_group\_description](#input\_option\_group\_description) | The description of the DB option group. | `string` | `null` | no | +| [option\_group\_major\_engine\_version](#input\_option\_group\_major\_engine\_version) | value | `any` | n/a | yes | +| [option\_group\_name](#input\_option\_group\_name) | The name of the DB option group. | `string` | n/a | yes | +| [option\_group\_options](#input\_option\_group\_options) | List of objects containing options for the DB option group. |
list(
object({
option_name = string
option_settings = optional(
list(
object({
name = string
value = string
})
),
null
)
port = optional(string, null)
version = optional(string, null)
db_security_group_memberships = optional(list(string), null)
vpc_security_group_memberships = optional(list(string), null)
})
)
| n/a | yes | +| [option\_group\_tags](#input\_option\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws-log-group-asset](#output\_aws-log-group-asset) | aws log group asset | +| [aws-rds-mariadb-asset](#output\_aws-rds-mariadb-asset) | aws rds mariadb asset | +| [mariadb-instance](#output\_mariadb-instance) | mariadb instance | +| [mariadb-log-group](#output\_mariadb-log-group) | mariadb log group | +| [mariadb-option-group](#output\_mariadb-option-group) | mariadb option group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-mariadb/main.tf b/modules/onboard-aws-rds-mariadb/main.tf new file mode 100644 index 0000000..71eefb4 --- /dev/null +++ b/modules/onboard-aws-rds-mariadb/main.tf 
@@ -0,0 +1,71 @@
+module "mariadb-option-group" {
+ source = "../aws-rds-option-group"
+
+ description = var.option_group_description
+ engine_name = "mariadb"
+ major_engine_version = var.option_group_major_engine_version
+ name = var.option_group_name
+ options = var.option_group_options
+ tags = var.option_group_tags
+}
+
+module "mariadb-instance" {
+ depends_on = [module.mariadb-log-group]
+
+ source = "../aws-rds-instance"
+
+ allocated_storage = var.instance_allocated_storage
+ apply_immediately = var.instance_apply_immediately
+ db_name = var.instance_db_name
+ deletion_protection = var.instance_deletion_protection
+ enabled_cloudwatch_logs_exports = var.instance_enabled_cloudwatch_logs_exports
+ engine = "mariadb"
+ engine_version = var.instance_engine_version
+ final_snapshot_identifier = var.instance_final_snapshot_identifier
+ identifier = var.instance_identifier
+ instance_class = var.instance_instance_class
+ max_allocated_storage = var.instance_max_allocated_storage
+ option_group_name = module.mariadb-option-group.this.id
+ parameter_group_name = var.instance_parameter_group_name
+ password = var.instance_password
+ port = var.instance_port
+ publicly_accessible = var.instance_publicly_accessible
+ skip_final_snapshot = var.instance_skip_final_snapshot
+ subnet_group_name = var.instance_subnet_group_name
+ tags = var.instance_tags
+ username = var.instance_username
+ vpc_security_group_ids = var.instance_vpc_security_group_ids
+}
+
+module "mariadb-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/instance/${var.instance_identifier}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-mariadb-asset" {
+ source = "../dsfhub-aws-rds-mariadb"
+
+ admin_email = var.aws_rds_mariadb_admin_email
+ asset_display_name = module.mariadb-instance.this.identifier
+ asset_id = module.mariadb-instance.this.arn
+ database_name = module.mariadb-instance.this.db_name
+ gateway_id = var.aws_rds_mariadb_gateway_id
+ parent_asset_id = var.aws_rds_mariadb_parent_asset_id
+ region = var.aws_rds_mariadb_region
+ server_host_name = module.mariadb-instance.this.address
+ server_port = module.mariadb-instance.this.port
+}
+
+module "aws-log-group-asset" {
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.mariadb-log-group.this.arn}:*"
+ asset_id = "${module.mariadb-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.aws-rds-mariadb-asset.this.asset_id
+ region = var.aws_log_group_region
+}
diff --git a/modules/onboard-aws-rds-mariadb/outputs.tf b/modules/onboard-aws-rds-mariadb/outputs.tf
new file mode 100644
index 0000000..a6d06e4
--- /dev/null
+++ b/modules/onboard-aws-rds-mariadb/outputs.tf
@@ -0,0 +1,24 @@
+output "mariadb-option-group" {
+ description = "mariadb option group"
+ value = module.mariadb-option-group.this
+}
+
+output "mariadb-instance" {
+ description = "mariadb instance"
+ value = module.mariadb-instance.this
+}
+
+output "mariadb-log-group" {
+ description = "mariadb log group"
+ value = module.mariadb-log-group.this
+}
+
+output "aws-rds-mariadb-asset" {
+ description = "aws rds mariadb asset"
+ value = module.aws-rds-mariadb-asset.this
+}
+
+output "aws-log-group-asset" {
+ description = "aws log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-mariadb/variables.tf b/modules/onboard-aws-rds-mariadb/variables.tf
new file mode 100644
index 0000000..fdd47c6
--- /dev/null
+++ b/modules/onboard-aws-rds-mariadb/variables.tf
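Review bot: The `mariadb-log-group` module always creates `/aws/rds/instance/${var.instance_identifier}/audit`, but RDS only writes to that group when `enabled_cloudwatch_logs_exports` includes `"audit"`, and `mariadb-instance` passes `var.instance_enabled_cloudwatch_logs_exports` straight through, whose default in this commit's variables.tf is `null`. With module defaults the `aws-log-group-asset` therefore points the gateway at an empty log group and audit pull silently yields nothing; the Neptune module in this same commit defaults the equivalent variable to `["audit"]`, and the MySQL variant's README shows `["audit", "slowquery"]`, so `default = ["audit"]` here would keep the three modules consistent. Separately, the Neptune wiring sets `audit_type = "LOG_GROUP"` on its log-group asset while this one does not; if `../dsfhub-aws-log-group` has no default for that argument this will fail at plan time, which I cannot confirm from the diff.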
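Review bot: The `mariadb-instance` output exposes the whole `module.mariadb-instance.this` object without `sensitive = true`. If `this` is the underlying `aws_db_instance` resource (the `.arn`, `.address` and `.db_name` references in main.tf suggest it is), that object carries the master `password` attribute, which the AWS provider marks sensitive; Terraform then rejects the plan for an unmarked output, and even with the mark the value is persisted in the state of every caller. Adding `sensitive = true` to that output block, or exporting only the attributes callers need, avoids propagating the credential outward; the same applies to the `aws-rds-mariadb-asset` output if the DSF asset resource stores connection secrets.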
@@ -0,0 +1,201 @@ +variable "aws_rds_mariadb_admin_email" { + description = "The email address to notify about this asset" + type = string +} + +variable "aws_rds_mariadb_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "aws_rds_mariadb_parent_asset_id" { + description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events)" + type = string +} + +variable "aws_rds_mariadb_region" { + description = "AWS region containing the instance." + type = string +} + +variable "aws_log_group_admin_email" { + description = "The email address to notify about the asset." + type = string +} + +variable "aws_log_group_audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + +variable "aws_log_group_gateway_id" { + description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'." + type = string +} + +variable "aws_log_group_region" { + description = "AWS region of the log group" + type = string +} + +variable "instance_allocated_storage" { + description = "The allocated storage in gibibytes. If max_allocated_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate_source_db is set, the value is ignored during the creation of the instance." + type = number + default = 20 +} + +variable "instance_apply_immediately" { + description = "Specifies whether any database modifications are applied immediately, or during the next maintenance window." + type = bool + default = true +} + +variable "instance_db_name" { + description = "The name of the database to create when the DB instance is created." 
+ type = string + default = "testdb" +} + +variable "instance_subnet_group_name" { + description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available." + type = string +} + +variable "instance_deletion_protection" { + description = "If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true." + type = bool + default = false +} + +variable "instance_enabled_cloudwatch_logs_exports" { + description = "Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported." + type = list(string) + default = null +} + +variable "instance_engine_version" { + description = "Database engine version, e.g. \"8.0\"" + type = string + default = null +} + +variable "instance_final_snapshot_identifier" { + description = "The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip_final_snapshot is set to false." + type = string + default = null +} + +variable "instance_identifier" { + description = "Identifier of RDS instance" + type = string +} + +variable "instance_instance_class" { + description = "The instance type of the RDS instance." + type = string + default = "db.t3.small" +} + +variable "instance_max_allocated_storage" { + description = "When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage." + type = number + default = null +} + +variable "instance_parameter_group_name" { + description = "Name of the parameter group to associate with the RDS instance." + type = string + default = null +} + +variable "instance_password" { + description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file." 
+ type = string +} + +variable "instance_port" { + description = "The port on which the DB accepts connections." + type = string + default = null +} + +variable "instance_publicly_accessible" { + description = "Bool to control if instance is publicly accessible." + type = bool + default = true +} + +variable "instance_skip_final_snapshot" { + description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier." + type = bool + default = true +} + +variable "instance_tags" { + description = "A map of tags to assign to the RDS instance." + type = map(string) + default = null +} + +variable "instance_username" { + description = "Username for the master DB user." + type = string + default = "admin" +} + +variable "instance_vpc_security_group_ids" { + description = "List of VPC security groups to associate." + type = list(string) + default = null +} + +variable "log_group_retention_in_days" { + description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire." + type = number + default = 7 +} + +variable "option_group_description" { + description = "The description of the DB option group." + type = string + default = null +} + +variable "option_group_major_engine_version" { + description = "value" + type = any +} + +variable "option_group_name" { + description = "The name of the DB option group." + type = string +} + +variable "option_group_options" { + description = "List of objects containing options for the DB option group." 
+ type = list( + object({ + option_name = string + option_settings = optional( + list( + object({ + name = string + value = string + }) + ), + null + ) + port = optional(string, null) + version = optional(string, null) + db_security_group_memberships = optional(list(string), null) + vpc_security_group_memberships = optional(list(string), null) + }) + ) +} + +variable "option_group_tags" { + description = "A map of tags to assign to the resource." + type = map(string) + default = null +} diff --git a/modules/onboard-aws-rds-mysql-slow-query/README.md b/modules/onboard-aws-rds-mysql-slow-query/README.md new file mode 100644 index 0000000..d80db55 --- /dev/null +++ b/modules/onboard-aws-rds-mysql-slow-query/README.md 
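Review bot: `instance_password` is declared as a plain `string` with no `sensitive = true`, even though its own description warns that the value "may show up in logs"; the file already relies on `optional()` with defaults (Terraform 1.3+), so the attribute is available and would at least redact the value from plan and apply output: `sensitive = true`. `instance_publicly_accessible` also defaults to `true` here while the Neptune module in the same commit defaults the equivalent variable to `false`, so a caller copying one module's defaults to the other gets an internet-reachable database by accident; `default = false` would make the safe choice the default across both. Finally, `option_group_major_engine_version` has the placeholder description `"value"` and `type = any`, which renders as-is in the README; a real description and `type = string` would match the sibling option-group variables.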
@@ -0,0 +1,90 @@ +# onboard-aws-rds-mysql-slow-query +Onboard Amazon RDS for MySQL with slow query to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-log-group-audit-asset](#module\_aws-log-group-audit-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-log-group-slow-query-asset](#module\_aws-log-group-slow-query-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-mysql-asset](#module\_aws-rds-mysql-asset) | ../dsfhub-aws-rds-mysql | n/a | +| [mysql-audit-log-group](#module\_mysql-audit-log-group) | ../aws-cloudwatch-log-group | n/a | +| [mysql-instance](#module\_mysql-instance) | ../aws-rds-instance | n/a | +| [mysql-option-group](#module\_mysql-option-group) | ../aws-rds-option-group | n/a | +| [mysql-parameter-group](#module\_mysql-parameter-group) | ../aws-rds-parameter-group | n/a | +| [mysql-slow-query-log-group](#module\_mysql-slow-query-log-group) | ../aws-cloudwatch-log-group | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. 
| `string` | n/a | yes | +| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | +| [aws\_rds\_mysql\_admin\_email](#input\_aws\_rds\_mysql\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_rds\_mysql\_audit\_type](#input\_aws\_rds\_mysql\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [aws\_rds\_mysql\_gateway\_id](#input\_aws\_rds\_mysql\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_rds\_mysql\_parent\_asset\_id](#input\_aws\_rds\_mysql\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events) | `string` | n/a | yes | +| [aws\_rds\_mysql\_region](#input\_aws\_rds\_mysql\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [instance\_allocated\_storage](#input\_instance\_allocated\_storage) | The allocated storage in gibibytes. If max\_allocated\_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate\_source\_db is set, the value is ignored during the creation of the instance. | `number` | `20` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any database modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [instance\_db\_name](#input\_instance\_db\_name) | The name of the database to create when the DB instance is created. | `string` | `"testdb"` | no | +| [instance\_deletion\_protection](#input\_instance\_deletion\_protection) | If the DB instance should have deletion protection enabled. 
The database can't be deleted when this value is set to true. | `bool` | `false` | no | +| [instance\_enabled\_cloudwatch\_logs\_exports](#input\_instance\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. | `list(string)` |
[
"audit",
"slowquery"
]
| no | +| [instance\_engine\_version](#input\_instance\_engine\_version) | Database engine version, e.g. "8.0" | `string` | `null` | no | +| [instance\_final\_snapshot\_identifier](#input\_instance\_final\_snapshot\_identifier) | The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip\_final\_snapshot is set to false. | `string` | `null` | no | +| [instance\_identifier](#input\_instance\_identifier) | Identifier of RDS instance | `string` | n/a | yes | +| [instance\_instance\_class](#input\_instance\_instance\_class) | The instance type of the RDS instance. | `string` | `"db.t3.small"` | no | +| [instance\_max\_allocated\_storage](#input\_instance\_max\_allocated\_storage) | When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated\_storage. | `number` | `null` | no | +| [instance\_password](#input\_instance\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. | `string` | n/a | yes | +| [instance\_port](#input\_instance\_port) | The port on which the DB accepts connections. | `string` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | Bool to control if instance is publicly accessible. | `bool` | `true` | no | +| [instance\_skip\_final\_snapshot](#input\_instance\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier. | `bool` | `true` | no | +| [instance\_subnet\_group\_name](#input\_instance\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. 
If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | n/a | yes | +| [instance\_tags](#input\_instance\_tags) | A map of tags to assign to the RDS instance. | `map(string)` | `null` | no | +| [instance\_username](#input\_instance\_username) | Username for the master DB user. | `string` | `"admin"` | no | +| [instance\_vpc\_security\_group\_ids](#input\_instance\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(string)` | `null` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | +| [option\_group\_description](#input\_option\_group\_description) | The description of the DB option group. | `string` | `null` | no | +| [option\_group\_major\_engine\_version](#input\_option\_group\_major\_engine\_version) | value | `any` | n/a | yes | +| [option\_group\_name](#input\_option\_group\_name) | The name of the DB option group. | `string` | n/a | yes | +| [option\_group\_options](#input\_option\_group\_options) | List of objects containing options for the DB option group. |
list(
object({
option_name = string
option_settings = optional(
list(
object({
name = string
value = string
})
),
null
)
port = optional(string, null)
version = optional(string, null)
db_security_group_memberships = optional(list(string), null)
vpc_security_group_memberships = optional(list(string), null)
})
)
|
[
{
"option_name": "MARIADB_AUDIT_PLUGIN",
"option_settings": [
{
"name": "SERVER_AUDIT_EVENTS",
"value": "CONNECT,QUERY,QUERY_DDL,QUERY_DML,QUERY_DCL"
},
{
"name": "SERVER_AUDIT_EXCL_USERS",
"value": "rdsadmin"
}
]
}
]
| no | +| [option\_group\_tags](#input\_option\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [parameter\_group\_description](#input\_parameter\_group\_description) | The description of the DB parameter group. | `string` | `null` | no | +| [parameter\_group\_family](#input\_parameter\_group\_family) | The family of the DB parameter group. For example, 'oracle-ee', 'postgres', etc. | `string` | n/a | yes | +| [parameter\_group\_name](#input\_parameter\_group\_name) | The name of the DB parameter group. | `string` | `null` | no | +| [parameter\_group\_parameters](#input\_parameter\_group\_parameters) | List of objects containing parameters for the DB parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"name": "slow_query_log",
"value": 1
},
{
"name": "long_query_time",
"value": 60
},
{
"name": "log_output",
"value": "FILE"
},
{
"name": "log_slow_admin_statements",
"value": 1
}
]
| no | +| [parameter\_group\_tags](#input\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws-log-group-audit-asset](#output\_aws-log-group-audit-asset) | aws log group audit asset | +| [aws-log-group-slow-query-asset](#output\_aws-log-group-slow-query-asset) | aws log group slow query asset | +| [aws-rds-mysql-asset](#output\_aws-rds-mysql-asset) | aws rds mysql asset | +| [mysql-audit-log-group](#output\_mysql-audit-log-group) | mysql audit log group | +| [mysql-instance](#output\_mysql-instance) | mysql instance | +| [mysql-option-group](#output\_mysql-option-group) | mysql option group | +| [mysql-slow-query-log-group](#output\_mysql-slow-query-log-group) | mysql slow query log group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-mysql-slow-query/main.tf b/modules/onboard-aws-rds-mysql-slow-query/main.tf new file mode 100644 index 0000000..f55c7ce --- /dev/null +++ b/modules/onboard-aws-rds-mysql-slow-query/main.tf 
@@ -0,0 +1,105 @@
+module "mysql-option-group" {
+ source = "../aws-rds-option-group"
+
+ description = var.option_group_description
+ engine_name = "mysql"
+ major_engine_version = var.option_group_major_engine_version
+ name = var.option_group_name
+ options = var.option_group_options
+ tags = var.option_group_tags
+}
+
+module "mysql-parameter-group" {
+ source = "../aws-rds-parameter-group"
+
+ description = var.parameter_group_description
+ family = var.parameter_group_family
+ name = var.parameter_group_name
+ parameters = var.parameter_group_parameters
+ tags = var.parameter_group_tags
+}
+
+module "mysql-instance" {
+ depends_on = [module.mysql-audit-log-group, module.mysql-slow-query-log-group]
+
+ source = "../aws-rds-instance"
+
+ allocated_storage = var.instance_allocated_storage
+ apply_immediately = var.instance_apply_immediately
+ db_name = var.instance_db_name
+ deletion_protection = var.instance_deletion_protection
+ enabled_cloudwatch_logs_exports = var.instance_enabled_cloudwatch_logs_exports
+ engine = "mysql"
+ engine_version = var.instance_engine_version
+ final_snapshot_identifier = var.instance_final_snapshot_identifier
+ identifier = var.instance_identifier
+ instance_class = var.instance_instance_class
+ max_allocated_storage = var.instance_max_allocated_storage
+ option_group_name = module.mysql-option-group.this.id
+ parameter_group_name = module.mysql-parameter-group.this.name
+ password = var.instance_password
+ port = var.instance_port
+ publicly_accessible = var.instance_publicly_accessible
+ skip_final_snapshot = var.instance_skip_final_snapshot
+ subnet_group_name = var.instance_subnet_group_name
+ tags = var.instance_tags
+ username = var.instance_username
+ vpc_security_group_ids = var.instance_vpc_security_group_ids
+}
+
+module "mysql-audit-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/instance/${var.instance_identifier}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "mysql-slow-query-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/instance/${var.instance_identifier}/slowquery"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-mysql-asset" {
+ source = "../dsfhub-aws-rds-mysql"
+
+ admin_email = var.aws_rds_mysql_admin_email
+ asset_display_name = module.mysql-instance.this.identifier
+ asset_id = module.mysql-instance.this.arn
+ audit_type = var.aws_rds_mysql_audit_type
+ database_name = module.mysql-instance.this.db_name
+ gateway_id = var.aws_rds_mysql_gateway_id
+ parent_asset_id = var.aws_rds_mysql_parent_asset_id
+ region = var.aws_rds_mysql_region
+ server_host_name = module.mysql-instance.this.address
+ server_port = module.mysql-instance.this.port
+}
+
+module "aws-log-group-audit-asset" {
+ depends_on = [module.aws-rds-mysql-asset]
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.mysql-audit-log-group.this.arn}:*"
+ asset_id = "${module.mysql-audit-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.aws-rds-mysql-asset.this.asset_id
+ region = var.aws_log_group_region
+}
+
+module "aws-log-group-slow-query-asset" {
+ depends_on = [module.aws-log-group-audit-asset]
+
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.mysql-slow-query-log-group.this.arn}:*"
+ asset_id = "${module.mysql-slow-query-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ audit_type = "AWS_RDS_MYSQL_SLOW"
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.aws-rds-mysql-asset.this.asset_id
+ region = var.aws_log_group_region
+}
diff --git a/modules/onboard-aws-rds-mysql-slow-query/outputs.tf b/modules/onboard-aws-rds-mysql-slow-query/outputs.tf
new file mode 100644
index 0000000..0322239
--- /dev/null
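Review bot: `module "mysql-instance"` forwards the `instance_*` inputs but nothing for encryption at rest (`storage_encrypted` / `kms_key_id`), so unless `../aws-rds-instance` defaults `storage_encrypted = true` the instance and its final snapshot are created unencrypted; if the wrapper exposes it, thread it through as `storage_encrypted = var.instance_storage_encrypted` with a `true` default rather than relying on the wrapper's default. Two smaller points of style: `option_group_name` reads `module.mysql-option-group.this.id` while `parameter_group_name` reads `module.mysql-parameter-group.this.name`, and using `.name` for both reads more consistently; and the explicit `depends_on = [module.aws-rds-mysql-asset]` on `aws-log-group-audit-asset` is redundant because `parent_asset_id` already references that module.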
+++ b/modules/onboard-aws-rds-mysql-slow-query/outputs.tf
@@ -0,0 +1,34 @@
+output "mysql-option-group" {
+ description = "mysql option group"
+ value = module.mysql-option-group.this
+}
+
+output "mysql-instance" {
+ description = "mysql instance"
+ value = module.mysql-instance.this
+}
+
+output "mysql-audit-log-group" {
+ description = "mysql audit log group"
+ value = module.mysql-audit-log-group.this
+}
+
+output "mysql-slow-query-log-group" {
+ description = "mysql slow query log group"
+ value = module.mysql-slow-query-log-group.this
+}
+
+output "aws-rds-mysql-asset" {
+ description = "aws rds mysql asset"
+ value = module.aws-rds-mysql-asset.this
+}
+
+output "aws-log-group-audit-asset" {
+ description = "aws log group audit asset"
+ value = module.aws-log-group-audit-asset.this
+}
+
+output "aws-log-group-slow-query-asset" {
+ description = "aws log group slow query asset"
+ value = module.aws-log-group-slow-query-asset.this
+}
diff --git a/modules/onboard-aws-rds-mysql-slow-query/variables.tf b/modules/onboard-aws-rds-mysql-slow-query/variables.tf
new file mode 100644
index 0000000..a24bead
--- /dev/null
+++ b/modules/onboard-aws-rds-mysql-slow-query/variables.tf
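Review bot: `output "mysql-instance"` exposes the whole `module.mysql-instance.this` object; if `this` is the underlying `aws_db_instance` resource, that object carries its `password` attribute, so the master password is surfaced in the root module's outputs and in `terraform output` / CI logs. Either add `sensitive = true` to this output, or narrow it to the attributes consumers actually need, e.g. `value = { arn = module.mysql-instance.this.arn, address = module.mysql-instance.this.address, port = module.mysql-instance.this.port }`.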
@@ -0,0 +1,272 @@
+variable "aws_log_group_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_log_group_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_log_group_region" {
+ description = "AWS region of the log group"
+ type = string
+}
+
+variable "aws_rds_mysql_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_rds_mysql_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["LOG_GROUP", "AGGREGATED"], var.aws_rds_mysql_audit_type)
+ error_message = "Invalid auth mechanism. Pick either LOG_GROUP, or AGGREGATED."
+ }
+}
+
+variable "aws_rds_mysql_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_rds_mysql_parent_asset_id" {
+ description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events)"
+ type = string
+}
+
+variable "aws_rds_mysql_region" {
+ description = "AWS region containing the instance."
+ type = string
+}
+
+variable "instance_allocated_storage" {
+ description = "The allocated storage in gibibytes. If max_allocated_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate_source_db is set, the value is ignored during the creation of the instance."
+ type = number
+ default = 20
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any database modifications are applied immediately, or during the next maintenance window."
+ type = bool
+ default = true
+}
+
+variable "instance_db_name" {
+ description = "The name of the database to create when the DB instance is created."
+ type = string
+ default = "testdb"
+}
+
+variable "instance_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+}
+
+variable "instance_deletion_protection" {
+ description = "If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true."
+ type = bool
+ default = false
+}
+
+variable "instance_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported."
+ type = list(string)
+ default = ["audit", "slowquery"]
+}
+
+variable "instance_engine_version" {
+ description = "Database engine version, e.g. \"8.0\""
+ type = string
+ default = null
+}
+
+variable "instance_final_snapshot_identifier" {
+ description = "The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip_final_snapshot is set to false."
+ type = string
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "Identifier of RDS instance"
+ type = string
+}
+
+variable "instance_instance_class" {
+ description = "The instance type of the RDS instance."
+ type = string
+ default = "db.t3.small"
+}
+
+variable "instance_max_allocated_storage" {
+ description = "When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage."
+ type = number
+ default = null
+}
+
+variable "instance_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file."
+ type = string
+}
+
+variable "instance_port" {
+ description = "The port on which the DB accepts connections."
+ type = string
+ default = null
+}
+
+variable "instance_publicly_accessible" {
+ description = "Bool to control if instance is publicly accessible."
+ type = bool
+ default = true
+}
+
+variable "instance_skip_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier."
+ type = bool
+ default = true
+}
+
+variable "instance_tags" {
+ description = "A map of tags to assign to the RDS instance."
+ type = map(string)
+ default = null
+}
+
+variable "instance_username" {
+ description = "Username for the master DB user."
+ type = string
+ default = "admin"
+}
+
+variable "instance_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(string)
+ default = null
+}
+
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
+
+variable "option_group_description" {
+ description = "The description of the DB option group."
+ type = string
+ default = null
+}
+
+variable "option_group_major_engine_version" {
+ description = "value"
+ type = any
+}
+
+variable "option_group_name" {
+ description = "The name of the DB option group."
+ type = string
+}
+
+variable "option_group_options" {
+ description = "List of objects containing options for the DB option group."
+ type = list(
+ object({
+ option_name = string
+ option_settings = optional(
+ list(
+ object({
+ name = string
+ value = string
+ })
+ ),
+ null
+ )
+ port = optional(string, null)
+ version = optional(string, null)
+ db_security_group_memberships = optional(list(string), null)
+ vpc_security_group_memberships = optional(list(string), null)
+ })
+ )
+ default = [
+ {
+ option_name = "MARIADB_AUDIT_PLUGIN"
+ option_settings = [
+ {
+ name = "SERVER_AUDIT_EVENTS"
+ value = "CONNECT,QUERY,QUERY_DDL,QUERY_DML,QUERY_DCL"
+ },
+ {
+ name = "SERVER_AUDIT_EXCL_USERS"
+ value = "rdsadmin"
+ }
+ ]
+ }
+ ]
+}
+
+variable "option_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+variable "parameter_group_description" {
+ description = "The description of the DB parameter group."
+ type = string
+ default = null
+}
+
+variable "parameter_group_family" {
+ description = "The family of the DB parameter group. For example, 'oracle-ee', 'postgres', etc."
+ type = string
+}
+
+variable "parameter_group_name" {
+ description = "The name of the DB parameter group."
+ type = string
+ default = null
+}
+
+variable "parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "slow_query_log"
+ value = 1
+ },
+ {
+ name = "long_query_time"
+ value = 60
+ },
+ {
+ name = "log_output"
+ value = "FILE"
+ },
+ {
+ name = "log_slow_admin_statements"
+ value = 1
+ },
+ ]
+}
+
+variable "parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
\ No newline at end of file
diff --git a/modules/onboard-aws-rds-mysql/README.md b/modules/onboard-aws-rds-mysql/README.md
new file mode 100644
index 0000000..1871367
--- /dev/null
+++ b/modules/onboard-aws-rds-mysql/README.md
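Review bot: `variable "instance_publicly_accessible"` defaults to `true`, so a caller that sets only the required inputs gets an internet-reachable MySQL endpoint with the default `admin` master user; a module whose job is wiring up audit collection should default closed, `default = false`, and let the example opt in. `variable "instance_password"` is declared without `sensitive = true`, so its value is echoed in plan/apply output and CI logs even though its own description warns about that; add `sensitive = true` (the state-file caveat in the description still applies). Smaller points: the `validation` block on `aws_rds_mysql_audit_type` reports "Invalid auth mechanism" for what is an audit type, so `error_message = "Invalid audit type. Pick either LOG_GROUP, or AGGREGATED."`; and `option_group_major_engine_version` is typed `any` with the description "value", where `type = string` and a description such as "Major engine version the option group applies to, e.g. \"8.0\"" would match the rest of the file. `parameter_group_family`'s description cites 'oracle-ee' and 'postgres' as examples although `main.tf` hard-codes `engine = "mysql"`, so a MySQL example such as 'mysql8.0' is the one a caller needs.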
@@ -0,0 +1,81 @@ +# onboard-aws-rds-mysql +Onboard Amazon RDS for MySQL to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-mysql-asset](#module\_aws-rds-mysql-asset) | ../dsfhub-aws-rds-mysql | n/a | +| [mysql-instance](#module\_mysql-instance) | ../aws-rds-instance | n/a | +| [mysql-log-group](#module\_mysql-log-group) | ../aws-cloudwatch-log-group | n/a | +| [mysql-option-group](#module\_mysql-option-group) | ../aws-rds-option-group | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. 
| `string` | n/a | yes | +| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | +| [aws\_rds\_mysql\_admin\_email](#input\_aws\_rds\_mysql\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_rds\_mysql\_audit\_type](#input\_aws\_rds\_mysql\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [aws\_rds\_mysql\_gateway\_id](#input\_aws\_rds\_mysql\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_rds\_mysql\_parent\_asset\_id](#input\_aws\_rds\_mysql\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events) | `string` | n/a | yes | +| [aws\_rds\_mysql\_region](#input\_aws\_rds\_mysql\_region) | AWS region containing the instance. | `string` | n/a | yes | +| [instance\_allocated\_storage](#input\_instance\_allocated\_storage) | The allocated storage in gibibytes. If max\_allocated\_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate\_source\_db is set, the value is ignored during the creation of the instance. | `number` | `20` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any database modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [instance\_db\_name](#input\_instance\_db\_name) | The name of the database to create when the DB instance is created. | `string` | `"testdb"` | no | +| [instance\_deletion\_protection](#input\_instance\_deletion\_protection) | If the DB instance should have deletion protection enabled. 
The database can't be deleted when this value is set to true. | `bool` | `false` | no | +| [instance\_enabled\_cloudwatch\_logs\_exports](#input\_instance\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. | `list(string)` |
[
"audit"
]
| no | +| [instance\_engine\_version](#input\_instance\_engine\_version) | Database engine version, e.g. "8.0" | `string` | `null` | no | +| [instance\_final\_snapshot\_identifier](#input\_instance\_final\_snapshot\_identifier) | The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip\_final\_snapshot is set to false. | `string` | `null` | no | +| [instance\_identifier](#input\_instance\_identifier) | Identifier of RDS instance | `string` | n/a | yes | +| [instance\_instance\_class](#input\_instance\_instance\_class) | The instance type of the RDS instance. | `string` | `"db.t3.small"` | no | +| [instance\_max\_allocated\_storage](#input\_instance\_max\_allocated\_storage) | When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated\_storage. | `number` | `null` | no | +| [instance\_parameter\_group\_name](#input\_instance\_parameter\_group\_name) | Name of the parameter group to associate with the RDS instance. | `string` | `null` | no | +| [instance\_password](#input\_instance\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. | `string` | n/a | yes | +| [instance\_port](#input\_instance\_port) | The port on which the DB accepts connections. | `string` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | Bool to control if instance is publicly accessible. | `bool` | `true` | no | +| [instance\_skip\_final\_snapshot](#input\_instance\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier. 
| `bool` | `true` | no | +| [instance\_subnet\_group\_name](#input\_instance\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | n/a | yes | +| [instance\_tags](#input\_instance\_tags) | A map of tags to assign to the RDS instance. | `map(string)` | `null` | no | +| [instance\_username](#input\_instance\_username) | Username for the master DB user. | `string` | `"admin"` | no | +| [instance\_vpc\_security\_group\_ids](#input\_instance\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(string)` | `null` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | +| [option\_group\_description](#input\_option\_group\_description) | The description of the DB option group. | `string` | `null` | no | +| [option\_group\_major\_engine\_version](#input\_option\_group\_major\_engine\_version) | value | `any` | n/a | yes | +| [option\_group\_name](#input\_option\_group\_name) | The name of the DB option group. | `string` | n/a | yes | +| [option\_group\_options](#input\_option\_group\_options) | List of objects containing options for the DB option group. |
list(
object({
option_name = string
option_settings = optional(
list(
object({
name = string
value = string
})
),
null
)
port = optional(string, null)
version = optional(string, null)
db_security_group_memberships = optional(list(string), null)
vpc_security_group_memberships = optional(list(string), null)
})
)
|
[
{
"option_name": "MARIADB_AUDIT_PLUGIN",
"option_settings": [
{
"name": "SERVER_AUDIT_EVENTS",
"value": "CONNECT,QUERY,QUERY_DDL,QUERY_DML,QUERY_DCL"
},
{
"name": "SERVER_AUDIT_EXCL_USERS",
"value": "rdsadmin"
}
]
}
]
| no | +| [option\_group\_tags](#input\_option\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws-log-group-asset](#output\_aws-log-group-asset) | aws log group asset | +| [aws-rds-mysql-asset](#output\_aws-rds-mysql-asset) | aws rds mysql asset | +| [mysql-instance](#output\_mysql-instance) | mysql instance | +| [mysql-log-group](#output\_mysql-log-group) | mysql log group | +| [mysql-option-group](#output\_mysql-option-group) | mysql option group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-mysql/main.tf b/modules/onboard-aws-rds-mysql/main.tf new file mode 100644 index 0000000..a90429a --- /dev/null +++ b/modules/onboard-aws-rds-mysql/main.tf 
@@ -0,0 +1,72 @@
+module "mysql-option-group" {
+ source = "../aws-rds-option-group"
+
+ description = var.option_group_description
+ engine_name = "mysql"
+ major_engine_version = var.option_group_major_engine_version
+ name = var.option_group_name
+ options = var.option_group_options
+ tags = var.option_group_tags
+}
+
+module "mysql-instance" {
+ depends_on = [module.mysql-log-group]
+
+ source = "../aws-rds-instance"
+
+ allocated_storage = var.instance_allocated_storage
+ apply_immediately = var.instance_apply_immediately
+ db_name = var.instance_db_name
+ deletion_protection = var.instance_deletion_protection
+ enabled_cloudwatch_logs_exports = var.instance_enabled_cloudwatch_logs_exports
+ engine = "mysql"
+ engine_version = var.instance_engine_version
+ final_snapshot_identifier = var.instance_final_snapshot_identifier
+ identifier = var.instance_identifier
+ instance_class = var.instance_instance_class
+ max_allocated_storage = var.instance_max_allocated_storage
+ option_group_name = module.mysql-option-group.this.id
+ parameter_group_name = var.instance_parameter_group_name
+ password = var.instance_password
+ port = var.instance_port
+ publicly_accessible = var.instance_publicly_accessible
+ skip_final_snapshot = var.instance_skip_final_snapshot
+ subnet_group_name = var.instance_subnet_group_name
+ tags = var.instance_tags
+ username = var.instance_username
+ vpc_security_group_ids = var.instance_vpc_security_group_ids
+}
+
+module "mysql-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/instance/${var.instance_identifier}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-mysql-asset" {
+ source = "../dsfhub-aws-rds-mysql"
+
+ admin_email = var.aws_rds_mysql_admin_email
+ asset_display_name = module.mysql-instance.this.identifier
+ asset_id = module.mysql-instance.this.arn
+ audit_type = var.aws_rds_mysql_audit_type
+ database_name = module.mysql-instance.this.db_name
+ gateway_id = var.aws_rds_mysql_gateway_id
+ parent_asset_id = var.aws_rds_mysql_parent_asset_id
+ region = var.aws_rds_mysql_region
+ server_host_name = module.mysql-instance.this.address
+ server_port = module.mysql-instance.this.port
+}
+
+module "aws-log-group-asset" {
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.mysql-log-group.this.arn}:*"
+ asset_id = "${module.mysql-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.aws-rds-mysql-asset.this.asset_id
+ region = var.aws_log_group_region
+}
diff --git a/modules/onboard-aws-rds-mysql/outputs.tf b/modules/onboard-aws-rds-mysql/outputs.tf
new file mode 100644
index 0000000..f86a84b
--- /dev/null
+++ b/modules/onboard-aws-rds-mysql/outputs.tf
@@ -0,0 +1,24 @@
+output "mysql-option-group" {
+ description = "mysql option group"
+ value = module.mysql-option-group.this
+}
+
+output "mysql-instance" {
+ description = "mysql instance"
+ value = module.mysql-instance.this
+}
+
+output "mysql-log-group" {
+ description = "mysql log group"
+ value = module.mysql-log-group.this
+}
+
+output "aws-rds-mysql-asset" {
+ description = "aws rds mysql asset"
+ value = module.aws-rds-mysql-asset.this
+}
+
+output "aws-log-group-asset" {
+ description = "aws log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-mysql/variables.tf b/modules/onboard-aws-rds-mysql/variables.tf
new file mode 100644
index 0000000..ea5cd25
--- /dev/null
+++ b/modules/onboard-aws-rds-mysql/variables.tf
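Review bot: `module "mysql-log-group"` manages only the `/audit` log group, while the exported log types are caller-controlled through `instance_enabled_cloudwatch_logs_exports`, so any other type a caller adds (`error`, `general`, `slowquery`) ends up in a log group that this module neither creates with a retention policy nor onboards to DSF Hub; that is worth stating in the variable description, or guarding with a `validation` that `contains(var.instance_enabled_cloudwatch_logs_exports, "audit")`. Separately, nothing for encryption at rest (`storage_encrypted` / `kms_key_id`) is passed to `../aws-rds-instance`; if that wrapper exposes it, thread it through with a `true` default rather than depending on the wrapper's default.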
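Review bot: `output "mysql-instance"` returns the entire `module.mysql-instance.this` object; if `this` is the `aws_db_instance` resource that object includes its `password` attribute, so the master password becomes part of the calling module's outputs and of `terraform output` / CI logs. Mark the output `sensitive = true`, or restrict it to what consumers need, e.g. `value = { arn = module.mysql-instance.this.arn, address = module.mysql-instance.this.address, port = module.mysql-instance.this.port }`.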
@@ -0,0 +1,226 @@
+variable "aws_log_group_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_log_group_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_log_group_region" {
+ description = "AWS region of the log group"
+ type = string
+}
+
+variable "aws_rds_mysql_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_rds_mysql_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["LOG_GROUP", "AGGREGATED"], var.aws_rds_mysql_audit_type)
+ error_message = "Invalid auth mechanism. Pick either LOG_GROUP, or AGGREGATED."
+ }
+}
+
+variable "aws_rds_mysql_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_rds_mysql_parent_asset_id" {
+ description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events)"
+ type = string
+}
+
+variable "aws_rds_mysql_region" {
+ description = "AWS region containing the instance."
+ type = string
+}
+
+variable "instance_allocated_storage" {
+ description = "The allocated storage in gibibytes. If max_allocated_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate_source_db is set, the value is ignored during the creation of the instance."
+ type = number
+ default = 20
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any database modifications are applied immediately, or during the next maintenance window."
+ type = bool
+ default = true
+}
+
+variable "instance_db_name" {
+ description = "The name of the database to create when the DB instance is created."
+ type = string
+ default = "testdb"
+}
+
+variable "instance_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+}
+
+variable "instance_deletion_protection" {
+ description = "If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true."
+ type = bool
+ default = false
+}
+
+variable "instance_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported."
+ type = list(string)
+ default = ["audit"]
+}
+
+variable "instance_engine_version" {
+ description = "Database engine version, e.g. \"8.0\""
+ type = string
+ default = null
+}
+
+variable "instance_final_snapshot_identifier" {
+ description = "The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip_final_snapshot is set to false."
+ type = string
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "Identifier of RDS instance"
+ type = string
+}
+
+variable "instance_instance_class" {
+ description = "The instance type of the RDS instance."
+ type = string
+ default = "db.t3.small"
+}
+
+variable "instance_max_allocated_storage" {
+ description = "When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage."
+ type = number
+ default = null
+}
+
+variable "instance_parameter_group_name" {
+ description = "Name of the parameter group to associate with the RDS instance."
+ type = string
+ default = null
+}
+
+variable "instance_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file."
+ type = string
+}
+
+variable "instance_port" {
+ description = "The port on which the DB accepts connections."
+ type = string
+ default = null
+}
+
+variable "instance_publicly_accessible" {
+ description = "Bool to control if instance is publicly accessible."
+ type = bool
+ default = true
+}
+
+variable "instance_skip_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier."
+ type = bool
+ default = true
+}
+
+variable "instance_tags" {
+ description = "A map of tags to assign to the RDS instance."
+ type = map(string)
+ default = null
+}
+
+variable "instance_username" {
+ description = "Username for the master DB user."
+ type = string
+ default = "admin"
+}
+
+variable "instance_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(string)
+ default = null
+}
+
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
+
+variable "option_group_description" {
+ description = "The description of the DB option group."
+ type = string
+ default = null
+}
+
+variable "option_group_major_engine_version" {
+ description = "value"
+ type = any
+}
+
+variable "option_group_name" {
+ description = "The name of the DB option group."
+ type = string
+}
+
+variable "option_group_options" {
+ description = "List of objects containing options for the DB option group."
+ type = list(
+ object({
+ option_name = string
+ option_settings = optional(
+ list(
+ object({
+ name = string
+ value = string
+ })
+ ),
+ null
+ )
+ port = optional(string, null)
+ version = optional(string, null)
+ db_security_group_memberships = optional(list(string), null)
+ vpc_security_group_memberships = optional(list(string), null)
+ })
+ )
+ default = [
+ {
+ option_name = "MARIADB_AUDIT_PLUGIN"
+ option_settings = [
+ {
+ name = "SERVER_AUDIT_EVENTS"
+ value = "CONNECT,QUERY,QUERY_DDL,QUERY_DML,QUERY_DCL"
+ },
+ {
+ name = "SERVER_AUDIT_EXCL_USERS"
+ value = "rdsadmin"
+ }
+ ]
+ }
+ ]
+}
+
+variable "option_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
diff --git a/modules/onboard-aws-rds-oracle-standard/README.md b/modules/onboard-aws-rds-oracle-standard/README.md
new file mode 100644
index 0000000..1108020
--- /dev/null
+++ b/modules/onboard-aws-rds-oracle-standard/README.md
@@ -0,0 +1,82 @@ +# onboard-aws-rds-oracle-standard +Onboard Amazon RDS for Oracle (Standard Audit via CloudWatch) to DSF Hub. + +## Notes +There are two prerequisites for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. +2. A method to create an audit policy on the Oracle instance. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-log-group-asset](#module\_aws-log-group-asset) | ../dsfhub-aws-log-group | n/a | +| [aws-rds-oracle-asset](#module\_aws-rds-oracle-asset) | ../dsfhub-aws-rds-oracle | n/a | +| [oracle-instance](#module\_oracle-instance) | ../aws-rds-instance | n/a | +| [oracle-log-group](#module\_oracle-log-group) | ../aws-cloudwatch-log-group | n/a | +| [oracle-parameter-group](#module\_oracle-parameter-group) | ../aws-rds-parameter-group | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_log\_group\_admin\_email](#input\_aws\_log\_group\_admin\_email) | The email address to notify about the asset. | `string` | n/a | yes | +| [aws\_log\_group\_audit\_pull\_enabled](#input\_aws\_log\_group\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_log\_group\_gateway\_id](#input\_aws\_log\_group\_gateway\_id) | The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'. 
| `string` | n/a | yes | +| [aws\_log\_group\_region](#input\_aws\_log\_group\_region) | AWS region of the log group | `string` | n/a | yes | +| [aws\_rds\_oracle\_admin\_email](#input\_aws\_rds\_oracle\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_rds\_oracle\_audit\_type](#input\_aws\_rds\_oracle\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"LOG_GROUP"` | no | +| [aws\_rds\_oracle\_gateway\_id](#input\_aws\_rds\_oracle\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_rds\_oracle\_parent\_asset\_id](#input\_aws\_rds\_oracle\_parent\_asset\_id) | The asset\_id that contains this asset (e.g. Asset ID of the database sending audit events) | `string` | n/a | yes | +| [aws\_rds\_oracle\_region](#input\_aws\_rds\_oracle\_region) | AWS region containing the instance. | `string` | `null` | no | +| [instance\_allocated\_storage](#input\_instance\_allocated\_storage) | The allocated storage in gibibytes. If max\_allocated\_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate\_source\_db is set, the value is ignored during the creation of the instance. | `number` | `20` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any database modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [instance\_db\_name](#input\_instance\_db\_name) | The Oracle System ID (SID) of the created RDS Custom DB instance. | `string` | `"ORCL"` | no | +| [instance\_deletion\_protection](#input\_instance\_deletion\_protection) | If the DB instance should have deletion protection enabled. 
The database can't be deleted when this value is set to true. | `bool` | `false` | no | +| [instance\_enabled\_cloudwatch\_logs\_exports](#input\_instance\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. | `list(string)` |
[
"audit"
]
| no | +| [instance\_engine\_version](#input\_instance\_engine\_version) | Database engine version, e.g. "8.0" | `string` | `null` | no | +| [instance\_final\_snapshot\_identifier](#input\_instance\_final\_snapshot\_identifier) | The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip\_final\_snapshot is set to false. | `string` | `null` | no | +| [instance\_identifier](#input\_instance\_identifier) | Identifier of RDS instance | `string` | n/a | yes | +| [instance\_instance\_class](#input\_instance\_instance\_class) | The instance type of the RDS instance. | `string` | `"db.t3.small"` | no | +| [instance\_max\_allocated\_storage](#input\_instance\_max\_allocated\_storage) | When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated\_storage. | `number` | `null` | no | +| [instance\_option\_group\_name](#input\_instance\_option\_group\_name) | Name of the option group to associate with the RDS instance. | `string` | `null` | no | +| [instance\_password](#input\_instance\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. | `string` | n/a | yes | +| [instance\_port](#input\_instance\_port) | The port on which the DB accepts connections. | `string` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | Bool to control if instance is publicly accessible. | `bool` | `true` | no | +| [instance\_skip\_final\_snapshot](#input\_instance\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier. 
| `bool` | `true` | no | +| [instance\_subnet\_group\_name](#input\_instance\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | n/a | yes | +| [instance\_tags](#input\_instance\_tags) | A map of tags to assign to the RDS instance. | `map(string)` | `null` | no | +| [instance\_username](#input\_instance\_username) | Username for the master DB user. | `string` | `"admin"` | no | +| [instance\_vpc\_security\_group\_ids](#input\_instance\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(string)` | `null` | no | +| [log\_group\_retention\_in\_days](#input\_log\_group\_retention\_in\_days) | Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire. | `number` | `7` | no | +| [parameter\_group\_description](#input\_parameter\_group\_description) | The description of the DB parameter group. | `string` | `null` | no | +| [parameter\_group\_family](#input\_parameter\_group\_family) | The family of the DB parameter group. For example, 'oracle-ee', 'postgres', etc. | `string` | n/a | yes | +| [parameter\_group\_name](#input\_parameter\_group\_name) | The name of the DB parameter group. | `string` | `null` | no | +| [parameter\_group\_parameters](#input\_parameter\_group\_parameters) | List of objects containing parameters for the DB parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"apply_method": "pending-reboot",
"name": "audit_trail",
"value": "OS"
}
]
| no | +| [parameter\_group\_tags](#input\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws-log-group-asset](#output\_aws-log-group-asset) | aws log group asset | +| [aws-rds-oracle-asset](#output\_aws-rds-oracle-asset) | aws rds oracle asset | +| [oracle-instance](#output\_oracle-instance) | oracle instance | +| [oracle-log-group](#output\_oracle-log-group) | value | +| [oracle-parameter-group](#output\_oracle-parameter-group) | oracle parameter group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-oracle-standard/main.tf b/modules/onboard-aws-rds-oracle-standard/main.tf new file mode 100644 index 0000000..5b0dfcd --- /dev/null +++ b/modules/onboard-aws-rds-oracle-standard/main.tf 
@@ -0,0 +1,69 @@
+module "oracle-parameter-group" {
+ source = "../aws-rds-parameter-group"
+
+ description = var.parameter_group_description
+ family = var.parameter_group_family
+ name = var.parameter_group_name
+ parameters = var.parameter_group_parameters
+ tags = var.parameter_group_tags
+}
+
+module "oracle-instance" {
+ source = "../aws-rds-instance"
+
+ allocated_storage = var.instance_allocated_storage
+ apply_immediately = var.instance_apply_immediately
+ db_name = var.instance_db_name
+ deletion_protection = var.instance_deletion_protection
+ enabled_cloudwatch_logs_exports = var.instance_enabled_cloudwatch_logs_exports
+ engine = "oracle-ee"
+ engine_version = var.instance_engine_version
+ final_snapshot_identifier = var.instance_final_snapshot_identifier
+ identifier = var.instance_identifier
+ instance_class = var.instance_instance_class
+ max_allocated_storage = var.instance_max_allocated_storage
+ option_group_name = var.instance_option_group_name
+ parameter_group_name = module.oracle-parameter-group.this.id
+ password = var.instance_password
+ port = var.instance_port
+ publicly_accessible = var.instance_publicly_accessible
+ skip_final_snapshot = var.instance_skip_final_snapshot
+ subnet_group_name = var.instance_subnet_group_name
+ tags = var.instance_tags
+ username = var.instance_username
+ vpc_security_group_ids = var.instance_vpc_security_group_ids
+}
+
+module "oracle-log-group" {
+ source = "../aws-cloudwatch-log-group"
+
+ name = "/aws/rds/instance/${var.instance_identifier}/audit"
+ retention_in_days = var.log_group_retention_in_days
+}
+
+module "aws-rds-oracle-asset" {
+ source = "../dsfhub-aws-rds-oracle"
+
+ admin_email = var.aws_rds_oracle_admin_email
+ asset_display_name = module.oracle-instance.this.identifier
+ asset_id = module.oracle-instance.this.arn
+ audit_type = var.aws_rds_oracle_audit_type
+ gateway_id = var.aws_rds_oracle_gateway_id
+ parent_asset_id = var.aws_rds_oracle_parent_asset_id
+ region = 
var.aws_rds_oracle_region
+ server_host_name = module.oracle-instance.this.address
+ server_port = module.oracle-instance.this.port
+ service_name = module.oracle-instance.this.db_name
+}
+
+module "aws-log-group-asset" {
+ source = "../dsfhub-aws-log-group"
+
+ admin_email = var.aws_log_group_admin_email
+ asset_display_name = "${module.oracle-log-group.this.arn}:*"
+ asset_id = "${module.oracle-log-group.this.arn}:*"
+ audit_pull_enabled = var.aws_log_group_audit_pull_enabled
+ gateway_id = var.aws_log_group_gateway_id
+ parent_asset_id = module.aws-rds-oracle-asset.this.asset_id
+ region = var.aws_log_group_region
+}
diff --git a/modules/onboard-aws-rds-oracle-standard/outputs.tf b/modules/onboard-aws-rds-oracle-standard/outputs.tf
new file mode 100644
index 0000000..d37d8cc
--- /dev/null
+++ b/modules/onboard-aws-rds-oracle-standard/outputs.tf
@@ -0,0 +1,24 @@
+output "oracle-parameter-group" {
+ description = "oracle parameter group"
+ value = module.oracle-parameter-group.this
+}
+
+output "oracle-instance" {
+ description = "oracle instance"
+ value = module.oracle-instance.this
+}
+
+output "oracle-log-group" {
+ description = "value"
+ value = module.oracle-log-group.this
+}
+
+output "aws-rds-oracle-asset" {
+ description = "aws rds oracle asset"
+ value = module.aws-rds-oracle-asset.this
+}
+
+output "aws-log-group-asset" {
+ description = "aws log group asset"
+ value = module.aws-log-group-asset.this
+}
diff --git a/modules/onboard-aws-rds-oracle-standard/variables.tf b/modules/onboard-aws-rds-oracle-standard/variables.tf
new file mode 100644
index 0000000..cb0b460
--- /dev/null
+++ b/modules/onboard-aws-rds-oracle-standard/variables.tf
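Review bot: `module "oracle-instance"` and `module "oracle-log-group"` are not ordered relative to each other, yet the group name `/aws/rds/instance/${var.instance_identifier}/audit` is the one RDS creates on its own once `audit` is in `enabled_cloudwatch_logs_exports` (the default in this module), so whichever side finishes first presumably decides whether the explicit group with its `retention_in_days` is applied or the apply fails on an already-existing group. Adding `depends_on = [module.oracle-log-group]` to the `oracle-instance` block makes the group and its retention exist before the export is enabled. Separately, `engine = "oracle-ee"` is pinned while `parameter_group_family` is free-form input; a comment such as `# engine is pinned to oracle-ee, so parameter_group_family must be an oracle-ee family` on the engine line would save a late failure at the AWS API.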
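Review bot: `output "oracle-log-group"` still carries the placeholder `description = "value"`, which terraform-docs has already copied into the README's Outputs table; `description = "CloudWatch log group that receives the instance audit export"` matches what main.tf wires to it. The other outputs return whole module objects: `module.oracle-instance.this` presumably includes the master `password` attribute, and in the unified module's outputs.tf further down this diff `module.aws-rds-oracle-asset.this` includes the audit-pull connection password, so if the inner modules return the raw resource objects these outputs will need `sensitive = true` and callers should avoid echoing them in their own outputs.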
@@ -0,0 +1,209 @@
+variable "aws_log_group_admin_email" {
+ description = "The email address to notify about the asset."
+ type = string
+}
+
+variable "aws_log_group_audit_pull_enabled" {
+ description = "If true, sonargateway will collect the audit logs for this system if it can."
+ type = bool
+ default = false
+}
+
+variable "aws_log_group_gateway_id" {
+ description = "The jsonarUid unique identifier of the agentless gateway. Example: '7a4af7cf-4292-89d9-46ec-183756ksdjd'."
+ type = string
+}
+
+variable "aws_log_group_region" {
+ description = "AWS region of the log group"
+ type = string
+}
+
+variable "aws_rds_oracle_admin_email" {
+ description = "The email address to notify about this asset"
+ type = string
+}
+
+variable "aws_rds_oracle_audit_type" {
+ description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details"
+ type = string
+ default = "LOG_GROUP"
+ validation {
+ condition = contains(["LOG_GROUP", "AGGREGATED"], var.aws_rds_oracle_audit_type)
+ error_message = "Invalid Value. Select from LOG_GROUP, or AGGREGATED."
+ }
+}
+
+variable "aws_rds_oracle_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the asset"
+ type = string
+}
+
+variable "aws_rds_oracle_parent_asset_id" {
+ description = "The asset_id that contains this asset (e.g. Asset ID of the database sending audit events)"
+ type = string
+}
+
+variable "aws_rds_oracle_region" {
+ description = "AWS region containing the instance."
+ type = string
+ default = null
+}
+
+variable "log_group_retention_in_days" {
+ description = "Specifies the number of days you want to retain log events in the specified log group. If you select 0, the events in the log group are always retained and never expire."
+ type = number
+ default = 7
+}
+
+variable "parameter_group_description" {
+ description = "The description of the DB parameter group." 
+ type = string
+ default = null
+}
+
+variable "parameter_group_family" {
+ description = "The family of the DB parameter group. For example, 'oracle-ee', 'postgres', etc."
+ type = string
+}
+
+variable "parameter_group_name" {
+ description = "The name of the DB parameter group."
+ type = string
+ default = null
+}
+
+variable "parameter_group_parameters" {
+ description = "List of objects containing parameters for the DB parameter group."
+ type = list(
+ object({
+ name = string
+ apply_method = optional(string, "immediate")
+ value = any
+ })
+ )
+ default = [
+ {
+ name = "audit_trail"
+ value = "OS"
+ apply_method = "pending-reboot"
+ }
+ ]
+}
+
+variable "parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+variable "instance_allocated_storage" {
+ description = "The allocated storage in gibibytes. If max_allocated_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate_source_db is set, the value is ignored during the creation of the instance."
+ type = number
+ default = 20
+}
+
+variable "instance_apply_immediately" {
+ description = "Specifies whether any database modifications are applied immediately, or during the next maintenance window."
+ type = bool
+ default = true
+}
+
+variable "instance_db_name" {
+ description = "The Oracle System ID (SID) of the created RDS Custom DB instance."
+ type = string
+ default = "ORCL"
+}
+
+variable "instance_subnet_group_name" {
+ description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available."
+ type = string
+}
+
+variable "instance_deletion_protection" {
+ description = "If the DB instance should have deletion protection enabled. 
The database can't be deleted when this value is set to true."
+ type = bool
+ default = false
+}
+
+variable "instance_enabled_cloudwatch_logs_exports" {
+ description = "Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported."
+ type = list(string)
+ default = ["audit"]
+}
+
+variable "instance_engine_version" {
+ description = "Database engine version, e.g. \"8.0\""
+ type = string
+ default = null
+}
+
+variable "instance_final_snapshot_identifier" {
+ description = "The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip_final_snapshot is set to false."
+ type = string
+ default = null
+}
+
+variable "instance_identifier" {
+ description = "Identifier of RDS instance"
+ type = string
+}
+
+variable "instance_instance_class" {
+ description = "The instance type of the RDS instance."
+ type = string
+ default = "db.t3.small"
+}
+
+variable "instance_max_allocated_storage" {
+ description = "When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage."
+ type = number
+ default = null
+}
+
+variable "instance_option_group_name" {
+ description = "Name of the option group to associate with the RDS instance."
+ type = string
+ default = null
+}
+
+variable "instance_password" {
+ description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file."
+ type = string
+}
+
+variable "instance_port" {
+ description = "The port on which the DB accepts connections."
+ type = string
+ default = null
+}
+
+variable "instance_publicly_accessible" {
+ description = "Bool to control if instance is publicly accessible."
+ type = bool
+ default = true
+}
+
+variable "instance_skip_final_snapshot" {
+ description = "Determines whether a final DB snapshot is created before the DB instance is deleted. 
If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier."
+ type = bool
+ default = true
+}
+
+variable "instance_tags" {
+ description = "A map of tags to assign to the RDS instance."
+ type = map(string)
+ default = null
+}
+
+variable "instance_username" {
+ description = "Username for the master DB user."
+ type = string
+ default = "admin"
+}
+
+variable "instance_vpc_security_group_ids" {
+ description = "List of VPC security groups to associate."
+ type = list(string)
+ default = null
+}
diff --git a/modules/onboard-aws-rds-oracle-unified/README.md b/modules/onboard-aws-rds-oracle-unified/README.md
new file mode 100644
index 0000000..dff850a
--- /dev/null
+++ b/modules/onboard-aws-rds-oracle-unified/README.md
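Review bot: `instance_publicly_accessible` defaults to `true`, so a caller who accepts the defaults gets an Oracle instance with a public endpoint while `instance_vpc_security_group_ids` is left at `null`; for an onboarding module whose audit data arrives through CloudWatch a public endpoint is not needed, so `default = false` is the safer default and callers who need one can opt in. `instance_password` is declared as a plain `string` even though its own description says it may show up in logs; `sensitive = true` on that variable keeps the value out of plan output (state is unaffected, as the description already notes). Both points apply equally to the unified module's variables.tf, whose hunk begins after the last file header in this chunk but is cut off at its end, where `aws_rds_oracle_password` is likewise not marked sensitive.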
@@ -0,0 +1,80 @@ +# onboard-aws-rds-oracle-unified +Onboard Amazon RDS for Oracle (Unified Audit) to DSF Hub. + +## Notes +There are two prerequisites for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from CloudWatch log groups. +2. A method to create an audit pull user, as well as an audit policy on the Oracle instance. + +See the corresponding example for more details. + + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [aws-rds-oracle-asset](#module\_aws-rds-oracle-asset) | ../dsfhub-aws-rds-oracle | n/a | +| [oracle-instance](#module\_oracle-instance) | ../aws-rds-instance | n/a | +| [oracle-parameter-group](#module\_oracle-parameter-group) | ../aws-rds-parameter-group | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_rds\_oracle\_admin\_email](#input\_aws\_rds\_oracle\_admin\_email) | The email address to notify about this asset | `string` | n/a | yes | +| [aws\_rds\_oracle\_audit\_pull\_enabled](#input\_aws\_rds\_oracle\_audit\_pull\_enabled) | If true, sonargateway will collect the audit logs for this system if it can. | `bool` | `false` | no | +| [aws\_rds\_oracle\_audit\_type](#input\_aws\_rds\_oracle\_audit\_type) | Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details | `string` | `"UNIFIED"` | no | +| [aws\_rds\_oracle\_auth\_mechanism](#input\_aws\_rds\_oracle\_auth\_mechanism) | Specifies the auth mechanism used by the connection | `string` | `"password"` | no | +| [aws\_rds\_oracle\_dsn](#input\_aws\_rds\_oracle\_dsn) | Datasource name to use in odbc.ini. If using the asset for SDM, keep a dummy DSN value. 
| `string` | `null` | no | +| [aws\_rds\_oracle\_gateway\_id](#input\_aws\_rds\_oracle\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the asset | `string` | n/a | yes | +| [aws\_rds\_oracle\_password](#input\_aws\_rds\_oracle\_password) | Password to use to connect to Oracle database. Must not include semicolons. | `string` | n/a | yes | +| [aws\_rds\_oracle\_reason](#input\_aws\_rds\_oracle\_reason) | Used to differentiate connections that belong to the same asset | `string` | `"default"` | no | +| [aws\_rds\_oracle\_region](#input\_aws\_rds\_oracle\_region) | AWS region containing the instance. | `string` | `null` | no | +| [aws\_rds\_oracle\_username](#input\_aws\_rds\_oracle\_username) | Username to use to connect to Oracle database. | `string` | n/a | yes | +| [aws\_rds\_oracle\_wallet\_dir](#input\_aws\_rds\_oracle\_wallet\_dir) | Path to the Oracle wallet directory | `string` | `null` | no | +| [instance\_allocated\_storage](#input\_instance\_allocated\_storage) | The allocated storage in gibibytes. If max\_allocated\_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate\_source\_db is set, the value is ignored during the creation of the instance. | `number` | `20` | no | +| [instance\_apply\_immediately](#input\_instance\_apply\_immediately) | Specifies whether any database modifications are applied immediately, or during the next maintenance window. | `bool` | `true` | no | +| [instance\_db\_name](#input\_instance\_db\_name) | The Oracle System ID (SID) of the created RDS Custom DB instance. | `string` | `"ORCL"` | no | +| [instance\_deletion\_protection](#input\_instance\_deletion\_protection) | If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true. 
| `bool` | `false` | no | +| [instance\_enabled\_cloudwatch\_logs\_exports](#input\_instance\_enabled\_cloudwatch\_logs\_exports) | Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported. | `list(string)` | `null` | no | +| [instance\_engine\_version](#input\_instance\_engine\_version) | Database engine version, e.g. "8.0" | `string` | `null` | no | +| [instance\_final\_snapshot\_identifier](#input\_instance\_final\_snapshot\_identifier) | The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip\_final\_snapshot is set to false. | `string` | `null` | no | +| [instance\_identifier](#input\_instance\_identifier) | Identifier of RDS instance | `string` | n/a | yes | +| [instance\_instance\_class](#input\_instance\_instance\_class) | The instance type of the RDS instance. | `string` | `"db.t3.small"` | no | +| [instance\_max\_allocated\_storage](#input\_instance\_max\_allocated\_storage) | When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated\_storage. | `number` | `null` | no | +| [instance\_option\_group\_name](#input\_instance\_option\_group\_name) | Name of the option group to associate with the RDS instance. | `string` | `null` | no | +| [instance\_password](#input\_instance\_password) | Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file. | `string` | n/a | yes | +| [instance\_port](#input\_instance\_port) | The port on which the DB accepts connections. | `string` | `null` | no | +| [instance\_publicly\_accessible](#input\_instance\_publicly\_accessible) | Bool to control if instance is publicly accessible. | `bool` | `true` | no | +| [instance\_skip\_final\_snapshot](#input\_instance\_skip\_final\_snapshot) | Determines whether a final DB snapshot is created before the DB instance is deleted. 
If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final\_snapshot\_identifier. | `bool` | `true` | no | +| [instance\_subnet\_group\_name](#input\_instance\_subnet\_group\_name) | Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available. | `string` | n/a | yes | +| [instance\_tags](#input\_instance\_tags) | A map of tags to assign to the RDS instance. | `map(string)` | `null` | no | +| [instance\_username](#input\_instance\_username) | Username for the master DB user. | `string` | `"admin"` | no | +| [instance\_vpc\_security\_group\_ids](#input\_instance\_vpc\_security\_group\_ids) | List of VPC security groups to associate. | `list(string)` | `null` | no | +| [parameter\_group\_description](#input\_parameter\_group\_description) | The description of the DB parameter group. | `string` | `null` | no | +| [parameter\_group\_family](#input\_parameter\_group\_family) | The family of the DB parameter group. For example, 'oracle-ee', 'postgres', etc. | `string` | n/a | yes | +| [parameter\_group\_name](#input\_parameter\_group\_name) | The name of the DB parameter group. | `string` | `null` | no | +| [parameter\_group\_parameters](#input\_parameter\_group\_parameters) | List of objects containing parameters for the DB parameter group. |
list(
object({
name = string
apply_method = optional(string, "immediate")
value = any
})
)
|
[
{
"apply_method": "pending-reboot",
"name": "audit_trail",
"value": "DB,EXTENDED"
},
{
"apply_method": "pending-reboot",
"name": "audit_sys_operations",
"value": "TRUE"
}
]
| no | +| [parameter\_group\_tags](#input\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [aws-rds-oracle-asset](#output\_aws-rds-oracle-asset) | aws rds oracle asset | +| [oracle-instance](#output\_oracle-instance) | oracle instance | +| [oracle-parameter-group](#output\_oracle-parameter-group) | oracle parameter group | + \ No newline at end of file diff --git a/modules/onboard-aws-rds-oracle-unified/main.tf b/modules/onboard-aws-rds-oracle-unified/main.tf new file mode 100644 index 0000000..ae4e46e --- /dev/null +++ b/modules/onboard-aws-rds-oracle-unified/main.tf 
@@ -0,0 +1,56 @@
+module "oracle-parameter-group" {
+ source = "../aws-rds-parameter-group"
+
+ description = var.parameter_group_description
+ family = var.parameter_group_family
+ name = var.parameter_group_name
+ parameters = var.parameter_group_parameters
+ tags = var.parameter_group_tags
+}
+
+module "oracle-instance" {
+ source = "../aws-rds-instance"
+
+ allocated_storage = var.instance_allocated_storage
+ apply_immediately = var.instance_apply_immediately
+ db_name = var.instance_db_name
+ deletion_protection = var.instance_deletion_protection
+ enabled_cloudwatch_logs_exports = var.instance_enabled_cloudwatch_logs_exports
+ engine = "oracle-ee"
+ engine_version = var.instance_engine_version
+ final_snapshot_identifier = var.instance_final_snapshot_identifier
+ identifier = var.instance_identifier
+ instance_class = var.instance_instance_class
+ max_allocated_storage = var.instance_max_allocated_storage
+ option_group_name = var.instance_option_group_name
+ parameter_group_name = module.oracle-parameter-group.this.id
+ password = var.instance_password
+ port = var.instance_port
+ publicly_accessible = var.instance_publicly_accessible
+ skip_final_snapshot = var.instance_skip_final_snapshot
+ subnet_group_name = var.instance_subnet_group_name
+ tags = var.instance_tags
+ username = var.instance_username
+ vpc_security_group_ids = var.instance_vpc_security_group_ids
+}
+
+module "aws-rds-oracle-asset" {
+ source = "../dsfhub-aws-rds-oracle"
+
+ admin_email = var.aws_rds_oracle_admin_email
+ asset_display_name = module.oracle-instance.this.identifier
+ asset_id = module.oracle-instance.this.arn
+ audit_pull_enabled = var.aws_rds_oracle_audit_pull_enabled
+ audit_type = var.aws_rds_oracle_audit_type
+ auth_mechanism = var.aws_rds_oracle_auth_mechanism
+ dsn = var.aws_rds_oracle_dsn
+ gateway_id = var.aws_rds_oracle_gateway_id
+ password = var.aws_rds_oracle_password
+ reason = var.aws_rds_oracle_reason
+ region = var.aws_rds_oracle_region
+ server_host_name = 
module.oracle-instance.this.address
+ server_port = module.oracle-instance.this.port
+ service_name = module.oracle-instance.this.db_name
+ username = var.aws_rds_oracle_username
+ wallet_dir = var.aws_rds_oracle_wallet_dir
+}
diff --git a/modules/onboard-aws-rds-oracle-unified/outputs.tf b/modules/onboard-aws-rds-oracle-unified/outputs.tf
new file mode 100644
index 0000000..a0202c5
--- /dev/null
+++ b/modules/onboard-aws-rds-oracle-unified/outputs.tf
@@ -0,0 +1,14 @@
+output "oracle-parameter-group" {
+ description = "oracle parameter group"
+ value = module.oracle-parameter-group.this
+}
+
+output "oracle-instance" {
+ description = "oracle instance"
+ value = module.oracle-instance.this
+}
+
+output "aws-rds-oracle-asset" {
+ description = "aws rds oracle asset"
+ value = module.aws-rds-oracle-asset.this
+}
diff --git a/modules/onboard-aws-rds-oracle-unified/variables.tf b/modules/onboard-aws-rds-oracle-unified/variables.tf
new file mode 100644
index 0000000..783310f
--- /dev/null
+++ b/modules/onboard-aws-rds-oracle-unified/variables.tf
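Review bot: `password = var.aws_rds_oracle_password` is wired into the asset regardless of `auth_mechanism`, and the variable (declared at the top of the unified variables.tf hunk that follows, cut off at the end of this chunk) has no default, so a caller selecting `oracle_wallet` must still supply a password that is then stored on the asset. If the asset module accepts a null password, `default = null` on that variable decouples the two; otherwise the `auth_mechanism` description should say a password is required even for wallet auth. The variable's description also states "Must not include semicolons" but nothing enforces it, so a `validation` block with `condition = !can(regex(";", var.aws_rds_oracle_password))` would fail early instead of producing a broken connection string, and the variable should carry `sensitive = true` in either case.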
@@ -0,0 +1,226 @@ +variable "aws_rds_oracle_admin_email" { + description = "The email address to notify about this asset" + type = string +} + +variable "aws_rds_oracle_audit_pull_enabled" { + description = "If true, sonargateway will collect the audit logs for this system if it can." + type = bool + default = false +} + +variable "aws_rds_oracle_audit_type" { + description = "Used to indicate what mechanism should be used to fetch logs on systems supporting multiple ways to get logs, see asset specific documentation for details" + type = string + default = "UNIFIED" + validation { + condition = contains(["UNIFIED", "UNIFIED_AGGREGATED"], var.aws_rds_oracle_audit_type) + error_message = "Invalid Value. Select from UNIFIED, or UNIFIED_AGGREGATED." + } +} + +variable "aws_rds_oracle_auth_mechanism" { + description = "Specifies the auth mechanism used by the connection" + type = string + default = "password" + validation { + condition = contains(["password", "oracle_wallet"], var.aws_rds_oracle_auth_mechanism) + error_message = "Invalid auth mechanism. Pick either password, or oracle_wallet." + } +} + +variable "aws_rds_oracle_dsn" { + description = "Datasource name to use in odbc.ini. If using the asset for SDM, keep a dummy DSN value." + type = string + default = null +} + +variable "aws_rds_oracle_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the asset" + type = string +} + +variable "aws_rds_oracle_password" { + description = "Password to use to connect to Oracle database. Must not include semicolons." + type = string +} + +variable "aws_rds_oracle_reason" { + description = "Used to differentiate connections that belong to the same asset" + type = string + default = "default" +} + +variable "aws_rds_oracle_region" { + description = "AWS region containing the instance." + type = string + default = null +} + +variable "aws_rds_oracle_username" { + description = "Username to use to connect to Oracle database." 
+ type = string +} + +variable "aws_rds_oracle_wallet_dir" { + description = "Path to the Oracle wallet directory" + type = string + default = null +} + +variable "parameter_group_description" { + description = "The description of the DB parameter group." + type = string + default = null +} + +variable "parameter_group_family" { + description = "The family of the DB parameter group. For example, 'oracle-ee', 'postgres', etc." + type = string +} + +variable "parameter_group_name" { + description = "The name of the DB parameter group." + type = string + default = null +} + +variable "parameter_group_parameters" { + description = "List of objects containing parameters for the DB parameter group." + type = list( + object({ + name = string + apply_method = optional(string, "immediate") + value = any + }) + ) + default = [ + { + name = "audit_trail" + value = "DB,EXTENDED" + apply_method = "pending-reboot" + }, + { + name = "audit_sys_operations" + value = "TRUE" + apply_method = "pending-reboot" + } + ] +} + +variable "parameter_group_tags" { + description = "A map of tags to assign to the resource." + type = map(string) + default = null +} + +variable "instance_allocated_storage" { + description = "The allocated storage in gibibytes. If max_allocated_storage is configured, this argument represents the initial storage allocation and differences from the configuration will be ignored automatically when Storage Autoscaling occurs. If replicate_source_db is set, the value is ignored during the creation of the instance." + type = number + default = 20 +} + +variable "instance_apply_immediately" { + description = "Specifies whether any database modifications are applied immediately, or during the next maintenance window." + type = bool + default = true +} + +variable "instance_db_name" { + description = "The Oracle System ID (SID) of the created RDS Custom DB instance." 
+ type = string + default = "ORCL" +} + +variable "instance_subnet_group_name" { + description = "Name of DB subnet group. DB instance will be created in the VPC associated with the DB subnet group. If unspecified, will be created in the default VPC, or in EC2 Classic, if available." + type = string +} + +variable "instance_deletion_protection" { + description = "If the DB instance should have deletion protection enabled. The database can't be deleted when this value is set to true." + type = bool + default = false +} + +variable "instance_enabled_cloudwatch_logs_exports" { + description = "Set of log types to enable for exporting to CloudWatch logs. If omitted, no logs will be exported." + type = list(string) + default = null +} + +variable "instance_engine_version" { + description = "Database engine version, e.g. \"8.0\"" + type = string + default = null +} + +variable "instance_final_snapshot_identifier" { + description = "The name of your final DB snapshot when this DB instance is deleted. Must be provided if skip_final_snapshot is set to false." + type = string + default = null +} + +variable "instance_identifier" { + description = "Identifier of RDS instance" + type = string +} + +variable "instance_instance_class" { + description = "The instance type of the RDS instance." + type = string + default = "db.t3.small" +} + +variable "instance_max_allocated_storage" { + description = "When configured, the upper limit to which Amazon RDS can automatically scale the storage of the DB instance. Configuring this will automatically ignore differences to allocated_storage." + type = number + default = null +} + +variable "instance_option_group_name" { + description = "Name of the option group to associate with the RDS instance." + type = string + default = null +} + +variable "instance_password" { + description = "Password for the master DB user. Note that this may show up in logs, and it will be stored in the state file." 
+ type = string +} + +variable "instance_port" { + description = "The port on which the DB accepts connections." + type = string + default = null +} + +variable "instance_publicly_accessible" { + description = "Bool to control if instance is publicly accessible." + type = bool + default = true +} + +variable "instance_skip_final_snapshot" { + description = "Determines whether a final DB snapshot is created before the DB instance is deleted. If true is specified, no DBSnapshot is created. If false is specified, a DB snapshot is created before the DB instance is deleted, using the value from final_snapshot_identifier." + type = bool + default = true +} + +variable "instance_tags" { + description = "A map of tags to assign to the RDS instance." + type = map(string) + default = null +} + +variable "instance_username" { + description = "Username for the master DB user." + type = string + default = "admin" +} + +variable "instance_vpc_security_group_ids" { + description = "List of VPC security groups to associate." + type = list(string) + default = null +} diff --git a/modules/onboard-aws-redshift-odbc/README.md b/modules/onboard-aws-redshift-odbc/README.md new file mode 100644 index 0000000..33f038c --- /dev/null +++ b/modules/onboard-aws-redshift-odbc/README.md 
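Review bot: `instance_publicly_accessible` defaults to `true`, so the Oracle instance is created with a public endpoint unless the caller opts out, and with `instance_vpc_security_group_ids` defaulting to `null` the security group is left to whatever AWS assigns by default — that is the wrong safe default for a database being onboarded for audit; change it to `default = false`. Neither `instance_password` nor `aws_rds_oracle_password` is declared `sensitive = true`, so both appear in plan output and CI logs; add `sensitive = true` to each. Less critical: `instance_engine_version` documents an example of `"8.0"`, which is a MySQL version while `engine` is hard-coded to `oracle-ee` in main.tf; and `instance_deletion_protection = false` together with `instance_skip_final_snapshot = true` means `terraform destroy` drops the audited database with no snapshot, which the descriptions should call out.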
@@ -0,0 +1,71 @@ +# onboard-aws-redshift-odbc +Onboard Amazon Redshift (via ODBC) to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. A method to create an audit pull user on the Redshift cluster. + +See the corresponding example for more details. + + +## Requirements + +No requirements. + +## Providers + +No providers. + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [redshift-asset](#module\_redshift-asset) | ../dsfhub-aws-redshift-cluster | n/a | +| [redshift-cluster](#module\_redshift-cluster) | ../aws-redshift-cluster | n/a | + +## Resources + +No resources. + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_redshift\_admin\_email](#input\_aws\_redshift\_admin\_email) | The email address to notify about the Redshift asset | `string` | n/a | yes | +| [aws\_redshift\_audit\_pull\_enabled](#input\_aws\_redshift\_audit\_pull\_enabled) | A boolean that indicates if the asset should be audited. | `bool` | `false` | no | +| [aws\_redshift\_gateway\_id](#input\_aws\_redshift\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the Redshift asset | `string` | n/a | yes | +| [aws\_redshift\_parent\_asset\_id](#input\_aws\_redshift\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. Key-pair, iam\_role, profile or default | `string` | `null` | no | +| [aws\_redshift\_password](#input\_aws\_redshift\_password) | The password for the Redshift cluster. | `string` | n/a | yes | +| [aws\_redshift\_region](#input\_aws\_redshift\_region) | AWS region containing the Redshift cluster. | `string` | n/a | yes | +| [aws\_redshift\_ssl](#input\_aws\_redshift\_ssl) | Whether to use SSL for the connection. | `bool` | `null` | no | +| [aws\_redshift\_username](#input\_aws\_redshift\_username) | The username for the Redshift cluster. 
| `string` | n/a | yes | +| [redshift\_apply\_immediately](#input\_redshift\_apply\_immediately) | A boolean that indicates whether major version upgrades are applied immediately, regardless of the maintenance window. | `bool` | `true` | no | +| [redshift\_cluster\_identifier](#input\_redshift\_cluster\_identifier) | Identifier of the Redshift cluster. Must be a lower case string. | `string` | n/a | yes | +| [redshift\_cluster\_subnet\_group\_name](#input\_redshift\_cluster\_subnet\_group\_name) | The name of a cluster subnet group to be associated with this cluster. | `string` | `null` | no | +| [redshift\_cluster\_type](#input\_redshift\_cluster\_type) | The type of the cluster. Valid values: single-node \| multi-node. | `string` | `"single-node"` | no | +| [redshift\_cluster\_version](#input\_redshift\_cluster\_version) | The version of the Amazon Redshift engine software that you want to deploy on the cluster. | `string` | `"1.0"` | no | +| [redshift\_database\_name](#input\_redshift\_database\_name) | The name of the first database to be created when the cluster is created. | `string` | `"dev"` | no | +| [redshift\_default\_iam\_role\_arn](#input\_redshift\_default\_iam\_role\_arn) | The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created. | `string` | `null` | no | +| [redshift\_elastic\_ip](#input\_redshift\_elastic\_ip) | The Elastic IP (EIP) address for the cluster. | `string` | `null` | no | +| [redshift\_final\_snapshot\_identifier](#input\_redshift\_final\_snapshot\_identifier) | The identifier of the final snapshot that is to be created immediately before deleting the cluster. | `string` | `null` | no | +| [redshift\_iam\_roles](#input\_redshift\_iam\_roles) | A list of IAM roles to associate with the cluster. A maximum of 10 IAM roles can be associated to the cluster at any time. 
| `list(string)` | `null` | no | +| [redshift\_master\_password](#input\_redshift\_master\_password) | The password for the master database user. Must contain at least 8 characters and contain at least one uppercase letter, one lowercase letter, and one number. | `string` | n/a | yes | +| [redshift\_master\_username](#input\_redshift\_master\_username) | The username for the master database user. | `string` | `"admin"` | no | +| [redshift\_node\_type](#input\_redshift\_node\_type) | The node type to be provisioned for the cluster. | `string` | `"dc2.large"` | no | +| [redshift\_number\_of\_nodes](#input\_redshift\_number\_of\_nodes) | The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node. | `number` | `1` | no | +| [redshift\_port](#input\_redshift\_port) | The port number on which the cluster accepts incoming connections. Valid values are between 1115 and 65535 | `number` | `5439` | no | +| [redshift\_preferred\_maintenance\_window](#input\_redshift\_preferred\_maintenance\_window) | The weekly time range (in UTC) during which automated cluster maintenance can occur. | `string` | `null` | no | +| [redshift\_publicly\_accessible](#input\_redshift\_publicly\_accessible) | A boolean that indicates if the cluster is publicly accessible. If the value is true, the cluster can be accessed from a public network. | `bool` | `true` | no | +| [redshift\_skip\_final\_snapshot](#input\_redshift\_skip\_final\_snapshot) | A boolean that indicates whether a final snapshot is created before the cluster is deleted. | `bool` | `true` | no | +| [redshift\_snapshot\_cluster\_identifier](#input\_redshift\_snapshot\_cluster\_identifier) | The name of the cluster the source snapshot was created from. 
| `string` | `null` | no | +| [redshift\_snapshot\_identifier](#input\_redshift\_snapshot\_identifier) | The name of the snapshot from which to create the new cluster | `string` | `null` | no | +| [redshift\_tags](#input\_redshift\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [redshift\_vpc\_security\_group\_ids](#input\_redshift\_vpc\_security\_group\_ids) | A list of security group identifiers to associate with this cluster. | `list(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [redshift-asset](#output\_redshift-asset) | aws redshift asset | +| [redshift-cluster](#output\_redshift-cluster) | redshift cluster | + \ No newline at end of file diff --git a/modules/onboard-aws-redshift-odbc/main.tf b/modules/onboard-aws-redshift-odbc/main.tf new file mode 100644 index 0000000..15d5bb1 --- /dev/null +++ b/modules/onboard-aws-redshift-odbc/main.tf 
@@ -0,0 +1,49 @@
+module "redshift-cluster" {
+ source = "../aws-redshift-cluster"
+
+ apply_immediately = var.redshift_apply_immediately
+ cluster_identifier = var.redshift_cluster_identifier
+ cluster_subnet_group_name = var.redshift_cluster_subnet_group_name
+ cluster_type = var.redshift_cluster_type
+ cluster_version = var.redshift_cluster_version
+ database_name = var.redshift_database_name
+ default_iam_role_arn = var.redshift_default_iam_role_arn
+ elastic_ip = var.redshift_elastic_ip
+ final_snapshot_identifier = var.redshift_final_snapshot_identifier
+ iam_roles = var.redshift_iam_roles
+ master_password = var.redshift_master_password
+ master_username = var.redshift_master_username
+ node_type = var.redshift_node_type
+ number_of_nodes = var.redshift_number_of_nodes
+ port = var.redshift_port
+ preferred_maintenance_window = var.redshift_preferred_maintenance_window
+ publicly_accessible = var.redshift_publicly_accessible
+ skip_final_snapshot = var.redshift_skip_final_snapshot
+ snapshot_cluster_identifier = var.redshift_snapshot_cluster_identifier
+ snapshot_identifier = var.redshift_snapshot_identifier
+ vpc_security_group_ids = var.redshift_vpc_security_group_ids
+ tags = var.redshift_tags
+}
+
+module "redshift-asset" {
+ source = "../dsfhub-aws-redshift-cluster"
+
+ admin_email = var.aws_redshift_admin_email
+ asset_display_name = module.redshift-cluster.this.cluster_identifier
+ asset_id = module.redshift-cluster.this.arn
+ audit_pull_enabled = var.aws_redshift_audit_pull_enabled
+ audit_type = "TABLE"
+ database_name = module.redshift-cluster.this.database_name
+ gateway_id = var.aws_redshift_gateway_id
+ parent_asset_id = var.aws_redshift_parent_asset_id
+ region = var.aws_redshift_region
+ server_host_name = regex("(.*):", module.redshift-cluster.this.endpoint)[0]
+ server_ip = regex("(.*):", module.redshift-cluster.this.endpoint)[0]
+ server_port = module.redshift-cluster.this.port
+ service_name = module.redshift-cluster.this.database_name
+
+ auth_mechanism = "password"
+ username = var.aws_redshift_username
+ password = var.aws_redshift_password
+ ssl = var.aws_redshift_ssl
+}
diff --git a/modules/onboard-aws-redshift-odbc/output.tf b/modules/onboard-aws-redshift-odbc/output.tf
new file mode 100644
index 0000000..574d8f2
--- /dev/null
+++ b/modules/onboard-aws-redshift-odbc/output.tf
@@ -0,0 +1,9 @@
+output "redshift-cluster" {
+ description = "redshift cluster"
+ value = module.redshift-cluster.this
+}
+
+output "redshift-asset" {
+ description = "aws redshift asset"
+ value = module.redshift-asset.this
+}
diff --git a/modules/onboard-aws-redshift-odbc/variables.tf b/modules/onboard-aws-redshift-odbc/variables.tf
new file mode 100644
index 0000000..588ec45
--- /dev/null
+++ b/modules/onboard-aws-redshift-odbc/variables.tf
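Review bot: `server_ip` on `redshift-asset` is set to the same `regex("(.*):", module.redshift-cluster.this.endpoint)[0]` expression as `server_host_name`, i.e. the cluster's DNS name rather than an address; if the asset schema treats `server_ip` as an IP this is wrong, and if a hostname is acceptable a comment should say so, e.g. `# server_ip intentionally carries the endpoint hostname; Redshift endpoints are DNS names, not stable IPs`. Also, `ssl = var.aws_redshift_ssl` is passed through unset by default, so whether the gateway's ODBC session to the cluster is encrypted is left to the driver unless the caller remembers to set it. The `username`/`password` on this module are presumably the audit-pull user the README lists as a prerequisite rather than the master user; a one-line comment above `module "redshift-asset"` stating that would prevent operators from reusing `redshift_master_password` here.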
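Review bot: `output "redshift-cluster"` exports the whole `module.redshift-cluster.this` object; if that is the `aws_redshift_cluster` resource it includes `master_password`, which the AWS provider marks sensitive, so Terraform will reject the output until `sensitive = true` is added, and the password is then duplicated into the root state and outputs. Export only the attributes callers need (`arn`, `endpoint`, `port`, `cluster_identifier`) or add `sensitive = true` to the output. `redshift-asset` likely has the same issue through the asset `password`.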
@@ -0,0 +1,174 @@ +# AWS Redshift Cluster variables +variable "redshift_cluster_identifier" { + description = "Identifier of the Redshift cluster. Must be a lower case string." + type = string +} + +variable "redshift_database_name" { + description = "The name of the first database to be created when the cluster is created." + type = string + default = "dev" +} + +variable "redshift_default_iam_role_arn" { + description = "The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created." + type = string + default = null +} + +variable "redshift_node_type" { + description = "The node type to be provisioned for the cluster." + type = string + default = "dc2.large" +} + +variable "redshift_cluster_type" { + description = "The type of the cluster. Valid values: single-node | multi-node." + type = string + default = "single-node" +} + +variable "redshift_master_password" { + description = "The password for the master database user. Must contain at least 8 characters and contain at least one uppercase letter, one lowercase letter, and one number." + type = string +} + +variable "redshift_master_username" { + description = "The username for the master database user." + type = string + default = "admin" +} + +variable "redshift_vpc_security_group_ids" { + description = "A list of security group identifiers to associate with this cluster." + type = list(string) + default = null +} + +variable "redshift_cluster_subnet_group_name" { + description = "The name of a cluster subnet group to be associated with this cluster." + type = string + default = null +} + +variable "redshift_preferred_maintenance_window" { + description = "The weekly time range (in UTC) during which automated cluster maintenance can occur." + type = string + default = null +} + +variable "redshift_port" { + description = "The port number on which the cluster accepts incoming connections. 
Valid values are between 1115 and 65535" + type = number + default = 5439 +} + +variable "redshift_cluster_version" { + description = "The version of the Amazon Redshift engine software that you want to deploy on the cluster." + type = string + default = "1.0" +} + +variable "redshift_apply_immediately" { + description = "A boolean that indicates whether major version upgrades are applied immediately, regardless of the maintenance window." + type = bool + default = true +} + +variable "redshift_number_of_nodes" { + description = "The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node." + type = number + default = 1 +} + +variable "redshift_publicly_accessible" { + description = "A boolean that indicates if the cluster is publicly accessible. If the value is true, the cluster can be accessed from a public network." + type = bool + default = true +} + +variable "redshift_elastic_ip" { + description = "The Elastic IP (EIP) address for the cluster." + type = string + default = null +} + +variable "redshift_skip_final_snapshot" { + description = "A boolean that indicates whether a final snapshot is created before the cluster is deleted." + type = bool + default = true +} + +variable "redshift_final_snapshot_identifier" { + description = "The identifier of the final snapshot that is to be created immediately before deleting the cluster." + type = string + default = null +} + +variable "redshift_snapshot_identifier" { + description = "The name of the snapshot from which to create the new cluster" + type = string + default = null +} + +variable "redshift_snapshot_cluster_identifier" { + description = "The name of the cluster the source snapshot was created from." + type = string + default = null +} + +variable "redshift_iam_roles" { + description = "A list of IAM roles to associate with the cluster. A maximum of 10 IAM roles can be associated to the cluster at any time." 
+ type = list(string) + default = null +} + +variable "redshift_tags" { + description = "A map of tags to assign to the resource." + type = map(string) + default = null +} + +# AWS Redshift Asset variables +variable "aws_redshift_admin_email" { + description = "The email address to notify about the Redshift asset" + type = string +} + +variable "aws_redshift_audit_pull_enabled" { + description = "A boolean that indicates if the asset should be audited." + type = bool + default = false +} + +variable "aws_redshift_gateway_id" { + description = "Unique identifier (UID) attached to the jSonar machine controlling the Redshift asset" + type = string +} + +variable "aws_redshift_region" { + description = "AWS region containing the Redshift cluster." + type = string +} + +variable "aws_redshift_parent_asset_id" { + description = "The asset_id of AWS cloud account being used. E.g. Key-pair, iam_role, profile or default" + type = string + default = null +} + +variable "aws_redshift_username" { + description = "The username for the Redshift cluster." + type = string +} + +variable "aws_redshift_password" { + description = "The password for the Redshift cluster." + type = string +} + +variable "aws_redshift_ssl" { + description = "Whether to use SSL for the connection." + type = bool + default = null +} diff --git a/modules/onboard-aws-redshift-s3/README.md b/modules/onboard-aws-redshift-s3/README.md new file mode 100644 index 0000000..243885e --- /dev/null +++ b/modules/onboard-aws-redshift-s3/README.md 
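Review bot: `aws_redshift_ssl` defaults to `null`, so whether the gateway's connection to Redshift is encrypted depends on the driver default rather than on this module; for a session that carries the audit-pull credentials the safe default is `default = true`. `redshift_publicly_accessible` defaults to `true` while `redshift_vpc_security_group_ids` defaults to `null`, which exposes a freshly created cluster publicly unless the caller opts out — flip it to `default = false`. `redshift_master_password` and `aws_redshift_password` should both be declared `sensitive = true` so they are redacted from plan output and CI logs; with `redshift_skip_final_snapshot = true` as the default, the descriptions should also warn that destroy drops the cluster without a snapshot.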
@@ -0,0 +1,100 @@ +# onboard-aws-redshift-s3 +Onboard Amazon Redshift (via S3 Bucket) to DSF Hub. + +## Notes +There is one prerequisite for using this module: +1. An AWS cloud account asset onboarded to your DSF Hub with permissions to pull from S3 buckets. + + +## Requirements + +No requirements. + +## Providers + +| Name | Version | +|------|---------| +| [aws](#provider\_aws) | n/a | + +## Modules + +| Name | Source | Version | +|------|--------|---------| +| [redshift-asset](#module\_redshift-asset) | ../dsfhub-aws-redshift-cluster | n/a | +| [redshift-cluster](#module\_redshift-cluster) | ../aws-redshift-cluster | n/a | +| [redshift-logging](#module\_redshift-logging) | ../aws-redshift-logging | n/a | +| [redshift-parameter-group](#module\_redshift-parameter-group) | ../aws-redshift-parameter-group | n/a | +| [s3-bucket](#module\_s3-bucket) | ../aws-s3-bucket | n/a | +| [s3-bucket-asset](#module\_s3-bucket-asset) | ../dsfhub-aws-s3-bucket-la | n/a | +| [s3-bucket-policy](#module\_s3-bucket-policy) | ../aws-s3-bucket-policy | n/a | + +## Resources + +| Name | Type | +|------|------| +| [aws_iam_policy_document.s3_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source | + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [aws\_redshift\_admin\_email](#input\_aws\_redshift\_admin\_email) | The email address to notify about the Redshift asset | `string` | n/a | yes | +| [aws\_redshift\_audit\_pull\_enabled](#input\_aws\_redshift\_audit\_pull\_enabled) | A boolean that indicates if the asset should be audited. 
| `bool` | `true` | no | +| [aws\_redshift\_bucket\_account\_id](#input\_aws\_redshift\_bucket\_account\_id) | The account\_id of the bucket owner | `string` | n/a | yes | +| [aws\_redshift\_gateway\_id](#input\_aws\_redshift\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the Redshift asset | `string` | n/a | yes | +| [aws\_redshift\_parent\_asset\_id](#input\_aws\_redshift\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. Key-pair, iam\_role, profile or default | `string` | `null` | no | +| [aws\_redshift\_region](#input\_aws\_redshift\_region) | AWS region containing the Redshift cluster. | `string` | n/a | yes | +| [aws\_s3\_admin\_email](#input\_aws\_s3\_admin\_email) | The email address to notify about the S3 asset | `string` | n/a | yes | +| [aws\_s3\_asset\_display\_name](#input\_aws\_s3\_asset\_display\_name) | User-friendly name of the asset, defined by the user | `string` | n/a | yes | +| [aws\_s3\_audit\_pull\_enabled](#input\_aws\_s3\_audit\_pull\_enabled) | A boolean that indicates if the asset should be audited. | `bool` | `true` | no | +| [aws\_s3\_bucket\_account\_id](#input\_aws\_s3\_bucket\_account\_id) | The account\_id of the bucket owner | `string` | `null` | no | +| [aws\_s3\_gateway\_id](#input\_aws\_s3\_gateway\_id) | Unique identifier (UID) attached to the jSonar machine controlling the S3 asset | `string` | n/a | yes | +| [aws\_s3\_parent\_asset\_id](#input\_aws\_s3\_parent\_asset\_id) | The asset\_id of AWS cloud account being used. E.g. Key-pair, iam\_role, profile or default | `string` | n/a | yes | +| [aws\_s3\_region](#input\_aws\_s3\_region) | AWS region containing the S3 bucket. | `string` | n/a | yes | +| [aws\_s3\_server\_port](#input\_aws\_s3\_server\_port) | Port used by the source server. Default: 443 | `number` | `443` | no | +| [parameter\_group\_description](#input\_parameter\_group\_description) | The description of the Redshift parameter group. 
| `string` | `null` | no | +| [parameter\_group\_family](#input\_parameter\_group\_family) | The family of the Redshift parameter group. | `string` | `"redshift-1.0"` | no | +| [parameter\_group\_name](#input\_parameter\_group\_name) | The name of the Redshift parameter group. | `string` | n/a | yes | +| [parameter\_group\_parameters](#input\_parameter\_group\_parameters) | A list of Redshift parameters to apply. |
list(
object({
name = string
value = any
})
)
|
[
{
"name": "enable_user_activity_logging",
"value": "true"
}
]
| no | +| [parameter\_group\_tags](#input\_parameter\_group\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [redshift\_apply\_immediately](#input\_redshift\_apply\_immediately) | A boolean that indicates whether major version upgrades are applied immediately, regardless of the maintenance window. | `bool` | `true` | no | +| [redshift\_cluster\_identifier](#input\_redshift\_cluster\_identifier) | Identifier of the Redshift cluster. Must be a lower case string. | `string` | n/a | yes | +| [redshift\_cluster\_parameter\_group\_name](#input\_redshift\_cluster\_parameter\_group\_name) | The name of the parameter group to be associated with this cluster. | `string` | `null` | no | +| [redshift\_cluster\_subnet\_group\_name](#input\_redshift\_cluster\_subnet\_group\_name) | The name of a cluster subnet group to be associated with this cluster. | `string` | `null` | no | +| [redshift\_cluster\_type](#input\_redshift\_cluster\_type) | The type of the cluster. Valid values: single-node \| multi-node. | `string` | `"single-node"` | no | +| [redshift\_cluster\_version](#input\_redshift\_cluster\_version) | The version of the Amazon Redshift engine software that you want to deploy on the cluster. | `string` | `"1.0"` | no | +| [redshift\_database\_name](#input\_redshift\_database\_name) | The name of the first database to be created when the cluster is created. | `string` | `"dev"` | no | +| [redshift\_default\_iam\_role\_arn](#input\_redshift\_default\_iam\_role\_arn) | The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created. | `string` | `null` | no | +| [redshift\_elastic\_ip](#input\_redshift\_elastic\_ip) | The Elastic IP (EIP) address for the cluster. | `string` | `null` | no | +| [redshift\_final\_snapshot\_identifier](#input\_redshift\_final\_snapshot\_identifier) | The identifier of the final snapshot that is to be created immediately before deleting the cluster. 
| `string` | `null` | no | +| [redshift\_iam\_roles](#input\_redshift\_iam\_roles) | A list of IAM roles to associate with the cluster. A maximum of 10 IAM roles can be associated to the cluster at any time. | `list(string)` | `null` | no | +| [redshift\_master\_password](#input\_redshift\_master\_password) | The password for the master database user. Must contain at least 8 characters and contain at least one uppercase letter, one lowercase letter, and one number. | `string` | n/a | yes | +| [redshift\_master\_username](#input\_redshift\_master\_username) | The username for the master database user. | `string` | `"admin"` | no | +| [redshift\_node\_type](#input\_redshift\_node\_type) | The node type to be provisioned for the cluster. | `string` | `"dc2.large"` | no | +| [redshift\_number\_of\_nodes](#input\_redshift\_number\_of\_nodes) | The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node. | `number` | `1` | no | +| [redshift\_port](#input\_redshift\_port) | The port number on which the cluster accepts incoming connections. Valid values are between 1115 and 65535 | `number` | `5439` | no | +| [redshift\_preferred\_maintenance\_window](#input\_redshift\_preferred\_maintenance\_window) | The weekly time range (in UTC) during which automated cluster maintenance can occur. | `string` | `null` | no | +| [redshift\_publicly\_accessible](#input\_redshift\_publicly\_accessible) | A boolean that indicates if the cluster is publicly accessible. If the value is true, the cluster can be accessed from a public network. | `bool` | `true` | no | +| [redshift\_skip\_final\_snapshot](#input\_redshift\_skip\_final\_snapshot) | A boolean that indicates whether a final snapshot is created before the cluster is deleted. | `bool` | `true` | no | +| [redshift\_snapshot\_cluster\_identifier](#input\_redshift\_snapshot\_cluster\_identifier) | The name of the cluster the source snapshot was created from. 
| `string` | `null` | no | +| [redshift\_snapshot\_identifier](#input\_redshift\_snapshot\_identifier) | The name of the snapshot from which to create the new cluster | `string` | `null` | no | +| [redshift\_tags](#input\_redshift\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | +| [redshift\_vpc\_security\_group\_ids](#input\_redshift\_vpc\_security\_group\_ids) | A list of security group identifiers to associate with this cluster. | `list(string)` | `null` | no | +| [s3\_bucket](#input\_s3\_bucket) | The name of the bucket. Must be lowercase and less than or equal to 63 characters in length. | `string` | n/a | yes | +| [s3\_force\_destroy](#input\_s3\_force\_destroy) | A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the (aws terraform documentation)[https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy]. | `bool` | `false` | no | +| [s3\_object\_lock\_enabled](#input\_s3\_object\_lock\_enabled) | A boolean that indicates whether this bucket should have an Object Lock configuration enabled. | `bool` | `false` | no | +| [s3\_tags](#input\_s3\_tags) | A map of tags to assign to the resource. | `map(string)` | `null` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| [redshift-asset](#output\_redshift-asset) | aws redshift asset | +| [redshift-cluster](#output\_redshift-cluster) | redshift cluster | +| [redshift-logging](#output\_redshift-logging) | redshift logging configuration | +| [redshift-parameter-group](#output\_redshift-parameter-group) | redshift parameter group | +| [s3-bucket](#output\_s3-bucket) | s3 bucket | +| [s3-bucket-asset](#output\_s3-bucket-asset) | aws s3 bucket asset | +| [s3-bucket-policy](#output\_s3-bucket-policy) | s3 bucket policy | +| [s3\_policy](#output\_s3\_policy) | s3 iam policy | + \ No newline at end of file 
diff --git a/modules/onboard-aws-redshift-s3/main.tf b/modules/onboard-aws-redshift-s3/main.tf new file mode 100644 index 0000000..e392276 --- /dev/null +++ b/modules/onboard-aws-redshift-s3/main.tf 
@@ -0,0 +1,119 @@
+module "s3-bucket" {
+ source = "../aws-s3-bucket"
+
+ bucket = var.s3_bucket
+ force_destroy = var.s3_force_destroy
+ object_lock_enabled = var.s3_object_lock_enabled
+ tags = var.s3_tags
+}
+
+data "aws_iam_policy_document" "s3_policy" {
+ statement {
+ effect = "Allow"
+ principals {
+ type = "Service"
+ identifiers = ["redshift.amazonaws.com"]
+ }
+ actions = [
+ "s3:PutObject",
+ "s3:GetBucketAcl"
+ ]
+ resources = [
+ "arn:aws:s3:::${module.s3-bucket.this.bucket}",
+ "arn:aws:s3:::${module.s3-bucket.this.bucket}/*"
+ ]
+ }
+
+}
+
+module "s3-bucket-policy" {
+ source = "../aws-s3-bucket-policy"
+
+ bucket = module.s3-bucket.this.bucket
+ policy = data.aws_iam_policy_document.s3_policy.json
+}
+
+module "redshift-parameter-group" {
+ source = "../aws-redshift-parameter-group"
+
+ description = var.parameter_group_description
+ family = var.parameter_group_family
+ name = var.parameter_group_name
+ parameters = var.parameter_group_parameters
+ tags = var.parameter_group_tags
+}
+
+module "redshift-logging" {
+ source = "../aws-redshift-logging"
+
+ depends_on = [module.s3-bucket-policy]
+
+ bucket_name = module.s3-bucket.this.bucket
+ cluster_identifier = module.redshift-cluster.this.cluster_identifier
+ log_destination_type = "s3"
+ s3_key_prefix = "redshift"
+}
+
+module "redshift-cluster" {
+ source = "../aws-redshift-cluster"
+
+ apply_immediately = var.redshift_apply_immediately
+ cluster_identifier = var.redshift_cluster_identifier
+ cluster_parameter_group_name = module.redshift-parameter-group.this.name
+ cluster_subnet_group_name = var.redshift_cluster_subnet_group_name
+ cluster_type = var.redshift_cluster_type
+ cluster_version = var.redshift_cluster_version
+ database_name = var.redshift_database_name
+ default_iam_role_arn = var.redshift_default_iam_role_arn
+ elastic_ip = var.redshift_elastic_ip
+ final_snapshot_identifier = var.redshift_final_snapshot_identifier
+ iam_roles = var.redshift_iam_roles
+ master_password = 
var.redshift_master_password
+ master_username = var.redshift_master_username
+ node_type = var.redshift_node_type
+ number_of_nodes = var.redshift_number_of_nodes
+ port = var.redshift_port
+ preferred_maintenance_window = var.redshift_preferred_maintenance_window
+ publicly_accessible = var.redshift_publicly_accessible
+ skip_final_snapshot = var.redshift_skip_final_snapshot
+ snapshot_cluster_identifier = var.redshift_snapshot_cluster_identifier
+ snapshot_identifier = var.redshift_snapshot_identifier
+ vpc_security_group_ids = var.redshift_vpc_security_group_ids
+ tags = var.redshift_tags
+}
+
+module "redshift-asset" {
+ source = "../dsfhub-aws-redshift-cluster"
+
+ admin_email = var.aws_redshift_admin_email
+ asset_display_name = module.redshift-cluster.this.cluster_identifier
+ asset_id = module.redshift-cluster.this.arn
+ audit_pull_enabled = var.aws_redshift_audit_pull_enabled
+ audit_type = "REDSHIFT"
+ bucket_account_id = var.aws_redshift_bucket_account_id
+ database_name = module.redshift-cluster.this.database_name
+ gateway_id = var.aws_redshift_gateway_id
+ logs_destination_asset_id = module.s3-bucket-asset.this.asset_id
+ parent_asset_id = var.aws_redshift_parent_asset_id
+ region = var.aws_redshift_region
+ server_host_name = regex("(.*):", module.redshift-cluster.this.endpoint)[0]
+ server_ip = regex("(.*):", module.redshift-cluster.this.endpoint)[0]
+ server_port = module.redshift-cluster.this.port
+}
+
+module "s3-bucket-asset" {
+ source = "../dsfhub-aws-s3-bucket-la"
+
+ admin_email = var.aws_s3_admin_email
+ asset_display_name = var.aws_s3_asset_display_name
+ asset_id = module.s3-bucket.this.arn
+ audit_pull_enabled = var.aws_s3_audit_pull_enabled
+ audit_type = "REDSHIFT"
+ bucket_account_id = var.aws_s3_bucket_account_id
+ gateway_id = var.aws_s3_gateway_id
+ parent_asset_id = var.aws_s3_parent_asset_id
+ region = var.aws_s3_region
+ server_host_name = module.s3-bucket.this.id
+ server_ip = module.s3-bucket.this.arn
+ server_port = 
var.aws_s3_server_port
+}
diff --git a/modules/onboard-aws-redshift-s3/output.tf b/modules/onboard-aws-redshift-s3/output.tf
new file mode 100644
index 0000000..c396e59
--- /dev/null
+++ b/modules/onboard-aws-redshift-s3/output.tf
@@ -0,0 +1,39 @@
+output "s3-bucket" {
+ description = "s3 bucket"
+ value = module.redshift-cluster.this
+}
+
+output "s3_policy" {
+ description = "s3 iam policy"
+ value = data.aws_iam_policy_document.s3_policy.json
+}
+
+output "s3-bucket-policy" {
+ description = "s3 bucket policy"
+ value = module.s3-bucket-policy.this
+}
+
+output "redshift-parameter-group" {
+ description = "redshift parameter group"
+ value = module.redshift-parameter-group.this
+}
+
+output "redshift-logging" {
+ description = "redshift logging configuration"
+ value = module.redshift-logging.this
+}
+
+output "redshift-cluster" {
+ description = "redshift cluster"
+ value = module.redshift-cluster.this
+}
+
+output "redshift-asset" {
+ description = "aws redshift asset"
+ value = module.redshift-asset.this
+}
+
+output "s3-bucket-asset" {
+ description = "aws s3 bucket asset"
+ value = module.s3-bucket-asset.this
+}
diff --git a/modules/onboard-aws-redshift-s3/variables.tf b/modules/onboard-aws-redshift-s3/variables.tf
new file mode 100644
index 0000000..a2229f4
--- /dev/null
+++ b/modules/onboard-aws-redshift-s3/variables.tf
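Review bot: The bucket policy built in `data "aws_iam_policy_document" "s3_policy"` grants `s3:PutObject` and `s3:GetBucketAcl` to the `redshift.amazonaws.com` service principal with no `aws:SourceAccount` or `aws:SourceArn` condition, so the grant is not limited to clusters in this account — the cross-service confused-deputy pattern that AWS's Redshift audit-logging guidance closes with exactly those condition keys. Scoping the statement to the calling account takes a few lines, sketched below; `data "aws_caller_identity" "current"` is not declared anywhere on this page and would need adding alongside it. Separately, `module "redshift-asset"` sets `server_ip` to the same `regex("(.*):", …)[0]` hostname as `server_host_name`, which reads like a placeholder rather than an address; if the DSF asset schema accepts a hostname there, a comment saying so would save the next reader the question.
```hcl
data "aws_caller_identity" "current" {}

data "aws_iam_policy_document" "s3_policy" {
  statement {
    # … unchanged: effect, principals, actions, resources …
    condition {
      test     = "StringEquals"
      variable = "aws:SourceAccount"
      values   = [data.aws_caller_identity.current.account_id]
    }
  }
}
```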
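Review bot: `output "s3-bucket"` is described as "s3 bucket" but its value is `module.redshift-cluster.this`, the same object `output "redshift-cluster"` already exposes; it should read `value = module.s3-bucket.this`. Also, exporting the whole `module.redshift-cluster.this` object presumably carries the cluster's master password attribute; if `../aws-redshift-cluster` passes the resource through unchanged, Terraform will refuse the output unless it is marked `sensitive = true`, so confirm what that module's `this` output contains before merging.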
@@ -0,0 +1,274 @@
+# AWS S3 Bucket variables
+variable "s3_bucket" {
+ description = "The name of the bucket. Must be lowercase and less than or equal to 63 characters in length."
+ type = string
+}
+
+variable "s3_force_destroy" {
+ description = "A boolean that indicates all objects should be deleted from the bucket when the bucket is destroyed so that the bucket can be destroyed without error. See more details in the (aws terraform documentation)[https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/s3_bucket#force_destroy]."
+ type = bool
+ default = false
+}
+
+variable "s3_object_lock_enabled" {
+ description = "A boolean that indicates whether this bucket should have an Object Lock configuration enabled."
+ type = bool
+ default = false
+}
+
+variable "s3_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+# AWS Redshift Parameter Group variables
+variable "parameter_group_description" {
+ description = "The description of the Redshift parameter group."
+ type = string
+ default = null
+}
+
+variable "parameter_group_family" {
+ description = "The family of the Redshift parameter group."
+ type = string
+ default = "redshift-1.0"
+}
+
+variable "parameter_group_name" {
+ description = "The name of the Redshift parameter group."
+ type = string
+}
+
+variable "parameter_group_parameters" {
+ description = "A list of Redshift parameters to apply."
+ type = list(
+ object({
+ name = string
+ value = any
+ })
+ )
+ default = [{
+ name = "enable_user_activity_logging"
+ value = "true"
+ }]
+}
+
+variable "parameter_group_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+# AWS Redshift Cluster variables
+variable "redshift_cluster_identifier" {
+ description = "Identifier of the Redshift cluster. Must be a lower case string."
+ type = string
+}
+
+variable "redshift_database_name" {
+ description = "The name of the first database to be created when the cluster is created."
+ type = string
+ default = "dev"
+}
+
+variable "redshift_default_iam_role_arn" {
+ description = "The Amazon Resource Name (ARN) for the IAM role that was set as default for the cluster when the cluster was created."
+ type = string
+ default = null
+}
+
+variable "redshift_node_type" {
+ description = "The node type to be provisioned for the cluster."
+ type = string
+ default = "dc2.large"
+}
+
+variable "redshift_cluster_type" {
+ description = "The type of the cluster. Valid values: single-node | multi-node."
+ type = string
+ default = "single-node"
+}
+
+variable "redshift_master_password" {
+ description = "The password for the master database user. Must contain at least 8 characters and contain at least one uppercase letter, one lowercase letter, and one number."
+ type = string
+}
+
+variable "redshift_master_username" {
+ description = "The username for the master database user."
+ type = string
+ default = "admin"
+}
+
+variable "redshift_vpc_security_group_ids" {
+ description = "A list of security group identifiers to associate with this cluster."
+ type = list(string)
+ default = null
+}
+
+variable "redshift_cluster_subnet_group_name" {
+ description = "The name of a cluster subnet group to be associated with this cluster."
+ type = string
+ default = null
+}
+
+variable "redshift_preferred_maintenance_window" {
+ description = "The weekly time range (in UTC) during which automated cluster maintenance can occur."
+ type = string
+ default = null
+}
+
+variable "redshift_cluster_parameter_group_name" {
+ description = "The name of the parameter group to be associated with this cluster."
+ type = string
+ default = null
+}
+
+variable "redshift_port" {
+ description = "The port number on which the cluster accepts incoming connections. 
Valid values are between 1115 and 65535"
+ type = number
+ default = 5439
+}
+
+variable "redshift_cluster_version" {
+ description = "The version of the Amazon Redshift engine software that you want to deploy on the cluster."
+ type = string
+ default = "1.0"
+}
+
+variable "redshift_apply_immediately" {
+ description = "A boolean that indicates whether major version upgrades are applied immediately, regardless of the maintenance window."
+ type = bool
+ default = true
+}
+
+variable "redshift_number_of_nodes" {
+ description = "The number of compute nodes in the cluster. This parameter is required when the ClusterType parameter is specified as multi-node."
+ type = number
+ default = 1
+}
+
+variable "redshift_publicly_accessible" {
+ description = "A boolean that indicates if the cluster is publicly accessible. If the value is true, the cluster can be accessed from a public network."
+ type = bool
+ default = true
+}
+
+variable "redshift_elastic_ip" {
+ description = "The Elastic IP (EIP) address for the cluster."
+ type = string
+ default = null
+}
+
+variable "redshift_skip_final_snapshot" {
+ description = "A boolean that indicates whether a final snapshot is created before the cluster is deleted."
+ type = bool
+ default = true
+}
+
+variable "redshift_final_snapshot_identifier" {
+ description = "The identifier of the final snapshot that is to be created immediately before deleting the cluster."
+ type = string
+ default = null
+}
+
+variable "redshift_snapshot_identifier" {
+ description = "The name of the snapshot from which to create the new cluster"
+ type = string
+ default = null
+}
+
+variable "redshift_snapshot_cluster_identifier" {
+ description = "The name of the cluster the source snapshot was created from."
+ type = string
+ default = null
+}
+
+variable "redshift_iam_roles" {
+ description = "A list of IAM roles to associate with the cluster. A maximum of 10 IAM roles can be associated to the cluster at any time."
+ type = list(string)
+ default = null
+}
+
+variable "redshift_tags" {
+ description = "A map of tags to assign to the resource."
+ type = map(string)
+ default = null
+}
+
+# AWS Redshift Asset variables
+variable "aws_redshift_admin_email" {
+ description = "The email address to notify about the Redshift asset"
+ type = string
+}
+
+variable "aws_redshift_audit_pull_enabled" {
+ description = "A boolean that indicates if the asset should be audited."
+ type = bool
+ default = true
+}
+
+variable "aws_redshift_bucket_account_id" {
+ description = "The account_id of the bucket owner"
+ type = string
+}
+
+variable "aws_redshift_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the Redshift asset"
+ type = string
+}
+
+variable "aws_redshift_parent_asset_id" {
+ description = "The asset_id of AWS cloud account being used. E.g. Key-pair, iam_role, profile or default"
+ type = string
+ default = null
+}
+
+variable "aws_redshift_region" {
+ description = "AWS region containing the Redshift cluster."
+ type = string
+}
+
+# AWS S3 Asset variables
+variable "aws_s3_admin_email" {
+ description = "The email address to notify about the S3 asset"
+ type = string
+}
+variable "aws_s3_asset_display_name" {
+ description = "User-friendly name of the asset, defined by the user"
+ type = string
+}
+
+variable "aws_s3_audit_pull_enabled" {
+ description = "A boolean that indicates if the asset should be audited."
+ type = bool
+ default = true
+}
+
+variable "aws_s3_bucket_account_id" {
+ description = "The account_id of the bucket owner"
+ type = string
+ default = null
+}
+
+variable "aws_s3_gateway_id" {
+ description = "Unique identifier (UID) attached to the jSonar machine controlling the S3 asset"
+ type = string
+}
+
+variable "aws_s3_parent_asset_id" {
+ description = "The asset_id of AWS cloud account being used. E.g. 
Key-pair, iam_role, profile or default"
+ type = string
+}
+
+variable "aws_s3_server_port" {
+ description = "Port used by the source server. Default: 443"
+ type = number
+ default = 443
+}
+
+variable "aws_s3_region" {
+ description = "AWS region containing the S3 bucket."
+ type = string
+}
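Review bot: `variable "redshift_master_password"` holds a credential but is not marked sensitive, so its value is printed in plain text in `terraform plan` output and in CI logs such as the validate job this commit also touches; add `sensitive = true` to the block. `redshift_publicly_accessible` defaults to `true`, which opens the cluster endpoint to a public network unless every caller remembers to override it — `default = false` is the safer baseline and callers can opt in. `redshift_cluster_parameter_group_name` is declared here but `main.tf` in this commit wires the cluster to `module.redshift-parameter-group.this.name`, so the variable is never read; either pass it through or drop it.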