AWS DynamoDB modules

CHANGELOG.md

@@ -1,5 +1,11 @@
 # Changelog
 
+## 1.0.4 (2024-07-25)
+
+### Features
+- Amazon DynamoDB via CloudWatch module
+- Amazon DynamoDB via S3 Bucket module
+
 ## 1.0.3 (2024-07-22)
 
 ### Features

DSF_VERSION_COMPATABILITY.md

@@ -11,6 +11,14 @@ The following table lists the DSF versions that each module is tested and mainta
       <td>onboard-aws-docdb-cluster</td>
       <td>4.17+</td>
    </tr>
+   <tr>
+      <td>onboard-aws-dynamodb-cloudwatch</td>
+      <td>4.16+</td>
+   </tr>
+   <tr>
+      <td>onboard-aws-dynamodb-s3</td>
+      <td>4.17+</td>
+   </tr>
    <tr>
       <td>onboard-aws-rds-neptune</td>
       <td>4.17+</td>

examples/dsfhub-aws-cloud-account/README.md

@@ -1,3 +1,16 @@
+# AWS Cloud Account Asset
+
+This example covers the various authentication mechanisms that are supported for AWS cloud account assets. This includes the following:
+
+| Auth Mechanism | Notes |
+|----------------|-------|
+| default | DSF uses the IAM role attached to the EC2 instance metadata. If there is no IAM role attached, DSF will look for a profile name called ``default`` in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. |
+| iam_role | The DSF machine (either Hub or Agentless Gateway) will assume the role specified in the ``arn`` field. Only supported for DSF machines that are EC2 instances. |
+| key | Uses ``aws_access_key`` and ``aws_secret_key`` to authenticate with the given IAM user access keys. |
+| profile | Uses an AWS profile specified in the ``profile_name`` field and defined in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | 
+
+More information can be found in the [AWS Asset Specifications](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/AWS-Asset-Specifications_35815635.html).
+
 <!-- BEGIN_TF_DOCS -->
 ## Requirements
 

examples/onboard-aws-dynamodb-cloudwatch/README.md

@@ -0,0 +1,53 @@
+# Onboard Amazon DynamoDB via CloudWatch
+This example will cover the ways to onboard Amazon DynamoDB via CloudWatch, including the various authentication mechanisms that are supported to authenticate to AWS and access the audit logs. This includes the following:
+
+| Auth Mechanism | Notes |
+|----------------|-------|
+| default | DSF uses the IAM role attached to the EC2 instance metadata. If there is no IAM role attached, DSF will look for a profile name called ``default`` in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. |
+| iam_role | The DSF machine (either Hub or Agentless Gateway) will assume the role specified in the ``aws_dynamodb_iam_role_name`` field. Only supported for DSF machines that are EC2 instances. |
+| key | Uses ``aws_dynamodb_access_id`` and ``aws_secret_key`` to authenticate with the given IAM user access keys. |
+| profile | Uses an AWS profile specified in the ``aws_dynamodb_profile_name`` field and defined in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | 
+
+
+More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-DynamoDB-Onboarding-Steps_48366959.html).
+
+This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation:
+- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs)
+
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_dynamodb-1"></a> [dynamodb-1](#module\_dynamodb-1) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a |
+| <a name="module_dynamodb-2"></a> [dynamodb-2](#module\_dynamodb-2) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a |
+| <a name="module_dynamodb-3"></a> [dynamodb-3](#module\_dynamodb-3) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a |
+| <a name="module_dynamodb-4"></a> [dynamodb-4](#module\_dynamodb-4) | ../../modules/onboard-aws-dynamodb-cloudwatch | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_dynamodb_access_id"></a> [aws\_dynamodb\_access\_id](#input\_aws\_dynamodb\_access\_id) | n/a | `any` | n/a | yes |
+| <a name="input_aws_dynamodb_secret_key"></a> [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | n/a | `any` | n/a | yes |
+| <a name="input_dsfhub_host"></a> [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes |
+| <a name="input_dsfhub_token"></a> [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->

examples/onboard-aws-dynamodb-cloudwatch/main.tf

@@ -0,0 +1,132 @@
+locals {
+  aws_region  = "us-east-2"
+  admin_email = "[email protected]"
+  gateway_id  = "a1b2c3d4-1234-5678-9123-cd1edcef7642"
+}
+
+################################################################################
+# Providers
+################################################################################
+terraform {
+  required_providers {
+    dsfhub = {
+      source = "imperva/dsfhub"
+    }
+  }
+}
+
+provider "aws" {
+  region = local.aws_region
+}
+
+variable "dsfhub_host" {}  # TF_VAR_dsfhub_host env variable
+variable "dsfhub_token" {} # TF_VAR_dsfhub_token env variable
+
+provider "dsfhub" {
+  dsfhub_host  = var.dsfhub_host
+  dsfhub_token = var.dsfhub_token
+}
+
+################################################################################
+# AWS DynamoDB - default auth_mechanism
+################################################################################
+module "dynamodb-1" {
+  source = "../../modules/onboard-aws-dynamodb-cloudwatch"
+
+  aws_dynamodb_admin_email    = local.admin_email
+  aws_dynamodb_auth_mechanism = "default"
+  aws_dynamodb_gateway_id     = local.gateway_id
+
+  aws_log_group_admin_email        = local.admin_email
+  aws_log_group_audit_pull_enabled = true
+  aws_log_group_gateway_id         = local.gateway_id
+  aws_log_group_reason             = "default"
+
+  cloudtrail_name = "tf-dynamodb-cloudtrail"
+
+  eventbridge_rule_name = "tf-dynamodb-eventbridge-rule"
+
+  log_group_name = "tf-dynamodb-log-group"
+
+  s3_bucket_name = "tf-dynamodb-bucket"
+}
+
+################################################################################
+# AWS DynamoDB - iam_role auth_mechanism
+################################################################################
+module "dynamodb-2" {
+  source = "../../modules/onboard-aws-dynamodb-cloudwatch"
+
+  aws_dynamodb_admin_email    = local.admin_email
+  aws_dynamodb_auth_mechanism = "iam_role"
+  aws_dynamodb_gateway_id     = local.gateway_id
+  aws_dynamodb_iam_role_name  = "arn:aws:iam::0123456789:role/my-example-role"
+
+  aws_log_group_admin_email        = local.admin_email
+  aws_log_group_audit_pull_enabled = true
+  aws_log_group_gateway_id         = local.gateway_id
+  aws_log_group_reason             = "default"
+
+  cloudtrail_name = "tf-dynamodb-cloudtrail"
+
+  eventbridge_rule_name = "tf-dynamodb-eventbridge-rule"
+
+  log_group_name = "tf-dynamodb-log-group"
+
+  s3_bucket_name = "tf-dynamodb-bucket"
+}
+
+################################################################################
+# AWS DynamoDB - key auth_mechanism
+################################################################################
+# Source AWS key pair from environment variables
+variable "aws_dynamodb_access_id" {}  # env var: TF_VAR_aws_dynamodb_access_id
+variable "aws_dynamodb_secret_key" {} # env var: TF_VAR_aws_dynamodb_secret_key
+
+module "dynamodb-3" {
+  source = "../../modules/onboard-aws-dynamodb-cloudwatch"
+
+  aws_dynamodb_admin_email    = local.admin_email
+  aws_dynamodb_auth_mechanism = "key"
+  aws_dynamodb_gateway_id     = local.gateway_id
+  aws_dynamodb_access_id      = var.aws_dynamodb_access_id
+  aws_dynamodb_secret_key     = var.aws_dynamodb_secret_key
+
+  aws_log_group_admin_email        = local.admin_email
+  aws_log_group_audit_pull_enabled = true
+  aws_log_group_gateway_id         = local.gateway_id
+  aws_log_group_reason             = "default"
+
+  cloudtrail_name = "tf-dynamodb-cloudtrail"
+
+  eventbridge_rule_name = "tf-dynamodb-eventbridge-rule"
+
+  log_group_name = "tf-dynamodb-log-group"
+
+  s3_bucket_name = "tf-dynamodb-bucket"
+}
+
+################################################################################
+# AWS DynamoDB - profile auth_mechanism
+################################################################################
+module "dynamodb-4" {
+  source = "../../modules/onboard-aws-dynamodb-cloudwatch"
+
+  aws_dynamodb_admin_email    = local.admin_email
+  aws_dynamodb_auth_mechanism = "profile"
+  aws_dynamodb_gateway_id     = local.gateway_id
+  aws_dynamodb_profile_name   = "my-profile"
+
+  aws_log_group_admin_email        = local.admin_email
+  aws_log_group_audit_pull_enabled = true
+  aws_log_group_gateway_id         = local.gateway_id
+  aws_log_group_reason             = "default"
+
+  cloudtrail_name = "tf-dynamodb-cloudtrail"
+
+  eventbridge_rule_name = "tf-dynamodb-eventbridge-rule"
+
+  log_group_name = "tf-dynamodb-log-group"
+
+  s3_bucket_name = "tf-dynamodb-bucket"
+}

examples/onboard-aws-dynamodb-s3/README.md

@@ -0,0 +1,52 @@
+# Onboard Amazon DynamoDB via S3 Bucket
+This example will cover the ways to onboard Amazon DynamoDB via S3, including the various authentication mechanisms that are supported to authenticate to AWS and access the audit logs. This includes the following:
+
+| Auth Mechanism | Notes |
+|----------------|-------|
+| default | DSF uses the IAM role attached to the EC2 instance metadata. If there is no IAM role attached, DSF will look for a profile name called ``default`` in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. |
+| iam_role | The DSF machine (either Hub or Agentless Gateway) will assume the role specified in the ``aws_dynamodb_iam_role_name`` field. Only supported for DSF machines that are EC2 instances. |
+| key | Uses ``aws_dynamodb_access_id`` and ``aws_secret_key`` to authenticate with the given IAM user access keys. |
+| profile | Uses an AWS profile specified in the ``aws_dynamodb_profile_name`` field and defined in the AWS credentials file located at ``${JSONAR_LOCALDIR}/credentials/.aws/credentials``. | 
+
+
+More details can be found in the [onboarding documentation](https://docs.imperva.com/bundle/onboarding-databases-to-sonar-reference-guide/page/Amazon-DynamoDB-via-S3-Onboarding-Steps_152764418.html).
+
+This example creates both 'aws' and 'dsfhub' resources. More information regarding authentication to each can be found in the relevant provider documentation:
+- [aws](https://registry.terraform.io/providers/hashicorp/aws/latest/docs)
+- [dsfhub](https://registry.terraform.io/providers/imperva/dsfhub/latest/docs)
+
+<!-- BEGIN_TF_DOCS -->
+## Requirements
+
+No requirements.
+
+## Providers
+
+No providers.
+
+## Modules
+
+| Name | Source | Version |
+|------|--------|---------|
+| <a name="module_dynamodb-1"></a> [dynamodb-1](#module\_dynamodb-1) | ../../modules/onboard-aws-dynamodb-s3 | n/a |
+| <a name="module_dynamodb-2"></a> [dynamodb-2](#module\_dynamodb-2) | ../../modules/onboard-aws-dynamodb-s3 | n/a |
+| <a name="module_dynamodb-3"></a> [dynamodb-3](#module\_dynamodb-3) | ../../modules/onboard-aws-dynamodb-s3 | n/a |
+| <a name="module_dynamodb-4"></a> [dynamodb-4](#module\_dynamodb-4) | ../../modules/onboard-aws-dynamodb-s3 | n/a |
+
+## Resources
+
+No resources.
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_aws_dynamodb_access_id"></a> [aws\_dynamodb\_access\_id](#input\_aws\_dynamodb\_access\_id) | n/a | `any` | n/a | yes |
+| <a name="input_aws_dynamodb_secret_key"></a> [aws\_dynamodb\_secret\_key](#input\_aws\_dynamodb\_secret\_key) | n/a | `any` | n/a | yes |
+| <a name="input_dsfhub_host"></a> [dsfhub\_host](#input\_dsfhub\_host) | n/a | `any` | n/a | yes |
+| <a name="input_dsfhub_token"></a> [dsfhub\_token](#input\_dsfhub\_token) | n/a | `any` | n/a | yes |
+
+## Outputs
+
+No outputs.
+<!-- END_TF_DOCS -->