Terraform module which creates a nessus server in AWS from Tenable's AMI for use with Tenable.io or Tenable.sc. You will need to go to the AWS Marketplace and subscribe to the (Pre-Authorized or BYOL) image prior to building with Terraform.
You will need to set the variable license_type to one of the following:
- preauth: If you are deploying a preauth server with Tenable.io
- byol: If you are using a BYOL license with Tenable.io
- byol-sc: If you are using a BYOL license with Tenable.sc
module "nessus" {
source = "AustinCloudGuru/nessus-appliance/aws"
# You should pin the module to a specific version
# version = "x.x.x"
name = "nessus"
license_type = "byol"
vpc_id = "vpc-0156c7c6959ba5858"
subnet_ids = ["subnet-05b1a3ffd786709d5", "subnet-0a35212c972a2af05", "subnet-0d0e78f696428aa28"]
instance_type = "m5.xlarge"
nessus_key = "dloiijfhqoiewrubfoqieuurbfcpoiqweunrcopiqeuhnrfpoiu13ehrwft"
security_group_ingress = {
default = {
description = "NFS Inbound"
from_port = 8834
protocol = "tcp"
to_port = 8834
self = true
cidr_blocks = []
},
ssh = {
description = "ssh"
from_port = 22
protocol = "tcp"
to_port = 22
self = true
cidr_blocks = []
}
}
nessus_key = "dloiijfhqoiewrubfoqieuurbfcpoiqweunrcopiqeuhnrfpoiu13ehrwft"
tags = {
Terraform = "true"
Environment = "development"
}
}This module can be used for deploying to Tenable.sc via the byol-sc license type. Credentials are set via the nessus_credentials variable. By default, the variable creates two new shell variables in the user_data script called NESSUS_USER and NESSUS_PASS. This is not secure since the variables will be visible in the Edit user_data section of the console. For a more secure solution, you should pull the credentials from a secure location (S3, AWS Secrets Manager, Hashicorp Vault, etc) and set the variables. For example, with Hashicorp Vault, you could define the nessus_credentials variable like this:
nessus_credentials = <<EOF
## Get Vault Token
VAULT_ADDR="https://vault.example.com"
VAULT_TOKEN=$(curl -X POST "$VAULT_ADDR/v1/auth/aws/login" -d '{"role":"ec2-default-role","pkcs7":"'$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')'"}'|jq -r .auth.client_token)
## Setup Nessus Credentials
NESSUS_USER=$(curl -s --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/globals/data/nessus_credentials|jq -r .data.data.username)
NESSUS_PASS=$(curl -s --header "X-Vault-Token: $VAULT_TOKEN" $VAULT_ADDR/v1/globals/data/nessus_credentials|jq -r .data.data.password)
EOF
}
| Name | Version |
|---|---|
| terraform | ~> 1.8.0 |
| aws | ~> 5.0 |
| Name | Version |
|---|---|
| aws | ~> 5.0 |
No modules.
| Name | Type |
|---|---|
| aws_autoscaling_group.this | resource |
| aws_iam_instance_profile.this | resource |
| aws_iam_role.tenable-connector | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.tenable-connector | resource |
| aws_iam_role_policy.this | resource |
| aws_launch_configuration.this | resource |
| aws_security_group.this | resource |
| aws_security_group_rule.this_egress | resource |
| aws_security_group_rule.this_ingress | resource |
| aws_ami.this | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.policy | data source |
| aws_iam_policy_document.tenable-connector | data source |
| aws_iam_policy_document.tenable-connector-assume-role | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_iam_statements | Additional IAM statements for the ECS instances | list(object({ |
[] |
no |
| associate_public_ip_address | Whether to associate a public IP in the launch configuration | bool |
false |
no |
| cloud_connector | Set to True if you want to install the IAM roles for cloud connector | bool |
false |
no |
| external_id | Container ID in Cloud Connecter Advanced Settings | string |
"" |
no |
| health_check_grace_period | Time (in seconds) after instance comes into service before checking health | number |
300 |
no |
| instance_type | The type of instance to start | string |
"m5.xlarge" |
no |
| key_name | The name of the key pair to use | string |
"aws-main" |
no |
| license_type | The type of Nessus License to use: byob or preauth | string |
"byol" |
no |
| name | Application Name | string |
"nessus" |
no |
| nessus_credentials | Environmental variables to use for Nessus scanner | string |
"NESSUS_USER='nessususer'\nNESSUS_PASS='p@ssw0rd'\n" |
no |
| nessus_key | Linking key used to register scanner with Tenable.io. | string |
"" |
no |
| nessus_proxy | FQDN/IP address of proxy, if required. | string |
"" |
no |
| nessus_proxy_port | Port used to connect to proxy, if required. | string |
"" |
no |
| nessus_scanner_name | Name of the scanner shown in the Nessus UI | string |
"" |
no |
| product_code | n/a | map(any) |
{ |
no |
| protect_from_scale_in | Allows setting instance protection | bool |
false |
no |
| security_group_egress | Can be specified multiple times for each egress rule. | map(object({ |
{ |
no |
| security_group_ingress | Can be specified multiple times for each ingress rule. | map(object({ |
{ |
no |
| subnet_ids | The Subnet IDs | list(string) |
n/a | yes |
| tags | A map of tags to add to all resources | map(string) |
{} |
no |
| termination_policies | A list of policies to decide how the instances in the auto scale group should be terminated | list(string) |
[ |
no |
| vpc_id | The name of the VPC that EFS will be deployed to | string |
n/a | yes |
| Name | Description |
|---|---|
| asg_name | Name of the Autoscaling Group |
| image_id | n/a |
| role_arn | Role ARN |
| security_group_arn | Security Group ARN |
| security_group_id | Security Group ID |
| security_group_name | Security Group name |