austincloudguru/terraform-aws-nessus-appliance

AWS Nessus Appliance Module


Terraform module which creates a Nessus scanner in AWS from Tenable's AWS Marketplace AMI, for use with Tenable.io or Tenable.sc. You must subscribe to the image you intend to use (Pre-Authorized or BYOL) in the AWS Marketplace before running Terraform; the AMI lookup and the instance launch both fail for an unsubscribed Marketplace product.

Set the variable license_type to one of the following:

  • preauth: Pre-Authorized scanner image, linked to Tenable.io
  • byol: BYOL image with your own license, linked to Tenable.io
  • byol-sc: BYOL image with your own license, managed by Tenable.sc

Usage

module "nessus" {
  source                 = "AustinCloudGuru/nessus-appliance/aws"
  # You should pin the module to a specific version
  # version              = "x.x.x"
  name                   = "nessus"
  license_type           = "byol"
  vpc_id                 = "vpc-0156c7c6959ba5858"
  subnet_ids             = ["subnet-05b1a3ffd786709d5", "subnet-0a35212c972a2af05", "subnet-0d0e78f696428aa28"]
  instance_type          = "m5.xlarge"
  # Linking key from Tenable.io (placeholder value shown). It lands in user_data
  # and Terraform state, so treat it as a secret and do not commit a real one.
  nessus_key             = "dloiijfhqoiewrubfoqieuurbfcpoiqweunrcopiqeuhnrfpoiu13ehrwft"
  security_group_ingress = {
                             default = {
                               # TCP 8834 is the Nessus web UI / API port
                               description = "Nessus UI/API inbound"
                               from_port   = 8834
                               protocol    = "tcp"
                               to_port     = 8834
                               self        = true
                               cidr_blocks = []
                             },
                             ssh = {
                               # Only from members of this security group; drop the rule if you never log in
                               description = "ssh"
                               from_port   = 22
                               protocol    = "tcp"
                               to_port     = 22
                               self        = true
                               cidr_blocks = []
                             }
                           }
  tags                   = {
                             Terraform   = "true"
                             Environment = "development"
                           }
}

Deploying for Tenable.sc

This module can deploy a scanner for Tenable.sc via the byol-sc license type. Scanner credentials are set via the nessus_credentials variable, which is spliced into the user_data script and must set two shell variables, NESSUS_USER and NESSUS_PASS. The default value sets them as literal strings. That is not secure: user_data is stored in the launch configuration and readable by anyone with autoscaling:DescribeLaunchConfigurations or ec2:DescribeInstanceAttribute (it is the text shown under Edit user data in the console), and the value is also written to the Terraform state. Instead, fetch the credentials at boot from a secret store (S3, AWS Secrets Manager, HashiCorp Vault, etc.) using the instance's own identity, so that only a reference, never the password, appears in user_data. Note also that Tenable.sc initiates the connection to the scanner on TCP 8834, so the security group ingress must admit the Tenable.sc host; the default rule (self only) is not enough. For example, with HashiCorp Vault's AWS auth method you could define nessus_credentials like this (the Vault address, role name and KV path are placeholders, and the script assumes curl and jq are present on the image):

nessus_credentials = <<EOF
## Get a Vault token with the AWS auth method, proving the instance's identity
## with the PKCS#7-signed instance identity document from the metadata service
VAULT_ADDR="https://vault.example.com"
PKCS7=$(curl -s http://169.254.169.254/latest/dynamic/instance-identity/pkcs7 | tr -d '\n')
VAULT_TOKEN=$(curl -s -X POST "$VAULT_ADDR/v1/auth/aws/login" \
  -d "{\"role\":\"ec2-default-role\",\"pkcs7\":\"$PKCS7\"}" | jq -r .auth.client_token)

## Read the KV v2 secret once and take both fields from the same response
SECRET=$(curl -s --header "X-Vault-Token: $VAULT_TOKEN" "$VAULT_ADDR/v1/globals/data/nessus_credentials")
NESSUS_USER=$(echo "$SECRET" | jq -r .data.data.username)
NESSUS_PASS=$(echo "$SECRET" | jq -r .data.data.password)

## Do not leave the token or the raw secret in the environment of later steps
unset VAULT_TOKEN SECRET
EOF

If the instance enforces IMDSv2, the metadata request additionally needs a session token: obtain it with a PUT to http://169.254.169.254/latest/api/token carrying the X-aws-ec2-metadata-token-ttl-seconds header, and send it back in the X-aws-ec2-metadata-token header when fetching the pkcs7 document.
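A fuller byol-sc deployment, added here as an example and not code from the module's own README. It restricts the 8834 ingress to the Tenable.sc host's address instead of the default self-only rule, and fetches the credentials at boot from AWS Secrets Manager using the instance role, which the module grants read access to through additional_iam_statements. The VPC and subnet IDs, region, Tenable.sc address, secret name and ARN are placeholders, and the boot snippet assumes the aws CLI and jq are present on the image (the page's own Vault example makes the same assumption for curl and jq).

```hcl
# Added example (not from the module's README): a Tenable.sc scanner whose
# credentials come from AWS Secrets Manager instead of plaintext user_data.
# All IDs, ARNs, addresses and the secret name below are placeholders.

locals {
  tenable_sc_cidr   = "10.20.30.40/32"   # hypothetical Tenable.sc host
  aws_region        = "us-east-1"
  nessus_secret_arn = "arn:aws:secretsmanager:us-east-1:123456789012:secret:nessus/scanner-credentials-AbCdEf"
}

module "nessus_sc" {
  source        = "AustinCloudGuru/nessus-appliance/aws"
  # version     = "x.x.x"   # pin in real use
  name          = "nessus-sc"
  license_type  = "byol-sc"
  vpc_id        = "vpc-0123456789abcdef0"
  subnet_ids    = ["subnet-0123456789abcdef0"]
  instance_type = "m5.xlarge"

  # Tenable.sc connects *to* the scanner on 8834, so admit only its address.
  # No SSH rule: nothing needs an interactive login on the appliance.
  security_group_ingress = {
    tenable_sc = {
      description = "Nessus API from Tenable.sc"
      from_port   = 8834
      to_port     = 8834
      protocol    = "tcp"
      self        = false
      cidr_blocks = [local.tenable_sc_cidr]
    }
  }

  # Let the instance role read exactly this one secret and nothing else.
  additional_iam_statements = [
    {
      effect    = "Allow"
      actions   = ["secretsmanager:GetSecretValue"]
      resources = [local.nessus_secret_arn]
    }
  ]

  # Runs inside user_data under the instance role. The secret is a JSON
  # document of the form {"username": "...", "password": "..."}; only the
  # secret ARN ever appears in user_data, never the password.
  nessus_credentials = <<EOF
SECRET_JSON=$(aws secretsmanager get-secret-value \
  --region ${local.aws_region} \
  --secret-id ${local.nessus_secret_arn} \
  --query SecretString --output text)
NESSUS_USER=$(echo "$SECRET_JSON" | jq -r .username)
NESSUS_PASS=$(echo "$SECRET_JSON" | jq -r .password)
unset SECRET_JSON
EOF

  tags = {
    Terraform   = "true"
    Environment = "production"
  }
}
```

Reaching Secrets Manager from a private subnet needs a NAT gateway or a secretsmanager VPC interface endpoint. The module's default egress rule (all outbound) is left in place because the scanner must reach whatever it scans; narrow it to your target ranges and the Tenable.sc address when the scan scope is fixed.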

Requirements

| Name | Version |
|------|---------|
| terraform | ~> 1.8.0 |
| aws | ~> 5.0 |

Providers

| Name | Version |
|------|---------|
| aws | ~> 5.0 |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| aws_autoscaling_group.this | resource |
| aws_iam_instance_profile.this | resource |
| aws_iam_role.tenable-connector | resource |
| aws_iam_role.this | resource |
| aws_iam_role_policy.tenable-connector | resource |
| aws_iam_role_policy.this | resource |
| aws_launch_configuration.this | resource |
| aws_security_group.this | resource |
| aws_security_group_rule.this_egress | resource |
| aws_security_group_rule.this_ingress | resource |
| aws_ami.this | data source |
| aws_iam_policy_document.assume_role | data source |
| aws_iam_policy_document.policy | data source |
| aws_iam_policy_document.tenable-connector | data source |
| aws_iam_policy_document.tenable-connector-assume-role | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| additional_iam_statements | Additional IAM statements added to the Nessus instance role | `list(object({ effect = string, actions = list(string), resources = list(string) }))` | `[]` | no |
| associate_public_ip_address | Whether to associate a public IP in the launch configuration | `bool` | `false` | no |
| cloud_connector | Set to true to create the IAM role and policy for the Tenable cloud connector | `bool` | `false` | no |
| external_id | Container ID from the Cloud Connector Advanced Settings, used as the external ID on the connector role | `string` | `""` | no |
| health_check_grace_period | Time (in seconds) after an instance comes into service before its health is checked | `number` | `300` | no |
| instance_type | The type of instance to start | `string` | `"m5.xlarge"` | no |
| key_name | The name of the EC2 key pair to use | `string` | `"aws-main"` | no |
| license_type | The type of Nessus license to use: `byol`, `byol-sc` or `preauth` | `string` | `"byol"` | no |
| name | Application name | `string` | `"nessus"` | no |
| nessus_credentials | Shell snippet placed in user_data that must set NESSUS_USER and NESSUS_PASS (used with `byol-sc`). The default is a plaintext placeholder that is visible in user_data and state; override it | `string` | `"NESSUS_USER='nessususer'\nNESSUS_PASS='p@ssw0rd'\n"` | no |
| nessus_key | Linking key used to register the scanner with Tenable.io | `string` | `""` | no |
| nessus_nproxy | FQDN/IP address of a proxy, if required | `string` | `""` | no |
| nessus_proxy_port | Port used to connect to the proxy, if required | `string` | `""` | no |
| nessus_scanner_name | Name of the scanner shown in the Nessus UI | `string` | `""` | no |
| product_code | AWS Marketplace product codes used to look up the Tenable AMI, keyed by license_type | `map(any)` | `{ "byol" = "8fn69npzmbzcs4blc4583jd0y", "byol-sc" = "8fn69npzmbzcs4blc4583jd0y", "preauth" = "4m4uvwtrl5t872c56wb131ttw" }` | no |
| protect_from_scale_in | Enable scale-in protection on the Auto Scaling group's instances | `bool` | `false` | no |
| security_group_egress | One map entry per egress rule. The default allows all outbound traffic | `map(object({ description = string, from_port = number, protocol = string, to_port = number, self = bool, cidr_blocks = list(string) }))` | `{ "default" = { description = "Allow All Outbound", from_port = 0, to_port = 0, protocol = "-1", self = false, cidr_blocks = ["0.0.0.0/0"] } }` | no |
| security_group_ingress | One map entry per ingress rule. The default admits TCP 8834 (the Nessus UI/API port, despite its "NFS Inbound" description) only from members of the same security group | `map(object({ description = string, from_port = number, protocol = string, to_port = number, self = bool, cidr_blocks = list(string) }))` | `{ "default" = { description = "NFS Inbound", from_port = 8834, to_port = 8834, protocol = "tcp", self = true, cidr_blocks = null } }` | no |
| subnet_ids | The subnet IDs the Auto Scaling group launches into | `list(string)` | n/a | yes |
| tags | A map of tags to add to all resources | `map(string)` | `{}` | no |
| termination_policies | A list of policies deciding how instances in the Auto Scaling group are terminated | `list(string)` | `["OldestInstance", "Default"]` | no |
| vpc_id | ID of the VPC the scanner is deployed to | `string` | n/a | yes |

Outputs

| Name | Description |
|------|-------------|
| asg_name | Name of the Auto Scaling group |
| image_id | ID of the Tenable AMI resolved from the Marketplace product code |
| role_arn | ARN of the instance IAM role |
| security_group_arn | Security group ARN |
| security_group_id | Security group ID |
| security_group_name | Security group name |
