This Terraform module provides a simple and reusable configuration for installing a Datadog agentless scanner.
Before using this module, make sure you have the following:
- Terraform installed on your local machine.
- AWS credentials configured with the necessary permissions.
To use this module in your Terraform configuration, add the following code in your existing Terraform code:
module "scanner_role" {
source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner//modules/agentless-scanner-role"
account_roles = [module.delegate_role.role.arn]
api_key_secret_arns = [module.agentless_scanner.api_key_secret_arn]
}
module "delegate_role" {
source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner//modules/scanning-delegate-role"
scanner_roles = [module.scanner_role.role.arn]
}
module "agentless_scanner" {
source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner"
api_key = "YOUR API KEY"
instance_profile_name = module.scanner_role.instance_profile.name
}And run:
terraform init
terraform planImportant
Datadog strongly recommends pinning the version of the module to keep repeatable deployment and to avoid unexpected changes.
To uninstall, remove the Agentless scanner module from your Terraform code. Removing this module deletes all resources associated with the Agentless scanner. Alternatively, if you used a separate Terraform state for this setup, you can uninstall the Agentless scanner by executing terraform destroy.
Warning
Exercise caution when deleting Terraform resources. Review the plan carefully to ensure everything is in order.
For complete examples, refer to the examples directory in this repository.
Install pre-commit checks:
pre-commit install
Automatically generate documentation for the Terraform modules:
pre-commit run terraform-docs-go -a
Lint Terraform code:
pre-commit run terraform_fmt -a
pre-commit run terraform_tflint -a
Run all checks:
pre-commit run -a
See changelog.
| Name | Version |
|---|---|
| terraform | >= 1.0 |
| aws | >= 5.0 |
No providers.
| Name | Source | Version |
|---|---|---|
| instance | ./modules/instance | n/a |
| user_data | ./modules/user_data | n/a |
| vpc | ./modules/vpc | n/a |
No resources.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| api_key | Specifies the API keys required by the Datadog Agent to submit vulnerabilities to Datadog | string |
null |
no |
| api_key_secret_arn | ARN of the secret holding the Datadog API key. Takes precedence over api_key variable | string |
null |
no |
| enable_ssm | Whether to enable AWS SSM to facilitate executing troubleshooting commands on the instance | bool |
false |
no |
| enable_ssm_vpc_endpoint | Whether to enable AWS SSM VPC endpoint (only applicable if enable_ssm is true) | bool |
true |
no |
| instance_profile_name | Name of the instance profile to attach to the instance | string |
n/a | yes |
| scanner_channel | Channel of the scanner to install from (stable or beta) | string |
"stable" |
no |
| scanner_version | Version of the scanner to install | string |
"0.11" |
no |
| site | By default the Agent sends its data to Datadog US site. If your organization is on another site, you must update it. See https://docs.datadoghq.com/getting_started/site/ | string |
null |
no |
| tags | A map of additional tags to add to the IAM role/profile created | map(string) |
{} |
no |
| Name | Description |
|---|---|
| api_key_secret_arn | The ARN of the secret containing the Datadog API key |
| vpc | The VPC created for the Datadog agentless scanner |