CloudGuard AWP (Azure) - Terraform Module

This Terraform module enables AWP (Agentless Workload Posture) on an Azure subscription (https://www.checkpoint.com/dome9/).

This module uses the Check Point CloudGuard Dome9 provider.

Prerequisites

Usage

```hcl
module "terraform-dome9-awp-azure" {
  source = "dome9/awp-azure/dome9"

  # The ID of the Azure account onboarded to CloudGuard (either the CloudGuard Cloud Account ID or the Azure subscription ID)
  awp_cloud_account_id = dome9_cloudaccount_azure.my_azure_cloud_account.id

  # The AWP scan mode. Possible values are "inAccount", "saas", "inAccountHub" or "inAccountSub".
  awp_scan_mode = "inAccount"

  # For centralized onboarding, the account ID (CloudGuard account ID or Azure subscription ID) of the centralized account
  awp_centralized_cloud_account_id = dome9_cloudaccount_azure.my_azure_centralized_account.id

  # Optional customizations, e.g.:
  management_group_id = "management group id" # relevant only for inAccountHub mode

  # Optional account settings, e.g.:
  awp_account_settings_azure = {
    scan_machine_interval_in_hours  = 24
    skip_function_apps_scan         = false
    max_concurrent_scans_per_region = 20
    disabled_regions                = []             # e.g. ["eastus", "westus"]
    in_account_scanner_vpc          = "ManagedByAWP" # "ManagedByAWP" or "ManagedByCustomer"
    sse_cmk_encrypted_disks_scan    = false
    custom_tags                     = {}             # e.g. { "key1" = "value1", "key2" = "value2" }
  }
}
```

Examples

The examples directory contains example usages of this module:

  • basic - A basic example of using this module.
  • complete - A complete example of using this module with all the available options.

AWP Terraform template: Version 2

Requirements

| Name      | Version   |
|-----------|-----------|
| terraform | >= 1.0    |
| azurerm   | 3.99.0    |
| dome9     | >= 1.35.9 |
| time      | 0.11.2    |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| awp_cloud_account_id | The ID of the Azure account onboarded to CloudGuard (either the CloudGuard Cloud Account ID or the Azure subscription ID) | string | n/a | yes |
| awp_scan_mode | The AWP scan mode: "inAccount", "saas", "inAccountHub" or "inAccountSub" | string | "inAccount" | yes |
| awp_centralized_cloud_account_id | The ID of the centralized Azure account | string | null | only for the inAccountSub scan mode |
| management_group_id | Management group ID | string | null | no |
| awp_account_settings_azure | AWP account settings for Azure | object | null | no |

The awp_account_settings_azure variable is an object with the following attributes:

| Name | Description | Type | Default | Valid values | Required |
|------|-------------|------|---------|--------------|----------|
| scan_machine_interval_in_hours | Scan machine interval in hours | number | 24 | inAccount: >= 4; SaaS: >= 24 | no |
| skip_function_apps_scan | Skip the Azure Function Apps scan | bool | false | true or false | no |
| max_concurrent_scans_per_region | Maximum concurrent scans per region | number | 20 | 1 - 20 | no |
| in_account_scanner_vpc | The VPC mode | string | ManagedByAWP | ManagedByAWP, ManagedByCustomer | no |
| custom_tags | Custom tags added to the AWP resources created during the scan process | map(string) | {} | {"key" = "value", ...} | no |
| sse_cmk_encrypted_disks_scan | Enable scanning of SSE CMK encrypted disks | bool | false | true or false | no |
| disabled_regions | List of Azure regions in which AWP scanning is disabled | list(string) | [] | ["eastus", ...] | no |

Resources

| Name | Type |
|------|------|
| azurerm_resource_group.cloudguard | resource |
| azurerm_resource_group.cloudguard_sub | resource |
| azurerm_role_assignment.cloudguard_crypto_creator_assignment | resource |
| azurerm_role_assignment.cloudguard_function_apps_scan_operator_assignment | resource |
| azurerm_role_assignment.cloudguard_function_apps_scanner_assignment | resource |
| azurerm_role_assignment.cloudguard_function_apps_scanner_assignment_sub | resource |
| azurerm_role_assignment.cloudguard_vm_data_share_assignment | resource |
| azurerm_role_assignment.cloudguard_vm_data_share_assignment_sub | resource |
| azurerm_role_assignment.cloudguard_vm_scan_operator_assignment | resource |
| azurerm_role_definition.cloudguard_crypto_creator | resource |
| azurerm_role_definition.cloudguard_disk_encryptor | resource |
| azurerm_role_definition.cloudguard_function_apps_scan_operator | resource |
| azurerm_role_definition.cloudguard_function_apps_scanner | resource |
| azurerm_role_definition.cloudguard_vm_data_share | resource |
| azurerm_role_definition.cloudguard_vm_scan_operator | resource |
| azurerm_user_assigned_identity.cloudguard_identity | resource |
| dome9_awp_azure_onboarding.awp_azure_onboarding_resource | resource |
| time_sleep.wait_for_crypto_creator_role_creation | resource |
| time_sleep.wait_for_function_apps_scan_operator_role_creation | resource |
| time_sleep.wait_for_function_apps_scanner_role_creation | resource |
| time_sleep.wait_for_vm_data_share_role_creation | resource |
| time_sleep.wait_for_vm_scan_operator_role_creation | resource |

Outputs

| Name | Description |
|------|-------------|
| agentless_protection_enabled | AWP status |
| azure_subscription_id | Azure subscription ID |
| cloud_account_id | CloudGuard account ID |
| missing_awp_private_network_regions | List of regions in which AWP was unable to create a virtual private network (VPC) |
| should_update | Set when this module is out of date and should be updated to the latest version |

FAQ & Troubleshooting

Centralized Offboarding with sse_cmk_encrypted_disks_scan Enabled

When performing centralized offboarding with sse_cmk_encrypted_disks_scan enabled, you can delete the AWP keys manually. If you rely only on the Terraform offboarding, the keys remain in a "soft delete" state for the retention period before Azure permanently deletes them.

Steps:

  1. Identify Key Vaults tagged with CG_AWP_OWNER=CG.AWP.
  2. In those Key Vaults, locate and delete the keys tagged with CG_AWP_OWNER=CG.AWP.

This should be done before completing the offboarding process to prevent potential issues.
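The two steps above, as an added example script that is not part of the dome9 module: it locates the Key Vaults tagged CG_AWP_OWNER=CG.AWP with the Azure CLI, lists the keys carrying the same tag, and only deletes them when `--delete` is passed. It assumes `az` is logged in to the subscription being offboarded; the stub values used in the comments are constructed.

```shell
#!/bin/sh
# Added example: enumerate AWP-owned Key Vaults and AWP-tagged keys with the
# Azure CLI. Dry run by default; pass --delete to actually remove the keys.
set -eu

# JMESPath filter used for both vaults and keys: keep only names whose tags
# contain CG_AWP_OWNER=CG.AWP (the tag the README says AWP applies).
AWP_TAG_QUERY="[?tags.CG_AWP_OWNER=='CG.AWP'].name"

# Step 1: Key Vaults in the current subscription tagged CG_AWP_OWNER=CG.AWP.
awp_vaults() {
  az keyvault list --query "$AWP_TAG_QUERY" -o tsv
}

# Step 2: keys inside one vault that carry the same tag
# (`az keyvault key list` returns each key's tags, so the filter applies).
awp_keys_in_vault() {
  az keyvault key list --vault-name "$1" --query "$AWP_TAG_QUERY" -o tsv
}

# Walk every AWP vault and report (or delete, when $1 is --delete) each tagged
# key. Sets AWP_KEY_COUNT to the number of matching keys so a second dry run
# after deletion can confirm nothing is left.
awp_offboard_keys() {
  mode="${1:-}"
  count=0
  for vault in $(awp_vaults); do
    for key in $(awp_keys_in_vault "$vault"); do
      count=$((count + 1))
      if [ "$mode" = "--delete" ]; then
        az keyvault key delete --vault-name "$vault" --name "$key" >/dev/null
        echo "deleted $vault/$key"
      else
        echo "would delete $vault/$key"
      fi
    done
  done
  AWP_KEY_COUNT=$count
}

# Run directly: AWP_OFFBOARD_RUN=1 sh awp_offboard_keys.sh [--delete]
if [ "${AWP_OFFBOARD_RUN:-0}" = "1" ]; then
  awp_offboard_keys "${1:-}"
  echo "AWP-tagged keys matched: $AWP_KEY_COUNT"
fi
```

On vaults with soft delete enabled, `az keyvault key delete` only moves a key to the soft-deleted state; `az keyvault key purge --vault-name <vault> --name <key>` removes it permanently, unless purge protection is enabled on the vault.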