CrowdStrike/terraform-aws-cloud-registration
CrowdStrike Registration terraform module

AWS Falcon Cloud Security Terraform Module

This Terraform module enables registration and configuration of AWS accounts with CrowdStrike's Falcon Cloud Security.

Key features:

  • Asset Inventory
  • Real-time Visibility and Detection
  • Identity Protection (IDP)
  • Sensor Management
  • Data Security Posture Management (DSPM)

Note

For multi-region deployments, this module needs to be instantiated separately for each region where FCS components are required.

Pre-requisites

Generate API Keys

CrowdStrike API keys are required to use this module. It is highly recommended that you create a dedicated API client with only the required scopes.

  1. In the CrowdStrike console, navigate to Support and resources > API Clients & Keys. Click Add new API Client.
  2. Add the required scopes for your deployment:
Option | Scope Name | Permission
--- | --- | ---
Automated account registration | CSPM registration | Read and Write
Automated account registration | Cloud security AWS registration | Read and Write
1-click sensor management | CSPM sensor management | Read and Write
1-click sensor management | Installation tokens | Read
1-click sensor management | Sensor download | Read
DSPM | DSPM Data scanner | Read and Write
  3. Click Add to create the API client. The next screen will display the API CLIENT ID, SECRET, and BASE URL. You will need all three for the next step.

Note

This page is only shown once. Make sure you copy CLIENT ID, SECRET, and BASE URL to a secure location.

Usage

terraform {
  required_version = ">= 0.15"
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.45"
    }
    crowdstrike = {
      source  = "CrowdStrike/crowdstrike"
      version = ">= 0.0.19"
    }
  }
}

variable "falcon_client_id" {
  type        = string
  sensitive   = true
  description = "Falcon API Client ID"
}

variable "falcon_client_secret" {
  type        = string
  sensitive   = true
  description = "Falcon API Client Secret"
}

variable "account_id" {
  type        = string
  default     = ""
  description = "The AWS 12 digit account ID"
  validation {
    condition     = length(var.account_id) == 0 || can(regex("^[0-9]{12}$", var.account_id))
    error_message = "account_id must be either empty or the 12-digit AWS account ID"
  }
}

locals {
  enable_realtime_visibility = true
  primary_region             = "us-east-1"
  enable_idp                 = true
  enable_sensor_management   = true
  enable_dspm                = true
  dspm_regions               = ["us-east-1", "us-east-2"]
  use_existing_cloudtrail    = true
}

provider "crowdstrike" {
  client_id     = var.falcon_client_id
  client_secret = var.falcon_client_secret
}
provider "aws" {
  region = "us-east-1"
  alias  = "us-east-1"
}
provider "aws" {
  region = "us-east-2"
  alias  = "us-east-2"
}

# Provision AWS account in Falcon.
resource "crowdstrike_cloud_aws_account" "this" {
  account_id = var.account_id # declared as a variable above, not a local

  asset_inventory = {
    enabled = true
  }

  realtime_visibility = {
    enabled                 = local.enable_realtime_visibility
    cloudtrail_region       = local.primary_region
    use_existing_cloudtrail = local.use_existing_cloudtrail
  }

  idp = {
    enabled = local.enable_idp
  }

  sensor_management = {
    enabled = local.enable_sensor_management
  }

  dspm = {
    enabled = local.enable_dspm
  }
}

module "fcs_account_onboarding" {
  source                     = "CrowdStrike/cloud-registration/aws"
  falcon_client_id           = var.falcon_client_id
  falcon_client_secret       = var.falcon_client_secret
  account_id                 = var.account_id
  primary_region             = local.primary_region
  enable_sensor_management   = local.enable_sensor_management
  enable_realtime_visibility = local.enable_realtime_visibility
  enable_idp                 = local.enable_idp
  use_existing_cloudtrail    = local.use_existing_cloudtrail
  enable_dspm                = local.enable_dspm && contains(local.dspm_regions, "us-east-1")
  dspm_regions               = local.dspm_regions

  iam_role_name          = crowdstrike_cloud_aws_account.this.iam_role_name
  external_id            = crowdstrike_cloud_aws_account.this.external_id
  intermediate_role_arn  = crowdstrike_cloud_aws_account.this.intermediate_role_arn
  eventbus_arn           = crowdstrike_cloud_aws_account.this.eventbus_arn
  cloudtrail_bucket_name = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name

  providers = {
    aws         = aws.us-east-1
    crowdstrike = crowdstrike
  }
}

# For each additional region where you want Real-time Visibility or DSPM resources:
# - duplicate this module block
# - point its aws provider at that region's alias
module "fcs_account_us_east_2" {
  source                     = "CrowdStrike/cloud-registration/aws"
  falcon_client_id           = var.falcon_client_id
  falcon_client_secret       = var.falcon_client_secret
  account_id                 = var.account_id
  primary_region             = local.primary_region
  enable_sensor_management   = local.enable_sensor_management
  enable_realtime_visibility = local.enable_realtime_visibility
  enable_idp                 = local.enable_idp
  use_existing_cloudtrail    = local.use_existing_cloudtrail
  enable_dspm                = local.enable_dspm && contains(local.dspm_regions, "us-east-2")
  dspm_regions               = local.dspm_regions

  iam_role_name          = crowdstrike_cloud_aws_account.this.iam_role_name
  external_id            = crowdstrike_cloud_aws_account.this.external_id
  intermediate_role_arn  = crowdstrike_cloud_aws_account.this.intermediate_role_arn
  eventbus_arn           = crowdstrike_cloud_aws_account.this.eventbus_arn
  cloudtrail_bucket_name = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name

  providers = {
    aws         = aws.us-east-2
    crowdstrike = crowdstrike
  }
}

Providers

Name | Version
--- | ---
aws | >= 4.45
crowdstrike | >= 0.0.19

Resources

Name | Type
--- | ---
aws_region.current | data source
crowdstrike_cloud_aws_account.target | data source

Inputs

Name | Description | Type | Default | Required
--- | --- | --- | --- | ---
account_id | The AWS 12 digit account ID | string | "" | no
account_type | Account type can be either 'commercial' or 'gov' | string | "commercial" | no
cloudtrail_bucket_name | Name of the S3 bucket for CloudTrail logs | string | "" | no
create_rtvd_rules | Set to false if you don't want to enable monitoring in this region | bool | true | no
dspm_integration_role_unique_id | The unique ID of the DSPM integration role | string | "" | no
dspm_regions | The regions in which DSPM scanning environments will be created | list(string) | ["us-east-1"] | no
dspm_create_nat_gateway | Set to true to create a NAT Gateway for DSPM scanning environments | bool | true | no
dspm_role_name | The unique name of the IAM role that DSPM will be assuming | string | "CrowdStrikeDSPMIntegrationRole" | no
dspm_scanner_role_name | The unique name of the IAM role that CrowdStrike Scanner will be assuming | string | "CrowdStrikeDSPMScannerRole" | no
dspm_scanner_role_unique_id | The unique ID of the DSPM scanner role | string | "" | no
enable_dspm | Set to true to enable Data Security Posture Management | bool | false | no
enable_idp | Set to true to install Identity Protection resources | bool | false | no
enable_realtime_visibility | Set to true to install realtime visibility resources | bool | false | no
enable_sensor_management | Set to true to install 1-click Sensor Management resources | bool | n/a | yes
eventbridge_role_name | The eventbridge role name | string | "CrowdStrikeCSPMEventBridge" | no
eventbus_arn | Eventbus ARN to send events to | string | "" | no
external_id | The external ID used to assume the AWS reader role | string | "" | no
falcon_client_id | Falcon API Client ID | string | n/a | yes
falcon_client_secret | Falcon API Client Secret | string | n/a | yes
iam_role_name | The name of the reader role | string | "" | no
intermediate_role_arn | The intermediate role that is allowed to assume the reader role | string | "" | no
is_gov | Set to true if you are deploying in gov Falcon | bool | false | no
organization_id | The AWS Organization ID. Leave blank when onboarding a single account | string | "" | no
permissions_boundary | The name of the policy used to set the permissions boundary for IAM roles | string | "" | no
primary_region | Region for deploying global AWS resources (IAM roles, policies, etc.) that are account-wide and only need to be created once. Distinct from dspm_regions, which controls region-specific resource deployment. | string | n/a | yes
resource_prefix | The prefix to be added to all resource names | string | "CrowdStrike" | no
resource_suffix | The suffix to be added to all resource names | string | "" | no
tags | A map of tags to add to all resources that support tagging | map(string) | {} | no
use_existing_cloudtrail | Set to true if you already have a CloudTrail | bool | false | no
use_existing_iam_reader_role | Set to true if you want to use an existing IAM role for asset inventory | bool | false | no
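The external_id and intermediate_role_arn inputs above exist so that only CrowdStrike's intermediate role, presenting the external ID registered in Falcon, can assume the reader role (the standard confused-deputy protection for cross-account access). The script below is an added example, not code from the CrowdStrike module: it checks a reader role's trust policy offline for exactly that property. The policy shape, the ARN and the external ID are constructed placeholders; `fetch_trust_policy` shows how the live document would be obtained with boto3 but is not called in the demo.

```python
"""Added example (not part of the CrowdStrike module): an offline check that a
reader role's trust policy enforces the confused-deputy protection that the
external_id / intermediate_role_arn inputs exist for.

Assumptions: the trust policy has the usual IAM shape (Statement list with
Effect/Principal/Action/Condition); the ARN and external ID below are
constructed placeholders, not real values.
"""
import json

# Constructed stand-ins for the crowdstrike_cloud_aws_account outputs used in the Usage block.
INTERMEDIATE_ROLE_ARN = "arn:aws:iam::111111111111:role/ExampleIntermediateRole"  # placeholder
EXTERNAL_ID = "example-external-id-placeholder"  # placeholder

ASSUME_ACTIONS = {"sts:assumerole", "sts:*", "*"}  # actions that grant role assumption


def _as_list(value):
    """IAM policy fields may be a scalar or a list; normalise to a list."""
    if value is None:
        return []
    return list(value) if isinstance(value, list) else [value]


def _principals(stmt):
    """Return the AWS principals of a statement ('*' and bare string forms included)."""
    principal = stmt.get("Principal")
    if isinstance(principal, dict):
        return _as_list(principal.get("AWS"))
    return _as_list(principal)


def _external_ids(stmt):
    """Collect the sts:ExternalId values pinned by StringEquals conditions."""
    cond = stmt.get("Condition") or {}
    ids = set()
    for op in ("StringEquals", "ForAnyValue:StringEquals"):
        ids.update(_as_list((cond.get(op) or {}).get("sts:ExternalId")))
    return ids


def check_trust_policy(policy, intermediate_role_arn, external_id):
    """Return a list of findings; an empty list means the trust policy is sound.

    A finding is raised when an Allow statement grants sts:AssumeRole to
      - a principal other than the expected intermediate role, or
      - the intermediate role without pinning sts:ExternalId to exactly the
        expected external ID.
    """
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = {a.lower() for a in _as_list(stmt.get("Action"))}
        if not actions & ASSUME_ACTIONS:
            continue
        pinned = _external_ids(stmt)
        for principal in _principals(stmt):
            if principal != intermediate_role_arn:
                findings.append(f"statement {idx}: unexpected principal {principal!r} may assume the role")
            elif pinned != {external_id}:
                findings.append(f"statement {idx}: {principal!r} is not pinned to the expected sts:ExternalId")
    return findings


def fetch_trust_policy(role_name):
    """Fetch the live trust policy with boto3 (needs AWS credentials; not run in the offline demo)."""
    import boto3  # imported lazily so the offline demo has no dependency on it

    return boto3.client("iam").get_role(RoleName=role_name)["Role"]["AssumeRolePolicyDocument"]


# Constructed sample: what a correctly provisioned reader-role trust policy looks like.
GOOD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": INTERMEDIATE_ROLE_ARN},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": EXTERNAL_ID}},
    }],
}

# Constructed sample with two defects: the ExternalId condition was dropped, and a
# second statement lets an unrelated account assume the role.
BAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"AWS": INTERMEDIATE_ROLE_ARN}, "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::222222222222:root"}, "Action": ["sts:AssumeRole"]},
    ],
}

if __name__ == "__main__":
    for name, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(name, json.dumps(check_trust_policy(policy, INTERMEDIATE_ROLE_ARN, EXTERNAL_ID), indent=2))
```

To run it against a real deployment, pass the module's iam_role_name to `fetch_trust_policy` and feed the result to `check_trust_policy` together with the external_id and intermediate_role_arn outputs of the crowdstrike_cloud_aws_account resource; a non-empty findings list means the role can be assumed by a principal or without the external ID that Falcon expects, which is worth treating as a drift alert in CI.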

Outputs

Name | Description
--- | ---
integration_role_unique_id | The unique ID of the DSPM integration role
scanner_role_unique_id | The unique ID of the DSPM scanner role