Skip to content
/ terraform-aws-enrichment Public

Terraform for Corelight's AWS Cloud Enrichment.

License

MIT license
0 stars 0 forks Branches Tags Activity
Star
Notifications You must be signed in to change notification settings

corelight/terraform-aws-enrichment

BranchesTags

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

13 Commits

.github

.github

 
 

docs

docs

 
 

examples/deployment

examples/deployment

 
 

modules

modules

 
 

.gitignore

.gitignore

 
 

LICENSE

LICENSE

 
 

README.md

README.md

 
 

Taskfile.yml

Taskfile.yml

 
 

data.tf

data.tf

 
 

eventbridge_cron_trigger.tf

eventbridge_cron_trigger.tf

 
 

eventbridge_iam.tf

eventbridge_iam.tf

 
 

eventbridge_primary.tf

eventbridge_primary.tf

 
 

lambda.tf

lambda.tf

 
 

lambda_iam.tf

lambda_iam.tf

 
 

outputs.tf

outputs.tf

 
 

variables.tf

variables.tf

 
 

versions.tf

versions.tf

 
 

Repository files navigation

terraform-aws-enrichment

overview

Usage

module "enrichment" {
  source = "github.com/corelight/terraform-aws-enrichment"

  corelight_cloud_enrichment_image = "123456789111.dkr.ecr.us-east-1.amazonaws.com/corelight-sensor-enrichment-aws"
  corelight_cloud_enrichment_image_tag = "0.1.0"
  enrichment_bucket_name = "corelight-enrichment"
}

Preparation

Image based Lambdas must be deployed from a private Elastic Container Registry (ECR) repository and therefore the data collection serverless container image provided by Corelight must be copied from Dockerhub and pushed to your own ECR repository.

Copying the Corelight image

Log into the destination ECR

aws ecr get-login-password --region <region> | docker login \
    --username AWS \
    --password-stdin <[account id].dkr.ecr.[region].amazonaws.com>

Corelight recommends install skopeo to assist with copying this image.

AWS_ACCOUNT=<enter aws account id>
AWS_REGION=<enter ecr repository region>
ECR_REGISTRY="${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com"

# Pull from Dockerhub
CORELIGHT_REPO=corelight
CORELIGHT_IMAGE_NAME=sensor-enrichment-aws
CORELIGHT_IMAGE_TAG=0.1.0

SRC_IMAGE="$CORELIGHT_REPO/$CORELIGHT_IMAGE_NAME:$CORELIGHT_IMAGE_TAG"
DST_IMAGE="$ECR_REGISTRY/$CORELIGHT_IMAGE_NAME:$CORELIGHT_IMAGE_TAG"

# Pull Corelight Image
docker pull $SRC_IMAGE

# Copy Image to ECR
skopeo copy docker://$SRC_IMAGE docker://$DST_IMAGE --dest-tls-verify

If you would prefer not to use Skopeo then the image will need to be pulled, tagged, and pushed to ECR manually.

AWS_ACCOUNT=<enter aws account id>
AWS_REGION=<enter ecr repository region>
ECR_REGISTRY="${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com"

# Pull from Dockerhub
CORELIGHT_REPO=corelight
CORELIGHT_IMAGE_NAME=sensor-enrichment-aws
CORELIGHT_IMAGE_TAG=0.1.0

SRC_IMAGE="$CORELIGHT_REPO/$CORELIGHT_IMAGE_NAME:$CORELIGHT_IMAGE_TAG"
DST_IMAGE="$ECR_REGISTRY/$CORELIGHT_IMAGE_NAME:$CORELIGHT_IMAGE_TAG"

# Pull Corelight Image
docker pull $SRC_IMAGE

docker image tag $SRC_IMAGE $DST_IMAGE

docker image push $DST_IMAGE

Deployment

The variables for this module all have default values that can be overwritten to meet your naming and compliance standards. The only variables without defaults are the Lambda's ECR image name and tag which you will set during preparation.

Deployment examples can be found here

License

The project is licensed under the MIT license.

About

Terraform for Corelight's AWS Cloud Enrichment.

Topics

aws cloud enrichment terraform zeek

Resources

Readme

License

MIT license
Activity
Custom properties

Stars

0 stars

Watchers

2 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Contributors 2

  •  
  •  

Languages