mirror of
https://github.com/prowler-cloud/prowler.git
synced 2026-02-09 02:30:43 +00:00
103 lines
3.3 KiB
YAML
103 lines
3.3 KiB
YAML
AWSTemplateFormatVersion: 2010-09-09
|
|
Description: This Template will create the infrastructure for Prowler with ECS Fargate
|
|
Parameters:
|
|
ProwlerClusterName:
|
|
Type: String
|
|
Description: Name of the ECS Cluster that the Prowler Fargate Task will run in
|
|
Default: ProwlerCluster
|
|
ProwlerContainerName:
|
|
Type: String
|
|
Description: Name of the Prowler Container Definition within the ECS Task
|
|
Default: prowler
|
|
ProwlerContainerInfo:
|
|
Type: String
|
|
Description: ECR URI of the Prowler container
|
|
ProwlerECSLogGroupName:
|
|
Type: String
|
|
Description: Name for the log group to be created
|
|
Default: /aws/ecs/SecurityHub-Prowler
|
|
SecurityGroupVPCId:
|
|
Type: String
|
|
Description: VPC Id for the Security Group to be created
|
|
ProwlerScheduledSubnet1:
|
|
Type: String
|
|
Description: Subnet Id in which Prowler can be scheduled to Run
|
|
ProwlerScheduledSubnet2:
|
|
Type: String
|
|
Description: A secondary Subnet Id in which Prowler can be scheduled to Run
|
|
ECSExecutionRole:
|
|
Type: String
|
|
Description: ECS Execution Task Role ARN.
|
|
ProwlerTaskRole:
|
|
Type: String
|
|
Description: Prowler ECS Task Role ARN.
|
|
ECSEventRole:
|
|
Type: String
|
|
Description: Eventbridge Task Role ARN.
|
|
CronExpression:
|
|
Type: String
|
|
Description: Cron schedule for the event rule.
|
|
Default: cron(0 23 * * ? *)
|
|
Resources:
|
|
ProwlerECSCloudWatchLogsGroup:
|
|
Type: AWS::Logs::LogGroup
|
|
Properties:
|
|
LogGroupName: !Ref ProwlerECSLogGroupName
|
|
RetentionInDays: 90
|
|
ProwlerECSCluster:
|
|
Type: AWS::ECS::Cluster
|
|
Properties:
|
|
ClusterName: !Ref ProwlerClusterName
|
|
ProwlerECSTaskDefinition:
|
|
Type: AWS::ECS::TaskDefinition
|
|
Properties:
|
|
ContainerDefinitions:
|
|
- Image: !Ref ProwlerContainerInfo
|
|
Name: !Ref ProwlerContainerName
|
|
LogConfiguration:
|
|
LogDriver: awslogs
|
|
Options:
|
|
awslogs-group: !Ref ProwlerECSCloudWatchLogsGroup
|
|
awslogs-region: !Ref 'AWS::Region'
|
|
awslogs-stream-prefix: ecs
|
|
Cpu: 1024
|
|
ExecutionRoleArn: !Ref ECSExecutionRole
|
|
Memory: 8192
|
|
NetworkMode: awsvpc
|
|
TaskRoleArn: !Ref ProwlerTaskRole
|
|
Family: SecurityHubProwlerTask
|
|
RequiresCompatibilities:
|
|
- FARGATE
|
|
ProwlerSecurityGroup:
|
|
Type: AWS::EC2::SecurityGroup
|
|
Properties:
|
|
GroupDescription: Allow HTTPS Out - Prowler
|
|
VpcId: !Ref SecurityGroupVPCId
|
|
SecurityGroupEgress:
|
|
- IpProtocol: tcp
|
|
FromPort: 443
|
|
ToPort: 443
|
|
CidrIp: 0.0.0.0/0
|
|
ProwlerTaskScheduler:
|
|
Type: AWS::Events::Rule
|
|
Properties:
|
|
ScheduleExpression: !Ref CronExpression
|
|
State: ENABLED
|
|
Targets:
|
|
- Arn: !GetAtt ProwlerECSCluster.Arn
|
|
RoleArn: !Ref ECSEventRole
|
|
Id: prowlerTaskScheduler
|
|
EcsParameters:
|
|
TaskDefinitionArn: !Ref ProwlerECSTaskDefinition
|
|
TaskCount: 1
|
|
LaunchType: FARGATE
|
|
PlatformVersion: 'LATEST'
|
|
NetworkConfiguration:
|
|
AwsVpcConfiguration:
|
|
AssignPublicIp: DISABLED
|
|
SecurityGroups:
|
|
- !Ref ProwlerSecurityGroup
|
|
Subnets:
|
|
- !Ref ProwlerScheduledSubnet1
|
|
- !Ref ProwlerScheduledSubnet2
|