AWS with Terraform
This guide walks you through deploying Detectify Internal Scanning with our Terraform module, using a minimal set of options.
Module Resources: Terraform Registry | GitHub
Following the steps below will create the following infrastructure in your AWS account:
- EKS Cluster with Auto Mode - automatically provisions and scales nodes
- Scanner Application - scheduler, manager, Chrome controller, Redis
- KMS Key - encrypts Kubernetes secrets at rest
- Monitoring - CloudWatch enabled by default
Getting Started
Create Project Folder
Create a directory where all your Terraform code and secrets will live:
mkdir internal-scanner && cd internal-scanner
All subsequent steps assume you are working inside this directory.
Write Terraform Configuration
Add the following to main.tf:
# Provider setup
provider "aws" {
  region = "eu-west-1"
}

provider "kubernetes" {
  host                   = module.internal_scanner.cluster_endpoint
  cluster_ca_certificate = base64decode(module.internal_scanner.cluster_certificate_authority_data)
  token                  = data.aws_eks_cluster_auth.cluster.token
}

provider "helm" {
  kubernetes = {
    host                   = module.internal_scanner.cluster_endpoint
    cluster_ca_certificate = base64decode(module.internal_scanner.cluster_certificate_authority_data)
    token                  = data.aws_eks_cluster_auth.cluster.token
  }
}

# Retrieves token for Kubernetes and Helm providers
data "aws_eks_cluster_auth" "cluster" {
  name = module.internal_scanner.cluster_name
  # depends_on must reference a whole object, not an attribute; depending on the
  # module as a whole waits for everything it creates before requesting a token
  depends_on = [module.internal_scanner]
}

# Scanner deployment
module "internal_scanner" {
  source  = "detectify/internal-scanning/aws"
  version = "~> 2.0"

  name = "detectify-scanner"

  # Network Configuration
  vpc_id             = "vpc-xxxxx"
  private_subnet_ids = ["subnet-xxxxx", "subnet-yyyyy"]

  # License Configuration (provided by Detectify)
  license_key       = var.license_key
  connector_api_key = var.connector_api_key

  # Registry Authentication (provided by Detectify)
  registry_username = var.registry_username
  registry_password = var.registry_password
}

# Sensitive input
variable "license_key" {
  description = "Detectify license key"
  type        = string
  sensitive   = true
}

variable "connector_api_key" {
  description = "Detectify connector API key"
  type        = string
  sensitive   = true
}

variable "registry_username" {
  description = "Detectify docker registry username"
  type        = string
  sensitive   = true
}

variable "registry_password" {
  description = "Detectify docker registry password"
  type        = string
  sensitive   = true
}
Replace the placeholder values under Network Configuration to fit your environment.
Set Credentials
There are multiple ways of setting variables. For simplicity we’ll set them as environment variables here:
# replace with real values
export TF_VAR_license_key='00000000-0000-0000-0000-000000000000'
export TF_VAR_connector_api_key="ABC123"
export TF_VAR_registry_username='robot$ABC123'
export TF_VAR_registry_password='ABC123'
These values should be considered secrets and be handled according to your organization’s requirements.
Deploy
# Download modules and providers
terraform init
# Deploy
terraform apply
The first apply may partially fail. In some environments, the EKS cluster gets created successfully but Kubernetes and Helm resources fail because IAM access entries haven’t fully propagated yet. If this happens, run terraform apply again.
Configure kubectl and Verify
After deployment completes, configure kubectl to connect to your cluster:
# Get the kubeconfig command from Terraform output
terraform output kubeconfig_command
# Set context for kubectl:
aws eks update-kubeconfig --region eu-west-1 --name detectify-scanner
# Check that all scanner components are running:
kubectl get pods -n scanner
Expected output:
NAME                     READY   STATUS    RESTARTS   AGE
scan-scheduler-xxxxx     1/1     Running   0          5m
scan-manager-xxxxx       1/1     Running   0          5m
chrome-controller-xxxxx  1/1     Running   0          5m
redis-xxxxx              1/1     Running   0          5m
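As an added example (not part of Detectify's guide or module), the following script turns the manual check above into a pass/fail test: it reads the pod listing and reports any of the four expected components that is missing or not fully Ready. The sample listings and pod name suffixes are constructed.

```shell
#!/usr/bin/env bash
# Added example, not Detectify's code: check the "kubectl get pods -n scanner"
# listing against the four components the guide expects. Usage after deploy:
#     kubectl get pods -n scanner | check_scanner_pods
EXPECTED_COMPONENTS="scan-scheduler scan-manager chrome-controller redis"

# Reads the pod listing on stdin. Returns 0 when every expected component has
# at least one pod with READY n/n (n > 0) and STATUS Running; otherwise prints
# one line per problem and returns 1. Pods are matched by name prefix, so the
# hash suffixes Kubernetes appends do not matter.
check_scanner_pods() {
  awk -v expected="$EXPECTED_COMPONENTS" '
    BEGIN { n = split(expected, want, " ") }
    NR == 1 { next }                                  # skip header line
    {
      split($2, ready, "/")                           # READY is "ready/total"
      ok = ($3 == "Running" && ready[1] == ready[2] && ready[2] != "0")
      for (i = 1; i <= n; i++) {
        c = want[i]
        if (index($1, c "-") != 1) continue           # not this component
        if (ok) healthy[c] = 1
        else problem[c] = $1 " (" $2 " " $3 ")"
      }
    }
    END {
      status = 0
      for (i = 1; i <= n; i++) {
        c = want[i]
        if (c in healthy) continue                    # a healthy pod wins
        status = 1
        if (c in problem) print "NOT READY: " problem[c]
        else print "MISSING: no pod for " c
      }
      exit status
    }'
}

# Constructed sample listings (pod suffixes are made up), mirroring the guide.
SAMPLE_HEALTHY='NAME READY STATUS RESTARTS AGE
scan-scheduler-7d9f 1/1 Running 0 5m
scan-manager-5c2a 1/1 Running 0 5m
chrome-controller-9b1e 1/1 Running 0 5m
redis-3f4d 1/1 Running 0 5m'

# Manager still pulling its image, redis pod not yet scheduled at all.
SAMPLE_BROKEN='NAME READY STATUS RESTARTS AGE
scan-scheduler-7d9f 1/1 Running 0 1m
scan-manager-5c2a 0/1 ImagePullBackOff 0 1m
chrome-controller-9b1e 1/1 Running 0 1m'
```

Running the check in a loop with a short sleep gives a simple readiness gate for the second terraform apply the guide mentions.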