Creates a Nessus instance using the AWS Marketplace images provided by Tenable.
When using Nessus as a standalone scanner (BYOL), an ELB is created automatically to give a proper SSL certificate to your scanner. When running as a pre-authorized scanner (connected to Tenable.io), the ELB is not created.
preauth_key must be correctly set when running preauth mode, and the instance must be able to reach the tenable.io service.
module "nessus" {
source = "../../terraform-aws-nessus-appliance"
scanner_name = "nessus"
subnet_id = "subnet-1234567890"
vpc_id = "vpc-1234567890"
}| Name | Version |
|---|---|
| terraform | >= 0.13.0 |
| aws | >= 2.65 |
| random | >= 1.2 |
| template | >= 2.1 |
| Name | Version |
|---|---|
| aws | >= 2.65 |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| instance_subnet_id | Subnet to create instance in | string |
n/a | yes |
| vpc_id | VPC to create resources in | string |
n/a | yes |
| additional_security_groups | Additional security groups to attach to the instance | list(string) |
[] |
no |
| additional_volume_tags | Additional tags to apply to instance volume | map(string) |
{} |
no |
| allow_instance_egress | Attach an all/all egress rule to the instance automatically (no egress rules are defined if this is set to false, making for a fairly boring vulnerability scanner) |
bool |
true |
no |
| allowed_admin_cidrs | CIDR ranges that are permitted access to SSH | list(string) |
[] |
no |
| create_keypair | Create a keypair for this instance automatically | bool |
false |
no |
| elb_additional_sg_tags | Additional tags to apply to the ELB security group. Useful if you use an external process to manage ingress rules. | map(string) |
{} |
no |
| elb_allowed_cidr_blocks | List of allowed CIDR blocks. If [] is specified, no inbound ingress rules will be created |
list(string) |
[ |
no |
| elb_certificate | ARN of certificate to associate with ELB | string |
null |
no |
| elb_internal | Create as an internal or internet-facing ELB | bool |
true |
no |
| elb_subnets | Subnets to associate ELB to | list(string) |
[] |
no |
| instance_type | Nessus Instance Type | string |
"m5.xlarge" |
no |
| keypair | Keypair to associate instance with (if left null and create_keypair == false, the instance will not have a keypair associated) |
string |
null |
no |
| nessus_dns_entry | DNS entry to create in selected zone (not used if route53_zone_id == null) |
string |
"nessus" |
no |
| preauth_key | Must be set when use_preauth == true for the scanner to function. |
string |
"" |
no |
| root_volume_size | Size of the appliance root volume (needs to be large enough to hold scan results over time) | number |
50 |
no |
| route53_zone_id | Route 53 zone to create Nessus entry in (leave null to skip) | string |
null |
no |
| scanner_name | Name of the nessus scanner (this will be attached to various resource names) | string |
"nessus" |
no |
| tags | Tags to add to supported resources | map(string) |
{} |
no |
| use_preauth | Use pre-authorized scanner? This is an unmanaged instance that talks back to Tenable. An ELB and DNS entry will not be created if this is true. | bool |
false |
no |
| Name | Description |
|---|---|
| instance_id | Instance ID |
| lb_arn | ARN of the ELB |
| lb_dns_name | DNS Name of the ELB |
| lb_listener_arn | ARN of the ELB Listener |
| lb_zone_id | Route53 Zone ID of the ELB |
| role_arn | IAM Role ARN of the instance |