Creates a Nessus instance using the AWS Marketplace images provided by Tenable.
When using Nessus as a standalone scanner (BYOL), an ELB is created automatically so that the scanner is reached through a proper TLS certificate. When running as a pre-authorized scanner (connected to Tenable.io), the ELB is not created.
`preauth_key` must be correctly set when running in preauth mode, and the instance must be able to reach the Tenable.io service.
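# Minimal example: a standalone (BYOL) scanner in an existing VPC.
module "nessus" {
  source = "../../terraform-aws-nessus-appliance"

  scanner_name = "nessus"

  # The module's required subnet input is `instance_subnet_id` (see the Inputs
  # table); `subnet_id` is not an accepted argument and would fail validation.
  instance_subnet_id = "subnet-1234567890"
  vpc_id             = "vpc-1234567890"

  # Defaults worth knowing before applying this as-is:
  #  - `allowed_admin_cidrs` defaults to [], so no SSH ingress is opened unless set.
  #  - `allow_instance_egress` defaults to true (all/all egress rule on the instance).
  #  - `elb_internal` defaults to true.
  #  - `preauth_key` is a secret; when `use_preauth = true`, supply it from a
  #    variable or secret store rather than committing it in this block.
}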
Name | Version |
---|---|
terraform | >= 0.13.0 |
aws | >= 2.65 |
random | >= 1.2 |
template | >= 2.1 |
Name | Version |
---|---|
aws | >= 2.65 |
Name | Description | Type | Default | Required |
---|---|---|---|---|
instance_subnet_id | Subnet to create the instance in | string | n/a | yes |
vpc_id | VPC to create resources in | string | n/a | yes |
additional_security_groups | Additional security groups to attach to the instance | list(string) | [] | no |
additional_volume_tags | Additional tags to apply to the instance volume | map(string) | {} | no |
allow_instance_egress | Attach an all/all egress rule to the instance automatically (no egress rules are defined if this is set to `false`, making for a fairly boring vulnerability scanner) | bool | true | no |
allowed_admin_cidrs | CIDR ranges that are permitted access to SSH | list(string) | [] | no |
create_keypair | Create a keypair for this instance automatically | bool | false | no |
elb_additional_sg_tags | Additional tags to apply to the ELB security group. Useful if you use an external process to manage ingress rules. | map(string) | {} | no |
elb_allowed_cidr_blocks | List of allowed CIDR blocks. If `[]` is specified, no inbound ingress rules will be created | list(string) | [ | no |
elb_certificate | ARN of the certificate to associate with the ELB | string | null | no |
elb_internal | Create as an internal or internet-facing ELB | bool | true | no |
elb_subnets | Subnets to associate the ELB with | list(string) | [] | no |
instance_type | Nessus instance type | string | "m5.xlarge" | no |
keypair | Keypair to associate the instance with (if left `null` and `create_keypair == false`, the instance will not have a keypair associated) | string | null | no |
nessus_dns_entry | DNS entry to create in the selected zone (not used if `route53_zone_id == null`) | string | "nessus" | no |
preauth_key | Must be set when `use_preauth == true` for the scanner to function. | string | "" | no |
root_volume_size | Size of the appliance root volume (needs to be large enough to hold scan results over time) | number | 50 | no |
route53_zone_id | Route 53 zone to create the Nessus entry in (leave `null` to skip) | string | null | no |
scanner_name | Name of the Nessus scanner (this will be attached to various resource names) | string | "nessus" | no |
tags | Tags to add to supported resources | map(string) | {} | no |
use_preauth | Use a pre-authorized scanner? This is an unmanaged instance that talks back to Tenable. An ELB and DNS entry will not be created if this is `true`. | bool | false | no |
Name | Description |
---|---|
instance_id | Instance ID |
lb_arn | ARN of the ELB |
lb_dns_name | DNS Name of the ELB |
lb_listener_arn | ARN of the ELB Listener |
lb_zone_id | Route53 Zone ID of the ELB |
role_arn | IAM Role ARN of the instance |