This Terraform module enables registration and configuration of AWS accounts with CrowdStrike's Falcon Cloud Security. It supports multi-region deployments and provides flexibility in AWS provider configuration.
For simplified deployment, two specialized sub-modules are available:
- modules/registration-profile - Streamlined deployment using AWS CLI profiles
- modules/registration-role - Streamlined deployment using cross-account IAM roles
Key features:
- Asset Inventory
- Real-time Visibility and Detection
- Identity Protection (IDP)
- Sensor Management
- Data Security Posture Management (DSPM)
Note: For multi-region deployments, this module needs to be instantiated separately for each region where FCS components are required. The sub-modules handle this automatically. See the examples directory for different deployment patterns.
- You will need to provide CrowdStrike API Keys and CrowdStrike cloud region for the installation. It is recommended to establish new API credentials for the installation at https://falcon.crowdstrike.com/support/api-clients-and-keys, minimal required permissions are:
| Option | Scope Name | Permission |
|---|---|---|
| Automated account registration | CSPM registration | Read and Write |
| Cloud security AWS registration | Read and Write | |
| 1-click sensor management | CSPM sensor management | Read and Write |
| Installation tokens | Read | |
| Sensor download | Read | |
| DSPM | DSPM Data scanner | Read and Write |
| Name | Version |
|---|---|
| aws | >= 4.45 |
| crowdstrike | >= 0.0.16 |
| Name | Type |
|---|---|
| aws_region.current | data source |
| crowdstrike_cloud_aws_account.target | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| account_id | The AWS 12 digit account ID | string |
"" |
no |
| account_type | Account type can be either 'commercial' or 'gov' | string |
"commercial" |
no |
| cloudtrail_bucket_name | n/a | string |
"" |
no |
| dspm_integration_role_unique_id | The unique ID of the DSPM integration role | string |
"" |
no |
| dspm_regions | The regions in which DSPM scanning environments will be created | list(string) |
[ |
no |
| dspm_role_name | The unique name of the IAM role that DSPM will be assuming | string |
"CrowdStrikeDSPMIntegrationRole" |
no |
| dspm_scanner_role_name | The unique name of the IAM role that CrowdStrike Scanner will be assuming | string |
"CrowdStrikeDSPMScannerRole" |
no |
| dspm_scanner_role_unique_id | The unique ID of the DSPM scanner role | string |
"" |
no |
| enable_dspm | Set to true to enable Data Security Posture Managment | bool |
false |
no |
| enable_idp | Set to true to install Identity Protection resources | bool |
false |
no |
| enable_realtime_visibility | Set to true to install realtime visibility resources | bool |
false |
no |
| enable_sensor_management | Set to true to install 1Click Sensor Management resources | bool |
n/a | yes |
| eventbridge_role_name | The eventbridge role name | string |
"CrowdStrikeCSPMEventBridge" |
no |
| eventbus_arn | Eventbus ARN to send events to | string |
"" |
no |
| external_id | The external ID used to assume the AWS reader role | string |
"" |
no |
| falcon_client_id | Falcon API Client ID | string |
n/a | yes |
| falcon_client_secret | Falcon API Client Secret | string |
n/a | yes |
| iam_role_name | The name of the reader role | string |
"" |
no |
| intermediate_role_arn | The intermediate role that is allowed to assume the reader role | string |
"" |
no |
| is_gov | Set to true if you are deploying in gov Falcon | bool |
false |
no |
| organization_id | The AWS Organization ID. Leave blank if when onboarding single account | string |
"" |
no |
| permissions_boundary | The name of the policy used to set the permissions boundary for IAM roles | string |
"" |
no |
| primary_region | Region for deploying global AWS resources (IAM roles, policies, etc.) that are account-wide and only need to be created once. Distinct from dspm_regions which controls region-specific resource deployment. | string |
n/a | yes |
| use_existing_cloudtrail | Set to true if you already have a cloudtrail | bool |
false |
no |
| Name | Description |
|---|---|
| integration_role_unique_id | The unique ID of the DSPM integration role |
| scanner_role_unique_id | The unique ID of the DSPM scanner role |
terraform {
required_version = ">= 0.15"
required_providers {
aws = {
source = "hashicorp/aws"
version = ">= 4.45"
}
crowdstrike = {
source = "crowdstrike/crowdstrike"
version = ">= 0.0.16"
}
}
}
variable "falcon_client_id" {
type = string
sensitive = true
description = "Falcon API Client ID"
}
variable "falcon_client_secret" {
type = string
sensitive = true
description = "Falcon API Client Secret"
}
variable "account_id" {
type = string
default = ""
description = "The AWS 12 digit account ID"
validation {
condition = length(var.account_id) == 0 || can(regex("^[0-9]{12}$", var.account_id))
error_message = "account_id must be either empty or the 12-digit AWS account ID"
}
}
locals {
enable_realtime_visibility = true
primary_region = "us-east-1"
enable_idp = true
enable_sensor_management = true
enable_dspm = true
dspm_regions = ["us-east-1", "us-east-2"]
use_existing_cloudtrail = true
}
provider "crowdstrike" {
client_id = var.falcon_client_id
client_secret = var.falcon_client_secret
}
provider "aws" {
region = "us-east-1"
alias = "us-east-1"
}
provider "aws" {
region = "us-east-2"
alias = "us-east-2"
}
# Provision AWS account in Falcon.
resource "crowdstrike_cloud_aws_account" "this" {
account_id = local.account_id
asset_inventory = {
enabled = true
}
realtime_visibility = {
enabled = local.enable_realtime_visibility
cloudtrail_region = local.primary_region
use_existing_cloudtrail = local.use_existing_cloudtrail
}
idp = {
enabled = local.enable_idp
}
sensor_management = {
enabled = local.enable_sensor_management
}
dspm = {
enabled = local.enable_dspm
}
provider = crowdstrike
}
module "fcs_account_onboarding" {
source = "CrowdStrike/fcs/aws"
falcon_client_id = var.falcon_client_id
falcon_client_secret = var.falcon_client_secret
account_id = var.account_id
primary_region = local.primary_region
enable_sensor_management = local.enable_sensor_management
enable_realtime_visibility = local.enable_realtime_visibility
enable_idp = local.enable_idp
use_existing_cloudtrail = local.use_existing_cloudtrail
enable_dspm = local.enable_dspm && contains(local.dspm_regions, "us-east-1")
dspm_regions = local.dspm_regions
iam_role_name = crowdstrike_cloud_aws_account.this.iam_role_name
external_id = crowdstrike_cloud_aws_account.this.external_id
intermediate_role_arn = crowdstrike_cloud_aws_account.this.intermediate_role_arn
eventbus_arn = crowdstrike_cloud_aws_account.this.eventbus_arn
cloudtrail_bucket_name = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name
providers = {
aws = aws.us-east-1
crowdstrike = crowdstrike
}
}
# for each region where you want to onboard Real-time Visibility or DSPM features
# - duplicate this module
# - update the provider with region specific one
module "fcs_account_us-east-2" {
source = "CrowdStrike/fcs/aws"
falcon_client_id = var.falcon_client_id
falcon_client_secret = var.falcon_client_secret
account_id = var.account_id
primary_region = local.primary_region
enable_sensor_management = local.enable_sensor_management
enable_realtime_visibility = local.enable_realtime_visibility
enable_idp = local.enable_idp
use_existing_cloudtrail = local.use_existing_cloudtrail
enable_dspm = local.enable_dspm && contains(local.dspm_regions, "us-east-2")
dspm_regions = local.dspm_regions
iam_role_name = crowdstrike_cloud_aws_account.this.iam_role_name
external_id = crowdstrike_cloud_aws_account.this.external_id
intermediate_role_arn = crowdstrike_cloud_aws_account.this.intermediate_role_arn
eventbus_arn = crowdstrike_cloud_aws_account.this.eventbus_arn
cloudtrail_bucket_name = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name
providers = {
aws = aws.us-east-2
crowdstrike = crowdstrike
}
}