{"id":28409947,"url":"https://github.com/crowdstrike/terraform-aws-cloud-registration","last_synced_at":"2026-04-07T07:01:11.270Z","repository":{"id":281041921,"uuid":"913957507","full_name":"CrowdStrike/terraform-aws-cloud-registration","owner":"CrowdStrike","description":"Register AWS account to Falcon","archived":false,"fork":false,"pushed_at":"2026-03-31T19:04:03.000Z","size":590,"stargazers_count":9,"open_issues_count":15,"forks_count":11,"subscribers_count":3,"default_branch":"main","last_synced_at":"2026-04-03T21:33:20.297Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":"https://registry.terraform.io/modules/CrowdStrike/cloud-registration/aws/latest","language":"HCL","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/CrowdStrike.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2025-01-08T17:13:13.000Z","updated_at":"2026-03-10T13:56:51.000Z","dependencies_parsed_at":"2025-03-06T17:43:25.496Z","dependency_job_id":"92ba7822-f8f6-45e7-a8c1-b19eafc931f9","html_url":"https://github.com/CrowdStrike/terraform-aws-cloud-registration","commit_stats":null,"previous_names":["crowdstrike/terraform-aws-cloud-registration"],"tags_count":22,"template":false,"template_full_name":null,"purl":"pkg:github/CrowdStrike/terraform-aws-cloud-registration","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CrowdStrike%2Fterraform-aws-cloud-registration","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CrowdStrike%2Fterraform-aws-cloud-registration/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CrowdStrike%2Fterraform-aws-cloud-registration/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CrowdStrike%2Fterraform-aws-cloud-registration/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/CrowdStrike","download_url":"https://codeload.github.com/CrowdStrike/terraform-aws-cloud-registration/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/CrowdStrike%2Fterraform-aws-cloud-registration/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31503394,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-07T03:10:19.677Z","status":"ssl_error","status_checked_at":"2026-04-07T03:10:13.982Z","response_time":105,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.5:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2025-06-02T11:09:20.719Z","updated_at":"2026-04-07T07:01:11.249Z","avatar_url":"https://github.com/CrowdStrike.png","language":"HCL","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003c!-- BEGIN_TF_DOCS --\u003e\n![CrowdStrike Registration terraform module](https://raw.githubusercontent.com/CrowdStrike/falconpy/main/docs/asset/cs-logo.png)\n\n[![Twitter URL](https://img.shields.io/twitter/url?label=Follow%20%40CrowdStrike\u0026style=social\u0026url=https%3A%2F%2Ftwitter.com%2FCrowdStrike)](https://twitter.com/CrowdStrike)\u003cbr/\u003e\n\n# AWS Falcon Cloud Security Terraform Module\n\nThis Terraform module enables registration and configuration of AWS accounts with CrowdStrike's Falcon Cloud Security.\n\nKey features:\n- Asset Inventory\n- Real-time Visibility and Detection\n- Identity Protection (IDP)\n- Sensor Management\n- Agentless Scanning:\n   - Data Security Posture Management (DSPM)\n   - Vulnerability Scanning\n\n\u003e [!NOTE]\n\u003e For multi-region deployments, this module needs to be instantiated separately for each region where FCS components are required.\n\n## Pre-requisites\n### Generate API Keys\n\nCrowdStrike API keys are required to use this module. It is highly recommended that you create a dedicated API client with only the required scopes.\n\n1. In the CrowdStrike console, navigate to **Support and resources** \u003e **API Clients \u0026 Keys**. Click **Add new API Client**.\n2. Add the required scopes for your deployment:\n\n\u003ctable\u003e\n    \u003ctr\u003e\n        \u003cth\u003eOption\u003c/th\u003e\n        \u003cth\u003eScope Name\u003c/th\u003e\n        \u003cth\u003ePermission\u003c/th\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n        \u003ctd rowspan=\"2\"\u003eAutomated account registration\u003c/td\u003e\n        \u003ctd\u003eCSPM registration\u003c/td\u003e\n        \u003ctd\u003e\u003cstrong\u003eRead\u003c/strong\u003e and \u003cstrong\u003eWrite\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n        \u003ctd\u003eCloud security AWS registration\u003c/td\u003e\n        \u003ctd\u003e\u003cstrong\u003eRead\u003c/strong\u003e and \u003cstrong\u003eWrite\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n        \u003ctd rowspan=\"3\"\u003e1-click sensor management\u003c/td\u003e\n        \u003ctd\u003eCSPM sensor management\u003c/td\u003e\n        \u003ctd\u003e\u003cstrong\u003eRead\u003c/strong\u003e and \u003cstrong\u003eWrite\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n        \u003ctd\u003eInstallation tokens\u003c/td\u003e\n        \u003ctd\u003e\u003cstrong\u003eRead\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n        \u003ctd\u003eSensor download\u003c/td\u003e\n        \u003ctd\u003e\u003cstrong\u003eRead\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n    \u003ctr\u003e\n        \u003ctd\u003eDSPM\u003c/td\u003e\n        \u003ctd\u003eDSPM Data scanner\u003c/td\u003e\n        \u003ctd\u003e\u003cstrong\u003eRead\u003c/strong\u003e and \u003cstrong\u003eWrite\u003c/strong\u003e\u003c/td\u003e\n    \u003c/tr\u003e\n\u003c/table\u003e\n\n3. Click **Add** to create the API client. The next screen will display the API **CLIENT ID**, **SECRET**, and **BASE URL**. You will need all three for the next step.\n\n    \u003cdetails\u003e\u003csummary\u003epicture\u003c/summary\u003e\n    \u003cp\u003e\n\n    ![api-client-keys](https://github.com/CrowdStrike/aws-ssm-distributor/blob/main/official-package/assets/api-client-keys.png)\n\n    \u003c/p\u003e\n    \u003c/details\u003e\n\n\u003e [!NOTE]\n\u003e This page is only shown once. Make sure you copy **CLIENT ID**, **SECRET**, and **BASE URL** to a secure location.\n\n## Usage\n\n```hcl\nterraform {\n  required_version = \"\u003e= 1.5.0\"\n  required_providers {\n    aws = {\n      source  = \"hashicorp/aws\"\n      version = \"\u003e= 5.0.0\"\n    }\n    crowdstrike = {\n      source  = \"CrowdStrike/crowdstrike\"\n      version = \"\u003e= 0.0.58\"\n    }\n  }\n}\n\nvariable \"falcon_client_id\" {\n  type        = string\n  sensitive   = true\n  description = \"Falcon API Client ID\"\n}\n\nvariable \"falcon_client_secret\" {\n  type        = string\n  sensitive   = true\n  description = \"Falcon API Client Secret\"\n}\n\nvariable \"account_id\" {\n  type        = string\n  default     = \"\"\n  description = \"The AWS 12 digit account ID\"\n  validation {\n    condition     = length(var.account_id) == 0 || can(regex(\"^[0-9]{12}$\", var.account_id))\n    error_message = \"account_id must be either empty or the 12-digit AWS account ID\"\n  }\n}\n\nlocals {\n  enable_realtime_visibility    = true\n  primary_region                = \"us-east-1\"\n  enable_idp                    = true\n  enable_sensor_management      = true\n  enable_dspm                   = true\n  enable_vulnerability_scanning = true\n  agentless_scanning_regions    = [\"us-east-1\", \"us-east-2\"]\n  use_existing_cloudtrail       = true\n}\n\nprovider \"crowdstrike\" {\n  client_id     = var.falcon_client_id\n  client_secret = var.falcon_client_secret\n}\nprovider \"aws\" {\n  region = \"us-east-1\"\n  alias  = \"us-east-1\"\n}\nprovider \"aws\" {\n  region = \"us-east-2\"\n  alias  = \"us-east-2\"\n}\n\n# Provision AWS account in Falcon.\nresource \"crowdstrike_cloud_aws_account\" \"this\" {\n  account_id = local.account_id\n\n  asset_inventory = {\n    enabled = true\n  }\n\n  realtime_visibility = {\n    enabled                 = local.enable_realtime_visibility\n    cloudtrail_region       = local.primary_region\n    use_existing_cloudtrail = local.use_existing_cloudtrail\n  }\n\n  idp = {\n    enabled = local.enable_idp\n  }\n\n  sensor_management = {\n    enabled = local.enable_sensor_management\n  }\n\n  dspm = {\n    enabled = local.enable_dspm\n  }\n\n  vulnerability_scanning = {\n    enabled = local.enable_vulnerability_scanning\n  }\n}\n\nmodule \"fcs_account_onboarding\" {\n  source                        = \"CrowdStrike/cloud-registration/aws\"\n  falcon_client_id              = var.falcon_client_id\n  falcon_client_secret          = var.falcon_client_secret\n  account_id                    = var.account_id\n  primary_region                = local.primary_region\n  enable_sensor_management      = local.enable_sensor_management\n  enable_realtime_visibility    = local.enable_realtime_visibility\n  enable_idp                    = local.enable_idp\n  use_existing_cloudtrail       = local.use_existing_cloudtrail\n  enable_dspm                   = local.enable_dspm \u0026\u0026 contains(local.agentless_scanning_regions, \"us-east-1\")\n  enable_vulnerability_scanning = local.enable_vulnerability_scanning \u0026\u0026 contains(local.agentless_scanning_regions, \"us-east-1\")\n  agentless_scanning_regions    = local.agentless_scanning_regions\n\n  iam_role_name                = crowdstrike_cloud_aws_account.this.iam_role_name\n  external_id                  = crowdstrike_cloud_aws_account.this.external_id\n  intermediate_role_arn        = crowdstrike_cloud_aws_account.this.intermediate_role_arn\n  eventbus_arn                 = crowdstrike_cloud_aws_account.this.eventbus_arn\n  agentless_scanning_role_name = crowdstrike_cloud_aws_account.this.agentless_scanning_role_name\n  cloudtrail_bucket_name       = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name\n\n  providers = {\n    aws         = aws.us-east-1\n    crowdstrike = crowdstrike\n  }\n}\n\n# For each region where you want to onboard DSPM features or Vulnerability Scanning features\n# - duplicate this module\n# - update the provider with region specific one\n# If you want to onboard Real-time Visibility with 'eventbridge' as the log_ingestion_method, for each region you want to onboard Real-Time Visibility features\n# - duplicate this module\n# - update the provider with region specific one\n# If you want to onboard Real-time Visibility with 's3' as the log_ingestion_method, for the region that your SNS topic is in\n# - duplicate this module\n# - update the provider with region specific one\nmodule \"fcs_account_us_east_2\" {\n  source                        = \"CrowdStrike/cloud-registration/aws\"\n  falcon_client_id              = var.falcon_client_id\n  falcon_client_secret          = var.falcon_client_secret\n  account_id                    = var.account_id\n  primary_region                = local.primary_region\n  enable_sensor_management      = local.enable_sensor_management\n  enable_realtime_visibility    = local.enable_realtime_visibility\n  enable_idp                    = local.enable_idp\n  use_existing_cloudtrail       = local.use_existing_cloudtrail\n  enable_dspm                   = local.enable_dspm \u0026\u0026 contains(local.agentless_scanning_regions, \"us-east-2\")\n  enable_vulnerability_scanning = local.enable_vulnerability_scanning \u0026\u0026 contains(local.agentless_scanning_regions, \"us-east-2\")\n  agentless_scanning_regions    = local.agentless_scanning_regions\n\n  iam_role_name                                 = crowdstrike_cloud_aws_account.this.iam_role_name\n  external_id                                   = crowdstrike_cloud_aws_account.this.external_id\n  intermediate_role_arn                         = crowdstrike_cloud_aws_account.this.intermediate_role_arn\n  eventbus_arn                                  = crowdstrike_cloud_aws_account.this.eventbus_arn\n  agentless_scanning_role_name                  = crowdstrike_cloud_aws_account.this.agentless_scanning_role_name\n  cloudtrail_bucket_name                        = crowdstrike_cloud_aws_account.this.cloudtrail_bucket_name\n  agentless_scanning_integration_role_unique_id = module.fcs_account_onboarding.integration_role_unique_id\n  agentless_scanning_scanner_role_unique_id     = module.fcs_account_onboarding.scanner_role_unique_id\n\n  providers = {\n    aws         = aws.us-east-2\n    crowdstrike = crowdstrike\n  }\n}\n```\n\n## Providers\n\n| Name | Version |\n|------|---------|\n| \u003ca name=\"provider_aws\"\u003e\u003c/a\u003e [aws](#provider\\_aws) | \u003e= 5.0.0 |\n| \u003ca name=\"provider_crowdstrike\"\u003e\u003c/a\u003e [crowdstrike](#provider\\_crowdstrike) | \u003e= 0.0.44 |\n## Resources\n\n| Name | Type |\n|------|------|\n| [aws_caller_identity.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/caller_identity) | data source |\n| [aws_region.current](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/region) | data source |\n| [crowdstrike_cloud_aws_account.target](https://registry.terraform.io/providers/CrowdStrike/crowdstrike/latest/docs/data-sources/cloud_aws_account) | data source |\n## Inputs\n\n| Name | Description | Type | Default | Required |\n|------|-------------|------|---------|:--------:|\n| \u003ca name=\"input_account_id\"\u003e\u003c/a\u003e [account\\_id](#input\\_account\\_id) | The AWS 12 digit account ID | `string` | `\"\"` | no |\n| \u003ca name=\"input_account_type\"\u003e\u003c/a\u003e [account\\_type](#input\\_account\\_type) | Account type can be either 'commercial' or 'gov' | `string` | `\"commercial\"` | no |\n| \u003ca name=\"input_agentless_scanning_create_nat_gateway\"\u003e\u003c/a\u003e [agentless\\_scanning\\_create\\_nat\\_gateway](#input\\_agentless\\_scanning\\_create\\_nat\\_gateway) | Set to true to create a NAT Gateway for agentless scanning environments | `bool` | `true` | no |\n| \u003ca name=\"input_agentless_scanning_custom_vpc_resources_map\"\u003e\u003c/a\u003e [agentless\\_scanning\\_custom\\_vpc\\_resources\\_map](#input\\_agentless\\_scanning\\_custom\\_vpc\\_resources\\_map) | Map of regions to custom VPC resources for Agentless Scanning deployment.\u003cbr/\u003eEach region can specify existing VPC resources to use instead of creating new ones.\u003cbr/\u003e\u003cbr/\u003eExample:\u003cbr/\u003e{\u003cbr/\u003e  \"us-east-1\" = {\u003cbr/\u003e    vpc            = \"vpc-0123456789abcdef0\"\u003cbr/\u003e    scanner\\_subnet = \"subnet-0123456789abcdef0\"\u003cbr/\u003e    scanner\\_sg     = \"sg-0123456789abcdef0\"\u003cbr/\u003e    db\\_subnet\\_a    = \"subnet-1123456789abcdef0\"\u003cbr/\u003e    db\\_subnet\\_b    = \"subnet-2123456789abcdef0\"\u003cbr/\u003e    db\\_sg          = \"sg-1123456789abcdef0\"\u003cbr/\u003e  }\u003cbr/\u003e}\u003cbr/\u003e\u003cbr/\u003eAll resource IDs must exist in the specified region. | \u003cpre\u003emap(object({\u003cbr/\u003e    vpc            = string\u003cbr/\u003e    scanner_subnet = string\u003cbr/\u003e    scanner_sg     = string\u003cbr/\u003e    db_subnet_a    = string\u003cbr/\u003e    db_subnet_b    = string\u003cbr/\u003e    db_sg          = string\u003cbr/\u003e  }))\u003c/pre\u003e | `{}` | no |\n| \u003ca name=\"input_agentless_scanning_host_account_id\"\u003e\u003c/a\u003e [agentless\\_scanning\\_host\\_account\\_id](#input\\_agentless\\_scanning\\_host\\_account\\_id) | The AWS account ID where agentless scanning host resources are deployed | `string` | `\"\"` | no |\n| \u003ca name=\"input_agentless_scanning_host_role_name\"\u003e\u003c/a\u003e [agentless\\_scanning\\_host\\_role\\_name](#input\\_agentless\\_scanning\\_host\\_role\\_name) | Name of agentless scanning integration role in host account | `string` | `\"CrowdStrikeAgentlessScanningIntegrationRole\"` | no |\n| \u003ca name=\"input_agentless_scanning_host_scanner_role_name\"\u003e\u003c/a\u003e [agentless\\_scanning\\_host\\_scanner\\_role\\_name](#input\\_agentless\\_scanning\\_host\\_scanner\\_role\\_name) | Name of agentless scanning scanner role in host account | `string` | `\"CrowdStrikeAgentlessScanningScannerRole\"` | no |\n| \u003ca name=\"input_agentless_scanning_integration_role_unique_id\"\u003e\u003c/a\u003e [agentless\\_scanning\\_integration\\_role\\_unique\\_id](#input\\_agentless\\_scanning\\_integration\\_role\\_unique\\_id) | The unique ID of the Agentless scanning integration role | `string` | `\"\"` | no |\n| \u003ca name=\"input_agentless_scanning_regions\"\u003e\u003c/a\u003e [agentless\\_scanning\\_regions](#input\\_agentless\\_scanning\\_regions) | List of regions where agentless scanning will be deployed | `list(string)` | \u003cpre\u003e[\u003cbr/\u003e  \"us-east-1\"\u003cbr/\u003e]\u003c/pre\u003e | no |\n| \u003ca name=\"input_agentless_scanning_role_name\"\u003e\u003c/a\u003e [agentless\\_scanning\\_role\\_name](#input\\_agentless\\_scanning\\_role\\_name) | The unique name of the IAM role that Agentless scanning will be assuming | `string` | `\"CrowdStrikeAgentlessScanningIntegrationRole\"` | no |\n| \u003ca name=\"input_agentless_scanning_scanner_role_name\"\u003e\u003c/a\u003e [agentless\\_scanning\\_scanner\\_role\\_name](#input\\_agentless\\_scanning\\_scanner\\_role\\_name) | The unique name of the IAM role that Agentless scanning scanner will be assuming | `string` | `\"CrowdStrikeAgentlessScanningScannerRole\"` | no |\n| \u003ca name=\"input_agentless_scanning_scanner_role_unique_id\"\u003e\u003c/a\u003e [agentless\\_scanning\\_scanner\\_role\\_unique\\_id](#input\\_agentless\\_scanning\\_scanner\\_role\\_unique\\_id) | The unique ID of the Agentless scanning scanner role | `string` | `\"\"` | no |\n| \u003ca name=\"input_agentless_scanning_use_custom_vpc\"\u003e\u003c/a\u003e [agentless\\_scanning\\_use\\_custom\\_vpc](#input\\_agentless\\_scanning\\_use\\_custom\\_vpc) | Use existing custom VPC resources for ALL deployment regions (requires agentless\\_scanning\\_custom\\_vpc\\_resources\\_map with all regions) | `bool` | `false` | no |\n| \u003ca name=\"input_cloudtrail_bucket_name\"\u003e\u003c/a\u003e [cloudtrail\\_bucket\\_name](#input\\_cloudtrail\\_bucket\\_name) | Name of the S3 bucket for CloudTrail logs | `string` | `\"\"` | no |\n| \u003ca name=\"input_create_rtvd_rules\"\u003e\u003c/a\u003e [create\\_rtvd\\_rules](#input\\_create\\_rtvd\\_rules) | Set to false if you don't want to enable monitoring in this region | `bool` | `true` | no |\n| \u003ca name=\"input_dspm_create_nat_gateway\"\u003e\u003c/a\u003e [dspm\\_create\\_nat\\_gateway](#input\\_dspm\\_create\\_nat\\_gateway) | DEPRECATED: Use agentless\\_scanning\\_create\\_nat\\_gateway instead. Set to true to create a NAT Gateway for DSPM scanning environments | `bool` | `true` | no |\n| \u003ca name=\"input_dspm_dynamodb_access\"\u003e\u003c/a\u003e [dspm\\_dynamodb\\_access](#input\\_dspm\\_dynamodb\\_access) | Apply permissions for DSPM DynamoDB table scanning | `bool` | `true` | no |\n| \u003ca name=\"input_dspm_ebs_access\"\u003e\u003c/a\u003e [dspm\\_ebs\\_access](#input\\_dspm\\_ebs\\_access) | Apply permissions for DSPM VM scanning | `bool` | `true` | no |\n| \u003ca name=\"input_dspm_integration_role_unique_id\"\u003e\u003c/a\u003e [dspm\\_integration\\_role\\_unique\\_id](#input\\_dspm\\_integration\\_role\\_unique\\_id) | DEPRECATED: Use agentless\\_scanning\\_integration\\_role\\_unique\\_id instead. The unique ID of the DSPM integration role | `string` | `\"\"` | no |\n| \u003ca name=\"input_dspm_rds_access\"\u003e\u003c/a\u003e [dspm\\_rds\\_access](#input\\_dspm\\_rds\\_access) | Apply permissions for RDS instance scanning | `bool` | `true` | no |\n| \u003ca name=\"input_dspm_redshift_access\"\u003e\u003c/a\u003e [dspm\\_redshift\\_access](#input\\_dspm\\_redshift\\_access) | Apply permissions for DSPM Redshift cluster scanning | `bool` | `true` | no |\n| \u003ca name=\"input_dspm_regions\"\u003e\u003c/a\u003e [dspm\\_regions](#input\\_dspm\\_regions) | DEPRECATED: Use agentless\\_scanning\\_regions instead. List of regions where DSPM scanning will be deployed | `list(string)` | `[]` | no |\n| \u003ca name=\"input_dspm_role_name\"\u003e\u003c/a\u003e [dspm\\_role\\_name](#input\\_dspm\\_role\\_name) | DEPRECATED: Use agentless\\_scanning\\_role\\_name instead. The unique name of the IAM role that DSPM will be assuming | `string` | `\"\"` | no |\n| \u003ca name=\"input_dspm_s3_access\"\u003e\u003c/a\u003e [dspm\\_s3\\_access](#input\\_dspm\\_s3\\_access) | Apply permissions for DSPM S3 bucket scanning | `bool` | `true` | no |\n| \u003ca name=\"input_dspm_scanner_role_name\"\u003e\u003c/a\u003e [dspm\\_scanner\\_role\\_name](#input\\_dspm\\_scanner\\_role\\_name) | DEPRECATED: Use agentless\\_scanning\\_scanner\\_role\\_name instead. The unique name of the IAM role that CrowdStrike Scanner will be assuming | `string` | `\"\"` | no |\n| \u003ca name=\"input_dspm_scanner_role_unique_id\"\u003e\u003c/a\u003e [dspm\\_scanner\\_role\\_unique\\_id](#input\\_dspm\\_scanner\\_role\\_unique\\_id) | DEPRECATED: Use agentless\\_scanning\\_scanner\\_role\\_unique\\_id instead. The unique ID of the DSPM scanner role | `string` | `\"\"` | no |\n| \u003ca name=\"input_enable_dspm\"\u003e\u003c/a\u003e [enable\\_dspm](#input\\_enable\\_dspm) | Set to true to enable Data Security Posture Managment | `bool` | `false` | no |\n| \u003ca name=\"input_enable_idp\"\u003e\u003c/a\u003e [enable\\_idp](#input\\_enable\\_idp) | Set to true to install Identity Protection resources | `bool` | `false` | no |\n| \u003ca name=\"input_enable_realtime_visibility\"\u003e\u003c/a\u003e [enable\\_realtime\\_visibility](#input\\_enable\\_realtime\\_visibility) | Set to true to install realtime visibility resources | `bool` | `false` | no |\n| \u003ca name=\"input_enable_sensor_management\"\u003e\u003c/a\u003e [enable\\_sensor\\_management](#input\\_enable\\_sensor\\_management) | Set to true to install 1Click Sensor Management resources | `bool` | n/a | yes |\n| \u003ca name=\"input_enable_vulnerability_scanning\"\u003e\u003c/a\u003e [enable\\_vulnerability\\_scanning](#input\\_enable\\_vulnerability\\_scanning) | Set to true to enable Vulnerability Scanning | `bool` | `false` | no |\n| \u003ca name=\"input_eventbridge_role_name\"\u003e\u003c/a\u003e [eventbridge\\_role\\_name](#input\\_eventbridge\\_role\\_name) | The eventbridge role name | `string` | `\"CrowdStrikeCSPMEventBridge\"` | no |\n| \u003ca name=\"input_eventbus_arn\"\u003e\u003c/a\u003e [eventbus\\_arn](#input\\_eventbus\\_arn) | Eventbus ARN to send events to | `string` | `\"\"` | no |\n| \u003ca name=\"input_external_id\"\u003e\u003c/a\u003e [external\\_id](#input\\_external\\_id) | The external ID used to assume the AWS reader role | `string` | `\"\"` | no |\n| \u003ca name=\"input_falcon_client_id\"\u003e\u003c/a\u003e [falcon\\_client\\_id](#input\\_falcon\\_client\\_id) | Falcon API Client ID | `string` | n/a | yes |\n| \u003ca name=\"input_falcon_client_secret\"\u003e\u003c/a\u003e [falcon\\_client\\_secret](#input\\_falcon\\_client\\_secret) | Falcon API Client Secret | `string` | n/a | yes |\n| \u003ca name=\"input_iam_role_name\"\u003e\u003c/a\u003e [iam\\_role\\_name](#input\\_iam\\_role\\_name) | The name of the reader role | `string` | `\"\"` | no |\n| \u003ca name=\"input_intermediate_role_arn\"\u003e\u003c/a\u003e [intermediate\\_role\\_arn](#input\\_intermediate\\_role\\_arn) | The intermediate role that is allowed to assume the reader role | `string` | `\"\"` | no |\n| \u003ca name=\"input_is_gov\"\u003e\u003c/a\u003e [is\\_gov](#input\\_is\\_gov) | Set to true if you are deploying in gov Falcon | `bool` | `false` | no |\n| \u003ca name=\"input_log_ingestion_kms_key_arn\"\u003e\u003c/a\u003e [log\\_ingestion\\_kms\\_key\\_arn](#input\\_log\\_ingestion\\_kms\\_key\\_arn) | Optional KMS key ARN for decrypting S3 objects (when log\\_ingestion\\_method=s3)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                 | `string` | `\"\"` | no |\n| \u003ca name=\"input_log_ingestion_method\"\u003e\u003c/a\u003e [log\\_ingestion\\_method](#input\\_log\\_ingestion\\_method) | Choose the method for ingesting CloudTrail logs - eventbridge (default) or s3                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                   | `string` | `\"eventbridge\"` | no |\n| \u003ca name=\"input_log_ingestion_s3_bucket_name\"\u003e\u003c/a\u003e [log\\_ingestion\\_s3\\_bucket\\_name](#input\\_log\\_ingestion\\_s3\\_bucket\\_name) | S3 bucket name containing CloudTrail logs (required when log\\_ingestion\\_method=s3)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | `string` | `\"\"` | no |\n| \u003ca name=\"input_log_ingestion_s3_bucket_prefix\"\u003e\u003c/a\u003e [log\\_ingestion\\_s3\\_bucket\\_prefix](#input\\_log\\_ingestion\\_s3\\_bucket\\_prefix) | Optional S3 bucket prefix/path for CloudTrail logs (when log\\_ingestion\\_method=s3)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                             | `string` | `\"\"` | no |\n| \u003ca name=\"input_log_ingestion_sns_topic_arn\"\u003e\u003c/a\u003e [log\\_ingestion\\_sns\\_topic\\_arn](#input\\_log\\_ingestion\\_sns\\_topic\\_arn) | SNS topic ARN that publishes S3 object creation events (required when log\\_ingestion\\_method=s3)                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                | `string` | `\"\"` | no |\n|\u003ca name=\"input_organization_id\"\u003e\u003c/a\u003e [organization\\_id](#input\\_organization\\_id) | The AWS Organization ID. Leave blank if when onboarding single account | `string` | `\"\"` | no |\n| \u003ca name=\"input_permissions_boundary\"\u003e\u003c/a\u003e [permissions\\_boundary](#input\\_permissions\\_boundary) | The name of the policy used to set the permissions boundary for IAM roles | `string` | `\"\"` | no |\n| \u003ca name=\"input_primary_region\"\u003e\u003c/a\u003e [primary\\_region](#input\\_primary\\_region) | Region for deploying global AWS resources (IAM roles, policies, etc.) that are account-wide and only need to be created once. Distinct from agentless\\_scanning\\_regions which controls region-specific resource deployment. | `string` | n/a | yes |\n| \u003ca name=\"input_resource_prefix\"\u003e\u003c/a\u003e [resource\\_prefix](#input\\_resource\\_prefix) | The prefix to be added to all resource names | `string` | `\"CrowdStrike\"` | no |\n| \u003ca name=\"input_resource_suffix\"\u003e\u003c/a\u003e [resource\\_suffix](#input\\_resource\\_suffix) | The suffix to be added to all resource names | `string` | `\"\"` | no |\n| \u003ca name=\"input_tags\"\u003e\u003c/a\u003e [tags](#input\\_tags) | A map of tags to add to all resources that support tagging | `map(string)` | `{}` | no |\n| \u003ca name=\"input_use_existing_cloudtrail\"\u003e\u003c/a\u003e [use\\_existing\\_cloudtrail](#input\\_use\\_existing\\_cloudtrail) | Set to true if you already have a cloudtrail | `bool` | `false` | no |\n| \u003ca name=\"input_use_existing_iam_reader_role\"\u003e\u003c/a\u003e [use\\_existing\\_iam\\_reader\\_role](#input\\_use\\_existing\\_iam\\_reader\\_role) | Set to true if you want to use an existing IAM role for asset inventory | `bool` | `false` | no |\n| \u003ca name=\"input_vpc_cidr_block\"\u003e\u003c/a\u003e [vpc\\_cidr\\_block](#input\\_vpc\\_cidr\\_block) | VPC CIDR block | `string` | `\"10.0.0.0/16\"` | no |\n## Outputs\n\n| Name | Description |\n|------|-------------|\n| \u003ca name=\"output_integration_role_unique_id\"\u003e\u003c/a\u003e [integration\\_role\\_unique\\_id](#output\\_integration\\_role\\_unique\\_id) | The unique ID of the DSPM integration role |\n| \u003ca name=\"output_scanner_role_unique_id\"\u003e\u003c/a\u003e [scanner\\_role\\_unique\\_id](#output\\_scanner\\_role\\_unique\\_id) | The unique ID of the DSPM scanner role |\n\u003c!-- END_TF_DOCS --\u003e\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrowdstrike%2Fterraform-aws-cloud-registration","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fcrowdstrike%2Fterraform-aws-cloud-registration","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fcrowdstrike%2Fterraform-aws-cloud-registration/lists"}