wokamoto/cloudwatch-events-iam-role.tf

## cloudwatch-events-iam-role.tf
esource "aws_iam_role" "run_inspector_role" {
    name               = "cloudwatch-events-run-inspector-role"
    assume_role_policy = <<POLICY
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "events.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

resource "aws_iam_policy" "run_inspector_policy" {
    name        = "cloudwatch-events-run-inspector-policy"
    description = ""
    policy      = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "inspector:StartAssessmentRun"
            ],
            "Resource": "*"
        }
    ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "run_inspector_role" {
    role       = "${aws_iam_role.run_inspector_role.name}"
    policy_arn = "${aws_iam_policy.run_inspector_policy.arn}"
}

## cloudwatch-events.tf
variable "schedule"    { default = "cron(00 19 ? * Sun *)" }

resource "aws_cloudwatch_event_target" "inspector" {
  target_id = "inspector"
  rule      = "${aws_cloudwatch_event_rule.inspector.name}"
  arn       = "${aws_inspector_assessment_template.inspector.arn}"
  role_arn  = "${aws_iam_role.run_inspector_role.arn}"
}

resource "aws_cloudwatch_event_rule" "inspector" {
  name        = "run-inspector-event-rule"
  description = "Run Inspector"
  schedule_expression = "${var.schedule}"
}

## ec2-instance-role.tf
resource "aws_iam_role" "instance_role" {
    name               = "my-ec2-role"
    path               = "/"
    assume_role_policy = <<POLICY
{
"Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Service": "ec2.amazonaws.com"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
POLICY
}

resource "aws_iam_instance_profile" "instance_role" {
    name = "my-ec2-role"
    role = "${aws_iam_role.instance_role.name}"
}

resource "aws_iam_policy" "inspector" {
    name        = "my-ec2-iam-policy-inspector"
    description = ""
    policy      = <<POLICY
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeInstances",
                "ec2:DescribeTags",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRegions",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpn",
                "ec2:DescribeVpnGateways",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth"
            ],
            "Resource": "*"
        }
    ]
}
POLICY
}

resource "aws_iam_role_policy_attachment" "inspector" {
    role       = "${aws_iam_role.instance_role.name}"
    policy_arn = "${aws_iam_policy.inspector.arn}"
}

## ec2.tf
## AMI
##
data "aws_ami" "amazonlinux" {
    most_recent = true
    owners      = ["amazon"]

    filter {
        name   = "architecture"
        values = ["x86_64"]
    }

    filter {
        name   = "root-device-type"
        values = ["ebs"]
    }

    filter {
        name   = "name"
        values = ["amzn-ami-hvm-*"]
    }

    filter {
        name   = "virtualization-type"
        values = ["hvm"]
    }

    filter {
        name   = "block-device-mapping.volume-type"
        values = ["gp2"]
    }
}

## SSH Key Pair
##
resource "aws_key_pair" "deployer" {
    key_name   = "ssh-key-name"
    public_key = "${file(ssh-key.pem.pub)}"
}

## EC2
##
resource "aws_instance" "ec2" {
    ami                         = "${data.aws_ami.amazonlinux.id}"
    instance_type               = "t2.micro"
    key_name                    = "${aws_key_pair.deployer.key_name}"
    iam_instance_profile        = "${aws_iam_instance_profile.instance_role.name}"

    user_data                   = <<USERDATA
#!/bin/bash
# install inspector agent
cd /tmp
/usr/bin/curl -O https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
/bin/bash install -u false
/bin/rm -f install
USERDATA

    tags {
        project   = "${var.project}"
        stage     = "${var.stage}"
        inspector = "true"
    }
}

## file3.txt
# パッケージ一覧の表示
$ aws --region ap-northeast-1 inspector list-rules-packages
{
    "rulesPackageArns": [
        "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
        "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq",
        "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT",
        "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-knGBhqEu"
    ]
}
# 詳細を確認
$ aws --region ap-northeast-1 inspector describe-rules-packages \
  --rules-package-arns "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu"
{
    "rulesPackages": [
        {
            "description": "The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practicesto help organizations assess and improve their security.\n\nThe rules in this package help establish a secure configuration posture for the following operating systems:\n\n  -   Amazon Linux version 2015.03 (CIS benchmark v1.1.0)\n  \n    ",
            "version": "1.0",
            "name": "CIS Operating System Security Configuration Benchmarks",
            "arn": "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
            "provider": "Amazon Web Services, Inc."
        }
    ],
    "failedItems": {}
}

## file4.txt
$ aws inspector start-assessment-run \
  --assessment-template-arn arn:aws:inspector:ap-northeast-1:************:target/0-xxxxxxxx/template/0-xxxxxxxx
{
    "assessmentRunArn": "arn:aws:inspector:ap-northeast-1:************:target/0-xxxxxxxx/template/0-xxxxxxxx/run/0-7WNjqgGu"
}

## file5.txt
$ aws inspector describe-assessment-runs \
  --assessment-run-arns arn:aws:inspector:ap-northeast-1:************:target/0-QOvPswHA/template/0-uCIUy636/run/0-n9nnWOem

## inspector_target.tf
variable "project" { default = "my-big-project" }
variable "stage"   { default = "production" }

resource "aws_inspector_resource_group" "inspector" {
    tags = {
        project   = "${var.project}"
        stage     = "${var.stage}"
        inspector = "true"
    }
}

resource "aws_inspector_assessment_target" "inspector" {
    name               = "my-inspector-target"
    resource_group_arn = "${aws_inspector_resource_group.inspector.arn}"
}

## inspector_template.tf
variable "inspector-rule" = {
    type = "list"
    default = [
        "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
        "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq",
        "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT",
        "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-knGBhqEu"
    ]
}

resource "aws_inspector_assessment_template" "inspector" {
    name       = "my-inspector-template"
    target_arn = "${aws_inspector_assessment_target.inspector.arn}"
    duration   = 3600

    rules_package_arns = [ "${var.inspector-rule}" ]
}

output "assessment_template_arn" {
    value = "${aws_inspector_assessment_template.inspector.arn}"
}

## terraform.tfvars
"inspector-rule" = [
    "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
    "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq"
]
	esource "aws_iam_role" "run_inspector_role" {
	name = "cloudwatch-events-run-inspector-role"
	assume_role_policy = <<POLICY
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": {
	"Service": "events.amazonaws.com"
	},
	"Action": "sts:AssumeRole"
	}
	]
	}
	POLICY
	}

	resource "aws_iam_policy" "run_inspector_policy" {
	name = "cloudwatch-events-run-inspector-policy"
	description = ""
	policy = <<POLICY
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": [
	"inspector:StartAssessmentRun"
	],
	"Resource": "*"
	}
	]
	}
	POLICY
	}

	resource "aws_iam_role_policy_attachment" "run_inspector_role" {
	role = "${aws_iam_role.run_inspector_role.name}"
	policy_arn = "${aws_iam_policy.run_inspector_policy.arn}"
	}
	variable "schedule" { default = "cron(00 19 ? * Sun *)" }

	resource "aws_cloudwatch_event_target" "inspector" {
	target_id = "inspector"
	rule = "${aws_cloudwatch_event_rule.inspector.name}"
	arn = "${aws_inspector_assessment_template.inspector.arn}"
	role_arn = "${aws_iam_role.run_inspector_role.arn}"
	}

	resource "aws_cloudwatch_event_rule" "inspector" {
	name = "run-inspector-event-rule"
	description = "Run Inspector"
	schedule_expression = "${var.schedule}"
	}
	resource "aws_iam_role" "instance_role" {
	name = "my-ec2-role"
	path = "/"
	assume_role_policy = <<POLICY
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Principal": {
	"Service": "ec2.amazonaws.com"
	},
	"Action": "sts:AssumeRole"
	}
	]
	}
	POLICY
	}

	resource "aws_iam_instance_profile" "instance_role" {
	name = "my-ec2-role"
	role = "${aws_iam_role.instance_role.name}"
	}

	resource "aws_iam_policy" "inspector" {
	name = "my-ec2-iam-policy-inspector"
	description = ""
	policy = <<POLICY
	{
	"Version": "2012-10-17",
	"Statement": [
	{
	"Effect": "Allow",
	"Action": [
	"ec2:DescribeAvailabilityZones",
	"ec2:DescribeCustomerGateways",
	"ec2:DescribeInstances",
	"ec2:DescribeTags",
	"ec2:DescribeInternetGateways",
	"ec2:DescribeNatGateways",
	"ec2:DescribeNetworkAcls",
	"ec2:DescribeNetworkInterfaces",
	"ec2:DescribePrefixLists",
	"ec2:DescribeRegions",
	"ec2:DescribeRouteTables",
	"ec2:DescribeSecurityGroups",
	"ec2:DescribeSubnets",
	"ec2:DescribeVpcEndpoints",
	"ec2:DescribeVpcPeeringConnections",
	"ec2:DescribeVpcs",
	"ec2:DescribeVpn",
	"ec2:DescribeVpnGateways",
	"elasticloadbalancing:DescribeListeners",
	"elasticloadbalancing:DescribeLoadBalancers",
	"elasticloadbalancing:DescribeLoadBalancerAttributes",
	"elasticloadbalancing:DescribeRules",
	"elasticloadbalancing:DescribeTags",
	"elasticloadbalancing:DescribeTargetGroups",
	"elasticloadbalancing:DescribeTargetHealth"
	],
	"Resource": "*"
	}
	]
	}
	POLICY
	}

	resource "aws_iam_role_policy_attachment" "inspector" {
	role = "${aws_iam_role.instance_role.name}"
	policy_arn = "${aws_iam_policy.inspector.arn}"
	}
	## AMI
	##
	data "aws_ami" "amazonlinux" {
	most_recent = true
	owners = ["amazon"]

	filter {
	name = "architecture"
	values = ["x86_64"]
	}

	filter {
	name = "root-device-type"
	values = ["ebs"]
	}

	filter {
	name = "name"
	values = ["amzn-ami-hvm-*"]
	}

	filter {
	name = "virtualization-type"
	values = ["hvm"]
	}

	filter {
	name = "block-device-mapping.volume-type"
	values = ["gp2"]
	}
	}

	## SSH Key Pair
	##
	resource "aws_key_pair" "deployer" {
	key_name = "ssh-key-name"
	public_key = "${file(ssh-key.pem.pub)}"
	}

	## EC2
	##
	resource "aws_instance" "ec2" {
	ami = "${data.aws_ami.amazonlinux.id}"
	instance_type = "t2.micro"
	key_name = "${aws_key_pair.deployer.key_name}"
	iam_instance_profile = "${aws_iam_instance_profile.instance_role.name}"

	user_data = <<USERDATA
	#!/bin/bash
	# install inspector agent
	cd /tmp
	/usr/bin/curl -O https://d1wk0tztpsntt1.cloudfront.net/linux/latest/install
	/bin/bash install -u false
	/bin/rm -f install
	USERDATA

	tags {
	project = "${var.project}"
	stage = "${var.stage}"
	inspector = "true"
	}
	}
	# パッケージ一覧の表示
	$ aws --region ap-northeast-1 inspector list-rules-packages
	{
	"rulesPackageArns": [
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq",
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT",
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-knGBhqEu"
	]
	}
	# 詳細を確認
	$ aws --region ap-northeast-1 inspector describe-rules-packages \
	--rules-package-arns "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu"
	{
	"rulesPackages": [
	{
	"description": "The CIS Security Benchmarks program provides well-defined, un-biased and consensus-based industry best practicesto help organizations assess and improve their security.\n\nThe rules in this package help establish a secure configuration posture for the following operating systems:\n\n - Amazon Linux version 2015.03 (CIS benchmark v1.1.0)\n \n ",
	"version": "1.0",
	"name": "CIS Operating System Security Configuration Benchmarks",
	"arn": "arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
	"provider": "Amazon Web Services, Inc."
	}
	],
	"failedItems": {}
	}
	$ aws inspector start-assessment-run \
	--assessment-template-arn arn:aws:inspector:ap-northeast-1:************:target/0-xxxxxxxx/template/0-xxxxxxxx
	{
	"assessmentRunArn": "arn:aws:inspector:ap-northeast-1:************:target/0-xxxxxxxx/template/0-xxxxxxxx/run/0-7WNjqgGu"
	}
	$ aws inspector describe-assessment-runs \
	--assessment-run-arns arn:aws:inspector:ap-northeast-1:************:target/0-QOvPswHA/template/0-uCIUy636/run/0-n9nnWOem
	variable "project" { default = "my-big-project" }
	variable "stage" { default = "production" }

	resource "aws_inspector_resource_group" "inspector" {
	tags = {
	project = "${var.project}"
	stage = "${var.stage}"
	inspector = "true"
	}
	}

	resource "aws_inspector_assessment_target" "inspector" {
	name = "my-inspector-target"
	resource_group_arn = "${aws_inspector_resource_group.inspector.arn}"
	}
	variable "inspector-rule" = {
	type = "list"
	default = [
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq",
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-gHP9oWNT",
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-knGBhqEu"
	]
	}

	resource "aws_inspector_assessment_template" "inspector" {
	name = "my-inspector-template"
	target_arn = "${aws_inspector_assessment_target.inspector.arn}"
	duration = 3600

	rules_package_arns = [ "${var.inspector-rule}" ]
	}

	output "assessment_template_arn" {
	value = "${aws_inspector_assessment_template.inspector.arn}"
	}
	"inspector-rule" = [
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-7WNjqgGu",
	"arn:aws:inspector:ap-northeast-1:406045910587:rulespackage/0-bBUQnxMq"
	]