Examples: show how to use scan options resource (#218)

Author: diogocp

examples/cross_account/README.md

@@ -5,7 +5,6 @@ This folder shows an example of Terraform code that uses the [datadog-agentless-
 In this example, the full scanner setup is deployed in an account designated for scanning.
 All your other accounts can be scanned from that account by deploying a single IAM role.
 
-
 ## Quick start
 
 To deploy a Datadog Agentless scanner:
@@ -24,8 +23,10 @@ To deploy the delegate role:
 1. Set the ARN of the scanner role you got from the previous step.
 1. Run `terraform output delegate_role` and copy that ARN.
 
-Finally, because cross-account delegate roles need bidirectional permission:
+Finally, to activate Agentless Scanning:
 
-1. Go back to the `scanner_account` folder.
+1. Go to the `activation` folder.
+1. Run `terraform init`.
 1. Run `terraform apply`.
-1. Set the ARN of the delegate role you created in your other account.
+1. Set your Datadog credentials.
+1. List the AWS accounts where you deployed delegate roles (e.g. `["123456789012", "234567890123"]`)

examples/cross_account/activation/main.tf

@@ -0,0 +1,26 @@
+terraform {
+  required_version = ">= 1.0"
+
+  required_providers {
+    datadog = {
+      source  = "DataDog/datadog"
+      version = ">= 3.72.0"
+    }
+  }
+}
+
+provider "datadog" {
+  api_key = var.datadog_api_key
+  app_key = var.datadog_app_key
+  api_url = "https://api.${var.datadog_site}/"
+}
+
+resource "datadog_agentless_scanning_aws_scan_options" "scan_options" {
+  for_each = var.aws_account_ids
+
+  aws_account_id     = each.value
+  vuln_host_os       = true
+  vuln_containers_os = true
+  lambda             = true
+  sensitive_data     = false
+}

examples/cross_account/activation/variables.tf

@@ -0,0 +1,20 @@
+variable "datadog_api_key" {
+  description = "Specifies the API key required by the Agentless Scanner to submit vulnerabilities to Datadog - Make sure the API key is Remote Configuration enabled."
+  type        = string
+}
+
+variable "datadog_app_key" {
+  description = "Datadog Application key"
+  type        = string
+}
+
+variable "datadog_site" {
+  description = "The site of your Datadog account. See https://docs.datadoghq.com/getting_started/site/"
+  type        = string
+  default     = "datadoghq.com"
+}
+
+variable "aws_account_ids" {
+  description = "List of AWS account IDs to activate the Agentless Scanning for. Note that an Agentless Scanning delegate role must be created in each of these accounts."
+  type        = set(string)
+}

examples/cross_account/scanner_account/main.tf

@@ -48,7 +48,8 @@ module "self_delegate_role" {
 module "agentless_scanner" {
   source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner?ref=0.11.11"
 
-  api_key               = var.api_key
+  api_key               = var.datadog_api_key
+  site                  = var.datadog_site
   instance_profile_name = module.scanner_role.instance_profile.name
 }
 

examples/cross_account/scanner_account/variables.tf

@@ -1,8 +1,14 @@
-variable "api_key" {
+variable "datadog_api_key" {
   description = "Specifies the API key required by the Agentless Scanner to submit vulnerabilities to Datadog - Make sure the API key is Remote Configuration enabled."
   type        = string
 }
 
+variable "datadog_site" {
+  description = "The site of your Datadog account. See https://docs.datadoghq.com/getting_started/site/"
+  type        = string
+  default     = "datadoghq.com"
+}
+
 variable "datadog_integration_role" {
   description = "Role name of the Datadog integration that was used to integrate the AWS account to Datadog"
   type        = string

examples/single_region/main.tf

@@ -6,11 +6,31 @@ terraform {
       source  = "hashicorp/aws"
       version = ">= 5.0"
     }
+    datadog = {
+      source  = "DataDog/datadog"
+      version = ">= 3.72.0"
+    }
   }
 }
 
 provider "aws" {
-  region = "eu-west-1"
+  region = "us-east-1"
+}
+
+data "aws_caller_identity" "current" {}
+
+provider "datadog" {
+  api_key = var.datadog_api_key
+  app_key = var.datadog_app_key
+  api_url = "https://api.${var.datadog_site}/"
+}
+
+resource "datadog_agentless_scanning_aws_scan_options" "scan_options" {
+  aws_account_id     = data.aws_caller_identity.current.account_id
+  vuln_host_os       = true
+  vuln_containers_os = true
+  lambda             = true
+  sensitive_data     = false
 }
 
 module "scanner_role" {
@@ -28,7 +48,8 @@ module "delegate_role" {
 module "agentless_scanner" {
   source = "git::https://github.com/DataDog/terraform-module-datadog-agentless-scanner?ref=0.11.11"
 
-  api_key               = var.api_key
+  api_key               = var.datadog_api_key
+  site                  = var.datadog_site
   instance_profile_name = module.scanner_role.instance_profile.name
 }
 

examples/single_region/variables.tf

@@ -1,8 +1,19 @@
-variable "api_key" {
+variable "datadog_api_key" {
   description = "Specifies the API key required by the Agentless Scanner to submit vulnerabilities to Datadog - Make sure the API key is Remote Configuration enabled."
   type        = string
 }
 
+variable "datadog_app_key" {
+  description = "Datadog Application key"
+  type        = string
+}
+
+variable "datadog_site" {
+  description = "The site of your Datadog account. See https://docs.datadoghq.com/getting_started/site/"
+  type        = string
+  default     = "datadoghq.com"
+}
+
 variable "datadog_integration_role" {
   description = "Role name of the Datadog integration that was used to integrate the AWS account to Datadog"
   type        = string