module "cyral_sidecar" {
source = "cyralinc/sidecar-aws/cyral"
version = "2.7.1" # terraform module version
sidecar_version = ""
sidecar_id = ""
name_prefix = ""
control_plane = ""
sidecar_ports = [443, 3306, 5432, 27017, 27018, 27019]
mongodb_port_alloc_range_low = 27017
mongodb_port_alloc_range_high = 27019
vpc_id = ""
subnets = [""]
ssh_inbound_cidr = ["0.0.0.0/0"]
db_inbound_cidr = ["0.0.0.0/0"]
healthcheck_inbound_cidr = ["0.0.0.0/0"]
container_registry = ""
client_id = ""
client_secret = ""
}Note:
name_prefixis filled automatically when you download the Terraform sidecar template from the Cyral control plane. If you wish to define a customname_prefix, please keep in mind that its length must be at most 24 characters.
Check the upgrade notes section if you are upgrading an existing sidecar.
| Name | Version |
|---|---|
| terraform | >= 0.12 |
| aws | >= 3.22.0 |
| Name | Version |
|---|---|
| aws | >= 3.22.0 |
No modules.
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_security_groups | Additional security groups to attach to sidecar instances | list(string) |
[] |
no |
| ami_id | Amazon Linux 2 AMI ID for sidecar EC2 instances. The default behavior is to use the latest version. In order to define a new image, provide the desired image id. |
string |
"" |
no |
| asg_count | Set to 1 to enable the ASG, 0 to disable. Only for debugging. | number |
1 |
no |
| asg_desired | The desired number of hosts to create in the auto scaling group | number |
1 |
no |
| asg_max | The maximum number of hosts to create in the auto scaling group | number |
2 |
no |
| asg_min | The minimum number of hosts to create in the auto scaling group | number |
1 |
no |
| associate_public_ip_address | Associates a public IP to sidecar EC2 instances | bool |
false |
no |
| client_id | The client id assigned to the sidecar | string |
n/a | yes |
| client_secret | The client secret assigned to the sidecar | string |
n/a | yes |
| cloudwatch_logs_retention | Cloudwatch logs retention in days | number |
14 |
no |
| container_registry | Address of the container registry where Cyral images are stored | string |
n/a | yes |
| container_registry_key | Key provided by Cyral for authenticating on Cyral's container registry | string |
"" |
no |
| container_registry_username | Username provided by Cyral for authenticating on Cyral's container registry | string |
"" |
no |
| control_plane | Address of the control plane - .cyral.com | string |
n/a | yes |
| custom_user_data | Auxiliary user-data script. Appended to existing user-data sidecar bootstrapping scripts (Approx Input Size = 19KB) | string |
"" |
no |
| db_inbound_cidr | Allowed CIDR block for database access to the sidecar. Can't be combined with 'db_inbound_security_group'. | list(string) |
n/a | yes |
| db_inbound_security_group | Pre-existing security group IDs allowed to connect to db in the EC2 host. Can't be combined with 'db_inbound_cidr'. | list(string) |
[] |
no |
| dd_api_key | API key to connect to DataDog | string |
"" |
no |
| deploy_secrets | Create the AWS Secrets Manager resource at secret_location using client_id, client_secret and container_registry_key | bool |
true |
no |
| elk_address | Address to ship logs to ELK | string |
"" |
no |
| elk_password | (Optional) Password to use to ship logs to ELK | string |
"" |
no |
| elk_username | (Optional) Username to use to ship logs to ELK | string |
"" |
no |
| enable_cross_zone_load_balancing | Enable cross zone load balancing | bool |
true |
no |
| external_tls_type | TLS mode for the control plane - tls, tls-skip-verify, no-tls | string |
"tls" |
no |
| hc_vault_integration_id | HashiCorp Vault integration ID | string |
"" |
no |
| health_check_grace_period | The grace period in seconds before the health check will terminate the instance | number |
600 |
no |
| healthcheck_inbound_cidr | Allowed CIDR block for health check requests to the sidecar | list(string) |
n/a | yes |
| healthcheck_port | Port used for the healthcheck | number |
8888 |
no |
| iam_policies | (Optional) List of IAM policies ARNs that will be attached to the sidecar IAM role | list(string) |
[] |
no |
| idp_certificate | (Optional) The certificate used to verify SAML assertions from the IdP being used with Snowflake. Enter this value as a one-line string with literal characters specifying the line breaks. |
string |
"" |
no |
| idp_sso_login_url | (Optional) The IdP SSO URL for the IdP being used with Snowflake. | string |
"" |
no |
| instance_type | Amazon EC2 instance type for the sidecar instances | string |
"t3.medium" |
no |
| key_name | AWS key name | string |
"" |
no |
| load_balancer_certificate_arn | (Optional) ARN of SSL certificate that will be used for client connections to Snowflake. | string |
"" |
no |
| load_balancer_scheme | EC2 network load balancer scheme ('internal' or 'internet-facing') | string |
"internal" |
no |
| load_balancer_sticky_ports | List of ports that will have session stickiness enabled. This parameter must be a subset of 'sidecar_ports'. |
list(number) |
[] |
no |
| load_balancer_subnets | Subnets to add load balancer to. If not provided, the load balancer will assume the subnets specified in the subnets parameter. |
list(string) |
[] |
no |
| load_balancer_tls_ports | List of ports that will have TLS terminated at load balancer level (snowflake support, for example). If assigned, 'load_balancer_certificate_arn' must also be provided. This parameter must be a subset of 'sidecar_ports'. |
list(number) |
[] |
no |
| log_integration | Logs destination | string |
"cloudwatch" |
no |
| metrics_integration | Metrics destination | string |
"" |
no |
| mongodb_port_alloc_range_high | Final value for MongoDB port allocation range. The consecutive ports in the range mongodb_port_alloc_range_low:mongodb_port_alloc_range_high will be usedfor mongodb cluster monitoring. All the ports in this range must be listed in sidecar_ports. |
number |
n/a | yes |
| mongodb_port_alloc_range_low | Initial value for MongoDB port allocation range. The consecutive ports in the range mongodb_port_alloc_range_low:mongodb_port_alloc_range_high will be usedfor mongodb cluster monitoring. All the ports in this range must be listed in sidecar_ports. |
number |
n/a | yes |
| mysql_multiplexed_port | Port that will be used by the sidecar to multiplex connections to MySQL | number |
0 |
no |
| name_prefix | Prefix for names of created resources in AWS. Maximum length is 24 characters. | string |
n/a | yes |
| reduce_security_group_rules_count | If set to false, each port in sidecar_ports will be used individually for each CIDR in db_inbound_cidr to create inbound rules in the sidecar security group, resulting in a number of inbound rules that is equal to the number of sidecar_ports * db_inbound_cidr. If set to true, the entire sidecar port range from min(sidecar_ports) to max(sidecar_ports) will be used to configure each inbound rule for each CIDR in db_inbound_cidr for the sidecar security group. Setting it to true can be useful if you need to use multiple sequential sidecar ports and different CIDRs for DB inbound (db_inbound_cidr) since it will significantly reduce the number of inbound rules and avoid hitting AWS quotas. As a side effect, it will open all the ports between min(sidecar_ports) and max(sidecar_ports) in the security group created by this module. |
bool |
false |
no |
| repositories_supported | List of all repositories that will be supported by the sidecar (lower case only) | list(string) |
[ |
no |
| secrets_kms_key_id | ARN of the KMS key used to encrypt secrets. If not set, secrets will use the default KMS key. | string |
"" |
no |
| secrets_location | Location in AWS Secrets Manager to store client_id, client_secret and container_registry_key | string |
n/a | yes |
| sidecar_certificate_lambda_version | Version of the lambda used to create the sidecar certificate. | string |
"v0.1.0" |
no |
| sidecar_custom_certificate_account_id | (Optional) AWS Account ID where the custom certificate module will be deployed. | string |
"" |
no |
| sidecar_dns_hosted_zone_id | (Optional) Route53 hosted zone ID for the corresponding 'sidecar_dns_name' provided | string |
"" |
no |
| sidecar_dns_name | (Optional) Fully qualified domain name that will be automatically created/updated to reference the sidecar LB | string |
"" |
no |
| sidecar_dns_overwrite | (Optional) Update an existing DNS name informed in 'sidecar_dns_name' variable | bool |
false |
no |
| sidecar_id | Sidecar identifier | string |
n/a | yes |
| sidecar_ports | List of ports allowed to connect to the sidecar. See also 'load_balancer_tls_ports'. | list(number) |
n/a | yes |
| sidecar_version | Version of the sidecar | string |
n/a | yes |
| splunk_host | Splunk host | string |
"" |
no |
| splunk_index | Splunk index | string |
"" |
no |
| splunk_port | Splunk port | number |
0 |
no |
| splunk_tls | Splunk TLS | bool |
false |
no |
| splunk_token | Splunk token | string |
"" |
no |
| ssh_inbound_cidr | Allowed CIDR block for SSH access to the sidecar. Can't be combined with 'ssh_inbound_security_group'. | list(string) |
n/a | yes |
| ssh_inbound_security_group | Pre-existing security group IDs allowed to ssh into the EC2 host. Can't be combined with 'ssh_inbound_cidr'. | list(string) |
[] |
no |
| subnets | Subnets to add sidecar to (list of string) | list(string) |
n/a | yes |
| sumologic_host | Sumologic host | string |
"" |
no |
| sumologic_uri | Sumologic uri | string |
"" |
no |
| volume_size | Size of the sidecar disk | number |
15 |
no |
| vpc_id | AWS VPC ID to deploy sidecar to | string |
n/a | yes |
| Name | Description |
|---|---|
| aws_iam_role_arn | Sidecar IAM role ARN |
| aws_security_group_id | Sidecar security group id |
| sidecar_custom_certificate_role_arn | IAM role ARN to use in the Sidecar Custom Certificate modules. |
| sidecar_custom_certificate_secret_arn | Secret ARN to use in the Sidecar Custom Certificate modules. |
| sidecar_dns | Sidecar DNS endpoint |
| sidecar_load_balancer_dns | Sidecar load balancer DNS endpoint |