InsightCloudSec by Rapid7 (formerly DivvyCloud) is a Cloud-Native Security Platform that provides real-time analysis and automated remediation for continuous security and compliance for your multi-cloud environment.

Deploying InsightCloudSec to AWS EC2 or ECS Fargate Using Terraform

Overview

This page provides instructions for deploying and installing the InsightCloudSec platform via Terraform, with the option of ECS Fargate (preferred) or EC2 as the compute component. To complete this installation you will need to have some basic knowledge of the AWS console, the appropriate permissions to access your organization’s infrastructure, and the configuration details applicable to your environment. Note: Completing this deployment method should take around 60 minutes.

If you have questions or run into issues at any point during this process we are happy to assist. Reach out to us through [email protected].

Value Names (DivvyCloud vs. InsightCloudSec)

Some components use our former product name (DivvyCloud vs. InsightCloudSec). Updates to the naming of these components will be communicated when changes are made, but note that the name difference does not affect functionality within the product.

Prerequisites

Before getting started with this deployment you will need to have the following:

  • The appropriate AWS permissions to create network, IAM, database, and compute resources
  • An AdministratorAccess policy is recommended
  • Existing SSL certificate in ACM
  • Service-linked roles for the following services: ecs, ecs.application-autoscaling, elasticache, elasticloadbalancing, and rds
  • Terraform 1.0.x

Note: The content on this page applies to self-hosted customers. For hosted customers we recommend that you contact your CSM or [email protected] with any questions or concerns.

Template Download

Internet Connectivity Required

Our default template loads Terraform modules from an InsightCloudSec S3 bucket to allow for streaming updates to our deployment. If connectivity is not possible, download the "stand-alone" deployment template.

Customize Global Deployment Variables

The example file below lets you specify or override the common configuration parameters declared in variables.tf.

// InsightCloudSec container/version to deploy
divvycloud_version = "public.ecr.aws/divvycloud/divvycloud:v21.6.2"

// Target AWS account ID for deployment
account_id = "XXXXXXXXXXXX"

// Target region
region = "us-east-1"

// Target AZs
az = {
  1 = "us-east-1a"
  2 = "us-east-1b"
}

// Existing ACM SSL certificate to associate with ALB/UI
acm_ssl_arn = "arn:aws:acm:REGION:ACCOUNT-ID:certificate/XXXXXXXXXXXXXX"

// Internet-facing or internal ALB?
private_alb = false

// CIDR range/list allowed access to ALB/UI
ingress_whitelist = ["YOUR-CIDR-RANGE-HERE/32"]

// SNS topics to send critical monitoring alarms to. This can be left blank if not needed.
alarm_critical_actions = [] // ["arn:aws:sns:REGION:ACCOUNT-ID:XXXXXXXXXXXXXXXXXX"]

// SNS topics to send low-priority monitoring alarms to. This can be left blank if not needed.
alarm_low_actions = [] // ["arn:aws:sns:REGION:ACCOUNT-ID:XXXXXXXXXXXXXXXXXX"]

// Add custom tags to every supported resource
//custom_tags = {
//    Product     = "InsightCloudSec"
//    Environment = "Production"
//}

// If you do *not* want to create a new VPC/subnets, uncomment and populate the following
// module_network_enabled          = false
// override_network_vpc            = "vpc-XXXXXXXXXXXX"
// override_network_subnet_private = ["subnet-XXXXXXXXXXXX", "subnet-XXXXXXXXXXXX"]
// Internet-facing ALB is the only infrastructure attached to public subnets
// If using an internal ALB, populate with same private subnet IDs used above
// override_network_subnet_public  = ["subnet-XXXXXXXXXXXX", "subnet-XXXXXXXXXXXX"]

// Enable RDS storage auto-scaling; set max capacity in GB (recommended)
db_max_allocated_storage = 1024

// If you want to restore from a database snapshot on initial deployment set the snapshot identifier below
// db_snapshot_id = "divvycloud-migration-snapshot"

// If you want to override the iam role used set the arn and role name below
// override_iam_role_arn  = ""
// override_iam_role_name = ""

// Is InsightCloudSec being *deployed* in AWS GovCloud?
govcloud = false

// Is InsightCloudSec being *deployed* in AWS China?
china = false

// Enable IAM/Access Explorer? (requires additional license)
enable_iam_analyzer = false
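A pre-flight check for the file above, added here as an example that is not part of the InsightCloudSec docs or Terraform template: it parses the flat subset of insightcloudsec.tfvars and flags mistakes that are easy to make in that file before you run terraform plan: an ACM certificate in a different region or account than the deployment, a govcloud/china flag that disagrees with the region name, and an internet-facing ALB whose ingress_whitelist contains 0.0.0.0/0. The sample tfvars text is constructed (placeholder values); the variable names are the ones from the page.

```python
import ipaddress
import re

# Constructed sample modelled on the page's insightcloudsec-example.tfvars
# (placeholder values; it deliberately carries three mistakes to catch).
SAMPLE_TFVARS = """
account_id = "123456789012"
region = "us-gov-west-1"
acm_ssl_arn = "arn:aws:acm:us-east-1:123456789012:certificate/abcd-1234"
private_alb = false
ingress_whitelist = ["0.0.0.0/0", "203.0.113.0/24"]  // one entry is far too wide
govcloud = false
china = false
"""

def parse_tfvars(text):
    # Flat 'key = value' subset from the page: strings, booleans, one-line lists; az = {...} is skipped
    vals = {}
    for line in text.splitlines():
        m = re.match(r'^([A-Za-z_]\w*)\s*=\s*(.+)$', line.split("//")[0].strip())
        if not m:
            continue
        key, raw = m.group(1), m.group(2).strip()
        if raw.startswith("["):
            vals[key] = re.findall(r'"([^"]*)"', raw)
        elif raw.startswith('"'):
            vals[key] = raw.strip('"')
        elif raw in ("true", "false"):
            vals[key] = raw == "true"
    return vals

def check_tfvars(text):
    # Returns a list of findings; an empty list means every check passed.
    v, out = parse_tfvars(text), []
    acct, region = v.get("account_id", ""), v.get("region", "")
    if not re.fullmatch(r"\d{12}", acct):
        out.append("account_id must be a 12-digit AWS account ID")
    arn = v.get("acm_ssl_arn", "").split(":")  # arn:aws:acm:REGION:ACCOUNT:...
    if len(arn) < 6 or arn[2:5] != ["acm", region, acct]:
        out.append("acm_ssl_arn must be in the deployment region and account")
    # Partition flags must agree with the region name (us-gov-*, cn-*)
    if region.startswith("us-gov-") != bool(v.get("govcloud", False)):
        out.append("govcloud flag does not match region")
    if region.startswith("cn-") != bool(v.get("china", False)):
        out.append("china flag does not match region")
    for cidr in v.get("ingress_whitelist", []):  # ValueError if not a valid CIDR
        # A /0 allow-list on an internet-facing ALB exposes the UI to everyone
        if not v.get("private_alb") and ipaddress.ip_network(cidr, strict=False).prefixlen == 0:
            out.append(f"ingress_whitelist {cidr} opens the internet-facing ALB to everyone")
    return out
```

Run check_tfvars on your own file's contents before step 4 of Plan and Apply; with private_alb = true the 0.0.0.0/0 finding is suppressed because the ALB is then only reachable from inside the VPC.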

Database Instance Sizing

  • We do not recommend decreasing the default instance size of the ElastiCache nodes or RDS instances.
  • RDS instance size may be increased if your environment demands it.
...
// Redis instance type
variable "redis_node_type" {
  default = "cache.m5.large"
}

// MySQL instance type
variable "db_instance_class" {
  default = "db.m5.xlarge"
}
...

Compute Deployment Variables

ECS Fargate (Recommended)

Task Count/Definition

  • We do not recommend decreasing the default task counts or resource allocations below the defined defaults.
  • Worker (P2) tasks will be automatically scaled based on workload/demand.
  • Interfaceserver task counts can be increased to accommodate a high request volume (auto-scaling coming soon).
...
// This is ignored if use_instance_docker is set to true, as this will launch 1 per instance configured below.
variable "interface_server_task_count" {
  type    = number
  default = 2
}

// This is ignored if use_instance_docker is set to true, as this will launch 1 per instance configured below.
variable "scheduler_task_count" {
  type    = number
  default = 2
}

// P2 instances. This is ignored if use_instance_docker is set to true.
variable "worker_task_count" {
  type    = number
  default = 16
}

// P0/1 persistent instances. This is replicated out to however many worker instances there are if use_instance_docker is set to true.
variable "worker_persistent_task_count" {
  type    = number
  default = 4
}
...
// CPU for interface docker containers
variable "interface_task_cpu" {
  type    = number
  default = 1024
}

// Memory for interface docker containers
variable "interface_task_mem" {
  type    = number
  default = 2048
}

// CPU for scheduler docker containers
variable "scheduler_task_cpu" {
  type    = number
  default = 1024
}

// Memory for scheduler docker containers
variable "scheduler_task_mem" {
  type    = number
  default = 2048
}

// CPU for worker docker containers
variable "worker_task_cpu" {
  type    = number
  default = 512
}

// Memory for worker docker containers
variable "worker_task_mem" {
  type    = number
  default = 2048
}
...

EC2

If ECS Fargate (preferred) is not approved for use, EC2 instances can be used in its place.

Enable EC2 Support

If using EC2 for compute, be sure to set use_instance_docker to true and configure any other related EC2 parameters.

...
// AMI used if use_instance_docker is true.
variable "ami" {
  type = map(any)
  default = {
    us-east-1 = "ami-00a208c7cdba991ea"
    us-east-2 = "ami-0fc20dd1da406780b"
    us-west-1 = "ami-03ba3948f6c37a4b0"
    us-west-2 = "ami-0d1cd67c26f5fca19"
  }
}

// If set to false, an existing SSH key is used
variable "ec2_generate_ssh_key" {
  type    = bool
  default = true
}

// ARN of the existing SSH key
variable "ec2_custom_ssh_key" {
  type    = string
  default = "your-ssh-key-arn"
}
...
// If this is set to true, EC2 instances running local docker containers are created instead of using the cloud-specific container service
variable "use_instance_docker" {
  type    = bool
  default = false
}
...
// ### use_instance_docker specific settings
variable "worker_instance_count" {
  type    = number
  default = 4
}

variable "worker_instance_type" {
  type    = string
  default = "m5.large"
}

variable "interface_scheduler_instance_count" {
  type    = number
  default = 2
}

variable "interface_scheduler_instance_type" {
  type    = string
  default = "c5.large"
}

Plan and Apply

1. Move your customized insightcloudsec-example.tfvars file to insightcloudsec.tfvars.

2. Update Terraform to ensure you have the latest modules:
terraform get -update

3. Update providers.tf to include your environment's backend configuration.

4. Create the Terraform plan from your .tfvars file and save it to a plan file, so that the next step applies exactly the plan you reviewed:
terraform plan -var-file=insightcloudsec.tfvars -out=insightcloudsec.tfplan

5. Apply the new Terraform plan:
terraform apply insightcloudsec.tfplan
