# terraform-aws-enrichment

```terraform
resource "aws_s3_bucket" "enrichment_bucket" {
  bucket = "corelight-enrichment"
}

module "enrichment_eventbridge_role" {
  source = "github.com/corelight/terraform-aws-enrichment//modules/iam/eventbridge"

  primary_event_bus_arn = module.enrichment.primary_event_bus_arn
}

module "enrichment_lambda_role" {
  source = "github.com/corelight/terraform-aws-enrichment//modules/iam/lambda"

  enrichment_bucket_arn = aws_s3_bucket.enrichment_bucket.arn
  # Assumes a data "aws_ecr_repository" "enrichment_repo" block is declared elsewhere in your configuration.
  enrichment_ecr_repository_arn   = data.aws_ecr_repository.enrichment_repo.arn
  lambda_cloudwatch_log_group_arn = module.enrichment.cloudwatch_log_group_arn
}

module "enrichment" {
  source = "github.com/corelight/terraform-aws-enrichment"

  corelight_cloud_enrichment_image      = "123456789111.dkr.ecr.us-east-1.amazonaws.com/corelight-sensor-enrichment-aws"
  corelight_cloud_enrichment_image_tag  = "0.1.0"
  enrichment_bucket_name                = aws_s3_bucket.enrichment_bucket.bucket
  eventbridge_iam_cross_region_role_arn = module.enrichment_eventbridge_role.cross_region_role_arn
  lambda_iam_role_arn                   = module.enrichment_lambda_role.lambda_iam_role_arn
}
```

Image-based Lambdas must be deployed from a private Elastic Container Registry (ECR) repository, so the data collection serverless container image provided by Corelight must be copied from Docker Hub and pushed to your own ECR repository.

```bash
aws ecr create-repository --repository-name corelight/sensor-enrichment-aws
```

```terraform
# Terraform equivalent of the CLI command above
resource "aws_ecr_repository" "enrichment_repo" {
  name = "corelight/sensor-enrichment-aws"
}
```

Log in to the AWS account's registry:

```bash
aws ecr get-login-password --region <region> | docker login \
  --username AWS \
  --password-stdin <[account id].dkr.ecr.[region].amazonaws.com>
```

Pull from Docker Hub and push the image to ECR:

```bash
AWS_ACCOUNT="<enter aws account id>"
AWS_REGION="<enter ecr repository region>"

# Docker Hub image: corelight/sensor-enrichment-aws:0.1.1
SRC_IMAGE="corelight/sensor-enrichment-aws:0.1.1"
# ECR destination: <AWS_ACCOUNT>.dkr.ecr.<AWS_REGION>.amazonaws.com/corelight/sensor-enrichment-aws:0.1.1
DST_IMAGE="${AWS_ACCOUNT}.dkr.ecr.${AWS_REGION}.amazonaws.com/corelight/sensor-enrichment-aws:0.1.1"

# Pull the Corelight image from Docker Hub
docker pull --platform linux/arm64 "$SRC_IMAGE"

# Tag the image for the ECR repository and push it
docker image tag "$SRC_IMAGE" "$DST_IMAGE"
docker image push --platform linux/arm64 "$DST_IMAGE"
```

The variables for this module all have default values that can be overridden to meet your naming and compliance standards. The only variables without defaults are the Lambda's ECR image name and tag, which you will set during preparation.

Deployment examples can be found here.

The project is licensed under the MIT license.