Welcome to the CyberArk PAMonCloud Controller Terraform Module repository! This project provides a tool to simplify the deployment of a PAMonCloud Controller node, which includes everything you need in order to run PAMonCloud BYOI on Amazon Web Services (AWS). It comes with the required software installed, as well as permissions delegated from an IAM Instance Profile. The controller node is based on Amazon Linux 2023.
Before using these modules, ensure you have the following:
- Terraform installed
- AWS account with necessary permissions for deploying resources
- A valid PAM_Self-Hosted_on_AWS.zip file containing the BYOI solution
Instructions for downloading the PAM_Self-Hosted_on_AWS.zip file can be found here. Upload it to an S3 bucket; the deployment asks for the S3 bucket name and file name so it can copy the file onto the controller.
Below is an example usage of this Terraform module:
```hcl
module "pamoncloud_controller" {
  source           = "cyberark/pamoncloud-controller/aws"
  instance_type    = "t3.medium"
  vpc_cidr         = "172.31.0.0/16"
  subnet_cidr      = "172.31.1.0/24"
  allowed_ssh_cidr = ["3.5.7.9/32", "2.4.6.8/32"]
  key_name         = "my-key"
  s3_bucket_name   = "my-s3-bucket"
  s3_file_name     = "PAM_Self-Hosted_on_AWS.zip"
}
```
See the examples directory for working examples to reference.
| Name      | Version |
|-----------|---------|
| terraform | 1.9.8   |
| Name | Version |
|------|---------|
| aws  | 5.73.0  |
No modules.
| Name             | Description                                     | Type   | Default         |
|------------------|-------------------------------------------------|--------|-----------------|
| instance_type    | EC2 instance type for the controller node       | string | `"t2.micro"`    |
| vpc_cidr         | CIDR block for the VPC                          | string | `"10.0.0.0/16"` |
| subnet_cidr      | CIDR block for the subnet                       | string | `"10.0.1.0/24"` |
| allowed_ssh_cidr | CIDR blocks allowed for SSH inbound access      | list   | `["0.0.0.0/0"]` |
| key_name         | EC2 key pair name                               | string | n/a             |
| s3_bucket_name   | Name of the S3 bucket containing the BYOI zip   | string | n/a             |
| s3_file_name     | BYOI zip file name to be downloaded from S3     | string | n/a             |
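The `allowed_ssh_cidr` input defaults to `["0.0.0.0/0"]`, which opens SSH on the controller to the whole internet. The following is an added example, not the module's own code: a root configuration that wraps the module call and rejects any allow-list entry that is malformed or broader than /16 before the security group is ever created. It assumes the AWS provider and region are configured elsewhere in the root module, and the /16 minimum prefix length is a policy choice, not a module requirement.

```hcl
# Added example (not the module's own code): a root configuration that wraps the
# module call and refuses an SSH allow-list that is open to the whole internet,
# because the module's own default for allowed_ssh_cidr is ["0.0.0.0/0"].
# The /16 minimum prefix length below is a policy choice, not a module requirement.

variable "allowed_ssh_cidr" {
  description = "CIDR blocks permitted to reach the controller over SSH"
  type        = list(string)

  validation {
    # Each entry must be a syntactically valid CIDR block.
    condition     = alltrue([for c in var.allowed_ssh_cidr : can(cidrhost(c, 0))])
    error_message = "Every allowed_ssh_cidr entry must be a valid CIDR block, e.g. 203.0.113.10/32."
  }

  validation {
    # Reject 0.0.0.0/0 and any other prefix shorter than /16; try() yields 0
    # (and therefore a failure) for entries that are not in a.b.c.d/n form.
    condition     = alltrue([for c in var.allowed_ssh_cidr : try(tonumber(split("/", c)[1]), 0) >= 16])
    error_message = "allowed_ssh_cidr must not contain prefixes shorter than /16 (0.0.0.0/0 is rejected)."
  }
}

variable "key_name" {
  description = "Existing EC2 key pair used for SSH access to the controller"
  type        = string
}

variable "s3_bucket_name" {
  description = "Bucket that holds PAM_Self-Hosted_on_AWS.zip"
  type        = string
}

module "pamoncloud_controller" {
  source           = "cyberark/pamoncloud-controller/aws"
  instance_type    = "t3.medium"
  vpc_cidr         = "172.31.0.0/16"
  subnet_cidr      = "172.31.1.0/24"
  allowed_ssh_cidr = var.allowed_ssh_cidr   # validated above, never left at the open default
  key_name         = var.key_name
  s3_bucket_name   = var.s3_bucket_name
  s3_file_name     = "PAM_Self-Hosted_on_AWS.zip"
}

# Surface the controller address so operators can confirm which host they will reach.
output "controller_public_dns" {
  value = module.pamoncloud_controller.instance_public_dns
}
```

With this wrapper, `terraform plan` fails at variable validation if a caller passes `0.0.0.0/0` or a typo such as `203.0.113.10`, instead of producing a world-reachable security group.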
| Name                | Description                               |
|---------------------|-------------------------------------------|
| instance_public_ip  | Controller's instance public IP address.  |
| instance_public_dns | Controller's instance public DNS.         |
| instance_id         | Controller's instance ID.                 |
You can use the `terraform state show` command followed by `module.<module_name>.<resource_name>`.

Example: `terraform state show 'module.pamoncloud_controller.aws_instance.ec2_instance'`

For list objects, you can use `terraform state list` to get all objects within the list.
| Resource                 | Description                      |
|--------------------------|----------------------------------|
| aws_instance.ec2_instance | Component EC2 instance resource. |
| Resource                                                  | Description                                      |
|-----------------------------------------------------------|--------------------------------------------------|
| aws_iam_instance_profile.instance_profile                 | IAM instance profile for the EC2 instance.       |
| aws_iam_policy.instance_policy                            | IAM policy for the EC2 instance.                 |
| aws_iam_role.instance_role                                | IAM role for the EC2 instance.                   |
| aws_iam_role_policy_attachment.instance_policy_attachment | IAM role policy attachment for the EC2 instance. |
| Resource                           | Description                                  |
|------------------------------------|----------------------------------------------|
| aws_internet_gateway.gw            | Internet gateway for the VPC.                |
| aws_route_table.public             | Route table for the public subnet.           |
| aws_route_table_association.public | Route table association for the public subnet. |
| aws_security_group.instance_sg     | Security group for the EC2 instance.         |
| aws_subnet.public                  | Public subnet for the VPC.                   |
| aws_vpc.main                       | Main VPC for the deployment.                 |
| Resource                         | Description                                         |
|----------------------------------|-----------------------------------------------------|
| data.aws_ami.latest_amazon_linux | Base Amazon Linux AMI used for controller creation. |
| data.aws_partition.current       | AWS partition data source.                          |
- Examples: Ready-to-use examples.
This repository is subject to the following licenses:
- Terraform templates: Licensed under the Apache License, Version 2.0 (LICENSE).
We welcome contributions! Please see our Contributing Guidelines for more details.
CyberArk is a global leader in Identity Security, providing powerful solutions for managing privileged access. Learn more at www.cyberark.com.