AWSTemplateFormatVersion: 2010-09-09
Description: This Template will create the infrastructure for Prowler with ECS Fargate
Parameters:
  ProwlerClusterName:
    Type: String
    Description: Name of the ECS Cluster that the Prowler Fargate Task will run in
    Default: ProwlerCluster
  ProwlerContainerName:
    Type: String
    Description: Name of the Prowler Container Definition within the ECS Task
    Default: prowler
  ProwlerContainerInfo:
    Type: String
    Description: ECR URI of the Prowler container
  ProwlerECSLogGroupName:
    Type: String
    Description: Name for the log group to be created
    Default: /aws/ecs/SecurityHub-Prowler
  SecurityGroupVPCId:
    Type: String
    Description: VPC Id for the Security Group to be created
  ProwlerScheduledSubnet1:
    Type: String
    Description: Subnet Id in which Prowler can be scheduled to Run
  ProwlerScheduledSubnet2:
    Type: String
    Description: A secondary Subnet Id in which Prowler can be scheduled to Run
  ECSExecutionRole:
    Type: String
    Description: ECS Execution Task Role ARN.
  ProwlerTaskRole:
    Type: String
    Description: Prowler ECS Task Role ARN.
  ECSEventRole:
    Type: String
    Description: Eventbridge Task Role ARN.
  CronExpression:
    Type: String
    Description: Cron schedule for the event rule.
    Default: cron(0 23 * * ? *)
Resources:
  ProwlerECSCloudWatchLogsGroup:
    Type: AWS::Logs::LogGroup
    Properties:
      LogGroupName: !Ref ProwlerECSLogGroupName
      RetentionInDays: 90
  ProwlerECSCluster:
    Type: AWS::ECS::Cluster
    Properties:
      ClusterName: !Ref ProwlerClusterName
  ProwlerECSTaskDefinition:
    Type: AWS::ECS::TaskDefinition
    Properties:
      ContainerDefinitions:
        - Image: !Ref ProwlerContainerInfo
          Name: !Ref ProwlerContainerName
          LogConfiguration:
            LogDriver: awslogs
            Options:
              awslogs-group: !Ref ProwlerECSCloudWatchLogsGroup
              awslogs-region: !Ref 'AWS::Region'
              awslogs-stream-prefix: ecs
      Cpu: 1024
      ExecutionRoleArn: !Ref ECSExecutionRole
      Memory: 2048
      NetworkMode: awsvpc
      TaskRoleArn: !Ref ProwlerTaskRole
      Family: SecurityHubProwlerTask
      RequiresCompatibilities:
        - FARGATE
  ProwlerSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
        GroupDescription: Allow HTTPS Out - Prowler
        VpcId: !Ref SecurityGroupVPCId
        SecurityGroupEgress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 0.0.0.0/0
  ProwlerTaskScheduler:
    Type: AWS::Events::Rule
    Properties:
      ScheduleExpression: !Ref CronExpression
      State: ENABLED
      Targets:
        - Arn: !GetAtt ProwlerECSCluster.Arn
          RoleArn: !Ref ECSEventRole
          Id: prowlerTaskScheduler
          EcsParameters:
            TaskDefinitionArn: !Ref ProwlerECSTaskDefinition
            TaskCount: 1
            LaunchType: FARGATE
            PlatformVersion: 'LATEST'
            NetworkConfiguration:
              AwsVpcConfiguration:
                AssignPublicIp: DISABLED
                SecurityGroups:
                  - !Ref ProwlerSecurityGroup
                Subnets:
                  - !Ref ProwlerScheduledSubnet1
                  - !Ref ProwlerScheduledSubnet2