Maskopy is a solution to copy and obfuscate production data into target environments in AWS. It uses AWS serverless services: Step Functions, Lambda and Fargate.
Maskopy copies production data across AWS accounts and provides the ability to run obfuscation on it. Any sensitive information in the production data is obfuscated in a transient instance, and the final obfuscated snapshot is shared with the user-specified environments.
Maskopy is a self-service solution that lets users obtain production data without involving multiple teams. It is fully automated and built to plug easily into CI/CD pipelines and other automation solutions through SNS or SQS.
Maskopy has security controls such as access management via IAM roles, authorization based on the caller identity, and network access to the transient resources restricted through security groups. You can bring your own container with third-party tools for the obfuscation algorithms.
Maskopy is agnostic to the obfuscation tool. Teams can use any encryption tools or obfuscation frameworks that suit their needs, bake them into a Docker container, and bring that container to Maskopy to run the data obfuscation.
```hcl
module "maskopy" {
  source  = "git::https://github.com/DNXLabs/terraform-aws-maskopy.git?ref=0.1.1"
  enabled = true

  providers = {
    aws.source  = aws.prod
    aws.staging = aws.nonprod
  }

  staging_vpc_id                  = data.aws_vpc.selected.id
  staging_subnet_ids              = data.aws_subnet_ids.staging_subnet_ids.ids
  staging_rds_default_kms_key_id  = ""
  rds_staging_subnet_group_name   = ""
  obfuscation_scripts_bucket_name = ""
}
```
Requirements:

Name | Version |
---|---|
terraform | >= 0.13 |
aws | >= 3.26, < 4.0 |
null | 3.1.0 |

Providers:

Name | Version |
---|---|
archive | n/a |
aws | >= 3.26, < 4.0 |
aws.source | >= 3.26, < 4.0 |
aws.staging | >= 3.26, < 4.0 |
null | 3.1.0 |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
application_name | The name for the maskopy application; it should match part of the invoker role name. | string | "MASKOPY" | no |
build_lambda_layer | If true, builds the Lambda layer. Set to true only with a local source module. | bool | false | no |
cost_center | All temporary resources are tagged with this code. | string | "MaskopyCost" | no |
create_obfuscation_scripts_bucket | Create the bucket that stores the obfuscation scripts. | bool | true | no |
custom_source_kms_key | Custom KMS key, used when custom_source_kms_key_enabled is true. | string | "" | no |
custom_source_kms_key_enabled | Only used when the RDS instance in the source account is encrypted with another KMS key. Remember to add permissions to the existing key. | bool | false | no |
ecs_docker_image | Docker image the ECS task runs; it downloads the scripts from the S3 obfuscation bucket. | string | "dnxsolutions/obfuscation" | no |
ecs_fargate_role_name | ECS role name. | string | "ECS_MASKOPY" | no |
enabled | If true, deploys the maskopy solution. | bool | true | no |
lambda_role_name | Lambda role name. | string | "LAMBDA_MASKOPY" | no |
lambdas_names | n/a | list(string) | [ | no |
obfuscation_scripts_bucket_name | Bucket that stores the obfuscation scripts; upload them inside the /obfuscation folder. | string | n/a | yes |
rds_staging_subnet_group_name | Staging RDS subnet group name used to deploy the transient database. | string | n/a | yes |
replicate_destination_account_id | Account ID that the dump data from the source bucket is sent to. | string | "" | no |
replicate_destination_bucket_name | Name of the bucket that the dump data from the source bucket is sent to. | string | "" | no |
replicate_obfuscation_bucket | Replicate data inside the bucket to another account. | bool | true | no |
replicate_obfuscation_bucket_prefix | Prefix inside the bucket to replicate to another account. | string | "dumps" | no |
sqs_queue_name | SQS queue name used to send messages when the step function finishes running. | string | "maskopy_sqs_queue" | no |
staging_rds_default_kms_key_id | KMS key that maskopy uses for the transient RDS instance. | string | n/a | yes |
staging_subnet_ids | Subnets inside the staging VPC where the Lambdas and ECS tasks are deployed. | list(string) | n/a | yes |
staging_vpc_id | VPC ID of the staging account. | string | n/a | yes |
step_function_state_machine_name | Name of the Step Functions state machine. | string | "maskopy-state-machine" | no |
Outputs: none.

Module managed by DNX Solutions.
Apache 2 licensed. See LICENSE for full details.