
Terraform module for configuring an integration with Lacework and Google Cloud for agentless scanning


lacework/terraform-gcp-agentless-scanning


terraform-gcp-agentless-scanning

A Terraform module that deploys Lacework Agentless Workload Scanning (AWLS) for Google Cloud. It enables the required APIs, creates dedicated service accounts for orchestration and scanning, stores the Lacework account and token in Secret Manager, and sets up a Cloud Scheduler job that triggers a Cloud Run job to scan the compute resources of the configured project or organization. Scan results land in a storage bucket that Lacework reads through an integration service account, and the module registers the integration in Lacework.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| google | >= 4.46 |
| lacework | ~> 2.0 |

Providers

| Name | Version |
|------|---------|
| google | >= 4.46 |
| lacework | ~> 2.0 |
| random | n/a |
| terraform | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| lacework_agentless_scan_svc_account | lacework/service-account/gcp | ~> 2.0 |

Resources

| Name | Type |
|------|------|
| google_cloud_run_v2_job.agentless_orchestrate | resource |
| google_cloud_scheduler_job.agentless_orchestrate | resource |
| google_organization_iam_custom_role.agentless_orchestrate | resource |
| google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group | resource |
| google_organization_iam_member.agentless_orchestrate | resource |
| google_organization_iam_member.agentless_orchestrate_monitored_project_resource_group | resource |
| google_project_iam_custom_role.agentless_orchestrate | resource |
| google_project_iam_custom_role.agentless_orchestrate_monitored_project | resource |
| google_project_iam_custom_role.agentless_scan | resource |
| google_project_iam_member.agentless_orchestrate | resource |
| google_project_iam_member.agentless_orchestrate_invoker | resource |
| google_project_iam_member.agentless_orchestrate_monitored_project | resource |
| google_project_iam_member.agentless_orchestrate_service_account_user | resource |
| google_project_iam_member.agentless_scan | resource |
| google_project_iam_member.lacework_svc_account | resource |
| google_project_service.required_apis | resource |
| google_secret_manager_secret.agentless_orchestrate | resource |
| google_secret_manager_secret_iam_member.member_orchestrate_service_account | resource |
| google_secret_manager_secret_iam_member.member_scan_service_account | resource |
| google_secret_manager_secret_version.agentless_orchestrate | resource |
| google_service_account.agentless_orchestrate | resource |
| google_service_account.agentless_scan | resource |
| google_storage_bucket.lacework_bucket | resource |
| google_storage_bucket_iam_binding.lacework_bucket | resource |
| lacework_integration_gcp_agentless_scanning.lacework_cloud_account | resource |
| random_id.uniq | resource |
| terraform_data.execute_cloud_run_job | resource |
| google_client_config.default | data source |
| google_compute_default_service_account.default | data source |
| google_project.selected | data source |
| lacework_metric_module.lwmetrics | data source |
| lacework_user_profile.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| additional_environment_variables | Optional list of additional environment variables passed to the Cloud Run task. | `list(object({ name = string, value = string }))` | `[]` | no |
| agentless_orchestrate_service_account_email | The email of an existing service account to use for the Cloud Run orchestration job. Empty means the module creates one (a global module's account can be passed in through `global_module_reference`). | `string` | `""` | no |
| agentless_scan_secret_id | The ID of the Google Secret Manager secret containing the Lacework account and auth token. | `string` | `""` | no |
| agentless_scan_service_account_email | The email of an existing service account to use for the scanning compute instances. Empty means the module creates one. | `string` | `""` | no |
| bucket_enable_ubla | Enable Uniform Bucket Level Access on the created bucket, so access is governed by IAM only and not by per-object ACLs. | `bool` | `true` | no |
| bucket_force_destroy | Force destroy the bucket. If disabled, Terraform cannot destroy a non-empty bucket; if enabled, `terraform destroy` deletes all scan data without further confirmation. | `bool` | `true` | no |
| bucket_lifecycle_rule_age | Number of days to keep agentless scan objects in the bucket before deletion. | `number` | `30` | no |
| custom_vpc_subnet | The name of the custom Google Cloud VPC subnet to use for the scanning compute resources. | `string` | `""` | no |
| execute_job_at_deployment | Execute the newly created Cloud Run job(s) immediately after deployment. | `bool` | `false` | no |
| global | Whether or not to create global resources. | `bool` | `false` | no |
| global_module_reference | A reference to the global lacework_gcp_agentless_scanning module for this account, used by regional module instances to reuse its service accounts, secret and settings. | `object({ agentless_orchestrate_service_account_email = string, agentless_scan_service_account_email = string, agentless_scan_secret_id = string, lacework_account = string, lacework_domain = string, prefix = string, suffix = string, project_filter_list = list(any), integration_type = string })` | `{ "agentless_orchestrate_service_account_email": "", "agentless_scan_secret_id": "", "agentless_scan_service_account_email": "", "integration_type": "", "lacework_account": "", "lacework_domain": "", "prefix": "", "project_filter_list": [], "suffix": "" }` | no |
| image_url | The container image URL for Lacework Agentless Workload Scanning. | `string` | `"us-docker.pkg.dev/agentless-sidekick-images-tl48/sidekick/sidekick"` | no |
| integration_type | The integration type. Must be `PROJECT` or `ORGANIZATION`. | `string` | `"PROJECT"` | no |
| labels | Set of labels added to the resources managed by the module. | `map(string)` | `{}` | no |
| lacework_account | The name of the Lacework account with which to integrate. | `string` | `""` | no |
| lacework_domain | The domain of the Lacework account with which to integrate. | `string` | `"lacework.net"` | no |
| lacework_integration_name | The name of the Lacework cloud account integration. | `string` | `"google-cloud-agentless-scanning"` | no |
| lacework_integration_service_account_name | The name of the service account Lacework will use to access scan results. | `string` | `""` | no |
| organization_id | The organization ID; required if `integration_type` is `ORGANIZATION`. | `string` | `""` | no |
| prefix | A string prefixed to the name of all new resources. | `string` | `"lacework-awls"` | no |
| project_filter_list | A list of projects to include/exclude for the integration. | `list(any)` | `[]` | no |
| regional | Whether or not to create regional resources. | `bool` | `false` | no |
| required_apis | The Google Cloud APIs the module enables in the scanning project (see `google_project_service.required_apis`). | `map(any)` | `{ "cloudscheduler": "cloudscheduler.googleapis.com", "compute": "compute.googleapis.com", "iam": "iam.googleapis.com", "run": "run.googleapis.com", "secretmanager": "secretmanager.googleapis.com" }` | no |
| scan_containers | Whether to include container scanning. | `bool` | `true` | no |
| scan_frequency_hours | How often, in hours, the scan runs. | `number` | `24` | no |
| scan_host_vulnerabilities | Whether to include host vulnerability scanning. | `bool` | `true` | no |
| scan_multi_volume | Whether to scan secondary volumes. | `bool` | `false` | no |
| scan_stopped_instances | Whether to scan stopped instances. | `bool` | `true` | no |
| scanning_project_id | A project ID different from the one defined in the provider, used to host the scanning resources. | `string` | `""` | no |
| suffix | A string appended to the end of the name of all new resources. | `string` | `""` | no |
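The root module below is an added usage illustration, not configuration taken from this repository. It wires the inputs above into two deployments: a PROJECT-scope scanner whose global and regional resources come from one module call, and an ORGANIZATION-scope scanner split into one global module plus regional modules that reuse its service accounts and secret through `global_module_reference`. The registry source `lacework/agentless-scanning/gcp`, the project and organization IDs, the subnet names, the provider alias and the shape of the `project_filter_list` entries are assumptions; pin a module version before use.

```hcl
terraform {
  required_version = ">= 1.5"
  required_providers {
    google   = { source = "hashicorp/google", version = ">= 4.46" }
    lacework = { source = "lacework/lacework", version = "~> 2.0" }
  }
}

# Assumption: the project that hosts the scanner and its primary region.
provider "google" {
  project = "scanner-host-project"
  region  = "us-central1"
}

# Assumption: a second region the organization-scope scanner should cover.
provider "google" {
  alias   = "europe"
  project = "scanner-host-project"
  region  = "europe-west1"
}

# Lacework API credentials come from LW_ACCOUNT / LW_API_KEY / LW_API_SECRET
# (or a ~/.lacework.toml profile); nothing secret is written into this file.
provider "lacework" {}

# 1) PROJECT scope: global and regional resources from a single module call.
module "awls_project" {
  source = "lacework/agentless-scanning/gcp" # assumption: registry name of this repo

  global   = true
  regional = true

  integration_type          = "PROJECT"
  lacework_integration_name = "gcp-awls-scanner-host-project"

  # Keep scanner instances off the default network (assumed pre-existing subnet).
  custom_vpc_subnet = "awls-scan-subnet-us"

  # Scan artifacts are transient: expire them after 7 days, but never let
  # `terraform destroy` silently wipe a non-empty results bucket.
  bucket_enable_ubla        = true
  bucket_lifecycle_rule_age = 7
  bucket_force_destroy      = false

  scan_frequency_hours      = 24
  scan_host_vulnerabilities = true
  scan_containers           = true
  scan_multi_volume         = false
  scan_stopped_instances    = true

  # Run the Cloud Run job once at apply time so the first scan does not
  # wait for the Cloud Scheduler cadence.
  execute_job_at_deployment = true

  labels = { owner = "secops", purpose = "lacework-awls" }
}

# 2) ORGANIZATION scope: the global module owns the service accounts, secret,
#    org-level IAM and the first region; extra regions reference it.
module "awls_org" {
  source = "lacework/agentless-scanning/gcp"

  global   = true
  regional = true

  integration_type          = "ORGANIZATION"
  organization_id           = "123456789012"                     # assumption
  project_filter_list       = ["prod-payments", "prod-identity"] # assumption: project IDs
  lacework_integration_name = "gcp-awls-org"

  custom_vpc_subnet    = "awls-scan-subnet-us"
  bucket_force_destroy = false
}

module "awls_org_europe_west1" {
  source = "lacework/agentless-scanning/gcp"

  providers = { google = google.europe }

  regional = true
  # The module's outputs match the object type of this variable, so the
  # whole module reference can be passed and extra attributes are dropped.
  global_module_reference = module.awls_org

  custom_vpc_subnet = "awls-scan-subnet-eu"
}
```

Add one regional module per additional region you want scanned; each one needs only `regional = true`, the provider for that region and the `global_module_reference`, so the orchestration and scan identities and the Secret Manager secret exist exactly once per account.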

Outputs

| Name | Description |
|------|-------------|
| agentless_orchestrate_service_account_email | Email of the service account used by the Cloud Run orchestration job. |
| agentless_scan_secret_id | Google Secret Manager ID for the Lacework account and token. |
| agentless_scan_service_account_email | Email of the service account used by the scanning compute instances. |
| bucket_name | The storage bucket name for Agentless Workload Scanning data. |
| integration_type | The scope of the integration (`PROJECT` or `ORGANIZATION`). |
| lacework_account | Lacework account name for the integration. |
| lacework_domain | Lacework domain name for the integration. |
| lacework_integration_guid | GUID of the created Lacework integration. |
| prefix | Prefix used to add uniqueness to resource names. |
| project_filter_list | The list of projects to scan in this module. |
| service_account_name | The service account name for Lacework. |
| service_account_private_key | The base64-encoded private key, in JSON format, of the service account Lacework uses to read scan results. Like every output it is written to Terraform state, so treat the state backend as holding a credential. |
| suffix | Suffix used to add uniqueness to resource names. |
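The outputs make the deployment checkable from Terraform itself. The snippet below is an added example, not part of this module: Terraform 1.5 `check` blocks read the created bucket back and assert the hardening the inputs promise (uniform bucket-level access, a deletion lifecycle rule), and verify that the scanner runs under dedicated identities rather than the default Compute Engine service account. It assumes a module instance named `module.awls_project` and a `google` provider pointed at the scanning project; the `google_storage_bucket` and `google_compute_default_service_account` data sources are standard provider data sources.

```hcl
# Default Compute Engine service account of the scanning project; the
# module's own identities must never collapse onto it.
data "google_compute_default_service_account" "default" {}

check "awls_bucket_hardening" {
  # Scoped data source: read back the results bucket the module created.
  data "google_storage_bucket" "awls" {
    name = module.awls_project.bucket_name
  }

  assert {
    condition     = data.google_storage_bucket.awls.uniform_bucket_level_access
    error_message = "AWLS results bucket ${module.awls_project.bucket_name} still allows object-level ACLs; set bucket_enable_ubla = true."
  }

  assert {
    # At least one lifecycle rule must delete objects within 30 days.
    condition = anytrue([
      for rule in data.google_storage_bucket.awls.lifecycle_rule :
      rule.action[0].type == "Delete" && rule.condition[0].age <= 30
    ])
    error_message = "AWLS results bucket has no Delete lifecycle rule of 30 days or less; check bucket_lifecycle_rule_age."
  }
}

check "awls_dedicated_identities" {
  assert {
    condition = (
      module.awls_project.agentless_scan_service_account_email != data.google_compute_default_service_account.default.email
      && module.awls_project.agentless_orchestrate_service_account_email != data.google_compute_default_service_account.default.email
      && module.awls_project.agentless_orchestrate_service_account_email != module.awls_project.agentless_scan_service_account_email
    )
    error_message = "Orchestration and scan identities must be dedicated service accounts, distinct from each other and from the default Compute Engine account."
  }
}

# Re-exporting the integration key from the root module forces the
# `sensitive` flag, so the value is redacted from plan and apply output.
output "lacework_integration_key" {
  value     = module.awls_project.service_account_private_key
  sensitive = true
}
```

Failed `check` assertions surface as warnings on `terraform plan` and `terraform apply` rather than blocking them, which keeps them safe to add to an existing deployment; promote any of them to a `postcondition` on a resource if you want a hard stop.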
