terraform-gcp-audit-log

Terraform module for configuring an integration with Google Cloud Platform Organizations and Projects for Audit Logs analysis.

⚠️ - NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied. This means when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and this will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed.

e.g. terraform state rm 'google_project_iam_binding.for_lacework_service_account'

Required Roles

roles/storage.objectViewer

Required APIs

iam.googleapis.com
pubsub.googleapis.com
serviceusage.googleapis.com
cloudresourcemanager.googleapis.com

Requirements

Name	Version
terraform	>= 0.15.1
google	>= 4.4.0
lacework	~> 2.0
time	~> 0.6

Providers

Name	Version
google	>= 4.4.0
lacework	~> 2.0
random	n/a
time	~> 0.6

Modules

Name	Source	Version
lacework_at_svc_account	lacework/service-account/gcp	~> 2.0

Resources

Name	Type
google_logging_folder_sink.lacework_folder_sink	resource
google_logging_organization_sink.lacework_organization_sink	resource
google_logging_project_sink.lacework_project_sink	resource
google_logging_project_sink.lacework_root_project_sink	resource
google_organization_iam_member.for_lacework_service_account	resource
google_project_iam_member.for_lacework_service_account	resource
google_project_service.required_apis	resource
google_pubsub_subscription.lacework_subscription	resource
google_pubsub_subscription_iam_binding.lacework	resource
google_pubsub_topic.lacework_topic	resource
google_pubsub_topic_iam_binding.topic_publisher	resource
google_storage_bucket.lacework_bucket	resource
google_storage_bucket_iam_binding.policies	resource
google_storage_notification.lacework_notification	resource
lacework_integration_gcp_at.default	resource
random_id.uniq	resource
time_sleep.wait_time	resource
google_folders.my-org-folders	data source
google_project.selected	data source
google_projects.my-org-projects	data source
google_storage_project_service_account.lw	data source
lacework_metric_module.lwmetrics	data source

Inputs

Name	Description	Type	Default	Required
bucket_force_destroy	Force destroy bucket (if disabled, terraform will not be able do destroy non-empty bucket)	bool	true	no
bucket_labels	Set of labels which will be added to the audit log bucket	map(string)	{}	no
bucket_region	The region where the new bucket will be created, valid values for Multi-regions are (EU, US or ASIA) alternatively you can set a single region or Dual-regions follow the naming convention as outlined in the GCP bucket locations documentation https://cloud.google.com/storage/docs/locations#available-locations|string|US|false|	string	"US"	no
custom_bucket_name	Override prefix based storage bucket name generation with custom name	string	null	no
custom_filter	Customer defined Audit Log filter which will supersede all other filter options when defined	string	""	no
enable_ubla	Boolean for enabling Uniform Bucket Level Access on the audit log bucket. Default is true	bool	true	no
existing_bucket_name	The name of an existing bucket you want to send the logs to	string	""	no
existing_sink_name	The name of an existing sink to be re-used for this integration	string	""	no
folders_to_exclude	List of root folders to exclude in an organization-level integration. Format is 'folders/1234567890'	list(string)	[]	no
folders_to_include	List of root folders to include in an organization-level integration. Format is 'folders/1234567890'	set(string)	[]	no
google_workspace_filter	Filter out Google Workspace login logs from GCP Audit Log sinks. Default is true	bool	true	no
include_root_projects	Enables logic to include root-level projects if excluding folders. Default is true	bool	true	no
k8s_filter	Filter out GKE logs from GCP Audit Log sinks. Default is true	bool	true	no
labels	Set of labels which will be added to the resources managed by the module	map(string)	{}	no
lacework_integration_name	n/a	string	"TF audit_log"	no
lifecycle_rule_age	Number of days to keep audit logs in Lacework GCS bucket before deleting. Leave default to keep indefinitely	number	-1	no
org_integration	If set to true, configure an organization level integration	bool	false	no
organization_id	The organization ID, required if org_integration is set to true	string	""	no
prefix	The prefix that will be use at the beginning of every generated resource	string	"lw-at"	no
project_id	A project ID different from the default defined inside the provider	string	""	no
pubsub_subscription_labels	Set of labels which will be added to the subscription	map(string)	{}	no
pubsub_topic_labels	Set of labels which will be added to the topic	map(string)	{}	no
required_apis	n/a	map(any)	{ "iam": "iam.googleapis.com", "pubsub": "pubsub.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com", "serviceusage": "serviceusage.googleapis.com" }	no
service_account_name	The Service Account name (required when use_existing_service_account is set to true)	string	""	no
service_account_private_key	The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true)	string	""	no
use_existing_service_account	Set this to true to use an existing Service Account	bool	false	no
wait_time	Amount of time to wait before the next resource is provisioned.	string	"10s"	no

Outputs

Name	Description
bucket_name	The storage bucket name
pubsub_topic_name	The PubSub topic name
service_account_name	The Service Account name
service_account_private_key	The private key in JSON format, base64 encoded
sink_name	The sink name