terraform-gcp-audit-log


Terraform module for configuring an integration with Google Cloud Platform Organizations and Projects for Audit Logs analysis.

⚠️ - NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied. This means when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and this will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed, e.g.:

`terraform state rm 'google_project_iam_binding.for_lacework_service_account'`

Required Roles

roles/storage.objectViewer

Required APIs

iam.googleapis.com
pubsub.googleapis.com
serviceusage.googleapis.com
cloudresourcemanager.googleapis.com

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.15.1 |
| google | >= 4.4.0 |
| lacework | ~> 2.0 |
| time | ~> 0.6 |

Providers

| Name | Version |
|------|---------|
| google | >= 4.4.0 |
| lacework | ~> 2.0 |
| random | n/a |
| time | ~> 0.6 |

Modules

| Name | Source | Version |
|------|--------|---------|
| lacework_at_svc_account | lacework/service-account/gcp | ~> 2.0 |

Resources

| Name | Type |
|------|------|
| google_logging_folder_sink.lacework_folder_sink | resource |
| google_logging_organization_sink.lacework_organization_sink | resource |
| google_logging_project_sink.lacework_project_sink | resource |
| google_logging_project_sink.lacework_root_project_sink | resource |
| google_organization_iam_member.for_lacework_service_account | resource |
| google_project_iam_member.for_lacework_service_account | resource |
| google_project_service.required_apis | resource |
| google_pubsub_subscription.lacework_subscription | resource |
| google_pubsub_subscription_iam_binding.lacework | resource |
| google_pubsub_topic.lacework_topic | resource |
| google_pubsub_topic_iam_binding.topic_publisher | resource |
| google_storage_bucket.lacework_bucket | resource |
| google_storage_bucket_iam_binding.policies | resource |
| google_storage_notification.lacework_notification | resource |
| lacework_integration_gcp_at.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| google_folders.my-org-folders | data source |
| google_project.selected | data source |
| google_projects.my-org-projects | data source |
| google_storage_project_service_account.lw | data source |
| lacework_metric_module.lwmetrics | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| bucket_force_destroy | Force destroy bucket (if disabled, Terraform will not be able to destroy a non-empty bucket) | `bool` | `true` | no |
| bucket_labels | Set of labels which will be added to the audit log bucket | `map(string)` | `{}` | no |
| bucket_region | The region where the new bucket will be created. Valid values for multi-regions are EU, US or ASIA; alternatively you can set a single region or a dual-region, following the naming convention outlined in the GCP bucket locations documentation: https://cloud.google.com/storage/docs/locations#available-locations | `string` | `"US"` | no |
| custom_bucket_name | Override prefix-based storage bucket name generation with a custom name | `string` | `null` | no |
| custom_filter | Customer-defined Audit Log filter which will supersede all other filter options when defined | `string` | `""` | no |
| enable_ubla | Boolean for enabling Uniform Bucket Level Access on the audit log bucket. Default is true | `bool` | `true` | no |
| existing_bucket_name | The name of an existing bucket you want to send the logs to | `string` | `""` | no |
| existing_sink_name | The name of an existing sink to be re-used for this integration | `string` | `""` | no |
| folders_to_exclude | List of root folders to exclude in an organization-level integration. Format is 'folders/1234567890' | `list(string)` | `[]` | no |
| folders_to_include | List of root folders to include in an organization-level integration. Format is 'folders/1234567890' | `set(string)` | `[]` | no |
| google_workspace_filter | Filter out Google Workspace login logs from GCP Audit Log sinks. Default is true | `bool` | `true` | no |
| include_root_projects | Enables logic to include root-level projects if excluding folders. Default is true | `bool` | `true` | no |
| k8s_filter | Filter out GKE logs from GCP Audit Log sinks. Default is true | `bool` | `true` | no |
| labels | Set of labels which will be added to the resources managed by the module | `map(string)` | `{}` | no |
| lacework_integration_name | n/a | `string` | `"TF audit_log"` | no |
| lifecycle_rule_age | Number of days to keep audit logs in the Lacework GCS bucket before deleting. Leave default to keep indefinitely | `number` | `-1` | no |
| org_integration | If set to true, configure an organization-level integration | `bool` | `false` | no |
| organization_id | The organization ID, required if org_integration is set to true | `string` | `""` | no |
| prefix | The prefix that will be used at the beginning of every generated resource | `string` | `"lw-at"` | no |
| project_id | A project ID different from the default defined inside the provider | `string` | `""` | no |
| pubsub_subscription_labels | Set of labels which will be added to the subscription | `map(string)` | `{}` | no |
| pubsub_topic_labels | Set of labels which will be added to the topic | `map(string)` | `{}` | no |
| required_apis | n/a | `map(any)` | `{"iam": "iam.googleapis.com", "pubsub": "pubsub.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com", "serviceusage": "serviceusage.googleapis.com"}` | no |
| service_account_name | The Service Account name (required when use_existing_service_account is set to true) | `string` | `""` | no |
| service_account_private_key | The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true) | `string` | `""` | no |
| use_existing_service_account | Set this to true to use an existing Service Account | `bool` | `false` | no |
| wait_time | Amount of time to wait before the next resource is provisioned | `string` | `"10s"` | no |

Outputs

| Name | Description |
|------|-------------|
| bucket_name | The storage bucket name |
| pubsub_topic_name | The PubSub topic name |
| service_account_name | The Service Account name |
| service_account_private_key | The private key in JSON format, base64 encoded |
| sink_name | The sink name |
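An added usage example, not taken from the module's own README: an organization-level integration that excludes two folders but keeps root-level projects, leaves the GKE and Google Workspace noise filters on, expires log objects after 90 days, and refuses to destroy a non-empty bucket. The module source `lacework/audit-log/gcp` is assumed from the registry naming convention for a repository called terraform-gcp-audit-log (compare `lacework/service-account/gcp` above); the organization, folder and project IDs are placeholders.

```hcl
terraform {
  required_version = ">= 0.15.1"
  required_providers {
    google   = { source = "hashicorp/google", version = ">= 4.4.0" }
    lacework = { source = "lacework/lacework", version = "~> 2.0" }
    time     = { source = "hashicorp/time", version = "~> 0.6" }
  }
}

provider "google" {
  project = "my-audit-project" # placeholder: project that will own the sink, bucket and topic
}

# Lacework credentials come from the environment or the provider's profile file,
# never from this configuration file.
provider "lacework" {}

module "gcp_organization_audit_log" {
  source = "lacework/audit-log/gcp" # assumed registry address for terraform-gcp-audit-log
  # version = "x.y.z"                # pin to the release you have reviewed

  org_integration = true
  organization_id = "123456789012" # placeholder organization ID

  # Scope: drop two sandbox folders, but still ingest projects parented directly by the org.
  folders_to_exclude    = ["folders/111111111111", "folders/222222222222"] # placeholders
  include_root_projects = true

  # Noise reduction: both default to true; shown explicitly so the choice is reviewable.
  k8s_filter              = true
  google_workspace_filter = true

  # Retention: delete objects after 90 days instead of the default -1 (keep forever).
  lifecycle_rule_age = 90

  # Bucket hardening: uniform bucket-level access on, and no destroy of a bucket
  # that still holds audit evidence.
  enable_ubla          = true
  bucket_force_destroy = false
  bucket_region        = "US"

  prefix = "lw-at"
  labels = { owner = "security", managed_by = "terraform" }
}

output "audit_log_bucket" {
  value = module.gcp_organization_audit_log.bucket_name
}

output "audit_log_sink" {
  value = module.gcp_organization_audit_log.sink_name
}
```

With `bucket_force_destroy = false`, `terraform destroy` fails on the bucket until its objects are removed deliberately, which is the behaviour you want for a bucket that is itself an audit record.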