Terraform module for integrating Google Cloud Platform Organizations and Projects with Lacework for cloud resource configuration assessment.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed. For example:

```shell
terraform state rm 'google_project_iam_binding.for_lacework_service_account'
```
The service account is granted the following predefined roles:

- roles/browser
- roles/iam.securityReviewer
- roles/cloudasset.viewer
- roles/policyanalyzer.activityAnalysisViewer

One of the following custom roles is also required, depending on the integration level:

- Lacework Compliance Role
- Lacework Org Compliance Role

Both roles include the following permissions:

- bigquery.datasets.get
- compute.projects.get
- pubsub.topics.get
- storage.buckets.get
- compute.sslPolicies.get

The following APIs are required by the integration and are enabled by the module (see the `required_config_apis` input and the `google_project_service.required_apis` resource):

- iam.googleapis.com
- cloudkms.googleapis.com
- dns.googleapis.com
- pubsub.googleapis.com
- compute.googleapis.com
- logging.googleapis.com
- bigquery.googleapis.com
- sqladmin.googleapis.com
- container.googleapis.com
- serviceusage.googleapis.com
- cloudresourcemanager.googleapis.com
- storage-component.googleapis.com
- cloudasset.googleapis.com
- essentialcontacts.googleapis.com
- policyanalyzer.googleapis.com
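
As an added pre-flight check (example code, not part of the module or its README), the following Python verifies from saved `gcloud` JSON output that an existing service account already holds the predefined roles, custom-role permissions and enabled APIs listed above before `skip_iam_grants` is set to true, which the inputs below warn will otherwise make the integration fail. The project, service-account and custom-role names in the sample data are constructed.

```python
# Pre-flight check for skip_iam_grants = true (added example, not module code).
# Compares a service account's IAM bindings and a project's enabled services
# against the lists above, using the JSON shapes `gcloud` emits for
# `get-iam-policy` and `services list --enabled`.
REQUIRED_ROLES = {"roles/browser", "roles/iam.securityReviewer",
                  "roles/cloudasset.viewer",
                  "roles/policyanalyzer.activityAnalysisViewer"}
CUSTOM_ROLE_PERMS = {"bigquery.datasets.get", "compute.projects.get",
                     "pubsub.topics.get", "storage.buckets.get",
                     "compute.sslPolicies.get"}
REQUIRED_APIS = {f"{n}.googleapis.com" for n in (
    "iam", "cloudkms", "dns", "pubsub", "compute", "logging", "bigquery",
    "sqladmin", "container", "serviceusage", "cloudresourcemanager",
    "storage-component", "cloudasset", "essentialcontacts", "policyanalyzer")}

def roles_for_member(policy: dict, member: str) -> set:
    # Unconditional bindings only: the module grants without conditions, and a
    # conditional grant may not hold when Lacework reads a given resource.
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", []) and "condition" not in b}

def missing_grants(policy: dict, custom_roles: dict, member: str) -> dict:
    # custom_roles maps a custom role name to its includedPermissions list.
    held = roles_for_member(policy, member)
    perms = set().union(*(custom_roles.get(r, []) for r in held))
    return {"roles": REQUIRED_ROLES - held,
            "permissions": CUSTOM_ROLE_PERMS - perms}

def missing_apis(services: list) -> set:
    # Items from `gcloud services list --enabled --format=json` carry config.name.
    return REQUIRED_APIS - {s["config"]["name"] for s in services}

# Constructed sample (hypothetical project, SA and custom role): one predefined
# role is granted only conditionally, the custom role lacks a permission, and
# the Cloud Asset API is not enabled.
SA = "serviceAccount:lw-cfg-example@example-project.iam.gserviceaccount.com"
SAMPLE_POLICY = {"bindings": [
    {"role": "roles/browser", "members": [SA]},
    {"role": "roles/iam.securityReviewer", "members": [SA]},
    {"role": "roles/cloudasset.viewer", "members": [SA]},
    {"role": "roles/policyanalyzer.activityAnalysisViewer", "members": [SA],
     "condition": {"title": "temp",
                   "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
    {"role": "projects/example-project/roles/lacework_compliance", "members": [SA]}]}
SAMPLE_CUSTOM_ROLES = {"projects/example-project/roles/lacework_compliance": [
    "bigquery.datasets.get", "compute.projects.get", "pubsub.topics.get",
    "storage.buckets.get"]}
SAMPLE_SERVICES = [{"config": {"name": api}} for api in
                   sorted(REQUIRED_APIS - {"cloudasset.googleapis.com"})]
```

Run `missing_grants(SAMPLE_POLICY, SAMPLE_CUSTOM_ROLES, SA)` and `missing_apis(SAMPLE_SERVICES)` against real `gcloud` output; any non-empty set means the grants are not in place and `skip_iam_grants` should stay false.
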

Name | Version |
---|---|
terraform | >= 0.14.0 |
google | >= 4.4.0 |
lacework | ~> 2.0 |
time | ~> 0.6 |

Name | Version |
---|---|
google | >= 4.4.0 |
lacework | ~> 2.0 |
random | n/a |
time | ~> 0.6 |

Name | Source | Version |
---|---|---|
lacework_cfg_svc_account | lacework/service-account/gcp | ~> 2.0 |

Name | Type |
---|---|
google_folder_iam_member.for_lacework_service_account | resource |
google_organization_iam_custom_role.lacework_custom_organization_role | resource |
google_organization_iam_member.for_lacework_service_account | resource |
google_organization_iam_member.lacework_custom_organization_role_binding | resource |
google_project_iam_custom_role.lacework_custom_project_role | resource |
google_project_iam_member.for_lacework_service_account | resource |
google_project_iam_member.for_lacework_service_account_root_projects | resource |
google_project_iam_member.lacework_custom_project_role_binding | resource |
google_project_service.required_apis | resource |
lacework_integration_gcp_cfg.default | resource |
random_id.uniq | resource |
time_sleep.wait_time | resource |
google_folders.my-org-folders | data source |
google_project.selected | data source |
google_projects.my-org-projects | data source |
lacework_metric_module.lwmetrics | data source |

Name | Description | Type | Default | Required |
---|---|---|---|---|
folders_to_exclude | List of root folders to exclude in an organization-level integration. Format is 'folders/1234567890' | set(string) | [] | no |
folders_to_include | List of root folders to include in an organization-level integration. Format is 'folders/1234567890' | set(string) | [] | no |
include_root_projects | Enables logic to include root-level projects if excluding folders. Default is true | bool | true | no |
lacework_integration_name | n/a | string | "TF config" | no |
org_integration | If set to true, configure an organization level integration | bool | false | no |
organization_id | The organization ID, required if org_integration is set to true | string | "" | no |
prefix | The prefix that will be used at the beginning of every generated resource | string | "lw-cfg" | no |
project_id | A project ID different from the default defined inside the provider | string | "" | no |
required_config_apis | n/a | map(any) | { | no |
service_account_name | The Service Account name (required when use_existing_service_account is set to true). This can also be used to specify the new service account name when use_existing_service_account is set to false | string | "" | no |
service_account_private_key | The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true) | string | "" | no |
skip_iam_grants | Skip generation of custom role, and IAM grants to the Service Account, for customers who use IAM policy-as-code external to the Lacework module. WARNING - integration will fail if grants are not in place prior to execution. 'use_existing_service_account' must also be set to true | bool | false | no |
use_existing_service_account | Set this to true to use an existing Service Account | bool | false | no |
wait_time | Amount of time to wait before the next resource is provisioned | string | "10s" | no |

Name | Description |
---|---|
lacework_integration_guid | GUID of the created Lacework integration |
service_account_name | The Service Account name |
service_account_private_key | The private key in JSON format, base64 encoded |