terraform-gcp-config

Terraform module for integrating Google Cloud Platform Organizations and Projects with Lacework for cloud resource configuration assessment.

⚠️ NOTE: When using an existing Service Account, Terraform cannot determine whether a role has already been applied. This means that when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and it will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed. Confirm the exact resource address with `terraform state list` first, then remove it, e.g.:

`terraform state rm 'google_project_iam_binding.for_lacework_service_account'`

Required Roles

roles/browser
roles/iam.securityReviewer
roles/cloudasset.viewer
roles/policyanalyzer.activityAnalysisViewer

One of the following custom roles is also required, depending on the integration level: the Lacework Compliance Role (project-level) or the Lacework Org Compliance Role (organization-level). Both roles include the following permissions:

bigquery.datasets.get
compute.projects.get
pubsub.topics.get
storage.buckets.get
compute.sslPolicies.get

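For customers who set skip_iam_grants and manage IAM as code outside the module, the roles and permissions above have to be in place before the integration is created. The following is an added example, not code from this module or from Lacework, of provisioning the Service Account, the four predefined roles and a project-level custom role carrying exactly the five permissions listed, then handing that account to the module. It assumes a placeholder project id, that the module is consumed from the Terraform registry as lacework/config/gcp (derived from the repository name, not stated on this page), and that service_account_name expects the account id rather than the e-mail address.

```hcl
# Added example (not the module's own code): IAM grants managed outside the
# module, then the module consumed with use_existing_service_account and
# skip_iam_grants. "my-project-id" and the registry source are assumptions.

variable "project_id" {
  type    = string
  default = "my-project-id" # placeholder project id
}

resource "google_service_account" "lacework" {
  project      = var.project_id
  account_id   = "lw-cfg-sa"
  display_name = "Lacework configuration assessment"
}

# Custom role with exactly the permissions the README lists for the
# Lacework Compliance Role (project-level integration).
resource "google_project_iam_custom_role" "lacework_compliance" {
  project = var.project_id
  role_id = "laceworkComplianceRole"
  title   = "Lacework Compliance Role"
  permissions = [
    "bigquery.datasets.get",
    "compute.projects.get",
    "pubsub.topics.get",
    "storage.buckets.get",
    "compute.sslPolicies.get",
  ]
}

locals {
  # The four predefined read-only roles plus the custom role. The custom role
  # path is built from values known at plan time so for_each keys are static.
  lacework_roles = toset([
    "roles/browser",
    "roles/iam.securityReviewer",
    "roles/cloudasset.viewer",
    "roles/policyanalyzer.activityAnalysisViewer",
    "projects/${var.project_id}/roles/${google_project_iam_custom_role.lacework_compliance.role_id}",
  ])
}

# google_project_iam_member is non-authoritative: on destroy it removes only
# this member's binding, so other principals holding the same role are untouched.
resource "google_project_iam_member" "lacework" {
  for_each = local.lacework_roles
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.lacework.email}"
}

# private_key is the JSON key, base64 encoded, which is the format the module's
# service_account_private_key input expects.
resource "google_service_account_key" "lacework" {
  service_account_id = google_service_account.lacework.name
}

module "lacework_gcp_config" {
  source = "lacework/config/gcp" # assumed registry name; pin a version you have validated

  project_id                   = var.project_id
  use_existing_service_account = true
  skip_iam_grants              = true
  service_account_name         = google_service_account.lacework.account_id # assumed: account id, not e-mail
  service_account_private_key  = google_service_account_key.lacework.private_key

  # The module warns that the integration fails if grants are not in place
  # before execution, so order the grants ahead of the module explicitly.
  depends_on = [google_project_iam_member.lacework]
}
```

Because every grant is a google_project_iam_member rather than an authoritative binding, `terraform destroy` on this configuration removes only the Lacework account's own bindings, which sidesteps the role-removal concern described in the note above.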
Required APIs

iam.googleapis.com
cloudkms.googleapis.com
dns.googleapis.com
pubsub.googleapis.com
compute.googleapis.com
logging.googleapis.com
bigquery.googleapis.com
sqladmin.googleapis.com
container.googleapis.com
serviceusage.googleapis.com
cloudresourcemanager.googleapis.com
storage-component.googleapis.com
cloudasset.googleapis.com
essentialcontacts.googleapis.com
policyanalyzer.googleapis.com

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14.0 |
| google | >= 4.4.0 |
| lacework | ~> 2.0 |
| time | ~> 0.6 |

Providers

| Name | Version |
|------|---------|
| google | >= 4.4.0 |
| lacework | ~> 2.0 |
| random | n/a |
| time | ~> 0.6 |

Modules

| Name | Source | Version |
|------|--------|---------|
| lacework_cfg_svc_account | lacework/service-account/gcp | ~> 2.0 |

Resources

| Name | Type |
|------|------|
| google_folder_iam_member.for_lacework_service_account | resource |
| google_organization_iam_custom_role.lacework_custom_organization_role | resource |
| google_organization_iam_member.for_lacework_service_account | resource |
| google_organization_iam_member.lacework_custom_organization_role_binding | resource |
| google_project_iam_custom_role.lacework_custom_project_role | resource |
| google_project_iam_member.for_lacework_service_account | resource |
| google_project_iam_member.for_lacework_service_account_root_projects | resource |
| google_project_iam_member.lacework_custom_project_role_binding | resource |
| google_project_service.required_apis | resource |
| lacework_integration_gcp_cfg.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| google_folders.my-org-folders | data source |
| google_project.selected | data source |
| google_projects.my-org-projects | data source |
| lacework_metric_module.lwmetrics | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| folders_to_exclude | List of root folders to exclude in an organization-level integration. Format is 'folders/1234567890' | set(string) | [] | no |
| folders_to_include | List of root folders to include in an organization-level integration. Format is 'folders/1234567890' | set(string) | [] | no |
| include_root_projects | Enables logic to include root-level projects if excluding folders. Default is true | bool | true | no |
| lacework_integration_name | n/a | string | "TF config" | no |
| org_integration | If set to true, configure an organization level integration | bool | false | no |
| organization_id | The organization ID, required if org_integration is set to true | string | "" | no |
| prefix | The prefix that will be used at the beginning of every generated resource | string | "lw-cfg" | no |
| project_id | A project ID different from the default defined inside the provider | string | "" | no |
| required_config_apis | n/a | map(any) | {"bigquery": "bigquery.googleapis.com", "cloudasset_inventory": "cloudasset.googleapis.com", "compute": "compute.googleapis.com", "containers": "container.googleapis.com", "dns": "dns.googleapis.com", "essentialcontacts": "essentialcontacts.googleapis.com", "iam": "iam.googleapis.com", "kms": "cloudkms.googleapis.com", "logging": "logging.googleapis.com", "policyanalyzer": "policyanalyzer.googleapis.com", "pubsub": "pubsub.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com", "serviceusage": "serviceusage.googleapis.com", "sqladmin": "sqladmin.googleapis.com", "storage_component": "storage-component.googleapis.com"} | no |
| service_account_name | The Service Account name (required when use_existing_service_account is set to true). This can also be used to specify the new service account name when use_existing_service_account is set to false | string | "" | no |
| service_account_private_key | The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true) | string | "" | no |
| skip_iam_grants | Skip generation of custom role, and IAM grants to the Service Account, for customers who use IAM policy-as-code external to the Lacework module. WARNING - integration will fail if grants are not in place prior to execution. 'use_existing_service_account' must also be set to true | bool | false | no |
| use_existing_service_account | Set this to true to use an existing Service Account | bool | false | no |
| wait_time | Amount of time to wait before the next resource is provisioned | string | "10s" | no |
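The inputs above combine into an organization-level integration as follows. This is an added example, not code from this module or from Lacework: it pins the provider versions from the Requirements table, lets the module create the Service Account and IAM grants itself, and scopes the integration by excluding one root folder while keeping root-level projects. The organization id, folder id, host project id and the registry source lacework/config/gcp (derived from the repository name) are all assumptions.

```hcl
# Added example (not the module's own code): organization-level integration
# scoped with folders_to_exclude. All ids below are placeholders.

terraform {
  required_version = ">= 0.14.0"
  required_providers {
    google   = { source = "hashicorp/google", version = ">= 4.4.0" }
    lacework = { source = "lacework/lacework", version = "~> 2.0" }
    time     = { source = "hashicorp/time", version = "~> 0.6" }
  }
}

provider "google" {
  # Project in which the module creates the Service Account; project_id on the
  # module can override this for a different project.
  project = "my-host-project-id" # placeholder
}

provider "lacework" {
  # Account, API key and secret are read from the LW_* environment variables.
}

module "lacework_gcp_org_config" {
  source = "lacework/config/gcp" # assumed registry name; pin a validated version

  lacework_integration_name = "TF config (org)"
  org_integration           = true
  organization_id           = "123456789012" # placeholder organization id

  # Skip one root folder but still assess projects that sit directly under the
  # organization node (include_root_projects only matters when excluding folders).
  folders_to_exclude    = ["folders/1111111111"] # placeholder folder id
  include_root_projects = true

  prefix    = "lw-cfg"
  wait_time = "30s" # optional: a longer pause between resource creations
}

output "lacework_integration_guid" {
  description = "GUID of the created Lacework integration"
  value       = module.lacework_gcp_org_config.lacework_integration_guid
}
```

With org_integration set to true the module creates the organization-scoped resources from the Resources table (the organization custom role and its binding, plus folder-level members for the included folders) and the Service Account only needs the organization-level grants rather than per-project ones.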

Outputs

| Name | Description |
|------|-------------|
| lacework_integration_guid | GUID of the created Lacework integration |
| service_account_name | The Service Account name |
| service_account_private_key | The private key in JSON format, base64 encoded |
