GCP Compliance and Audit Trail Integration - Terraform From Any Supported Host

Lacework integrates with Google Cloud Platform to analyze Cloud Audit Logs and to assess cloud resource configurations at an Organization level or at a per Project level.

Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.

Project level integrations only covers specific projects and any new projects will need to be added as required.

To integrate at an Organization or Project level Lacework requires the following resources be provisioned in Google Cloud:

• Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at an Organization level, it is recommended that a project is created specifically for Lacework resources. When integrating at a project level all required resources for Lacework may be provisioned within the project being integrated.
• Google Storage Bucket - A storage bucket for Stack Driver logs
• Google Pub/Sub Topic - For Cloud Audit Logs events
• Google Logging Sink - To export Cloud Audit Logs to Cloud Storage Bucket
• Service Account for Lacework - A service account will be created to provide Lacework read-only access to Google Cloud Platform with the following roles:
  • Organziation Level Integration
  • roles/resourcemanager.organizationViewer
    • roles/iam.securityReviewer
    • roles/viewer
  • Project Level Integration
    • roles/viewer
    • roles/iam.securityReviewer

For Organization level integrations, follow the steps in Integrate Google Cloud with Lacework at an Organzational Level.

For Project level integrations, follow the steps in Integrate Google Cloud with Lacework at a Project level

Integrate Google Cloud and Lacework using Terraform on Any Supported Host

This document covers integrating Google Cloud with Lacework where Terraform is installed, configured, and run from any supported system (Linux/macOS/Windows). This approach leverages a user account or Google Cloud service account with proper permissions to run Terraform.

The approach outlined in this document is geared towards companies that store Terraform code in source control, and plan to continue to manage the state of the integration between Lacework and Google cloud using Terraform.

These instructions will show you how to get up-and-running with Lacework Terraform modules to integrate Google Cloud and Lacework at either an Organization Level or a per Project Level.

Requirements

• Google Cloud Console - Administrator access to Google Cloud Console is required to create service accounts, grant access, and provision resources
• Lacework Administrator - Org admin, or Account admin access is required to create API keys and configure integrations with Lacework
• Lacework CLI - The Terraform Provider for Lacework leverages the configuration from the Lacework CLI. It is recommended the Lacework CLI is installed and configured
• Terraform - >= 0.12.24, ~> 0.13.x

Integrate Google Cloud with Lacework at an Organzational Level

The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at an Organizational level. Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.

Create a GCP Project using the GCP Console

Before you can execute Terraform you will need to create a GCP Project to provision the required resources for the integration between Google Cloud and Lacework.

1. Log in to the Google Cloud Console.
2. Select the Project drop-down and click NEW PROJECT.
3. Give the project a Project Name, select a Billing Account, select the Organization you are integrating.
4. Click CREATE to create the new project.

Create a Service Account for Terraform

To integrate GCP and Lacework at an Organizational level, Terraform needs a user account or a service account with the following permissions:

• roles/owner
• roles/resourcemanager.organizationAdmin
• roles/logging.configWriter

If you already have a user account configured with these permissions, along with a key configured, you can skip the next section.

Create a Google Cloud Service Account with Project Permissions

The following steps covers how to create a Google Cloud Service Account within the project created for Lacework, and give the Service Account 'Owner' permissions to the project.

1. Log in to the Google Cloud Console.
2. Select the Project created for Lacework Resources.
3. Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
4. Click CREATE SERVICE ACCOUNT.
5. Give the service account a name (i.e. terraform-provisioning) and optionally a description, and click CREATE.
6. Under the section "Grant this service account access to project" give the service account "Owner" permissions to the project.
7. Click SAVE.

Add Google Cloud Service Account to GCP Organization

This section covers adding the Google Cloud Service Account to the GCP Organziation being integrated with Lacework, and adding the required organization level permissions to the Service Account for Terraform to be able to configure the organization being integrated.

1. Select the organization you are going to integrate with Lacework, select IAM from the Navigation Menu, and then click the +ADD button to add a member or role to the organization.
2. Search for the service account then add permissions for Organization Administrator and Logs Configuration Writer.
3. Click SAVE.

Create Service Account Key

To run Terraform locally, you must create and download a key for the service account created in the previous step. This section covers creating a service key and downloading to the local system as a JSON file.

1. Log in to the Google Cloud Console.
2. Select the Project created for Lacework Resources.
3. Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
4. Click on the Actions menu next to the service account.
5. Click Create Key.
6. Select JSON for the format of the key.
7. Click Create to download the key locally.

Run Terraform to integrate GCP at Organization Level

This section covers executing Terraform. It is recommended you use a developer's code editor such as VSCode, or Atom. You will also need a terminal to run terraform commands such as bash, zsh, powershell or cmd

1. Open an EDITOR of choice and create a new file called main.tf.

2. Copy/paste the following code into the main.tf and save the file.

   provider "google" {
     credentials = file("account.json")
     project     = "my-project-id"
   }
   
   provider "lacework" {}
   
   module "gcp_organization_config" {
     source  = "lacework/config/gcp"
     version = "0.1.0"
   
     org_integration = true
     organization_id = "my-organization-id"
   }
   
   module "gcp_organization_audit_log" {
     source  = "lacework/audit-log/gcp"
     version = "0.1.0"
   
     bucket_force_destroy         = true
     org_integration              = true
     use_existing_service_account = true
     service_account_name         = module.gcp_organization_config.service_account_name
     service_account_private_key  = module.gcp_organization_config.service_account_private_key
     organization_id              = "my-organization-id"
   }    

3. Update both the credentials and the project in the provider "google" to reference your credentials file downloaded in the previous section and the Google Project ID.

4. Open a terminal, change the directory to the location where you have saved the main.tf and run the command terraform init to initialize the project.
5. Run terraform plan to review the changes, and then run terraform apply when you are ready to apply the changes.

Validate The Configuration

Once Terraform finishes applying changes, you can use the Lacework CLI or the Lacework Console to validate the integration is working.

To validate the integration with the CLI, open a Terminal and run lacework integrations list (You should see two integrations: GCP_CFG for the Config integration, and GCP_AT_SES for the Audit Trail integration)

To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Integrate Google Cloud with Lacework at a Project level

The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at a Project level.

In this method Terraform provisions all of the required resources in the project being integrated into Lacework.

Create a Service Account for Terraform

To integrate GCP and Lacework at a Project level Terraform needs a service account with the following permissions in the Project being integrated:

• roles/owner

If you already have an account configured with these permissions you can skip the next section.

Creating a Service Account using the GCP Console

This section covers creating a Google Cloud Service Account with the required permissions to integrate Lacework at a Project level.

1. Log in to the Google Cloud Console.
2. Select the Project being integrated with Lacework.
3. Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
4. Click CREATE SERVICE ACCOUNT.
5. Give the service account a name (i.e. terraform-provisioning) and optionally a description, and click CREATE.
6. Under the section "Grant this service account access to project" give the service account "Owner" permissions to the project.
7. Click SAVE.

Create Service Account Key

This section covers creating a service key and downloading to the local system as a JSON file

1. Log in to the Google Cloud Console.
2. Select the Project being integrated with Lacework.
3. Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
4. Locate the Service Account created for Terraform and click on the Actions menu next to the service account.
5. Click Create Key.
6. Select JSON for the format of the key.
7. Click Create to download the key locally.

Run Terraform to integrate GCP at Project Level

This section covers executing Terraform. It is recommended you use a developer's code editor such as VSCode, Atom, or Sublime. You will also need a terminal to run terraform commands such as bash, zsh, powershell, or cmd.

1. Open an EDITOR of choice and create a new file called main.tf.

2. Copy/paste the following code into the main.tf and save the file

   provider "google" {
     credentials = file("account.json")
     project     = "my-project-id"
   }
   
   provider "lacework" {}
   
   module "gcp_project_config" {
     source  = "lacework/config/gcp"
     version = "0.1.0"
   }
   
   module "gcp_project_audit_log" {
     source  = "lacework/audit-log/gcp"
     version = "0.1.0"
   
     bucket_force_destroy         = true
     use_existing_service_account = true
     service_account_name         = module.gcp_project_config.service_account_name
     service_account_private_key  = module.gcp_project_config service_account_private_key
   }    

3. Update both the credentials and the project in the provider "google" to reference your credentials file downloaded in the previous section and the Google Project ID.

4. Open a terminal, change the directory to the location where you have saved the main.tf and run the command terraform init to initialize the project.
5. Run terraform plan to review the changes, and then run terraform apply when you are ready to apply the changes.

Validate The Configuration

Once Terraform finishes applying changes, you can use the Lacework CLI or the Lacework Console to validate the integration is working.

To validate the integration with the CLI, open a Terminal and run lacework integrations list (You should see two integrations: GCP_CFG for the Config integration, and GCP_AT_SES for the Audit Trail integration)

To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.