GCP Compliance and Audit Trail Integration - Terraform From Any Supported Host

This article covers running Terraform from any host supported by Terraform to integrate Google Cloud environments with Lacework for configuration assessment, and Google Audit Log analysis.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

The pattern described within this article is suitable for organizations that plan to continuously run Terraform configuration using a CI/CD pipeline, and/or storing Terraform state.

Lacework also supports running Terraform from Google Cloud Shell, which is more suited for one off integrations. For more information check out the article GCP Compliance and Audit Trail Integration - Terraform Using Google Cloud Shell.

Lacework Google Cloud Integration Overview

Lacework integrates with Google Cloud Platform to analyze Cloud Audit Logs and to assess cloud resource configurations at an Organization level or at a per Project level.

Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.

Project level integrations only covers specific projects and any new projects will need to be added as required.

To integrate at an Organization or Project level Lacework requires the following resources be provisioned in Google Cloud:

• Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at an Organization level, it is recommended that a project is created specifically for Lacework resources. When integrating at a project level all required resources for Lacework may be provisioned within the project being integrated.
• Google Storage Bucket - A storage bucket for Stack Driver logs
• Google Pub/Sub Topic - For Cloud Audit Logs events
• Google Logging Sink - To export Cloud Audit Logs to Cloud Storage Bucket
• Service Account for Lacework - A service account will be created to provide Lacework read-only access to Google Cloud Platform with the following roles:
  • Organziation Level Integration
  • roles/resourcemanager.organizationViewer
    • roles/iam.securityReviewer
    • roles/viewer
  • Project Level Integration
    • roles/viewer
    • roles/iam.securityReviewer

For Organization level integrations, follow the steps in Integrate Google Cloud with Lacework at an Organzational Level.

For Project level integrations, follow the steps in Integrate Google Cloud with Lacework at a Project level

Module Dependencies

Lacework Terraform modules for GCP have the following dependencies that will be installed when running terraform init:

• google
• random
• time

For detailed information on these dependencies, visit Lacework on the Terraform Registry.

Integrate Google Cloud and Lacework using Terraform on Any Supported Host

This document covers integrating Google Cloud with Lacework where Terraform is installed, configured, and run from any supported system (Linux/macOS/Windows). This approach leverages a user account or Google Cloud service account with proper permissions to run Terraform.

The approach outlined in this document is geared towards companies that store Terraform code in source control, and plan to continue to manage the state of the integration between Lacework and Google cloud using Terraform.

These instructions will show you how to get up-and-running with Lacework Terraform modules to integrate Google Cloud and Lacework at either an Organization Level or a per Project Level.

Requirements

• Google Cloud Console - Administrator access to Google Cloud Console is required to create service accounts, grant access, and provision resources
• Lacework Administrator - Org admin, or Account admin access is required to create API keys and configure integrations with Lacework
• Lacework CLI - The Terraform Provider for Lacework leverages the configuration from the Lacework CLI. It is recommended the Lacework CLI is installed and configured
• Terraform - >= 0.12.31, ~> 0.13, ~> 0.14, ~> 0.15

Integrate Google Cloud with Lacework at an Organzational Level

The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at an Organizational level. Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.

Create a GCP Project using the GCP Console

Before you can execute Terraform you will need to create a GCP Project to provision the required resources for the integration between Google Cloud and Lacework.

1. Log in to the Google Cloud Console.
2. Select the Project drop-down and click NEW PROJECT.
3. Give the project a Project Name, select a Billing Account, select the Organization you are integrating.
4. Click CREATE to create the new project.

Create a Service Account for Terraform

To integrate GCP and Lacework at an Organizational level, Terraform needs a user account or a service account with the following permissions:

• roles/owner
• roles/resourcemanager.organizationAdmin
• roles/logging.configWriter

If you already have a user account configured with these permissions, along with a key configured, you can skip the next section.

Create a Google Cloud Service Account with Project Permissions

The following steps covers how to create a Google Cloud Service Account within the project created for Lacework, and give the Service Account 'Owner' permissions to the project.

1. Log in to the Google Cloud Console.
2. Select the Project created for Lacework Resources.
3. Click on the Navigation Menu and select IAM & Admin > Service Accounts.
4. Click CREATE SERVICE ACCOUNT.
5. Give the service account a name (i.e. terraform-provisioning) and optionally a description, and click CREATE.
6. Under the section "Grant this service account access to project" give the service account "Owner" permissions to the project.
7. Click SAVE.

Add Google Cloud Service Account to GCP Organization

This section covers adding the Google Cloud Service Account to the GCP Organziation being integrated with Lacework, and adding the required organization level permissions to the Service Account for Terraform to be able to configure the organization being integrated.

1. Select the organization you are going to integrate with Lacework, select IAM from the Navigation Menu, and then click the +ADD button to add a member or role to the organization.
2. Search for the service account then add permissions for Organization Administrator and Logs Configuration Writer.
3. Click SAVE.

Create Service Account Key

To run Terraform locally, you must create and download a key for the service account created in the previous step. This section covers creating a service key and downloading to the local system as a JSON file.

1. Log in to the Google Cloud Console.
2. Select the Project created for Lacework Resources.
3. Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
4. Click on the Actions menu next to the service account.
5. Click Create Key.
6. Select JSON for the format of the key.
7. Click Create to download the key locally.

Run Terraform to integrate GCP at Organization Level

This section covers executing Terraform. It is recommended you use a developer's code editor such as VSCode, or Atom. You will also need a terminal to run terraform commands such as bash, zsh, powershell or cmd

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "~> 0.5"
    }
  }
}

provider "google" {
  credentials = file("account.json")
  project     = "my-project-id"
}

provider "lacework" {}

module "gcp_organization_config" {
  source  = "lacework/config/gcp"
  version = "~> 1.0"

  org_integration = true
  organization_id = "my-organization-id"
}

module "gcp_organization_audit_log" {
  source  = "lacework/audit-log/gcp"
  version = "~> 2.0"

  bucket_force_destroy         = true
  org_integration              = true
  use_existing_service_account = true
  service_account_name         = module.gcp_organization_config.service_account_name
  service_account_private_key  = module.gcp_organization_config.service_account_private_key
  organization_id              = "my-organization-id"
}

1. Open an Editor and create a new file called main.tf.
2. Copy/paste the code above into the main.tf and save the file.
3. Update both the credentials and the project in the provider "google" to reference your credentials file downloaded in the previous section and the Google Project ID.
4. Open a terminal, change the directory to the location where you have saved the main.tf and run the command terraform init to initialize the project.
5. Run terraform plan to review the changes, and then run terraform apply when you are ready to apply the changes.

Note: Lacework Terraform modules provide a number of inputs for customization. Visit the documentation on the Terraform Registry for the complete list of inputs for each module.

Validate The Configuration

Once Terraform finishes applying changes, you can use the Lacework CLI or the Lacework Console to validate the integration is working.

To validate the integration with the CLI, open a Terminal and run lacework integrations list (You should see two integrations: GCP_CFG for the Config integration, and GCP_AT_SES for the Audit Trail integration)

To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Integrate Google Cloud with Lacework at a Project level

The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at a Project level.

In this method Terraform provisions all of the required resources in the project being integrated into Lacework.

Create a Service Account for Terraform

To integrate GCP and Lacework at a Project level Terraform needs a service account with the following permissions in the Project being integrated:

• roles/owner

If you already have an account configured with these permissions you can skip the next section.

Creating a Service Account using the GCP Console

This section covers creating a Google Cloud Service Account with the required permissions to integrate Lacework at a Project level.

1. Log in to the Google Cloud Console.
2. Select the Project being integrated with Lacework.
3. Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
4. Click CREATE SERVICE ACCOUNT.
5. Give the service account a name (i.e. terraform-provisioning) and optionally a description, and click CREATE.
6. Under the section "Grant this service account access to project" give the service account "Owner" permissions to the project.
7. Click SAVE.

Create Service Account Key

This section covers creating a service key and downloading to the local system as a JSON file

1. Log in to the Google Cloud Console.
2. Select the Project being integrated with Lacework.
3. Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
4. Locate the Service Account created for Terraform and click on the Actions menu next to the service account.
5. Click Create Key.
6. Select JSON for the format of the key.
7. Click Create to download the key locally.

Run Terraform to integrate GCP at Project Level

This section covers executing Terraform. It is recommended you use a developer's code editor such as VSCode, Atom, or Sublime. You will also need a terminal to run terraform commands such as bash, zsh, powershell, or cmd.

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "~> 0.5"
    }
  }
}

provider "google" {
  credentials = file("account.json")
  project     = "my-project-id"
}

provider "lacework" {}

module "gcp_project_config" {
  source  = "lacework/config/gcp"
  version = "~> 1.0"
}

module "gcp_project_audit_log" {
  source  = "lacework/audit-log/gcp"
  version = "~> 2.0"

  bucket_force_destroy         = true
  use_existing_service_account = true
  service_account_name         = module.gcp_project_config.service_account_name
  service_account_private_key  = module.gcp_project_config.service_account_private_key
}

1. Open an Editor and create a new file called main.tf.
2. Copy/paste the code above into the main.tf and save the file
3. Update both the credentials and the project in the provider "google" to reference your credentials file downloaded in the previous section and the Google Project ID.
4. Open a terminal, change the directory to the location where you have saved the main.tf and run the command terraform init to initialize the project.
5. Run terraform plan to review the changes, and then run terraform apply when you are ready to apply the changes.

Note: Lacework Terraform modules provide a number of inputs for customization. Visit the documentation on the Terraform Registry for the complete list of inputs for each module

Validate The Configuration

Once Terraform finishes applying changes, you can use the Lacework CLI or the Lacework Console to validate the integration is working.

To validate the integration with the CLI, open a Terminal and run lacework integrations list (You should see two integrations: GCP_CFG for the Config integration, and GCP_AT_SES for the Audit Trail integration)

To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Configure Multiple Projects with Terraform

If you plan to continue to integrate GCP Projects with Lacework individually, it may be helpful to leverage the Terraform for_each meta-argument and pass a map of projects.

The following code snippet provides an example of using the Terraform for_each meta-argument to configure mulitple GCP Projects with the same config and audit_log module blocks:

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "~> 0.5"
    }
  }
}

variable "projects" {
  description = "Map of projects to configuration with Lacework."
  type        = map
  default     = {
    project-id-1 = "my project 1",
    project-id-2 = "my project 2"
  }
}
provider "google" {}

provider "lacework" {}

module "gcp_project_config" {
  source     = "lacework/config/gcp"
  version    = "~> 1.0"
  for_each   = var.projects
  project_id = each.key

  lacework_integration_name = each.value 
}

module "audit_log" {
  source  = "lacework/audit-log/gcp"
  version = "~> 2.0"

  bucket_force_destroy         = true
  use_existing_service_account = true

  for_each   = var.projects
  project_id = each.value
  service_account_name         = module.gcp_project_config[each.key].service_account_name
  service_account_private_key  = module.gcp_project_config[each.key].service_account_private_key
}

For more information on using for_each meta-argument, visit the Terraform documentation site.