This article covers running Terraform from any host supported by Terraform to integrate Google Cloud environments with Lacework for configuration assessment, and Google Audit Log analysis.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.
The pattern described in this article is suitable for organizations that plan to run Terraform configuration continuously from a CI/CD pipeline and/or to store Terraform state.
Lacework also supports running Terraform from Google Cloud Shell, which is better suited to one-off integrations. For more information, see the article GCP Compliance and Audit Trail Integration - Terraform Using Google Cloud Shell.
Lacework Google Cloud Integration Overview
Lacework integrates with Google Cloud Platform to analyze Cloud Audit Logs and to assess cloud resource configurations at an Organization level or at a per Project level.
Organization level integrations cover all of the existing projects in the organization and automatically add any new projects created after the initial integration.
Project level integrations cover only the specified projects; any new projects must be added individually as required.
To integrate at an Organization or Project level Lacework requires the following resources be provisioned in Google Cloud:
- Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at an Organization level, it is recommended that a project is created specifically for Lacework resources. When integrating at a project level all required resources for Lacework may be provisioned within the project being integrated.
- Google Storage Bucket - A storage bucket for Stack Driver logs
- Google Pub/Sub Topic - For Cloud Audit Logs events
- Google Logging Sink - To export Cloud Audit Logs to Cloud Storage Bucket
- Service Account for Lacework - A service account will be created to provide Lacework read-only access to Google Cloud Platform with the following roles:
  - Organization Level Integration: roles/resourcemanager.organizationViewer, roles/iam.securityReviewer, roles/viewer
  - Project Level Integration: roles/viewer, roles/iam.securityReviewer
For Organization level integrations, follow the steps in Integrate Google Cloud with Lacework at an Organizational Level.
For Project level integrations, follow the steps in Integrate Google Cloud with Lacework at a Project Level.
Integrate Google Cloud and Lacework using Terraform on Any Supported Host
This document covers integrating Google Cloud with Lacework where Terraform is installed, configured, and run from any supported system (Linux/macOS/Windows). This approach leverages a user account or Google Cloud service account with proper permissions to run Terraform.
The approach outlined in this document is geared towards companies that store Terraform code in source control, and plan to continue to manage the state of the integration between Lacework and Google cloud using Terraform.
These instructions will show you how to get up-and-running with Lacework Terraform modules to integrate Google Cloud and Lacework at either an Organization Level or a per Project Level.
Requirements
- Google Cloud Console - Administrator access to Google Cloud Console is required to create service accounts, grant access, and provision resources
- Lacework Administrator - Org admin, or Account admin access is required to create API keys and configure integrations with Lacework
- Lacework CLI - The Terraform Provider for Lacework leverages the configuration from the Lacework CLI. It is recommended that the Lacework CLI is installed and configured.
- Terraform - >= 0.12.24, ~> 0.13.x
Integrate Google Cloud with Lacework at an Organizational Level
The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at an Organizational level. Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.
Create a GCP Project using the GCP Console
Before you can execute Terraform you will need to create a GCP Project to provision the required resources for the integration between Google Cloud and Lacework.
- Log in to the Google Cloud Console.
- Select the Project drop-down and click NEW PROJECT.
- Give the project a Project Name, select a Billing Account, select the Organization you are integrating.
- Click CREATE to create the new project.
Create a Service Account for Terraform
To integrate GCP and Lacework at an Organizational level, Terraform needs a user account or a service account with the following permissions:
- roles/owner
- roles/resourcemanager.organizationAdmin
- roles/logging.configWriter
If you already have a user account configured with these permissions, along with a key configured, you can skip the next section.
Create a Google Cloud Service Account with Project Permissions
The following steps cover how to create a Google Cloud Service Account within the project created for Lacework, and give the Service Account "Owner" permissions to the project.
- Log in to the Google Cloud Console.
- Select the Project created for Lacework Resources.
- Click on the Navigation Menu and select IAM & Admin > Service Accounts.
- Click CREATE SERVICE ACCOUNT.
- Give the service account a name (e.g. terraform-provisioning) and optionally a description, and click CREATE.
- Under the section "Grant this service account access to project" give the service account "Owner" permissions to the project.
- Click SAVE.
Add Google Cloud Service Account to GCP Organization
This section covers adding the Google Cloud Service Account to the GCP Organization being integrated with Lacework, and granting the Service Account the organization level permissions Terraform needs to configure that organization.
- Select the organization you are going to integrate with Lacework, select IAM from the Navigation Menu, and then click the +ADD button to add a member or role to the organization.
- Search for the service account then add permissions for Organization Administrator and Logs Configuration Writer.
- Click SAVE.
Create Service Account Key
To run Terraform locally, you must create and download a key for the service account created in the previous step. This section covers creating a service key and downloading it to the local system as a JSON file.
- Log in to the Google Cloud Console.
- Select the Project created for Lacework Resources.
- Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
- Click on the Actions menu next to the service account.
- Click Create Key.
- Select JSON for the format of the key.
- Click Create to download the key locally.
Run Terraform to integrate GCP at Organization Level
This section covers executing Terraform. It is recommended you use a developer's code editor such as VSCode or Atom. You will also need a terminal to run terraform commands, such as bash, zsh, powershell or cmd.

```hcl
terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 0.2.7"
    }
  }
}

# Point credentials at the service account key downloaded above and
# project at the project created for the Lacework resources.
provider "google" {
  credentials = file("account.json")
  project     = "my-project-id"
}

# Uses the profile configured with the Lacework CLI.
provider "lacework" {}

module "gcp_organization_config" {
  source          = "lacework/config/gcp"
  version         = "~> 0.1.1"
  org_integration = true
  organization_id = "my-organization-id"
}

# Reuse the read-only service account created by the config module.
module "gcp_organization_audit_log" {
  source                       = "lacework/audit-log/gcp"
  version                      = "~> 0.1.1"
  bucket_force_destroy         = true
  org_integration              = true
  use_existing_service_account = true
  service_account_name         = module.gcp_organization_config.service_account_name
  service_account_private_key  = module.gcp_organization_config.service_account_private_key
  organization_id              = "my-organization-id"
}
```
- Open an editor and create a new file called `main.tf`.
- Copy/paste the code above into `main.tf` and save the file.
- Update both the `credentials` and the `project` in the `provider "google"` block to reference the credentials file downloaded in the previous section and the Google Project ID.
- Open a terminal, change the directory to the location where you saved `main.tf`, and run the command `terraform init` to initialize the project.
- Run `terraform plan` to review the changes, and then run `terraform apply` when you are ready to apply the changes.
Note: Lacework Terraform modules provide a number of inputs for customization. Visit the documentation on the Terraform Registry for the complete list of inputs for each module.
Validate The Configuration
Once Terraform finishes applying changes, you can use the Lacework CLI or the Lacework Console to validate the integration is working.
To validate the integration with the CLI, open a terminal and run `lacework integrations list`. You should see two integrations: GCP_CFG for the Config integration, and GCP_AT_SES for the Audit Trail integration.
To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Integrate Google Cloud with Lacework at a Project level
The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at a Project level.
In this method Terraform provisions all of the required resources in the project being integrated into Lacework.
Create a Service Account for Terraform
To integrate GCP and Lacework at a Project level, Terraform needs a service account with the following permissions in the Project being integrated:
- roles/owner
If you already have an account configured with these permissions you can skip the next section.
Creating a Service Account using the GCP Console
This section covers creating a Google Cloud Service Account with the required permissions to integrate Lacework at a Project level.
- Log in to the Google Cloud Console.
- Select the Project being integrated with Lacework.
- Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
- Click CREATE SERVICE ACCOUNT.
- Give the service account a name (e.g. terraform-provisioning) and optionally a description, and click CREATE.
- Under the section "Grant this service account access to project" give the service account "Owner" permissions to the project.
- Click SAVE.
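Before running Terraform, it is worth confirming that the service account actually holds the roles listed in the Organization level and Project level sections above, rather than discovering a gap halfway through `terraform apply`. The following pre-flight check is an added example, not part of this article or the Lacework modules; it reads the JSON printed by `gcloud projects get-iam-policy` or `gcloud organizations get-iam-policy`, and the service-account name, project ID and sample policies in it are placeholders.

```python
"""Pre-flight IAM check (added example, not part of the article or the Lacework modules).
Input: an IAM policy as printed by `gcloud projects get-iam-policy PROJECT_ID --format=json`
or `gcloud organizations get-iam-policy ORG_ID --format=json`."""
import json
import sys

# Roles the article requires for the Terraform identity. An Organization level
# integration needs the "organization" roles on the org AND roles/owner on the
# project created for Lacework, so run the check against both policies.
REQUIRED_ROLES = {
    "project": {"roles/owner"},
    "organization": {"roles/resourcemanager.organizationAdmin", "roles/logging.configWriter"},
}

def roles_for_member(policy, member):
    """Roles bound unconditionally to `member`. Conditional bindings are skipped:
    a role behind an IAM condition may not be in effect when Terraform runs."""
    roles = set()
    for binding in policy.get("bindings", []):
        if "condition" not in binding and member in binding.get("members", []):
            roles.add(binding["role"])
    return roles

def missing_roles(policy, member, level):
    """Required roles for `level` ('project' or 'organization') that `member` lacks."""
    return REQUIRED_ROLES[level] - roles_for_member(policy, member)

# Constructed sample policies with placeholder identifiers (not real accounts).
SA = "serviceAccount:terraform-provisioning@my-project-id.iam.gserviceaccount.com"
SAMPLE_PROJECT_POLICY = {"bindings": [
    {"role": "roles/owner", "members": ["user:admin@example.com", SA]},
]}
SAMPLE_ORG_POLICY = {"bindings": [
    {"role": "roles/resourcemanager.organizationAdmin", "members": [SA]},
    {"role": "roles/viewer", "members": ["user:admin@example.com"]},
    # Granted only under a condition, so the check reports it as missing.
    {"role": "roles/logging.configWriter", "members": [SA],
     "condition": {"title": "temporary", "expression": "request.time < timestamp('2020-01-01T00:00:00Z')"}},
]}

if __name__ == "__main__":
    # Usage: gcloud organizations get-iam-policy ORG_ID --format=json | python check_roles.py organization MEMBER
    level, member = sys.argv[1], sys.argv[2]
    gaps = missing_roles(json.load(sys.stdin), member, level)
    print("all required roles present" if not gaps else "missing: " + ", ".join(sorted(gaps)))
    sys.exit(1 if gaps else 0)
```

The member string must use the IAM form (`serviceAccount:NAME@PROJECT.iam.gserviceaccount.com`), and for an Organization level integration the script is run once against the organization policy and once against the project policy.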
Create Service Account Key
This section covers creating a service key and downloading it to the local system as a JSON file.
- Log in to the Google Cloud Console.
- Select the Project being integrated with Lacework.
- Click on the Navigation Menu and select IAM & Admin -> Service Accounts.
- Locate the Service Account created for Terraform and click on the Actions menu next to the service account.
- Click Create Key.
- Select JSON for the format of the key.
- Click Create to download the key locally.
Run Terraform to integrate GCP at Project Level
This section covers executing Terraform. It is recommended you use a developer's code editor such as VSCode, Atom, or Sublime. You will also need a terminal to run terraform commands, such as bash, zsh, powershell, or cmd.

```hcl
terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 0.2.7"
    }
  }
}

# Point credentials at the service account key downloaded above and
# project at the project being integrated with Lacework.
provider "google" {
  credentials = file("account.json")
  project     = "my-project-id"
}

# Uses the profile configured with the Lacework CLI.
provider "lacework" {}

module "gcp_project_config" {
  source  = "lacework/config/gcp"
  version = "~> 0.1.1"
}

# Reuse the read-only service account created by the config module.
module "gcp_project_audit_log" {
  source                       = "lacework/audit-log/gcp"
  version                      = "~> 0.1.1"
  bucket_force_destroy         = true
  use_existing_service_account = true
  service_account_name         = module.gcp_project_config.service_account_name
  service_account_private_key  = module.gcp_project_config.service_account_private_key
}
```
- Open an editor and create a new file called `main.tf`.
- Copy/paste the code above into `main.tf` and save the file.
- Update both the `credentials` and the `project` in the `provider "google"` block to reference the credentials file downloaded in the previous section and the Google Project ID.
- Open a terminal, change the directory to the location where you saved `main.tf`, and run the command `terraform init` to initialize the project.
- Run `terraform plan` to review the changes, and then run `terraform apply` when you are ready to apply the changes.
Note: Lacework Terraform modules provide a number of inputs for customization. Visit the documentation on the Terraform Registry for the complete list of inputs for each module.
Validate The Configuration
Once Terraform finishes applying changes, you can use the Lacework CLI or the Lacework Console to validate the integration is working.
To validate the integration with the CLI, open a terminal and run `lacework integrations list`. You should see two integrations: GCP_CFG for the Config integration, and GCP_AT_SES for the Audit Trail integration.
To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Configure Multiple Projects with Terraform
If you plan to continue integrating GCP Projects with Lacework individually, it may be helpful to leverage the Terraform `for_each` meta-argument and pass a map of projects.
The following code snippet provides an example of using the Terraform `for_each` meta-argument to configure multiple GCP Projects with the same config and audit_log module blocks (`for_each` on module blocks requires Terraform 0.13 or later). The map keys are the GCP project IDs and the values are the Lacework integration names, so both modules must receive `each.key` as the project ID:

```hcl
terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 0.2.7"
    }
  }
}

# Keys are GCP project IDs; values are the Lacework integration names.
variable "projects" {
  description = "Map of projects to configure with Lacework."
  type        = map(string)
  default = {
    "project-id-1" = "my project 1"
    "project-id-2" = "my project 2"
  }
}

provider "google" {}

provider "lacework" {}

module "gcp_project_config" {
  source  = "lacework/config/gcp"
  version = "0.1.1"

  for_each                  = var.projects
  project_id                = each.key
  lacework_integration_name = each.value
}

module "audit_log" {
  source  = "lacework/audit-log/gcp"
  version = "~> 0.1.0"

  for_each                     = var.projects
  project_id                   = each.key # the project ID, not the integration name
  bucket_force_destroy         = true
  use_existing_service_account = true
  service_account_name         = module.gcp_project_config[each.key].service_account_name
  service_account_private_key  = module.gcp_project_config[each.key].service_account_private_key
}
```
For more information on using the `for_each` meta-argument, visit the Terraform documentation site.