Articles in this section

Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host

Lacework integrates with Microsoft Azure to monitor Activity Logs and cloud resource configurations for designated tenants and subscriptions. This procedure covers how to integrate Microsoft Azure and Lacework running Lacework Terraform Modules for Azure from any host that Terraform supports.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, be sure to read through the Terraform for Lacework Overview article to learn the basics on how to configure the provider, and more.

The approach outlined in this document is geared towards companies that store Terraform code in source control, and plan to continue to manage the state of the integration between Lacework and Azure using Terraform.

Lacework also supports running Terraform from Azure Cloud Shell, which comes with Terraform pre-installed. For instructions on running Terraform from Azure Cloud Shell, see Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell.

Overview of Azure Compliance and Activity Log Integration

To monitor Microsoft Azure Activity Logs and Compliance, Lacework requires the following resources:

  • Azure AD Application - An AD application with permissions to read directory information (using the Directory Reader Role)
  • Azure Resource Group - A resource group is created to store all resources provisioned the integration
  • Azure Storage Account - A storage account is used to store Activity Logs
  • Azure Storage Queue - A queue to hold activity log data
  • Azure Event Grid Subscription - Used to send notifications about events in Activity Logs

Requirements

The following is a list of requirements to run Lacework Terraform Modules for Azure locally:

  • Azure Global Administrator - You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
  • Azure Owner Role - Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
  • Azure CLI - The Terraform Provider for Azure leverages configuration from the Azure CLI to configure resources in Azure
  • Lacework Administrator - You must have Lacework account with administrator privileges.
  • Terraform - >= 0.12.31, ~> 0.13, ~> 0.14, ~> 0.15.

Module Dependencies

Lacework Terraform modules for Azure have the following dependencies that will be installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform Registry.

Install and Configure the Lacework CLI

To configure accounts, the Terraform Provider for Lacework leverages the Lacework CLI configuration to authenticate with Lacework's API server. Lacework provides a shell script to install the Lacework CLI in your system.

Follow these instructions to Install and configure the Lacework CLI before continuing this procedure.

Integrate Azure for Configuration Assessment and Activity Log monitoring

The next section covers running Lacework Terraform Modules for Azure to integrate Azure subscriptions and tenants with Lacework for Configuration Assessments, and Activity Log monitoring.

By default, the Lacework modules only configure the default subscription, but you can configure them to integrate all subscriptions, or an array of specific subscriptions. For more details, see the complete list of module inputs.

Log in to Azure via the Azure CLI

To integrate Lacework with Azure you will need to log in to your Azure console via the Azure CLI by running the command:

$ az login

Run Terraform

provider "azuread" {
}
provider "azurerm" {
 features {}
}
module "az_ad_application" {
 source  = "lacework/ad-application/azure"
 version = "~> 1.0"
}

module "az_config" {
 source = "lacework/config/azure"
 version = "~> 1.0"
 all_subscriptions = true
 use_existing_ad_application = true
 application_id        = module.az_ad_application.application_id
 application_password  = module.az_ad_application.application_password
 service_principal_id  = module.az_ad_application.service_principal_id
}

module "az_activity_log" {
 source = "lacework/activity-log/azure"
 version = "~> 1.0"
 all_subscriptions = true
 use_existing_ad_application = true
 application_id        = module.az_ad_application.application_id
 application_password  = module.az_ad_application.application_password
 service_principal_id  = module.az_ad_application.service_principal_id
}
  1. Open an Editor such as VSCode, Atom, or VIM and create a new file called main.tf.
  2. Copy the code snippet above, and paste it into the main.tf.
  3. Open a Terminal and change directories to the directory that contains the main.tf and run terraform init to initialize the project and download the required modules. If you are upgrading an old integration (v0.x), use the upgrade flag terraform init --upgrade. The v1.0 version for this module uses a new Azure AD provider via MS Graph API, check the upgrade documentation in case of issues.
  4. Run terraform plan to validate the configuration and review pending changes.
  5. After you review the pending changes, run terraform apply, and type yes to proceed with the Azure and Lacework integration.

Note: Lacework Terraform modules provide a number of inputs for customization. Visit the documentation on the Terraform Registry for each module's complete list of inputs.

Validate The Configuration

Once Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

For the CLI open a Terminal and run lacework integrations list (The integrations will be listed as AZURE_CFG and AZURE_AL_SEQ).

To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Deprecated Alternative Procedure for v0.x of the modules

The deprecated v0.x of the modules use Azure AD Graph API, deprecated by Microsoft, and required specific API permissions

  • Azure AD Application - API Permissions

    API Permission Type Description Admin Consent RQD
    Azure Active Directory Graph Directory.Read.All Application Read directory data Yes
    Azure Key Vault user_impersonation Delegated Have full access to Azure Key Vault service on behalf of the signed in user. This permission does not grant Lacework full access to the Azure Key Vault -
    Azure Storage user_impersonation Delegated This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader -
    Microsoft Graph User.Read.All Application Read the full profiles for all users Yes

Using API permissions, the Azure Active Directory Application created for Lacework requires granting admin consent before the integration will work. Granting admin consent is not possible natively using Terraform, but the Lacework Terraform module will attempt to automate this process by running the following command the Azure CLI:

# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually
az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}

If granting admin consent fails, click the link to log in to the Azure console and grant admin consent manually.