Articles in this section

Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host

Lacework integrates with Microsoft Azure to monitor Activity Logs and cloud resource configurations for designated tenants and subscriptions. This procedure covers how to integrate Microsoft Azure and Lacework running Lacework Terraform Modules for Azure from any host that Terraform supports.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, be sure to read through the Terraform for Lacework Overview article to learn the basics on how to configure the provider, and more.

The approach outlined in this document is geared towards companies that store Terraform code in source control, and plan to continue to manage the state of the integration between Lacework and Azure using Terraform.

Lacework also supports running Terraform from Azure Cloud Shell, which comes with Terraform pre-installed. For instructions on running Terraform from Azure Cloud Shell, see Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell.

Overview of Azure Compliance and Activity Log Integration

For Lacework to monitor Microsoft Azure Activity Logs and Compliance, the following resources need to be provisioned in the Tenant being integrated:

  • Azure AD Application - An Azure AD Application is required in order to delegate Identity and Access Management functions to Azure AD in the Azure AD Tenant. The following API Permissions will be granted to the Azure AD Application:

    API Permission Type Description Admin Consent RQD
    Azure Active Directory Graph Directory.Read.All Application Read directory data Yes
    Azure Key Vault user_impersonation Delegated Have full access to Azure Key Vault service on behalf of the signed in user. This permission does not grant Lacework full access to the Azure Key Vault -
    Azure Storage user_impersonation Delegated This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader -
    Microsoft Graph User.Read.All Application Read the full profiles for all users Yes
  • Azure Resource Group - An Azure Resource Group will be created to store all resources provisioned the integration.
  • Azure Storage Account - Storage account is used to store Activity Logs.
  • Azure Storage Queue - Azure queue to hold activity log data.
  • Azure Event Grid Subscription - Used to send notifications about events in Activity Logs.

Requirements

The following is a list of requirements to run Lacework Terraform Modules for Azure locally:

  • Azure Global Administrator - You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
  • Azure Owner Role - Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
  • Azure CLI - The Terraform Provider for Azure leverages configuration from the Azure CLI to configure resources in Azure
  • Lacework Administrator - You must have Lacework account with administrator privileges.
  • Terraform - >= 0.12.26, ~> 0.13.0, ~> 0.14.0.

Integrate Azure for Configuration Assessment and Activity Log monitoring

The next section covers running Lacework Terraform Modules for Azure to integrate Azure subscriptions and tenants with Lacework for Configuration Assessments, and Activity Log monitoring.

By default, the Lacework Modules only configures the default subsciption, but can be configured to integrate all subscriptions, or an array of specific subscriptions. For more details, see the complete list of module inputs.

Log in to Azure via the Azure CLI

To integrate Lacework with Azure you will need to log in to your Azure console via the Azure CLI by running the command:

$ az login

About Granting Admin Consent

Before running Terraform, it is important to understand the Azure Active Directory Application created for Lacework requires granting admin consent before the integration will work. Granting admin consent is not possible natively using Terraform, but the Lacework Terraform Module will attempt to automate this process by running the following command the Azure CLI:

# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually

az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}

If the granting admin consent fails, click the link to login to the Azure console and grant admin consent manually.

Run Terraform

terraform {
  required_providers {
    azuread = {
      source = "hashicorp/azuread"
    }
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "2.26"
    }
    lacework = {
      source = "lacework/lacework"
      version = "~> 0.3"
    }
  }
}

provider "azurerm" {
  features {}
}

module "az_config" {
  source  = "lacework/config/azure"
  version = "~> 0.1"
}

module "az_activity_log" {
  source  = "lacework/activity-log/azure"
  version = "~> 0.1"

  use_existing_ad_application = true
  application_id              = module.az_config.application_id
  application_password        = module.az_config.application_password
  service_principal_id        = module.az_config.service_principal_id
}
  1. Open an Editor such as VSCode, Atom, or VIM and create a new file called main.tf.
  2. Copy the code snippet above, and paste it into the main.tf.
  3. Open a Terminal and change directories to the directory that contains the main.tf and run terraform init to initialize the project and download the required modules.
  4. Run terraform plan to validate the configuration and review pending changes.
  5. When you have reviewed the pending changes run terraform apply to execute changes.
  6. When Terraform completes, validate whether admin consent was granted using the Azure CLI, or follow the link (see above) to manually grant admin consent via the Azure Console.

Note: Lacework Terraform modules provide a number of inputs for customization. Visit the documentation on the Terraform Registry for the complete list of inputs for each module.

Validate The Configuration

Once Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

For the CLI open a Terminal and run lacework integrations list (The integrations will be listed as AZURE_CFG and AZURE_AL_SEQ).

To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.