Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host – Lacework

Lacework integrates with Microsoft Azure to monitor Activity Logs and cloud resource configurations for designated tenants and subscriptions. This procedure covers how to integrate Microsoft Azure and Lacework running Lacework Terraform Modules for Azure from any host that Terraform supports.

The approach outlined in this document is geared towards companies that store Terraform code in source control, and plan to continue to manage the state of the integration between Lacework and Azure using Terraform.

Lacework also supports running Terraform from Azure Cloud Shell, which comes with Terraform pre-installed. For instructions on running Terraform from Azure Cloud Shell, see Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell.

Overview of Azure Compliance and Activity Log Integration

For Lacework to monitor Microsoft Azure Activity Logs and Compliance, the following resources need to be provisioned in the Tenant being integrated:

Azure AD Application - An Azure AD Application is required in order to delegate Identity and Access Management functions to Azure AD in the Azure AD Tenat. The following API Permissions will be granted to the Azure AD Application:

API	Permission	Type	Description	Admin Consent RQD
Azure Active Directory Graph	`Directory.Read.All`	Application	Read directory data	Yes
Azure Key Vault	`user_impersonation`	Delegated	Have full access to Azure Key Vault service on behalf of the signed in user. This permission does not grant Lacework full access to the Azure Key Vault	-
Azure Storage	`user_impersonation`	Delegated	This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader	-
Microsoft Graph	`User.Read.All`	Application	Read the full profiles for all userss	Yes

Azure Resource Group - An Azure Resource Group will be created to store all resources provisioned the integration.
Azure Storage Account - Storage account is used to store Activity Logs.
Azure Storage Queue - Azure queue to hold activity log data.
Azure Event Grid Subscription - Used to send notifications about events in Activity Logs.

Requirements

The following is a list of requirements to run Lacework Terraform Modules for Azure locally:

Azure Global Administrator - You must have an Azure Portal account that has a Global Administrator role for your tenant's directory.
Azure Owner Role - Your Azure Portal account must have Owner role in all the subscriptions that you want to monitor.
Azure CLI - The Terraform Provider for Azure leverages configuration from the Azure CLI to configure resources in Azure
Lacework Administrator - You must have Lacework account with administrator privileges.
Lacework CLI - The Terraform Provider for Lacework leverages the configuration from the Lacework CLI. It is recommended the Lacework CLI is installed and configured.
Terraform - >= 0.12.24, ~> 0.13.x.

Integrate Azure for Configuration Assessment and Activity Log monitoring

The next section covers running Lacework Terraform Modules for Azure to integrate Azure subscriptions and tenants with Lacework for Configuration Assessments, and Activity Log monitoring.

By default, the Lacework Modules only configures the default subsciption, but can be configured to integrate all subscriptions, or an array of specific subscriptions. For more details, see the complete list of module inputs.

Log in via the Azure CLI

In order to integrate Lacework with Azure you will need to log in to your Azure console via the Azure CLI by running the command:

$ az login

Enable New Azure Compliance and Activity Log Integrations for the Default Subscription

Ensure you have have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
Open an EDITOR of choice (VSCode, Atom, or VIM) and create a new file called main.tf.

Copy the following code snippet and paste it into the main.tf file:

terraform {
 required_providers {
   azuread = {
     source = "hashicorp/azuread"
   }
   azurerm = {
     source  = "hashicorp/azurerm"
     version = "2.26"
   }
   lacework = {
     source = "lacework/lacework"
   }
 }
}

provider "azurerm" {
 features {}
}

module "az_config" {
 source  = "lacework/config/azure"
 version = "~> 0.1.0"
}

module "az_activity_log" {
 source  = "lacework/activity-log/azure"
 version = "~> 0.1.0"

 use_existing_ad_application = true
 application_id              = module.az_config.application_id
 application_password        = module.az_config.application_password
 service_principal_id        = module.az_config.service_principal_id
}

Lacework modules have various inputs that can be used to customize the configuration of the integration. If you need to customize any of the configuration for this integration such as the subscriptions or tenants to be integrated, check out the full list of inputs for the modules on the Terraform Registry documentation site.
Open a Terminal and change directories to the directory that contains the main.tf and run terraform init to initialize the project and download the required modules.
Run terraform plan to validate the configuration and review pending changes.
When you have reviewed the pending changes run terraform apply to execute changes.

Validate The Configuration

Once Terraform finishes applying changes, use the Lacework CLI or log in to the Lacework Console to confirm the integration is working.

For the CLI open a Terminal and run lacework integrations list (The integrations will be listed as AZURE_CFG and AZURE_AL_SEQ).

To validate the integration via the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.