Terraform module for configuring an integration with Lacework and Azure for Agentless scanning

lacework/terraform-azure-agentless-scanning

terraform-azure-agentless-scanning

A Terraform Module to configure the Lacework Agentless Scanner on Azure.

All code contributions made by Lacework customers to this repo are considered ‘Feedback’ under section 4.3 of the Lacework Terms of Service.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 1.5 |
| azapi | ~> 1.15.0 |
| azuread | ~> 2.53.1 |
| azurerm | ~> 3.116.0 |
| lacework | ~> 2.0 |

Providers

| Name | Version |
|------|---------|
| azapi | ~> 1.15.0 |
| azuread | ~> 2.53.1 |
| azurerm | ~> 3.116.0 |
| lacework | ~> 2.0 |
| random | n/a |
| terraform | n/a |

Modules

No modules.

Resources

| Name | Type |
|------|------|
| azapi_resource.container_app_job_agentless | resource |
| azuread_application.lw | resource |
| azuread_service_principal.data_loader | resource |
| azuread_service_principal_password.data_loader | resource |
| azurerm_container_app_environment.agentless_orchestrate | resource |
| azurerm_key_vault.lw_orchestrate | resource |
| azurerm_key_vault_access_policy.access_for_sidekick | resource |
| azurerm_key_vault_access_policy.access_for_user | resource |
| azurerm_key_vault_secret.lw_orchestrate | resource |
| azurerm_log_analytics_workspace.agentless_orchestrate | resource |
| azurerm_network_security_group.agentless_orchestrate | resource |
| azurerm_resource_group.scanning_rg | resource |
| azurerm_role_assignment.key_vault_sidekick | resource |
| azurerm_role_assignment.key_vault_user | resource |
| azurerm_role_assignment.orchestrate | resource |
| azurerm_role_assignment.scanner | resource |
| azurerm_role_assignment.storage_data_loader | resource |
| azurerm_role_assignment.storage_sidekick | resource |
| azurerm_role_definition.agentless_monitored_subscription | resource |
| azurerm_role_definition.agentless_scanning_subscription | resource |
| azurerm_storage_account.scanning | resource |
| azurerm_storage_container.scanning | resource |
| azurerm_user_assigned_identity.sidekick | resource |
| azurerm_virtual_network.agentless_orchestrate | resource |
| lacework_integration_azure_agentless_scanning.lacework_cloud_account | resource |
| random_id.uniq | resource |
| terraform_data.job_execution_now | resource |
| azurerm_client_config.current | data source |
| azurerm_resource_group.scanning_rg | data source |
| azurerm_subscription.current | data source |
| azurerm_subscriptions.available | data source |
| lacework_metric_module.lwmetrics | data source |
| lacework_user_profile.current | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| `additional_environment_variables` | Optional list of additional environment variables passed to the task. | `list(object({ name = string, value = string }))` | `[]` | no |
| `blob_container_name` | Name of the blob container used for storing analysis artifacts. Leave blank to generate one. | `string` | `""` | no |
| `create_log_analytics_workspace` | Creates a Log Analytics workspace to see container logs. Defaults to false to avoid charges. | `bool` | `false` | no |
| `custom_network` | The name of the custom Azure Virtual Network subnet. Make sure it allows egress traffic on port 443. Leave empty to create a new one. | `string` | `""` | no |
| `enable_storage_infrastructure_encryption` | Enable Azure storage account-level infrastructure encryption. Defaults to false. | `bool` | `false` | no |
| `execute_now` | Execute newly created job(s) immediately after deployment. | `bool` | `true` | no |
| `filter_query_text` | The LQL query to constrain the scanning to specific resources. If left blank, Lacework will scan all resources available to the account or organization. For more information, see Limit Scanned Workloads. | `string` | `""` | no |
| `global` | Whether to create global resources for this deployment. Defaults to false. | `bool` | `false` | no |
| `global_module_reference` | A reference to the global lacework_azure_agentless_scanning module for this account. | `object({...})` (full type below) | `{...}` (all attributes empty; full default below) | no |
| `image_url` | The container image URL for Lacework Agentless Workload Scanning. | `string` | `"public.ecr.aws/p5r4i7k7/sidekick:latest"` | no |
| `integration_level` | Whether the integration is at subscription or tenant level. Valid values are 'SUBSCRIPTION' or 'TENANT'. | `string` | n/a | yes |
| `key_vault_id` | The ID of the Key Vault containing the Lacework Account and Auth Token. | `string` | `""` | no |
| `lacework_account` | The name of the Lacework account with which to integrate. | `string` | `""` | no |
| `lacework_domain` | The domain of the Lacework account with which to integrate. | `string` | `"lacework.net"` | no |
| `lacework_integration_name` | The name of the Lacework cloud account integration. Should only be set in the global resource. | `string` | `"azure-agentless-scanning"` | no |
| `notification_email` | Used for receiving notifications on key updates, such as those to the service principal. | `string` | `""` | no |
| `owner_id` | Owner for the created service account. Azure recommends having one. | `string` | `""` | no |
| `prefix` | A string to be prefixed to the name of all new resources. | `string` | `"lacework"` | no |
| `region` | The region where the LW scanner is deployed. | `string` | `"westus2"` | no |
| `regional` | Whether or not to create regional resources. Defaults to true. | `bool` | `true` | no |
| `scan_containers` | Whether to include scanning for containers. Defaults to true. | `bool` | `true` | no |
| `scan_frequency_hours` | How often, in hours, the scan will run. Defaults to 24. | `number` | `24` | no |
| `scan_host_vulnerabilities` | Whether to include scanning for host vulnerabilities. Defaults to true. | `bool` | `true` | no |
| `scan_multi_volume` | Whether to scan secondary volumes. Defaults to false. | `bool` | `false` | no |
| `scan_stopped_instances` | Whether to scan stopped instances. Defaults to true. | `bool` | `true` | no |
| `scanning_resource_group_name` | The name of the resource group where the LW sidekick is deployed. Leave blank to create a new one. | `string` | `""` | no |
| `scanning_subscription_id` | SubscriptionId where the LW Sidekick is deployed. Leave blank to use the current one used by Azure Resource Manager. Show it with `az account show`. | `string` | `""` | no |
| `storage_account_url` | URL of the storage account used for storing analysis artifacts. | `string` | `""` | no |
| `subscriptions_list` | List of subscriptions to be scanned. Prefix a subscription with '-' to exclude it from scanning. Set only for the global resource. | `set(string)` | `[]` | no |
| `suffix` | A string to be appended to the end of the name of all new resources. | `string` | `""` | no |
| `tags` | Set of tags which will be added to the resources managed by the module. | `map(string)` | `{}` | no |
| `tenant_id` | TenantId where the LW Sidekick is deployed. | `string` | `""` | no |

The full type of `global_module_reference`:

```hcl
object({
  scanning_resource_group_name              = string
  scanning_resource_group_id                = string
  key_vault_id                              = string
  key_vault_uri                             = string
  key_vault_secret_name                     = string
  lacework_account                          = string
  lacework_domain                           = string
  lacework_integration_name                 = string
  storage_account_name                      = string
  storage_account_id                        = string
  blob_container_name                       = string
  prefix                                    = string
  suffix                                    = string
  monitored_subscription_role_definition_id = string
  scanning_subscription_role_definition_id  = string
  sidekick_principal_id                     = string
  sidekick_client_id                        = string
  subscriptions_list                        = set(string)
})
```

and its default value:

```json
{
  "blob_container_name": "",
  "key_vault_id": "",
  "key_vault_secret_name": "",
  "key_vault_uri": "",
  "lacework_account": "",
  "lacework_domain": "",
  "lacework_integration_name": "",
  "monitored_subscription_role_definition_id": "",
  "prefix": "",
  "scanning_resource_group_id": "",
  "scanning_resource_group_name": "",
  "scanning_subscription_role_definition_id": "",
  "sidekick_client_id": "",
  "sidekick_principal_id": "",
  "storage_account_id": "",
  "storage_account_name": "",
  "subscriptions_list": [],
  "suffix": ""
}
```

Outputs

| Name | Description |
|------|-------------|
| `agentless_credentials_client_id` | Client id of the service principal of the Lacework app |
| `agentless_credentials_client_secret` | Client secret of the service principal of the Lacework app |
| `blob_container_name` | The blob container used to store Agentless Workload Scanning data |
| `key_vault_id` | The ID of the Key Vault that stores the LW credentials |
| `key_vault_secret_name` | The name of the secret stored in the Key Vault. The secret contains LW account authN details |
| `key_vault_uri` | The URI of the Key Vault that stores LW account details |
| `lacework_account` | Lacework Account Name for Integration |
| `lacework_domain` | Lacework Domain Name for Integration |
| `lacework_integration_name` | The name of the integration. Passed along in the global module reference |
| `monitored_subscription_role_definition_id` | The id of the monitored subscription role definition |
| `prefix` | Prefix used to add uniqueness to resource names |
| `scanning_resource_group_id` | Id of the resource group hosting the scanner |
| `scanning_resource_group_name` | Name of the resource group hosting the scanner |
| `scanning_subscription_role_definition_id` | The id of the scanning subscription role definition |
| `sidekick_client_id` | Client id of the managed identity running the scanner |
| `sidekick_principal_id` | The principal id of the user-assigned identity used by the agentless scanner |
| `storage_account_id` | The ID of the storage account used for scanning |
| `storage_account_name` | The blob storage account for Agentless Workload Scanning data |
| `subscriptions_list` | The subscriptions list in the global module reference |
| `suffix` | Suffix used to add uniqueness to resource names |
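The inputs and outputs above combine into a two-step deployment: one invocation with `global = true` creates the tenant-wide resources (Key Vault, storage account, role definitions and the Lacework integration), and further invocations with `global = false` reuse them through `global_module_reference`, whose attributes are exactly the outputs of the global invocation. The following is an added example, not code from the repository: the module `source` string follows the Terraform registry naming convention for this repo but is an assumption to verify against the registry, and the subscription ids, e-mail address and second region are placeholders.

```hcl
# Added example (not part of the module's README).
# Assumptions: the registry source path follows the naming convention for the
# lacework/terraform-azure-agentless-scanning repo; subscription ids, the e-mail
# address and the second region are placeholders.

terraform {
  required_version = ">= 1.5"
  required_providers {
    azurerm  = { source = "hashicorp/azurerm", version = "~> 3.116.0" }
    azuread  = { source = "hashicorp/azuread", version = "~> 2.53.1" }
    azapi    = { source = "Azure/azapi", version = "~> 1.15.0" }
    lacework = { source = "lacework/lacework", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

# Step 1: tenant-level ("global") resources, plus a scanner in the first region.
module "lacework_azure_agentless_scanning_global" {
  source = "lacework/agentless-scanning/azure" # assumed registry path

  integration_level = "TENANT"
  global            = true
  regional          = true
  region            = "westus2"

  # Subscriptions to scan; a leading '-' excludes one (set only on the global invocation).
  subscriptions_list = [
    "00000000-0000-0000-0000-000000000001",  # placeholder subscription id
    "-00000000-0000-0000-0000-000000000002", # placeholder, excluded from scanning
  ]

  # Operational and hardening choices exposed by the module.
  enable_storage_infrastructure_encryption = true
  create_log_analytics_workspace           = true # container logs; incurs charges
  notification_email                       = "secops@example.com" # placeholder
  scan_frequency_hours                     = 24
  scan_stopped_instances                   = true
  scan_multi_volume                        = false

  tags = {
    owner = "security-engineering"
  }
}

# Step 2: an additional regional scanner that reuses the global resources.
module "lacework_azure_agentless_scanning_eastus" {
  source = "lacework/agentless-scanning/azure" # assumed registry path

  integration_level = "TENANT"
  global            = false
  regional          = true
  region            = "eastus" # placeholder second region

  # Built from the global invocation's outputs; attribute names match the
  # object type of the global_module_reference input.
  global_module_reference = {
    scanning_resource_group_name              = module.lacework_azure_agentless_scanning_global.scanning_resource_group_name
    scanning_resource_group_id                = module.lacework_azure_agentless_scanning_global.scanning_resource_group_id
    key_vault_id                              = module.lacework_azure_agentless_scanning_global.key_vault_id
    key_vault_uri                             = module.lacework_azure_agentless_scanning_global.key_vault_uri
    key_vault_secret_name                     = module.lacework_azure_agentless_scanning_global.key_vault_secret_name
    lacework_account                          = module.lacework_azure_agentless_scanning_global.lacework_account
    lacework_domain                           = module.lacework_azure_agentless_scanning_global.lacework_domain
    lacework_integration_name                 = module.lacework_azure_agentless_scanning_global.lacework_integration_name
    storage_account_name                      = module.lacework_azure_agentless_scanning_global.storage_account_name
    storage_account_id                        = module.lacework_azure_agentless_scanning_global.storage_account_id
    blob_container_name                       = module.lacework_azure_agentless_scanning_global.blob_container_name
    prefix                                    = module.lacework_azure_agentless_scanning_global.prefix
    suffix                                    = module.lacework_azure_agentless_scanning_global.suffix
    monitored_subscription_role_definition_id = module.lacework_azure_agentless_scanning_global.monitored_subscription_role_definition_id
    scanning_subscription_role_definition_id  = module.lacework_azure_agentless_scanning_global.scanning_subscription_role_definition_id
    sidekick_principal_id                     = module.lacework_azure_agentless_scanning_global.sidekick_principal_id
    sidekick_client_id                        = module.lacework_azure_agentless_scanning_global.sidekick_client_id
    subscriptions_list                        = module.lacework_azure_agentless_scanning_global.subscriptions_list
  }
}

# The service principal secret is a credential; if it is surfaced at the root
# module, mark it sensitive so it is redacted from plan and apply output.
output "agentless_client_secret" {
  value     = module.lacework_azure_agentless_scanning_global.agentless_credentials_client_secret
  sensitive = true
}
```

Building `global_module_reference` attribute by attribute keeps the dependency between the two invocations explicit, so Terraform orders the regional apply after the global one without a separate `depends_on`, and it makes it obvious which outputs (the Key Vault, storage account and role definition ids) the regional scanner inherits rather than recreates.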
