Terraform module for integrating Azure Subscriptions and Tenants with Lacework for cloud resource configuration assessment.

It creates (or reuses) an Azure AD Application and its Service Principal, grants that Service Principal the built-in "Reader" and "Key Vault Reader" roles on the selected subscriptions (or on a Management Group when `use_management_group` is true), and then calls the Lacework API to create a Cloud Config integration. Both roles are read-only: "Reader" can view resources but not modify them, and "Key Vault Reader" can read Key Vault metadata (vault, key, secret and certificate names and properties) but not secret values or key material, so the integration holds no write access and cannot exfiltrate vault contents.
## Requirements

| Name | Version |
|---|---|
| terraform | >= 0.14 |
| azurerm | ~> 4.0 |
| lacework | ~> 2.0 |
## Providers

| Name | Version |
|---|---|
| azurerm | ~> 4.0 |
| lacework | ~> 2.0 |
| time | n/a |
## Modules

| Name | Source | Version |
|---|---|---|
| az_ad_application | lacework/ad-application/azure | ~> 2.0 |
## Resources

| Name | Type |
|---|---|
| azurerm_role_assignment.grant_key_vault_reader_role_to_managementgroup | resource |
| azurerm_role_assignment.grant_key_vault_reader_role_to_subscriptions | resource |
| azurerm_role_assignment.grant_reader_role_to_managementgroup | resource |
| azurerm_role_assignment.grant_reader_role_to_subscriptions | resource |
| lacework_integration_azure_cfg.lacework | resource |
| time_sleep.wait_time | resource |
| azurerm_management_group.managementgroup | data source |
| azurerm_subscription.primary | data source |
| azurerm_subscriptions.available | data source |
| lacework_metric_module.lwmetrics | data source |
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| all_subscriptions | If set to true, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`) | `bool` | `false` | no |
| application_id | The Active Directory Application id to use (required when `use_existing_ad_application` is set to true) | `string` | `""` | no |
| application_name | The name of the Azure Active Directory Application (required when `use_existing_ad_application` is set to true) | `string` | `"lacework_security_audit"` | no |
| application_password | The Active Directory Application password to use (required when `use_existing_ad_application` is set to true) | `string` | `""` | no |
| lacework_integration_name | The Lacework integration name | `string` | `"TF config"` | no |
| management_group_id | The Management Group ID on which to grant the Reader permissions (required when `use_management_group` is true) | `string` | `""` | no |
| service_principal_id | The Enterprise App (Service Principal) Object ID related to `application_id` (required when `use_existing_ad_application` is true) | `string` | `""` | no |
| subscription_exclusions | List of subscription IDs to exclude when using the `all_subscriptions` option | `list(string)` | `[]` | no |
| subscription_ids | List of subscription IDs to grant read access to; by default the module only uses the primary subscription of the current `azurerm` provider context | `list(string)` | `[]` | no |
| use_existing_ad_application | Set this to true to use an existing Active Directory Application instead of creating one | `bool` | `false` | no |
| use_management_group | If set to true, the AD Application will be a Reader at the Management Group level instead of the Subscription level | `bool` | `false` | no |
| wait_time | Amount of time to wait (via `time_sleep.wait_time`) after the role assignments are created and before the Lacework integration is provisioned, so that the new Service Principal and its role assignments have propagated in Azure AD | `string` | `"20s"` | no |
## Outputs

| Name | Description |
|---|---|
| application_id | The Lacework AD Application id |
| application_password | The Lacework AD Application password (sensitive) |
| lacework_integration_guid | GUID of the created Lacework integration |
| service_principal_id | The Lacework Service Principal id |
| subscription_ids | The list of subscriptions that will be shown in the Lacework Cloud Config integration |

Note that `application_password` is a credential: like every output, it is written to the Terraform state file in plaintext, so store state in an access-controlled, encrypted backend and treat `terraform output` as a secret-revealing command.
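The root configuration below is an added example, not part of the module's own README, showing the two ways the inputs above are typically combined: tenant-wide coverage with an exclusion list, and Management Group scope with an Azure AD Application you already control. The module source `lacework/config/azure`, the Management Group name, the subscription ID and the three `var.*` credentials are assumptions; substitute your own values and use only one of the two module blocks per integration.

```hcl
# Added example; assumes the module is published as lacework/config/azure.
terraform {
  required_version = ">= 0.14"
  required_providers {
    azurerm  = { source = "hashicorp/azurerm", version = "~> 4.0" }
    lacework = { source = "lacework/lacework", version = "~> 2.0" }
  }
}

provider "azurerm" {
  features {}
}

# Lacework credentials come from LW_ACCOUNT / LW_API_KEY / LW_API_SECRET
# or a profile in ~/.lacework.toml; nothing sensitive is hard-coded here.
provider "lacework" {}

# Variant A: create a fresh AD Application and grant it Reader + Key Vault Reader
# on every subscription in the tenant except a sandbox subscription (constructed ID).
module "az_config_tenant" {
  source = "lacework/config/azure" # assumed registry source; pin a reviewed version

  lacework_integration_name = "azure-config-tenant"
  application_name          = "lacework_security_audit"
  all_subscriptions         = true
  subscription_exclusions   = ["00000000-0000-0000-0000-000000000001"]
}

# Variant B: reuse an existing AD Application and assign the roles once, at the
# Management Group, so subscriptions added under it later are covered automatically.
module "az_config_mg" {
  source = "lacework/config/azure" # assumed registry source; pin a reviewed version

  lacework_integration_name   = "azure-config-mg"
  use_management_group        = true
  management_group_id         = "mg-production" # assumed Management Group name
  use_existing_ad_application = true
  application_id              = var.lacework_app_id
  application_password        = var.lacework_app_password
  service_principal_id        = var.lacework_sp_object_id
  wait_time                   = "60s" # larger tenants need longer AAD propagation
}

variable "lacework_app_id" {
  type = string
}

variable "lacework_app_password" {
  type      = string
  sensitive = true # keeps the value out of plan/apply output
}

variable "lacework_sp_object_id" {
  type = string
}

# The integration GUID is what you would look up in Lacework or hand to
# other modules; the password output stays sensitive so it is redacted in CLI output.
output "tenant_integration_guid" {
  value = module.az_config_tenant.lacework_integration_guid
}

output "tenant_app_password" {
  value     = module.az_config_tenant.application_password
  sensitive = true
}
```

In Variant B the module only creates role assignments and the Lacework integration, so the Application, its password and the Service Principal Object ID (the Enterprise Application's object id, not the Application's) must already exist and be supplied through the three variables. If `terraform apply` fails while Lacework validates the integration, the usual cause is that the role assignment had not yet propagated when the API call was made; raising `wait_time` is the supported fix rather than granting broader roles.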