Azure Integration - Terraform from Any Supported Host

Overview

This topic describes how to integrate with Azure by running Lacework Terraform modules from any host supported by Terraform.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

The approach outlined in this topic is targeted towards companies that store Terraform code in source control and plan to continue to manage the state of the integration between Lacework and Azure using Terraform.

Lacework also supports running Terraform from Azure Cloud Shell, which comes with Terraform pre-installed. For instructions on running Terraform from Azure Cloud Shell, see Azure Integration - Terraform from Azure Cloud Shell.

Resources

To monitor Microsoft Azure Activity Logs and compliance, Lacework requires the following resources:

  • Azure AD Application - An AD application with permissions to read directory information (using the Directory Reader Role).
  • Azure Resource Group - A resource group is created to store all resources provisioned during the integration.
  • Azure Storage Account - A storage account is used to store Activity Logs.
  • Azure Storage Queue - A queue to hold activity log data.
  • Azure Event Grid Subscription - An Event Grid used to send notifications about events in Activity Logs.

Requirements

The following is a list of requirements to run Lacework Terraform modules for Azure locally:

  • Azure Global Administrator - An Azure portal account that has a Global Administrator role for your tenant's directory.
  • Azure Owner Role - An Azure portal account with the Owner role in all subscriptions that you want to monitor.
  • Azure CLI - The Terraform provider for Azure leverages configuration from the Azure CLI to configure resources in Azure.
  • Lacework Administrator - A Lacework account with administrator privileges.
  • Lacework CLI - Lacework leverages the configuration from the Lacework CLI. It is recommended the Lacework CLI is installed and configured.
  • Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.

Module Dependencies

Lacework Terraform modules for Azure have the following dependencies that will be installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform Registry.

Install and Configure the Lacework CLI

To configure accounts, the Terraform provider for Lacework leverages the Lacework CLI configuration to authenticate with the Lacework API server. Lacework provides a shell script to install the Lacework CLI in your system.

Follow these instructions to install and configure the Lacework CLI before continuing.

Integrate Azure for All Subscriptions within the Tenant

This section covers integrating all subscriptions within your Azure tenant.

Log in to Azure via the Azure CLI

To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:

az login

Run the Lacework CLI

Run the following Lacework CLI command:

lacework generate cloud-account azure   \
--configuration --activity_log \
--noninteractive --all_subscriptions \
--apply
Note: To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform registry.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Integrate Azure for the Primary Subscription

This section covers integrating only the primary subscription for a given tenant. The primary subscription is the subscription used to access Cloud Shell. Additionally, when you run the command, you can specify multiple subscriptions with the --subscription_ids flag, for example: --subscription_ids id1,id2,id3.

Log in to Azure via the Azure CLI

To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:

az login

Run the Lacework CLI

Run the following Lacework CLI command:

lacework generate cloud-account azure  \
--configuration --activity_log \
--noninteractive --apply
Note: To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform registry.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Integrate Azure for a Management Group

Log in to Azure via the Azure CLI

To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:

az login

Run the Lacework CLI

Run the following Lacework CLI command:

lacework generate cloud-account azure  \
--configuration --activity_log \
--noninteractive --management_group \
--management_group_id MngmtGroupId \
--apply
Note: To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform registry.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Disable Collecting and Processing Azure AD Resources

If granted permissions to the directory (via the "Directory Reader" role), Lacework collects the list of users, groups, members, and app registrations from the Azure AD organization using Microsoft Graph API calls. This information is exposed for LQL datasources and compliance policies. Disabling this permission may be required if your organization has specific regulatory or privacy requirements that restrict the collection of this information by third parties. If disabled, the LQL datasources and related IAM compliance policies will not be assessed.

For existing integrations, at any time, you can remove the "Directory Reader" role from the Azure AD service principal used for Lacework.

When creating a new integration, disable the enable_directory_reader flag in the Lacework ad-application module. By default, this setting is true.

module "az_ad_application" {
  source                  = "lacework/ad-application/azure"
  enable_directory_reader = false
  version                 = "~> 1.2"
}
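
A pre-merge check for the setting above, as an added example that is not Lacework's code: it scans Terraform files for module blocks sourced from lacework/ad-application/azure and reports any that leave enable_directory_reader unset or set to anything other than false. The function name check_directory_reader and the one-attribute-per-line parsing are assumptions of this example.

```shell
#!/bin/sh
# Added example, not Lacework code: CI guard for the Directory Reader opt-out.
# Reports every module block sourced from lacework/ad-application/azure that
# does not set enable_directory_reader = false (the module default is true).

# check_directory_reader FILE...
# Prints "<file>:<module>: <reason>" per finding; returns 1 if any were found.
check_directory_reader() {
  awk '
    function report(why) { printf "%s:%s: %s\n", FILENAME, name, why; bad = 1 }
    function finish() {
      if (!is_ad_app) return
      if (flag == "") report("enable_directory_reader not set (defaults to true)")
      else if (flag != "false") report("enable_directory_reader = " flag)
    }
    /^[ \t]*module[ \t]+"[^"]+"[ \t]*[{]/ {          # module "name" {
      name = $0; sub(/^[ \t]*module[ \t]+"/, "", name); sub(/".*/, "", name)
      in_mod = 1; depth = 0; is_ad_app = 0; flag = ""
    }
    in_mod {
      line = $0
      if (line ~ /^[ \t]*(#|\/\/)/) next             # whole-line comment
      if (line ~ /^[ \t]*source[ \t]*=[ \t]*"lacework\/ad-application\/azure"/) is_ad_app = 1
      if (line ~ /^[ \t]*enable_directory_reader[ \t]*=/) {
        flag = line; sub(/^[^=]*=[ \t]*/, "", flag); sub(/[ \t#].*/, "", flag)
      }
      # Track brace depth so nested blocks do not end the module early.
      depth += gsub(/[{]/, "{", line) - gsub(/[}]/, "}", line)
      if (depth <= 0) { finish(); in_mod = 0 }
    }
    END { if (in_mod) finish(); exit bad + 0 }
  ' "$@"
}

# With no arguments, run against a constructed sample; otherwise check the
# files given on the command line (for example: sh check.sh *.tf).
if [ "$#" -eq 0 ]; then
  demo=$(mktemp)
  printf '%s\n' 'module "az_ad_application" {' \
    '  source  = "lacework/ad-application/azure"' \
    '  version = "~> 1.2"' '}' > "$demo"
  check_directory_reader "$demo" || echo "policy check failed"
  rm -f "$demo"
else
  check_directory_reader "$@"
fi
```

A value other than the literal false (a variable reference, for instance) is reported as well, so a reviewer can confirm what it resolves to.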

Deprecated Alternative Procedure for v0.x of the Modules

The deprecated v0.x modules use the Azure AD Graph API, which Microsoft has deprecated, and required specific API permissions:

  • Azure AD Application - API Permissions

    | API | Permission | Type | Description | Admin Consent Required |
    |-----|------------|------|-------------|------------------------|
    | Azure Active Directory Graph | Directory.Read.All | Application | Read directory data | Yes |
    | Azure Key Vault | user_impersonation | Delegated | Have full access to Azure Key Vault service on behalf of the signed in user. This permission does not grant Lacework full access to the Azure Key Vault | - |
    | Azure Storage | user_impersonation | Delegated | This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the role of Reader | - |
    | Microsoft Graph | User.Read.All | Application | Read the full profiles for all users | Yes |

Because it uses API permissions, the Azure Active Directory Application created for Lacework must be granted admin consent before the integration will work. Granting admin consent is not possible natively using Terraform, but the Lacework Terraform module will attempt to automate this process by running the following command with the Azure CLI:

# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually
az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}

If granting admin consent fails, click the link to log in to the Azure console and grant admin consent manually.