Azure Integration - Terraform from Any Supported Host
Overview
This topic describes how to integrate with Azure by running Lacework Terraform modules from any host supported by Terraform.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.
The approach outlined in this topic is targeted towards companies that store Terraform code in source control and plan to continue to manage the state of the integration between Lacework and Azure using Terraform.
Lacework also supports running Terraform from Azure Cloud Shell, which comes with Terraform pre-installed. For instructions on running Terraform from Azure Cloud Shell, see Azure Integration - Terraform from Azure Cloud Shell.
Resources
To monitor Microsoft Azure Activity Logs and compliance, Lacework requires the following resources:
- Azure AD Application - An AD application with permissions to read directory information (using the Directory Reader Role).
- Azure Resource Group - A resource group is created to store all resources provisioned during the integration.
- Azure Storage Account - A storage account is used to store Activity Logs.
- Azure Storage Queue - A queue to hold activity log data.
- Azure Event Grid Subscription - An Event Grid used to send notifications about events in Activity Logs.
Requirements
The following is a list of requirements to run Lacework Terraform modules for Azure locally:
- Azure Global Administrator - An Azure portal account that has a Global Administrator role for your tenant's directory.
- Azure Owner Role - An Azure portal account with the Owner role in all subscriptions that you want to monitor.
- Azure CLI - The Terraform provider for Azure leverages configuration from the Azure CLI to configure resources in Azure.
- Lacework Administrator - A Lacework account with administrator privileges.
- Lacework CLI - Lacework leverages the configuration from the Lacework CLI. It is recommended that the Lacework CLI be installed and configured.
- Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.
Module Dependencies
Lacework Terraform modules for Azure have the following dependencies that will be installed when running terraform init:
For detailed information on these dependencies, visit Lacework on the Terraform Registry.
Install and Configure the Lacework CLI
To configure accounts, the Terraform provider for Lacework leverages the Lacework CLI configuration to authenticate with the Lacework API server. Lacework provides a shell script to install the Lacework CLI in your system.
Follow these instructions to install and configure the Lacework CLI before continuing.
Integrate Azure for All Subscriptions within the Tenant
This section covers integrating all subscriptions within your Azure tenant.
Log in to Azure via the Azure CLI
To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:
az login
Run the Lacework CLI
Run the following Lacework CLI command:
lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --all_subscriptions \
--apply
note
To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform registry.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Integrate Azure for the Primary Subscription
This section covers integrating only the primary subscription for a given tenant. The primary subscription is the subscription used to access Cloud Shell. Additionally, when you run the command, you can specify multiple subscriptions with the --subscription_ids flag, for example: --subscription_ids id1,id2,id3.
Log in to Azure via the Azure CLI
To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:
az login
Run the Lacework CLI
Run the following Lacework CLI command:
lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --apply
note
To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform registry.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Integrate Azure for a Management Group
Log in to Azure via the Azure CLI
To integrate Lacework with Azure you must log in to your Azure console via the Azure CLI by running the command:
az login
Run the Lacework CLI
Run the following Lacework CLI command:
lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --management_group \
--management_group_id MngmtGroupId \
--apply
note
To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform registry.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Disable Collecting and Processing Azure AD Resources
If granted permissions to the directory (via the "Directory Reader" role), Lacework collects the list of users, groups, members, and app registrations from the Azure AD organization using Microsoft Graph API calls. This information is exposed for LQL datasources and compliance policies. Disabling this permission may be required if your organization has specific regulatory or privacy requirements that prohibit the collection of this information by third parties. If disabled, the LQL datasources and related IAM compliance policies will not be assessed.
For existing integrations, at any time, you can remove the "Directory Reader" role from the Azure AD service principal used for Lacework.
When creating a new integration, disable the enable_directory_reader flag in the Lacework ad-application module. By default, this setting is true.
module "az_ad_application" {
source = "lacework/ad-application/azure"
enable_directory_reader = false
version = "~> 1.2"
}
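As an added example (not code from this page or from Lacework's own documentation), the ad-application module above wired into the Configuration and Activity Log modules so that a new integration is created without the Directory Reader role. The lacework/config/azure and lacework/activity-log/azure module names, their use_existing_ad_application, application_id, application_password and service_principal_id inputs, the ad-application module's output names and the "~> 2.0" version constraints are assumptions taken from the Lacework modules on the Terraform Registry, not from this page.

```hcl
terraform {
  required_version = ">= 0.14"
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

# One AD application shared by both integrations. With
# enable_directory_reader = false (the setting shown on the page) no
# Directory Reader role is assigned, so Lacework cannot read users,
# groups, members or app registrations through Microsoft Graph.
module "az_ad_application" {
  source                  = "lacework/ad-application/azure"
  version                 = "~> 1.2"
  enable_directory_reader = false
}

# Configuration (compliance) integration reusing the application above.
# Module name, input names and version constraint are assumptions.
module "az_config" {
  source  = "lacework/config/azure"
  version = "~> 2.0"

  use_existing_ad_application = true
  application_id              = module.az_ad_application.application_id
  application_password        = module.az_ad_application.application_password
  service_principal_id        = module.az_ad_application.service_principal_id
}

# Activity Log integration reusing the same application (same assumptions).
module "az_activity_log" {
  source  = "lacework/activity-log/azure"
  version = "~> 2.0"

  use_existing_ad_application = true
  application_id              = module.az_ad_application.application_id
  application_password        = module.az_ad_application.application_password
  service_principal_id        = module.az_ad_application.service_principal_id
}
```

Run terraform plan before applying and confirm that no directory role assignment appears in the planned resources.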
Deprecated Alternative Procedure for v0.x of the Modules
The deprecated v0.x of the modules use the Azure AD Graph API, which Microsoft has deprecated, and required the following specific API permissions.
Azure AD Application - API Permissions
| API | Permission | Type | Description | Admin Consent Required |
| --- | --- | --- | --- | --- |
| Azure Active Directory Graph | Directory.Read.All | Application | Read directory data | Yes |
| Azure Key Vault | user_impersonation | Delegated | Have full access to the Azure Key Vault service on behalf of the signed-in user. This permission does not grant Lacework full access to the Azure Key Vault. | - |
| Azure Storage | user_impersonation | Delegated | This permission gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the Reader role. | - |
| Microsoft Graph | User.Read.All | Application | Read the full profiles for all users | Yes |
Using API permissions, the Azure Active Directory Application created for Lacework requires granting admin consent before the integration will work. Granting admin consent is not possible natively using Terraform, but the Lacework Terraform module will attempt to automate this process by running the following command via the Azure CLI:
# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually
az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}
If granting admin consent fails, click the link to log in to the Azure console and grant admin consent manually.