Azure Integration - Terraform from Azure Cloud Shell

Overview

This topic describes how to integrate with Azure by running Lacework Terraform modules from Azure Cloud Shell.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

The approach outlined in this document is suitable for one-off integrations where you do not plan to continue to use Terraform to manage the configuration of Lacework and Azure.

If you plan to continue to manage the state of the integration between Microsoft Azure and Lacework, and/or store the configuration in a source control management tool such as Git, see Azure Integration - Terraform from Any Supported Host.

Resources

To monitor Microsoft Azure Activity Logs and compliance, Lacework requires the following resources:

  • Azure AD Application - An AD application with permissions to read directory information (using the Directory Reader Role)
  • Azure Resource Group - A resource group is created to store all resources provisioned by the integration
  • Azure Storage Account - A storage account is used to store Activity Logs
  • Azure Storage Queue - A queue to hold activity log data
  • Azure Event Grid Subscription - Used to send notifications about events in Activity Logs

Requirements

The following is a list of requirements to run Lacework Terraform modules for Azure:

  • Azure Global Administrator - An Azure portal account that has a Global Administrator role for your tenant's directory.
  • Azure Owner Role - An Azure portal account with the Owner role in all subscriptions that you want to monitor.
  • Azure CLI - The Terraform provider for Azure leverages configuration from the Azure CLI to configure resources in Azure.
  • Lacework Administrator - A Lacework account with administrator privileges.
  • Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.

Module Dependencies

Lacework Terraform modules for Azure have the following dependencies that will be installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform Registry.

Azure Cloud Shell Configuration

Azure Cloud Shell is an embedded terminal/command-line interface that you can use within the Azure portal. This shell automatically authenticates the user that launches Cloud Shell with Azure AD and comes with pre-installed tools to manage and automate your Azure environment such as the Azure CLI and Terraform. For more information on Azure Cloud Shell, see the Overview of Azure Cloud Shell.

Lacework provides a robust command-line interface that generates Terraform code, installs the Terraform CLI (if not already installed), and can run Terraform inside Cloud Shell.

Open Azure Cloud Shell within Azure Portal

To open Azure Cloud Shell, click the Cloud Shell icon in the header bar of the Azure portal. This opens Cloud Shell in a pane at the bottom of the browser. Cloud Shell defaults to PowerShell but also supports a Bash prompt.

Install the Lacework CLI in Azure Cloud Shell

The Terraform provider for Lacework leverages the Lacework CLI configuration to authenticate with the Lacework API server and configure accounts. Run the following commands to install the Lacework CLI:

mkdir -p "$HOME"/bin
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash -s -- -d "$HOME"/bin

When the script completes, type exit and press Enter to close your shell. After a few seconds, a prompt appears to reconnect to Cloud Shell. Once reconnected, the Lacework CLI is ready to use.

Create Lacework API Key

The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys.

  1. Log in to the Lacework Console.
  2. Click Settings > Configuration > API keys.
  3. Click + Add New.
  4. Enter a name for the key and an optional description.
  5. Click Save.
  6. Click the ... icon and then Download to save the API key file locally.

The API key file contains four fields: keyId, secret, subAccount, and account:

{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": "myaccount.lacework.net"
}
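The key file is a credential that lands in your Cloud Shell home directory once uploaded, so it is worth checking its contents and permissions before running lacework configure. The following helper is an added example, not part of the Lacework documentation or CLI: it parses a KEY.json with the four fields shown above, derives the account subdomain the CLI expects, echoes the secret in the same redacted form the CLI uses, and checks that the file is readable by its owner only (the sample key content is constructed and not a real credential).

```python
import json
import os
import stat

# Fields a downloaded Lacework API key file contains (from the documentation above).
REQUIRED_FIELDS = ("keyId", "secret", "subAccount", "account")

# Constructed sample with the same shape as a downloaded KEY.json (not a real key).
SAMPLE_KEY_JSON = """{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": "myaccount.lacework.net"
}"""


def parse_api_key(text):
    """Parse KEY.json text; raise ValueError if a required field is missing or empty."""
    data = json.loads(text)
    missing = [f for f in REQUIRED_FIELDS if not data.get(f)]
    if missing:
        raise ValueError("API key file is missing fields: " + ", ".join(missing))
    return data


def cli_account(key):
    """Derive the 'account' value lacework configure expects: the subdomain only."""
    host = key["account"].lower()
    suffix = ".lacework.net"
    return host[: -len(suffix)] if host.endswith(suffix) else host


def redact(secret, keep=4):
    """Show only the trailing characters, as the CLI does when it echoes the secret."""
    return "(" + "*" * max(len(secret) - keep, 0) + secret[-keep:] + ")"


def key_file_is_private(path):
    """True if the key file has no group or other permission bits (0600 or stricter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


def harden_key_file(path):
    """Strip group/other permissions from an uploaded KEY.json; return the resulting mode."""
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return stat.S_IMODE(os.stat(path).st_mode)


if __name__ == "__main__":
    key = parse_api_key(SAMPLE_KEY_JSON)
    print("account:", cli_account(key))
    print("api_key:", key["keyId"])
    print("api_secret:", redact(key["secret"]))
```

In Cloud Shell, run harden_key_file on the uploaded file before configuring the CLI, and delete the file once lacework configure has written its own configuration.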

Configure the Lacework CLI

Azure Cloud Shell lets you drag-and-drop the generated KEY.json to upload it automatically.

To configure the CLI with the API key downloaded from the previous step, use the lacework configure command in Cloud Shell and provide the following:

  • account: The account subdomain of your Lacework URL (for example, YourAccount for YourAccount.lacework.net)
  • api_key: API Access Key
  • api_secret: API Access Secret

Run the command:

lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715.json
▸ Account: customerdemo
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715
▸ Secret Access Key: (*****************************26a0)

You are all set!

For more information, see Lacework CLI documentation.

Integrate Azure for All Subscriptions within the Tenant

This section covers integrating all subscriptions within your Azure tenant.

Run the Lacework CLI in Cloud Shell

Inside Azure Cloud Shell, run the following Lacework CLI command:

lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --all_subscriptions \
--apply

Note: To learn about using Terraform inputs to customize Lacework Terraform modules, see the Terraform Registry documentation.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Integrate Azure for the Primary Subscription

This section covers running Terraform to integrate only the primary subscription for a given tenant. The primary subscription is the subscription used to access Cloud Shell. Additionally, you can specify multiple subscriptions with the --subscription_ids flag, for example: --subscription_ids id1,id2,id3.

Run the Lacework CLI in Cloud Shell

Inside Azure Cloud Shell, run the following Lacework CLI command:

lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --apply

Note: To learn about using Terraform inputs to customize Lacework Terraform modules, see the Terraform Registry documentation.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Integrate Azure for a Management Group

This section covers running Terraform on Azure subscriptions within a specific management group.

Run the Lacework CLI in Cloud Shell

Inside Azure Cloud Shell, run the following Lacework CLI command:

lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --management_group \
--management_group_id MngmtGroupId \
--apply

Note: To learn about using Terraform inputs to customize Lacework Terraform modules, see the Terraform Registry documentation.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
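The validation step above is the same for all three integration paths (all subscriptions, primary subscription, management group), so a single script serves each of them. This is an added example, not part of the Lacework documentation or CLI: it feeds the output of lacework cloud-account list --json through a check that both AzureCfg and AzureAlSeq exist, are enabled and report a healthy state. The JSON field names ("name", "type", "enabled", "state.ok") are an assumption about the CLI's output shape, and the sample output is constructed; verify both against your CLI version before relying on the script.

```python
import json
import subprocess
import sys

# Integration types the documentation says a successful Azure onboarding produces.
REQUIRED_TYPES = {"AzureCfg": "Configuration", "AzureAlSeq": "Activity Log"}

# Constructed sample in the shape this script ASSUMES `lacework cloud-account list --json`
# returns: a list of objects with "name", "type", "enabled" and "state": {"ok": bool}.
SAMPLE_OUTPUT = json.dumps([
    {"name": "TF azure config", "type": "AzureCfg", "enabled": 1, "state": {"ok": True}},
    {"name": "TF azure activity log", "type": "AzureAlSeq", "enabled": 1, "state": {"ok": True}},
    {"name": "old gcp", "type": "GcpCfg", "enabled": 0, "state": {"ok": False}},
])


def validate_azure_integrations(cli_json):
    """Return a list of problems; an empty list means both Azure integrations are healthy."""
    accounts = json.loads(cli_json)
    problems = []
    for type_name, label in REQUIRED_TYPES.items():
        matches = [a for a in accounts if a.get("type") == type_name]
        if not matches:
            problems.append(f"missing {label} integration ({type_name})")
            continue
        for acct in matches:
            if not acct.get("enabled"):
                problems.append(f"{acct.get('name')} ({type_name}) is disabled")
            elif not acct.get("state", {}).get("ok"):
                problems.append(f"{acct.get('name')} ({type_name}) reports an error state")
    return problems


def cli_output_or_sample():
    """Run the CLI command from the page when available; otherwise use the constructed sample."""
    try:
        return subprocess.run(["lacework", "cloud-account", "list", "--json"],
                              capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return SAMPLE_OUTPUT


if __name__ == "__main__":
    problems = validate_azure_integrations(cli_output_or_sample())
    for p in problems:
        print("PROBLEM:", p)
    print("OK: both Azure integrations present and healthy" if not problems else "FAILED")
    sys.exit(1 if problems else 0)
```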

Disable Collecting and Processing Azure AD Resources

If granted permissions to the directory (via the "Directory Reader" role), Lacework collects the list of users, groups, members, and app registrations from the Azure AD organization using Microsoft Graph API calls. This information is exposed to LQL datasources and compliance policies. You may need to disable this permission if your organization has regulatory or privacy requirements that prohibit collection of this information by third parties. If it is disabled, the affected LQL datasources and the related IAM compliance policies are not assessed.

For existing integrations, at any time, you can remove the "Directory Reader" role from the Azure AD service principal used for Lacework.

When creating a new integration, disable the enable_directory_reader flag in the Lacework ad-application module (v1.2 or later). By default, this setting is true.

module "az_ad_application" {
  source                  = "lacework/ad-application/azure"
  version                 = "~> 1.2"
  enable_directory_reader = false
}

Deprecated Alternative Procedure for v0.x of the Modules

The deprecated v0.x modules use the Azure AD Graph API, which Microsoft has deprecated, and require the following API permissions on the Azure AD Application:

  • Azure Active Directory Graph - Permission: Directory.Read.All; Type: Application; Description: Read directory data; Admin consent required: Yes
  • Azure Key Vault - Permission: user_impersonation; Type: Delegated; Description: Have full access to the Azure Key Vault service on behalf of the signed-in user. This permission does not grant Lacework full access to Azure Key Vault; Admin consent required: No
  • Azure Storage - Permission: user_impersonation; Type: Delegated; Description: Gives the Lacework AD Application access to the Azure Storage REST APIs. Lacework access is still limited by the Reader role; Admin consent required: No
  • Microsoft Graph - Permission: User.Read.All; Type: Application; Description: Read the full profiles of all users; Admin consent required: Yes

Because these API permissions are used, the Azure Active Directory Application created for Lacework requires admin consent before the integration will work. Granting admin consent is not possible natively in Terraform, so the Lacework Terraform module attempts to automate it by running the following Azure CLI command:

# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually

az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}

If granting admin consent fails, click the link to log in to the Azure console and grant admin consent manually.