Azure Integration - Terraform from Azure Cloud Shell
Overview
This topic describes how to integrate with Azure by running Lacework Terraform modules from Azure Cloud Shell.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.
The approach outlined in this document is suitable for one-off integrations where you do not plan to continue to use Terraform to manage the configuration of Lacework and Azure.
If you plan to continue to manage the state of the integration between Microsoft Azure and Lacework, and/or store the configuration in a source control management tool such as Git, see Azure Integration - Terraform from Any Supported Host.
Resources
To monitor Microsoft Azure Activity Logs and compliance, Lacework requires the following resources:
- Azure AD Application - An AD application with permissions to read directory information (using the Directory Reader Role)
- Azure Resource Group - A resource group is created to store all resources provisioned by the integration
- Azure Storage Account - A storage account is used to store Activity Logs
- Azure Storage Queue - A queue to hold activity log data
- Azure Event Grid Subscription - Used to send notifications about events in Activity Logs
Requirements
The following is a list of requirements to run Lacework Terraform modules for Azure:
- Azure Global Administrator - An Azure portal account that has a Global Administrator role for your tenant's directory.
- Azure Owner Role - An Azure portal account with the Owner role in all subscriptions that you want to monitor.
- Azure CLI - The Terraform provider for Azure leverages configuration from the Azure CLI to configure resources in Azure.
- Lacework Administrator - A Lacework account with administrator privileges.
- Terraform - one of ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.
Module Dependencies
Lacework Terraform modules for Azure have the following dependencies, which are installed when running terraform init:
For detailed information on these dependencies, visit Lacework on the Terraform Registry.
Azure Cloud Shell Configuration
Azure Cloud Shell is an embedded terminal/command-line interface that you can use within the Azure portal. This shell automatically authenticates the user that launches Cloud Shell with Azure AD and comes with pre-installed tools to manage and automate your Azure environment such as the Azure CLI and Terraform. For more information on Azure Cloud Shell, see the Overview of Azure Cloud Shell.
Lacework provides a robust command-line interface that generates Terraform code, installs the Terraform CLI (if not already installed), and can run Terraform inside Cloud Shell.
Open Azure Cloud Shell within Azure Portal
To open Azure Cloud Shell, click the Cloud Shell icon in the header bar of the Azure portal. This opens Cloud Shell in a pane at the bottom of the browser. Cloud Shell defaults to PowerShell but also supports a Bash prompt; select Bash, because the commands in this topic are written for it.
Install the Lacework CLI in Azure Cloud Shell
The Terraform provider for Lacework leverages the Lacework CLI configuration to authenticate with the Lacework API server and configure accounts. Run the following commands to install the Lacework CLI. The second command pipes the installer straight into bash; if your policy forbids executing a remote script without reading it, download install.sh first, review it, and run it locally with the same -d argument:
mkdir -p "$HOME"/bin
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash -s -- -d "$HOME"/bin
When the script completes, type exit and press Enter to close your shell. After a few seconds, a prompt appears to reconnect to Cloud Shell. Once reconnected, the Lacework CLI is ready to use.
Create Lacework API Key
The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys.
- Log in to the Lacework Console.
- Click Settings > Configuration > API keys.
- Click + Add New.
- Enter a name for the key and an optional description.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The contents of your API key file contain a keyId, secret, subAccount, and account:
{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}
Configure the Lacework CLI
Azure Cloud Shell lets you drag-and-drop the generated KEY.json file onto the shell pane to upload it. Treat this file as a credential: the secret grants API access to your Lacework account.
To configure the CLI with the API key downloaded in the previous step, use the lacework configure command in Cloud Shell and provide the following (or pass the key file with -j, which reads all three values from it):
- account: Account subdomain of the URL (i.e., YourAccount for YourAccount.lacework.net)
- api_key: API Access Key
- api_secret: API Access Secret
Run the command:
lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715.json
▸ Account: customerdemo
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715
▸ Secret Access Key: (*****************************26a0)
You are all set!
For more information, see Lacework CLI documentation.
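The key file you just uploaded is a bearer credential, so it is worth checking it before handing it to the CLI and removing it afterwards. The following pre-flight script is an added example, not part of the Lacework CLI: it checks that the file is readable only by its owner and carries the keyId, secret and account fields shown above, runs the same lacework configure -j command the page uses, and then deletes the uploaded copy. It assumes the key file layout shown above and that the CLI stores its configuration in ~/.lacework.toml.

```python
"""Pre-flight check on a downloaded Lacework API key file before handing it to
`lacework configure -j`, then removal of the file once the CLI has read it.

Added example, not part of the Lacework CLI. Assumptions are marked in comments.
"""
import json
import os
import stat
import subprocess
from pathlib import Path

# subAccount appears in downloaded key files, but the CLI needs only these three.
REQUIRED_FIELDS = ("keyId", "secret", "account")

# Constructed sample mirroring the page's key file layout; values are placeholders.
SAMPLE_KEYFILE = {
    "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
    "secret": "_abc1234e243a645bcf173ef55b837c19",
    "subAccount": "myaccount",
    "account": "myaccount.lacework.net",
}


def account_subdomain(account):
    """`lacework configure` asks for the subdomain: 'myaccount' for 'myaccount.lacework.net'."""
    host = account.strip().lower()
    suffix = ".lacework.net"
    return host[:-len(suffix)] if host.endswith(suffix) else host


def check_keyfile(path):
    """Return a list of problems; an empty list means the file is safe to pass to the CLI."""
    p = Path(path)
    problems = []
    mode = p.stat().st_mode
    # The secret is a bearer credential for your Lacework account: owner-only access.
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        problems.append(f"{p}: readable by group/others (mode {stat.filemode(mode)}); run chmod 600")
    try:
        data = json.loads(p.read_text())
    except (json.JSONDecodeError, UnicodeDecodeError) as exc:
        return problems + [f"{p}: not valid JSON ({exc})"]
    if not isinstance(data, dict):
        return problems + [f"{p}: expected a JSON object"]
    for field in REQUIRED_FIELDS:
        if not isinstance(data.get(field), str) or not data[field].strip():
            problems.append(f"{p}: missing or empty field '{field}'")
    return problems


def configure_cmd(path):
    """The exact command the page runs; -j reads account, key and secret from the file."""
    return ["lacework", "configure", "-j", str(path)]


def configure_and_scrub(path):
    """Run the CLI, then delete the key file. After `lacework configure` the secret is
    stored in ~/.lacework.toml (assumed CLI config location), and Cloud Shell persists
    $HOME on an Azure file share, so a second copy in the upload location only widens
    the blast radius of a leak."""
    problems = check_keyfile(path)
    if problems:
        raise SystemExit("\n".join(problems))
    subprocess.run(configure_cmd(path), check=True)
    os.remove(path)
    # The CLI config now holds the secret; keep it owner-only as well.
    cfg = Path.home() / ".lacework.toml"
    if cfg.exists():
        os.chmod(cfg, 0o600)
```

Save it as keycheck.py in Cloud Shell and call configure_and_scrub("KEY.json") from a Python shell, or import check_keyfile alone if you only want the validation without running the CLI.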
Integrate Azure for All Subscriptions within the Tenant
This section covers integrating all subscriptions within your Azure tenant.
Run the Lacework CLI in Cloud Shell
Inside Azure Cloud Shell, run the following Lacework CLI command:
lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --all_subscriptions \
--apply
note
To learn about using Terraform inputs to customize Lacework Terraform modules, see Terraform Registry documentation.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Integrate Azure for the Primary Subscription
This section covers running Terraform to integrate only the primary subscription for a given tenant. The primary subscription is the Azure CLI's current default subscription in your Cloud Shell session (the one az account show reports); confirm it before running with --apply, because the command below applies without prompting. To integrate a specific set of subscriptions instead, pass the --subscription_ids flag, for example: --subscription_ids id1,id2,id3.
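Because --noninteractive --apply runs Terraform without a confirmation prompt, it pays to check the subscription list before you type the command. The script below is an added example, not Lacework or Microsoft code: it reads the JSON that the real az account list --output json command prints, rejects subscriptions the signed-in identity cannot see, that are not Enabled, or that belong to a different tenant than the default subscription, and builds the page's lacework generate command line from what survives. The sample account list embedded in it is constructed with made-up IDs.

```python
"""Sanity-check the subscriptions you intend to pass to --subscription_ids before an
unattended `lacework generate cloud-account azure ... --noninteractive --apply`.

Added example; not Lacework or Microsoft code. It consumes the output of the real
`az account list --output json` command; the sample below is constructed.
"""
import json
import subprocess

# Constructed sample shaped like `az account list -o json` (id, name, state,
# isDefault and tenantId are real fields of that output; the values are made up).
TENANT_A = "aaaaaaaa-0000-0000-0000-000000000001"
TENANT_B = "bbbbbbbb-0000-0000-0000-000000000002"
SAMPLE_AZ_ACCOUNTS = json.dumps([
    {"id": "11111111-0000-0000-0000-000000000001", "name": "prod", "state": "Enabled",
     "isDefault": True, "tenantId": TENANT_A},
    {"id": "22222222-0000-0000-0000-000000000002", "name": "staging", "state": "Enabled",
     "isDefault": False, "tenantId": TENANT_A},
    {"id": "33333333-0000-0000-0000-000000000003", "name": "old-dev", "state": "Disabled",
     "isDefault": False, "tenantId": TENANT_A},
    {"id": "44444444-0000-0000-0000-000000000004", "name": "partner", "state": "Enabled",
     "isDefault": False, "tenantId": TENANT_B},
])


def current_subscription(accounts):
    """The Azure CLI default subscription (what `az account show` prints); without
    --subscription_ids this is the only subscription the generated Terraform targets."""
    for acct in accounts:
        if acct.get("isDefault"):
            return acct["id"]
    raise ValueError("no default subscription; run `az account set --subscription <id>` first")


def plan_subscription_ids(accounts_json, wanted):
    """Return (value for --subscription_ids, problems). A subscription is rejected if the
    signed-in identity cannot see it, if it is not Enabled, or if it lives in a different
    tenant from the default subscription, because the AD application the modules create
    belongs to that tenant."""
    accounts = json.loads(accounts_json)
    by_id = {a["id"].lower(): a for a in accounts}
    default = by_id[current_subscription(accounts).lower()]
    accepted, problems = [], []
    for sid in wanted:
        acct = by_id.get(sid.strip().lower())
        if acct is None:
            problems.append(f"{sid}: not visible to the signed-in identity")
        elif acct.get("state") != "Enabled":
            problems.append(f"{sid} ({acct.get('name')}): state is {acct.get('state')}")
        elif acct.get("tenantId") != default.get("tenantId"):
            problems.append(f"{sid} ({acct.get('name')}): in tenant {acct.get('tenantId')}, "
                            f"not the Cloud Shell tenant {default.get('tenantId')}")
        else:
            accepted.append(acct["id"])
    return ",".join(accepted), problems


def generate_cmd(subscription_ids, apply=False):
    """Build the page's command line; --apply is only added when the caller asks for it."""
    cmd = ["lacework", "generate", "cloud-account", "azure",
           "--configuration", "--activity_log", "--noninteractive"]
    if subscription_ids:
        cmd += ["--subscription_ids", subscription_ids]
    if apply:
        cmd.append("--apply")
    return cmd


def live_accounts_json():
    """Fetch the real list from the Azure CLI inside Cloud Shell."""
    return subprocess.run(["az", "account", "list", "--output", "json"],
                          check=True, capture_output=True, text=True).stdout
```

In Cloud Shell, feed live_accounts_json() into plan_subscription_ids with the IDs you intend to monitor; only when the problems list is empty build the command with apply=True and run it.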
Run the Lacework CLI in Cloud Shell
Inside Azure Cloud Shell, run the following Lacework CLI command:
lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --apply
note
To learn about using Terraform inputs to customize Lacework Terraform modules, see Terraform Registry documentation.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Integrate Azure for a Management Group
This section covers running Terraform on Azure subscriptions within a specific management group.
Run the Lacework CLI in Cloud Shell
Inside Azure Cloud Shell, run the following Lacework CLI command:
lacework generate cloud-account azure \
--configuration --activity_log \
--noninteractive --management_group \
--management_group_id MngmtGroupId \
--apply
note
To learn about using Terraform inputs to customize Lacework Terraform Modules, see documentation on the Terraform Registry.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: AzureCfg for the Configuration integration, and AzureAlSeq for the Activity Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
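The three "Validate the Configuration" steps above (all subscriptions, primary subscription, management group) all end with the same check, so here is one scripted version of it as an added example, not part of the Lacework CLI. It reads the output of lacework cloud-account list --json (--json is the CLI's global machine-readable output flag) and reports each expected integration type as ok, missing, disabled or unhealthy. The record fields it relies on (type, enabled as 1/0, state.ok) are assumed from the Lacework API v2 CloudAccounts schema; check them against your own --json output. The sample list embedded below is constructed.

```python
"""Confirm that `lacework generate ... --apply` left both Azure integrations in place,
enabled and healthy, by reading `lacework cloud-account list --json`.

Added example, not part of the Lacework CLI. The record fields it relies on (`type`,
`enabled` as 1/0, `state.ok`) are assumed from the Lacework API v2 CloudAccounts
schema. The sample below is constructed.
"""
import json
import subprocess

EXPECTED_TYPES = ("AzureCfg", "AzureAlSeq")

# Constructed sample: a healthy config integration, an activity-log integration whose
# last collection failed, and an unrelated AWS integration that must be ignored.
SAMPLE_LIST = json.dumps([
    {"intgGuid": "GUID-0001", "name": "TF config", "type": "AzureCfg",
     "enabled": 1, "state": {"ok": True}},
    {"intgGuid": "GUID-0002", "name": "TF activity log", "type": "AzureAlSeq",
     "enabled": 1, "state": {"ok": False, "details": {"errorMsg": "queue not readable"}}},
    {"intgGuid": "GUID-0003", "name": "aws", "type": "AwsCfg",
     "enabled": 1, "state": {"ok": True}},
])


def audit_integrations(list_json, expected=EXPECTED_TYPES):
    """Map each expected type to 'ok', 'missing', 'disabled' or 'unhealthy'."""
    parsed = json.loads(list_json)
    # Accept either a bare array or an API-style {"data": [...]} envelope.
    records = parsed.get("data", []) if isinstance(parsed, dict) else parsed
    status = {t: "missing" for t in expected}
    for rec in records:
        kind = rec.get("type")
        if kind not in status:
            continue
        if not rec.get("enabled"):
            verdict = "disabled"
        elif not (rec.get("state") or {}).get("ok"):
            verdict = "unhealthy"
        else:
            verdict = "ok"
        # One healthy integration per type is enough; an older stale one must not mask it.
        if status[kind] != "ok":
            status[kind] = verdict
    return status


def failures(status):
    """The subset of the audit that needs attention."""
    return {t: s for t, s in status.items() if s != "ok"}


def live_list_json():
    """Run the real CLI; --json is the CLI's global flag for machine-readable output."""
    return subprocess.run(["lacework", "cloud-account", "list", "--json"],
                          check=True, capture_output=True, text=True).stdout


if __name__ == "__main__":
    bad = failures(audit_integrations(live_list_json()))
    for kind, verdict in bad.items():
        print(f"{kind}: {verdict}")
    raise SystemExit(1 if bad else 0)
```

Run it in Cloud Shell after the Terraform apply finishes; a non-zero exit means at least one integration is missing, disabled or reporting errors. If AzureAlSeq shows unhealthy immediately after apply, give it time for the first Activity Log events to flow through the queue before treating it as a failure.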
Disable Collecting and Processing Azure AD Resources
If granted permissions to the directory (via the "Directory Reader" role), Lacework collects the list of users, groups, members, and app registrations from the Azure AD organization using Microsoft Graph API calls. This information is exposed to LQL datasources and compliance policies. Disabling this permission may be required if your organization has regulatory or privacy requirements that prohibit third parties from collecting this information. If disabled, those LQL datasources and the related IAM compliance policies are not assessed.
For existing integrations, you can remove the "Directory Reader" role from the Azure AD service principal used by Lacework at any time.
When creating a new integration, set enable_directory_reader to false in the Lacework ad-application module (v1.2 or later). By default, this setting is true.
module "az_ad_application" {
source = "lacework/ad-application/azure"
enable_directory_reader = false
version = "~> 1.2"
}
Deprecated Alternative Procedure for v0.x of the Modules
The deprecated v0.x modules use the Azure AD Graph API, which Microsoft has deprecated, and required the following specific API permissions:
Azure AD Application - API Permissions
| API | Permission | Type | Description | Admin Consent Required |
|---|---|---|---|---|
| Azure Active Directory Graph | Directory.Read.All | Application | Read directory data | Yes |
| Azure Key Vault | user_impersonation | Delegated | Have full access to the Azure Key Vault service on behalf of the signed-in user. This permission does not grant Lacework full access to the Azure Key Vault. | - |
| Azure Storage | user_impersonation | Delegated | Gives the Lacework AD Application access to the Azure Storage REST APIs. However, Lacework access is limited by the Reader role. | - |
| Microsoft Graph | User.Read.All | Application | Read the full profiles for all users | Yes |
Because it uses API permissions, the Azure Active Directory Application created for Lacework requires admin consent before the integration will work. Granting admin consent is not possible natively in Terraform, so the Lacework Terraform module attempts to automate it by running the following command with the Azure CLI (the ${local.…} references are Terraform template values filled in by the module):
# Attempt to grant admin consent via the Azure CLI or print a URL to grant admin consent manually
az ad app permission admin-consent --id ${local.application_id} && echo SUCCESS!! \
|| echo ERROR!!! Unable to grant admin consent, grant it manually by following the URL: \
https://login.microsoftonline.com/${local.tenant_id}/adminconsent?client_id=${local.application_id}
If granting admin consent fails, click the link to log in to the Azure console and grant admin consent manually.