Skip to main content

GCP Integration - Terraform from Any Supported Host

Overview

This topic describes how to integrate with GCP by running Lacework Terraform modules from any host supported by Terraform.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

The approach described in this topic is suitable for organizations that plan to continuously run Terraform configuration using a CI/CD pipeline, and/or storing Terraform state.

Lacework also supports running Terraform from Google Cloud Shell, which is more suited for one off integrations. For more information see GCP Integration - Terraform from Google Cloud Shell.

Resources

Lacework integrates with Google Cloud Platform to analyze Cloud Audit Logs and to assess cloud resource configurations at the organization level or at the per project level.

Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.

Project level integrations covers only specific projects and any new projects must be added as required.

To integrate at the organization or project level, Lacework requires the following resources be provisioned in Google Cloud:

  • Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at the organization level, Lacework recommends that you create a project specifically for Lacework resources. When integrating at the project level, all required resources for Lacework may be provisioned within the project being integrated.
  • Google Storage Bucket - A storage bucket for Stack Driver logs
  • Google Pub/Sub Topic - For Cloud Audit Logs events
  • Google Logging Sink - To export Cloud Audit Logs to a Cloud Storage bucket
  • Service Account for Lacework - A service account to provide Lacework read-only access to Google Cloud Platform with the following roles:
    • Audit Log
      • Organization level integration
        • roles/resourcemanager.organizationViewer
      • Project level integration
        • roles/storage.objectViewer
    • Configuration
      • roles/iam.securityReviewer
      • roles/browser
      • roles/cloudasset.viewer
      • Organization level integration
        • roles/lwOrgComplianceRole containing the following permissions ("bigquery.datasets.get", "compute.projects.get", "pubsub.topics.get", "storage.buckets.get", "compute.sslPolicies.get")
      • Project level integration
        • roles/lwComplianceRole containing the following permissions ("bigquery.datasets.get", "compute.projects.get", "pubsub.topics.get", "storage.buckets.get", "compute.sslPolicies.get")

For organization level integrations, follow the steps in Integrate Google Cloud at the organization Level.

For project level integrations, follow the steps in Integrate Google Cloud at the project level.

note

If you are setting up new Google audit logging (instead of leveraging existing Google audit logging), Lacework recommends that you set a retention policy with a minimum of 7 days.

Requirements

  • Google Cloud Console - Administrator access to Google Cloud Console is required to create service accounts, grant access, and provision resources.
  • Google Cloud CLI - Lacework leverages configuration from the Google Cloud CLI to configure resources in the Google Cloud.
  • Lacework Administrator - Org admin, or Account admin access is required to create API keys and configure integrations with Lacework.
  • Lacework CLI - Lacework leverages the configuration from the Lacework CLI. It is recommended the Lacework CLI is installed and configured.
  • Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.

Module Dependencies

Lacework Terraform modules for GCP have the following dependencies that will be installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform registry.

Integrate Google Cloud at the Organization Level

The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at the organization level. Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.

Create a GCP Project Using the GCP Console

When creating an integration at the GCP organization level, Lacework recommends having a dedicated project to provision the required resources for the integration between Google Cloud and Lacework. Create the GCP project before running Terraform.

  1. Log in to the Google Cloud Console.
  2. Select the project drop-down and click New Project.
  3. Give the project a Project Name, select a Billing Account, select the Organization you are integrating.
  4. Click Create to create the new project.

Create a Service Account for Terraform

To integrate GCP and Lacework at the organization level, Terraform needs a user account or a service account with the following permissions:

  • roles/owner
  • roles/resourcemanager.organizationAdmin
  • roles/iam.organizationRoleAdmin
  • roles/logging.configWriter

If you already have a user account configured with these permissions, along with a configured key, skip to the next section.

The following steps create a service account within the project created for Lacework and give the account 'Owner' permissions to the project.

  1. In the Google Cloud Console, select the project created for Lacework resources.
  2. Click the Navigation Menu and select IAM & Admin > Service Accounts.
  3. Click Create Service Account.
  4. Name the service account (for example, terraform-provisioning), add a description, and click Create.
  5. Under the Grant this service account access to project section, give the service account Owner permissions to the project.
  6. Click Save.

Add Service Account to GCP Organization

This section covers adding the service account to the GCP organization being integrated with Lacework, and adding the required organization level permissions to the service account for Terraform to be able to configure the organization being integrated.

  1. Select the organization you are integrating with Lacework, select IAM from the navigation menu, and then click the +Add button to add a member or role to the organization.
  2. Search for the service account then add permissions for Organization Administrator, Organization Role Administrator and Logs Configuration Writer.
  3. Click Save.

Create Service Account Key

To run Terraform locally, you must create and download a key for the service account created in the previous step. This section covers creating a service key and downloading it to the local system as a JSON file.

  1. In the Google Cloud Console, select the project created for Lacework resources.
  2. Click the navigation menu and select IAM & Admin > Service Accounts.
  3. Click the Actions menu next to the service account.
  4. Click Create Key.
  5. Select JSON for the format of the key.
  6. Click Create to download the key locally.

Configure the Lacework CLI

Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.

  1. Install the Lacework CLI.
  2. Create your API key.
  3. Configure your Lacework CLI.

Run the Lacework CLI

Run the following Lacework CLI command:

lacework generate cloud-account gcp  \
  --configuration --audit_log        \
  --organization_integration         \
  --organization_id OrganizationId   \
  --project_id ProjectId             \
  --noninteractive --apply
note

Lacework Terraform modules provide a number of inputs for customization. Go to the documentation on the Terraform registry for the complete list of inputs for each module.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: GcpCfg for the Configuration integration, and GcpAtSes for the Audit Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Integrate Google Cloud at the Project Level

The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at the project level.

In this method Terraform provisions all of the required resources in the project being integrated into Lacework.

Create a Service Account for Terraform

To integrate GCP and Lacework at the project level, Terraform needs a user account or a service account with the following permissions for the project being integrated:

  • roles/owner

If you already have an account configured with these permissions, you can skip to the next section.

The following steps create a service account with the required permissions.

  1. Log in to the Google Cloud Console.
  2. Select the project being integrated with Lacework.
  3. Click the navigation menu and select IAM & Admin > Service Accounts.
  4. Click Create Service Account.
  5. Name the service account (for example, terraform-provisioning), add a description, and click Create.
  6. Under the Grant this service account access to project section, give the service account Owner permissions to the project.
  7. Click Save.

Create Service Account Key

To run Terraform locally, you must create and download a key for the service account created in the previous step. This section covers creating a service key and downloading it to the local system as a JSON file.

  1. In the Google Cloud Console, select the project created for Lacework resources.
  2. Click the navigation menu and select IAM & Admin > Service Accounts.
  3. Click the Actions menu next to the service account.
  4. Click Create Key.
  5. Select JSON for the format of the key.
  6. Click Create to download the key locally.

Configure the Lacework CLI

Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.

  1. Install the Lacework CLI.
  2. Create your API key.
  3. Configure your Lacework CLI.

Run the Lacework CLI

Run the following Lacework CLI command:

lacework generate cloud-account gcp  \
  --configuration --audit_log        \
  --project_id ProjectId             \
  --noninteractive --apply
note

Lacework Terraform modules provide a number of inputs for customization. For the complete list of inputs for each module, see the documentation on the Terraform registry.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: GcpCfg for the Configuration integration, and GcpAtSes for the Audit Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts

Configure Multiple Projects with Terraform

If you plan to continue to integrate GCP Projects with Lacework individually, it may be helpful to leverage the Terraform for_each meta-argument and pass a map of projects.

Note that it is a requirement to specify a project within the Google provider block, even in cases where multiple projects are later referenced.

The following code snippet provides an example of using the Terraform for_each meta-argument to configure multiple GCP projects with the same config and audit_log module blocks:

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

variable "projects" {
  description = "Map of projects to configuration with Lacework."
  type        = map
  default     = {
    project-id-1 = "my project 1",
    project-id-2 = "my project 2"
  }
}
provider "google" {
  project = keys(var.projects)[0]
}

provider "lacework" {}

module "gcp_project_config" {
  source     = "lacework/config/gcp"
  version    = "~> 2.0"
  for_each   = var.projects
  project_id = each.key

  lacework_integration_name = each.value 
}

module "audit_log" {
  source  = "lacework/audit-log/gcp"
  version = "~> 3.0"

  bucket_force_destroy         = true
  use_existing_service_account = true

  for_each   = var.projects
  project_id = each.key
  service_account_name         = module.gcp_project_config[each.key].service_account_name
  service_account_private_key  = module.gcp_project_config[each.key].service_account_private_key
}

For more information on using for_each meta-argument, visit the Terraform documentation site.

Validate the provider/module versions and the configuration as covered in the provider documentation.

Troubleshooting

How do I fix this issue: Error: no project value set?

If you see the following error:
Error: no project value set. project_id must be set at the resource level, or a default project value must be specified on the provider

Add a project to the Google provider. See Google provider documentation for details.