GCP Integration - Terraform from Any Supported Host
Overview
This topic describes how to integrate with GCP by running Lacework Terraform modules from any host supported by Terraform.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.
The approach described in this topic is suitable for organizations that plan to run Terraform configuration continuously from a CI/CD pipeline and/or to store Terraform state.
Lacework also supports running Terraform from Google Cloud Shell, which is more suited for one-off integrations. For more information, see GCP Integration - Terraform from Google Cloud Shell.
Resources
Lacework integrates with Google Cloud Platform to analyze Cloud Audit Logs and to assess cloud resource configurations at the organization level or at the per project level.
Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.
Project level integrations cover only specific projects; any new projects must be added as required.
To integrate at the organization or project level, Lacework requires the following resources be provisioned in Google Cloud:
- Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at the organization level, Lacework recommends that you create a project specifically for Lacework resources. When integrating at the project level, all required resources for Lacework may be provisioned within the project being integrated.
- Google Storage Bucket - A storage bucket for Stackdriver logs
- Google Pub/Sub Topic - For Cloud Audit Logs events
- Google Logging Sink - To export Cloud Audit Logs to a Cloud Storage bucket
- Service Account for Lacework - A service account to provide Lacework read-only access to Google Cloud Platform with the following roles:
  - Audit Log
    - Organization level integration: roles/resourcemanager.organizationViewer
    - Project level integration: roles/storage.objectViewer
  - Configuration
    - roles/iam.securityReviewer
    - roles/browser
    - roles/cloudasset.viewer
    - Organization level integration: roles/lwOrgComplianceRole, containing the following permissions ("bigquery.datasets.get", "compute.projects.get", "pubsub.topics.get", "storage.buckets.get", "compute.sslPolicies.get")
    - Project level integration: roles/lwComplianceRole, containing the following permissions ("bigquery.datasets.get", "compute.projects.get", "pubsub.topics.get", "storage.buckets.get", "compute.sslPolicies.get")
For organization level integrations, follow the steps in Integrate Google Cloud at the organization Level.
For project level integrations, follow the steps in Integrate Google Cloud at the project level.
note
If you are setting up new Google audit logging (instead of leveraging existing Google audit logging), Lacework recommends that you set a retention policy with a minimum of 7 days.
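Once the modules have run, a practitioner will want to confirm that the Lacework service account carries only the read-only roles listed above and nothing broader. The following is an added example, not Lacework's own code: it takes the JSON that `gcloud projects get-iam-policy PROJECT --format=json` prints (a constructed sample is embedded, with a hypothetical service account name) and reports missing roles, over-privileged roles, and the custom compliance role.

```python
"""Least-privilege check for the Lacework read-only service account (added example)."""
import json

# Predefined roles the page lists for each integration level; the custom
# lw*ComplianceRole is matched separately by name suffix.
EXPECTED_ROLES = {
    "project": {"roles/storage.objectViewer", "roles/iam.securityReviewer",
                "roles/browser", "roles/cloudasset.viewer"},
    "organization": {"roles/resourcemanager.organizationViewer", "roles/iam.securityReviewer",
                     "roles/browser", "roles/cloudasset.viewer"},
}
# Broad roles a read-only integration account must never carry.
OVERPRIVILEGED_ROLES = {"roles/owner", "roles/editor"}


def roles_for_member(policy: dict, member: str) -> set:
    """Collect every role bound to `member` in a GCP IAM policy document."""
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def audit_service_account(policy: dict, sa_email: str, level: str = "project") -> dict:
    """Report missing expected roles, over-privileged roles, and the compliance role."""
    granted = roles_for_member(policy, f"serviceAccount:{sa_email}")
    return {
        "missing": sorted(EXPECTED_ROLES[level] - granted),
        "overprivileged": sorted(granted & OVERPRIVILEGED_ROLES),
        "compliance_role": sorted(r for r in granted if r.endswith("ComplianceRole")),
    }


# Constructed sample in the shape of `gcloud projects get-iam-policy` output.
LACEWORK_SA = "lacework-sa@my-project.iam.gserviceaccount.com"  # hypothetical account
SA = "serviceAccount:" + LACEWORK_SA
SAMPLE_POLICY = {
    "version": 1,
    "bindings": [
        {"role": "roles/storage.objectViewer", "members": [SA]},
        {"role": "roles/iam.securityReviewer", "members": [SA]},
        {"role": "roles/browser", "members": [SA, "user:alice@example.com"]},
        {"role": "projects/my-project/roles/lwComplianceRole", "members": [SA]},
        {"role": "roles/editor", "members": [SA]},  # drift: Editor granted by hand
    ],
}

if __name__ == "__main__":
    # Replace SAMPLE_POLICY with json.load(sys.stdin) to check a real policy.
    print(json.dumps(audit_service_account(SAMPLE_POLICY, LACEWORK_SA), indent=2))
```

For an organization level integration, run the check against the organization policy (`gcloud organizations get-iam-policy`) with `level="organization"`.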
Requirements
- Google Cloud Console - Administrator access to Google Cloud Console is required to create service accounts, grant access, and provision resources.
- Google Cloud CLI - Lacework leverages configuration from the Google Cloud CLI to configure resources in Google Cloud.
- Lacework Administrator - Org admin, or Account admin access is required to create API keys and configure integrations with Lacework.
- Lacework CLI - Lacework leverages the configuration from the Lacework CLI. It is recommended that the Lacework CLI be installed and configured.
- Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.
Module Dependencies
Lacework Terraform modules for GCP have the following dependencies, which are installed when running terraform init:
For detailed information on these dependencies, visit Lacework on the Terraform registry.
Integrate Google Cloud at the Organization Level
The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at the organization level. Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.
Create a GCP Project Using the GCP Console
When creating an integration at the GCP organization level, Lacework recommends having a dedicated project to provision the required resources for the integration between Google Cloud and Lacework. Create the GCP project before running Terraform.
- Log in to the Google Cloud Console.
- Select the project drop-down and click New Project.
- Give the project a Project Name, select a Billing Account, select the Organization you are integrating.
- Click Create to create the new project.
Create a Service Account for Terraform
To integrate GCP and Lacework at the organization level, Terraform needs a user account or a service account with the following permissions:
roles/owner
roles/resourcemanager.organizationAdmin
roles/iam.organizationRoleAdmin
roles/logging.configWriter
If you already have a user account configured with these permissions, along with a configured key, skip to the next section.
The following steps create a service account within the project created for Lacework and give the account 'Owner' permissions to the project.
- In the Google Cloud Console, select the project created for Lacework resources.
- Click the Navigation Menu and select IAM & Admin > Service Accounts.
- Click Create Service Account.
- Name the service account (for example, terraform-provisioning), add a description, and click Create.
- Under the Grant this service account access to project section, give the service account Owner permissions to the project.
- Click Save.
Add Service Account to GCP Organization
This section covers adding the service account to the GCP organization being integrated with Lacework, and adding the required organization level permissions to the service account for Terraform to be able to configure the organization being integrated.
- Select the organization you are integrating with Lacework, select IAM from the navigation menu, and then click the +Add button to add a member or role to the organization.
- Search for the service account then add permissions for Organization Administrator, Organization Role Administrator and Logs Configuration Writer.
- Click Save.
Create Service Account Key
To run Terraform locally, you must create and download a key for the service account created in the previous step. This section covers creating a service key and downloading it to the local system as a JSON file.
- In the Google Cloud Console, select the project created for Lacework resources.
- Click the navigation menu and select IAM & Admin > Service Accounts.
- Click the Actions menu next to the service account.
- Click Create Key.
- Select JSON for the format of the key.
- Click Create to download the key locally.
Configure the Lacework CLI
Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
Run the Lacework CLI
Run the following Lacework CLI command:
lacework generate cloud-account gcp \
--configuration --audit_log \
--organization_integration \
--organization_id OrganizationId \
--project_id ProjectId \
--noninteractive --apply
note
Lacework Terraform modules provide a number of inputs for customization. Go to the documentation on the Terraform registry for the complete list of inputs for each module.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: GcpCfg for the Configuration integration, and GcpAtSes for the Audit Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Integrate Google Cloud at the Project Level
The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at the project level.
In this method Terraform provisions all of the required resources in the project being integrated into Lacework.
Create a Service Account for Terraform
To integrate GCP and Lacework at the project level, Terraform needs a user account or a service account with the following permissions for the project being integrated:
roles/owner
If you already have an account configured with these permissions, you can skip to the next section.
The following steps create a service account with the required permissions.
- Log in to the Google Cloud Console.
- Select the project being integrated with Lacework.
- Click the navigation menu and select IAM & Admin > Service Accounts.
- Click Create Service Account.
- Name the service account (for example, terraform-provisioning), add a description, and click Create.
- Under the Grant this service account access to project section, give the service account Owner permissions to the project.
- Click Save.
Create Service Account Key
To run Terraform locally, you must create and download a key for the service account created in the previous step. This section covers creating a service key and downloading it to the local system as a JSON file.
- In the Google Cloud Console, select the project created for Lacework resources.
- Click the navigation menu and select IAM & Admin > Service Accounts.
- Click the Actions menu next to the service account.
- Click Create Key.
- Select JSON for the format of the key.
- Click Create to download the key locally.
Configure the Lacework CLI
Ensure you have the Lacework CLI installed and configured to the Lacework account you plan to integrate.
Run the Lacework CLI
Run the following Lacework CLI command:
lacework generate cloud-account gcp \
--configuration --audit_log \
--project_id ProjectId \
--noninteractive --apply
note
Lacework Terraform modules provide a number of inputs for customization. For the complete list of inputs for each module, see the documentation on the Terraform registry.
Validate the Configuration
To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.
To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: GcpCfg for the Configuration integration, and GcpAtSes for the Audit Log integration.
To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
Configure Multiple Projects with Terraform
If you plan to continue to integrate GCP projects with Lacework individually, it may be helpful to leverage the Terraform for_each meta-argument and pass a map of projects.
Note that it is a requirement to specify a project within the Google provider block, even in cases where multiple projects are later referenced.
The following code snippet provides an example of using the Terraform for_each meta-argument to configure multiple GCP projects with the same config and audit_log module blocks:
terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

# One entry per project: the key is the GCP project ID, the value the Lacework integration name.
variable "projects" {
  description = "Map of projects to configure with Lacework."
  type        = map(string)
  default = {
    project-id-1 = "my project 1",
    project-id-2 = "my project 2"
  }
}

# The Google provider requires a default project even though every module
# instance sets its own project_id; keys() returns the map keys in sorted order.
provider "google" {
  project = keys(var.projects)[0]
}

provider "lacework" {}

# One Configuration integration per project.
module "gcp_project_config" {
  source  = "lacework/config/gcp"
  version = "~> 2.0"

  for_each = var.projects

  project_id                = each.key
  lacework_integration_name = each.value
}

# One Audit Log integration per project, reusing the service account created
# by the matching gcp_project_config instance.
module "audit_log" {
  source  = "lacework/audit-log/gcp"
  version = "~> 3.0"

  for_each = var.projects

  project_id                   = each.key
  # Lets terraform destroy remove the log bucket even if it still holds objects.
  bucket_force_destroy         = true
  use_existing_service_account = true
  service_account_name         = module.gcp_project_config[each.key].service_account_name
  service_account_private_key  = module.gcp_project_config[each.key].service_account_private_key
}
For more information on using the for_each meta-argument, visit the Terraform documentation site.
Validate the provider/module versions and the configuration as covered in the provider documentation.
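The map passed to for_each is usually produced from the organization's project inventory rather than typed by hand. The following is an added example, not Lacework's code: it turns the JSON that `gcloud projects list --format=json` prints (a constructed sample is embedded) into a projects.auto.tfvars.json file, keeping only ACTIVE projects and rejecting anything that is not a well-formed project ID before it reaches Terraform.

```python
"""Build the `projects` map (project ID -> Lacework integration name) for for_each."""
import json
import re

# GCP project ID format: 6-30 chars, lowercase letters, digits or hyphens,
# starting with a letter and not ending with a hyphen.
PROJECT_ID_RE = re.compile(r"^[a-z][a-z0-9-]{4,28}[a-z0-9]$")


def build_projects_map(project_list: list, prefix: str = "GCP") -> dict:
    """Return {projectId: integration name} for ACTIVE projects, sorted by ID.

    Sorting mirrors Terraform's keys(), so the first entry is the project the
    google provider block in the snippet above will default to.
    """
    result = {}
    for p in project_list:
        if p.get("lifecycleState") != "ACTIVE":
            continue  # DELETE_REQUESTED and similar states cannot be integrated
        pid = p["projectId"]
        if not PROJECT_ID_RE.match(pid):
            raise ValueError(f"unexpected project ID: {pid!r}")
        result[pid] = f"{prefix} {p.get('name', pid)}"
    return dict(sorted(result.items()))


def write_tfvars(projects: dict, path: str = "projects.auto.tfvars.json") -> str:
    """Write the map as a *.auto.tfvars.json file, which Terraform loads automatically."""
    body = json.dumps({"projects": projects}, indent=2)
    with open(path, "w") as fh:
        fh.write(body + "\n")
    return body


# Constructed sample in the shape of `gcloud projects list --format=json`.
SAMPLE_PROJECTS = [
    {"projectId": "prod-payments-7731", "name": "Prod Payments", "lifecycleState": "ACTIVE"},
    {"projectId": "dev-sandbox-0412", "name": "Dev Sandbox", "lifecycleState": "ACTIVE"},
    {"projectId": "old-legacy-1999", "name": "Legacy", "lifecycleState": "DELETE_REQUESTED"},
]

if __name__ == "__main__":
    print(write_tfvars(build_projects_map(SAMPLE_PROJECTS)))
```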
Troubleshooting
How do I fix this issue: Error: no project value set?
If you see the following error:
Error: no project value set. project_id must be set at the resource level, or a default project value must be specified on the provider
Add a project to the Google provider. See Google provider documentation for details.