
GCP Integration - Terraform from Google Cloud Shell

Overview

This topic describes how to integrate with GCP by running Lacework Terraform modules from Google Cloud Shell.

If you are new to the Lacework Terraform provider, or Lacework Terraform modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

Running Terraform from within Google Cloud Shell is suitable for one-off integrations where the user does not plan to continue to use Terraform to manage the configuration of Lacework and Google Cloud.

If you plan to continue to manage the state of the integration between Google Cloud and Lacework, and/or store the state of the configuration in a source control management tool such as Git, see GCP Integration - Terraform from Any Supported Host.

Resources

Lacework integrates with Google Cloud Platform to analyze Cloud Audit Logs and to assess cloud resource configurations at the organization level or at the per project level.

Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.

Project level integrations cover only specific projects and any new projects must be added as required.

To integrate at the organization or project level, Lacework requires that the following resources be provisioned in Google Cloud:

  • Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at the organization level, Lacework recommends that you create a project specifically for Lacework resources. When integrating at the project level, all required resources for Lacework may be provisioned within the project being integrated.
  • Google Cloud Storage Bucket - A storage bucket that receives the Cloud Audit Logs exported by the logging sink (formerly Stackdriver logs)
  • Google Pub/Sub Topic - For Cloud Audit Logs events
  • Google Logging Sink - To export Cloud Audit Logs to a Cloud Storage bucket
  • Service Account for Lacework - A service account will be created to provide Lacework read-only access to Google Cloud Platform with the following roles:
    • Audit Log
      • Organization level integration
        • roles/resourcemanager.organizationViewer
      • Project level integration
        • roles/storage.objectViewer
    • Configuration
      • roles/iam.securityReviewer
      • roles/browser
      • roles/cloudasset.viewer
      • Organization level integration
        • A custom role, lwOrgComplianceRole, containing the following permissions: bigquery.datasets.get, compute.projects.get, pubsub.topics.get, storage.buckets.get, compute.sslPolicies.get
      • Project level integration
        • A custom role, lwComplianceRole, containing the same permissions: bigquery.datasets.get, compute.projects.get, pubsub.topics.get, storage.buckets.get, compute.sslPolicies.get

For organization level integrations, follow the steps in Integrate Google Cloud at the organization Level.

For project level integrations, follow the steps in Integrate Google Cloud at the project Level.

note

If you are setting up new Google audit logging (instead of leveraging existing Google audit logging), Lacework recommends that you set a retention policy with a minimum of 7 days.

Requirements

Google Cloud Shell inherits the permissions of the user running Cloud Shell. Before beginning, determine whether the integration between Google Cloud and Lacework will be at the organization level, or at the per project level, and then ensure the user account running Google Cloud Shell has the following permissions:

  • Organization level integrations
    • roles/owner - For organization level integrations, it is recommended to create a dedicated Google Cloud project to contain the required resources. The user account used to run Google Cloud Shell must have 'Owner' permissions for that project
    • roles/resourcemanager.organizationAdmin
    • roles/iam.organizationRoleAdmin
    • roles/logging.configWriter
  • Project level integrations
    • roles/owner - For project level integrations, it is recommended to use the project being integrated to store all of the required resources. The user account used to run Google Cloud Shell must have 'Owner' permissions for every project being integrated into Lacework.
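Before running lacework generate, you can confirm that the signed-in Cloud Shell user actually holds the roles listed above rather than discovering a gap halfway through terraform apply. The script below is an added example written for this page, not part of the Lacework CLI or Terraform modules. It assumes gcloud is on the PATH (it is in Cloud Shell), that PROJECT_ID and ORG_ID are placeholders you replace, and that the user is bound directly in the IAM policy: roles inherited through a group or a folder are not returned by these queries, so a reported gap may still be covered. SAMPLE_GRANTED is constructed data for illustration, not real policy output.

```shell
#!/usr/bin/env bash
# Pre-flight check for the Cloud Shell user, run before "lacework generate".
# Added example for this page; not part of the Lacework CLI or modules.

# Roles this page requires of the user, by integration level.
PROJECT_REQUIRED='roles/owner'
ORG_REQUIRED='roles/resourcemanager.organizationAdmin
roles/iam.organizationRoleAdmin
roles/logging.configWriter'

# Constructed sample of granted roles (not real gcloud output).
SAMPLE_GRANTED='roles/owner
roles/logging.configWriter
roles/viewer'

# missing_roles GRANTED REQUIRED: both arguments are newline-separated role
# lists; prints each required role absent from GRANTED, in REQUIRED order.
# Pure shell, so it can be exercised offline with constructed input.
missing_roles() {
  local granted="$1" required="$2"
  printf '%s\n' "$required" | while IFS= read -r role; do
    [ -n "$role" ] || continue
    printf '%s\n' "$granted" | grep -Fxq -- "$role" || printf '%s\n' "$role"
  done
}

# granted_roles SCOPE ID PRINCIPAL: roles bound directly to PRINCIPAL
# (e.g. user:alice@example.com) in the IAM policy of a project
# (SCOPE=projects) or an organization (SCOPE=organizations).
granted_roles() {
  local scope="$1" id="$2" principal="$3"
  gcloud "$scope" get-iam-policy "$id" \
    --flatten='bindings[].members' \
    --filter="bindings.members:${principal}" \
    --format='value(bindings.role)'
}

# preflight LEVEL PROJECT_ID [ORG_ID]: LEVEL is "project" or "organization".
# Prints any missing roles; returns 0 when nothing is missing, 1 otherwise.
preflight() {
  local level="$1" project="$2" org="${3:-}" principal missing rc=0
  principal="user:$(gcloud config get-value account 2>/dev/null)"

  missing="$(missing_roles "$(granted_roles projects "$project" "$principal")" "$PROJECT_REQUIRED")"
  [ -z "$missing" ] || { printf 'project %s is missing:\n%s\n' "$project" "$missing"; rc=1; }

  if [ "$level" = organization ]; then
    missing="$(missing_roles "$(granted_roles organizations "$org" "$principal")" "$ORG_REQUIRED")"
    [ -z "$missing" ] || { printf 'organization %s is missing:\n%s\n' "$org" "$missing"; rc=1; }
  fi
  return "$rc"
}

# Usage in Cloud Shell (PROJECT_ID / ORG_ID are placeholders):
#   preflight organization PROJECT_ID ORG_ID
#   preflight project PROJECT_ID
```

Only roles/owner is checked at project scope because that is what the Requirements list asks for; the three organization-scope roles are checked only when LEVEL is organization. A non-zero exit from preflight means at least one role is absent from a direct binding.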

In addition to Google Cloud permissions, the Terraform provider for Lacework must be configured to authenticate with the Lacework API using a Lacework API key and secret access key. For more information on configuring the Terraform provider for Lacework, visit Terraform for Lacework Overview.

Module Dependencies

Lacework Terraform modules for GCP have the following dependencies that will be installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform registry.

Google Cloud Shell Configuration

Google Cloud Shell is a terminal embedded in the Google Cloud Console. It comes with the Google Cloud SDK (including the gcloud command-line tool) and Terraform pre-installed, so you can manage and automate the projects and resources in your environment without setting up a local workstation.

Lacework provides a robust command-line interface that generates Terraform code, installs the Terraform CLI (if not already installed), and can run Terraform inside Cloud Shell.

Launch Google Cloud Shell within Google Console

To open Google Cloud Shell, click the Cloud Shell icon in the header bar of the Google Console, and it will launch the Cloud Shell in a pane at the bottom of the browser.


Install the Lacework CLI in Google Cloud Shell

The Terraform provider for Lacework uses the Lacework CLI configuration to authenticate with the Lacework API and configure accounts. Run the following commands in Cloud Shell to install the Lacework CLI into $HOME/bin:

mkdir -p "$HOME"/bin
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash -s -- -d "$HOME"/bin

The second command pipes the installer straight into bash. If your policy requires reviewing scripts before they run, download install.sh to a file first, inspect it, and then run it with the same -d "$HOME"/bin argument.

When the script completes, type exit and press Enter to close the shell. Reopen Cloud Shell so that the new login shell picks up $HOME/bin on your PATH; the lacework command will then be ready to use.

Create Lacework API Key

The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys.

  1. Log in to the Lacework Console.
  2. Click Settings > Configuration > API keys.
  3. Click + Add New.
  4. Enter a name for the key and an optional description.
  5. Click Save.
  6. Click the ... icon and then Download to save the API key file locally.

The downloaded file contains the keyId, secret, subAccount, and account fields. Treat the file as a credential: anyone holding it can call the Lacework API as your account.

{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": "myaccount.lacework.net"
}

Configure the Lacework CLI

Google Cloud Shell lets you drag-and-drop the generated KEY.json to upload it automatically.

To configure the CLI with the API key file downloaded in the previous step, use the lacework configure command in Cloud Shell. The -j flag reads the values from the JSON file; otherwise you are prompted for the following:

  • account: the account subdomain of your Lacework URL (for example, YourAccount for YourAccount.lacework.net)
  • api_key: API Access Key
  • api_secret: API Access Secret

Run the command:

user@cloudshell:~ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC.json
▸ Account: your_account_name
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC
▸ Secret Access Key: (*****************************26a0)

You are all set!

For more information, see Lacework CLI documentation. The configuration is written to $HOME/.lacework.toml, so once configure succeeds, delete the uploaded KEY.json from your Cloud Shell home directory: that directory persists between sessions, and the key file is no longer needed.

Integrate Google Cloud at the Organization Level

The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at the organization level. Organization level integrations cover all of the existing projects in the organization, and will automatically add any new projects added after the initial integration.

Create a GCP Project Using the GCP Console

When creating an integration at the GCP organization level, Lacework recommends having a dedicated project to provision the required resources for the integration between Google Cloud and Lacework. Create the GCP project before running Terraform.

  1. Log in to the Google Cloud Console.
  2. Select the project drop-down and click New Project.
  3. Give the project a Project Name, select a Billing Account, and select the Organization you are integrating.
  4. Click Create to create the new project.

Configure Project Owner Permissions to User Account

These next steps grant roles/owner on the GCP project to the user account that will run Google Cloud Shell.

  1. In the Google Cloud Console, select the project created for Lacework resources.
  2. Click the navigation menu and select IAM & Admin > IAM.
  3. Filter the list and find the user account that will be used to run Google Cloud Shell.
  4. Click Edit Member and then apply roles/owner.
  5. Click Save.

Run the Lacework CLI in Cloud Shell

Inside Google Cloud Shell, run the following Lacework CLI command:

lacework generate cloud-account gcp  \
--configuration --audit_log \
--organization_integration \
--organization_id OrganizationId \
--project_id ProjectId \
--noninteractive --apply

note

Lacework Terraform modules provide a number of inputs for customization. For the complete list of inputs for each module, see the documentation on the Terraform registry.

When prompted, answer Yes.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: GcpCfg for the Configuration integration, and GcpAtSes for the Audit Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.

Integrate Google Cloud at the Project Level

The following section covers integrating Google Cloud and Lacework for analysis of Cloud Audit Logs and configuration assessment at the project level.

In this method Terraform provisions all of the required resources in the project being integrated into Lacework.

Configure Project Owner Permissions to User Account

These next steps grant roles/owner on the GCP project being integrated into Lacework to the user account that will run Google Cloud Shell.

  1. Log in to the Google Cloud Console.
  2. Select the project being integrated to Lacework from the project selector at the top of the console.
  3. Click the navigation menu and select IAM & Admin > IAM.
  4. Filter the list and find the user account that will be used to run Google Cloud Shell.
  5. Click Edit Member and then apply roles/owner.
  6. Click Save.

Run the Lacework CLI in Cloud Shell

Inside Google Cloud Shell, run the following Lacework CLI command:

lacework generate cloud-account gcp  \
--configuration --audit_log \
--project_id ProjectId \
--noninteractive --apply

note

Lacework Terraform modules provide a number of inputs for customization. For the complete list of inputs for each module, see the documentation on the Terraform registry.

When prompted, answer Yes.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. You should see two integrations: GcpCfg for the Configuration integration, and GcpAtSes for the Audit Log integration.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts.
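Both Validate the Configuration sections above (organization level and project level) rely on reading CLI output by eye. The script below is an added example written for this page, not Lacework's code, that automates two checks: it confirms that GcpCfg and GcpAtSes appear in the output of lacework cloud-account list, and it compares the roles bound to the Lacework service account against the read-only set listed in the Resources section, flagging anything extra (a quick least-privilege check after apply and a useful drift check later). Assumptions: the expected role set is copied from the Resources section, with roles/resourcemanager.organizationViewer appearing only in organization-scope policies; custom compliance roles are recognised by the name pattern lw*ComplianceRole because custom roles live under projects/… or organizations/… rather than roles/; PROJECT_ID and SA_EMAIL are placeholders; and SAMPLE_LISTING and SAMPLE_ROLES are constructed data, not real CLI output.

```shell
#!/usr/bin/env bash
# Post-apply validation, run in Cloud Shell after "lacework generate ... --apply".
# Added example for this page; not part of the Lacework CLI or modules.

# Integration types named in the Validate the Configuration steps.
EXPECTED_TYPES='GcpCfg
GcpAtSes'

# Roles this page says the Lacework service account receives. The last one
# is granted at organization scope for organization level integrations only.
EXPECTED_SA_ROLES='roles/storage.objectViewer
roles/iam.securityReviewer
roles/browser
roles/cloudasset.viewer
roles/resourcemanager.organizationViewer'

# Custom compliance roles (lwComplianceRole / lwOrgComplianceRole) are
# project- or organization-scoped, so match them by name pattern (assumption).
CUSTOM_ROLE_PATTERN='*/roles/lw*ComplianceRole*'

# Constructed samples for offline use; not real "lacework" or "gcloud" output.
SAMPLE_LISTING='INTEGRATION GUID   NAME         TYPE      STATUS   STATE
ABC123             gcp-config   GcpCfg    Enabled  Ok
ABC124             gcp-audit    GcpAtSes  Enabled  Ok'
SAMPLE_ROLES='roles/browser
roles/cloudasset.viewer
projects/my-project/roles/lwComplianceRole_abc123
roles/editor
roles/iam.securityReviewer
roles/storage.objectViewer'

# missing_types: reads "lacework cloud-account list" text on stdin and prints
# each expected type that never appears; returns 1 if any is missing.
missing_types() {
  local listing rc=0 t
  listing="$(cat)"
  for t in $EXPECTED_TYPES; do
    printf '%s\n' "$listing" | grep -Fwq -- "$t" || { printf '%s\n' "$t"; rc=1; }
  done
  return "$rc"
}

# unexpected_roles: reads one role per line on stdin and prints any role that
# is neither in EXPECTED_SA_ROLES nor a Lacework custom compliance role;
# returns 1 if anything is printed. Anything printed is privilege the
# integration should not need.
unexpected_roles() {
  local role rc=0
  while IFS= read -r role; do
    [ -n "$role" ] || continue
    if printf '%s\n' "$EXPECTED_SA_ROLES" | grep -Fxq -- "$role"; then continue; fi
    case "$role" in $CUSTOM_ROLE_PATTERN) continue ;; esac
    printf '%s\n' "$role"; rc=1
  done
  return "$rc"
}

# Live usage in Cloud Shell (PROJECT_ID and SA_EMAIL are placeholders; the
# service account is listed under IAM & Admin > Service Accounts):
#   lacework cloud-account list | missing_types
#   gcloud projects get-iam-policy PROJECT_ID \
#     --flatten='bindings[].members' \
#     --filter="bindings.members:serviceAccount:SA_EMAIL" \
#     --format='value(bindings.role)' | unexpected_roles
# For organization level integrations, repeat the second check with
# "gcloud organizations get-iam-policy ORG_ID".
```

With the constructed SAMPLE_ROLES, the only line unexpected_roles reports is roles/editor, which is exactly the kind of write-capable grant that should never be attached to the Lacework service account.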

Configure Multiple Projects with Terraform

If you plan to continue to integrate GCP projects with Lacework individually, it may be helpful to leverage the Terraform for_each meta-argument and pass a map of projects.

Note that it is a requirement to specify a project within the Google provider block, even in cases where multiple projects are later referenced.

The following code snippet provides an example of using the Terraform for_each meta-argument to configure multiple GCP projects with the same config and audit_log module blocks:

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

# Map of GCP project ID => Lacework integration name. Each key becomes one
# config integration and one audit-log integration through for_each below.
variable "projects" {
  description = "Map of GCP project IDs to Lacework integration names."
  type        = map(string)
  default = {
    "project-id-1" = "my project 1"
    "project-id-2" = "my project 2"
  }
}

# The Google provider requires a default project even though each module
# instance sets its own project_id. keys() returns the map keys sorted, so
# the first project ID in that order is used.
provider "google" {
  project = keys(var.projects)[0]
}

# Authenticates with the Lacework CLI configuration described above.
provider "lacework" {}

module "gcp_project_config" {
  source   = "lacework/config/gcp"
  version  = "~> 2.0"
  for_each = var.projects

  project_id                = each.key
  lacework_integration_name = each.value
}

module "audit_log" {
  source   = "lacework/audit-log/gcp"
  version  = "~> 3.0"
  for_each = var.projects

  project_id = each.key

  # Allows terraform destroy to remove the log bucket even if it still holds
  # exported audit logs; set to false if those logs must be retained.
  bucket_force_destroy = true

  # Reuse the service account created by the config module for the same
  # project instead of creating a second one.
  use_existing_service_account = true
  service_account_name         = module.gcp_project_config[each.key].service_account_name
  service_account_private_key  = module.gcp_project_config[each.key].service_account_private_key
}

For more information on using for_each meta-argument, visit the Terraform documentation site.

Validate the provider/module versions and the configuration as covered in the provider documentation.