GCP - Integrate Agentless Workload Scanning with Terraform

Info: GCP support for Agentless Workload Scanning is in Preview.

This integration method uses Terraform.

Overview

This article provides the prerequisites and troubleshooting steps for an Agentless Workload Scanning integration.

The Agentless Workload Scanning integration is configured with Terraform using the lacework_gcp_agentless_scanning module.

If you are new to the Lacework Terraform Provider or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics of configuring the provider.

This module installs global and regional resources. The global resources should be installed once for a Lacework integration. The regional resources should be installed in each region where scanning will occur. Having per-region resources ensures that no cross-region traffic occurs.

Once you have read through the access and resource requirements, complete the integration steps for your chosen integration level (Option 1 through Option 4 under Agentless Workload Scanning - Terraform Integration Steps).

If you want to specify a custom VPC network/subnetwork for your integration, see Custom VPC Network/Subnetwork for GCP Terraform Integrations for an example.

Access and Resource Requirements

Agentless Workload Scanning on GCP is performed by a combination of Cloud Run jobs and Compute Engine instances.

A Cloud Run job is invoked every hour by the Cloud Scheduler. The job checks if scanning needs to be performed and will clean up any lingering resources. If scanning needs to be performed, the job performs the following tasks:

  • Enumerates the monitored projects (or the entire organization) and finds Compute Engine instances.
  • Finds the associated disks for the Compute Engine instances and clones them in the scanning project where the Cloud Run job is hosted.
  • Launches Compute Engine instances to mount the cloned disks in the filesystem and then performs scanning.

A new VPC subnetwork is needed in each scanning zone within a single GCP project. By default, the scanning resource uses the default network unless a custom VPC is created during installation (see Custom VPC Network/Subnetwork for GCP Terraform Integrations for an example of this). Agentless Workload Scanning also requires an egress rule on port 443 for telemetry logging.

Lacework recommends creating a separate project for hosting Lacework scanning resources.

Integration Requirements

  • gcloud CLI - The Terraform Provider for gcloud leverages the configuration from the gcloud CLI. It is recommended that the gcloud CLI is installed and configured for the project being set up to deploy scanning resources.
  • Lacework Administrator - You must have a Lacework account with administrator privileges.
  • Lacework CLI - Lacework leverages the configuration from the Lacework CLI. It is recommended the Lacework CLI is installed and configured.
  • Terraform - ~> 0.14, ~> 0.15, ~> 1.0, ~> 1.1.
  • GCP IAM roles - The IAM/user used to run Terraform must have administrative privileges to create IAM roles on every GCP project or organization you intend to integrate with Lacework.

Access Requirements

  • Access to set up Cloud Run jobs that will be triggered by the Cloud Scheduler.
  • Access to set up Cloud Scheduler that invokes the Cloud Run job every hour.
  • Access to create a new Cloud Storage bucket.
  • Access to create a new secret in the GCP Secret Manager.
  • Access to create an IAM role in each monitored project or at the organization level that allows listing instances, finding attached disks and cloning them to the scanning project.
  • Access to create IAM roles in the scanning project that allow the following:
    • managing (creating, deleting) clones and compute instances in the scanning project.
    • reading from and writing to the scanning storage bucket.
    • running the Cloud Run job and Compute Engine instances in the scanning project.
  • Access to create service accounts in the scanning project associated with the IAM roles mentioned above.
  • Access to create a VPC, subnets, and add firewall rules for the Compute Engine instances.

Module Dependencies

Lacework Terraform modules for GCP Agentless Workload Scanning have the following dependencies that will be installed when running terraform init:

Agentless Workload Scanning - Terraform Integration Steps

Choose the type of GCP Agentless Workload Scanning integration that you want to perform:

Option 1: Project Integration - Single Region

In this example, we add Terraform modules to one Google Cloud region:

  • Global resources are deployed to the default Google provider region.
    • Service Accounts/Permissions
    • Object Storage Bucket
    • Secret Manager Secret
  • Regional resources are deployed to the default Google provider region.
    • Cloud Run Job
    • Cloud Scheduler Job
  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 0.12.31"

      required_providers {
        lacework = {
          source  = "lacework/lacework"
          version = "~> 1.3"
        }
      }
    }
  2. Use the example below for your main.tf file:

    provider "lacework" {}

    provider "google" {}

    # Global and regional resources are both deployed to the default Google provider region.
    module "lacework_gcp_agentless_scanning_project_single_region" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      project_filter_list = [
        "monitored-project-1",
        "monitored-project-2"
      ]

      global                    = true
      regional                  = true
      lacework_integration_name = "agentless_from_terraform"
    }

Option 2: Project Integration - Multi Region

In this example, we add Terraform modules to two Google Cloud regions:

  • Global resources are deployed to us-east1.
    • Service Accounts/Permissions
    • Object Storage Bucket
    • Secret Manager Secret
  • Regional resources are deployed to us-east1 and us-central1.
    • Cloud Run Job
    • Cloud Scheduler Job
  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 0.12.31"

      required_providers {
        lacework = {
          source  = "lacework/lacework"
          version = "~> 1.3"
        }
      }
    }
  2. Use the example below for your main.tf file:

    provider "lacework" {}

    provider "google" {
      alias  = "use1"
      region = "us-east1"
    }

    provider "google" {
      alias  = "usc1"
      region = "us-central1"
    }

    # us-east1: global resources (installed once) plus regional resources.
    module "lacework_gcp_agentless_scanning_project_multi_region_use1" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.use1
      }

      project_filter_list = [
        "monitored-project-1",
        "monitored-project-2"
      ]

      global                    = true
      regional                  = true
      lacework_integration_name = "agentless_from_terraform"
    }

    # us-central1: regional resources only, reusing the global resources from us-east1.
    module "lacework_gcp_agentless_scanning_project_multi_region_usc1" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.usc1
      }

      regional                = true
      global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_use1
    }

Option 3: Organization Integration - Single Region

In this example, we add Terraform modules to one Google Cloud region:

  • Global resources are deployed to the default Google provider region.
    • Service Accounts/Permissions
    • Object Storage Bucket
    • Secret Manager Secret
  • Regional resources are deployed to the default Google provider region.
    • Cloud Run Job
    • Cloud Scheduler Job
  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 0.12.31"

      required_providers {
        lacework = {
          source  = "lacework/lacework"
          version = "~> 1.3"
        }
      }
    }
  2. Use the example below for your main.tf file:

    provider "lacework" {}

    provider "google" {}

    # Organization-level integration: global and regional resources are both
    # deployed to the default Google provider region.
    module "lacework_gcp_agentless_scanning_org_single_region" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      integration_type = "ORGANIZATION"
      organization_id  = "123456789012"

      global                    = true
      regional                  = true
      lacework_integration_name = "agentless_from_terraform"
    }

Option 4: Organization Integration - Multi Region

In this example, we add Terraform modules to two Google Cloud regions:

  • Global resources are deployed to us-east1.
    • Service Accounts/Permissions
    • Object Storage Bucket
    • Secret Manager Secret
  • Regional resources are deployed to us-east1 and us-central1.
    • Cloud Run Job
    • Cloud Scheduler Job
  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 0.12.31"

      required_providers {
        lacework = {
          source  = "lacework/lacework"
          version = "~> 1.3"
        }
      }
    }
  2. Use the example below for your main.tf file:

    provider "lacework" {}

    provider "google" {
      alias  = "use1"
      region = "us-east1"
    }

    provider "google" {
      alias  = "usc1"
      region = "us-central1"
    }

    # us-east1: global resources (installed once) plus regional resources.
    module "lacework_gcp_agentless_scanning_org_multi_region" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.use1
      }

      integration_type = "ORGANIZATION"
      organization_id  = "123456789012"

      global                    = true
      regional                  = true
      lacework_integration_name = "agentless_from_terraform"
    }

    # us-central1: regional resources only, reusing the global resources from us-east1.
    module "lacework_gcp_agentless_scanning_org_multi_region_usc1" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.usc1
      }

      regional                = true
      global_module_reference = module.lacework_gcp_agentless_scanning_org_multi_region
    }

Custom VPC Network/Subnetwork for GCP Terraform Integrations

Follow the example below if you want to specify a custom network/subnetwork for your GCP integration.

In this example, we add Terraform modules to two Google Cloud regions for a project level integration (similar to Option 2: Project Integration - Multi Region):

  • Global resources are deployed to us-east1.
    • Service Accounts/Permissions
    • Object Storage Bucket
    • Secret Manager Secret
    • Custom VPC Network
    • Firewall Rules for Agentless Workload Scanning
  • Regional resources are deployed to us-east1 and us-central1.
    • Cloud Run Job
    • Cloud Scheduler Job
    • Custom VPC Subnetwork
  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 0.12.31"

      required_providers {
        lacework = {
          source = "lacework/lacework"
        }
      }
    }
  2. Use the example below for your main.tf file:

    provider "lacework" {}

    provider "google" {
      alias  = "use1"
      region = "us-east1"
    }

    provider "google" {
      alias  = "usc1"
      region = "us-central1"
    }

    locals {
      project_filter_list = [
        "monitored-project-1",
        "monitored-project-2"
      ]
    }

    # Custom VPC network shared by both scanning regions.
    resource "google_compute_network" "awls" {
      provider = google.use1

      name                    = "lacework-awls"
      auto_create_subnetworks = false
    }

    # One custom subnetwork per scanning region.
    resource "google_compute_subnetwork" "awls_subnet_1" {
      provider = google.use1

      name          = "lacework-awls-subnet1"
      ip_cidr_range = "10.10.1.0/24"

      network = google_compute_network.awls.id
    }

    resource "google_compute_subnetwork" "awls_subnet_2" {
      provider = google.usc1

      name          = "lacework-awls-subnet2"
      ip_cidr_range = "10.10.2.0/24"

      network = google_compute_network.awls.id
    }

    # Egress on TCP 443, which Agentless Workload Scanning requires for telemetry logging.
    resource "google_compute_firewall" "rules" {
      provider = google.use1

      name        = "awls-allow-https-egress"
      network     = google_compute_network.awls.name
      description = "Firewall policy for Lacework Agentless Workload Scanning"
      direction   = "EGRESS"

      destination_ranges = [
        "0.0.0.0/0"
      ]

      allow {
        protocol = "tcp"
        ports    = ["443"]
      }
    }

    # us-east1: global resources (installed once) plus regional resources.
    module "lacework_gcp_agentless_scanning_project_multi_region_use1" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.use1
      }

      project_filter_list = local.project_filter_list

      global   = true
      regional = true

      custom_vpc_subnet = google_compute_subnetwork.awls_subnet_1.id
    }

    # us-central1: regional resources only, reusing the global resources from us-east1.
    module "lacework_gcp_agentless_scanning_project_multi_region_usc1" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.usc1
      }

      project_filter_list = local.project_filter_list

      regional                = true
      global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_use1

      custom_vpc_subnet = google_compute_subnetwork.awls_subnet_2.id
    }

Verify your Agentless Workload Scanning Integration

In the Lacework console, the status of the integration at Settings > Integrations > Cloud accounts will display as Success if all resources are installed correctly. If the periodic scanning encounters an error, the status will display the error details.

Remove an Agentless Workload Scanning Integration

Start in the Lacework console.

  1. In Settings > Integrations > Cloud accounts, find the integration that you would like to remove.
  2. Toggle the integration State to disabled, or Delete the integration using the actions menu on the right.

Using Terraform, run terraform destroy for the Agentless module.