Terraform module for configuring an integration with Lacework and AWS for cloud resource configuration assessment.
Requirements (Terraform core and provider versions this module is tested against):

| Name | Version |
|---|---|
| terraform | >= 0.14 |
| aws | >= 3.35.0 |
| lacework | ~> 1.0 |
| random | >= 2.1 |
| time | ~> 0.6 |
Providers used by the module:

| Name | Version |
|---|---|
| aws | >= 3.35.0 |
| lacework | ~> 1.0 |
| random | >= 2.1 |
| time | ~> 0.6 |
Child modules (the IAM role module is only invoked when `use_existing_iam_role` is `false`):

| Name | Source | Version |
|---|---|---|
| lacework_cfg_iam_role | lacework/iam-role/aws | ~> 0.4 |
Resources and data sources created or read by the module:

| Name | Type |
|---|---|
| aws_iam_policy.lacework_audit_policy | resource |
| aws_iam_role_policy_attachment.lacework_audit_policy_attachment | resource |
| aws_iam_role_policy_attachment.security_audit_policy_attachment | resource |
| lacework_integration_aws_cfg.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| aws_iam_policy_document.lacework_audit_policy | data source |
Inputs:

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| external_id_length | Deprecated - Will be removed on our next major release v1.0.0 | number | 16 | no |
| iam_role_arn | The IAM role ARN is required when setting use_existing_iam_role to true | string | "" | no |
| iam_role_external_id | The external ID configured inside the IAM role is required when setting use_existing_iam_role to true | string | "" | no |
| iam_role_name | The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to true | string | "" | no |
| lacework_audit_policy_name | The name of the custom audit policy (which extends SecurityAudit) to allow Lacework to read configs. Defaults to lwaudit-policy-${random_id.uniq.hex} when empty | string | "" | no |
| lacework_aws_account_id | The Lacework AWS account that the IAM role will grant access to | string | "434813966438" | no |
| lacework_integration_name | The name of the integration in Lacework | string | "TF config" | no |
| permission_boundary_arn | Optional - ARN of the policy that is used to set the permissions boundary for the role | string | null | no |
| tags | A map/dictionary of tags to be assigned to created resources | map(string) | {} | no |
| use_existing_iam_role | Set this to true to use an existing IAM role | bool | false | no |
| use_existing_iam_role_policy | Set this to true to use an existing policy on the IAM role, rather than attaching a new one | bool | false | no |
| wait_time | Amount of time to wait before the next resource is provisioned | string | "10s" | no |
Outputs:

| Name | Description |
|---|---|
| external_id | The External ID configured into the IAM role |
| iam_role_arn | The IAM Role ARN |
| iam_role_name | The IAM Role name |
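The following root configuration is an added example and is not part of this module or its documentation. It shows the two ways of wiring the inputs above: letting the module create the role, and handing it a role created elsewhere via `use_existing_iam_role`. In the second case all three of `iam_role_arn`, `iam_role_name` and `iam_role_external_id` must describe the same role, and the external ID must be the value in that role's trust policy `sts:ExternalId` condition, otherwise Lacework cannot assume the role. The module `source` path, the role name, the region, the integration names and the Lacework provider credential setup are assumptions for illustration.

```hcl
terraform {
  required_version = ">= 0.14"
  required_providers {
    aws      = { source = "hashicorp/aws", version = ">= 3.35.0" }
    lacework = { source = "lacework/lacework", version = "~> 1.0" }
    random   = { source = "hashicorp/random", version = ">= 2.1" }
  }
}

provider "aws" {
  region = "us-east-1" # assumed region
}

# Credentials for the Lacework provider are taken from its usual
# environment/profile configuration; nothing is hard-coded here.
provider "lacework" {}

# Case 1: the module creates the IAM role, the custom audit policy and the
# Lacework integration. Only the integration name and tags are overridden.
module "lacework_aws_config" {
  source = "./terraform-aws-config" # assumed local checkout of this module

  lacework_integration_name = "prod-config"
  tags = {
    owner      = "security"
    managed_by = "terraform"
  }
}

# Case 2: reuse a role managed outside the module. The trust policy limits who
# may assume the role to the Lacework account AND requires the external ID,
# which is what prevents a confused-deputy assumption by another tenant.
resource "random_id" "lacework_external_id" {
  byte_length = 8 # 16 hex characters, matching the module's historical default length
}

data "aws_iam_policy_document" "lacework_trust" {
  statement {
    sid     = "LaceworkAssumeRole"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::434813966438:root"] # Lacework account from the inputs table
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [random_id.lacework_external_id.hex]
    }
  }
}

resource "aws_iam_role" "lacework_config" {
  name               = "lacework-config-audit" # assumed role name
  assume_role_policy = data.aws_iam_policy_document.lacework_trust.json
}

module "lacework_aws_config_existing_role" {
  source = "./terraform-aws-config" # assumed local checkout of this module

  lacework_integration_name = "prod-config-existing-role"

  use_existing_iam_role = true
  iam_role_arn          = aws_iam_role.lacework_config.arn
  iam_role_name         = aws_iam_role.lacework_config.name
  iam_role_external_id  = random_id.lacework_external_id.hex
}

# Handy for confirming the external ID the integration was registered with.
output "lacework_external_id" {
  value     = module.lacework_aws_config_existing_role.external_id
  sensitive = true
}
```

In case 2 the module still attaches `SecurityAudit` and the custom audit policy to the role unless `use_existing_iam_role_policy` is also set to `true`; if you do set it, make sure the role already carries equivalent read permissions, or the integration will report missing data rather than failing loudly.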
The Lacework audit policy extends the AWS-managed SecurityAudit policy so that additional configuration resources can be read. All of its actions are read-only (`Get*`, `Describe*`, `List*`) and apply to all resources (`*`). The policy consists of the following statements:

| sid | actions | resources |
|---|---|---|
| GetEbsEncryptionByDefault | ec2:GetEbsEncryptionByDefault | * |
| GetBucketPublicAccessBlock | s3:GetBucketPublicAccessBlock | * |
| EFS | elasticfilesystem:DescribeFileSystemPolicy<br>elasticfilesystem:DescribeLifecycleConfiguration<br>elasticfilesystem:DescribeAccessPoints<br>elasticfilesystem:DescribeAccountPreferences<br>elasticfilesystem:DescribeBackupPolicy<br>elasticfilesystem:DescribeReplicationConfigurations | * |
| EMR | elasticmapreduce:ListBootstrapActions<br>elasticmapreduce:ListInstanceFleets<br>elasticmapreduce:ListInstanceGroups | * |
| SAGEMAKER | sagemaker:GetModelPackageGroupPolicy<br>sagemaker:GetLineageGroupPolicy | * |
| IDENTITYSTORE | identitystore:DescribeGroup<br>identitystore:DescribeGroupMembership<br>identitystore:DescribeUser<br>identitystore:ListGroupMemberships<br>identitystore:ListGroupMembershipsForMember<br>identitystore:ListGroups<br>identitystore:ListUsers | * |
| SSO | sso:DescribeAccountAssignmentDeletionStatus<br>sso:DescribeInstanceAccessControlAttributeConfiguration<br>sso:GetInlinePolicyForPermissionSet | * |
| APIGATEWAY | apigateway:GetApiKeys<br>apigateway:GetAuthorizers<br>apigateway:GetBasePathMappings<br>apigateway:GetClientCertificates<br>apigateway:GetDeployments<br>apigateway:GetDocumentationParts<br>apigateway:GetDocumentationVersions<br>apigateway:GetDomainNames<br>apigateway:GetGatewayResponses<br>apigateway:GetModels<br>apigateway:GetModelTemplate<br>apigateway:GetRequestValidators<br>apigateway:GetResources<br>apigateway:GetRestApis<br>apigateway:GetSdk<br>apigateway:GetSdkTypes<br>apigateway:GetStages<br>apigateway:GetTags<br>apigateway:GetUsagePlanKeys<br>apigateway:GetUsagePlans<br>apigateway:GetVpcLinks | * |
| APIGATEWAYV2 | apigatewayv2:GetApis<br>apigatewayv2:GetApiMappings<br>apigatewayv2:GetAuthorizers<br>apigatewayv2:GetDeployments<br>apigatewayv2:GetDomainNames<br>apigatewayv2:GetIntegrations<br>apigatewayv2:GetIntegrationResponses<br>apigatewayv2:GetModelTemplate<br>apigatewayv2:GetModels<br>apigatewayv2:GetRoute<br>apigatewayv2:GetRouteResponses<br>apigatewayv2:GetStages<br>apigatewayv2:GetVpcLinks | * |

Note that `apigateway:GetApiKeys` returns API key values, and `apigateway:GetSdk`, `apigateway:GetClientCertificates` and the `sso:GetInlinePolicyForPermissionSet` action expose configuration that is sensitive in its own right; the role that carries this policy should be treated accordingly (external ID enforced in the trust policy, optional permissions boundary via `permission_boundary_arn`, CloudTrail monitoring of AssumeRole calls from the Lacework account).
