
terraform-azure-activity-log

Terraform module for configuring an integration with Azure Subscriptions and Tenants for Activity Log analysis. It configures a Diagnostic Setting on each selected subscription that exports the Activity Log to a storage account, from which Lacework reads the Activity Logs.

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.14 |
| azurerm | ~> 3.115 |
| lacework | ~> 1.18 |
| random | >= 2.1 |

Providers

| Name | Version |
|------|---------|
| azurerm | ~> 3.115 |
| lacework | ~> 1.18 |
| random | >= 2.1 |
| time | n/a |

Modules

| Name | Source | Version |
|------|--------|---------|
| az_ad_application | lacework/ad-application/azure | ~> 1.0 |

Resources

| Name | Type |
|------|------|
| azurerm_eventgrid_event_subscription.lacework | resource |
| azurerm_monitor_diagnostic_setting.lacework | resource |
| azurerm_private_endpoint.lacework | resource |
| azurerm_resource_group.lacework | resource |
| azurerm_role_assignment.lacework | resource |
| azurerm_role_definition.lacework | resource |
| azurerm_storage_account.lacework | resource |
| azurerm_storage_account_network_rules.lacework | resource |
| azurerm_storage_queue.lacework | resource |
| azurerm_subnet.lacework | resource |
| azurerm_virtual_network.lacework | resource |
| lacework_integration_azure_al.lacework | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| azurerm_storage_account.lacework | data source |
| azurerm_subscription.primary | data source |
| azurerm_subscriptions.available | data source |
| lacework_metric_module.lwmetrics | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| all_subscriptions | If set to true, grant read access to ALL subscriptions within the selected Tenant (overrides subscription_ids) | `bool` | `false` | no |
| application_id | The Active Directory Application id to use (required when use_existing_ad_application is set to true) | `string` | `""` | no |
| application_name | The name of the Azure Active Directory Application (required when use_existing_ad_application is set to true) | `string` | `"lacework_security_audit"` | no |
| application_password | The Active Directory Application password to use (required when use_existing_ad_application is set to true) | `string` | `""` | no |
| diagnostic_settings_name | The name of the subscription's Diagnostic Setting for Activity Logs (required when use_existing_diagnostic_settings is set to true) | `string` | `"activity-logs"` | no |
| existing_subnet_id | Subnet ID of an existing VNet to use for creating the private endpoint and/or storage account access rules | `string` | `""` | no |
| infrastructure_encryption_enabled | Enable Infrastructure Encryption for the Azure Storage Account | `bool` | `false` | no |
| lacework_integration_name | The Lacework integration name | `string` | `"TF activity log"` | no |
| location | Azure region where the storage account for logging will reside | `string` | `"West US 2"` | no |
| log_retention_days | Specifies the number of days that logs will be retained | `number` | `10` | no |
| prefix | The prefix to use at the beginning of every generated resource | `string` | `"lacework"` | no |
| private_endpoint_network_policies_enabled | Enable or disable network policies for the private endpoint on the subnet. Possible values are Disabled, Enabled, NetworkSecurityGroupEnabled and RouteTableEnabled. Defaults to Disabled | `string` | `"Disabled"` | no |
| service_principal_id | The Enterprise App Object ID related to the application_id (required when use_existing_ad_application is true) | `string` | `""` | no |
| storage_account_name | The name of the Storage Account | `string` | `""` | no |
| storage_account_network_rule_action | Specifies the azurerm_storage_account_network_rules default action of allow or deny when no other rules match. Valid options are Deny or Allow | `string` | `"Deny"` | no |
| storage_account_network_rule_bypass | Specifies whether traffic is bypassed for Logging/Metrics/AzureServices. Valid options are any combination of Logging, Metrics, AzureServices, or None. Requires use_storage_account_network_rules to be enabled. | `list(string)` | `["Metrics", "Logging", "AzureServices"]` | no |
| storage_account_network_rule_ip_rules | List of allowed IP addresses. Requires use_storage_account_network_rules to be enabled. | `list(string)` | `[]` | no |
| storage_account_network_rule_lacework_ip_rules | List of allowed Lacework IP addresses. See https://docs.lacework.net/onboarding/lacework-outbound-ips#docusaurus_skipToContent_fallback. Requires use_storage_account_network_rules to be enabled. | `list(string)` | `["34.208.85.38", "35.165.121.10", "35.165.62.149", "35.165.83.150", "35.166.181.157", "35.93.121.192/26", "44.231.201.69", "52.42.2.33", "52.43.197.121", "52.88.113.199", "54.200.230.179", "54.203.18.234", "54.213.7.200", "3.75.192.192/26", "3.121.245.162", "18.184.141.112", "18.193.166.115", "3.27.79.192/26"]` | no |
| storage_account_network_rule_subnet_ids | A list of virtual network subnet ids to secure the storage account. Requires use_storage_account_network_rules to be enabled. | `list(string)` | `[]` | no |
| storage_account_resource_group | The Resource Group of the existing Storage Account | `string` | `""` | no |
| subnet_address_prefixes | Limit the CIDR of the subnet | `list(string)` | `["10.0.1.0/24"]` | no |
| subscription_exclusions | List of subscriptions to exclude when using the all_subscriptions option. | `list(string)` | `[]` | no |
| subscription_ids | List of subscriptions to enable logging for (by default the module will only use the primary subscription) | `list(string)` | `[]` | no |
| tags | Key-value map of Tag names and Tag values | `map(string)` | `{}` | no |
| use_existing_ad_application | Set this to true to use an existing Active Directory Application | `bool` | `false` | no |
| use_existing_diagnostic_settings | Set this to true to use an existing Diagnostic Setting. Default behavior creates a new Diagnostic Setting | `bool` | `false` | no |
| use_existing_storage_account | Set this to true to use an existing Storage Account. Default behavior creates a new Storage Account | `bool` | `false` | no |
| use_existing_subnet | Set this to true to use an existing VNet Subnet ID. Default behavior creates a new VNet | `bool` | `false` | no |
| use_storage_account_network_rules | Enable configuration of the azurerm_storage_account_network_rules resource | `bool` | `false` | no |
| virtual_network_address_space | Address space of the Storage Account VNet | `list(string)` | `["10.0.0.0/16"]` | no |
| wait_time | Amount of time to wait before the Lacework resources are provisioned | `string` | `"50s"` | no |
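The following root module is an added usage example, not part of this README or the module's own code. It wires the inputs above into a tenant-wide, locked-down configuration: every subscription in the tenant except an excluded one sends its Activity Log to the storage account, the storage account's network rules default to Deny with only Azure trusted services and the documented Lacework egress IPs allowed in, and infrastructure encryption is turned on. The registry source path `lacework/activity-log/azure` is assumed from the repository name and should be pinned to a released version; the excluded subscription id is a placeholder, the tag values are constructed, and the `lacework` provider is assumed to pick up its API credentials from the usual environment variables or CLI profile.

```hcl
terraform {
  required_version = ">= 0.14"

  required_providers {
    azurerm = {
      source  = "hashicorp/azurerm"
      version = "~> 3.115"
    }
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.18"
    }
  }
}

provider "azurerm" {
  features {}
}

# Credentials for the Lacework API are taken from the environment / CLI profile (assumption).
provider "lacework" {}

module "az_activity_log" {
  # Registry path assumed from the repository name; pin a version in real use.
  source = "lacework/activity-log/azure"

  lacework_integration_name = "prod-tenant-activity-log"
  location                  = "West US 2"
  prefix                    = "lacework"

  # Cover the whole tenant, but leave out one subscription (placeholder id).
  all_subscriptions       = true
  subscription_exclusions = ["00000000-0000-0000-0000-000000000000"]

  # Harden the landing storage account: deny by default, let Azure platform
  # telemetry and trusted services through, and keep the module's default
  # list of Lacework source IPs (storage_account_network_rule_lacework_ip_rules).
  use_storage_account_network_rules   = true
  storage_account_network_rule_action = "Deny"
  storage_account_network_rule_bypass = ["Metrics", "Logging", "AzureServices"]

  # Encrypt at the infrastructure layer and keep logs longer than the default 10 days.
  infrastructure_encryption_enabled = true
  log_retention_days                = 30

  tags = {
    owner   = "secops"           # constructed value
    purpose = "activity-log-ingest"
  }
}

# Surface what operators need to verify the integration without opening the state file.
output "lacework_integration_guid" {
  value = module.az_activity_log.lacework_integration_guid
}

output "storage_account_name" {
  value = module.az_activity_log.storage_account_name
}

output "subscription_ids" {
  description = "Subscriptions whose Activity Log is being exported"
  value       = module.az_activity_log.subscription_ids
}
```

After `terraform apply`, the `subscription_ids` output is the quickest check that the exclusion list did what was intended, and the storage account's network rules can be confirmed in the portal or with `az storage account show` to read `Deny` as the default action before the integration is relied on for detection.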

Outputs

| Name | Description |
|------|-------------|
| application_id | The Lacework AD Application id |
| application_password | The Lacework AD Application password |
| diagnostic_settings_name | The name of the subscription's Diagnostic Setting for Activity Logs |
| lacework_integration_guid | GUID of the created Lacework integration |
| service_principal_id | The Lacework Service Principal id |
| storage_account_name | The name of the centralized Storage Account for Activity Logs |
| storage_account_resource_group | The resource group of the centralized Storage Account for Activity Logs |
| subscription_ids | The list of subscriptions that will send Activity Logs to the storage account |