# terraform-gcp-audit-log
Terraform module for configuring an integration with Google Cloud Platform Organizations and Projects for Audit Logs analysis.
Alternatively, the offending role bindings can be removed from the Terraform state file before running destroy, so that Terraform does not remove the role(s) themselves, e.g.:

```sh
terraform state rm 'google_project_iam_binding.for_lacework_service_account'
```
## Required Roles

- roles/storage.objectViewer

## Required APIs

- iam.googleapis.com
- pubsub.googleapis.com
- serviceusage.googleapis.com
- cloudresourcemanager.googleapis.com
## Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| org_integration | If set to true, configure an organization-level integration | bool | false | false |
| organization_id | The organization ID, required if org_integration is set to true | string | "" | false |
| project_id | A project ID different from the default defined inside the provider | string | "" | false |
| use_existing_service_account | Set this to true to use an existing Service Account. When using an existing service account, the required roles must be added manually. | bool | false | false |
| service_account_name | The Service Account name (required when use_existing_service_account is set to true). This can also be used to specify the new service account name when use_existing_service_account is set to false | string | "" | false |
| service_account_private_key | The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true) | string | "" | false |
| existing_bucket_name | The name of an existing bucket you want to send the logs to | string | "" | false |
| existing_sink_name | The name of an existing sink that already captures management events. Note: if both existing_bucket_name and existing_sink_name are configured, this module assumes they are correctly configured for log capture. | string | "" | false |
| bucket_region | The region where the new bucket will be created. Valid values for multi-regions are EU, US or ASIA; alternatively, set a single region or a dual-region, following the naming convention in the GCP bucket locations documentation: https://cloud.google.com/storage/docs/locations#available-locations | string | US | false |
| bucket_force_destroy | Whether to force destroy the bucket and ignore any content. | bool | false | false |
| bucket_labels | Set of labels which will be added to the audit log bucket. | map(string) | null | false |
| lacework_integration_name | The integration name displayed in the Lacework UI. | string | TF audit_log | false |
| required_apis | The APIs that should be enabled for this integration to be successful. | map(any) | See the Required APIs section | false |
| prefix | The prefix that will be used at the beginning of every generated resource | string | lw-at | false |
| labels | Set of labels which will be added to the resources managed by the module | map(string) | null | false |
| wait_time | Amount of time to wait before the next resource is provisioned. | string | 10s | false |
| enable_ubla | Enable Uniform Bucket Level Access on the audit log bucket | bool | false | false |
| lifecycle_rule_age | Number of days to keep audit logs in the Lacework GCS bucket before deleting them. Leave null to keep indefinitely | number | null | false |
| pubsub_topic_labels | Set of labels which will be added to the topic. | map(string) | null | false |
| pubsub_subscription_labels | Set of labels which will be added to the subscription. | map(string) | null | false |
## Outputs

| Name | Description |
|---|---|
| service_account_name | The Service Account name |
| service_account_private_key | The private key in JSON format, base64 encoded |
| bucket_name | The storage bucket name |
| pubsub_topic_name | The PubSub topic name |
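A worked configuration, added here as an example and not part of the module's own code: an organization-level integration that creates a new bucket using the hardening inputs listed above and treats the returned key as a secret. The module source path, organization ID and project ID are placeholders.

```hcl
# Added example (not from the module). The default project comes from the
# provider; project_id only needs setting when a different project is wanted.
provider "google" {
  project = "audit-log-project-id" # placeholder
}

module "gcp_org_audit_log" {
  source = "../terraform-gcp-audit-log" # placeholder: local checkout of this module

  # Organization-level integration: organization_id is required when this is true
  org_integration = true
  organization_id = "000000000000" # placeholder

  # New bucket settings from the Inputs table
  bucket_region        = "US"   # multi-region; EU or ASIA are also valid
  enable_ubla          = true   # Uniform Bucket Level Access: no per-object ACLs
  lifecycle_rule_age   = 365    # delete audit objects after 365 days (null keeps forever)
  bucket_force_destroy = false  # refuse to destroy a bucket that still holds logs

  # Naming and labels applied to every resource the module creates
  prefix = "lw-at"
  labels = {
    owner = "security"
    env   = "prod"
  }
  bucket_labels             = { retention = "365d" }
  lacework_integration_name = "GCP org audit log"
}

# The module outputs the service account's private key (base64 JSON). Mark the
# output sensitive so plan/apply output redacts it; it still lives in the state
# file, so the state backend must be access-controlled and encrypted.
output "audit_log_service_account_key" {
  value     = module.gcp_org_audit_log.service_account_private_key
  sensitive = true
}

output "audit_log_bucket" {
  value = module.gcp_org_audit_log.bucket_name
}
```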