Skip to content

Latest commit

 

History

History
144 lines (129 loc) · 20.1 KB

README.md

File metadata and controls

144 lines (129 loc) · 20.1 KB

terraform-azure-agentless-scanning

GitHub release Codefresh build status

A Terraform Module to configure the Lacework Agentless Scanner on Azure.

All code contributions made by Lacework customers to this repo are considered ‘Feedback’ under section 4.3 of the Lacework Terms of Service.

Requirements

Name Version
terraform >= 1.9
azapi ~> 1.15.0
azuread ~> 2.53.1
azurerm ~> 3.116.0
lacework ~> 2.0

Providers

Name Version
azapi ~> 1.15.0
azuread ~> 2.53.1
azurerm ~> 3.116.0
lacework ~> 2.0
random n/a
terraform n/a

Modules

No modules.

Resources

Name Type
azapi_resource.container_app_job_agentless resource
azuread_application.lw resource
azuread_service_principal.data_loader resource
azuread_service_principal_password.data_loader resource
azurerm_container_app_environment.agentless_orchestrate resource
azurerm_key_vault.lw_orchestrate resource
azurerm_key_vault_access_policy.access_for_sidekick resource
azurerm_key_vault_access_policy.access_for_user resource
azurerm_key_vault_secret.lw_orchestrate resource
azurerm_log_analytics_workspace.agentless_orchestrate resource
azurerm_nat_gateway.agentless_nat_gateway resource
azurerm_nat_gateway_public_ip_association.agentless_ip_association resource
azurerm_network_security_group.agentless_orchestrate resource
azurerm_public_ip.agentless_public_ip resource
azurerm_resource_group.scanning_rg resource
azurerm_role_assignment.key_vault_sidekick resource
azurerm_role_assignment.key_vault_user resource
azurerm_role_assignment.orchestrate resource
azurerm_role_assignment.scanner resource
azurerm_role_assignment.storage_data_loader resource
azurerm_role_assignment.storage_sidekick resource
azurerm_role_definition.agentless_monitored_subscription resource
azurerm_role_definition.agentless_scanning_subscription resource
azurerm_storage_account.scanning resource
azurerm_storage_container.scanning resource
azurerm_subnet.agentless_subnet resource
azurerm_subnet_nat_gateway_association.agentless_nat_gateway_association resource
azurerm_subnet_network_security_group_association.agentless_nsg_association resource
azurerm_user_assigned_identity.sidekick resource
azurerm_virtual_network.agentless_orchestrate resource
lacework_integration_azure_agentless_scanning.lacework_cloud_account resource
random_id.uniq resource
terraform_data.job_execution_now resource
azurerm_client_config.current data source
azurerm_resource_group.scanning_rg data source
azurerm_subscription.current data source
azurerm_subscriptions.available data source
lacework_metric_module.lwmetrics data source
lacework_user_profile.current data source

Inputs

Name Description Type Default Required
additional_environment_variables Optional list of additional environment variables passed to the task. 
list(object({
    name  = string
    value = string
  }))
 [] no
blob_container_name name of the blob container used for storing analysis artifacts. Leave blank to generate one string "" no
create_log_analytics_workspace Creates a log analytics workspace to see container logs. Defaults to false to avoid charging bool false no
custom_network The name of the custom Azure Virtual Network subnet. Make sure it allows egress traffic on port 443. Leave empty to create a new one. string "" no
custom_network_security_group The name of the custom Azure Virtual Network security group. Only needed when specifying a custom network and using a NAT gateway. string "" no
enable_storage_infrastructure_encryption enable Azure storage account-level infrastructure encryption. Defaults to false bool false no
execute_now execute newly created job(s) immediately after deployment bool true no
filter_query_text The LQL query to constrain the scanning to specific resources. If left blank, Lacework will scan all resources available to the account or organization. For more information, see Limit Scanned Workloads. string "" no
global Whether we create global resources for this deployment. Defaults to false bool false no
global_module_reference A reference to the global lacework_azure_agentless_scanning module for this account. 
object({
    scanning_resource_group_name              = string
    scanning_resource_group_id                = string
    key_vault_id                              = string
    key_vault_uri                             = string
    key_vault_secret_name                     = string
    lacework_account                          = string
    lacework_domain                           = string
    lacework_integration_name                 = string
    storage_account_name                      = string
    storage_account_id                        = string
    blob_container_name                       = string
    prefix                                    = string
    suffix                                    = string
    monitored_subscription_role_definition_id = string
    scanning_subscription_role_definition_id  = string
    sidekick_principal_id                     = string
    sidekick_client_id                        = string
    subscriptions_list                        = set(string)
  })
 
{
  "blob_container_name": "",
  "key_vault_id": "",
  "key_vault_secret_name": "",
  "key_vault_uri": "",
  "lacework_account": "",
  "lacework_domain": "",
  "lacework_integration_name": "",
  "monitored_subscription_role_definition_id": "",
  "prefix": "",
  "scanning_resource_group_id": "",
  "scanning_resource_group_name": "",
  "scanning_subscription_role_definition_id": "",
  "sidekick_client_id": "",
  "sidekick_principal_id": "",
  "storage_account_id": "",
  "storage_account_name": "",
  "subscriptions_list": [],
  "suffix": ""
}
 no
image_url The container image url for Lacework Agentless Workload Scanning. string "public.ecr.aws/p5r4i7k7/sidekick:latest" no
integration_level If we are integrating into a subscription or tenant. Valid values are 'SUBSCRIPTION' or 'TENANT' string n/a yes
key_vault_id The ID of the Key Vault containing the Lacework Account and Auth Token string "" no
lacework_account The name of the Lacework account with which to integrate. string "" no
lacework_domain The domain of the Lacework account with with to integrate. string "lacework.net" no
lacework_integration_name The name of the Lacework cloud account integration. Should only be set in global resource string "azure-agentless-scanning" no
notification_email Used for receiving notification on key updates such as those to service principal string "" no
owner_id Owner for service account created. Azure recommends having one string "" no
prefix A string to be prefixed to the name of all new resources. string "lacework" no
region The region where LW scanner is deployed to string "westus2" no
regional Whether or not to create regional resources. Defaults to true. bool true no
scan_containers Whether to includes scanning for containers. Defaults to true. bool true no
scan_frequency_hours How often in hours the scan will run in hours. Defaults to 24. number 24 no
scan_host_vulnerabilities Whether to includes scanning for host vulnerabilities. Defaults to true. bool true no
scan_multi_volume Whether to scan secondary volumes. Defaults to false. bool false no
scan_stopped_instances Whether to scan stopped instances. Defaults to true. bool true no
scanning_resource_group_name The name of the resource group where LW sidekick is deployed. Leave blank to create a new one string "" no
scanning_subscription_id SubcriptionId where LW Sidekick is deployed. Leave blank to use the current one used by Azure Resource Manager. Show it through az account show string "" no
storage_account_url url of the storage account used for storing analysis artifacts. string "" no
subscriptions_list List of subscriptions to be scanned. Prefix a subscription with '-' to exclude it from scanning. Set only for global resource set(string) [] no
suffix A string to be appended to the end of the name of all new resources. string "" no
tags Set of tags which will be added to the resources managed by the module. map(string) {} no
tenant_id TenantId where LW Sidekick is deployed string "" no
use_nat_gateway Whether to use a NAT gateway instead of public IPs on scanning instances. Defaults to false. bool false no

Outputs

Name Description
agentless_credentials_client_id Client id of the service principal of Lacework app
agentless_credentials_client_secret Client secret of the service principal of Lacework app
blob_container_name The blob container used to store Agentless Workload Scanning data
key_vault_id The ID of the Key Vault that stores the LW credentials
key_vault_secret_name The name of the secret stored in key vault. The secret contains LW account authN details
key_vault_uri The URI of the key vault that stores LW account details
lacework_account Lacework Account Name for Integration.
lacework_domain Lacework Domain Name for Integration.
lacework_integration_name The name of the integration. Passed along in global module reference.
monitored_subscription_role_definition_id The id of the monitored subscription role definition
prefix Prefix used to add uniqueness to resource names.
scanning_resource_group_id Id of the resource group hosting the scanner
scanning_resource_group_name Name of the resource group hosting the scanner
scanning_subscription_role_definition_id The id of the scanning subscription role definition
sidekick_client_id Client id of the managed identity running scanner
sidekick_principal_id The principal id of the user identity used by agentless scanner
storage_account_id The ID of storage account used for scanning
storage_account_name The blob storage account for Agentless Workload Scanning data.
subscriptions_list The subscriptions list in global module reference
suffix Suffix used to add uniqueness to resource names.