terraform-gcp-gke-audit-log

A Terraform Module to configuring an integration with Google Cloud Platform GKE Audit Logs with Lacework for analysis.

⚠️ - NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied. This means when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and this will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed.

e.g. terraform state rm 'google_project_iam_binding.for_lacework_service_account'

Required Roles

roles/pubsub.publisher
roles/pubsub.subscriber

Required APIs

iam.googleapis.com
pubsub.googleapis.com
serviceusage.googleapis.com
cloudresourcemanager.googleapis.com

Requirements

Name	Version
terraform	>= 0.15.1
google	>= 4.4.0
lacework	~> 2.0
time	~> 0.6

Providers

Name	Version
google	>= 4.4.0
lacework	~> 2.0
random	n/a
time	~> 0.6

Modules

Name	Source	Version
lacework_gke_svc_account	lacework/service-account/gcp	~> 2.0

Resources

Name	Type
google_logging_organization_sink.lacework_organization_sink	resource
google_logging_project_sink.lacework_project_sink	resource
google_organization_iam_audit_config.organization_audit_logs	resource
google_organization_iam_member.for_lacework_service_account	resource
google_project_iam_audit_config.project_audit_logs	resource
google_project_iam_member.for_lacework_service_account	resource
google_project_service.required_apis	resource
google_pubsub_subscription.lacework_subscription	resource
google_pubsub_subscription_iam_binding.lacework	resource
google_pubsub_topic.lacework_topic	resource
google_pubsub_topic_iam_binding.topic_publisher	resource
lacework_integration_gcp_gke_audit_log.default	resource
random_id.uniq	resource
time_sleep.wait_time	resource
google_project.selected	data source
google_storage_project_service_account.lw	data source
lacework_metric_module.lwmetrics	data source

Inputs

Name	Description	Type	Default	Required
exclusion_filters	Set of filters that will be excluded from the audit log	list(object({ filter = string name = string description = string }))	[]	no
existing_sink_name	The name of an existing sink to be re-used for this integration	string	""	no
integration_type	Specify the integration type. Can only be PROJECT or ORGANIZATION. Defaults to PROJECT	string	"PROJECT"	no
labels	Set of labels which will be added to the resources managed by the module	map(string)	{}	no
lacework_integration_name	n/a	string	"TF gke_audit_log"	no
organization_id	The organization ID, required if integration_type is set to ORGANIZATION	string	""	no
prefix	The prefix that will be use at the beginning of every generated resource	string	"lw-gke"	no
project_id	A project ID different from the default defined inside the provider	string	""	no
pubsub_subscription_labels	Set of labels which will be added to the subscription	map(string)	{}	no
pubsub_topic_labels	Set of labels which will be added to the topic	map(string)	{}	no
required_apis	n/a	map(any)	{ "iam": "iam.googleapis.com", "pubsub": "pubsub.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com", "serviceusage": "serviceusage.googleapis.com" }	no
service_account_name	The Service Account name (required when use_existing_service_account is set to true)	string	""	no
service_account_private_key	The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true)	string	""	no
use_existing_service_account	Set this to true to use an existing Service Account	bool	false	no
wait_time	Amount of time to wait before the next resource is provisioned.	string	"10s"	no

Outputs

Name	Description
pubsub_subscription_name	The PubSub subscription name
pubsub_topic_name	The PubSub topic name
service_account_name	The Service Account name
service_account_private_key	The private key in JSON format, base64 encoded
sink_name	The sink name