A Terraform module that configures a Lacework integration for CloudTrail analysis in AWS organizations that use AWS Control Tower. It creates an SQS queue subscribed to the Control Tower SNS topic, a cross-account IAM role (with an external ID) in the log archive account that Lacework assumes to read the consolidated CloudTrail bucket, and the corresponding CloudTrail integration in Lacework.
## Requirements

Name | Version |
---|---|
terraform | >= 0.15.1 |
aws | >= 3.0 |
lacework | ~> 2.0 |
random | >= 2.1 |
time | ~> 0.6 |

## Providers

Name | Version |
---|---|
aws.audit | >= 3.0 |
aws.log_archive | >= 3.0 |
lacework | ~> 2.0 |
random | >= 2.1 |
time | ~> 0.6 |
## Modules

Name | Source | Version |
---|---|---|
lacework_ct_iam_role | lacework/iam-role/aws | ~> 0.4 |
## Resources

Name | Type |
---|---|
aws_iam_policy.cross_account_policy | resource |
aws_iam_role_policy_attachment.lacework_cross_account_iam_role_policy | resource |
aws_sns_topic_subscription.lacework_sns_topic_sub | resource |
aws_sqs_queue.lacework_cloudtrail_sqs_queue | resource |
aws_sqs_queue_policy.lacework_sqs_queue_policy | resource |
lacework_integration_aws_ct.default | resource |
random_id.uniq | resource |
time_sleep.wait_time | resource |
aws_iam_policy_document.cross_account_policy | data source |
aws_iam_policy_document.kms_decrypt | data source |
aws_iam_policy_document.read_logs | data source |
aws_organizations_organization.main | data source |
lacework_metric_module.lwmetrics | data source |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
cross_account_policy_name | n/a | string | "" | no |
enable_log_file_validation | Specifies whether CloudTrail log file integrity validation is enabled | bool | false | no |
external_id_length | Deprecated - Will be removed on our next major release v1.0.0 | number | 16 | no |
iam_role_arn | The IAM role ARN is required when setting use_existing_iam_role to true | string | "" | no |
iam_role_external_id | The external ID configured inside the IAM role is required when setting use_existing_iam_role to true | string | "" | no |
iam_role_name | The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to true | string | "" | no |
kms_key_arn | The KMS key ARN, if Control Tower was deployed with a custom KMS key | string | "" | no |
lacework_aws_account_id | The Lacework AWS account that the IAM role will grant access to | string | "434813966438" | no |
lacework_integration_name | The name of the integration in Lacework | string | "TF cloudtrail" | no |
org_account_mappings | Mapping of AWS accounts to Lacework accounts within a Lacework organization | list(object({ | [] | no |
prefix | The prefix that will be used at the beginning of every generated resource | string | "lacework-ct" | no |
s3_bucket_arn | The ARN of the S3 bucket for consolidated CloudTrail logging. Usually of the form: arn:aws:s3:::aws-controltower-logs-<log_archive_account_id>-<control_tower_region> | string | n/a | yes |
sns_topic_arn | The SNS topic ARN. Usually of the form: arn:aws:sns::<aws_audit_account_id>:aws-controltower-AllConfigNotifications | string | n/a | yes |
sqs_queue_name | The SQS queue name | string | "" | no |
tags | A map/dictionary of tags to be assigned to created resources | map(string) | {} | no |
use_existing_iam_role | Set this to true to use an existing IAM role from the log_archive AWS account | bool | false | no |
wait_time | Amount of time to wait before the next resource is provisioned | string | "10s" | no |
## Outputs

Name | Description |
---|---|
external_id | The External ID configured into the IAM role |
iam_role_arn | The IAM Role ARN |
iam_role_name | The IAM Role name |
lacework_integration_guid | Lacework CloudTrail Integration GUID |
sns_arn | SNS Topic ARN |
sqs_arn | SQS Queue ARN |
sqs_name | SQS Queue name |
sqs_url | SQS Queue URL |
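The tables above list two aliased AWS providers (`aws.audit` and `aws.log_archive`) and two required inputs, but not how they fit together. The following root module is an added usage example, not code from this module's own README: it wires the audit account provider (which owns the Control Tower SNS topic) and the log archive account provider (which owns the consolidated CloudTrail bucket and will host the cross-account IAM role) into the module and passes the two required ARNs. The registry source name `lacework/cloudtrail-controltower/aws`, the region, the account IDs and the `AWSControlTowerExecution` role ARNs are assumptions and placeholders; substitute your own.

```hcl
# Added usage example; not part of the module. All account IDs, the region and the
# assume-role ARNs are placeholders, and the module source name is an assumption.
terraform {
  required_version = ">= 0.15.1"
  required_providers {
    aws      = { source = "hashicorp/aws", version = ">= 3.0" }
    lacework = { source = "lacework/lacework", version = "~> 2.0" }
  }
}

# Lacework credentials come from the LW_ACCOUNT / LW_API_KEY / LW_API_SECRET
# environment variables or ~/.lacework.toml, so nothing secret lives in this file.
provider "lacework" {}

# Control Tower audit account (placeholder 111111111111): owns the
# aws-controltower-AllConfigNotifications SNS topic the module subscribes to.
provider "aws" {
  alias  = "audit"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/AWSControlTowerExecution" # placeholder
  }
}

# Control Tower log archive account (placeholder 222222222222): owns the consolidated
# CloudTrail bucket; the cross-account IAM role and SQS queue are created here.
provider "aws" {
  alias  = "log_archive"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/AWSControlTowerExecution" # placeholder
  }
}

module "lacework_cloudtrail_controltower" {
  source = "lacework/cloudtrail-controltower/aws" # assumed registry name; pin a version in practice

  providers = {
    aws.audit       = aws.audit
    aws.log_archive = aws.log_archive
  }

  # The two required inputs, in the form the Inputs table describes.
  s3_bucket_arn = "arn:aws:s3:::aws-controltower-logs-222222222222-us-east-1"
  sns_topic_arn = "arn:aws:sns:us-east-1:111111111111:aws-controltower-AllConfigNotifications"

  # Only needed when Control Tower was deployed with a customer-managed KMS key;
  # the module then adds a kms:Decrypt grant for that key to the read-logs policy.
  # kms_key_arn = "arn:aws:kms:us-east-1:222222222222:key/<key-id-placeholder>"

  enable_log_file_validation = true
  prefix                     = "lacework-ct"
  lacework_integration_name  = "ControlTower CloudTrail"
  tags                       = { owner = "security-engineering" }
}

# The integration GUID is handy for cross-referencing in the Lacework console.
output "lacework_ct_integration_guid" {
  value = module.lacework_cloudtrail_controltower.lacework_integration_guid
}

# The external ID is part of the trust condition on the cross-account role; treat it
# as sensitive so it is not echoed in plan/apply output or CI logs.
output "lacework_ct_role_external_id" {
  value     = module.lacework_cloudtrail_controltower.external_id
  sensitive = true
}
```

Two points worth checking after `terraform apply`: the trust policy on the created role should name only the `lacework_aws_account_id` principal and carry the `sts:ExternalId` condition (the `external_id` output), and the attached policies should be limited to reading the CloudTrail bucket, consuming the SQS queue, and, when `kms_key_arn` is set, decrypting with that one key. If the log archive account already has a suitable role, set `use_existing_iam_role = true` and supply `iam_role_arn`, `iam_role_name` and `iam_role_external_id` instead of letting the module create one.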