Skip to content

Terraform module for configuring an integration with Lacework and AWS for CloudTrail analysis in AWS organizations that use Control Tower

License

Notifications You must be signed in to change notification settings

lacework/terraform-aws-cloudtrail-controltower

Repository files navigation

terraform-aws-cloudtrail-controltower

GitHub release Codefresh build status

A Terraform Module for configuring an integration with Lacework and AWS for CloudTrail analysis for organizations using AWS Control Tower.

Requirements

Name Version
terraform >= 0.15.1
aws >= 3.0
lacework ~> 2.0
random >= 2.1
time ~> 0.6

Providers

Name Version
aws.audit >= 3.0
aws.log_archive >= 3.0
lacework ~> 2.0
random >= 2.1
time ~> 0.6

Modules

Name Source Version
lacework_ct_iam_role lacework/iam-role/aws ~> 0.4

Resources

Name Type
aws_iam_policy.cross_account_policy resource
aws_iam_role_policy_attachment.lacework_cross_account_iam_role_policy resource
aws_sns_topic_subscription.lacework_sns_topic_sub resource
aws_sqs_queue.lacework_cloudtrail_sqs_queue resource
aws_sqs_queue_policy.lacework_sqs_queue_policy resource
lacework_integration_aws_ct.default resource
random_id.uniq resource
time_sleep.wait_time resource
aws_iam_policy_document.cross_account_policy data source
aws_iam_policy_document.kms_decrypt data source
aws_iam_policy_document.read_logs data source
aws_organizations_organization.main data source
lacework_metric_module.lwmetrics data source

Inputs

Name Description Type Default Required
cross_account_policy_name n/a string "" no
enable_log_file_validation Specifies whether cloudtrail log file integrity validation is enabled bool false no
external_id_length Deprecated - Will be removed on our next major release v1.0.0 number 16 no
iam_role_arn The IAM role ARN is required when setting use_existing_iam_role to true string "" no
iam_role_external_id The external ID configured inside the IAM role is required when setting use_existing_iam_role to true string "" no
iam_role_name The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to true string "" no
kms_key_arn The KMS key arn, if Control Tower was deployed with custom KMS key string "" no
lacework_aws_account_id The Lacework AWS account that the IAM role will grant access string "434813966438" no
lacework_integration_name The name of the integration in Lacework. string "TF cloudtrail" no
org_account_mappings Mapping of AWS accounts to Lacework accounts within a Lacework organization
list(object({
default_lacework_account = string
mapping = list(object({
lacework_account = string
aws_accounts = list(string)
}))
}))
[] no
prefix The prefix that will be use at the beginning of every generated resource string "lacework-ct" no
s3_bucket_arn The ARN for the S3 bucket for consolidated CloudTrail logging. Usually in the form like: arn:aws:s3:::aws-controltower-logs-<log_archive_account_id>-<control_tower_region> string n/a yes
sns_topic_arn The SNS topic ARN. Usually in the form of: arn:aws:sns::<aws_audit_account_id>:aws-controltower-AllConfigNotifications string n/a yes
sqs_queue_name The SQS queue name string "" no
tags A map/dictionary of Tags to be assigned to created resources map(string) {} no
use_existing_iam_role Set this to true to use an existing IAM role from the log_archive AWS Account bool false no
wait_time Amount of time to wait before the next resource is provisioned. string "10s" no

Outputs

Name Description
external_id The External ID configured into the IAM role
iam_role_arn The IAM Role ARN
iam_role_name The IAM Role name
lacework_integration_guid Lacework CloudTrail Integration GUID
sns_arn SNS Topic ARN
sqs_arn SQS Queue ARN
sqs_name SQS Queue name
sqs_url SQS Queue URL

About

Terraform module for configuring an integration with Lacework and AWS for CloudTrail analysis in AWS organizations that use Control Tower

Resources

License

Stars

Watchers

Forks

Packages

No packages published