# terraform-aws-cloudtrail-controltower

A Terraform module that configures an integration between Lacework and AWS for CloudTrail analysis, for organizations using AWS Control Tower.

## Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.15.1 |
| aws | >= 3.0 |
| lacework | ~> 2.0 |
| random | >= 2.1 |
| time | ~> 0.6 |

## Providers

| Name | Version |
|------|---------|
| aws.audit | >= 3.0 |
| aws.log_archive | >= 3.0 |
| lacework | ~> 2.0 |
| random | >= 2.1 |
| time | ~> 0.6 |

## Modules

| Name | Source | Version |
|------|--------|---------|
| lacework_ct_iam_role | lacework/iam-role/aws | ~> 0.4 |

## Resources

| Name | Type |
|------|------|
| aws_iam_policy.cross_account_policy | resource |
| aws_iam_role_policy_attachment.lacework_cross_account_iam_role_policy | resource |
| aws_sns_topic_subscription.lacework_sns_topic_sub | resource |
| aws_sqs_queue.lacework_cloudtrail_sqs_queue | resource |
| aws_sqs_queue_policy.lacework_sqs_queue_policy | resource |
| lacework_integration_aws_ct.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| aws_iam_policy_document.cross_account_policy | data source |
| aws_iam_policy_document.kms_decrypt | data source |
| aws_iam_policy_document.read_logs | data source |
| aws_organizations_organization.main | data source |
| lacework_metric_module.lwmetrics | data source |

## Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| cross_account_policy_name | n/a | `string` | `""` | no |
| enable_log_file_validation | Specifies whether CloudTrail log file integrity validation is enabled | `bool` | `false` | no |
| external_id_length | Deprecated: will be removed in the next major release, v1.0.0 | `number` | `16` | no |
| iam_role_arn | The IAM role ARN; required when `use_existing_iam_role` is set to `true` | `string` | `""` | no |
| iam_role_external_id | The external ID configured inside the IAM role; required when `use_existing_iam_role` is set to `true` | `string` | `""` | no |
| iam_role_name | The IAM role name; must match `iam_role_arn` when `use_existing_iam_role` is set to `true` | `string` | `""` | no |
| kms_key_arn | The KMS key ARN, if Control Tower was deployed with a custom KMS key | `string` | `""` | no |
| lacework_aws_account_id | The Lacework AWS account to which the IAM role grants access | `string` | `"434813966438"` | no |
| lacework_integration_name | The name of the integration in Lacework | `string` | `"TF cloudtrail"` | no |
| org_account_mappings | Mapping of AWS accounts to Lacework accounts within a Lacework organization | `list(object({ default_lacework_account = string, mapping = list(object({ lacework_account = string, aws_accounts = list(string) })) }))` | `[]` | no |
| prefix | The prefix used at the beginning of every generated resource name | `string` | `"lacework-ct"` | no |
| s3_bucket_arn | The ARN of the S3 bucket for consolidated CloudTrail logging. Usually of the form `arn:aws:s3:::aws-controltower-logs-<log_archive_account_id>-<control_tower_region>` | `string` | n/a | yes |
| sns_topic_arn | The SNS topic ARN. Usually of the form `arn:aws:sns::<aws_audit_account_id>:aws-controltower-AllConfigNotifications` | `string` | n/a | yes |
| sqs_queue_name | The SQS queue name | `string` | `""` | no |
| tags | A map of tags to assign to created resources | `map(string)` | `{}` | no |
| use_existing_iam_role | Set to `true` to use an existing IAM role from the Log Archive AWS account | `bool` | `false` | no |
| wait_time | Amount of time to wait before the next resource is provisioned | `string` | `"10s"` | no |
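The following root module wires these inputs together. It is an added example, not code from the module's own README; the registry source path, region, credential profile names, account IDs, key ID and Lacework account names are assumptions and placeholders.

```hcl
# Added usage example, not the module's own README code. Assumes the module is
# published as lacework/cloudtrail-controltower/aws; every account ID, ARN,
# region and profile name below is a placeholder.
provider "lacework" {}

# Control Tower keeps the consolidated CloudTrail bucket in the Log Archive
# account and the AllConfigNotifications topic in the Audit account, so the
# module takes one aliased AWS provider for each.
provider "aws" {
  alias   = "log_archive"
  region  = "us-east-1"
  profile = "ct-log-archive" # placeholder credentials profile
}

provider "aws" {
  alias   = "audit"
  region  = "us-east-1"
  profile = "ct-audit" # placeholder credentials profile
}

module "lacework_ct" {
  source  = "lacework/cloudtrail-controltower/aws"
  version = "~> 0.1" # placeholder; pin to a released version

  providers = {
    aws.audit       = aws.audit
    aws.log_archive = aws.log_archive
  }

  # Required inputs, in the form the Inputs table describes (placeholder account IDs).
  s3_bucket_arn = "arn:aws:s3:::aws-controltower-logs-111111111111-us-east-1"
  sns_topic_arn = "arn:aws:sns:us-east-1:222222222222:aws-controltower-AllConfigNotifications"

  # Only needed when Control Tower was deployed with a customer-managed KMS key.
  kms_key_arn = "arn:aws:kms:us-east-1:111111111111:key/PLACEHOLDER-KEY-ID"

  enable_log_file_validation = true
  lacework_integration_name  = "ControlTower-CloudTrail"

  # Route member accounts to Lacework sub-accounts (placeholder names and IDs).
  org_account_mappings = [{
    default_lacework_account = "corp-main"
    mapping = [{
      lacework_account = "corp-prod"
      aws_accounts     = ["333333333333", "444444444444"]
    }]
  }]

  tags = { owner = "security", managed_by = "terraform" }
}
```

After `terraform apply`, `module.lacework_ct.lacework_integration_guid` holds the GUID of the created Lacework integration.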

## Outputs

| Name | Description |
|------|-------------|
| external_id | The external ID configured in the IAM role |
| iam_role_arn | The IAM role ARN |
| iam_role_name | The IAM role name |
| lacework_integration_guid | Lacework CloudTrail integration GUID |
| sns_arn | SNS topic ARN |
| sqs_arn | SQS queue ARN |
| sqs_name | SQS queue name |
| sqs_url | SQS queue URL |