terraform-gcp-audit-log

Terraform module for configuring an integration with Google Cloud Platform Organizations and Projects for Audit Logs analysis.

โš ๏ธ - NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied. This means when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and this will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed.

e.g. terraform state rm 'google_project_iam_binding.for_lacework_service_account'

Required Roles

roles/storage.objectViewer

Required APIs

iam.googleapis.com
pubsub.googleapis.com
serviceusage.googleapis.com
cloudresourcemanager.googleapis.com

Requirements

| Name | Version |
|------|---------|
| terraform | >= 0.15.1 |
| google | >= 4.4.0, < 5.0.0 |
| lacework | ~> 0.2 |
| time | ~> 0.6 |

Providers

| Name | Version |
|------|---------|
| google | >= 4.4.0, < 5.0.0 |
| lacework | ~> 0.2 |
| random | n/a |
| time | ~> 0.6 |

Modules

| Name | Source | Version |
|------|--------|---------|
| lacework_at_svc_account | lacework/service-account/gcp | ~> 1.0 |

Resources

| Name | Type |
|------|------|
| google_logging_folder_sink.lacework_folder_sink | resource |
| google_logging_organization_sink.lacework_organization_sink | resource |
| google_logging_project_sink.lacework_project_sink | resource |
| google_logging_project_sink.lacework_root_project_sink | resource |
| google_organization_iam_member.for_lacework_service_account | resource |
| google_project_iam_member.for_lacework_service_account | resource |
| google_project_service.required_apis | resource |
| google_pubsub_subscription.lacework_subscription | resource |
| google_pubsub_subscription_iam_binding.lacework | resource |
| google_pubsub_topic.lacework_topic | resource |
| google_pubsub_topic_iam_binding.topic_publisher | resource |
| google_storage_bucket.lacework_bucket | resource |
| google_storage_bucket_iam_binding.policies | resource |
| google_storage_notification.lacework_notification | resource |
| lacework_integration_gcp_at.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| google_folders.my-org-folders | data source |
| google_project.selected | data source |
| google_projects.my-org-projects | data source |
| google_storage_project_service_account.lw | data source |

Inputs

| Name | Description | Type | Default | Required |
|------|-------------|------|---------|----------|
| bucket_force_destroy | n/a | bool | false | no |
| bucket_labels | Set of labels which will be added to the audit log bucket | map(string) | {} | no |
| bucket_region | The region where the new bucket will be created. Valid values for multi-regions are EU, US or ASIA; alternatively set a single region, or a dual-region following the naming convention in the GCP bucket locations documentation (https://cloud.google.com/storage/docs/locations#available-locations) | string | "US" | no |
| custom_bucket_name | Override prefix-based storage bucket name generation with a custom name | string | null | no |
| custom_filter | Customer-defined Audit Log filter which will supersede all other filter options when defined | string | "" | no |
| enable_ubla | Boolean for enabling Uniform Bucket Level Access on the audit log bucket. Default is true | bool | true | no |
| existing_bucket_name | The name of an existing bucket you want to send the logs to | string | "" | no |
| existing_sink_name | The name of an existing sink to be re-used for this integration | string | "" | no |
| folders_to_exclude | List of root folders to exclude in an organization-level integration. Format is 'folders/1234567890' | list(string) | [] | no |
| folders_to_include | List of root folders to include in an organization-level integration. Format is 'folders/1234567890' | set(string) | [] | no |
| google_workspace_filter | Filter out Google Workspace login logs from GCP Audit Log sinks. Default is true | bool | true | no |
| include_root_projects | Enables logic to include root-level projects if excluding folders. Default is true | bool | true | no |
| k8s_filter | Filter out GKE logs from GCP Audit Log sinks. Default is true | bool | true | no |
| labels | Set of labels which will be added to the resources managed by the module | map(string) | {} | no |
| lacework_integration_name | n/a | string | "TF audit_log" | no |
| lifecycle_rule_age | Number of days to keep audit logs in the Lacework GCS bucket before deleting. Leave default to keep indefinitely | number | -1 | no |
| org_integration | If set to true, configure an organization-level integration | bool | false | no |
| organization_id | The organization ID, required if org_integration is set to true | string | "" | no |
| prefix | The prefix that will be used at the beginning of every generated resource | string | "lw-at" | no |
| project_id | A project ID different from the default defined inside the provider | string | "" | no |
| pubsub_subscription_labels | Set of labels which will be added to the subscription | map(string) | {} | no |
| pubsub_topic_labels | Set of labels which will be added to the topic | map(string) | {} | no |
| required_apis | n/a | map(any) | {"iam": "iam.googleapis.com", "pubsub": "pubsub.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com", "serviceusage": "serviceusage.googleapis.com"} | no |
| service_account_name | The Service Account name (required when use_existing_service_account is set to true) | string | "" | no |
| service_account_private_key | The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true) | string | "" | no |
| use_existing_service_account | Set this to true to use an existing Service Account | bool | false | no |
| wait_time | Amount of time to wait before the next resource is provisioned | string | "10s" | no |

Outputs

| Name | Description |
|------|-------------|
| bucket_name | The storage bucket name |
| pubsub_topic_name | The PubSub topic name |
| service_account_name | The Service Account name |
| service_account_private_key | The private key in JSON format, base64 encoded |
| sink_name | The sink name |
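The inputs and outputs above combine into an organization-level integration as follows. This is an added example, not configuration from the module's README: the module source is the upstream repository named on this page, and the module label, project name, organization ID, folder ID and label values are placeholders.

```hcl
terraform {
  required_version = ">= 0.15.1"
  required_providers {
    # Version constraints taken from the module's Requirements table.
    google   = { source = "hashicorp/google", version = ">= 4.4.0, < 5.0.0" }
    lacework = { source = "lacework/lacework", version = "~> 0.2" }
  }
}

provider "google" {
  project = "lw-audit-collector" # placeholder: project that hosts the bucket, topic and subscription
}

provider "lacework" {} # credentials come from the Lacework CLI profile or environment (not shown)

module "gcp_org_audit_log" {
  source = "github.com/lacework/terraform-gcp-audit-log" # upstream repo; pin a ref before use

  # Organization-level integration: one sink at the org covers every project.
  org_integration = true
  organization_id = "123456789012" # placeholder organization ID

  # Skip a sandbox folder, but still collect projects that sit directly under the org.
  folders_to_exclude    = ["folders/1000000000001"] # placeholder folder ID
  include_root_projects = true

  # Noise reduction: drop GKE and Google Workspace login entries from the sink filter.
  k8s_filter              = true
  google_workspace_filter = true

  # Bucket hardening and retention: uniform bucket-level access, keep one year of
  # logs, and refuse to destroy a bucket that still holds objects.
  bucket_region        = "US"
  enable_ubla          = true
  lifecycle_rule_age   = 365
  bucket_force_destroy = false

  prefix = "lw-at"
  labels = {
    owner   = "secops"     # placeholder label values
    purpose = "audit-log"
  }
}

# Surface the sink destination for downstream review or alerting configuration.
output "audit_log_bucket" { value = module.gcp_org_audit_log.bucket_name }
output "audit_log_sink"   { value = module.gcp_org_audit_log.sink_name }
```

When use_existing_service_account is set to true, the address to remove from state before destroy carries the module prefix, for example module.gcp_org_audit_log.google_organization_iam_member.for_lacework_service_account for an organization-level integration (resource names as listed in the Resources table).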
