From 2f2658bb7568a949e9faf33d0ab688abdb732fe3 Mon Sep 17 00:00:00 2001 From: Salim Afiune Maya Date: Wed, 2 Sep 2020 21:33:11 +0200 Subject: [PATCH] docs: update azure documentation Signed-off-by: Salim Afiune Maya --- aws/README.md | 4 +-- azure/README.md | 74 +++++++++++++++++++++++++++++++++------------ gcp/README.md | 4 ++- scripts/ci_tests.sh | 6 ++++ 4 files changed, 65 insertions(+), 23 deletions(-) diff --git a/aws/README.md b/aws/README.md index 30db483..9177635 100644 --- a/aws/README.md +++ b/aws/README.md @@ -24,11 +24,11 @@ Before you begin the following must be configured on the workstation running Ter Typically, the [AWS CLI](https://aws.amazon.com/cli/) will have been previously installed and `aws configure` run and with `$AWS_PROFILE` set to the appropriate credential profile in `~/.aws/credentials` -Also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml` +Also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk/wiki/CLI-Documentation) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml` ## Usage -**IMPORTANT:** We use the `master` branch in source just as an example. In your code, *do NOT pin to master* because there may +**IMPORTANT:** We use the `master` branch in source just as an example. In your code, **do NOT pin to master** because there may be breaking changes between releases. Instead we recommend to pin to the release tag (e.g. `?ref=tags/v0.1.0`) of one of our [latest releases](https://github.com/lacework/terraform-provisioning/releases). diff --git a/azure/README.md b/azure/README.md index 6c67134..c9a2104 100644 --- a/azure/README.md +++ b/azure/README.md 
@@ -11,6 +11,8 @@ Trail analysis. - *Owner Role* at the Subscription level - [Lacework API Key](https://support.lacework.com/hc/en-us/articles/360011403853-Generate-API-Access-Keys-and-Tokens) +Also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk/wiki/CLI-Documentation) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml` + ## Login via the Azure CLI In order to integrate Lacework with Azure you will need to login to your Azure console via the Azure CLI by running the command: 
@@ -18,26 +20,58 @@ the Azure CLI by running the command: $ az login ``` -### Run Terraform -1. Clone this repository: https://github.com/lacework/terraform-provisioning -2. Change directories into `terraform-provisioning/azure` -3. Create a new file called `terraform.tfvars` with the following content: +## Usage -``` -prefix = "" -identifier_uris = [ - "https://.lacework.net" -] -lacework_account = "" -lacework_api_key = "" -lacework_api_secret = "" -``` -or use environment variables to avoid hardcoding API keys and secrets. +**IMPORTANT:** We use the `master` branch in source just as an example. In your code, **do NOT pin to master** because there may +be breaking changes between releases. Instead we recommend to pin to the release tag (e.g. `?ref=tags/v0.1.0`) of one of +our [latest releases](https://github.com/lacework/terraform-provisioning/releases). + +### Enable New Azure Compliance and Activity Log Integrations +```hcl +provider "azuread" {} + +provider "azurerm" { + features {} +} + +provider "lacework" {} + +module "az_config" { + source = "git::https://github.com/lacework/terraform-provisioning.git//azure/modules/config?ref=master" +} + +module "az_activity_log" { + source = "git::https://github.com/lacework/terraform-provisioning.git//azure/modules/activity_log?ref=master" + + use_existing_ad_application = true + application_id = module.az_config.application_id + application_password = module.az_config.application_password + service_principal_id = module.az_config.service_principal_id +} ``` -export TF_VAR_lacework_api_key= -export TF_VAR_lacework_api_secret= -``` - -5. Run `terraform init` -6. 
Run `terraform apply` + +## Inputs + +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| application_name | The name of the Azure Active Directory Applicaiton | `string` | lacework_security_audit | no | +| application_identifier_uris | A list of user-defined URI(s) for the Lacework AD Application | `list(string)` | ["https://securityaudit.lacework.net"] | no | +| key_vault_ids | A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | [] | no | +| tenant_id | A Tenant ID different from the default defined inside the provider | `string` | "" | no | +| password_length | The length of the Lacework AD Application password | `number` | 30 | no | +| use_existing_ad_application | Set this to true to use an existing Active Directory Application | `bool` | false | no | +| application_id | The Active Directory Application id to use (required when use_existing_ad_application is set to true) | `string` | "" | no | +| application_password | The Active Directory Application password to use (required when use_existing_ad_application is set to true) | `string` | "" | no | +| service_principal_id | The Service Principal id to use (required when use_existing_ad_application is set to true) | `string` | "" | no | +| prefix | The prefix that will be use at the beginning of every generated resource | `string` | l4c3w0rk | no | +| lacework_integration_name | The name of the integration in Lacework. This input is available in both the config, and the activity_log module | `string` | TF config | no | +| wait_time | Define a custom delay between cloud resource provision and Lacework external integration to avoid errors while things settle down. Use `10s` for 10 seconds, `5m` for 5 minutes. 
| `string` | `10s` | no | + +## Outputs + +| Name | Description | +|------|-------------| +| application_id | The Lacework AD Application id | +| application_password | The Lacework AD Application password | +| service_principal_id | The Lacework Service Principal id | diff --git a/gcp/README.md b/gcp/README.md index 7607528..b56743e 100644 --- a/gcp/README.md +++ b/gcp/README.md @@ -9,6 +9,8 @@ Before using these modules you must meet the following requirements: - [GCP Service Account](https://cloud.google.com/iam/docs/service-accounts) - [Lacework API Key](https://support.lacework.com/hc/en-us/articles/360011403853-Generate-API-Access-Keys-and-Tokens) +Also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk/wiki/CLI-Documentation) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml` + ## GCP Organziation Level Integrations The following section covers how to integrate GCP configuration assessment and Audit Log for an entire Google Cloud Organization @@ -26,7 +28,7 @@ More information on how to download a GCP service account key can be found [here ### Usage -**IMPORTANT:** We use the `master` branch in source just as an example. In your code, *do NOT pin to master* because there may +**IMPORTANT:** We use the `master` branch in source just as an example. In your code, **do NOT pin to master** because there may be breaking changes between releases. Instead we recommend to pin to the release tag (e.g. `?ref=tags/v0.1.0`) of one of our [latest releases](https://github.com/lacework/terraform-provisioning/releases). diff --git a/scripts/ci_tests.sh b/scripts/ci_tests.sh index cbc5da5..4280fb9 100755 --- a/scripts/ci_tests.sh +++ b/scripts/ci_tests.sh @@ -17,6 +17,10 @@ MODULES=( gcp/modules/audit_log gcp/modules/config gcp/modules/service_account + azure/ + azure/modules/ad_application + azure/modules/config + azure/modules/activity_log ) TEST_CASES=( 
@@ -41,6 +45,8 @@ TEST_CASES=( #gcp/modules/audit_log/examples/existing-service-account-org-level-audit-log gcp/modules/audit_log/examples/organization-level-audit-log gcp/modules/audit_log/examples/project-level-audit-log + #azure/ + #azure/modules/ad_application/examples/default-config ) log() {
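Review bot: In the azure/README.md hunk at `@@ -11,6 +11,8 @@`, the added line "Also recommend that the Lacework CLI be installed and the `[default]` profile is associated with ..." is a sentence fragment copied from aws/README.md; suggest "We also recommend installing the Lacework CLI and associating the `[default]` profile with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml`". The same wording is added to gcp/README.md in the `@@ -9,6 +9,8 @@` hunk, and the unchanged context line there still carries the typo "GCP Organziation Level Integrations" (should be "Organization"), which is worth fixing in the same docs pass.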
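Review bot: In the azure/README.md hunk at `@@ -18,26 +20,58 @@`, the rewrite drops the only guidance on how credentials reach the `lacework` provider: the removed text told users to set `TF_VAR_lacework_api_key` / `TF_VAR_lacework_api_secret` "to avoid hardcoding API keys and secrets", but the new section only shows `provider "lacework" {}` with no mention of where `lacework_account`, `api_key` and `api_secret` come from (the `~/.lacework.toml` profile recommended above, or environment variables). Suggest adding one sentence under "Usage" stating that the empty provider block picks up the `[default]` profile from `~/.lacework.toml` and that secrets should be supplied via environment variables or that file rather than in `.tfvars`. Two further points in the same hunk: the example pins `?ref=master` in both `module` sources two lines after the bold "do NOT pin to master" warning (consistent with aws/ and gcp/, but still worth pointing at a release tag), and the Inputs table has "Applicaiton" (should be "Application") and "The prefix that will be use at the beginning" (should be "used"). Finally, the Outputs table exposes `application_password`; the README should note that this value is written to Terraform state and plan output, so the state backend needs to be treated as holding a credential.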
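Review bot: In the scripts/ci_tests.sh hunk at `@@ -17,6 +17,10 @@`, the new `MODULES` entry `azure/` carries a trailing slash while every other entry (`gcp/modules/config`, `azure/modules/config`, ...) does not; suggest `azure` for consistency, unless the loop that consumes `MODULES` relies on the slash.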
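Review bot: In the scripts/ci_tests.sh hunk at `@@ -41,6 +45,8 @@`, both new `TEST_CASES` entries (`#azure/` and `#azure/modules/ad_application/examples/default-config`) are added already commented out, with no comment saying why they are disabled or when they should be enabled; suggest a one-line `# TODO:` above them explaining what blocks running them (credentials in CI, missing example, etc.) so they are not silently forgotten, as appears to have happened with the commented-out gcp example just above.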