diff --git a/.circleci/config.yml b/.circleci/config.yml deleted file mode 100644 index 4fe5f36..0000000 --- a/.circleci/config.yml +++ /dev/null @@ -1,89 +0,0 @@ -version: 2.1 - -parameters: - slack-mentions: - type: string - default: 'afiune,scottford' - -orbs: - slack: circleci/slack@3.4.2 - jq: circleci/jq@2.1.0 - -executors: - terraform: - docker: - - image: techallylw/terraform:latest - alpine: - docker: - - image: cibuilds/base:latest - resource_class: small - -jobs: - terraform-test: - executor: terraform - steps: - - checkout - - run: scripts/ci_tests.sh - verify-release: - executor: alpine - steps: - - checkout - - run: scripts/release.sh verify - trigger-release: - executor: alpine - steps: - - checkout - - add_ssh_keys: - fingerprints: - - "d2:f4:31:07:9c:f4:07:8c:20:c2:a1:1a:0e:c8:6a:42" - - run: scripts/release.sh trigger - release: - executor: alpine - steps: - - checkout - - jq/install - - slack/notify: - mentions: << pipeline.parameters.slack-mentions >> - message: Releasing a new version of the terraform-provisioning repository - - run: scripts/release.sh publish - - slack/status: - fail_only: false - mentions: << pipeline.parameters.slack-mentions >> - -workflows: - version: 2 - build_test_trigger-release: - jobs: - - terraform-test - - trigger-release: - requires: - - terraform-test - filters: - branches: - only: master - - verify-release: - jobs: - - verify-release: - filters: - branches: - only: release - - release-from-tag: - jobs: - - release: - filters: - tags: - only: /^v.*/ - branches: - ignore: /.*/ - - nightly: - triggers: - - schedule: - cron: "0 12 * * *" - filters: - branches: - only: master - jobs: - - terraform-test diff --git a/CHANGELOG.md b/CHANGELOG.md index eb3560d..1f4c6c9 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md 
@@ -1,3 +1,8 @@ +# DEPRECATION + +This project has been deprecated. All modules developed in this repository have been migrated to separate github repositories, and are being published directly to the [Terraform Registry](https://registry.terraform.io/search/modules?q=lacework). This migration provides support for Terraform `0.13` and allows Lacework to release new features and fixes much faster! + +--- # v0.2.1 ## Features diff --git a/Makefile b/Makefile deleted file mode 100644 index d08f4a1..0000000 --- a/Makefile +++ /dev/null @@ -1,13 +0,0 @@ -default: ci - -# TODO @afiune add more prerequisites and checks like having terraform installed -AWS_REGION?=us-west-2 -export AWS_REGION -GOOGLE_PROJECT?=customerdemo1 -export GOOGLE_PROJECT - -ci: - scripts/ci_tests.sh - -release: ci - scripts/release.sh prepare diff --git a/README.md b/README.md index ad146d5..8e6b500 100644 --- a/README.md +++ b/README.md 
@@ -2,12 +2,9 @@ # DEPRECATED - Lacework Provisioning with Terraform -[![GitHub release](https://img.shields.io/github/release/lacework/terraform-provisioning.svg)](https://github.com/lacework/terraform-provisioning/releases/) -[![CircleCI status](https://circleci.com/gh/lacework/terraform-provisioning.svg?style=shield)](https://circleci.com/gh/lacework/terraform-provisioning) +## **WARNING - THIS PROJECT HAS BEEN DEPRECATED** -## **WARNING - THIS PROJECT IS BEING DEPRECATED** - -This project is being deprecated. All modules developed in this repository have been migrated to separate github repositories, and are being published directly to the [Terraform Registry](https://registry.terraform.io/search/modules?q=lacework). This migration provides support for Terraform `0.13` and allows Lacework to release new features and fixes much faster! +This project has been deprecated. All modules developed in this repository have been migrated to separate github repositories, and are being published directly to the [Terraform Registry](https://registry.terraform.io/search/modules?q=lacework). This migration provides support for Terraform `0.13` and allows Lacework to release new features and fixes much faster! ### New Project Locations * **AWS Modules** @@ -28,8 +25,6 @@ This project is being deprecated. All modules developed in this repository have For documentation on using Lacework Terraform modules, see the new Terraform documentation on [support.lacework.com](https://support.lacework.com/hc/en-us/search?utf8=%E2%9C%93&query=terraform) - - ## License and Copyright Copyright 2020, Lacework Inc. ``` diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 0b8c332..207bbd8 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md 
@@ -1,5 +1,2 @@
 # Release Notes
-Another day, another release. These are the release notes for the version `v0.2.1`.
-
-## Features
-* feat(azure): configure flexible subscription ids (#74) (Salim Afiune)([4b3e99b](https://github.com/lacework/terraform-provisioning/commit/4b3e99b2e7ddacafcf8b796698b8378e797056c4))
+Another day, another deprecation. These are the last release notes.
diff --git a/VERSION b/VERSION
deleted file mode 100644
index a0d4970..0000000
--- a/VERSION
+++ /dev/null
@@ -1 +0,0 @@
-0.2.2-dev
\ No newline at end of file
diff --git a/aws/README.md b/aws/README.md
deleted file mode 100644
index 3cc1a95..0000000
--- a/aws/README.md
+++ /dev/null
@@ -1,187 +0,0 @@ -# Lacework Terraform Provisioning for AWS -Terraform modules that create AWS resources required to integrate AWS accounts with the Lacework Cloud Security Platform. - -## AWS Config and CloudTrail Integration Overview -In order for Lacework to monitor AWS configuration and CloudTrail activity, the following must be configured for each AWS account: - -#### Required Resources -- **Cross Account IAM Role** - Delegate access to Lacework to monitor resource configurations within customer's AWS account. This role is used for both the Config and CloudTrail Integrations - - `SecurityAudit` Policy - AWS managed policy used to allow Lacework to assess configuration metadata. Policy is applied for configuration assessment only. - - Custom IAM Policy - Delegate access to Lacework to monitor CloudTrail Activity. Policy is attached to the IAM role when CloudTrail is configured. -- **CloudTrail** - Create a new CloudTrail Trail or use an existing Trail - - **S3 Bucket** - Used to store CloudTrail logs. Create a new S3 bucket, or use an existing bucket - - **SNS Topic** - Used to send notifications when CloudTrail publishes new log files to the configured S3 bucket. Use an existing or create a new SNS topic. 
- - **SQS Queue** - SQS queue subscribed to CloudTrail SNS topic used by Lacework to ingest CloudTrail logs -- **Lacework AWS CFG Integration** - Configures AWS CFG integration between Lacework and customer AWS account -- **Lacework AWS CT Integration** - Configures AWS CT integration between Lacework and customer AWS account - -## Requirements -Before you begin the following must be configured on the workstation running Terraform - -- [Terraform](terraform.io/downloads.html) `v0.12.x` -- [AWS API Access Key, Secret Access Key](https://aws.amazon.com/premiumsupport/knowledge-center/create-access-key/) -- [Lacework API Key](https://support.lacework.com/hc/en-us/articles/360011403853-Generate-API-Access-Keys-and-Tokens) - -Typically, the [AWS CLI](https://aws.amazon.com/cli/) will have been previously installed and `aws configure` run and with `$AWS_PROFILE` set to the appropriate credential profile in `~/.aws/credentials` - -Also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk/wiki/CLI-Documentation) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml` - -## Usage - -**IMPORTANT:** We use the `master` branch in source just as an example. In your code, **do NOT pin to master** because there may -be breaking changes between releases. Instead we recommend to pin to the release tag (e.g. `?ref=tags/v0.1.0`) of one of -our [latest releases](https://github.com/lacework/terraform-provisioning/releases). 
- -### Enable New CloudTrail Configuration -This example creates a new CloudTrail Trail, an IAM Role for Lacework, and then configures both integrations with Lacework - -```hcl -provider "aws" {} - -provider "lacework" {} - -module "aws_config" { - source = "git::https://github.com/lacework/terraform-provisioning.git//aws/modules/config?ref=master" -} - -module "aws_cloudtrail" { - source = "git::https://github.com/lacework/terraform-provisioning.git//aws/modules/cloudtrail?ref=master" - bucket_force_destroy = true - use_existing_iam_role = true - iam_role_name = module.aws_config.iam_role_name - iam_role_arn = module.aws_config.iam_role_arn - iam_role_external_id = module.aws_config.external_id -} -``` - -### Integrate Existing CloudTrail Without SNS Delivery with Lacework -This example uses an existing CloudTrail Trail and S3 bucket passed as inputs to the module. The example creates the SNS topic, SQS queue, and IAM Role for Lacework, and then configures both integrations with Lacework. 
-```hcl -provider "aws" {} - -provider "lacework" {} - -module "aws_config" { - source = "git::https://github.com/lacework/terraform-provisioning.git//aws/modules/config?ref=master" -} - -module "aws_cloudtrail" { - source = "git::https://github.com/lacework/terraform-provisioning.git//aws/modules/cloudtrail?ref=master" - - use_existing_cloudtrail = true - bucket_arn = "arn:aws:s3:::lacework-ct-bucket-8805c0bf" - bucket_name = "lacework-ct-bucket-8805c0bf" - - use_existing_iam_role = true - iam_role_name = module.aws_config.iam_role_name - iam_role_arn = module.aws_config.iam_role_arn - iam_role_external_id = module.aws_config.external_id -} -``` - -**NOTE: This example does not modify your CloudTrail, therefore, you have to enable SNS delivery notifications manually and point to the generated SNS topic.** - -![](img/cloudtrail_enable_sns_delivery_notifications.gif) - -### Integrate Existing CloudTrail With SNS Delivery Enabled with Lacework -This example uses an existing CloudTrail, S3 bucket, and SNS topic passed as inputs to the module. The example creates the SQS queue and IAM Role for Lacework, and then configures both integrations with Lacework. 
-```hcl -provider "aws" {} - -provider "lacework" {} - -module "aws_config" { - source = "git::https://github.com/lacework/terraform-provisioning.git//aws/modules/config?ref=master" -} - -module "aws_cloudtrail" { - source = "git::https://github.com/lacework/terraform-provisioning.git//aws/modules/cloudtrail?ref=master" - - use_existing_cloudtrail = true - bucket_arn = "arn:aws:s3:::lacework-ct-bucket-8805c0bf" - bucket_name = "lacework-ct-bucket-8805c0bf" - sns_topic_name = "lacework-ct-sns-8805c0bf" - - use_existing_iam_role = true - iam_role_name = module.aws_config.iam_role_name - iam_role_arn = module.aws_config.iam_role_arn - iam_role_external_id = module.aws_config.external_id -} -``` - -**NOTE: This example assumes that your CloudTrail is already sending delivery notifications to the provided SNS topic.** - -### Enable New Consolidated CloudTrail Configuration -This example enables a new Consolidated CloudTrail and IAM Role for Lacework, then configures both integrations with Lacework. -Finally, it configures a new CloudTrail Trail in an AWS sub-account that points to the main CloudTrail. 
- -```hcl -provider "lacework" { - alias = "main" -} - -provider "aws" { - alias = "main" -} - -module "main_cloudtrail" { - source = "git::https://github.com/lacework/terraform-provisioning.git//aws/modules/cloudtrail?ref=master" - providers = { - aws = aws.main - lacework = lacework.main - } - consolidated_trail = true -} - -provider "aws" { - alias = "sub_account" -} - -resource "aws_cloudtrail" "lw_sub_account_cloudtrail" { - provider = aws.sub_account - name = "lacework-sub-trail" - is_multi_region_trail = true - s3_bucket_name = module.main_cloudtrail.bucket_name - sns_topic_name = module.main_cloudtrail.sns_arn -} -``` - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| bucket_force_destroy | Force destroy bucket (Required when bucket not empty) | `bool` | false | no | -| bucket_name | Name of S3 bucket. Required when setting `use_existing_cloudtrail` to true | `string` | "" | no | -| bucket_arn | The S3 bucket ARN is required only when setting `use_existing_cloudtrail` to true | `string` | "" | no | -| bucket_enable_encryption | Set this to `true` to enable encryption on a created S3 bucket | `bool` | false | no | -| bucket_enable_logs | Set this to `true` to enable access logging on a created S3 bucket | `bool` | false | no | -| bucket_enable_versioning | Set this to `true` to enable access logging on a created S3 bucket | `bool` | false | no | -| bucket_sse_algorithm | Name of the server-side encryption algorithm to use ("AES256" or "aws:kms") | `string` | AES256 | no | -| bucket_sse_key_arn | The ARN of the KMS encryption key to be used (Required when using "aws:kms") | `string` | "" | no | -| cloudtrail_name | Name of existing cloudtrail | `string` | "lacework-cloudtrail" | no | -| external_id_length | Length of External ID (max 1224) | `number` | 16 | no | -| iam_role_external_id | External ID for IAM Role | `string` | "" | no | -| iam_role_name | The IAM role name | `string` | 
"lacework_iam_role" | no | -| lacework_account_id | The Lacework AWS account that the IAM role will grant access | `string` | 434813966438 | no | -| lacework_integration_name | The name of the integration in Lacework. This input is available in both the config, and the cloudtrail module | `string` | TF config | no | -| log_bucket_name | Name of the S3 bucket for access logs | `string` | "" | no | -| prefix | The prefix that will be use at the beginning of every generated resource | `string` | lacework-ct | no | -| sns_topic_name | SNS topic name. Can be used when generating a new resource or when using an existing resource. | `string` | "" | no | -| sqs_queue_name | SQS queue name. Can be used when generating a new resource or when using an existing resource. | `string` | "" | no | -| sqs_queues | List of SQS queues to configure in the Lacework cross-account policy. | `list(string)` | `[]` | no | -| consolidated_trail | Set this to `true` to configure a consolidated cloudtrail. | `bool` | `false` | no | -| use_existing_cloudtrail | Set this to `true` to use an existing cloudtrail. When set to `true` you must provide both the `bucket_name` and `sns_topic_name` | `bool` | `false` | no | -| use_existing_iam_role | Set this to `true` to use an existing IAM role. When set to `true` you must provide both the `iam_role_name` and `iam_role_external_id` | `bool` | `false` | no | -| wait_time | Define a custom delay between cloud resource provision and Lacework external integration to avoid errors while things settle down. Use `10s` for 10 seconds, `5m` for 5 minutes. | `string` | `10s` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| external_id | Dynamically generated External ID configured into the IAM role | -| iam_role_name | IAM Role name generated | -| iam_role_arn | IAM Role ARN | -| bucket_name | S3 Bucket name | -| sqs_name | SQS Queue name | -| sqs_arn | SQS Queue ARN | -| sns_arn | SNS Topic ARN | 
diff --git a/aws/main.tf b/aws/main.tf
deleted file mode 100644
index d7bbca4..0000000
--- a/aws/main.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-provider "aws" {}
-
-provider "lacework" {}
-
-module "aws_config" {
- source = "lacework/config/aws"
- version = "~> 0.1.3"
-}
-
-module "aws_cloudtrail" {
- source = "lacework/cloudtrail/aws"
- version = "~> 0.1.3"
-
- bucket_force_destroy = true
- use_existing_iam_role = true
- iam_role_name = module.aws_config.iam_role_name
- iam_role_arn = module.aws_config.iam_role_arn
- iam_role_external_id = module.aws_config.external_id
-}
diff --git a/azure/AZURE_CLOUD_SHELL.md b/azure/AZURE_CLOUD_SHELL.md
deleted file mode 100644
index 6e295f4..0000000
--- a/azure/AZURE_CLOUD_SHELL.md
+++ /dev/null
@@ -1,132 +0,0 @@ -# Azure Cloud Shell -The Azure Cloud Shell is an embedded terminal/command-line interface that can be used within the Azure -Portal. This shell automatically authenticates you with Azure AD and comes with tools like the Azure -CLI and Terraform pre-installed to manage and automate your Azure environment. - -These instructions will show you how to get up-and-running with Lacework, Terraform and the Azure Cloud Shell. -The only requirement we need is that your [Azure User](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory) has -the following permissions: -- **Global Administrator** privileges in Active Directory -- **Owner Role** at the Subscription level - -## Open Azure Cloud Shell within Azure Portal -To open the Azure Cloud Shell, you simply click on the Cloud Shell icon in the header bar of the Azure Portal, -and it will open the Cloud Shell in a pane at the bottom of the browser. Cloud Shell defaults to PowerShell, -but you can also switch to a Bash prompt if you prefer. - -![Open Azure Cloud Shell](https://techally-artifacts.s3-us-west-2.amazonaws.com/github-terraform-provisioning-imgs/azure-cloud-shell-open.png) - -## Prepare your Cloud Shell - -Regardless of the prompt you choose to use, Powershell or Bash, we will need to run the `shell_startup.sh` -script to install all the neccessary tools and configure some environment variables required by Terraform. - -**NOTE:** Weather you are in Powershell or Bash you can run these commands. - -``` -PS /home/salim> curl https://raw.githubusercontent.com/lacework/terraform-provisioning/master/azure/shell_startup.sh | bash -``` - -When the script completes you need to type `exit` followed by enter to exit your shell. After a few seconds you will -be prompted to reconnect to your shell. Once reconnected, the Lacework CLI will be ready for use. 
- -## Configure the Lacework CLI - -Proceed to configure the Lacework CLI by using the command `lacework configure`. You will need three things: -* `account`: Account subdomain of URL (i.e. `.lacework.net`) -* `api_key`: API Access Key -* `api_secret`: API Access Secret - ->To create a set of API keys, log in to your Lacework account via WebUI and navigate to Settings > API Keys and ->click + Create New. Enter a name for the key and an optional description, then click Save. To get the secret key, ->download the generated API key file. - -The Azure Cloud Shell allows you to drag-and-drop the generated `KEY.json` to upload it automatically. - -![Download-Drag-and-Drop Lacework API key](https://techally-artifacts.s3-us-west-2.amazonaws.com/github-terraform-provisioning-imgs/azure-cloud-shell-drag-drop-api-key.gif) - -Finally, run the command: -``` -$ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715.json -▸ Account: customerdemo -▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715 -▸ Secret Access Key: (*****************************26a0) - -You are all set! -``` - -For more information about the Lacework CLI, see https://github.com/lacework/go-sdk/wiki/CLI-Documentation. - -## Enable Azure Compliance and Activity Log Integrations -Cloud Shell also has a built-in file editor that will give you a more graphically appealing experience for -editing files, use the following command to create a Terraform template named `main.tf`. -``` -$ code main.tf -``` - -Inside this file add the following code snippet that will configure both, Azure Compliance and Activity Log -Integrations. The code leverages our Terraform modules to create resources in you Azure Portal as well as -connecting such resources to you Lacework account. To customize these modules look at the [following input -parameters](https://github.com/lacework/terraform-provisioning/tree/master/azure#inputs). 
- -```hcl -terraform { - required_providers { - azuread = { - source = "hashicorp/azuread" - } - azurerm = { - source = "hashicorp/azurerm" - version = "2.26" - } - lacework = { - source = "lacework/lacework" - } - } -} - -provider "azurerm" { - features {} -} - -module "az_config" { - source = "lacework/config/azure" - version = "0.1.0" -} - -module "az_activity_log" { - source = "lacework/activity-log/azure" - version = "0.1.0" - - use_existing_ad_application = true - application_id = module.az_config.application_id - application_password = module.az_config.application_password - service_principal_id = module.az_config.service_principal_id -} -``` - -__NOTE: Don't forget to save the file with `Ctrl + S` on Windows or `Cmd + S` on MacOS__ - -### Run the Automation. Run Terraform! - -Run the command `terraform init` to download the necessary plugins and modules required to run this automation. -``` -$ terraform init -``` - -Then, run `terraform apply`, this command will create a "plan" of the resources that will be created and stop -for you to type `yes` to proceed. -``` -$ terraform apply -``` - -![Hit Yes](https://techally-artifacts.s3-us-west-2.amazonaws.com/github-terraform-provisioning-imgs/azure-cloud-shell-editor-terraform-apply.png) - -**Hit yes!** - -### Verify Lacework Integrations - -To verify if the two integrations have been configured successfully, run the command: -``` -$ lacework integrations list -``` diff --git a/azure/README.md b/azure/README.md deleted file mode 100644 index fa3f035..0000000 --- a/azure/README.md +++ /dev/null 
@@ -1,89 +0,0 @@ -# Lacework Terraform Provisioning for Azure -Terraform modules that create Azure resources required to integrate Azure Tenants and Subscriptions -with the Lacework Cloud Security Platform. - -## Use your Azure Portal - -This couldn't be easier! - -Follow [these instructions](AZURE_CLOUD_SHELL.md) to use the Azure Cloud Shell to run these modules from -the comfort of your Azure Portal. - -## Requirements -If you prefer to use these modules locally, you must meet the following requirements: - -- [Terraform](terraform.io/downloads.html) `v0.12.x` -- [Azure CLI](https://docs.microsoft.com/en-us/cli/azure/install-azure-cli?view=azure-cli-latest) -- [Azure User](https://docs.microsoft.com/en-us/azure/active-directory/fundamentals/add-users-azure-active-directory) with the following permissions: - - *Global Administrator* privileges in Active Directory - - *Owner Role* at the Subscription level -- [Lacework API Key](https://support.lacework.com/hc/en-us/articles/360011403853-Generate-API-Access-Keys-and-Tokens) - -We also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk/wiki/CLI-Documentation) is installed and the `[default]` -profile is associated with the applicable Lacework Account `api_key` and `api_secret` inside the `~/.lacework.toml` configuration file. - -## Login via the Azure CLI -In order to integrate Lacework with Azure you will need to login to your Azure console via -the Azure CLI by running the command: -``` -$ az login -``` - -## Usage - -**IMPORTANT:** We use the `master` branch in source just as an example. In your code, **do NOT pin to master** because there may -be breaking changes between releases. Instead we recommend to pin to the release tag (e.g. `?ref=tags/v0.1.0`) of one of -our [latest releases](https://github.com/lacework/terraform-provisioning/releases). 
- - -### Enable New Azure Compliance and Activity Log Integrations -```hcl -provider "azuread" {} - -provider "azurerm" { - version = "2.26" - features {} -} - -provider "lacework" {} - -module "az_config" { - source = "git::https://github.com/lacework/terraform-provisioning.git//azure/modules/config?ref=master" -} - -module "az_activity_log" { - source = "git::https://github.com/lacework/terraform-provisioning.git//azure/modules/activity_log?ref=master" - - use_existing_ad_application = true - application_id = module.az_config.application_id - application_password = module.az_config.application_password - service_principal_id = module.az_config.service_principal_id -} -``` - -## Inputs - -| Name | Description | Type | Default | Required | -|------|-------------|------|---------|:--------:| -| application_name | The name of the Azure Active Directory Application | `string` | lacework_security_audit | no | -| application_identifier_uris | A list of user-defined URI(s) for the Lacework AD Application | `list(string)` | ["https://securityaudit.lacework.net"] | no | -| subscription_ids | A list of subscriptions to grant read access to, by default the modules will only use the primary subscription | `list(string)` | `[]` | no | -| all_subscriptions | If set to true, grant read access to ALL subscriptions within the selected Tenant (overrides `subscription_ids`) | `bool` | false | no | -| key_vault_ids | A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | [] | no | -| tenant_id | A Tenant ID different from the default defined inside the provider | `string` | "" | no | -| password_length | The length of the Lacework AD Application password | `number` | 30 | no | -| use_existing_ad_application | Set this to true to use an existing Active Directory Application | `bool` | false | no | -| application_id | The Active Directory Application id to use (required when use_existing_ad_application is set to true) | `string` | 
"" | no | -| application_password | The Active Directory Application password to use (required when use_existing_ad_application is set to true) | `string` | "" | no | -| service_principal_id | The Service Principal id to use (required when use_existing_ad_application is set to true) | `string` | "" | no | -| prefix | The prefix that will be use at the beginning of every generated resource | `string` | l4c3w0rk | no | -| lacework_integration_name | The name of the integration in Lacework. This input is available in both the config, and the activity_log module | `string` | TF config | no | -| wait_time | Define a custom delay between cloud resource provision and Lacework external integration to avoid errors while things settle down. Use `10s` for 10 seconds, `5m` for 5 minutes. | `string` | `10s` | no | - -## Outputs - -| Name | Description | -|------|-------------| -| application_id | The Lacework AD Application id | -| application_password | The Lacework AD Application password | -| service_principal_id | The Lacework Service Principal id | diff --git a/azure/main.tf b/azure/main.tf deleted file mode 100644 index c650dad..0000000 --- a/azure/main.tf +++ /dev/null @@ -1,22 +0,0 @@ -provider "azuread" {} - -provider "azurerm" { - features {} -} - -provider "lacework" {} - -module "az_config" { - source = "lacework/config/azure" - version = "~> 0.1.2" -} - -module "az_activity_log" { - source = "lacework/activity-log/azure" - version = "~> 0.1.2" - - use_existing_ad_application = true - application_id = module.az_config.application_id - application_password = module.az_config.application_password - service_principal_id = module.az_config.service_principal_id -} diff --git a/gcp/GOOGLE_CLOUD_SHELL.md b/gcp/GOOGLE_CLOUD_SHELL.md deleted file mode 100644 index 4d82d3f..0000000 --- a/gcp/GOOGLE_CLOUD_SHELL.md +++ /dev/null 
@@ -1,150 +0,0 @@ -# Google Cloud Shell -The Google Cloud Shell is an embedded terminal/command-line interface that can be used within the Google -Console. This shell is fully authenticated and comes with tools like the [Google Cloud SDK](https://cloud.google.com/sdk/gcloud/), -`gcloud`command-line tool and Terraform pre-installed to manage and automate your projects and resources in your -environment. - -These instructions will show you how to get up-and-running with Lacework, Terraform and the Google Cloud Shell. -The only requirement we need is that your [Google Account](https://cloud.google.com/iam/docs/service-accounts) has -the following permissions: - -### For Organization Level Integration -- Logs Configuration Writer -- Organziation Admin -- Project Owner - -### For Project Level Integration -- Project Owner - -## Open Google Cloud Shell within Google Console -To open the Google Cloud Shell, you simply click on the Cloud Shell icon in the header bar of the Google Console, -and it will open the Cloud Shell in a pane at the bottom of the browser. - -![Open Google Cloud Shell](https://techally-artifacts.s3-us-west-2.amazonaws.com/github-terraform-provisioning-imgs/google-cloud-shell-open.png) - -## Prepare your Cloud Shell - -We need to run the `shell_startup.sh` script to install all the neccessary tools and configure some environment -variables required by Terraform. - -``` -afiune@cloudshell:~ $ curl https://raw.githubusercontent.com/lacework/terraform-provisioning/master/gcp/shell_startup.sh | bash -``` - -When the script completes you need to type `exit` followed by enter to exit your shell. Once the shell has exited you can open -the Cloud Shell again and the Lacework CLI will be ready for use! - -## Configure the Lacework CLI - -Proceed to configure the Lacework CLI by using the command `lacework configure`. You will need three things: -* `account`: Account subdomain of URL (i.e. 
`.lacework.net`) -* `api_key`: API Access Key -* `api_secret`: API Access Secret - ->To create a set of API keys, log in to your Lacework account via WebUI and navigate to Settings > API Keys and ->click + Create New. Enter a name for the key and an optional description, then click Save. To get the secret key, ->download the generated API key file. - -The Google Cloud Shell allows you to drag-and-drop the generated `KEY.json` to upload it automatically. - -![Download-Drag-and-Drop Lacework API key](https://techally-artifacts.s3-us-west-2.amazonaws.com/github-terraform-provisioning-imgs/google-cloud-shell-drag-drop-api-key.gif) - -Finally, run the command: -``` -afiune@cloudshell:~ $ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715.json -▸ Account: customerdemo -▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEF715 -▸ Secret Access Key: (*****************************26a0) - -You are all set! -``` - -For more information about the Lacework CLI, see https://github.com/lacework/go-sdk/wiki/CLI-Documentation. - -## Enable Google Compliance and Audit Log Integrations -Cloud Shell also has a built-in file editor that will give you a more graphically appealing experience for -editing files, to open the editor click the button "🖊️ **Open Editor**" and create a file named `main.tf`. - -**NOTE:** You can also use the old school `vi` editor if you prefer to do so. -``` -afiune@cloudshell:~ $ vi main.tf -``` - -Inside this file add the following code snippet that will configure both, Google Compliance and Audit Log -Integrations. The code leverages our Terraform modules to create resources in you Google Console as well as -connecting such resources to you Lacework account. To customize these modules look at the [following input -parameters](https://github.com/lacework/terraform-provisioning/tree/master/gcp#inputs). - -**IMPORTANT:** We use the `master` branch in source just as an example. 
In your code, **do NOT pin to master** -because there may be breaking changes between releases. Instead we recommend to pin to the release tag (e.g. -`?ref=tags/v0.1.0`) of one of our [latest releases](https://github.com/lacework/terraform-provisioning/releases). - -### For Organization Level Integration -```hcl -provider "google" {} - -provider "lacework" {} - -module "gcp_organization_config" { - source = "git::https://github.com/lacework/terraform-provisioning.git//gcp/modules/config?ref=master" - org_integration = true - organization_id = "my-organization-id" -} - -module "gcp_organization_audit_log" { - source = "git::https://github.com/lacework/terraform-provisioning.git//gcp/modules/audit_log?ref=master" - bucket_force_destroy = true - org_integration = true - use_existing_service_account = true - service_account_name = module.gcp_organization_config.service_account_name - service_account_private_key = module.gcp_organization_config.service_account_private_key - organization_id = "my-organization-id" -} -``` - -__NOTE: Update 'my-organization-id' with your GCP Organization ID. You can use the command `gcloud organizations list` to look up your id.__ - -### For Project Level Integration -```hcl -provider "google" {} - -provider "lacework" {} - -module "gcp_project_config" { - source = "git::https://github.com/lacework/terraform-provisioning.git//gcp/modules/config?ref=master" -} - -module "gcp_project_audit_log" { - source = "git::https://github.com/lacework/terraform-provisioning.git//gcp/modules/audit_log?ref=master" - bucket_force_destroy = true - use_existing_service_account = true - service_account_name = module.gcp_project_config.service_account_name - service_account_private_key = module.gcp_project_config.service_account_private_key -} -``` - -__NOTE: If you choose the editor, don't forget to save the file.__ - -### Run the Automation. Run Terraform! 
- -Run the command `terraform init` to download the necessary plugins and modules required to run this automation. -``` -afiune@cloudshell:~ $ terraform init -``` - -Then, run `terraform apply`, this command will create a "plan" of the resources that will be created and stop -for you to type `yes` to proceed. -``` -afiune@cloudshell:~ $ terraform apply -``` - -![Hit Yes](https://techally-artifacts.s3-us-west-2.amazonaws.com/github-terraform-provisioning-imgs/google-cloud-shell-terraform-apply.png) - -**Hit yes!** - -### Verify Lacework Integrations - -To verify if the two integrations have been configured successfully, run the command: -``` -afiune@cloudshell:~ $ lacework integrations list -``` diff --git a/gcp/README.md b/gcp/README.md deleted file mode 100644 index 4f9a547..0000000 --- a/gcp/README.md +++ /dev/null 
@@ -1,128 +0,0 @@
-# Lacework Terraform Provisioning for GCP
-Terraform modules that create GCP resources required to integrate GCP Organizations or Projects
-with the Lacework Cloud Security Platform.
-
-## Use your Google Console
-
-This couldn't be easier!
-
-Follow [these instructions](GOOGLE_CLOUD_SHELL.md) to use the Google Cloud Shell to run these modules from
-the comfort of your Google Console.
-
-## Requirements
-If you prefer to use these modules locally, you must meet the following requirements:
-
-- [Terraform](terraform.io/downloads.html) `v0.12.x`
-- [GCP Service Account](https://cloud.google.com/iam/docs/service-accounts)
-- [Lacework API Key](https://support.lacework.com/hc/en-us/articles/360011403853-Generate-API-Access-Keys-and-Tokens)
-
-We also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk/wiki/CLI-Documentation) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml`
-
-## GCP Organziation Level Integrations
-The following section covers how to integrate GCP configuration assessment and Audit Log for
-an entire Google Cloud Organization
-
-### Setup GCP Service Account
-To integrate Lacework with a Google Cloud Organization you will need a GCP service account with
-the following permissions:
-- Logs Configuration Writer
-- Organziation Admin
-- Project Owner
-
-Download the service account `json` file to your workstation and move on to the next section.
-
-More information on how to download a GCP service account key can be found [here](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
-
-### Usage
-
-**IMPORTANT:** We use the `master` branch in source just as an example. In your code, **do NOT pin to master** because there may
-be breaking changes between releases. Instead we recommend to pin to the release tag (e.g.
`?ref=tags/v0.1.0`) of one of
-our [latest releases](https://github.com/lacework/terraform-provisioning/releases).
-
-#### Enable New GCP Organization
-```hcl
-provider "google" {}
-
-provider "lacework" {}
-
-module "gcp_organization_config" {
- source = "git::https://github.com/lacework/terraform-provisioning.git//gcp/modules/config?ref=master"
- org_integration = true
- organization_id = "my-organization-id"
-}
-
-module "gcp_organization_audit_log" {
- source = "git::https://github.com/lacework/terraform-provisioning.git//gcp/modules/audit_log?ref=master"
- bucket_force_destroy = true
- org_integration = true
- use_existing_service_account = true
- service_account_name = module.gcp_organization_config.service_account_name
- service_account_private_key = module.gcp_organization_config.service_account_private_key
- organization_id = "my-organization-id"
-}
-```
-
-More information on adding GCP credentials for Terraform can be found [here](https://www.terraform.io/docs/providers/google/guides/getting_started.html#adding-credentials)
-
-## GCP Project Level Integration
-The following section covers how to integrate GCP configuration assessment and Audit Log on a per
-project basis.
-
-### Setup GCP Service Account
-In order to integrate Lacework with a GCP Project you will need a GCP service account in each project you intend to integrate with the following permissions:
-- Project Owner
-
-Download the service account `json` file to your workstation and move on to the next section.
-
-More information on how to download a GCP service account key can be found [here](https://cloud.google.com/iam/docs/creating-managing-service-account-keys)
-
-### Usage
-
-**IMPORTANT:** We use the `master` branch in source just as an example. In your code, *do NOT pin to master* because there may
-be breaking changes between releases. Instead we recommend to pin to the release tag (e.g.
`?ref=tags/v0.1.0`) of one of
-our [latest releases](https://github.com/lacework/terraform-provisioning/releases).
-
-#### Enable New GCP Project
-```hcl
-provider "google" {}
-
-provider "lacework" {}
-
-module "gcp_project_config" {
- source = "git::https://github.com/lacework/terraform-provisioning.git//gcp/modules/config?ref=master"
-}
-
-module "gcp_project_audit_log" {
- source = "git::https://github.com/lacework/terraform-provisioning.git//gcp/modules/audit_log?ref=master"
- bucket_force_destroy = true
- use_existing_service_account = true
- service_account_name = module.gcp_project_config.service_account_name
- service_account_private_key = module.gcp_project_config.service_account_private_key
-}
-```
-More information on adding GCP credentials for Terraform can be found [here](https://www.terraform.io/docs/providers/google/guides/getting_started.html#adding-credentials)
-
-## Inputs
-
-| Name | Description | Type | Default | Required |
-|------|-------------|------|---------|:--------:|
-| prefix | The prefix that will be use at the beginning of every generated resource | `string` | lw-at | no |
-| org_integration | Set this to `true` to configure an organization level integration. When set to `true` you must provide the `organization_id` | `bool` | `false` | no |
-| organization_id | The organization ID | `string` | "" | no |
-| project_id | A project ID different from the default defined inside the `google` provider. | `string` | "" | no |
-| use_existing_service_account | Set this to `true` to use an existing Service Account. When set to `true` you must provide both the `service_account_name` and `service_account_private_key` | `bool` | `false` | no |
-| service_account_name | The Service Account name . | `string` | "" | no |
-| service_account_private_key | The private key in JSON format, base64 encoded.
| `string` | "" | no |
-| bucket_force_destroy | Force destroy storage bucket (Required when bucket not empty) | `bool` | false | no |
-| existing_bucket_name | The name of an existing bucket you want to send the logs to | `string` | "" | no |
-| lacework_integration_name | The name of the integration in Lacework. This input is available in both the config, and the audit_log module | `string` | TF config | no |
-| wait_time | Define a custom delay between cloud resource provision and Lacework external integration to avoid errors while things settle down. Use `10s` for 10 seconds, `5m` for 5 minutes. | `string` | `10s` | no |
-
-## Outputs
-
-| Name | Description |
-|------|-------------|
-| service_account_name | The Service Account name |
-| service_account_private_key | The private key in JSON format, base64 encoded |
-| bucket_name | The storage bucket name |
-| pubsub_topic_name | The PubSub topic name |
diff --git a/gcp/organization_level.tf b/gcp/organization_level.tf
deleted file mode 100644
index b4d9dac..0000000
--- a/gcp/organization_level.tf
+++ /dev/null
@@ -1,23 +0,0 @@
-provider "google" {}
-
-provider "lacework" {}
-
-module "gcp_organization_config" {
- source = "lacework/config/gcp"
- version = "~> 0.1.1"
-
- org_integration = true
- organization_id = "my-organization-id"
-}
-
-module "gcp_organization_audit_log" {
- source = "lacework/audit-log/gcp"
- version = "~> 0.1.1"
-
- bucket_force_destroy = true
- org_integration = true
- use_existing_service_account = true
- service_account_name = module.gcp_organization_config.service_account_name
- service_account_private_key = module.gcp_organization_config.service_account_private_key
- organization_id = "my-organization-id"
-}
diff --git a/gcp/project_level.tf b/gcp/project_level.tf
deleted file mode 100644
index 5204531..0000000
--- a/gcp/project_level.tf
+++ /dev/null
@@ -1,14 +0,0 @@
-module "gcp_project_config" {
- source = "lacework/config/gcp"
- version = "~> 0.1.1"
-}
-
-module "gcp_project_audit_log" {
- source = "lacework/audit-log/gcp"
- version = "~> 0.1.1"
-
- bucket_force_destroy = true
- use_existing_service_account = true
- service_account_name = module.gcp_project_config.service_account_name
- service_account_private_key = module.gcp_project_config.service_account_private_key
-}
diff --git a/scripts/ci_tests.sh b/scripts/ci_tests.sh
deleted file mode 100755
index 1cae853..0000000
--- a/scripts/ci_tests.sh
+++ /dev/null
@@ -1,56 +0,0 @@
-#!/bin/bash
-#
-# Name:: ci_tests.sh
-# Description:: Use this script to run ci tests of this repository
-# Author:: Salim Afiune Maya ()
-#
-set -eou pipefail
-
-readonly project_name=terraform-provisioning
-
-MODULES=(
- aws/
- gcp/
- azure/
-)
-
-TEST_CASES=(
- aws/
- gcp/
- #azure/
-)
-
-log() {
- echo "--> ${project_name}: $1"
-}
-
-warn() {
- echo "xxx ${project_name}: $1" >&2
-}
-
-integration_tests() {
- for tcase in ${TEST_CASES[*]}; do
- log "Running tests at $tcase"
- ( cd $tcase || exit 1
- terraform init
- terraform validate
- terraform plan
- ) || exit 1
- done
-}
-
-lint_tests() {
- for mod in ${MODULES[*]}; do
- log "fmt check for module $mod"
- ( cd $mod || exit 1
- terraform fmt -check
- ) || exit 1
- done
-}
-
-main() {
- lint_tests
- integration_tests
-}
-
-main || exit 99
diff --git a/scripts/release.sh b/scripts/release.sh
deleted file mode 100755
index ebc7fb6..0000000
--- a/scripts/release.sh
+++ /dev/null
@@ -1,286 +0,0 @@ -#!/bin/bash -# -# Name:: release.sh -# Description:: Use this script to prepare a new release on Github, -# the automation will create a GH tag like 'v0.1.0' -# (using the VERSION file) -# Author:: Salim Afiune Maya () -# -set -eou pipefail - -readonly project_name=terraform-provisioning -VERSION=$(cat VERSION) - -usage() { - local _cmd - _cmd="$(basename "${0}")" - cat < CHANGELOG.md - echo "" >> CHANGELOG.md - echo "$(cat CHANGES.md)" >> CHANGELOG.md - echo "---" >> CHANGELOG.md - echo "$_changelog" >> CHANGELOG.md - # clean changes file since we don't need it anymore - rm CHANGES.md -} - -load_list_of_changes() { - latest_version=$(find_latest_version) - local _list_of_changes=$(git log --no-merges --pretty="* %s (%an)([%h](https://github.com/lacework/${project_name}/commit/%H))" ${latest_version}..master) - echo "## Features" > CHANGES.md - echo "$_list_of_changes" | grep "\* feat[:(]" >> CHANGES.md - echo "## Refactor" >> CHANGES.md - echo "$_list_of_changes" | grep "\* refactor[:(]" >> CHANGES.md - echo "## Performance Improvements" >> CHANGES.md - echo "$_list_of_changes" | grep "\* perf[:(]" >> CHANGES.md - echo "## Bug Fixes" >> CHANGES.md - echo "$_list_of_changes" | grep "\* fix[:(]" >> CHANGES.md - echo "## Documentation Updates" >> CHANGES.md - echo "$_list_of_changes" | grep "\* doc[:(]" >> CHANGES.md - echo "$_list_of_changes" | grep "\* docs[:(]" >> CHANGES.md - echo "## Other Changes" >> CHANGES.md - echo "$_list_of_changes" | grep "\* style[:(]" >> CHANGES.md - echo "$_list_of_changes" | grep "\* chore[:(]" >> CHANGES.md - echo "$_list_of_changes" | grep "\* build[:(]" >> CHANGES.md - echo "$_list_of_changes" | grep "\* ci[:(]" >> CHANGES.md - echo "$_list_of_changes" | grep "\* test[:(]" >> CHANGES.md -} - -generate_release_notes() { - log "generating release notes at RELEASE_NOTES.md" - load_list_of_changes - echo "# Release Notes" > RELEASE_NOTES.md - echo "Another day, another release. 
These are the release notes for the version \`v$VERSION\`." >> RELEASE_NOTES.md - echo "" >> RELEASE_NOTES.md - echo "$(cat CHANGES.md)" >> RELEASE_NOTES.md -} - -push_release() { - log "commiting and pushing the release to github" - _version_no_tag=$(echo $VERSION | awk -F. '{printf("%d.%d.%d", $1, $2, $3)}') - git checkout -B release - git commit -am "Release v$_version_no_tag" - git push origin release - log "" - log "Follow the above url and open a pull request" -} - -tag_release() { - local _tag="v$VERSION" - log "creating github tag: $_tag" - git tag "$_tag" - git push origin "$_tag" -} - -prerequisites() { - local _branch=$(git rev-parse --abbrev-ref HEAD) - if [ "$_branch" != "master" ]; then - warn "Releases must be generated from the 'master' branch. (current $_branch)" - warn "Switch to the master branch and try again." - exit 127 - fi - - local _unsaved_changes=$(git status -s) - if [ "$_unsaved_changes" != "" ]; then - warn "You have unsaved changes in the master branch. Are you resuming a release?" - warn "To resume a release you have to start over, to remove all unsaved changes run the command:" - warn " git reset --hard origin/master" - exit 127 - fi -} - -find_latest_version() { - local _pattern="v[0-9]\+.[0-9]\+.[0-9]\+" - local _versions - _versions=$(git ls-remote --tags --quiet | grep $_pattern | tr '/' ' ' | awk '{print $NF}') - echo "$_versions" | tr '.' ' ' | sort -nr -k 1 -k 2 -k 3 | tr ' ' '.' | head -1 -} - -add_tag_version() { - _tag=${1:-dev} - echo $VERSION | awk -F. '{printf("%d.%d.%d-'$_tag'", $1, $2, $3)}' > VERSION - VERSION=$(cat VERSION) - log "updated version to v$VERSION" -} - -remove_tag_version() { - echo $VERSION | awk -F. 
'{printf("%d.%d.%d", $1, $2, $3)}' > VERSION - VERSION=$(cat VERSION) - log "updated version to v$VERSION" -} - -bump_version() { - log "updating version after tagging release" - latest_version=$(find_latest_version) - - if [[ "v$VERSION" == "$latest_version" ]]; then - case "${1:-}" in - major) - echo $VERSION | awk -F. '{printf("%d.%d.%d-dev", $1+1, $2, $3)}' > VERSION - ;; - minor) - echo $VERSION | awk -F. '{printf("%d.%d.%d-dev", $1, $2+1, $3)}' > VERSION - ;; - *) - echo $VERSION | awk -F. '{printf("%d.%d.%d-dev", $1, $2, $3+1)}' > VERSION - ;; - esac - VERSION=$(cat VERSION) - log "version bumped from $latest_version to v$VERSION" - else - log "skipping version bump. Already bumped to v$VERSION" - return - fi - - log "commiting and pushing the vertion bump to github" - git add VERSION - git commit -m "version bump to v$VERSION" - git push origin master -} - -create_release() { - local _tag - _tag=$(git describe --tags) - local _body="/tmp/release.json" - - log "generating GH release $_tag" - generate_release_body "$_body" - curl -XPOST -H "Authorization: token $GITHUB_TOKEN" --data "@$_body" \ - https://api.github.com/repos/lacework/${project_name}/releases - - log "the release has been completed!" - log "" - log " -> https://github.com/lacework/${project_name}/releases/tag/${_tag}" -} - -generate_release_body() { - _file=${1:-release.json} - _tag=$(git describe --tags) - _release_notes=$(jq -aRs . <<< cat RELEASE_NOTES.md) - cat < $_file -{ - "tag_name": "$_tag", - "name": "$_tag", - "draft": false, - "prerelease": false, - "body": $_release_notes -} -EOF -} - -log() { - echo "--> ${project_name}: $1" -} - -warn() { - echo "xxx ${project_name}: $1" >&2 -} - -main "$@" || exit 99