lacework · afiune · Sep 2, 2020 · Sep 2, 2020 · Sep 2, 2020
diff --git a/aws/README.md b/aws/README.md
@@ -24,11 +24,11 @@ Before you begin the following must be configured on the workstation running Ter
 
 Typically, the [AWS CLI](https://aws.amazon.com/cli/) will have been previously installed and `aws configure` run and with `$AWS_PROFILE` set to the appropriate credential profile in `~/.aws/credentials`
 
-Also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml`
+Also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk/wiki/CLI-Documentation) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml`
 
 ## Usage
 
-**IMPORTANT:** We use the `master` branch in source just as an example. In your code, *do NOT pin to master* because there may
+**IMPORTANT:** We use the `master` branch in source just as an example. In your code, **do NOT pin to master** because there may
 be breaking changes between releases. Instead we recommend to pin to the release tag (e.g. `?ref=tags/v0.1.0`) of one of
 our [latest releases](https://github.com/lacework/terraform-provisioning/releases).
 

diff --git a/azure/README.md b/azure/README.md
@@ -11,33 +11,67 @@ Trail analysis.
   - *Owner Role* at the Subscription level
 - [Lacework API Key](https://support.lacework.com/hc/en-us/articles/360011403853-Generate-API-Access-Keys-and-Tokens) 
 
+Also recommend that the [Lacework CLI](https://github.com/lacework/go-sdk/wiki/CLI-Documentation) be installed and the `[default]` profile is associated with the applicable Lacework Account `api_key` and `api_secret` in `~/.lacework.toml`
+
 ## Login via the Azure CLI
 In order to integrate Lacework with Azure you will need to login to your Azure console via
 the Azure CLI by running the command:
 ```
 $ az login
 ```
 
-### Run Terraform
-1. Clone this repository: https://github.com/lacework/terraform-provisioning
-2. Change directories into `terraform-provisioning/azure`
-3. Create a new file called `terraform.tfvars` with the following content:
+## Usage
 
-```
-prefix          = "<SHORT PREFIX TO IDENTIFY RESOURCES>"
-identifier_uris = [
-	"https://<YOUR LACEWORK ACCOUNT>.lacework.net"
-]
-lacework_account    = "<YOUR LACEWORK ACCOUNT>"
-lacework_api_key    = "<THE API KEY FROM LACEWORK JSON FILE>"
-lacework_api_secret = "<THE API SECRET FROM LACEWORK JSON FILE>"
-```
-or use environment variables to avoid hardcoding API keys and secrets.
+**IMPORTANT:** We use the `master` branch in source just as an example. In your code, **do NOT pin to master** because there may
+be breaking changes between releases. Instead we recommend to pin to the release tag (e.g. `?ref=tags/v0.1.0`) of one of
+our [latest releases](https://github.com/lacework/terraform-provisioning/releases).
 
+
+### Enable New Azure Compliance and Activity Log Integrations
+```hcl
+provider "azuread" {}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "lacework" {}
+
+module "az_config" {
+  source = "git::https://github.com/lacework/terraform-provisioning.git//azure/modules/config?ref=master"
+}
+
+module "az_activity_log" {
+  source = "git::https://github.com/lacework/terraform-provisioning.git//azure/modules/activity_log?ref=master"
+
+  use_existing_ad_application = true
+  application_id              = module.az_config.application_id
+  application_password        = module.az_config.application_password
+  service_principal_id        = module.az_config.service_principal_id
+}
 ```
-export TF_VAR_lacework_api_key=<THE API KEY FROM LACEWORK JSON FILE>
-export TF_VAR_lacework_api_secret=<THE API SECRET FROM LACEWORK JSON FILE>
-```
-
-5. Run `terraform init`
-6. Run `terraform apply`
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| application_name | The name of the Azure Active Directory Applicaiton | `string` | lacework_security_audit | no |
+| application_identifier_uris | A list of user-defined URI(s) for the Lacework AD Application | `list(string)` | ["https://securityaudit.lacework.net"] | no |
+| key_vault_ids | A list of Key Vault Ids used in your subscription for the Lacework AD App to have access to | `list(string)` | [] | no |
+| tenant_id | A Tenant ID different from the default defined inside the provider | `string` | "" | no |
+| password_length | The length of the Lacework AD Application password | `number` | 30 | no |
+| use_existing_ad_application | Set this to true to use an existing Active Directory Application | `bool` | false | no |
+| application_id | The Active Directory Application id to use (required when use_existing_ad_application is set to true) | `string` | "" | no |
+| application_password | The Active Directory Application password to use (required when use_existing_ad_application is set to true) | `string` | "" | no |
+| service_principal_id | The Service Principal id to use (required when use_existing_ad_application is set to true) | `string` | "" | no |
+| prefix | The prefix that will be use at the beginning of every generated resource | `string` | l4c3w0rk | no |
+| lacework_integration_name | The name of the integration in Lacework. This input is available in both the config, and the activity_log module | `string` | TF config | no |
+| wait_time | Define a custom delay between cloud resource provision and Lacework external integration to avoid errors while things settle down. Use `10s` for 10 seconds, `5m` for 5 minutes. | `string` | `10s` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| application_id | The Lacework AD Application id |
+| application_password | The Lacework AD Application password |
+| service_principal_id | The Lacework Service Principal id |
diff --git a/azure/main.tf b/azure/main.tf
@@ -1,231 +1,19 @@
-provider "azuread" {
-  version = "=0.7.0"
-}
+provider "azuread" {}
 
 provider "azurerm" {
-  version = "=1.44.0"
-}
-
-provider "random" {
-  version = "=2.2"
-}
-
-locals {
-  resource_group = var.resource_group == null ? "${var.prefix}lwresourcegroup" : var.resource_group
-  storage = var.storage == null ? "${var.prefix}lwstorage" : var.storage
-  storage_queue = var.storage_queue == null ? "${var.prefix}lwstoragequeue" : var.storage_queue
-  event_subscription = var.event_subscription == null ? "${var.prefix}lweventsub" : var.event_subscription
-  log_profile = var.log_profile == null ? "${var.prefix}lwlogprofile" : var.log_profile
-}
-
-resource "azuread_application" "default" {
-  name = var.app_name
-  identifier_uris = var.identifier_uris
-
-  // Microsoft Graph
-  required_resource_access {
-    resource_app_id = "00000003-0000-0000-c000-000000000000"
-
-    resource_access {
-      id = "e1fe6dd8-ba31-4d61-89e7-88639da4683d"
-      type = "Scope"
-    }
-
-    resource_access {
-      id = "df021288-bdef-4463-88db-98f22de89214"
-      type = "Role"
-    }
-  }
-
-  // AAD Graph API
-  required_resource_access {
-    resource_app_id = "00000002-0000-0000-c000-000000000000"
-
-    resource_access {
-      id = "5778995a-e1bf-45b8-affa-663a9f3f4d04"
-      type = "Role"
-    }
-  }
-
-  // Azure Storage
-  required_resource_access {
-    resource_app_id = "e406a681-f3d4-42a8-90b6-c2b029497af1"
-
-    resource_access {
-      id = "03e0da56-190b-40ad-a80c-ea378c433f7f"
-      type = "Scope"
-    }
-  }
-
-  // Azure Key Vault
-  required_resource_access {
-    resource_app_id = "cfa8b339-82a2-471a-a3c9-0fc0be7a4093"
-
-    resource_access {
-      id = "f53da476-18e3-4152-8e01-aec403e6edc0"
-      type = "Scope"
-    }
-  }
-}
-
-resource "random_uuid" "generator" {}
-
-resource "azuread_application_password" "client_secret" {
-  application_object_id = azuread_application.default.id
-  value = random_uuid.generator.result
-  end_date = "2299-12-31T01:02:03Z"
-}
-
-resource "azuread_service_principal" "default" {
-  application_id = azuread_application.default.application_id
-}
-
-data "azurerm_subscriptions" "available" {}
-
-resource "azurerm_role_assignment" "ex" {
-  count = length(data.azurerm_subscriptions.available.subscriptions)
-
-  scope = "/subscriptions/${data.azurerm_subscriptions.available.subscriptions[count.index].subscription_id}"
-  role_definition_name = "Reader"
-  principal_id = azuread_service_principal.default.id
-}
-
-data "azurerm_subscription" "primary" {}
-
-resource "azurerm_key_vault_access_policy" "default" {
-  count = length(var.key_vault_ids)
-
-  key_vault_id = var.key_vault_ids[count.index]
-  object_id = azuread_service_principal.default.id
-  tenant_id = data.azurerm_subscription.primary.tenant_id
-
-  key_permissions = [
-    "List"
-  ]
-  secret_permissions = [
-    "List"
-  ]
-}
-
-// ------------------------------------------------------------------------------
-
-resource "azurerm_resource_group" "default" {
-  name = local.resource_group
-  location = var.location
-}
-
-resource "azurerm_storage_account" "default" {
-  name = local.storage
-  account_kind = "StorageV2"
-  account_replication_type = "LRS"
-  account_tier = "Standard"
-  enable_blob_encryption = true
-  enable_https_traffic_only = true
-  location = var.location
-  resource_group_name = azurerm_resource_group.default.name
-}
-
-resource "azurerm_storage_queue" "default" {
-  name = local.storage_queue
-  storage_account_name = azurerm_storage_account.default.name
-}
-
-resource "azurerm_eventgrid_event_subscription" "default" {
-  name = local.event_subscription
-  scope = azurerm_storage_account.default.id
-
-  storage_queue_endpoint {
-    storage_account_id = azurerm_storage_account.default.id
-    queue_name = azurerm_storage_queue.default.name
-  }
-
-  subject_filter {
-    subject_begins_with = "/blobServices/default/containers/insights-operational-logs/"
-  }
-
-  included_event_types = [
-    "Microsoft.Storage.BlobCreated"
-  ]
+  features {}
 }
 
-resource "azurerm_monitor_log_profile" "default" {
-  name = local.log_profile
-
-  categories = [
-    "Action",
-    "Delete",
-    "Write",
-  ]
-
-  locations = var.log_profile_locations
-
-  storage_account_id = azurerm_storage_account.default.id
-
-  retention_policy {
-    enabled = true
-    days = 7
-  }
-}
-
-resource "azurerm_role_definition" "default" {
-  name = "${var.prefix}lwrole"
-  description = "Monitors Activity Log"
-
-  scope = data.azurerm_subscription.primary.id
-  assignable_scopes = [
-    data.azurerm_subscription.primary.id
-  ]
-
-  permissions {
-    actions = [
-      "Microsoft.Resources/subscriptions/resourceGroups/read",
-      "Microsoft.Storage/storageAccounts/read",
-      "Microsoft.Storage/storageAccounts/blobServices/containers/read",
-      "Microsoft.Storage/storageAccounts/queueServices/queues/read",
-      "Microsoft.EventGrid/eventSubscriptions/read",
-      "Microsoft.Storage/storageAccounts/listkeys/action"
-    ]
-
-    data_actions = [
-      "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
-      "Microsoft.Storage/storageAccounts/queueServices/queues/messages/read",
-      "Microsoft.Storage/storageAccounts/queueServices/queues/messages/delete"
-    ]
-  }
-}
-
-resource "azurerm_role_assignment" "default" {
-  role_definition_id = azurerm_role_definition.default.id
-  principal_id = azuread_service_principal.default.id
-  scope = data.azurerm_subscription.primary.id
-}
-
-provider "lacework" {
-  account    = var.lacework_account
-  api_key    = var.lacework_api_key
-  api_secret = var.lacework_api_secret
-}
+provider "lacework" {}
 
-resource "lacework_integration_azure_cfg" "default" {
-  name      = var.lacework_integration_config_name
-  tenant_id = data.azurerm_subscription.primary.tenant_id
-  credentials {
-    client_id     = azuread_application.default.application_id
-    client_secret = azuread_application_password.client_secret.value
-  }
-  depends_on = [ azurerm_eventgrid_event_subscription.default ]
+module "az_config" {
+  source = "./modules/config"
 }
 
-resource "lacework_integration_azure_al" "default" {
-  name      = var.lacework_integration_activitylog_name
-  tenant_id = data.azurerm_subscription.primary.tenant_id
-  queue_url = "https://${azurerm_storage_account.default.name}.queue.core.windows.net/${azurerm_storage_queue.default.name}"
-  credentials {
-    client_id     = azuread_application.default.application_id
-    client_secret = azuread_application_password.client_secret.value
-  }
-  depends_on = [
-    azurerm_eventgrid_event_subscription.default,
-    lacework_integration_azure_cfg.default
-  ]
+module "az_activity_log" {
+  source                      = "./modules/activity_log"
+  use_existing_ad_application = true
+  application_id              = module.az_config.application_id
+  application_password        = module.az_config.application_password
+  service_principal_id        = module.az_config.service_principal_id
 }
diff --git a/azure/modules/activity_log/examples/custom-activity-log/main.tf b/azure/modules/activity_log/examples/custom-activity-log/main.tf
@@ -0,0 +1,19 @@
+provider "azuread" {}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "lacework" {}
+
+module "az_activity_log" {
+  source                      = "../../"
+  application_identifier_uris = ["https://account.lacework.net"]
+  application_name            = "my-custom-application-name"
+  key_vault_ids               = ["vault-id-1", "vault-id-2", "vault-id-3", "vault-id-4"]
+  tenant_id                   = "123abc12-abcd-1234-abcd-abcd12340123"
+  password_lenght             = 16
+  lacework_integration_name   = "custom name"
+  prefix                      = "customprefix"
+  location                    = "Central US"
+}
diff --git a/azure/modules/activity_log/examples/default-activity-log/main.tf b/azure/modules/activity_log/examples/default-activity-log/main.tf
@@ -0,0 +1,11 @@
+provider "azuread" {}
+
+provider "azurerm" {
+  features {}
+}
+
+provider "lacework" {}
+
+module "az_activity_log" {
+  source = "../../"
+}