
terraform-aws-config


Terraform module for configuring an integration between Lacework and AWS for cloud resource configuration assessment. It creates (or reuses) an IAM role that Lacework's AWS account assumes cross-account, attaches the AWS-managed SecurityAudit policy plus a supplementary read-only audit policy to it, and registers the role with Lacework as a configuration integration.

Requirements

Name Version
terraform >= 0.14
aws >= 3.35.0
lacework ~> 1.18
random >= 2.1
time ~> 0.7

Providers

Name Version
aws >= 3.35.0
lacework ~> 1.18
random >= 2.1
time ~> 0.7

Modules

Name Source Version
lacework_cfg_iam_role lacework/iam-role/aws ~> 0.4

Resources

Name Type
aws_iam_policy.lacework_audit_policy resource
aws_iam_role_policy_attachment.lacework_audit_policy_attachment resource
aws_iam_role_policy_attachment.security_audit_policy_attachment resource
lacework_integration_aws_cfg.default resource
random_id.uniq resource
time_sleep.wait_time resource
aws_iam_policy_document.lacework_audit_policy data source
lacework_metric_module.lwmetrics data source

Inputs

All inputs are optional. Each entry gives the name, type and default, followed by its description.

external_id_length (number, default 16)
  Deprecated; will be removed in the next major release (v1.0.0).

iam_role_arn (string, default "")
  ARN of the IAM role. Required when use_existing_iam_role is true.

iam_role_external_id (string, default "")
  The external ID configured in the existing IAM role's trust policy. Required when use_existing_iam_role is true.

iam_role_name (string, default "")
  Name of the IAM role. When use_existing_iam_role is true it must match iam_role_arn.

lacework_audit_policy_name (string, default "")
  Name of the custom audit policy (which supplements SecurityAudit) that lets Lacework read configuration. Defaults to lwaudit-policy-${random_id.uniq.hex} when empty.

lacework_aws_account_id (string, default "434813966438")
  The Lacework AWS account that the IAM role grants access to.

lacework_integration_name (string, default "TF config")
  Name of the integration in Lacework.

permission_boundary_arn (string, default null)
  ARN of the policy used as the permissions boundary for the role.

tags (map(string), default {})
  Map of tags assigned to created resources.

use_existing_iam_role (bool, default false)
  Set to true to use an existing IAM role instead of creating one.

use_existing_iam_role_policy (bool, default false)
  Set to true to use an existing policy on the IAM role rather than attaching a new one.

wait_time (string, default "10s")
  Time to wait before the next resource is provisioned.

Outputs

Name Description
external_id The External ID configured into the IAM role
iam_role_arn The IAM Role ARN
iam_role_name The IAM Role name
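A minimal root module that calls this module with its defaults and exposes the values Lacework needs, written here as an added example rather than code taken from the README or the module. The region, integration name, role name, boundary ARN and tag values are placeholders; the Lacework provider block is left empty so that credentials come from its LW_* environment variables or Lacework CLI profile instead of being written into HCL and state.

```hcl
terraform {
  required_version = ">= 0.14"

  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 3.35.0"
    }
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.18"
    }
  }
}

provider "aws" {
  region = "us-east-1" # placeholder
}

# Credentials come from LW_ACCOUNT / LW_API_KEY / LW_API_SECRET or the
# Lacework CLI profile; keeping them out of HCL keeps them out of state.
provider "lacework" {}

module "aws_config" {
  source  = "lacework/config/aws"
  version = "0.13.0" # exact pin; "~> 0.13" would also accept 0.14.x

  lacework_integration_name = "prod-config-assessment" # placeholder
  iam_role_name             = "lacework-config-audit"  # placeholder

  # Optional: cap what the role can ever be granted, even if a later module
  # version widens the attached policy. The boundary must itself allow the
  # SecurityAudit and audit-policy actions or the integration stops working.
  permission_boundary_arn = "arn:aws:iam::123456789012:policy/lacework-boundary" # placeholder

  tags = {
    owner   = "security-engineering"
    purpose = "lacework-config-assessment"
  }
}

output "lacework_role_arn" {
  value = module.aws_config.iam_role_arn
}

# The external ID is what stops another Lacework tenant from pointing its
# integration at this role ARN (the confused-deputy problem), so keep it
# out of plan output and logs.
output "lacework_external_id" {
  value     = module.aws_config.external_id
  sensitive = true
}
```

After terraform apply, the role ARN and external ID are the two values that appear on the Lacework side of the integration; if you rotate the external ID, both the trust policy and the Lacework integration have to change together, which is why leaving both to the module is the simplest path.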

Lacework Audit Policy

The Lacework audit policy supplements the AWS-managed SecurityAudit policy with permissions to read additional configuration resources. Every action in it is a read-only call (Get, List, Describe or BatchGet), and all statements apply to resource "*" except the API Gateway statement, which is scoped to API keys. The policy consists of the following statements:

Sid                         Actions                                                   Resources
GetEbsEncryptionByDefault   ec2:GetEbsEncryptionByDefault                             *
GetBucketPublicAccessBlock  s3:GetBucketPublicAccessBlock                             *
EFS                         elasticfilesystem:DescribeFileSystemPolicy                *
                            elasticfilesystem:DescribeLifecycleConfiguration
                            elasticfilesystem:DescribeAccessPoints
                            elasticfilesystem:DescribeAccountPreferences
                            elasticfilesystem:DescribeBackupPolicy
                            elasticfilesystem:DescribeReplicationConfigurations
                            elasticfilesystem:ListTagsForResource
EMR                         elasticmapreduce:ListBootstrapActions                     *
                            elasticmapreduce:ListInstanceFleets
                            elasticmapreduce:ListInstanceGroups
SAGEMAKER                   sagemaker:GetModelPackageGroupPolicy                      *
                            sagemaker:GetLineageGroupPolicy
IDENTITYSTORE               identitystore:DescribeGroup                               *
                            identitystore:DescribeGroupMembership
                            identitystore:DescribeUser
                            identitystore:ListGroupMemberships
                            identitystore:ListGroupMembershipsForMember
                            identitystore:ListGroups
                            identitystore:ListUsers
SSO                         sso:DescribeAccountAssignmentDeletionStatus               *
                            sso:DescribeInstanceAccessControlAttributeConfiguration
                            sso:GetInlinePolicyForPermissionSet
GLACIER                     glacier:ListTagsForVault                                  *
APIGATEWAY                  apigateway:GET                                            arn:aws:apigateway:::/apikeys
                                                                                      arn:aws:apigateway:::/apikeys/*
WAFREGIONAL                 waf-regional:ListRules                                    *
                            waf-regional:GetRule
                            waf-regional:ListRuleGroups
                            waf-regional:GetRuleGroup
                            waf-regional:ListActivatedRulesInRuleGroup
GLUE                        glue:ListWorkflows                                        *
                            glue:BatchGetWorkflows
                            glue:GetTags
CODEBUILD                   codebuild:ListBuilds                                      *
                            codebuild:BatchGetBuilds
SNS                         sns:GetDataProtectionPolicy                               *
                            sns:ListPlatformApplications
                            sns:GetSubscriptionAttributes
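Where the role and its policies have to be owned outside the module (for example so that the trust policy and the permission set go through your own review), the integration can instead be pointed at a pre-existing role with use_existing_iam_role and use_existing_iam_role_policy, the inputs described above. The following is an added example and not code from the module. It assumes that use_existing_iam_role_policy = true makes the module skip both policy attachments (check the module source for the version you pin); only two statements from the table above are reproduced, and the remaining ones are added in the same form. The role name, policy name and provider configuration are placeholders, and the random provider is required for the external ID.

```hcl
# Provider configuration omitted; the random provider is needed below.

# Lacework's AWS account, matching the module's default lacework_aws_account_id.
variable "lacework_aws_account_id" {
  type    = string
  default = "434813966438"
}

# 16 random bytes -> 32 hex characters used as the external ID.
resource "random_id" "external_id" {
  byte_length = 16
}

# Trust policy: only the Lacework account may assume the role, and only when
# it presents the external ID. Without the condition, any Lacework tenant that
# learned this role's ARN could point its integration at it (confused deputy).
data "aws_iam_policy_document" "lacework_trust" {
  statement {
    sid     = "LaceworkAssumeRole"
    actions = ["sts:AssumeRole"]

    principals {
      type        = "AWS"
      identifiers = ["arn:aws:iam::${var.lacework_aws_account_id}:root"]
    }

    condition {
      test     = "StringEquals"
      variable = "sts:ExternalId"
      values   = [random_id.external_id.hex]
    }
  }
}

resource "aws_iam_role" "lacework_config" {
  name               = "lacework-config-audit" # placeholder
  assume_role_policy = data.aws_iam_policy_document.lacework_trust.json
}

# AWS-managed read-only baseline that the module also attaches by default.
resource "aws_iam_role_policy_attachment" "security_audit" {
  role       = aws_iam_role.lacework_config.name
  policy_arn = "arn:aws:iam::aws:policy/SecurityAudit"
}

# Supplementary read-only permissions. Two statements from the table above are
# shown; add the remaining ones in the same form. The API Gateway statement is
# scoped to the apikeys resource rather than "*".
data "aws_iam_policy_document" "lacework_audit" {
  statement {
    sid       = "GetEbsEncryptionByDefault"
    actions   = ["ec2:GetEbsEncryptionByDefault"]
    resources = ["*"]
  }

  statement {
    sid     = "APIGATEWAY"
    actions = ["apigateway:GET"]
    resources = [
      "arn:aws:apigateway:::/apikeys",
      "arn:aws:apigateway:::/apikeys/*",
    ]
  }
}

# Do not derive the policy name from the external ID: policy names are
# visible to anyone with iam:ListPolicies, the external ID should not be.
resource "aws_iam_policy" "lacework_audit" {
  name   = "lacework-config-audit-policy" # placeholder
  policy = data.aws_iam_policy_document.lacework_audit.json
}

resource "aws_iam_role_policy_attachment" "lacework_audit" {
  role       = aws_iam_role.lacework_config.name
  policy_arn = aws_iam_policy.lacework_audit.arn
}

module "aws_config" {
  source  = "lacework/config/aws"
  version = "0.13.0"

  use_existing_iam_role        = true
  use_existing_iam_role_policy = true
  iam_role_name                = aws_iam_role.lacework_config.name
  iam_role_arn                 = aws_iam_role.lacework_config.arn
  iam_role_external_id         = random_id.external_id.hex

  # The integration inside the module is created against this role, so make
  # sure both policies are attached before that happens.
  depends_on = [
    aws_iam_role_policy_attachment.security_audit,
    aws_iam_role_policy_attachment.lacework_audit,
  ]
}
```

The check worth keeping in review for this pattern is that the trust policy has exactly one principal (the Lacework account) and a StringEquals condition on sts:ExternalId; a role that trusts the account without the condition, or that uses a guessable external ID, is assumable by anyone who can drive that account's integrations.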


terraform-aws-config's Issues

bug: module.lacework_cfg_iam_role should pin a specific version

Describe the bug
This module consumes the lacework/iam-role/aws module, but doesn't pin a specific version of that module. This means that whenever the iam-role module ships a new version, users of the terraform-aws-config module will inherit that new version of iam-role without really knowing it.

Steps to reproduce

Take any terraform environment where you have used terraform-aws-config and you have already run terraform init before lacework/terraform-aws-iam-role#46 was merged, run terraform plan and see no diffs.

Then run rm -rf .terraform && terraform init && terraform plan which will pull in the new version of iam-role and you'll see diffs.

Expected behavior

You should never see diffs without explicitly bumping a version.

Screenshots
N/A

Please complete the following information:

  • Terraform Version: v1.6.1
  • Module Version: 0.13.0

bug: Cannot use older version 0.5.0 with older terraform

Describe the bug
Running terraform init fails when using an older, specific version of the module lacework/config/aws (0.5.0) with older terraform 0.13.7.

The module loads a submodule lacework/iam-role/aws using a pessimistic version constraint of "~> 0.2" which allows it to download the latest 0.3.0 iam-role (released 3 weeks ago) which added a TF version constraint of >= 0.14. Running terraform init has been broken for us for 3 weeks now.

Steps to reproduce
Using terraform 0.13.7, I cannot terraform init an application that loads the aws_config module:

module "aws_config" {
  source   = "lacework/config/aws"
  version  = "0.5.0"
}

Expected behavior
I pin version 0.5.0 in my module load of lacework/config/aws because it works with TF 0.13.7. I expect any submodules it loads to also allow TF 0.13.7.

Please complete the following information:

  • Terraform Version: v0.13.7
  • Module Version: 0.5.0

Additional context
I'd like to request a patch version 0.5.1 that loads the iam submodule using a more strict pessimistic version constraint (the version line):

module "lacework_cfg_iam_role" {
  source                  = "lacework/iam-role/aws"
  version                 = "~> 0.2.0"
  create                  = var.use_existing_iam_role ? false : true
  iam_role_name           = var.iam_role_name
  lacework_aws_account_id = var.lacework_aws_account_id
  external_id_length      = var.external_id_length
  tags                    = var.tags
}

Making this change locally allows terraform init to succeed.

This same iam-role dependency exists in "lacework/cloudtrail/aws" (2.1.1) and "lacework/ecr/aws" (0.6.0) modules, and both are resolved by making the same change to the version line above. If you are willing, I'd like to request a patch release for those as well (2.1.2 and 0.6.1, respectively) with the same version modification. I can create separate issue requests if necessary (and if you are willing to entertain this idea).

If you can advise some way of controlling the versioning of submodules when loading the main module, that would be great (but I don't think such a method exists as code is written.)

If the response is "we don't want to support an old version like this", then I will look at cloning your modules into my local terraform modules with the change made locally, but I'd like to avoid that if possible. (When we upgrade terraform -> 0.14 ->0.15 -> 1.x we will resolve all of these issues, but it's a complex code base.)
