terraform-gcp-pub-sub-audit-log

A Terraform Module to configuring an integration with Google Cloud Platform Pub Sub Audit Logs with Lacework for analysis.

⚠️ - NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied. This means when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and this will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed.

e.g. terraform state rm 'google_project_iam_binding.for_lacework_service_account'

Required Roles

roles/pubsub.publisher
roles/pubsub.subscriber

Required APIs

iam.googleapis.com
pubsub.googleapis.com
serviceusage.googleapis.com
cloudresourcemanager.googleapis.com

Requirements

Name	Version
terraform	>= 0.15.1
google	>= 4.4.0
lacework	~> 1.18
time	~> 0.6

Providers

Name	Version
google	>= 4.4.0
lacework	~> 1.18
random	n/a
time	~> 0.6

Modules

Name	Source	Version
lacework_al_ps_svc_account	lacework/service-account/gcp	~> 2.0

Resources

Name	Type
google_logging_folder_sink.lacework_folder_sink	resource
google_logging_organization_sink.lacework_organization_sink	resource
google_logging_project_sink.lacework_project_sink	resource
google_logging_project_sink.lacework_root_project_sink	resource
google_organization_iam_audit_config.organization_audit_logs	resource
google_organization_iam_member.for_lacework_service_account	resource
google_project_iam_audit_config.project_audit_logs	resource
google_project_iam_member.for_lacework_service_account	resource
google_project_service.required_apis	resource
google_pubsub_subscription.lacework_subscription	resource
google_pubsub_subscription_iam_binding.lacework	resource
google_pubsub_topic.lacework_topic	resource
google_pubsub_topic_iam_binding.topic_publisher	resource
lacework_integration_gcp_pub_sub_audit_log.default	resource
random_id.uniq	resource
time_sleep.wait_time	resource
google_folders.my-org-folders	data source
google_project.selected	data source
google_projects.my-org-projects	data source
lacework_metric_module.lwmetrics	data source

Inputs

Name	Description	Type	Default	Required
custom_filter	Customer defined Audit Log filter which will supersede all other filter options when defined	`string`	`""`	no
existing_sink_name	The name of an existing sink to be re-used for this integration	`string`	`""`	no
folders_to_exclude	List of root folders to exclude in an organization-level integration. Format is 'folders/1234567890'	`list(string)`	`[]`	no
folders_to_include	List of root folders to include in an organization-level integration. Format is 'folders/1234567890'	`set(string)`	`[]`	no
google_workspace_filter	Filter out Google Workspace login logs from GCP Audit Log sinks. Default is true	`bool`	`true`	no
include_root_projects	Enables logic to include root-level projects if excluding folders. Default is true	`bool`	`true`	no
integration_type	Specify the integration type. Can only be PROJECT or ORGANIZATION. Defaults to PROJECT	`string`	`"PROJECT"`	no
k8s_filter	Filter out GKE logs from GCP Audit Log sinks. Default is true	`bool`	`true`	no
labels	Set of labels which will be added to the resources managed by the module	`map(string)`	`{}`	no
lacework_integration_name	n/a	`string`	`"TF pub_sub_audit_log"`	no
organization_id	The organization ID, required if integration_type is set to ORGANIZATION	`string`	`""`	no
prefix	The prefix that will be use at the beginning of every generated resource	`string`	`"lw-al-ps"`	no
project_id	A project ID different from the default defined inside the provider	`string`	`""`	no
pubsub_subscription_labels	Set of labels which will be added to the subscription	`map(string)`	`{}`	no
pubsub_topic_labels	Set of labels which will be added to the topic	`map(string)`	`{}`	no
required_apis	n/a	`map(any)`	{ "iam": "iam.googleapis.com", "pubsub": "pubsub.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com", "serviceusage": "serviceusage.googleapis.com" }	no
service_account_name	The Service Account name (required when use_existing_service_account is set to true)	`string`	`""`	no
service_account_private_key	The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true)	`string`	`""`	no
skip_create_lacework_integration	Set this to true to skip creating the LW integration during GCPv1 to GCPv2 migration	`bool`	`false`	no
use_existing_service_account	Set this to true to use an existing Service Account	`bool`	`false`	no
wait_time	Amount of time to wait before the next resource is provisioned.	`string`	`"10s"`	no

Outputs

Name	Description
lacework_integration_guid	GUID of the created Lacework integration
pubsub_subscription_name	The PubSub subscription name
pubsub_topic_name	The PubSub topic name
service_account_name	The Service Account name
service_account_private_key	The private key in JSON format, base64 encoded
sink_name	The sink name

Name		Name	Last commit message	Last commit date
Latest commit History 40 Commits
.github		.github
examples		examples
scripts		scripts
.gitignore		.gitignore
.terraform-docs.yml		.terraform-docs.yml
CHANGELOG.md		CHANGELOG.md
CONTRIBUTING.md		CONTRIBUTING.md
DEVELOPER_GUIDELINES.md		DEVELOPER_GUIDELINES.md
GNUmakefile		GNUmakefile
LICENSE		LICENSE
README.md		README.md
RELEASE_NOTES.md		RELEASE_NOTES.md
VERSION		VERSION
main.tf		main.tf
output.tf		output.tf
variables.tf		variables.tf
versions.tf		versions.tf

License

lacework/terraform-gcp-pub-sub-audit-log

Folders and files

Latest commit

History

Repository files navigation

terraform-gcp-pub-sub-audit-log

Required Roles

Required APIs

Requirements

Providers

Modules

Resources

Inputs

Outputs

About

Resources

License

Stars

Watchers

Forks

Languages