Terraform module for configuring an integration with Lacework and AWS for CloudTrail analysis.
## Requirements

Name | Version |
---|---|
terraform | >= 0.14 |
aws | >= 4.0 |
lacework | ~> 2.0 |
random | >= 2.1 |
time | ~> 0.6 |
## Providers

Name | Version |
---|---|
aws | >= 4.0 |
lacework | ~> 2.0 |
random | >= 2.1 |
time | ~> 0.6 |
## Modules

Name | Source | Version |
---|---|---|
lacework_ct_iam_role | lacework/iam-role/aws | ~> 0.4 |
## Inputs

Name | Description | Type | Default | Required |
---|---|---|---|---|
access_log_prefix | Optional value to specify a key prefix for access log objects in the logging S3 bucket | string | "log/" | no |
bucket_arn | The S3 bucket ARN. Required when setting use_existing_cloudtrail to true | string | "" | no |
bucket_enable_mfa_delete | Set this to true to require MFA for object deletion (requires versioning) | bool | false | no |
bucket_encryption_enabled | Set this to true to enable encryption on a created S3 bucket | bool | true | no |
bucket_force_destroy | Force destroy bucket (when false, a non-empty bucket will NOT be destroyed) | bool | true | no |
bucket_logs_enabled | Set this to true to enable access logging on a created S3 bucket | bool | true | no |
bucket_name | Optional value to specify the name for a newly created S3 bucket. Not required when use_existing_cloudtrail is true | string | "" | no |
bucket_sse_algorithm | The encryption algorithm to use for S3 bucket server-side encryption | string | "aws:kms" | no |
bucket_sse_key_arn | The ARN of the KMS encryption key to be used for S3 (required when bucket_sse_algorithm is aws:kms and using an existing aws_kms_key) | string | "" | no |
bucket_versioning_enabled | Set this to true to enable versioning on a created S3 bucket | bool | true | no |
cloudtrail_name | The name of the CloudTrail. Required when setting use_existing_cloudtrail to true | string | "lacework-cloudtrail" | no |
consolidated_trail | Set this to true to configure a consolidated CloudTrail | bool | false | no |
create_lacework_integration | Set this to false if you don't want the module to automatically create a corresponding Lacework integration | bool | true | no |
cross_account_cloudtrail_arn | If using an existing CloudTrail in another account, provide its ARN here | string | null | no |
cross_account_policy_name | n/a | string | "" | no |
enable_cloudtrail_s3_management_events | Enable CloudTrail object-level logging | bool | false | no |
enable_log_file_validation | Specifies whether CloudTrail log file integrity validation is enabled | bool | true | no |
external_id_length | Deprecated - will be removed in our next major release v3.0.0 | number | 16 | no |
iam_role_arn | The IAM role ARN. Required when setting use_existing_iam_role to true | string | "" | no |
iam_role_external_id | The external ID configured inside the IAM role. Required when setting use_existing_iam_role to true | string | "" | no |
iam_role_name | The IAM role name. Required to match iam_role_arn if use_existing_iam_role is set to true | string | "" | no |
is_organization_trail | Whether the trail is an AWS Organizations trail. Organization trails log events for the master account and all member accounts. Can only be created in the organization master account | bool | false | no |
kms_key_deletion_days | The KMS key deletion waiting period, specified in number of days | number | 30 | no |
kms_key_multi_region | Whether the KMS key is a multi-region or regional key | bool | true | no |
kms_key_rotation | Enable KMS automatic key rotation | bool | false | no |
lacework_aws_account_id | The Lacework AWS account that the IAM role will grant access to | string | "434813966438" | no |
lacework_integration_name | The name of the integration in Lacework | string | "TF cloudtrail" | no |
log_bucket_name | Name of the S3 bucket for access logs. Required when setting use_existing_access_log_bucket to true | string | "" | no |
org_account_mappings | Mapping of AWS accounts to Lacework accounts within a Lacework organization | list(object({ | [] | no |
permission_boundary_arn | Optional - ARN of the policy that is used to set the permissions boundary for the role | string | null | no |
prefix | The prefix that will be used at the beginning of every generated resource name | string | "lacework-ct" | no |
s3_notification_log_prefix | The object prefix for which to create S3 notifications | string | "AWSLogs/" | no |
s3_notification_type | The destination type that should be used for S3 notifications: SNS or SQS. Defaults to SQS | string | "SQS" | no |
sns_topic_arn | The SNS topic ARN | string | "" | no |
sns_topic_encryption_enabled | Set this to false to disable encryption on an SNS topic. Defaults to true | bool | true | no |
sns_topic_encryption_key_arn | The ARN of an existing KMS encryption key to be used for SNS | string | "" | no |
sns_topic_name | The SNS topic name | string | "" | no |
sqs_encryption_enabled | Set this to true to enable server-side encryption on SQS | bool | true | no |
sqs_encryption_key_arn | The ARN of the KMS encryption key to be used for SQS (required when sqs_encryption_enabled is true) | string | "" | no |
sqs_queue_name | The SQS queue name | string | "" | no |
sqs_queues | List of SQS queues to configure in the Lacework cross-account policy | list(string) | [] | no |
tags | A map/dictionary of tags to be assigned to created resources | map(string) | {} | no |
use_existing_access_log_bucket | Set this to true to use an existing bucket for access logging. Default behavior creates a new access log bucket if logging is enabled | bool | false | no |
use_existing_cloudtrail | Set this to true to use an existing CloudTrail. Default behavior creates a new CloudTrail | bool | false | no |
use_existing_iam_role | Set this to true to use an existing IAM role | bool | false | no |
use_existing_iam_role_policy | Set this to true to use an existing policy on the IAM role, rather than attaching a new one | bool | false | no |
use_existing_kms_key | Set this to true to use an existing KMS key | bool | false | no |
use_existing_sns_topic | Set this to true to use an existing SNS topic. Default behavior creates a new SNS topic | bool | false | no |
use_s3_bucket_notification | Set this to true to use S3 bucket notifications instead of CloudTrail. When set to false, CloudTrail will be used. Defaults to false | bool | false | no |
wait_time | Amount of time to wait before the next resource is provisioned | string | "10s" | no |
## Outputs

Name | Description |
---|---|
bucket_arn | S3 Bucket ARN |
bucket_name | S3 Bucket name |
bucket_sse_key_arn | The ARN of the KMS encryption key used for S3 |
external_id | The External ID configured into the IAM role |
iam_role_arn | The IAM Role ARN |
iam_role_name | The IAM Role name |
lacework_integration_guid | Lacework CloudTrail Integration GUID |
sns_arn | SNS Topic ARN |
sns_name | SNS Topic name |
sqs_arn | SQS Queue ARN |
sqs_name | SQS Queue name |
sqs_url | SQS Queue URL |
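The following is an added usage example, not code from the module's own README, showing how the inputs and outputs listed above combine in the two common cases: letting the module create a new trail with the log-integrity and bucket-hardening inputs set explicitly, and pointing the module at an existing trail and bucket. The module source address and version constraint are assumed (pin to a version you have reviewed), and every ARN, bucket name and trail name is a constructed placeholder.

```hcl
# Added example; assumes the module is consumed from the Terraform registry
# as lacework/cloudtrail/aws. Version constraint is an assumption.

# Case 1: the module creates the trail, bucket, KMS key, SQS queue and
# the Lacework integration. Defaults are restated where they matter for
# the integrity of the audit log.
module "aws_cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.0"

  prefix                    = "lacework-ct"
  lacework_integration_name = "TF cloudtrail"

  # Log integrity: digest files let you verify that delivered logs were not altered.
  enable_log_file_validation = true

  # Bucket hardening: versioning is a prerequisite for MFA delete.
  bucket_versioning_enabled = true
  bucket_enable_mfa_delete  = true
  bucket_logs_enabled       = true
  bucket_encryption_enabled = true
  bucket_sse_algorithm      = "aws:kms"

  # Default is true; false prevents a non-empty log bucket from being destroyed.
  bucket_force_destroy = false

  # KMS key created by the module for S3 and SQS encryption.
  kms_key_rotation      = true
  kms_key_deletion_days = 30

  # SQS is the default notification destination; encryption stays on.
  s3_notification_type   = "SQS"
  sqs_encryption_enabled = true

  tags = {
    owner   = "security-engineering" # constructed
    purpose = "lacework-cloudtrail"  # constructed
  }
}

# Case 2: reuse an existing trail and bucket (for example an organization
# trail) and only provision the IAM role, notifications and integration.
module "aws_cloudtrail_existing" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.0"

  prefix = "lacework-ct-existing"

  use_existing_cloudtrail = true
  cloudtrail_name         = "example-org-trail"                         # constructed
  bucket_arn              = "arn:aws:s3:::example-org-trail-logs"       # constructed
  bucket_sse_key_arn      = "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID" # constructed
  s3_notification_log_prefix = "AWSLogs/"
}

# Outputs that are useful to record for later verification of the integration.
output "lacework_ct_iam_role_arn" {
  value = module.aws_cloudtrail.iam_role_arn
}

output "lacework_ct_external_id" {
  value     = module.aws_cloudtrail.external_id
  sensitive = true
}

output "lacework_ct_integration_guid" {
  value = module.aws_cloudtrail.lacework_integration_guid
}
```

In case 2, bucket_sse_key_arn is set because the inputs table requires it when the bucket uses aws:kms with an existing key; without it the role the module creates cannot decrypt the log objects. The external ID output is marked sensitive because it is half of the trust condition on the cross-account role and should not appear in plan output.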