feat: add Azure Agentless support in generate command (#1741)

* feat: add azure Agentless support in generate command (cli)

Author: lokesh-vadlamudi

cli/cmd/generate_azure.go

@@ -39,10 +39,11 @@ func TestMissingValidEntity(t *testing.T) {
 	data := azure.GenerateAzureTfConfigurationArgs{}
 	data.Config = false
 	data.ActivityLog = false
+	data.Agentless = false
 
 	err := promptAzureGenerate(&data, &AzureGenerateCommandExtraState{Output: "/tmp"})
 	assert.Error(t, err)
-	assert.Equal(t, "must enable at least one of: Configuration or Activity Log integration", err.Error())
+	assert.Equal(t, "must enable at least one of: Configuration, Agentless or Activity Log integrations", err.Error())
 }
 
 func TestValidStorageLocations(t *testing.T) {

cli/cmd/generate_azure_test.go

@@ -40,20 +40,26 @@ lacework generate cloud-account azure [flags]
       --ad_id string                                    existing active directory application id
       --ad_pass string                                  existing active directory application password
       --ad_pid string                                   existing active directory application service principle id
+      --agentless                                       enable agentless integration
+      --agentless_subscription_ids strings              comma-separated list of subscription IDs for Agentless scanning (e.g., 'sub1,sub2,sub3')
       --all_subscriptions subscription ids              grant read access to ALL subscriptions within Tenant (overrides subscription ids)
       --apply                                           run terraform apply for the generated hcl
       --configuration                                   enable configuration integration
       --configuration_name string                       specify a custom configuration integration name
+      --create_log_analytics_workspace                  enable creation of Log Analytics Workspace for agentless scanning
       --entra_id_activity_log                           enable Entra ID activity log integration
       --entra_id_activity_log_integration_name string   specify a custom Entra ID activity log integration name
       --event_hub_location string                       specify the location where the Event Hub for logging will reside
       --event_hub_partition_count int                   specify the number of partitions for the Event Hub (default 1)
       --existing_storage                                use existing storage account
+      --global                                          enable global agentless scanning
   -h, --help                                            help for azure
+      --integration_level string                        specify the agentless integration level (e.g., 'SUBSCRIPTION', 'TENANT')
       --location string                                 specify azure region where storage account logging resides
       --management_group                                management group level integration
       --management_group_id string                      specify management group id. Required if mgmt_group provided
       --output string                                   location to write generated content (default is ~/lacework/azure)
+      --regions strings                                 comma-separated list of Azure regions for agentless scanning (e.g., 'East US,West US')
       --storage_account_name string                     specify storage account name
       --storage_resource_group string                   specify storage resource group
       --subscription_id string                          specify the Azure Subscription ID to be used to provision Lacework resources

cli/docs/lacework_generate_cloud-account_azure.md

@@ -491,7 +491,7 @@ func TestMain(m *testing.M) {
 func terraformInstall() {
 	installer := &releases.ExactVersion{
 		Product: product.Terraform,
-		Version: version.Must(version.NewVersion("1.5.0")),
+		Version: version.Must(version.NewVersion("1.9.0")),
 	}
 
 	_execPath, err := installer.Install(context.Background())

integration/azure_generation_test.go

@@ -27,20 +27,26 @@ Flags:
       --ad_id string                                    existing active directory application id
       --ad_pass string                                  existing active directory application password
       --ad_pid string                                   existing active directory application service principle id
+      --agentless                                       enable agentless integration
+      --agentless_subscription_ids strings              comma-separated list of subscription IDs for Agentless scanning (e.g., 'sub1,sub2,sub3')
       --all_subscriptions subscription ids              grant read access to ALL subscriptions within Tenant (overrides subscription ids)
       --apply                                           run terraform apply for the generated hcl
       --configuration                                   enable configuration integration
       --configuration_name string                       specify a custom configuration integration name
+      --create_log_analytics_workspace                  enable creation of Log Analytics Workspace for agentless scanning
       --entra_id_activity_log                           enable Entra ID activity log integration
       --entra_id_activity_log_integration_name string   specify a custom Entra ID activity log integration name
       --event_hub_location string                       specify the location where the Event Hub for logging will reside
       --event_hub_partition_count int                   specify the number of partitions for the Event Hub (default 1)
       --existing_storage                                use existing storage account
+      --global                                          enable global agentless scanning
   -h, --help                                            help for azure
+      --integration_level string                        specify the agentless integration level (e.g., 'SUBSCRIPTION', 'TENANT')
       --location string                                 specify azure region where storage account logging resides
       --management_group                                management group level integration
       --management_group_id string                      specify management group id. Required if mgmt_group provided
       --output string                                   location to write generated content (default is ~/lacework/azure)
+      --regions strings                                 comma-separated list of Azure regions for agentless scanning (e.g., 'East US,West US')
       --storage_account_name string                     specify storage account name
       --storage_resource_group string                   specify storage resource group
       --subscription_id string                          specify the Azure Subscription ID to be used to provision Lacework resources

integration/framework_test.go

@@ -2,6 +2,9 @@
 package azure
 
 import (
+	"fmt"
+	"strings"
+
 	"github.com/hashicorp/hcl/v2/hclwrite"
 	"github.com/lacework/go-sdk/v2/lwgenerate"
 	"github.com/pkg/errors"
@@ -14,6 +17,9 @@ type GenerateAzureTfConfigurationArgs struct {
 	// Should we add Config integration in LW?
 	Config bool
 
+	// Should we add Agentless integration in LW?
+	Agentless bool
+
 	// Should we create an Entra ID integration in LW?
 	EntraIdActivityLog bool
 
@@ -88,23 +94,40 @@ type GenerateAzureTfConfigurationArgs struct {
 
 	// Custom outputs
 	CustomOutputs []lwgenerate.HclOutput
+
+	// Integration level for agentless scanning (e.g., "SUBSCRIPTION", "TENANT")
+	IntegrationLevel string
+
+	// Should agentless scanning be global?
+	Global bool
+
+	// Should we create a Log Analytics Workspace for agentless scanning?
+	CreateLogAnalyticsWorkspace bool
+
+	// List of regions to deploy for agentless scanning
+	Regions []string
+
+	// List of subscription IDs for agentless scanning
+	AgentlessSubscriptionIds []string
 }
 
 // Ensure all combinations of inputs are valid for supported spec
 func (args *GenerateAzureTfConfigurationArgs) validate() error {
-	// Validate one of config or activity log was enabled; otherwise error out
-	if !args.ActivityLog && !args.Config && !args.EntraIdActivityLog {
-		return errors.New("audit log or config integration must be enabled")
+	// Validate one of config, agentless or activity log was enabled; otherwise error out
+	if !args.ActivityLog && !args.Agentless && !args.Config && !args.EntraIdActivityLog {
+		return errors.New("audit log, agentless or config integration must be enabled")
 	}
 
-	if (args.ActivityLog || args.Config || args.EntraIdActivityLog) && args.SubscriptionID == "" {
+	if (args.ActivityLog || args.Agentless || args.Config || args.EntraIdActivityLog) && args.SubscriptionID == "" {
 		return errors.New("subscription_id must be provided")
 	}
 
 	// Validate that active directory settings are correct
-	if !args.CreateAdIntegration && (args.AdApplicationId == "" ||
-		args.AdServicePrincipalId == "" || args.AdApplicationPassword == "") {
-		return errors.New("Active directory details must be set")
+	if !args.CreateAdIntegration && (args.Config || args.ActivityLog || args.EntraIdActivityLog) {
+		if args.AdApplicationId == "" ||
+			args.AdServicePrincipalId == "" || args.AdApplicationPassword == "" {
+			return errors.New("Active directory details must be set")
+		}
 	}
 
 	// Validate the Mangement Group
@@ -117,6 +140,16 @@ func (args *GenerateAzureTfConfigurationArgs) validate() error {
 		return errors.New("When using existing storage account, storage account details must be configured")
 	}
 
+	// Validate Agentless Scanning
+	if args.Agentless {
+		if args.IntegrationLevel == "" {
+			return errors.New("integration_level must be set for Agentless Integration")
+		}
+		if args.IntegrationLevel == "SUBSCRIPTION" && len(args.AgentlessSubscriptionIds) == 0 {
+			return errors.New("subscription_ids must be provided for Agentless Integration with SUBSCRIPTION integration level")
+		}
+	}
+
 	return nil
 }
 
@@ -127,12 +160,13 @@ type AzureTerraformModifier func(c *GenerateAzureTfConfigurationArgs)
 //
 // Note: Additional configuration details may be set using modifiers of the AzureTerraformModifier type
 func NewTerraform(
-	enableConfig bool, enableActivityLog bool, enableEntraIdActivityLog, createAdIntegration bool,
+	enableConfig bool, enableActivityLog bool, enableAgentless bool, enableEntraIdActivityLog, createAdIntegration bool,
 	mods ...AzureTerraformModifier,
 ) *GenerateAzureTfConfigurationArgs {
 	config := &GenerateAzureTfConfigurationArgs{
 		ActivityLog:         enableActivityLog,
 		Config:              enableConfig,
+		Agentless:           enableAgentless,
 		EntraIdActivityLog:  enableEntraIdActivityLog,
 		CreateAdIntegration: createAdIntegration,
 	}
@@ -245,6 +279,19 @@ func WithSubscriptionIds(subscriptionIds []string) AzureTerraformModifier {
 	}
 }
 
+// WithAgentlessSubscriptionIds List of subscriptions for agentless scanning.
+func WithAgentlessSubscriptionIds(agentlessSubscriptionIds []string) AzureTerraformModifier {
+	return func(c *GenerateAzureTfConfigurationArgs) {
+		c.AgentlessSubscriptionIds = agentlessSubscriptionIds
+	}
+}
+
+func WithRegions(regions []string) AzureTerraformModifier {
+	return func(c *GenerateAzureTfConfigurationArgs) {
+		c.Regions = regions
+	}
+}
+
 // WithAllSubscriptions Grant read access to ALL subscriptions within
 // the selected Tenant (overrides 'subscription_ids')
 func WithAllSubscriptions(allSubscriptions bool) AzureTerraformModifier {
@@ -307,6 +354,27 @@ func WithSubscriptionID(subcriptionID string) AzureTerraformModifier {
 	}
 }
 
+// WithGlobal sets the Global field for agentless scanning
+func WithGlobal(global bool) AzureTerraformModifier {
+	return func(c *GenerateAzureTfConfigurationArgs) {
+		c.Global = global
+	}
+}
+
+// WithCreateLogAnalyticsWorkspace sets the CreateLogAnalyticsWorkspace field for agentless scanning
+func WithCreateLogAnalyticsWorkspace(create bool) AzureTerraformModifier {
+	return func(c *GenerateAzureTfConfigurationArgs) {
+		c.CreateLogAnalyticsWorkspace = create
+	}
+}
+
+// WithIntegrationLevel sets the IntegrationLevel field for agentless scanning
+func WithIntegrationLevel(level string) AzureTerraformModifier {
+	return func(c *GenerateAzureTfConfigurationArgs) {
+		c.IntegrationLevel = level
+	}
+}
+
 // Generate new Terraform code based on the supplied args.
 func (args *GenerateAzureTfConfigurationArgs) Generate() (string, error) {
 	// Validate inputs
@@ -350,6 +418,11 @@ func (args *GenerateAzureTfConfigurationArgs) Generate() (string, error) {
 		return "", errors.Wrap(err, "failed to generate azure activity log module")
 	}
 
+	agentlessLogModule, err := createAgentless(args)
+	if err != nil {
+		return "", errors.Wrap(err, "failed to generate azure agentless module")
+	}
+
 	entraIdActivityLogModule, err := createEntraIdActivityLog(args)
 	if err != nil {
 		return "", errors.Wrap(err, "failed to generate azure Entra ID activity log module")
@@ -374,6 +447,7 @@ func (args *GenerateAzureTfConfigurationArgs) Generate() (string, error) {
 			laceworkADProvider,
 			configModule,
 			activityLogModule,
+			agentlessLogModule,
 			entraIdActivityLogModule,
 			outputBlocks,
 			args.ExtraBlocks),
@@ -622,6 +696,82 @@ func createActivityLog(args *GenerateAzureTfConfigurationArgs) ([]*hclwrite.Bloc
 	return blocks, nil
 }
 
+func createAgentless(args *GenerateAzureTfConfigurationArgs) ([]*hclwrite.Block, error) {
+	blocks := []*hclwrite.Block{}
+
+	if !args.Agentless {
+		return blocks, nil
+	}
+
+	// Helper function to format region names for module naming
+	formatRegionForModuleName := func(region string) string {
+		return strings.ToLower(strings.ReplaceAll(region, " ", "_"))
+	}
+
+	// Determine regions to process
+	regions := args.Regions
+	if len(regions) == 0 {
+		regions = []string{"West US"} // Default to West US if no regions specified
+	}
+
+	isTenant := strings.EqualFold(args.IntegrationLevel, "TENANT")
+	isSubscription := strings.EqualFold(args.IntegrationLevel, "SUBSCRIPTION")
+
+	var firstModuleName string
+	for i, region := range regions {
+		isFirstRegion := (i == 0)
+
+		// Build module name
+		var moduleName string
+		if isTenant {
+			moduleName = fmt.Sprintf("lacework_azure_agentless_scanning_tenant_%s", formatRegionForModuleName(region))
+		} else {
+			moduleName = fmt.Sprintf("lacework_azure_agentless_scanning_subscription_%s", formatRegionForModuleName(region))
+		}
+
+		// Build attributes
+		attrs := map[string]interface{}{
+			"integration_level":              args.IntegrationLevel,
+			"region":                         region,
+			"global":                         args.Global && isFirstRegion,
+			"create_log_analytics_workspace": args.CreateLogAnalyticsWorkspace,
+		}
+
+		// set the first module name for global reference
+		if isFirstRegion {
+			firstModuleName = moduleName
+		} else {
+			attrs["global_module_reference"] = lwgenerate.CreateSimpleTraversal([]string{"module", firstModuleName})
+		}
+
+		if args.SubscriptionID != "" {
+			attrs["scanning_subscription_id"] = args.SubscriptionID
+		}
+		if isSubscription && isFirstRegion && len(args.AgentlessSubscriptionIds) > 0 {
+			subs := make([]string, len(args.AgentlessSubscriptionIds))
+			for j, id := range args.AgentlessSubscriptionIds {
+				subs[j] = fmt.Sprintf("/subscriptions/%s", id)
+			}
+			attrs["included_subscriptions"] = subs
+		}
+
+		// Create module details
+		moduleDetails := []lwgenerate.HclModuleModifier{
+			lwgenerate.HclModuleWithAttributes(attrs),
+		}
+		block, err := lwgenerate.NewModule(
+			moduleName,
+			lwgenerate.LWAzureAgentlessSource,
+			append(moduleDetails, lwgenerate.HclModuleWithVersion(lwgenerate.LWAzureAgentlessVersion))...,
+		).ToBlock()
+		if err != nil {
+			return nil, err
+		}
+		blocks = append(blocks, block)
+	}
+	return blocks, nil
+}
+
 func createEntraIdActivityLog(args *GenerateAzureTfConfigurationArgs) ([]*hclwrite.Block, error) {
 	blocks := []*hclwrite.Block{}
 	if args.EntraIdActivityLog {