A Terraform module that configures a Lacework integration with AWS for CloudTrail analysis in organizations using AWS Control Tower (consolidated CloudTrail logs in the Log Archive account, notifications from the Audit account).

| Name | Version |
|---|---|
| terraform | >= 0.15.1 |
| aws | >= 3.0 |
| lacework | ~> 2.0 |
| random | >= 2.1 |
| time | ~> 0.6 |

| Name | Version |
|---|---|
| aws.audit | >= 3.0 |
| aws.log_archive | >= 3.0 |
| lacework | ~> 2.0 |
| random | >= 2.1 |
| time | ~> 0.6 |

| Name | Source | Version |
|---|---|---|
| lacework_ct_iam_role | lacework/iam-role/aws | ~> 0.4 |

| Name | Type |
|---|---|
| aws_iam_policy.cross_account_policy | resource |
| aws_iam_role_policy_attachment.lacework_cross_account_iam_role_policy | resource |
| aws_sns_topic_subscription.lacework_sns_topic_sub | resource |
| aws_sqs_queue.lacework_cloudtrail_sqs_queue | resource |
| aws_sqs_queue_policy.lacework_sqs_queue_policy | resource |
| lacework_integration_aws_ct.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| aws_iam_policy_document.cross_account_policy | data source |
| aws_iam_policy_document.kms_decrypt | data source |
| aws_iam_policy_document.read_logs | data source |
| aws_organizations_organization.main | data source |
| lacework_metric_module.lwmetrics | data source |

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| cross_account_policy_name | n/a | string | "" | no |
| enable_log_file_validation | Specifies whether CloudTrail log file integrity validation is enabled | bool | false | no |
| external_id_length | Deprecated - Will be removed on our next major release v1.0.0 | number | 16 | no |
| iam_role_arn | The IAM role ARN; required when use_existing_iam_role is set to true | string | "" | no |
| iam_role_external_id | The external ID configured inside the IAM role; required when use_existing_iam_role is set to true | string | "" | no |
| iam_role_name | The IAM role name. Must match iam_role_arn if use_existing_iam_role is set to true | string | "" | no |
| kms_key_arn | The KMS key ARN, if Control Tower was deployed with a custom KMS key | string | "" | no |
| lacework_aws_account_id | The Lacework AWS account that the IAM role will grant access to | string | "434813966438" | no |
| lacework_integration_name | The name of the integration in Lacework | string | "TF cloudtrail" | no |
| org_account_mappings | Mapping of AWS accounts to Lacework accounts within a Lacework organization | list(object({ | [] | no |
| prefix | The prefix that will be used at the beginning of every generated resource name | string | "lacework-ct" | no |
| s3_bucket_arn | The ARN of the S3 bucket for consolidated CloudTrail logging. Usually of the form arn:aws:s3:::aws-controltower-logs-<log_archive_account_id>-<control_tower_region> | string | n/a | yes |
| sns_topic_arn | The SNS topic ARN. Usually of the form arn:aws:sns::<aws_audit_account_id>:aws-controltower-AllConfigNotifications | string | n/a | yes |
| sqs_queue_name | The SQS queue name | string | "" | no |
| tags | A map/dictionary of tags to be assigned to created resources | map(string) | {} | no |
| use_existing_iam_role | Set this to true to use an existing IAM role from the log_archive AWS account | bool | false | no |
| wait_time | Amount of time to wait before the next resource is provisioned | string | "10s" | no |

| Name | Description |
|---|---|
| external_id | The External ID configured into the IAM role |
| iam_role_arn | The IAM Role ARN |
| iam_role_name | The IAM Role name |
| lacework_integration_guid | Lacework CloudTrail Integration GUID |
| sns_arn | SNS Topic ARN |
| sqs_arn | SQS Queue ARN |
| sqs_name | SQS Queue name |
| sqs_url | SQS Queue URL |
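An added usage example, not part of the module's own README, showing how the two required inputs and the aws.audit / aws.log_archive provider aliases from the tables above fit together in a root module. The module source path, the account IDs and the assumed-role names are placeholders; the Lacework provider is assumed to pick up its credentials from the CLI profile or environment.

```hcl
# Added example (not the module's own code). Placeholders: <module-source>,
# account IDs 111111111111 (Audit) and 222222222222 (Log Archive), role names.

# Lacework API credentials come from the CLI profile / environment (assumption).
provider "lacework" {}

# The Audit account owns the aws-controltower-AllConfigNotifications SNS topic.
provider "aws" {
  alias  = "audit"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::111111111111:role/AWSControlTowerExecution" # placeholder
  }
}

# The Log Archive account owns the consolidated CloudTrail bucket; the module
# creates the cross-account IAM role and SQS queue there.
provider "aws" {
  alias  = "log_archive"
  region = "us-east-1"
  assume_role {
    role_arn = "arn:aws:iam::222222222222:role/AWSControlTowerExecution" # placeholder
  }
}

module "lacework_ct_control_tower" {
  source = "<module-source>" # placeholder: registry or git source of this module

  # Both aliases are required by the module (see the Providers table).
  providers = {
    aws.audit       = aws.audit
    aws.log_archive = aws.log_archive
  }

  # Required inputs, following the ARN shapes given in the Inputs table.
  s3_bucket_arn = "arn:aws:s3:::aws-controltower-logs-222222222222-us-east-1"
  sns_topic_arn = "arn:aws:sns:us-east-1:111111111111:aws-controltower-AllConfigNotifications"

  # Optional: have Lacework verify CloudTrail log file integrity.
  enable_log_file_validation = true

  # Only set this when Control Tower was deployed with a customer-managed KMS key;
  # the module then grants the role kms:Decrypt on it (see the kms_decrypt policy document).
  # kms_key_arn = "arn:aws:kms:us-east-1:222222222222:key/<key-id>" # placeholder

  tags = { owner = "security" }
}

# The external ID is a shared secret between Lacework and the IAM role's trust policy.
output "lacework_ct_external_id" {
  value     = module.lacework_ct_control_tower.external_id
  sensitive = true
}
```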
