lacework/terraform-azure-dspm

Terraform Azure DSPM Module

Terraform module for integrating Azure Data Security Posture Management (DSPM) with Lacework.

This module creates the necessary Azure resources for DSPM scanning, including:

  • Lacework cloud account integration
  • Azure Key Vault for credentials
  • Service principal for authentication
  • Storage account for DSPM data
  • Container App Job for scheduled scanning
  • Required RBAC role assignments

Creating a Service Principal to Deploy DSPM

We suggest creating a new Azure service principal dedicated to deploying DSPM, so that the permissions used for deployment are scoped to this module and can be rotated or revoked without affecting other automation. Please refer to the service_principal directory for more information.

Usage Examples
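A complete root module that calls this module, as an added example (not code from the repository): every input name and default is taken from the Inputs table below; the git source URL, the region names, the tenant and subscription GUIDs and the extra environment variable are assumptions or constructed placeholders.

```hcl
terraform {
  required_version = ">= 1.9"

  required_providers {
    azurerm  = { source = "hashicorp/azurerm", version = ">= 3.80" }
    lacework = { source = "lacework/lacework", version = "~> 2.2" }
    time     = { source = "hashicorp/time", version = ">= 0.9" }
  }
}

# Authenticate as the dedicated DSPM deployment service principal through the
# provider's ARM_CLIENT_ID / ARM_CLIENT_SECRET / ARM_TENANT_ID /
# ARM_SUBSCRIPTION_ID environment variables instead of hard-coding secrets here.
provider "azurerm" {
  features {}
}

# With no arguments the provider reads the default Lacework CLI profile, which is
# also where the module takes lacework_hostname from when it is left empty.
provider "lacework" {}

module "azure_dspm" {
  # Assumption: git source for this repository; pin a release with ?ref=<tag>.
  source = "github.com/lacework/terraform-azure-dspm"

  # Required inputs: one scanner job is deployed per region listed.
  integration_level = "TENANT"
  regions           = ["eastus", "westeurope"] # assumed regions

  # Shared resources land in the first region unless global_region says otherwise.
  global_region = "eastus"

  # Tenant-level integration: choose which subscription hosts the scanner
  # resources. Placeholder GUIDs, constructed for this example.
  tenant_id                = "11111111-1111-1111-1111-111111111111"
  scanning_subscription_id = "22222222-2222-2222-2222-222222222222"

  # Mutable "latest" is the module default; pin an explicit tag or digest so a
  # scanner update only reaches the tenant through terraform plan/apply.
  # Left at the default here because no other tag is documented.
  scanner_image = "lacework/dspm-scanner:latest"

  resource_prefix = "forticnapp"
  rg_name         = "dspm-rg"

  # Non-secret settings only; credentials live in the Key Vault the module creates.
  additional_environment_variables = [
    { name = "SCAN_ENV", value = "prod" } # hypothetical variable, not one the scanner is documented to read
  ]

  tags = {
    ManagedBy = "terraform"
    Owner     = "security-engineering" # example value
  }
}

# Surface the identifiers an operator needs to verify the deployment.
output "dspm_principal_id" {
  value = module.azure_dspm.dspm_principal_id
}

output "scanner_job_ids" {
  value = module.azure_dspm.scanner_job_ids
}

output "key_vault_uri" {
  value = module.azure_dspm.key_vault_uri
}
```

Run `terraform init` and `terraform plan` as the dedicated deployment principal and review the role assignments the plan creates before applying. After apply, `terraform output dspm_principal_id` gives the scanner identity whose effective permissions you can audit with `az role assignment list --assignee <principal-id>`. For a subscription-level integration set `integration_level = "SUBSCRIPTION"` and leave `scanning_subscription_id` empty to use the subscription currently selected by Azure Resource Manager.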

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.9 |
| azurerm | >= 3.80 |
| lacework | ~> 2.2 |
| time | >= 0.9 |

Providers

| Name | Version |
|---|---|
| azuread | n/a |
| azurerm | >= 3.80 |
| lacework | ~> 2.2 |
| random | n/a |
| time | >= 0.9 |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| additional_environment_variables | Optional list of additional environment variables passed to the scanner task. | `list(object({ name = string, value = string }))` | `[]` | no |
| global_region | Region for global (shared) resources. Defaults to the first region in `var.regions`. | `string` | `""` | no |
| integration_level | Whether the integration is made at subscription or tenant level. Valid values are `SUBSCRIPTION` or `TENANT`. | `string` | n/a | yes |
| lacework_hostname | Hostname of the Lacework account (e.g. my-tenant.lacework.net). If not provided, the URL associated with the default Lacework CLI profile is used. | `string` | `""` | no |
| lacework_integration_name | Name of the Lacework cloud account integration. | `string` | `"azure-dspm"` | no |
| owner_id | Owner for the service account created. Azure recommends having one. | `string` | `""` | no |
| regions | List of Azure regions where DSPM scanners are deployed. | `list(string)` | n/a | yes |
| resource_prefix | Prefix for resource names. | `string` | `"forticnapp"` | no |
| rg_name | Name suffix for the Azure resource group that will contain all DSPM resources. | `string` | `"dspm-rg"` | no |
| scanner_image | Docker image for the DSPM scanner. | `string` | `"lacework/dspm-scanner:latest"` | no |
| scanning_subscription_id | Subscription ID where FortiCNAPP DSPM is deployed. Leave blank to use the subscription currently selected by Azure Resource Manager (shown by `az account show`). | `string` | `""` | no |
| tags | Set of tags added to the resources managed by the module. | `map(string)` | `{ "ManagedBy": "terraform" }` | no |
| tenant_id | Tenant ID where DSPM is deployed. | `string` | `""` | no |

Outputs

| Name | Description |
|---|---|
| dspm_client_id | Client ID of the scanner's managed identity. |
| dspm_identity_id | Fully qualified resource ID of the scanner's managed identity. |
| dspm_identity_resource_id | The resource ID of the DSPM identity. |
| dspm_principal_id | Principal ID (GUID) of the scanner's managed identity. |
| key_vault_id | The ID of the Key Vault storing DSPM secrets. |
| key_vault_secret_name | The name of the secret in Key Vault containing Lacework credentials. |
| key_vault_uri | The URI of the Key Vault storing DSPM secrets. |
| lacework_hostname | Lacework hostname for the integration (e.g. my-tenant.lacework.net). |
| lacework_integration_id | The ID of the Lacework integration. |
| lacework_integration_name | The name of the integration. |
| resource_group_id | ID of the resource group hosting the DSPM scanner. |
| resource_group_name | Name of the resource group hosting the DSPM scanner. |
| scanner_job_ids | Map of region to scanner job ID. |
| scanning_subscription_id | The subscription where scanning resources are deployed in tenant-level integrations. |
| storage_account_name | The blob storage account for DSPM data. |
| suffix | Suffix used to add uniqueness to resource names. |
