Skip to main content

lacework cloud-account iac-generate gcp

Generate and/or execute Terraform code for GCP integration


Use this command to generate Terraform code for deploying Lacework into an GCP environment.

By default, this command interactively prompts for the required information to setup the new cloud account. In interactive mode, this command will:

  • Prompt for the required information to setup the integration
  • Generate new Terraform code using the inputs
  • Optionally, run the generated Terraform code:
    • If Terraform is already installed, the version is verified as compatible for use
    • If Terraform is not installed, or the version installed is not compatible, a new version will be installed into a temporary location
    • Once Terraform is detected or installed, Terraform plan will be executed
    • The command will prompt with the outcome of the plan and allow to view more details or continue with Terraform apply
    • If confirmed, Terraform apply will be run, completing the setup of the cloud account

This command can also be run in noninteractive mode. See help output for more details on the parameter value(s) required for Terraform code generation.

lacework cloud-account iac-generate gcp [flags]


      --apply                                         run terraform apply without executing plan or prompting
--audit_log enable audit log integration
--audit_log_integration_name string specify a custom audit log integration name
--bucket_lifecycle_rule_age int specify the lifecycle rule age (default -1)
--bucket_location string specify bucket location
--bucket_name string specify new bucket name
--bucket_region string specify bucket region
--bucket_retention_days int specify the bucket retention days
--configuration enable configuration integration
--configuration_integration_name string specify a custom configuration integration name
--enable_force_destroy_bucket enable force bucket destroy
--enable_ubla enable universal bucket level access(ubla)
--existing_bucket_name string specify existing bucket name
--existing_service_account_name string specify existing service account name
--existing_service_account_private_key string specify existing service account private key (base64 encoded)
--existing_sink_name string specify existing sink name
-h, --help help for gcp
--organization_id string specify the organization id (only set if organization_integration is set)
--organization_integration enable organization integration
--output string location to write generated content (default is ~/lacework/gcp)
--project_id string specify the project id to be used to provision lacework resources (required)
--service_account_credentials string specify service account credentials JSON file path (leave blank to make use of google credential ENV vars)

Options inherited from parent commands

  -a, --account string      account subdomain of URL (i.e. <ACCOUNT>
-k, --api_key string access key id
-s, --api_secret string secret access key
--api_token string access token (replaces the use of api_key and api_secret)
--debug turn on debug logging
--json switch commands output from human-readable to json format
--nocache turn off caching
--nocolor turn off colors
--noninteractive turn off interactive mode (disable spinners, prompts, etc.)
--organization access organization level data sets (org admins only)
-p, --profile string switch between profiles configured at ~/.lacework.toml
--subaccount string sub-account name inside your organization (org admins only)