Agentless Workload Scanning for Google Cloud - Organization Integration (Terraform)

Overview

This article describes how to integrate your Google Cloud organization with Lacework's Agentless Workload Scanning.

Google Cloud Organization Integration

Choose which type of Google Cloud Agentless Workload Scanning integration you want to perform:

Tip: See Lacework Terraform Module for Agentless Workload Scanning on Google Cloud for all available Terraform integration options and additional deployment examples.

Option 1: Organization Integration - Single Region

In this example, we add Terraform modules to one Google Cloud region:

  • Global resources are deployed to us-east1.
    • Service Accounts/Permissions
    • Object Storage Bucket
    • Secret Manager Secret
  • Regional resources are deployed to us-east1.
    • Cloud Run Job
    • Cloud Scheduler Job
  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 1.4"

      required_providers {
        lacework = {
          source  = "lacework/lacework"
          version = "~> 1.3"
        }
      }
    }
  2. Use the example below for your main.tf file:

    # Set your Lacework profile here. With the Lacework CLI, use
    # `lacework configure list` to get a list of available profiles.
    provider "lacework" {
      profile = "lw_agentless"
    }

    provider "google" {
      alias  = "use1"
      region = "us-east1"

      # Set the project name for where the scanning resources are hosted.
      project = "agentless-lw-scanner"
    }

    module "lacework_gcp_agentless_scanning_org_single_region" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.use1
      }

      # Provide a list of Google Cloud projects and/or folders that you want to monitor here.
      # For projects, enter the project ID. Folders are prefixed with "folder/".
      # If project_filter_list is omitted, all projects and folders in the organization are scanned.
      # project_filter_list = [
      #   "monitored-project-1",
      #   "monitored-project-2",
      #   "folder/monitored-folder-1",
      #   "folder/monitored-folder-2",
      # ]

      integration_type = "ORGANIZATION"
      organization_id  = "123456789012"

      global                    = true
      regional                  = true
      lacework_integration_name = "agentless_from_terraform"
    }
  3. By default, all the projects and folders in the organization are monitored. To monitor specific projects and folders only, see How to Add or Remove Google Cloud Projects or Folders.

  4. If you are executing Terraform outside the Google Cloud Console, use the following gcloud commands prior to running Terraform:

    1. gcloud auth login

    2. gcloud auth application-default login

    3. gcloud config set project <scanning_project>

      • Replace <scanning_project> with the project that will host the scanning resources (agentless-lw-scanner in this example).
  5. Run terraform init to initialize the working directory (containing the Terraform files).

  6. Run terraform plan and review the changes that will be applied.

  7. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.

Option 2: Organization Integration - Multi Region

In this example, we add Terraform modules to two Google Cloud regions:

  • Global resources are deployed to us-east1.
    • Service Accounts/Permissions
    • Object Storage Bucket
    • Secret Manager Secret
  • Regional resources are deployed to us-east1 and us-central1.
    • Cloud Run Job
    • Cloud Scheduler Job
  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 1.4"

      required_providers {
        lacework = {
          source  = "lacework/lacework"
          version = "~> 1.3"
        }
      }
    }
  2. Use the example below for your main.tf file:

    # Set your Lacework profile here. With the Lacework CLI, use
    # `lacework configure list` to get a list of available profiles.
    provider "lacework" {
      profile = "lw_agentless"
    }

    provider "google" {
      alias  = "use1"
      region = "us-east1"

      # Set the project name for where the scanning resources are hosted.
      # This must be assigned to the `global` region.
      project = "agentless-lw-scanner"
    }

    provider "google" {
      alias  = "usc1"
      region = "us-central1"

      # Set your default project ID for this region. This isn't required for
      # the Agentless integration, but is required by the Google Provider.
      # https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#configuring-the-provider
      project = "default-project-id"
    }

    module "lacework_gcp_agentless_scanning_org_multi_region" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.use1
      }

      # Provide a list of Google Cloud projects and/or folders that you want to monitor here.
      # For projects, enter the project ID. Folders are prefixed with "folder/".
      # If project_filter_list is omitted, all projects and folders in the organization are scanned.
      # project_filter_list = [
      #   "monitored-project-1",
      #   "monitored-project-2",
      #   "folder/monitored-folder-1",
      #   "folder/monitored-folder-2",
      # ]

      integration_type = "ORGANIZATION"
      organization_id  = "123456789012"

      global                    = true
      regional                  = true
      lacework_integration_name = "agentless_from_terraform"
    }

    # Second region: only the regional resources (Cloud Run Job, Cloud Scheduler Job)
    # are deployed here; the global resources are shared via global_module_reference.
    module "lacework_gcp_agentless_scanning_org_multi_region_usc1" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.usc1
      }

      regional                = true
      global_module_reference = module.lacework_gcp_agentless_scanning_org_multi_region
    }
  3. By default, all the projects and folders in the organization are monitored. To monitor specific projects and folders only, see How to Add or Remove Google Cloud Projects or Folders.

  4. If you are executing Terraform outside the Google Cloud Console, use the following gcloud commands prior to running Terraform:

    1. gcloud auth login

    2. gcloud auth application-default login

    3. gcloud config set project <scanning_project>

      • Replace <scanning_project> with the project that will host the scanning resources (agentless-lw-scanner in this example).
  5. Run terraform init to initialize the working directory (containing the Terraform files).

  6. Run terraform plan and review the changes that will be applied.

  7. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.

Verify your Agentless Workload Scanning Integration

In the Lacework console, the status of the integration at Settings > Integrations > Cloud accounts will display as Success if all resources are installed correctly. If the periodic scanning encounters an error, the status will display the error details.

Remove an Agentless Workload Scanning Integration

Start in the Lacework console.

  1. In Settings > Integrations > Cloud accounts, find the integration that you would like to remove.
  2. Toggle the integration State to disabled, or Delete the integration using the actions menu on the right.

Using Terraform, run terraform destroy for the Agentless module.

How to Add or Remove Google Cloud Projects or Folders

Follow the steps below if you want to add or remove projects or folders from your integration.

Add or Remove Google Cloud Projects or Folders using the Lacework Console

  1. Go to Settings > Integrations > Cloud accounts.

  2. Find your Agentless integration and click Edit in the additional options.

  3. Find the Limit Projects field and add your additional projects/folders (comma-delimited).

    • If this field is currently blank, then all new and current projects within the organization are scanned automatically.
    • If adding folders, the folder name must be prefixed with "folder/".
      For example: folder/myscannedfolder1, folder/myscannedfolder2
  4. Click Save.

Add or Remove Google Cloud Projects or Folders using Terraform

To add or remove monitored projects or folders from your integration, update the project_filter_list in your main.tf file and rerun Terraform.

  1. Add the Google Cloud projects/folders to the project_filter_list in your main.tf file:

    Example:

    # For projects, enter the project ID. Folders are prefixed with "folder/".
    project_filter_list = [
      "monitored-project",
      "folder/monitored-folder",
      "additional-project",
      "folder/additional-folder",
    ]

    Note: If this field is commented out or omitted, then all new and current projects within the organization are scanned automatically.

  2. If you are executing Terraform outside the Google Cloud Console, use the following gcloud commands prior to running Terraform:

    1. gcloud auth login

    2. gcloud auth application-default login

    3. gcloud config set project <scanning_project>

      • Replace <scanning_project> with the project that hosts the scanning resources.
  3. Run terraform init to initialize the working directory (containing the Terraform files).

  4. Run terraform plan and review the changes that will be applied.

  5. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.
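As an added example (not part of this page or of Lacework's module), the filter list can be held in a validated input variable so that a mistyped entry, such as a folder without the "folder/" prefix or a malformed project ID, fails at terraform plan rather than being pushed to the integration. The project ID pattern is Google's general project ID rule, the folder check enforces only the prefix described above, and passing null for an empty list relies on Terraform treating a null module input as omitted; whether the module performs its own validation is an assumption not stated here.

```hcl
# Added example: validate project_filter_list entries before they reach the module.
variable "project_filter_list" {
  description = "Project IDs and folder/<name> entries to scan. Leave empty to scan the whole organization."
  type        = list(string)
  default     = []

  validation {
    # Project IDs (Google's rule): 6-30 chars, lowercase letters, digits and hyphens,
    # starting with a letter and not ending in a hyphen. Folders: "folder/" plus a name.
    condition = alltrue([
      for entry in var.project_filter_list :
      can(regex("^(folder/.+|[a-z][a-z0-9-]{4,28}[a-z0-9])$", entry))
    ])
    error_message = "Each project_filter_list entry must be a valid project ID or a folder entry prefixed with \"folder/\"."
  }

  validation {
    condition     = length(var.project_filter_list) == length(distinct(var.project_filter_list))
    error_message = "project_filter_list contains duplicate entries."
  }
}

# Same module block as in Option 1; only the filter list now comes from the validated variable.
module "lacework_gcp_agentless_scanning_org_single_region" {
  source  = "lacework/agentless-scanning/gcp"
  version = "~> 0.1"

  providers = {
    google = google.use1
  }

  # An empty list is passed as null, which Terraform treats as an omitted input, so the
  # module's documented default (scan the whole organization) applies.
  project_filter_list = length(var.project_filter_list) > 0 ? var.project_filter_list : null

  integration_type = "ORGANIZATION"
  organization_id  = "123456789012"

  global                    = true
  regional                  = true
  lacework_integration_name = "agentless_from_terraform"
}
```

Trying the change with `terraform plan -var='project_filter_list=["monitored-project","myscannedfolder1"]'` reports the unprefixed folder entry as a validation error before any API call is made.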

Next Steps

  1. View scanning results in the Lacework Console.
  2. Read FAQs on Agentless Workload Scanning.