Google Cloud - Integrate Agentless Workload Scanning with Terraform

Overview

This article explains the requirements for an Agentless Workload Scanning integration using Terraform.

Once you have read and completed the Prerequisites, complete the integration steps depending on your chosen integration level:

Note:

By default, the Compute Engine instances that perform scanning use the default VPC network and an external IP address to communicate with the Lacework platform. If you want to avoid using Compute Engine instances with external IP addresses, specify a custom VPC network/subnetwork for your integration (see Custom VPC Network/Subnetwork for Google Cloud Terraform Integrations for an example).

The Agentless Workload Scanning integration is configured with Terraform using the lacework_gcp_agentless_scanning module.

If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider.

This module installs global and regional resources. The global resources should be installed once per Lacework integration. The regional resources should be installed in each region where scanning will occur. Having per-region resources ensures that no cross-region traffic occurs.

Custom VPC Network/Subnetwork for Google Cloud Terraform Integrations

Follow the example below if you want to specify a custom VPC network/subnetwork for your Google Cloud integration.

In this example, we add Terraform modules to two Google Cloud regions for a project level integration (similar to Option 2: Project Integration - Multi Region):

  • Global resources are deployed to us-east1.
    • Service Accounts/Permissions
    • Object Storage Bucket
    • Secret Manager Secret
    • Custom VPC Network
    • Firewall Rules for Agentless Workload Scanning
  • Regional resources are deployed to us-east1 and us-central1.
    • Cloud Run Job
    • Cloud Scheduler Job
    • Custom VPC Subnetwork
  1. Use the example below for your versions.tf file:

    terraform {
      required_version = ">= 1.4"

      required_providers {
        lacework = {
          source  = "lacework/lacework"
          version = "~> 1.3"
        }
      }
    }
  2. Use the example below for your main.tf file:

    # Set your Lacework profile here. With the Lacework CLI, use
    # `lacework configure list` to get a list of available profiles.
    provider "lacework" {
      profile = "lw_agentless"
    }

    provider "google" {
      alias  = "use1"
      region = "us-east1"

      # Set the project name for where the scanning resources are hosted.
      # This must be assigned to the `global` region.
      project = "agentless-lw-scanner"
    }

    provider "google" {
      alias  = "usc1"
      region = "us-central1"

      # Set your default project ID for this region. This isn't required for
      # the Agentless integration, but is required by the Google Provider.
      # https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#configuring-the-provider
      project = "default-project-id"
    }

    locals {
      # Provide the list of Google Cloud projects that you want to monitor here.
      # Enter the ID of the projects.
      project_filter_list = [
        "monitored-project-1",
        "monitored-project-2"
      ]
    }

    resource "google_compute_network" "awls" {
      provider = google.use1

      name                    = "lacework-awls"
      auto_create_subnetworks = false
    }

    resource "google_compute_subnetwork" "awls_subnet_1" {
      provider = google.use1

      name          = "lacework-awls-subnet1"
      ip_cidr_range = "10.10.1.0/24"

      network = google_compute_network.awls.id
    }

    resource "google_compute_subnetwork" "awls_subnet_2" {
      provider = google.usc1

      name          = "lacework-awls-subnet2"
      ip_cidr_range = "10.10.2.0/24"

      network = google_compute_network.awls.id
    }

    resource "google_compute_firewall" "rules" {
      provider = google.use1

      name        = "awls-allow-https-egress"
      network     = google_compute_network.awls.name
      description = "Firewall policy for Lacework Agentless Workload Scanning"
      direction   = "EGRESS"

      destination_ranges = [
        "0.0.0.0/0"
      ]

      allow {
        protocol = "tcp"
        ports    = ["443"]
      }
    }

    module "lacework_gcp_agentless_scanning_project_multi_region_use1" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.use1
      }

      project_filter_list = local.project_filter_list

      global   = true
      regional = true

      custom_vpc_subnet = google_compute_subnetwork.awls_subnet_1.id
    }

    module "lacework_gcp_agentless_scanning_project_multi_region_usc1" {
      source  = "lacework/agentless-scanning/gcp"
      version = "~> 0.1"

      providers = {
        google = google.usc1
      }

      project_filter_list = local.project_filter_list

      regional                = true
      global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_use1

      custom_vpc_subnet = google_compute_subnetwork.awls_subnet_2.id
    }
  3. If you are executing Terraform outside the Google Cloud Console, use the following gcloud commands prior to running Terraform:

    1. gcloud auth login

    2. gcloud auth application-default login

    3. gcloud config set project <scanning_project>

      • Replace <scanning_project> with the project that will host the scanning resources (agentless-lw-scanner in this example).
  4. Run terraform init to initialize the working directory (containing the Terraform files).

  5. Run terraform plan and review the changes that will be applied.

  6. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.
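After terraform apply, a quick way to confirm that the scanning instances really landed in the custom subnetworks and did not receive an external IP is to inspect the output of gcloud compute instances list --format=json in the scanning project. The script below is an added verification example, not part of this article or the Lacework module; the instance names, IPs and JSON are constructed to resemble that output, and the subnet names come from the main.tf above.

```python
import json

# Constructed sample resembling `gcloud compute instances list --format=json`
# for the scanning project. Instance names and addresses are hypothetical.
SAMPLE_GCLOUD_JSON = """
[
  {
    "name": "awls-worker-a",
    "networkInterfaces": [
      {
        "network": "projects/agentless-lw-scanner/global/networks/lacework-awls",
        "subnetwork": "projects/agentless-lw-scanner/regions/us-east1/subnetworks/lacework-awls-subnet1",
        "networkIP": "10.10.1.5"
      }
    ]
  },
  {
    "name": "awls-worker-b",
    "networkInterfaces": [
      {
        "network": "projects/agentless-lw-scanner/global/networks/default",
        "subnetwork": "projects/agentless-lw-scanner/regions/us-central1/subnetworks/default",
        "networkIP": "10.128.0.7",
        "accessConfigs": [
          {"type": "ONE_TO_ONE_NAT", "name": "External NAT", "natIP": "203.0.113.10"}
        ]
      }
    ]
  }
]
"""

# The subnetworks created in main.tf; instances anywhere else are flagged.
EXPECTED_SUBNETS = {"lacework-awls-subnet1", "lacework-awls-subnet2"}


def audit_instances(gcloud_json, expected_subnets):
    """Return (instance, issue) pairs for every NIC outside the expected
    subnetworks or carrying an external (NAT) IP address."""
    findings = []
    for inst in json.loads(gcloud_json):
        for nic in inst.get("networkInterfaces", []):
            # The subnetwork field is a resource path; keep only the final name.
            subnet = nic.get("subnetwork", "").rsplit("/", 1)[-1]
            if subnet not in expected_subnets:
                findings.append((inst["name"], f"unexpected subnetwork {subnet!r}"))
            # Any accessConfig with a natIP means the NIC has an external address.
            for cfg in nic.get("accessConfigs", []):
                if cfg.get("natIP"):
                    findings.append((inst["name"], f"external IP {cfg['natIP']}"))
    return findings


if __name__ == "__main__":
    for name, issue in audit_instances(SAMPLE_GCLOUD_JSON, EXPECTED_SUBNETS):
        print(f"{name}: {issue}")
```

An empty result means every scanning instance sits in one of the custom subnetworks with only a private address.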