Skip to main content

GKE Audit Log Integration - Terraform

tip

To integrate with GKE, Lacework recommends using guided configuration. The guided interface takes your input and generates a script that downloads and sets up all necessary Lacework CLI and Terraform components to create the integration non-interactively.

To use guided configuration:

  1. In the Lacework Console go to Settings > Integrations > Cloud accounts.
  2. Click + Add New.
  3. Click Google Cloud Platform and select Guided configuration.

Alternatively, follow the steps in this topic to use the Lacework CLI to generate Terraform code. Or you can create the main.tf file manually and run Terraform from Google Cloud Shell.

Overview

Lacework integrates with GKE Audit Logs in an event-based streaming pull mode for monitoring GKE admin read, data read, and data write events. This topic describes how to integrate with GKE by running Lacework Terraform modules from Google Cloud Shell.

If you are new to the Lacework Terraform provider, or Lacework Terraform modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider and more.

Resources

Organization level integrations cover all existing projects in the organization, and automatically add any new projects added after the initial integration.

Project level integrations cover only specific projects and any new projects must be added as required.

To integrate at the organization or project level, Lacework requires the following resources be provisioned in Google Cloud:

  • Google Cloud Project - A project to contain the required cloud resources with billing enabled. When integrating at the organization level, Lacework recommends that you create a project specifically for Lacework resources. When integrating at the project level, all required resources for Lacework may be provisioned within the project being integrated.
  • Google Pub/Sub Topic - Topic for GKE Audit Logs events
  • Google Pub/Sub Subscription - Subscription for Lacework to pull the GKE Audit Log events from
  • Google Logging Sink - To export Cloud Audit Logs to the Pub/Sub topic
  • Service Account for Lacework - A service account will be created to provide Lacework read-only access to Google Cloud Platform with the following roles:
    • Project/Organization Level Integration
      • roles/pubsub.publisher
      • roles/pubsub.subscriber
      • roles/monitoring.viewer

For organization level integrations, follow the steps in Integrate GKE Audit Logs at the Organization Level.

For project level integrations, follow the steps in Integrate GKE Audit Logs at the Project Level.

Requirements

  • Google Cloud Shell - Google Cloud Shell inherits the permissions of the user running Cloud Shell. Before beginning, determine whether the integration between Google Cloud and Lacework will be at the organization level or the project level, and then ensure the user account running Google Cloud Shell has the following permissions:

    • Organization level integrations
      • roles/owner - For an organization level integration, Lacework recommends that you create a new project specifically for the Lacework resources. The user account used to run Google Cloud Shell must have Owner permissions for that project.
      • roles/resourcemanager.organizationAdmin
      • roles/iam.organizationRoleAdmin
    • Project level integrations
      • roles/owner - For a project level integration, Lacework recommends that you use the project being integrated to provision the required resources. The user account used to run Google Cloud Shell must have Owner permissions for every project being integrated into Lacework.
  • Terraform provider for Lacework - The Terraform provider for Lacework must be configured to authenticate with the Lacework API using a Lacework API key and secret access key. For information on configuring the Terraform Provider for Lacework, see Terraform for Lacework Overview.

  • Ensure that you are deploying the integration to a supported Google Cloud region.

Module Inputs Reference

For an up-to-date guide on all available configuration inputs, refer to the Terraform Registry documentation:

Module Dependencies

Lacework Terraform modules for Google Cloud have the following dependencies that will be installed when running terraform init:

For detailed information on these dependencies, visit Lacework on the Terraform Registry.

Google Cloud Shell Configuration

Google Cloud Shell is an embedded terminal/command-line interface that you can use within the Google Console. Google Cloud Shell comes with tools pre-installed like the Google Cloud SDK, gcloud command-line tool, and Terraform pre-installed to manage and automate your projects and resources in your environment.

Lacework provides a robust command-line interface that generates Terraform code, installs the Terraform CLI (if not already installed), and can run Terraform inside Cloud Shell.

Ingested Logs

Lacework ingests Admin Activity logs and Data Access logs. Admin Activity logs are enabled by Google Cloud by default. You may have to enable Data Access logs at an additional cost from Google Cloud to access the following event groups:

  • ADMIN_READ: access to Kubernetes metadata and configuration
  • DATA_READ: access to Kubernetes resources
  • DATA_WRITE: creation and changes to Kubernetes resources
  1. In the Google Cloud console, go to IAM & Admin > Audit Logs.
  2. In the Data Access audit logs configuration table next to Filter, start typing Kubernetes and select Kubernetes Engine API.
    gke log routing
  3. With Kubernetes Engine API selected, select the logs and click Save.
    gke log routing selected

See the following Google Cloud documentation about Configure Data Access audit logs for additional details.

Launch Google Cloud Shell within Google Console

To open Google Cloud Shell, click the Cloud Shell icon in the header bar of the Google Console, and it will launch the Cloud Shell in a pane at the bottom of the browser.

Install the Lacework CLI in Google Cloud Shell

The Terraform provider for Lacework leverages the configuration from the Lacework CLI to authenticate with the Lacework API and configure accounts. Run the following commands to install the Lacework CLI:

mkdir -p "$HOME"/bin  
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash -s -- -d "$HOME"/bin

When the script completes, type exit followed by enter to exit your shell. After the shell exits, open Cloud Shell again and the Lacework CLI will be ready for use.

Create Lacework API Key

The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Access Keys.

  1. Log in to the Lacework Console.
  2. Click Settings > Configuration > API keys.
  3. Click + Add New.
  4. Enter a name for the key and an optional description.
  5. Click Save.
  6. Click the ... icon and then Download to save the API key file locally.

The contents of your API key contain a keyId secret, subAccount, and account:

{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}

Configure the Lacework CLI

Google Cloud Shell lets you drag-and-drop the generated KEY.json to upload it automatically.

To configure the CLI with the API key downloaded from the previous step, use the lacework configure command in Cloud Shell and provide the following:

  • account: Account subdomain of URL (i.e. YourAccount.lacework.net)
  • api_key: API Access Key
  • api_secret: API Access Secret

Run the command:

user@cloudshell:~ $ lacework configure -j CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC.json
▸ Account: your_account_name
▸ Access Key ID: CUSTOMER_EED10DA9136E9F763477FF5933464DD0C3DADF2CDDEFABC
▸ Secret Access Key: (*****************************26a0)

You are all set!

For more information, see Lacework CLI documentation.

Deployment Scenarios

Integrate GKE Audit Logs at the Organization Level

The following section covers integrating Google Cloud and Lacework for analysis of GKE Audit Logs at the organization level.

Create a Google Cloud Project Using the Google Cloud Console

When creating an integration at the Google Cloud organization level, Lacework recommends having a dedicated project to provision the required resources for the integration between Google Cloud and Lacework. Create the Google Cloud project before running Terraform.

  1. Log in to the Google Cloud Console.
  2. Select the project drop-down and click New Project.
  3. Give the project a Project Name, select a Billing Account, select the Organization you are integrating.
  4. Click Create to create the new project.

Configure Project Owner Permissions to User Account

These next steps configure role/owner permission on the project for the user running Google Cloud Shell.

  1. In the Google Cloud Console, select the project created for Lacework resources.
  2. Click the navigation menu and select IAM & Admin > IAM.
  3. Filter the list and find the user account that will be used to run Google Cloud Shell.
  4. Click Edit Member and then apply role/owner.
  5. Click Save.

Run the Lacework CLI in Cloud Shell

  1. Inside Google Cloud Shell, run the following Lacework CLI command:

    lacework generate k8s gke           \
    --organization_integration \
    --organization_id OrganizationId \
    --project_id ProjectId \
    --noninteractive

    The Terraform files are created in the ~/lacework/gke directory.

  2. Navigate to the ~/lacework/gke directory.

  3. Run terraform plan and review the changes that will be applied.

  4. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.

For details about the lacework generate k8s gke command, see the CLI documentation.

note

If creating the main.tf file manually, you can use Terraform inputs to customize Lacework Terraform modules. See the documentation on the Terraform Registry for the complete list of inputs for each module.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. GKE integrations are listed as GcpGkeAudit.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts

Integrate GKE Audit Logs at the Project Level

The following section covers integrating Google Cloud and Lacework for analysis of GKE Audit Logs at the project level.

Configure Project Owner Permissions for User Account

These next steps configure role/owner permission on the project for the user running Google Cloud Shell.

  1. Log in to the Google Cloud Console.
  2. Select the project being integrated to Lacework from the project selector at the top of the console.
  3. Click the navigation menu and select IAM & Admin > IAM.
  4. Filter the list and find the user account that will be used to run Google Cloud Shell.
  5. Click Edit Member and then apply role/owner.
  6. Click Save.

Run the Lacework CLI in Cloud Shell

  1. Inside Google Cloud Shell, run the following Lacework CLI command:

    lacework generate k8s gke  \
    --project_id ProjectId \
    --noninteractive

    The Terraform files are created in the ~/lacework/gke directory.

  2. Navigate to the ~/lacework/gke directory.

  3. Run terraform plan and review the changes that will be applied.

  4. Once satisfied with the changes that will be applied, run terraform apply to execute Terraform.

note

If creating the main.tf file manually, you can use Terraform inputs to customize Lacework Terraform modules. See the documentation on the Terraform Registry for the complete list of inputs for each module.

Validate the Configuration

To confirm that the cloud account integrations are working, use the Lacework CLI or log in to the Lacework Console.

To validate the integration using the CLI, run the lacework cloud-account list command. GKE integrations are listed as GcpGkeAudit.

To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts

Exclusion Filters

If you choose to manually create the main.tf file, you can use the Lacework GKE audit log module to define exclusion filters to reduce logs. For details about how to use exclusion filters, see exclusion_filters.

Example organization level integration with exclusion_filter
terraform {
required_providers {
lacework = {
source = "lacework/lacework"
}
}
}
provider "google" {}
provider "lacework" {}
module "gcp_organization_level_gke_audit_log" {
source = "lacework/gke-audit-log/gcp"
version = "~> 0.1"
integration_type = "ORGANIZATION"
project_id = "example-project-123"
organization_id = "my-organization-id"
exclusion_filters = list(object({
filter = string
name = string
description = string
}))
}