Google Cloud - Integrate Agentless Workload Scanning with Terraform
Overview
This article explains the requirements for an Agentless Workload Scanning integration using Terraform.
Once you have read and completed the Google Cloud - Agentless Workload Scanning Prerequisites, complete the integration steps depending on your chosen integration level:
- Agentless Workload Scanning for Google Cloud - Project Integration (Terraform) (Single or Multi Region)
- Agentless Workload Scanning for Google Cloud - Organization Integration (Terraform) (Single or Multi Region)
By default, the Compute Engine instances that perform scanning use the
The Agentless Workload Scanning integration is configured with Terraform using the lacework_gcp_agentless_scanning module.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read Terraform for Lacework Overview to learn the basics on how to configure the provider.
This module installs global and regional resources. The global resources should be installed once per Lacework FortiCNAPP integration. The regional resources should be installed in each region where scanning will occur. Having per-region resources ensures that no cross-region traffic occurs.
Custom VPC Network/Subnetwork for Google Cloud Terraform Integrations
Follow the example below if you want to specify a custom VPC network/subnetwork for your Google Cloud integration.
In this example, we add Terraform modules to two Google Cloud regions for a project level integration (similar to Option 2: Project Integration - Multi Region):
- Global resources are deployed to us-east1:
  - Service Accounts/Permissions
  - Object Storage Bucket
  - Secret Manager Secret
  - Custom VPC Network
  - Firewall Rules for Agentless Workload Scanning
- Regional resources are deployed to us-east1 and us-central1:
  - Cloud Run Job
  - Cloud Scheduler Job
  - Custom VPC Subnetwork
- Use the example below for your versions.tf file:

```hcl
terraform {
  required_version = ">= 1.5"
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.9"
    }
  }
}
```

- Use the example below for your main.tf file:

```hcl
# Set your Lacework profile here. With the Lacework CLI, use
# `lacework configure list` to get a list of available profiles.
provider "lacework" {
  profile = "lw_agentless"
}

provider "google" {
  alias  = "use1"
  region = "us-east1"
  # Set the project name for where the scanning resources are hosted.
  # This must be assigned to the `global` region.
  project = "agentless-lw-scanner"
}

provider "google" {
  alias  = "usc1"
  region = "us-central1"
  # Set your default project ID for this region. This isn't required for
  # the Agentless integration, but is required by the Google Provider.
  # https://registry.terraform.io/providers/hashicorp/google/latest/docs/guides/getting_started#configuring-the-provider
  project = "default-project-id"
}

locals {
  # Provide the list of Google Cloud projects that you want to monitor here.
  # Enter the ID of the projects.
  project_filter_list = [
    "monitored-project-1",
    "monitored-project-2"
  ]
}

# One custom VPC network, created once with the global resources.
resource "google_compute_network" "awls" {
  provider                = google.use1
  name                    = "lacework-awls"
  auto_create_subnetworks = false
}

# One subnetwork per scanning region, both attached to the network above.
resource "google_compute_subnetwork" "awls_subnet_1" {
  provider      = google.use1
  name          = "lacework-awls-subnet1"
  ip_cidr_range = "10.10.1.0/24"
  network       = google_compute_network.awls.id
}

resource "google_compute_subnetwork" "awls_subnet_2" {
  provider      = google.usc1
  name          = "lacework-awls-subnet2"
  ip_cidr_range = "10.10.2.0/24"
  network       = google_compute_network.awls.id
}

# Egress-only rule: the scanners need outbound HTTPS and nothing else.
resource "google_compute_firewall" "rules" {
  provider           = google.use1
  name               = "awls-allow-https-egress"
  network            = google_compute_network.awls.name
  description        = "Firewall policy for Lacework Agentless Workload Scanning"
  direction          = "EGRESS"
  destination_ranges = ["0.0.0.0/0"]
  allow {
    protocol = "tcp"
    ports    = ["443"]
  }
}

# Global + regional resources in us-east1.
module "lacework_gcp_agentless_scanning_project_multi_region_use1" {
  source  = "lacework/agentless-scanning/gcp"
  version = "~> 2.0"
  providers = {
    google = google.use1
  }
  project_filter_list = local.project_filter_list
  organization_id     = "your-org-id"
  global              = true
  regional            = true
  custom_vpc_subnet   = google_compute_subnetwork.awls_subnet_1.id
}

# Regional resources only in us-central1, referencing the global module.
module "lacework_gcp_agentless_scanning_project_multi_region_usc1" {
  source  = "lacework/agentless-scanning/gcp"
  version = "~> 2.0"
  providers = {
    google = google.usc1
  }
  project_filter_list     = local.project_filter_list
  organization_id         = "your-org-id"
  regional                = true
  global_module_reference = module.lacework_gcp_agentless_scanning_project_multi_region_use1
  custom_vpc_subnet       = google_compute_subnetwork.awls_subnet_2.id
}
```
- If you are executing Terraform outside the Google Cloud Console, run the following gcloud commands before running Terraform:
  - `gcloud auth login`
  - `gcloud auth application-default login`
  - `gcloud config set project <scanning_project>`
  - Replace `<scanning_project>` with the project that will host the scanning resources (agentless-lw-scanner in this example).
  - Replace
- Run `terraform init` to initialize the working directory (containing the Terraform files).
- Run `terraform plan` and review the changes that will be applied.
- Once satisfied with the changes that will be applied, run `terraform apply` to execute Terraform.
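As an added pre-apply check (not part of this article or of the Lacework module), the script below reads a plan in the JSON form produced by `terraform show -json <planfile>` for the main.tf above and flags three things a reviewer would want to catch before `terraform apply`: a scanner network that auto-creates subnets, per-region subnets whose CIDRs overlap, and a scanner firewall rule that is not egress-only TCP/443. The inline plan is a constructed sample that mirrors this article's resources, not real Terraform output.

```python
import ipaddress
import json

# Constructed sample in the shape of `terraform show -json` output, reduced to
# the fields the checks read. Values mirror the main.tf in this article.
SAMPLE_PLAN = json.dumps({
    "planned_values": {"root_module": {"resources": [
        {"type": "google_compute_network", "name": "awls",
         "values": {"name": "lacework-awls", "auto_create_subnetworks": False}},
        {"type": "google_compute_subnetwork", "name": "awls_subnet_1",
         "values": {"name": "lacework-awls-subnet1", "ip_cidr_range": "10.10.1.0/24"}},
        {"type": "google_compute_subnetwork", "name": "awls_subnet_2",
         "values": {"name": "lacework-awls-subnet2", "ip_cidr_range": "10.10.2.0/24"}},
        {"type": "google_compute_firewall", "name": "rules",
         "values": {"name": "awls-allow-https-egress", "direction": "EGRESS",
                    "destination_ranges": ["0.0.0.0/0"],
                    "allow": [{"protocol": "tcp", "ports": ["443"]}]}},
    ]}}
})

def _resources(plan_json, rtype):
    """Planned values of every root-module resource of the given type."""
    root = json.loads(plan_json)["planned_values"]["root_module"]
    return [r["values"] for r in root.get("resources", []) if r["type"] == rtype]

def check_plan(plan_json):
    """Return policy violations as strings; an empty list means the plan passes."""
    problems = []
    # 1. The article creates one custom subnet per scanning region, so the
    #    network must not auto-create a subnet in every region.
    for net in _resources(plan_json, "google_compute_network"):
        if net.get("auto_create_subnetworks") is not False:
            problems.append(f"network {net['name']}: auto_create_subnetworks must be false")
    # 2. Per-region subnets share one network and must not overlap.
    subnets = _resources(plan_json, "google_compute_subnetwork")
    for i, a in enumerate(subnets):
        for b in subnets[i + 1:]:
            if ipaddress.ip_network(a["ip_cidr_range"]).overlaps(ipaddress.ip_network(b["ip_cidr_range"])):
                problems.append(f"subnets {a['name']} and {b['name']} overlap")
    # 3. Scanner firewall rules must be egress-only and allow nothing but TCP/443.
    for fw in _resources(plan_json, "google_compute_firewall"):
        if fw.get("direction") != "EGRESS":
            problems.append(f"firewall {fw['name']}: direction must be EGRESS")
        for rule in fw.get("allow", []):
            if rule.get("protocol") != "tcp" or rule.get("ports") != ["443"]:
                problems.append(f"firewall {fw['name']}: unexpected allow rule {rule}")
    return problems
```

Against a real plan, run `terraform plan -out tfplan && terraform show -json tfplan > plan.json` and pass the file contents to `check_plan`.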