A Terraform Module to integrate Amazon Elastic Kubernetes Service (EKS) with Lacework.
Audit logging must be enabled on the cluster(s) that you wish to integrate. This can be done via the AWS CLI with the following command:

```shell
aws eks --region <region> update-cluster-config --name <cluster_name> \
  --logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'
```
The module creates the following resources:

- SNS topic
- Topic policy
- S3 bucket
- S3 bucket notification
- Firehose
- Firehose IAM role & policy
- Cross account IAM role & policy
- Cloudwatch IAM role & policy
- Cloudwatch subscription filter
Requirements:

Name | Version |
---|---|
terraform | >= 0.15 |
aws | ~> 4.0 |
lacework | ~> 0.17 |
random | >= 2.1 |
time | ~> 0.6 |

Providers:

Name | Version |
---|---|
aws | ~> 4.0 |
lacework | ~> 0.17 |
random | >= 2.1 |
time | ~> 0.6 |

Modules:

Name | Source | Version |
---|---|---|
lacework_eks_audit_iam_role | lacework/iam-role/aws | ~> 0.1 |
Inputs:

Name | Description | Type | Default | Required |
---|---|---|---|---|
bucket_enable_mfa_delete | Set this to true to require MFA for object deletion (requires versioning) | bool | false | no |
bucket_force_destroy | Force destroy the bucket (required when the bucket is not empty) | bool | false | no |
bucket_lifecycle_expiration_days | The lifetime, in days, of the bucket objects. The value must be a non-zero positive integer. | number | 180 | no |
bucket_versioning_enabled | Set this to true to enable versioning on the created S3 bucket | bool | true | no |
cloudwatch_regions | A set of regions from which Cloudwatch Logs are allowed to be streamed | list(string) | n/a | yes |
cluster_names | A set of cluster names to integrate with. Defaults to [] if no_cw_subscription_filter is set to true | set(string) | [] | no |
external_id_length | The length of the external ID to generate. Max length is 1224. Ignored when use_existing_iam_role is set to true | number | 16 | no |
filter_pattern | The Cloudwatch Log Subscription Filter pattern | string | `"{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }"` | no |
integration_name | The name of the AWS EKS Audit Log integration in Lacework. | string | "TF AWS EKS Audit Log" | no |
lacework_aws_account_id | The Lacework AWS account that the IAM role will grant access to | string | "434813966438" | no |
no_cw_subscription_filter | Set to true to create an integration with no Cloudwatch Subscription filter for your cluster(s) | bool | false | no |
prefix | The prefix that will be used at the beginning of every generated resource | string | "lw-eks-al" | no |
tags | A map/dictionary of tags to be assigned to created resources | map(string) | {} | no |
wait_time | Amount of time between setting up the AWS resources and creating the Lacework integration. | string | "10s" | no |
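To see which API-server audit events the default filter_pattern above actually forwards (only ResponseComplete events, minus health, version, metrics and swagger noise), here is an added Python emulation of the CloudWatch JSON filter-pattern matching, run over constructed sample audit lines. It is example code, not part of the module, and assumes CloudWatch's `*` wildcard semantics for quoted values and that a missing field fails a term.

```python
import fnmatch
import json
import re

# Default filter_pattern from the inputs table above.
FILTER_PATTERN = (
    '{ $.stage = "ResponseComplete" && $.requestURI != "/version" '
    '&& $.requestURI != "/version?*" && $.requestURI != "/metrics" '
    '&& $.requestURI != "/metrics?*" && $.requestURI != "/logs" '
    '&& $.requestURI != "/logs?*" && $.requestURI != "/swagger*" '
    '&& $.requestURI != "/livez*" && $.requestURI != "/readyz*" '
    '&& $.requestURI != "/healthz*" }'
)
SAMPLE_AUDIT_LINES = [  # constructed sample events, one JSON line each, not real cluster data
    '{"stage":"ResponseComplete","requestURI":"/api/v1/namespaces/kube-system/secrets"}',
    '{"stage":"ResponseComplete","requestURI":"/healthz?verbose=1"}',
    '{"stage":"RequestReceived","requestURI":"/api/v1/pods"}',
    '{"stage":"ResponseComplete","requestURI":"/version?timeout=32s"}',
    '{"stage":"ResponseComplete","requestURI":"/apis/rbac.authorization.k8s.io/v1/clusterrolebindings"}',
]
_TERM = re.compile(r'\$\.(\w+)\s*(!=|=)\s*"([^"]*)"')

def parse_pattern(pattern):
    """Split '{ $.a = "x" && $.b != "y*" }' into (field, op, value) terms.
    Simplified emulation: top-level fields, '=' / '!=' and '&&' only."""
    terms = []
    for clause in pattern.strip().strip("{}").split("&&"):
        m = _TERM.fullmatch(clause.strip())
        if not m:
            raise ValueError("unsupported clause: %r" % clause)
        terms.append(m.groups())
    return terms

def event_matches(event, terms):
    """True when every term holds. Assumption: a missing field fails the term.
    '*' in a quoted value is a wildcard; '?' is literal, so escape it for fnmatch."""
    for field, op, value in terms:
        actual = event.get(field)
        if actual is None:
            return False
        hit = fnmatch.fnmatchcase(str(actual), value.replace("?", "[?]"))
        if (op == "=") != hit:
            return False
    return True

def forwarded_uris(lines, pattern=FILTER_PATTERN):
    """requestURI of every event the subscription filter would pass on to Firehose."""
    terms = parse_pattern(pattern)
    return [json.loads(line)["requestURI"] for line in lines
            if event_matches(json.loads(line), terms)]
```

Running `forwarded_uris(SAMPLE_AUDIT_LINES)` keeps only the secrets list and the clusterrolebindings create; the health probe, the version check and the RequestReceived stage are dropped before they reach Firehose.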
Outputs:

Name | Description |
---|---|
bucket_arn | Lacework AWS EKS Audit Log S3 Bucket ARN |
bucket_name | Lacework AWS EKS Audit Log S3 Bucket name |
cloudwatch_iam_role_arn | The Cloudwatch IAM Role ARN |
cloudwatch_iam_role_name | The Cloudwatch IAM Role name |
cross_account_iam_role_arn | The Cross Account IAM Role ARN |
cross_account_iam_role_name | The Cross Account IAM Role name |
external_id | The External ID configured into the IAM role |
filter_pattern | The Cloudwatch Log Subscription Filter pattern |
filter_prefix | The Cloudwatch Log Subscription filter prefix |
firehose_arn | The Firehose IAM Role ARN |
firehose_iam_role_name | The Firehose IAM Role name |
sns_arn | SNS Topic ARN |
sns_name | SNS Topic name |