Lacework Single Role Deployment via Terraform
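terraform {
  required_providers {
    # Lacework provider, pinned to the 1.15.x series.
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.15"
    }
    # The aws provider is used further down (provider "aws", aws_* resources)
    # but was not declared here; declaring its source makes the requirement
    # explicit instead of relying on implicit resolution. Add a version
    # constraint matching the provider release this configuration was
    # tested against.
    aws = {
      source = "hashicorp/aws"
    }
  }
}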
# Required inputs
variable "ecs_cluster_arns" {
  description = "List of ARNs of the ECS clusters in which to deploy the Lacework agent"
  type        = list(string)
  # Empty by default: the ecs-agent module below iterates over this list,
  # so nothing is deployed to ECS until ARNs are supplied.
  default = []
}
variable "eks_cloudwatch_regions" {
  description = "A set of regions, to allow Cloudwatch Logs to be streamed from"
  type        = list(string)
  # Consumed by the eks-audit-log module; defaults to a single region.
  default = ["us-west-2"]
}
variable "ec2_agent_deployment_filter_tags" {
  description = "The list of tags (key:values) used to deploy the Lacework agent on EC2 instances"
  # Each key maps to the list of accepted tag values; this is turned into
  # the resource-group TagFilters used to target the SSM agent install.
  type = map(list(string))
  default = {
    environment = ["Testing"]
  }
}
# For configuration options
# See https://registry.terraform.io/providers/lacework/lacework/latest/docs
provider "lacework" {
  # Intentionally empty: no inline arguments; see the provider docs linked above.
}
provider "aws" {
  # Intentionally empty: region and credentials are not set in this file.
}
# Single cross-account IAM role shared by every integration below; its
# name, arn and external_id outputs are wired into each module.
module "iam_role" {
  source  = "lacework/iam-role/aws"
  version = "~> 0.4"
}
# Configuration (resource inventory) integration, reusing the shared role.
module "config" {
  source  = "lacework/config/aws"
  version = "~> 0.13"

  use_existing_iam_role = true
  iam_role_name         = module.iam_role.name
  iam_role_external_id  = module.iam_role.external_id
}
# CloudTrail integration, reusing the shared role.
module "cloudtrail" {
  source  = "lacework/cloudtrail/aws"
  version = "~> 2.8"

  use_existing_iam_role = true
  iam_role_name         = module.iam_role.name
  iam_role_external_id  = module.iam_role.external_id
}
# ECR integration, reusing the shared role.
module "ecr" {
  source  = "lacework/ecr/aws"
  version = "~> 0.9"

  use_existing_iam_role = true
  iam_role_name         = module.iam_role.name
  iam_role_external_id  = module.iam_role.external_id
}
# Agent access token for the ECS deployment. Its `token` attribute is read
# by the ecs-agent module and, like any resource attribute, is persisted in
# Terraform state, so the state backend must be protected accordingly.
resource "lacework_agent_access_token" "ecs" {
  name        = "tf-deployment"
  description = "ecs deployment via Terraform"
}
# One ecs-agent module instance per cluster ARN in var.ecs_cluster_arns.
module "ecs-agent" {
  source   = "lacework/ecs-agent/aws"
  version  = "~> 0.4"
  for_each = toset(var.ecs_cluster_arns)

  ecs_cluster_arn       = each.value
  lacework_access_token = lacework_agent_access_token.ecs.token
  use_existing_iam_role = true
  iam_role_name         = module.iam_role.name
}
# EKS audit log integration; streams CloudWatch Logs from the listed regions
# through the shared cross-account role.
module "eks-audit-log" {
  source  = "lacework/eks-audit-log/aws"
  version = "~> 1.1"

  cloudwatch_regions                  = var.eks_cloudwatch_regions
  use_existing_cross_account_iam_role = true
  iam_role_arn                        = module.iam_role.arn
  iam_role_external_id                = module.iam_role.external_id
}
# Agentless scanning, deployed as both the global and regional components,
# using the shared cross-account role.
module "agentless-scanning" {
  source  = "lacework/agentless-scanning/aws"
  version = "~> 0.13"

  global   = true
  regional = true

  use_existing_cross_account_role = true
  cross_account_role_name         = module.iam_role.name
  cross_account_role_arn          = module.iam_role.arn
  external_id                     = module.iam_role.external_id
}
# (Optional) Agent deployment on EC2 instances via SSM
# Separate agent access token for the SSM-driven EC2 install, kept distinct
# from the ECS token. The token value is stored in Terraform state.
resource "lacework_agent_access_token" "ssm_deployment" {
  name        = "ssm-deployment"
  description = "Used to deploy agents using AWS System Manager"
}
# Provides the SSM document (ssm_document_name output) used by the
# association below to install the agent.
module "ssm_agent_install" {
  source  = "lacework/ssm-agent/aws"
  version = "~> 0.10"

  lacework_access_token = lacework_agent_access_token.ssm_deployment.token
}
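locals {
  # Resource-group TagFilters built from var.ec2_agent_deployment_filter_tags.
  # Previously each entry was serialised with format("%#v", ...) and the
  # values were wrapped in an extra list ([ values ]). Because this list is
  # later passed through jsonencode(), that produced a list of JSON strings
  # (and nested value lists) rather than a list of {Key, Values} objects.
  # `values` is already a list(string) per the variable type, so it is used
  # as-is and the object is left for jsonencode() to serialise.
  ec2_tag_filters = [
    for key, values in var.ec2_agent_deployment_filter_tags : {
      Key    = key
      Values = values
    }
  ]
}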
# Tag-based resource group of EC2 instances that the SSM association targets.
# The group name is fixed to "Testing" here, independently of the tag filter
# values supplied through the variable.
resource "aws_resourcegroups_group" "testing" {
  name = "Testing"

  resource_query {
    query = jsonencode({
      ResourceTypeFilters = ["AWS::EC2::Instance"]
      TagFilters          = local.ec2_tag_filters
    })
  }

  tags = {
    billing = "testing"
    owner   = "myself"
  }
}
# Applies the agent-install SSM document to every instance in the resource
# group above. No schedule_expression is set, so the association runs on the
# default cadence for the document.
resource "aws_ssm_association" "lacework_aws_ssm_agents_install_testing" {
  name             = module.ssm_agent_install.ssm_document_name
  association_name = "install-lacework-agents-testing-group"

  targets {
    key    = "resource-groups:Name"
    values = [aws_resourcegroups_group.testing.name]
  }

  # Non-compliant instances are reported at HIGH severity in SSM Compliance.
  compliance_severity = "HIGH"
}