A Terraform Module to configure a Lacework integration with Azure Event Hub for Entra ID audit log analysis. It configures a Diagnostic Setting that routes these logs to the event hub, from which Lacework reads them.
| Name | Version |
|---|---|
| terraform | >= 0.12.31 |
| lacework | ~> 1.0 |
| Name | Version |
|---|---|
| azurerm | n/a |
| lacework | ~> 1.0 |
| random | n/a |
| time | n/a |
| Name | Source | Version |
|---|---|---|
| az_ad_application | lacework/ad-application/azure | ~> 1.0 |
| Name | Type |
|---|---|
| azurerm_eventhub.lacework | resource |
| azurerm_eventhub_namespace.lacework | resource |
| azurerm_eventhub_namespace_authorization_rule.lacework | resource |
| azurerm_monitor_aad_diagnostic_setting.entra_id_activity_logs | resource |
| azurerm_resource_group.lacework | resource |
| azurerm_role_assignment.lacework | resource |
| lacework_integration_azure_ad_al.default | resource |
| random_id.uniq | resource |
| time_sleep.wait_time | resource |
| azurerm_client_config.current | data source |
| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| application_id | The Active Directory Application id to use (required when use_existing_ad_application is set to true) | string |
"" |
no |
| application_name | The name of the Azure Active Directory Application (required when use_existing_ad_application is set to true) | string |
"lw_security_audit" |
no |
| application_password | The Active Directory Application password to use (required when use_existing_ad_application is set to true) | string |
"" |
no |
| diagnostic_settings_name | The name of the subscription's Diagnostic Setting for Activity Logs (required when use_existing_diagnostic_settings is set to true) | string |
"active-directory-activity-logs" |
no |
| lacework_integration_name | The Lacework integration name | string |
"TF Entra ID activity log" |
no |
| location | Azure region where the Event Hub will reside. | string |
"West US 2" |
no |
| log_retention_days | Specifies the number of days that logs will be retained. | number |
7 |
no |
| num_partitions | The number of partitions for the Event Hub. | number |
1 |
no |
| prefix | The prefix to use at the beginning of every generated resource | string |
"lacework" |
no |
| service_principal_id | The Enterprise App Object ID related to the application_id (required when use_existing_ad_application is true) | string |
"" |
no |
| tags | Key-value map of Tag names and Tag values | map(string) |
{} |
no |
| use_existing_ad_application | Set this to true to use an existing Active Directory Application |
bool |
false |
no |
| wait_time | Amount of time to wait before the Lacework resources are provisioned | string |
"50s" |
no |
| Name | Description |
|---|---|
| application_id | The Lacework AD Application id |
| application_password | The Lacework AD Application password |
| diagnostic_settings_name | The name of the subscription's Diagnostic Setting for Activity Logs |
| eventhub_name | The name of the Event Hub for Activity Logs |
| eventhub_namespace_name | The name of the Event Hub Namespace for Activity Logs |
| integration_name | The Lacework integration name |
| resource_group_location | The location of the resource group of the Event Hub for Activity Logs |
| resource_group_name | The resource group of the Event Hub for Activity Logs |
| service_principal_id | The Lacework Service Principal id |