Skip to content

lacework/terraform-aws-eks-audit-log

BranchesTags

Repository files navigation

terraform-aws-eks-audit-log

GitHub release Codefresh build status

A Terraform Module to integrate Amazon Elastic Kubernetes Service (EKS) with Lacework.

Pre-requisite

Audit logging must be enabled on the cluster(s) which you wish to integrate. This can be done via the AWS CLI using the following command:

aws eks --region <region> update-cluster-config --name <cluster_name> \
--logging '{"clusterLogging":[{"types":["audit"],"enabled":true}]}'

Resources created

  • KMS key
  • KMS key alias
  • KMS ket policy
  • SNS topic
  • Topic policy
  • S3 bucket
  • S3 bucket notification
  • S3 bucket server side encryption
  • S3 bucket logging
  • S3 bucket public access block
  • Firehose
  • Firehose IAM role & policy
  • Cross account IAM role & policy
  • Cloudwatch IAM role & policy
  • Cloudwatch subscription filter

Requirements

Name Version
terraform >= 0.15
aws >= 5.0
lacework ~> 2.0
random >= 2.1
time ~> 0.6

Providers

Name Version
aws >= 5.0
lacework ~> 2.0
random >= 2.1
time ~> 0.6

Modules

Name Source Version
lacework_eks_audit_iam_role lacework/iam-role/aws ~> 0.4

Resources

Name Type
aws_cloudwatch_log_subscription_filter.lacework_eks_cw_subscription_filter resource
aws_iam_policy.eks_cross_account_policy resource
aws_iam_policy.eks_cw_iam_policy resource
aws_iam_policy.firehose_iam_policy resource
aws_iam_role.eks_cw_iam_role resource
aws_iam_role.firehose_iam_role resource
aws_iam_role_policy_attachment.eks_cross_account_role_policy resource
aws_iam_role_policy_attachment.eks_cw_iam_role_policy resource
aws_iam_role_policy_attachment.firehose_iam_role_policy resource
aws_kinesis_firehose_delivery_stream.extended_s3_stream resource
aws_kms_alias.lacework_eks_kms_alias resource
aws_kms_key.lacework_eks_kms_key resource
aws_s3_bucket.eks_audit_log_bucket resource
aws_s3_bucket.log_bucket resource
aws_s3_bucket_lifecycle_configuration.eks_audit_log_bucket_lifecycle_config resource
aws_s3_bucket_lifecycle_configuration.log_bucket_lifecycle_config resource
aws_s3_bucket_logging.eks_audit_log_bucket_logging resource
aws_s3_bucket_notification.bucket_notification resource
aws_s3_bucket_ownership_controls.eks_audit_log_bucket_ownership_controls resource
aws_s3_bucket_ownership_controls.log_bucket_ownership_controls resource
aws_s3_bucket_public_access_block.bucket_access resource
aws_s3_bucket_public_access_block.log_bucket_access resource
aws_s3_bucket_server_side_encryption_configuration.bucket_encryption resource
aws_s3_bucket_server_side_encryption_configuration.log_bucket_encryption resource
aws_s3_bucket_versioning.export_versioning resource
aws_s3_bucket_versioning.log_bucket_versioning resource
aws_sns_topic.eks_sns_topic resource
aws_sns_topic_policy.eks_sns_topic_policy resource
lacework_integration_aws_eks_audit_log.data_export resource
random_id.uniq resource
time_sleep.wait_time_cw resource
aws_arn.cloudwatch_iam_role data source
aws_arn.firehose_iam_role data source
aws_arn.iam_role data source
aws_caller_identity.current data source
aws_iam_policy_document.eks_cross_account_policy data source
aws_iam_policy_document.eks_cw_assume_role_policy data source
aws_iam_policy_document.eks_cw_iam_role_policy data source
aws_iam_policy_document.eks_sns_topic_policy data source
aws_iam_policy_document.firehose_iam_assume_role_policy data source
aws_iam_policy_document.firehose_iam_role_policy data source
aws_iam_policy_document.kms_key_policy data source
lacework_metric_module.lwmetrics data source

Inputs

Name Description Type Default Required
access_log_prefix Optional value to specify a key prefix for access log objects for logging S3 bucket string "log/" no
allow_debugging_permissions To allow debugging permissions, set this parameter to true bool false no
bucket_arn The S3 bucket ARN is required when setting use_existing_bucket to true string "" no
bucket_enable_mfa_delete Set this to true to require MFA for object deletion (Requires versioning) bool false no
bucket_encryption_enabled Set this to true to enable encryption on a created S3 bucket bool true no
bucket_force_destroy Force destroy bucket (if disabled, terraform will not be able do destroy non-empty bucket) bool true no
bucket_key_arn The ARN of the KMS encryption key to be used for S3 (Required when bucket_sse_algorithm is aws:kms and using an existing aws_kms_key) string "" no
bucket_lifecycle_enabled Set this to true to enable S3 buckets lifecycle configuration (incompatible with MFA delete) bool true no
bucket_lifecycle_expiration_days The lifetime, in days, of the bucket objects. The value must be a non-zero positive integer. number 180 no
bucket_logs_disabled Set this to true to disable access logging on a created S3 bucket bool false no
bucket_sse_algorithm The encryption algorithm to use for S3 bucket server-side encryption string "aws:kms" no
bucket_versioning_enabled Set this to true to enable access versioning on a created S3 bucket bool true no
cloudwatch_iam_role_arn IAM role arn to use for the Cloudwatch filter if use_existing_cloudwatch_iam_role is set to true string "" no
cloudwatch_regions A set of regions, to allow Cloudwatch Logs to be streamed from list(string) n/a yes
cluster_names A set of cluster names, to integrate with. Defaults to [] if no_cw_subscription_filter is set to true set(string) [] no
external_id_length Deprecated - Will be removed on our next major release v2.0.0 number 16 no
filter_pattern The Cloudwatch Log Subscription Filter pattern string "{ $.stage = \"ResponseComplete\" && $.requestURI != \"/version\" && $.requestURI != \"/version?*\" && $.requestURI != \"/metrics\" && $.requestURI != \"/metrics?*\" && $.requestURI != \"/logs\" && $.requestURI != \"/logs?*\" && $.requestURI != \"/swagger*\" && $.requestURI != \"/livez*\" && $.requestURI != \"/readyz*\" && $.requestURI != \"/healthz*\" }" no
firehose_iam_role_arn IAM role arn to use for the Kinesis Firehose if use_existing_firehose_iam_role is set to true string "" no
iam_role_arn IAM role arn to use for cross-account access if use_existing_cross_account_iam_role is set to true string "" no
iam_role_external_id External ID for the cross-account IAM role if use_existing_cross_account_iam_role is set to true string "" no
integration_name The name of the AWS EKS Audit Log integration in Lacework. string "TF AWS EKS Audit Log" no
kinesis_firehose_encryption_enabled Set this to false to disable encryption on the Kinesis Firehose. Defaults to true bool true no
kinesis_firehose_key_arn The ARN of an existing KMS encryption key to be used for the Kinesis Firehose string "" no
kms_key_deletion_days The waiting period, specified in number of days number 30 no
kms_key_multi_region Whether the KMS key is a multi-region or regional key bool true no
kms_key_rotation Enable KMS automatic key rotation bool true no
lacework_aws_account_id The Lacework AWS account that the IAM role will grant access string "434813966438" no
log_bucket_name Name of the S3 bucket for access logs. Is required when setting use_existing_access_log_bucket to true string "" no
no_cw_subscription_filter Set to true to create an integration with no Cloudwatch Subscription filter for your cluster(s) bool false no
prefix The prefix that will be use at the beginning of every generated resource string "lw-eks-al" no
sns_topic_encryption_enabled Set this to false to disable encryption on the sns topic. Defaults to true bool true no
sns_topic_key_arn The ARN of an existing KMS encryption key to be used for the SNS topic string "" no
tags A map/dictionary of Tags to be assigned to created resources map(string) {} no
use_existing_access_log_bucket Set this to true to use an existing bucket for access logging. Default behavior creates a new access log bucket if logging is enabled bool false no
use_existing_bucket Set this to true to use an existing bucket for the logs. Default behavior creates a new log bucket bool false no
use_existing_cloudwatch_iam_role Set this to true to use an existing IAM role for the Cloudwatch subscription filter bool false no
use_existing_cross_account_iam_role Set this to true to use an existing IAM role for cross-account access bool false no
use_existing_firehose_iam_role Set this to true to use an existing IAM role for the Kinesis Firehose bool false no
wait_time Amount of time between setting up AWS resources, and creating the Lacework integration. string "20s" no

Outputs

Name Description
bucket_arn Lacework AWS EKS Audit Log S3 Bucket ARN
bucket_name Lacework AWS EKS Audit Log S3 Bucket name
cloudwatch_iam_role_arn The Cloudwatch IAM Role ARN
cloudwatch_iam_role_name The Cloudwatch IAM Role name
cross_account_iam_role_arn The Cross Account IAM Role ARN
cross_account_iam_role_name The Cross Account IAM Role name
external_id The External ID configured into the IAM role
filter_pattern The Cloudwatch Log Subscription Filter pattern
filter_prefix The Cloudwatch Log Subscription filter prefix
firehose_arn The Firehose delivery stream ARN
firehose_iam_role_arn The Firehose IAM Role ARN
firehose_iam_role_name The Firehose IAM Role name
lacework_integration_guid GUID of the created Lacework integration
sns_arn SNS Topic ARN
sns_name SNS Topic name

About

Terraform module for configuring an integration with AWS to analyze EKS Audit Logs for monitoring EKS cluster security and configuration compliance.

Resources

Readme

License

MIT license

Contributing

Contributing
Activity
Custom properties

Stars

6 stars

Watchers

39 watching

Forks

9 forks
Report repository

Releases 22

v1.1.7 Latest
Oct 9, 2025
+ 21 releases

Packages

 
 
 

Contributors

Languages