Scenario
Azure policy in place that stop default LW deployment due to region blocks, and required tags.
Best answer by JBNZ
View original
How can I add tags to my cli generated terraform for azure
Resolution
Deploy Lacework in to appropriate region to be within the policy, e.g. Australia East below
Method 1 - Lacework cli
To use this method you need have have installed the lacework cli and authorised it already - see https://docs.lacework.net/cli
https://docs.lacework.net/cli/commands/lacework_generate_cloud-account_azure
Run the command below
lacework generate cloud-account azure --configuration='true' --activity_log='true' --location='Australia East' --noninteractive --apply Method 2 - More advanced - Manual terraform edit, inc tags
run the command to generate the terraform file;
lacework generate cloud-account azure --configuration='true' --activity_log='true' --location='Australia East'assuming you are on the azure cli in bash mode get into the directory
cd lacework/azureedit the .tf file using code
code main.tfedit the bottom section of the file appropriately - example below
Snippet
location = "Australia East"
tags = {
"Business owner":"Sec team",
"Technology Owner":"Corp tech",
"CostCode":123Once the file is edited, click on the code and select save file
go back to the cli and run
terraform initthis will get terraform ready to run
then
terraform plancheck the output for errors, it will display what it will deploy, but is only a dry run, no actual changes will be made
then run
terraform applythis screen will show you what will be added to your azure environment, then confirm with a yes if all is ok.
Terraform will take some time to run here, it is building many resources, you can check in the lacework UI, under settings > cloud accounts and the integrations should apeare there once complete.
Complete sample terraform with region and tags
terraform {
required_providers {
azuread = {
source = "hashicorp/azuread"
version = "~> 2.16"
}
azurerm = {
source = "hashicorp/azurerm"
version = "~> 2.91.0"
}
lacework = {
source = "lacework/lacework"
version = "~> 1.0"
}
}
}
provider "lacework" {
profile = "onboarding"
}
provider "azuread" {
}
provider "azurerm" {
features {
}
}
module "az_ad_application" {
source = "lacework/ad-application/azure"
version = "~> 1.0"
}
module "az_config" {
source = "lacework/config/azure"
version = "~> 1.0"
application_id = module.az_ad_application.application_id
application_password = module.az_ad_application.application_password
service_principal_id = module.az_ad_application.service_principal_id
use_existing_ad_application = true
}
module "az_activity_log" {
source = "lacework/activity-log/azure"
version = "~> 1.0"
application_id = module.az_ad_application.application_id
application_password = module.az_ad_application.application_password
service_principal_id = module.az_ad_application.service_principal_id
use_existing_ad_application = true
location = "Australia East"
tags = {
"Business owner":"Sec team",
"Technology Owner":"Corp tech",
"CostCode":123
}
}
example azure error the help google
Error: creating Resource Group "lacework-group-abc123": resources.GroupsClient#CreateOrUpdate: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="RequestDisallowedByPolicy" Message="Resource 'lacework-group-abc123' was disallowed by policy. Policy identifiers: '[{\"policyAssignment\":{\"name\":\"Require specified tag on resource groups (Business Owner)\",\"id\":\"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa/providers/Microsoft.Authorization/policyAssignments/ab4266111111111111111111111\"},\"policyDefinition\":{\"name\":\"Require a tag on resource groups\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa\"}},{\"policyAssignment\":{\"name\":\"Allowed locations for resource groups\",\"id\":\"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa/providers/Microsoft.Authorization/policyAssignments/Allowed locations for resource groups\"},\"policyDefinition\":{\"name\":\"Allowed locations for resource groups\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaa\"}},{\"policyAssignment\":{\"name\":\"Require specified tag on resource groups (CostCode)\",\"id\":\"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa/providers/Microsoft.Authorization/policyAssignments/abcdef123456789\"},\"policyDefinition\":{\"name\":\"Require a tag on resource groups\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa\"}},{\"policyAssignment\":{\"name\":\"Require specified tag on resource groups (Technology Owner)\",\"id\":\"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa/providers/Microsoft.Authorization/policyAssignments/abcdef123456789000\"},\"policyDefinition\":{\"name\":\"Require a tag on resource groups\",\"id\":\"/providers/Microsoft.Authorization/policyDefinitions/96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa\"}}]'." Target="lacework-group-abc123" AdditionalInfo=[{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Resources/subscriptions/resourcegroups","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Resources/subscriptions/resourceGroups"},{"expression":"tags[Business Owner]","expressionKind":"Field","operator":"Exists","path":"tags[Business Owner]","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Require specified tag on resource groups (Business Owner)","policyAssignmentId":"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa/providers/Microsoft.Authorization/policyAssignments/ab4266111111111111111111111","policyAssignmentName":"ab4266111111111111111111111","policyAssignmentParameters":{"tagName":"Business Owner"},"policyAssignmentScope":"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa","policyDefinitionDisplayName":"Require a tag on resource groups","policyDefinitionEffect":"deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa","policyDefinitionName":"96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa","policyExemptionIds":[]},"type":"PolicyViolation"},{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Resources/subscriptions/resourcegroups","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Resources/subscriptions/resourceGroups"},{"expression":"location","expressionKind":"Field","expressionValue":"westus2","operator":"NotIn","path":"location","result":"True","targetValue":["Australia East","Australia Southeast","Australia Central"]}]},"policyAssignmentDisplayName":"Allowed locations for resource groups","policyAssignmentId":"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa/providers/Microsoft.Authorization/policyAssignments/Allowed locations for resource groups","policyAssignmentName":"Allowed locations for resource groups","policyAssignmentParameters":{"listOfAllowedLocations":["Australia East","Australia Southeast","Australia Central"]},"policyAssignmentScope":"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa","policyDefinitionDisplayName":"Allowed locations for resource groups","policyDefinitionEffect":"deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaa","policyDefinitionName":"aaaaaaaa-aaaa-aaaa-aaaa-aaaaaaaaa","policyExemptionIds":[]},"type":"PolicyViolation"},{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Resources/subscriptions/resourcegroups","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Resources/subscriptions/resourceGroups"},{"expression":"tags[CostCode]","expressionKind":"Field","operator":"Exists","path":"tags[CostCode]","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Require specified tag on resource groups (CostCode)","policyAssignmentId":"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa/providers/Microsoft.Authorization/policyAssignments/abcdef123456789","policyAssignmentName":"abcdef123456789","policyAssignmentParameters":{"tagName":"CostCode"},"policyAssignmentScope":"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa","policyDefinitionDisplayName":"Require a tag on resource groups","policyDefinitionEffect":"deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa","policyDefinitionName":"96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa","policyExemptionIds":[]},"type":"PolicyViolation"},{"info":{"evaluationDetails":{"evaluatedExpressions":[{"expression":"type","expressionKind":"Field","expressionValue":"Microsoft.Resources/subscriptions/resourcegroups","operator":"Equals","path":"type","result":"True","targetValue":"Microsoft.Resources/subscriptions/resourceGroups"},{"expression":"tags[Technology Owner]","expressionKind":"Field","operator":"Exists","path":"tags[Technology Owner]","result":"True","targetValue":"false"}]},"policyAssignmentDisplayName":"Require specified tag on resource groups (Technology Owner)","policyAssignmentId":"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa/providers/Microsoft.Authorization/policyAssignments/abcdef123456789000","policyAssignmentName":"abcdef123456789000","policyAssignmentParameters":{"tagName":"Technology Owner"},"policyAssignmentScope":"/subscriptions/aaaaa-aaaa-aaaa-aaaa-aaaaaaaaaaa","policyDefinitionDisplayName":"Require a tag on resource groups","policyDefinitionEffect":"deny","policyDefinitionId":"/providers/Microsoft.Authorization/policyDefinitions/96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa","policyDefinitionName":"96670d01-aaaa-aaaa-aaaa-aaaac0aaaaa","policyExemptionIds":[]},"type":"PolicyViolation"}]Agent
N/A
Platform
Deploy Lacework/Installation
Cloud
Azure
Reply
Enter your E-mail address. We'll send you an e-mail with instructions to reset your password.