lacework · LMAX-iwnf · Apr 4, 2025 · Apr 3, 2025 · Apr 3, 2025 · Apr 3, 2025
diff --git a/README.md b/README.md
@@ -39,14 +39,17 @@ Terraform module for configuring an integration with Lacework and AWS for cloud
 |------|------|
 | [aws_iam_policy.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_policy.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
+| [aws_iam_policy.lacework_audit_policy_2025_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_policy) | resource |
 | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_b](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
+| [aws_iam_role_policy_attachment.lacework_audit_policy_attachment_c](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [aws_iam_role_policy_attachment.security_audit_policy_attachment](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_role_policy_attachment) | resource |
 | [lacework_integration_aws_cfg.default](https://registry.terraform.io/providers/lacework/lacework/latest/docs/resources/integration_aws_cfg) | resource |
 | [random_id.uniq](https://registry.terraform.io/providers/hashicorp/random/latest/docs/resources/id) | resource |
 | [time_sleep.wait_time](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [aws_iam_policy_document.lacework_audit_policy](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [aws_iam_policy_document.lacework_audit_policy_2025_1](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
+| [aws_iam_policy_document.lacework_audit_policy_2025_2](https://registry.terraform.io/providers/hashicorp/aws/latest/docs/data-sources/iam_policy_document) | data source |
 | [lacework_metric_module.lwmetrics](https://registry.terraform.io/providers/lacework/lacework/latest/docs/data-sources/metric_module) | data source |
 
 ## Inputs
@@ -351,7 +354,75 @@ The audit policy is comprised of the following permissions:
 |                            | budgets:ListTagsForResource                             |           |
 |                            | budgets:ViewBudget                                      |           |
 | BILLINGCONSOLE             | aws-portal:GetConsoleActionSetEnforced                  | *         |
-|                            | aws-portal :ViewAccount                                 |           |
-|                            | aws-portal :ViewBilling                                 |           |
-|                            | aws-portal :ViewPaymentMethods                          |           |
-|                            | aws-portal :ViewUsage                                   |           |
+|                            | aws-portal:ViewAccount                                  |           |
+|                            | aws-portal:ViewBilling                                  |           |
+|                            | aws-portal:ViewPaymentMethods                           |           |
+|                            | aws-portal:ViewUsage                                    |           |
+| ACM-PCA                    | acm-pca:GetCertificateAuthorityCertificate              | *         |
+|                            | acm-pca:GetCertificateAuthorityCertificate              | *         |
+|                            | acm-pca:GetCertificateAuthorityCsr                      |           |
+| APPCONFIG                  | appconfig:GetConfigurationProfile                       | *         |
+|                            | appconfig:GetDeploymentStrategy                         |           |
+|                            | appconfig:GetExtension                                  |           |
+|                            | appconfig:GetExtensionAssociation                       |           |
+|                            | appconfig:GetHostedConfigurationVersion                 |           |
+|                            | appconfig:ListApplications                              |           |
+|                            | appconfig:ListConfigurationProfiles                     |           |
+|                            | appconfig:ListDeployments                               |           |
+|                            | appconfig:ListDeploymentStrategies                      |           |
+|                            | appconfig:ListEnvironments                              |           |
+|                            | appconfig:ListExtensionAssociations                     |           |
+|                            | appconfig:ListExtensions                                |           |
+|                            | appconfig:ListHostedConfigurationVersions               |           |
+|                            | appconfig:ListTagsForResource                           |           |
+| APPFLOW                    | appflow:DescribeConnectorEntity                         | *         |
+|                            | appflow:DescribeConnectorProfiles                       |           |
+|                            | appflow:DescribeConnectors                              |           |
+|                            | appflow:DescribeFlow                                    |           |
+|                            | appflow:DescribeFlowExecutionRecords                    |           |
+|                            | appflow:ListConnectorEntities                           |           |
+|                            | appflow:ListConnectors                                  |           |
+| DYNAMODB                   | dynamodb:DescribeContributorInsights                    | *         |
+|                            | dynamodb:GetResourcePolicy                              |           |
+| EBS                        | ebs:GetSnapshotBlock                                    | *         |
+|                            | ebs:ListSnapshotBlocks                                  |           |
+| FREETIER                   | freetier:GetFreeTierUsage                               | *         |
+| LAKEFORMATION              | lakeformation:DescribeLakeFormationIdentityCenterConfiguration | *  |
+|                            | lakeformation:GetDataLakePrincipal                      |           |
+|                            | lakeformation:GetDataLakeSettings                       |           |
+|                            | lakeformation:GetEffectivePermissionsForPath            |           |
+|                            | lakeformation:GetTableObjects                           |           |
+|                            | lakeformation:ListDataCellsFilter                       |           |
+|                            | lakeformation:ListPermissions                           |           |
+|                            | lakeformation:ListResources                             |           |
+|                            | lakeformation:ListTableStorageOptimizers                |           |
+|                            | lakeformation:ListTransactions                          |           |
+| LAMBDA                     | lambda:GetFunction                                      | *         |
+|                            | lambda:GetFunctionCodeSigningConfig                     |           |
+| SCHEDULER                  | scheduler:GetSchedule                                   | *         |
+|                            | scheduler:GetScheduleGroup                              |           |
+|                            | scheduler:ListScheduleGroups                            |           |
+|                            | scheduler:ListSchedules                                 |           |
+|                            | scheduler:ListTagsForResource                           |           |
+| SCHEMAS                    | schemas:GetCodeBindingSource                            | *         |
+| DATASYNC                   | datasync:DescribeTaskExecution                          | *         |
+|                            | datasync:DescribeLocationEfs                            |           |
+|                            | datasync:ListAgents                                     |           |
+|                            | datasync:ListLocations                                  |           |
+|                            | datasync:ListTaskExecutions                             |           |
+|                            | datasync:ListStorageSystems                             |           |
+|                            | datasync:DescribeLocationSmb                            |           |
+|                            | datasync:DescribeAgent                                  |           |
+|                            | datasync:DescribeLocationFsxWindows                     |           |
+|                            | datasync:DescribeTask                                   |           |
+|                            | datasync:DescribeLocationS3                             |           |
+|                            | datasync:DescribeDiscoveryJob                           |           |
+|                            | datasync:DescribeLocationObjectStorage                  |           |
+|                            | datasync:DescribeStorageSystem                          |           |
+|                            | datasync:DescribeLocationAzureBlob                      |           |
+|                            | datasync:ListTagsForResource                            |           |
+|                            | datasync:ListTasks                                      |           |
+|                            | datasync:DescribeLocationHdfs                           |           |
+|                            | datasync:DescribeLocationFsxLustre                      |           |
+|                            | datasync:ListDiscoveryJobs                              |           |
+|                            | datasync:DescribeLocationNfs                            |           |
diff --git a/main.tf b/main.tf
@@ -6,6 +6,7 @@ locals {
     length(var.lacework_audit_policy_name) > 0 ? var.lacework_audit_policy_name : "lwaudit-policy-${random_id.uniq.hex}"
   )
   lacework_audit_policy_name_2025_1 = "${local.lacework_audit_policy_name}-2025-1"
+  lacework_audit_policy_name_2025_2 = "${local.lacework_audit_policy_name}-2025-2"
   version_file   = "${abspath(path.module)}/VERSION"
   module_name    = "terraform-aws-config"
   module_version = fileexists(local.version_file) ? file(local.version_file) : ""
@@ -512,6 +513,145 @@ data "aws_iam_policy_document" "lacework_audit_policy_2025_1" {
   }
 }
 
+
+# New permission incoming for 20.0.0 release:
+# https://lacework.atlassian.net/browse/RAIN-94565
+data "aws_iam_policy_document" "lacework_audit_policy_2025_2" {
+  count   = var.use_existing_iam_role_policy ? 0 : 1
+  version = "2012-10-17"
+
+  statement {
+    sid = "FREETIER"
+    actions = ["freetier:GetFreeTierUsage"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "ACMPCA"
+    actions = ["acm-pca:GetCertificateAuthorityCertificate",
+      "acm-pca:GetCertificateAuthorityCsr",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "APPCONFIG"
+    actions = ["appconfig:GetConfigurationProfile",
+      "appconfig:GetDeploymentStrategy",
+      "appconfig:GetExtension",
+      "appconfig:GetExtensionAssociation",
+      "appconfig:GetHostedConfigurationVersion",
+      "appconfig:ListApplications",
+      "appconfig:ListConfigurationProfiles",
+      "appconfig:ListDeployments",
+      "appconfig:ListDeploymentStrategies",
+      "appconfig:ListEnvironments",
+      "appconfig:ListExtensionAssociations",
+      "appconfig:ListExtensions",
+      "appconfig:ListHostedConfigurationVersions",
+      "appconfig:ListTagsForResource",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "APPFLOW"
+    actions = ["appflow:DescribeConnectorEntity",
+      "appflow:DescribeConnectorProfiles",
+      "appflow:DescribeConnectors",
+      "appflow:DescribeFlow",
+      "appflow:DescribeFlowExecutionRecords",
+      "appflow:ListConnectorEntities",
+      "appflow:ListConnectors",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "DYNAMODB"
+    actions = ["dynamodb:GetResourcePolicy",
+      "dynamodb:DescribeContributorInsights",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "EBS"
+    actions = ["ebs:GetSnapshotBlock",
+      "ebs:ListSnapshotBlocks",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "LAKEFORMATION"
+    actions = ["lakeformation:DescribeLakeFormationIdentityCenterConfiguration",
+      "lakeformation:GetDataLakePrincipal",
+      "lakeformation:GetDataLakeSettings",
+      "lakeformation:GetEffectivePermissionsForPath",
+      "lakeformation:GetTableObjects",
+      "lakeformation:ListDataCellsFilter",
+      "lakeformation:ListPermissions",
+      "lakeformation:ListResources",
+      "lakeformation:ListTableStorageOptimizers",
+      "lakeformation:ListTransactions",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "LAMBDA"
+    actions = ["lambda:GetFunction",
+      "lambda:GetFunctionCodeSigningConfig",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "SCHEDULER"
+    actions = ["scheduler:GetSchedule",
+      "scheduler:GetScheduleGroup",
+      "scheduler:ListScheduleGroups",
+      "scheduler:ListSchedules",
+      "scheduler:ListTagsForResource",
+    ]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "SCHEMAS"
+    actions = ["schemas:GetCodeBindingSource"]
+    resources = ["*"]
+  }
+
+  statement {
+    sid = "DATASYNC"
+    actions = ["datasync:DescribeTaskExecution",
+      "datasync:DescribeLocationEfs",
+      "datasync:ListAgents",
+      "datasync:ListLocations",
+      "datasync:ListTaskExecutions",
+      "datasync:ListStorageSystems",
+      "datasync:DescribeLocationSmb",
+      "datasync:DescribeAgent",
+      "datasync:DescribeLocationFsxWindows",
+      "datasync:DescribeTask",
+      "datasync:DescribeLocationS3",
+      "datasync:DescribeDiscoveryJob",
+      "datasync:DescribeLocationObjectStorage",
+      "datasync:DescribeStorageSystem",
+      "datasync:DescribeLocationAzureBlob",
+      "datasync:ListTagsForResource",
+      "datasync:ListTasks",
+      "datasync:DescribeLocationHdfs",
+      "datasync:DescribeLocationFsxLustre",
+      "datasync:ListDiscoveryJobs",
+      "datasync:DescribeLocationNfs"
+    ]
+    resources = ["*"]
+  }
+}
+
 resource "aws_iam_policy" "lacework_audit_policy" {
   count       = var.use_existing_iam_role_policy ? 0 : 1
   name        = local.lacework_audit_policy_name
@@ -528,6 +668,14 @@ resource "aws_iam_policy" "lacework_audit_policy_2025_1" {
   tags        = var.tags
 }
 
+resource "aws_iam_policy" "lacework_audit_policy_2025_2" {
+  count       = var.use_existing_iam_role_policy ? 0 : 1
+  name        = local.lacework_audit_policy_name_2025_2
+  description = "An audit policy to allow Lacework to read configs (extends SecurityAudit), this is the third policy"
+  policy      = data.aws_iam_policy_document.lacework_audit_policy_2025_2[0].json
+  tags        = var.tags
+}
+
 resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment" {
   count      = var.use_existing_iam_role_policy ? 0 : 1
   role       = local.iam_role_name
@@ -542,6 +690,13 @@ resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_b" {
   depends_on = [module.lacework_cfg_iam_role]
 }
 
+resource "aws_iam_role_policy_attachment" "lacework_audit_policy_attachment_c" {
+  count      = var.use_existing_iam_role_policy ? 0 : 1
+  role       = local.iam_role_name
+  policy_arn = aws_iam_policy.lacework_audit_policy_2025_2[0].arn
+  depends_on = [module.lacework_cfg_iam_role]
+}
+
 # wait for X seconds for things to settle down in the AWS side
 # before trying to create the Lacework external integration
 resource "time_sleep" "wait_time" {