lacework · lokesh-vadlamudi · Oct 8, 2025
@@ -84,6 +84,9 @@ type GenerateAwsEksAuditTfConfigurationArgs struct {
 	// Should we enable bucket versioning?
 	BucketVersioning bool
 
+	// Custom outputs
+	CustomOutputs []lwgenerate.HclOutput
+
 	// The name of the AWS EKS Audit Log integration in Lacework. Defaults to "TF AWS EKS Audit Log"
 	EksAuditIntegrationName string
 
@@ -146,6 +149,15 @@ type GenerateAwsEksAuditTfConfigurationArgs struct {
 
 	// Existing S3 Bucket ARN (Required when using existing bucket)
 	ExistinglBucketArn string
+
+	// Default AWS Provider Tags
+	ProviderDefaultTags map[string]interface{}
+
+	// ExtraProviderArguments allows adding more arguments to the provider block as needed (custom use cases)
+	ExtraProviderArguments map[string]interface{}
+
+	// ExtraBlocks allows adding more hclwrite.Block to the root terraform document (advanced use cases)
+	ExtraBlocks []*hclwrite.Block
 }
 
 // Ensure all combinations of inputs our valid for supported spec
@@ -209,6 +221,35 @@ func WithLaceworkAccountID(accountID string) AwsEksAuditTerraformModifier {
 	}
 }
 
+// WithProviderDefaultTags adds default_tags to the provider configuration for AWS (if tags are present)
+func WithProviderDefaultTags(tags map[string]interface{}) AwsEksAuditTerraformModifier {
+	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
+		c.ProviderDefaultTags = tags
+	}
+}
+
+// WithConfigOutputs Set Custom Terraform Outputs
+func WithCustomOutputs(outputs []lwgenerate.HclOutput) AwsEksAuditTerraformModifier {
+	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
+		c.CustomOutputs = outputs
+	}
+}
+
+// WithExtraProviderArguments enables adding additional arguments into the `aws` provider block
+// this enables custom use cases
+func WithExtraProviderArguments(arguments map[string]interface{}) AwsEksAuditTerraformModifier {
+	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
+		c.ExtraProviderArguments = arguments
+	}
+}
+
+// WithExtraBlocks enables adding additional arbitrary blocks to the root hcl document
+func WithExtraBlocks(blocks []*hclwrite.Block) AwsEksAuditTerraformModifier {
+	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
+		c.ExtraBlocks = blocks
+	}
+}
+
 // WithAwsProfile Set the AWS Profile to utilize when integrating
 func WithAwsProfile(name string) AwsEksAuditTerraformModifier {
 	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
@@ -426,13 +467,25 @@ func (args *GenerateAwsEksAuditTfConfigurationArgs) Generate() (string, error) {
 		return "", errors.Wrap(err, "failed to generate aws eks audit module & resources")
 	}
 
+	outputBlocks := []*hclwrite.Block{}
+	for _, output := range args.CustomOutputs {
+		outputBlock, err := output.ToBlock()
+		if err != nil {
+			return "", errors.Wrap(err, "failed to add custom output")
+		}
+		outputBlocks = append(outputBlocks, outputBlock)
+	}
+
 	// Render
 	hclBlocks := lwgenerate.CreateHclStringOutput(
 		lwgenerate.CombineHclBlocks(
 			requiredProviders,
 			awsProvider,
 			laceworkProvider,
-			eksAuditModule),
+			eksAuditModule,
+			outputBlocks,
+			args.ExtraBlocks,
+		),
 	)
 	return hclBlocks, nil
 }
@@ -476,13 +529,33 @@ func createAwsProvider(args *GenerateAwsEksAuditTfConfigurationArgs) ([]*hclwrit
 			"region": region,
 		}
 
+		// set custom args before the required ones below to ensure expected behavior (i.e., no overrides)
+		for k, v := range args.ExtraProviderArguments {
+			attrs[k] = v
+		}
+
 		if args.AwsProfile != "" {
 			attrs["profile"] = args.AwsProfile
 		}
+		modifiers := []lwgenerate.HclProviderModifier{
+			lwgenerate.HclProviderWithAttributes(attrs),
+		}
+
+		if len(args.ProviderDefaultTags) != 0 {
+			defaultTagsBlock, err := lwgenerate.HclCreateGenericBlock(
+				"default_tags",
+				nil,
+				map[string]interface{}{"tags": args.ProviderDefaultTags},
+			)
+			if err != nil {
+				return nil, err
+			}
+			modifiers = append(modifiers, lwgenerate.HclProviderWithGenericBlocks(defaultTagsBlock))
+		}
 
 		providerBlock, err := lwgenerate.NewProvider(
 			"aws",
-			lwgenerate.HclProviderWithAttributes(attrs),
+			modifiers...,
 		).ToBlock()
 
 		if err != nil {

@@ -35,6 +35,7 @@ type Params struct {
 	Agentless       bool
 	Config          bool
 	CloudTrail      bool
+	EksAuditLog     bool
 	IsOrg           bool // If it's org-level integration
 	Region          string
 	Profile         string
@@ -85,6 +86,9 @@ func New(params Params) (*Preflight, error) {
 	if params.CloudTrail {
 		integrationTypes = append(integrationTypes, CloudTrail)
 	}
+	if params.EksAuditLog {
+		integrationTypes = append(integrationTypes, EksAuditLog)
+	}
 
 	preflight := &Preflight{
 		awsConfig:               cfg,

@@ -3,9 +3,10 @@ package aws
 type IntegrationType string
 
 const (
-	Agentless  IntegrationType = "aws_agentless"
-	Config     IntegrationType = "aws_config"
-	CloudTrail IntegrationType = "aws_cloudtrail"
+	Agentless   IntegrationType = "aws_agentless"
+	Config      IntegrationType = "aws_config"
+	CloudTrail  IntegrationType = "aws_cloudtrail"
+	EksAuditLog IntegrationType = "aws_eks_audit_log"
 )
 
 var RequiredPermissions = map[IntegrationType][]string{
@@ -394,6 +395,90 @@ var RequiredPermissions = map[IntegrationType][]string{
 		"sqs:SetQueueAttributes",
 		"sqs:TagQueue",
 	},
+	EksAuditLog: {
+		"ec2:DescribeRegions",
+		"s3:CreateBucket",
+		"s3:DeleteBucket",
+		"s3:ListBucket",
+		"s3:ListBucketVersions",
+		"s3:GetBucketPolicy",
+		"s3:GetBucketAcl",
+		"s3:GetBucketCORS",
+		"s3:GetBucketWebsite",
+		"s3:GetBucketVersioning",
+		"s3:GetAccelerateConfiguration",
+		"s3:GetBucketRequestPayment",
+		"s3:GetBucketLogging",
+		"s3:GetLifecycleConfiguration",
+		"s3:GetReplicationConfiguration",
+		"s3:GetEncryptionConfiguration",
+		"s3:GetBucketObjectLockConfiguration",
+		"s3:GetBucketTagging",
+		"s3:GetBucketOwnershipControls",
+		"s3:GetBucketPublicAccessBlock",
+		"s3:GetBucketNotification",
+		"s3:PutBucketOwnershipControls",
+		"s3:PutBucketPublicAccessBlock",
+		"s3:PutBucketVersioning",
+		"s3:PutBucketLogging",
+		"s3:PutLifecycleConfiguration",
+		"s3:PutEncryptionConfiguration",
+		"s3:PutBucketNotification",
+		"s3:PutBucketTagging",
+		"s3:DeleteObjectVersion",
+		"iam:CreateRole",
+		"iam:DeleteRole",
+		"iam:GetRole",
+		"iam:ListRolePolicies",
+		"iam:ListAttachedRolePolicies",
+		"iam:ListPolicyVersions",
+		"iam:ListInstanceProfilesForRole",
+		"iam:GetPolicy",
+		"iam:GetPolicyVersion",
+		"iam:CreatePolicy",
+		"iam:DeletePolicy",
+		"iam:AttachRolePolicy",
+		"iam:DetachRolePolicy",
+		"iam:ListAttachedUserPolicies",
+		"iam:ListUserPolicies",
+		"iam:ListGroupsForUser",
+		"iam:PassRole",
+		"iam:TagRole",
+		"iam:TagPolicy",
+		"kms:CreateKey",
+		"kms:PutKeyPolicy",
+		"kms:EnableKeyRotation",
+		"kms:DescribeKey",
+		"kms:GetKeyPolicy",
+		"kms:GetKeyRotationStatus",
+		"kms:ListResourceTags",
+		"kms:ScheduleKeyDeletion",
+		"kms:CreateAlias",
+		"kms:ListAliases",
+		"kms:DeleteAlias",
+		"kms:Encrypt",
+		"kms:Decrypt",
+		"kms:GenerateDataKey",
+		"kms:CreateGrant",
+		"kms:ListGrants",
+		"kms:RevokeGrant",
+		"kms:TagResource",
+		"SNS:CreateTopic",
+		"SNS:DeleteTopic",
+		"SNS:SetTopicAttributes",
+		"SNS:GetTopicAttributes",
+		"SNS:ListTagsForResource",
+		"SNS:TagResource",
+		"firehose:CreateDeliveryStream",
+		"firehose:DescribeDeliveryStream",
+		"firehose:StartDeliveryStreamEncryption",
+		"firehose:ListTagsForDeliveryStream",
+		"firehose:DeleteDeliveryStream",
+		"firehose:TagDeliveryStream",
+		"logs:PutSubscriptionFilter",
+		"logs:DescribeSubscriptionFilters",
+		"logs:DeleteSubscriptionFilter",
+	},
 }
 
 var RequiredPermissionsForOrg = map[IntegrationType][]string{
@@ -824,4 +909,88 @@ var RequiredPermissionsForOrg = map[IntegrationType][]string{
 		"sqs:SetQueueAttributes",
 		"sqs:TagQueue",
 	},
+	EksAuditLog: {
+		"ec2:DescribeRegions",
+		"s3:CreateBucket",
+		"s3:DeleteBucket",
+		"s3:ListBucket",
+		"s3:ListBucketVersions",
+		"s3:GetBucketPolicy",
+		"s3:GetBucketAcl",
+		"s3:GetBucketCORS",
+		"s3:GetBucketWebsite",
+		"s3:GetBucketVersioning",
+		"s3:GetAccelerateConfiguration",
+		"s3:GetBucketRequestPayment",
+		"s3:GetBucketLogging",
+		"s3:GetLifecycleConfiguration",
+		"s3:GetReplicationConfiguration",
+		"s3:GetEncryptionConfiguration",
+		"s3:GetBucketObjectLockConfiguration",
+		"s3:GetBucketTagging",
+		"s3:GetBucketOwnershipControls",
+		"s3:GetBucketPublicAccessBlock",
+		"s3:GetBucketNotification",
+		"s3:PutBucketOwnershipControls",
+		"s3:PutBucketPublicAccessBlock",
+		"s3:PutBucketVersioning",
+		"s3:PutBucketLogging",
+		"s3:PutLifecycleConfiguration",
+		"s3:PutEncryptionConfiguration",
+		"s3:PutBucketNotification",
+		"s3:PutBucketTagging",
+		"s3:DeleteObjectVersion",
+		"iam:CreateRole",
+		"iam:DeleteRole",
+		"iam:GetRole",
+		"iam:ListRolePolicies",
+		"iam:ListAttachedRolePolicies",
+		"iam:ListPolicyVersions",
+		"iam:ListInstanceProfilesForRole",
+		"iam:GetPolicy",
+		"iam:GetPolicyVersion",
+		"iam:CreatePolicy",
+		"iam:DeletePolicy",
+		"iam:AttachRolePolicy",
+		"iam:DetachRolePolicy",
+		"iam:ListAttachedUserPolicies",
+		"iam:ListUserPolicies",
+		"iam:ListGroupsForUser",
+		"iam:PassRole",
+		"iam:TagRole",
+		"iam:TagPolicy",
+		"kms:CreateKey",
+		"kms:PutKeyPolicy",
+		"kms:EnableKeyRotation",
+		"kms:DescribeKey",
+		"kms:GetKeyPolicy",
+		"kms:GetKeyRotationStatus",
+		"kms:ListResourceTags",
+		"kms:ScheduleKeyDeletion",
+		"kms:CreateAlias",
+		"kms:ListAliases",
+		"kms:DeleteAlias",
+		"kms:Encrypt",
+		"kms:Decrypt",
+		"kms:GenerateDataKey",
+		"kms:CreateGrant",
+		"kms:ListGrants",
+		"kms:RevokeGrant",
+		"kms:TagResource",
+		"SNS:CreateTopic",
+		"SNS:DeleteTopic",
+		"SNS:SetTopicAttributes",
+		"SNS:GetTopicAttributes",
+		"SNS:ListTagsForResource",
+		"SNS:TagResource",
+		"firehose:CreateDeliveryStream",
+		"firehose:DescribeDeliveryStream",
+		"firehose:StartDeliveryStreamEncryption",
+		"firehose:ListTagsForDeliveryStream",
+		"firehose:DeleteDeliveryStream",
+		"firehose:TagDeliveryStream",
+		"logs:PutSubscriptionFilter",
+		"logs:DescribeSubscriptionFilters",
+		"logs:DeleteSubscriptionFilter",
+	},
 }