Manage Custom Policies with Terraform
You can manage Lacework custom policies with Terraform using the Lacework Terraform Provider.
The Terraform Provider provides two resources for managing custom policy workflows:
lacework_policy
lacework_query
Lacework Query Terraform Resource
The lacework_query resource lets you define a Lacework Query Language (LQL) query as a Terraform resource, so queries are created, updated, and version-controlled from Terraform alongside the rest of your configuration.
Example lacework_query
The following example defines a lacework_query resource that returns all EC2 instances that have a public IP address.
resource "lacework_query" "example" {
  query_id = "TF_AWS_Config_EC2InstanceWithPublicIPAddress"
  query    = <<EOT
  {
    source {
      LW_CFG_AWS_EC2_INSTANCES
    }
    filter {
      value_exists(RESOURCE_CONFIG:PublicIpAddress)
    }
    return distinct {
      ACCOUNT_ALIAS,
      ACCOUNT_ID,
      ARN as RESOURCE_KEY,
      RESOURCE_REGION,
      RESOURCE_TYPE,
      SERVICE,
      case when RESOURCE_TYPE = 'ec2:instance' then 'HasPublicIp'
      end as COMPLIANCE_FAILURE_REASON
    }
  }
  EOT
}
For more information about the Lacework Query Terraform resource, see lacework_query on the Terraform Registry.
Lacework Policy Terraform Resource
The lacework_policy resource provides the ability to define custom policies as Terraform resources. A policy attaches a query to a title, description, remediation guidance, severity, and alerting settings, which improves the context of alerts, reports, and information displayed in the Lacework Console, all managed from Terraform.
Example lacework_policy
The following example uses a query resource together with a policy resource to detect a successful change of the master user password on an Aurora RDS cluster.
resource "lacework_query" "AWS_CTA_AuroraPasswordChange" {
  query_id = "TF_AWS_CTA_AuroraPasswordChange"
  query    = <<EOT
  {
    source {
      CloudTrailRawEvents
    }
    filter {
      EVENT_SOURCE = 'rds.amazonaws.com'
      and EVENT_NAME = 'ModifyDBCluster'
      and value_exists(EVENT:requestParameters.masterUserPassword)
      and EVENT:requestParameters.applyImmediately = true
      and ERROR_CODE is null
    }
    return distinct {
      INSERT_ID,
      INSERT_TIME,
      EVENT_TIME,
      EVENT
    }
  }
  EOT
}
resource "lacework_policy" "example" {
  title       = "Aurora Password Change"
  description = "Password for an Aurora RDS cluster was changed"
  remediation = "Check that the password change was expected and ensure only specified users can modify the RDS cluster"
  # Referencing the query resource creates an implicit dependency, so Terraform
  # creates the query before the policy and destroys them in reverse order.
  query_id    = lacework_query.AWS_CTA_AuroraPasswordChange.id
  severity    = "High"
  type        = "Violation"
  evaluation  = "Hourly"
  # As written, the policy is created but not evaluated and raises no alerts.
  # Set both flags to true once the query has been validated.
  enabled     = false

  alerting {
    enabled = false
    profile = "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource"
  }
}
For more information about the Lacework Policy Terraform resource, see lacework_policy on the Terraform Registry.
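The examples above manage one query and one policy each. The following added example (not from the Lacework documentation or the provider itself) generalizes that pattern: a single map drives a query resource and a policy resource per entry with for_each, so every policy references the query Terraform created for it, and a variable decides whether the policies are enforced. It assumes the lacework provider is configured elsewhere in the module; the map keys, the LQL bodies, and the enforce variable are constructed for illustration.

```hcl
# Added example; not code from the Lacework docs or the Terraform provider.
# Assumes a configured lacework provider (lacework/lacework) in this module.

variable "enforce" {
  description = "When false, policies are created disabled for review first."
  type        = bool
  default     = false
}

locals {
  # Constructed sample definitions. Each key becomes the query ID.
  custom_policies = {
    TF_AWS_CTA_SecurityGroupIngressAuthorized = {
      title       = "Security group ingress rule authorized"
      description = "An ingress rule was added to a security group"
      remediation = "Confirm the rule was intended and that its source CIDR is as narrow as possible"
      severity    = "High"
      query       = <<-EOT
        {
          source {
            CloudTrailRawEvents
          }
          filter {
            EVENT_SOURCE = 'ec2.amazonaws.com'
            and EVENT_NAME = 'AuthorizeSecurityGroupIngress'
            and ERROR_CODE is null
          }
          return distinct {
            INSERT_ID,
            INSERT_TIME,
            EVENT_TIME,
            EVENT
          }
        }
      EOT
    }
    TF_AWS_CTA_IamUserCreated = {
      title       = "IAM user created"
      description = "A new IAM user was created"
      remediation = "Verify the user was created through an approved process"
      severity    = "Medium"
      query       = <<-EOT
        {
          source {
            CloudTrailRawEvents
          }
          filter {
            EVENT_SOURCE = 'iam.amazonaws.com'
            and EVENT_NAME = 'CreateUser'
            and ERROR_CODE is null
          }
          return distinct {
            INSERT_ID,
            INSERT_TIME,
            EVENT_TIME,
            EVENT
          }
        }
      EOT
    }
  }
}

# One lacework_query per map entry.
resource "lacework_query" "custom" {
  for_each = local.custom_policies
  query_id = each.key
  query    = each.value.query
}

# One lacework_policy per map entry, bound to its own query by resource
# reference rather than by a hard-coded string, so a renamed or removed
# query cannot leave a policy pointing at an ID that no longer exists.
resource "lacework_policy" "custom" {
  for_each    = local.custom_policies
  title       = each.value.title
  description = each.value.description
  remediation = each.value.remediation
  query_id    = lacework_query.custom[each.key].id
  severity    = each.value.severity
  type        = "Violation"
  evaluation  = "Hourly"
  enabled     = var.enforce

  alerting {
    enabled = var.enforce
    profile = "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource"
  }
}

output "custom_policy_ids" {
  description = "Resource IDs of the managed policies, keyed by query ID."
  value       = { for k, p in lacework_policy.custom : k => p.id }
}
```

Apply first with the default enforce = false to review the queries in the Lacework Console, then apply again with -var enforce=true to turn evaluation and alerting on in one step; because both flags come from the same variable, a policy cannot end up evaluated but silently not alerting.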