Manage Custom Policies with Terraform

You can manage Lacework custom policies with Terraform using the Lacework Terraform Provider.

The Terraform Provider provides two resources for managing custom policy workflows:

  • lacework_policy
  • lacework_query

Lacework Query Terraform Resource

The lacework_query resource provides the ability to define LQL as a Terraform resource. This allows the management of queries from Terraform.

Example lacework_query

The following example shows how to define a Terraform resource to query all EC2 instances with public IP addresses.

resource "lacework_query" "example" {
  query_id = "TF_AWS_Config_EC2InstanceWithPublicIPAddress"
  query    = <<EOT
  {
      source {
          LW_CFG_AWS_EC2_INSTANCES
      }
      filter {
          value_exists(RESOURCE_CONFIG:PublicIpAddress)
      }
      return distinct {
          ACCOUNT_ALIAS,
          ACCOUNT_ID,
          ARN as RESOURCE_KEY,
          RESOURCE_REGION,
          RESOURCE_TYPE,
          SERVICE,
          case when RESOURCE_TYPE = 'ec2:instance' then 'HasPublicIp'
          end as COMPLIANCE_FAILURE_REASON
      }
  }
  EOT
}

For more information about the Lacework Query Terraform resource, see lacework_query on the Terraform Registry.

Lacework Policy Terraform Resource

The lacework_policy resource provides the ability to define custom policies as a Terraform resource. Each policy attaches a title, description, remediation guidance, severity and alerting settings to a query, which improves the context of the alerts, reports, and information displayed in the Lacework Console, all managed from Terraform.

Example lacework_policy

The following example shows how to use the query resource in combination with the policy resource to detect a master user password change on an Aurora RDS cluster (a successful rds.amazonaws.com ModifyDBCluster call that sets masterUserPassword with applyImmediately).

resource "lacework_query" "AWS_CTA_AuroraPasswordChange" {
  query_id = "TF_AWS_CTA_AuroraPasswordChange"
  query    = <<EOT
  {
      source {
          CloudTrailRawEvents
      }
      filter {
          EVENT_SOURCE = 'rds.amazonaws.com'
          and EVENT_NAME = 'ModifyDBCluster'
          and value_exists(EVENT:requestParameters.masterUserPassword)
          and EVENT:requestParameters.applyImmediately = true
          and ERROR_CODE is null
      }
      return distinct {
          INSERT_ID,
          INSERT_TIME,
          EVENT_TIME,
          EVENT
      }
  }
  EOT
}

resource "lacework_policy" "example" {
  title       = "Aurora Password Change"
  description = "Password for an Aurora RDS cluster was changed"
  remediation = "Check that the password change was expected and ensure only specified users can modify the RDS cluster"
  query_id    = lacework_query.AWS_CTA_AuroraPasswordChange.id
  severity    = "High"
  type        = "Violation"
  evaluation  = "Hourly"
  enabled     = false

  alerting {
    enabled = false
    profile = "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource"
  }
}

For more information about the Lacework Policy Terraform resource, see lacework_policy on the Terraform Registry.
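As an added example (not from the Lacework documentation or the Terraform provider), the following manages several CloudTrail query/policy pairs from one map with for_each, so every query gets a policy with the same type, evaluation and alert profile and nothing is left disabled by accident. The .lql file paths, the second (ModifyDBInstance) entry and its title, description and remediation text are assumptions; the attribute names and the alert profile are the ones used on this page.

```hcl
# Added example, not provider code: one map drives both resources so a query
# can never be created without its policy. Query text lives in .lql files
# (paths assumed) next to this module.
locals {
  cloudtrail_policies = {
    aurora_password_change = {
      query_id    = "TF_AWS_CTA_AuroraPasswordChange"
      query_file  = "lql/aurora_password_change.lql" # assumed path
      title       = "Aurora Password Change"
      description = "Password for an Aurora RDS cluster was changed"
      remediation = "Check that the password change was expected and ensure only specified users can modify the RDS cluster"
      severity    = "High"
    }
    # Assumed second entry: same pattern for single RDS instances
    # (ModifyDBInstance with masterUserPassword), query text in its own file.
    rds_instance_password_change = {
      query_id    = "TF_AWS_CTA_RdsInstancePasswordChange"
      query_file  = "lql/rds_instance_password_change.lql" # assumed path
      title       = "RDS Instance Password Change"
      description = "Master user password for an RDS instance was changed"
      remediation = "Confirm the change was approved and review who holds rds:ModifyDBInstance"
      severity    = "High"
    }
  }
}

resource "lacework_query" "cloudtrail" {
  for_each = local.cloudtrail_policies
  query_id = each.value.query_id
  query    = file("${path.module}/${each.value.query_file}")
}

resource "lacework_policy" "cloudtrail" {
  for_each    = local.cloudtrail_policies
  title       = each.value.title
  description = each.value.description
  remediation = each.value.remediation
  query_id    = lacework_query.cloudtrail[each.key].id # ties policy to its query
  severity    = each.value.severity
  type        = "Violation"
  evaluation  = "Hourly"
  enabled     = true # enabled, unlike the disabled example above

  alerting {
    enabled = true
    profile = "LW_CloudTrail_Alerts.CloudTrailDefaultAlert_AwsResource"
  }
}
```

Adding a detection is then a matter of adding one map entry and one .lql file; `terraform plan` shows exactly one new query and one new policy per entry.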