Terraform for Lacework Overview
This topic provides a foundational overview of using Terraform to manage the configuration of Lacework and its integrations with public cloud providers and other services.
For organizations that have adopted Hashicorp Terraform for automation, Lacework maintains the following open source projects on the Terraform Registry for automating the Lacework platform and integrations between Lacework and public cloud environments:
- Terraform provider for Lacework - The Terraform provider for Lacework is a collection of custom resources for managing the configuration of the Lacework platform as code.
- Terraform modules - A collection of Terraform modules for integrating AWS, Google Cloud, and Azure public cloud environments.
The purpose of the Lacework Terraform provider and modules is to enable you to manage all aspects of Lacework using automation in a manner that is fast, efficient, and secure.
Getting Started with Terraform for Lacework
Before using any of the Terraform projects for Lacework, it is helpful to have a solid understanding of how Terraform works, including writing plans, configuring Terraform providers, and using Terraform modules developed by Hashicorp and the Terraform community.
If you are new to Terraform and want to learn the basics, Hashicorp has excellent documentation on getting started with Terraform.
Terraform Version Support
Lacework Terraform projects support the following versions of Terraform:
- ~> 1.1
- ~> 1.0
- ~> 0.15
- ~> 0.14
With Terraform 0.13+ you must use the required_providers nested block inside the terraform configuration block in order to resolve the Terraform provider for Lacework on the Terraform Registry:
terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

provider "lacework" {
  # Configuration options
}
Configuration
The Terraform provider for Lacework must be configured to authenticate with a Lacework account. The next section discusses how to configure the Lacework provider.
Create Lacework API Key
The Terraform provider for Lacework requires an API key and secret to authenticate with Lacework. Lacework account administrators can create Lacework API keys via the Lacework Console. For more information, go to API Access Keys.
- Log in to the Lacework Console.
- Click Settings > Configuration > API keys.
- Click + Add New.
- Enter a name for the key and an optional description.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The contents of your API key file contain a keyId, secret, subAccount, and account:
{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "subaccount",
  "account": "myaccount.lacework.net"
}
Configure Using the Lacework CLI (Recommended)
The Terraform provider for Lacework can leverage configuration from the Lacework CLI. When you install and configure the Lacework CLI on the system that you plan to run Terraform from, this generates a configuration file named .lacework.toml that stores API keys for any accounts you configured. The configuration file's default location:
- Linux and OS X - $HOME/.lacework.toml
- Windows - %USERPROFILE%\.lacework.toml
You can manage the configuration file using the Lacework CLI. This method also supports a profile configuration and a matching LW_PROFILE environment variable.
provider "lacework" {
  profile = "custom-profile"
}
Organization Accounts
A Lacework organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.
important
To manage multiple accounts, a user must have the Organization Admin role.
Use the subaccount argument to switch to a different account inside your Lacework organization.
The following example shows a default profile that has access to the primary account named my-company:
# Example .lacework.toml - Config for Lacework CLI
[default]
account = "my-company"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2
To access your sub-account named business-unit, specify the subaccount argument.
# Example main.tf
provider "lacework" {
  alias = "primary"
}

provider "lacework" {
  alias = "business-unit"
  # This uses the same default profile but points to a sub-account
  subaccount = "business-unit"
}
From there, you can pass the provider meta-argument with the alias to any resource to switch between accounts:
resource "lacework_alert_channel_slack" "primary_critical" {
  provider = lacework.primary
  # ...
}

resource "lacework_alert_channel_slack" "business_unit_critical" {
  provider = lacework.business-unit
  # ...
}
For more information on using alias to configure multiple providers, see Multiple Provider Configurations on the Terraform documentation site.
Environment Variables
You can provide your credentials via the LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET environment variables. These variables represent your Lacework account subdomain of the URL, Lacework API access key, and Lacework API access secret, respectively.
provider "lacework" {}

# Linux and OS X
export LW_ACCOUNT="my-account"
export LW_API_KEY="my-api-key"
export LW_API_SECRET="my-api-secret"

# Windows (PowerShell)
$Env:LW_ACCOUNT = "my-account"
$Env:LW_API_KEY = "my-api-key"
$Env:LW_API_SECRET = "my-api-secret"
Static Credentials
You can provide static credentials by adding the account, api_key, and api_secret arguments in-line in the Lacework provider block:
provider "lacework" {
  account    = "my-account"
  api_key    = "my-api-key"
  api_secret = "my-api-secret"
}
warning
Hard coding credentials into any Terraform configuration is not recommended. Secrets could be leaked by committing hard-coded credentials to a public version control system.
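The following is an added example, not code from the Lacework documentation, showing the alternative to in-line credentials that the warning above points toward: declare the credentials as input variables marked sensitive and supply their values at run time (for example through TF_VAR_* environment variables or a tfvars file excluded from version control), so nothing secret is written into the configuration. The variable names are assumptions chosen for this example.

```hcl
# Added example (not from the Lacework docs). Credentials are never written
# into the configuration; they arrive as input variables at plan/apply time.

variable "lacework_account" {
  description = "Lacework account subdomain, e.g. my-account"
  type        = string
}

variable "lacework_api_key" {
  description = "Lacework API key ID (supplied via TF_VAR_lacework_api_key or a git-ignored tfvars file)"
  type        = string
  sensitive   = true # redacted from plan and apply output
}

variable "lacework_api_secret" {
  description = "Lacework API secret (supplied via TF_VAR_lacework_api_secret or a git-ignored tfvars file)"
  type        = string
  sensitive   = true # redacted from plan and apply output
}

provider "lacework" {
  account    = var.lacework_account
  api_key    = var.lacework_api_key
  api_secret = var.lacework_api_secret
}
```

The sensitive attribute on variables requires Terraform 0.14 or later, which matches the versions listed under Version Support. Note that marking a variable sensitive only redacts it from plan and apply output; values that end up in Terraform state are still stored there in clear text, so the state backend itself must be access-controlled and encrypted.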
Organization Level Access
Organization administrators can access organization level data sets by setting the organization argument to true.
provider "lacework" {
  organization = true
}
important
When accessing organization level data sets, the subaccount argument is ignored.
Using this type of configuration is intended for managing resources such as alerts, resource groups, team members, cloud accounts, and more, at the organization level.
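As an added example that is not part of the Lacework documentation, the configuration below combines the Organization Accounts and Organization Level Access sections into one root module: an organization-scoped provider alias, a primary-account alias, and a sub-account alias, with the aliased providers handed to both a resource and a child module through the providers meta-argument. It assumes a Lacework CLI default profile whose user holds the Organization Admin role, a sub-account named business-unit, a placeholder Slack webhook URL, and a hypothetical local module at ./modules/alert-channels that declares the lacework provider in its own required_providers block.

```hcl
# Added example (not from the Lacework docs). Assumes a "default" Lacework CLI
# profile with the Organization Admin role and a sub-account named
# "business-unit". The module path and webhook URL are placeholders.

# Organization-level configuration; the subaccount argument is ignored here.
provider "lacework" {
  alias        = "org"
  organization = true
}

# Primary account resolved from the default CLI profile.
provider "lacework" {
  alias = "primary"
}

# Same profile, scoped to a single sub-account.
provider "lacework" {
  alias      = "business-unit"
  subaccount = "business-unit"
}

# Alert channel managed at the organization level.
resource "lacework_alert_channel_slack" "org_critical" {
  provider  = lacework.org
  name      = "org-critical-alerts"
  slack_url = "https://hooks.slack.com/services/PLACEHOLDER/ORG" # placeholder
}

# Alert channel that exists only in the primary account.
resource "lacework_alert_channel_slack" "primary_critical" {
  provider  = lacework.primary
  name      = "primary-critical-alerts"
  slack_url = "https://hooks.slack.com/services/PLACEHOLDER/PRIMARY" # placeholder
}

# Hand the sub-account provider to a child module. The module must declare
# lacework in its own required_providers block for this mapping to resolve.
module "business_unit_channels" {
  source = "./modules/alert-channels" # hypothetical local module

  providers = {
    lacework = lacework.business-unit
  }
}
```

Because every provider block carries an alias, no default (unaliased) lacework provider exists in this root module, so any resource that omits the provider meta-argument will fail at plan time rather than silently landing in the wrong account; that is a useful property when several accounts are managed from one configuration.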
Version Pinning
Lacework Terraform projects are under heavy development with frequent releases. It is important to create a strategy for upgrading and testing new releases within your environment to avoid unintentional changes due to new features and/or new functionality. This is especially important if you plan to run Terraform continuously using a CI/CD pipeline.
The following example shows how to pin to a specific version of the Terraform provider for Lacework:
terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "0.3.1" # Version is pinned to 0.3.1
    }
  }
}

provider "lacework" {
  # Configuration options
}
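For a configuration that runs continuously from a CI/CD pipeline, as the paragraph above recommends, the Terraform CLI version is worth pinning alongside the provider. The following added example (not from the Lacework documentation) shows both pins using pessimistic constraints; the version numbers are placeholders to be replaced with the releases you have tested.

```hcl
# Added example (not from the Lacework docs). Versions below are placeholders.
terraform {
  # Accept only 1.1.x patch releases of the Terraform CLI.
  required_version = "~> 1.1.0"

  required_providers {
    lacework = {
      source = "lacework/lacework"
      # "~> 1.0.0" allows 1.0.x patch releases only; an exact string such as
      # "1.0.0" would accept nothing else.
      version = "~> 1.0.0"
    }
  }
}

provider "lacework" {
  # Configuration options
}
```

Commit the .terraform.lock.hcl file that terraform init writes so the pipeline resolves the same provider build on every run; move to a newer release deliberately with terraform init -upgrade followed by a reviewed plan, rather than letting a scheduled apply pick it up.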
Next Steps
Explore some specific use cases with Terraform for Lacework:
- AWS Integration with Terraform
- Azure Integration with Terraform
- GCP Integration with Terraform
- Deploy Lacework Agent to Kubernetes with Terraform
- Install Agent on AWS EC2 Instances Using Terraform and AWS Systems Manager
- Manage Alert Channels with Terraform
- Manage Alert Profiles with Terraform
- Manage Alert Rules with Terraform
- Manage Resource Groups with Terraform