Terraform for Lacework Overview

This topic provides a foundational overview of using Terraform to manage the configuration of Lacework, its integrations with public cloud providers, and other services.

For organizations that have adopted Hashicorp Terraform for automation, Lacework maintains the following open source projects on the Terraform Registry for automating the Lacework platform and integrations between Lacework and public cloud environments:

  • Terraform provider for Lacework - The Terraform provider for Lacework is a collection of custom resources for managing the configuration of the Lacework platform as code.
  • Terraform modules - A collection of Terraform modules for integrating AWS, Google Cloud, and Azure public cloud environments.

The purpose of the Lacework Terraform provider and modules is to enable you to manage all aspects of Lacework using automation in a manner that is fast, efficient, and secure.

Getting Started with Terraform for Lacework

Before using any of the Terraform projects for Lacework, it is helpful to have a solid understanding of how Terraform works, including writing plans, configuring Terraform providers, and using Terraform modules developed by Hashicorp and the Terraform community.

If you are new to Terraform and want to learn the basics, Hashicorp has excellent documentation on getting started with Terraform.

Terraform Version Support

Lacework Terraform projects support the following versions of Terraform:

  • ~> 1.1
  • ~> 1.0
  • ~> 0.15
  • ~> 0.14

With Terraform 0.13+ you must use the required_providers nested block inside the Terraform configuration block in order to resolve the Terraform provider for Lacework on the Terraform Registry:

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

provider "lacework" {
  # Configuration options
}

Configuration

The Terraform provider for Lacework must be configured to authenticate with a Lacework account. The next section discusses how to configure the Lacework provider.

Create Lacework API Key

The Terraform provider for Lacework requires an API key and secret to authenticate with Lacework. Lacework account administrators can create Lacework API keys via the Lacework Console. For more information, go to API Access Keys.

  1. Log in to the Lacework Console.
  2. Click Settings > Configuration > API keys.
  3. Click + Add New.
  4. Enter a name for the key and an optional description.
  5. Click Save.
  6. Click the ... icon and then Download to save the API key file locally.

The contents of your API key contain a keyId, secret, subAccount, and account:

{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "subaccount",
  "account": "myaccount.lacework.net"
}

The Terraform provider for Lacework can leverage configuration from the Lacework CLI. When you install and configure the Lacework CLI on the system that you plan to run Terraform from, this generates a configuration file named .lacework.toml that stores API keys for any accounts you configured. The configuration file's default location:

  • Linux and OS X - $HOME/.lacework.toml
  • Windows - %USERPROFILE%\.lacework.toml

You can manage the configuration file using the Lacework CLI. This method also supports a profile configuration and matching LW_PROFILE environment variable.

provider "lacework" {
  profile = "custom-profile"
}

Organization Accounts

A Lacework organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.

important

To manage multiple accounts, a user must have the Organization Admin role.

Use the subaccount argument to switch to a different account inside your Lacework organization.

The following example shows a default profile that has access to the primary account named my-company:

# Example .lacework.toml - Config for Lacework CLI

[default]
account = "my-company"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2

To access your sub-account named business-unit, specify the subaccount argument.

# Example main.tf
provider "lacework" {
  alias = "primary"
}

provider "lacework" {
  alias = "business-unit"
  # This uses the same default profile but points to a sub-account
  subaccount = "business-unit"
}

From there, you can pass the alias meta-argument to any resource to switch between accounts:

resource "lacework_alert_channel_slack" "primary_critical" {
  provider = lacework.primary
  # ...
}

resource "lacework_alert_channel_slack" "business_unit_critical" {
  provider = lacework.business-unit
  # ...
}

For more information on using alias to configure multiple providers, see Multiple Provider Configurations on the Terraform documentation site.

Environment Variables

You can provide your credentials via the LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET environment variables. These variables hold the subdomain of your Lacework account URL, your Lacework API access key, and your Lacework API access secret, respectively.

provider "lacework" {}

Bash:

export LW_ACCOUNT="my-account"
export LW_API_KEY="my-api-key"
export LW_API_SECRET="my-api-secret"

PowerShell:

$Env:LW_ACCOUNT = "my-account"
$Env:LW_API_KEY = "my-api-key"
$Env:LW_API_SECRET = "my-api-secret"
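As an added example (not code from the Lacework documentation or provider), the following Python helper turns the API key file downloaded in the steps above into either the LW_* environment variables or a .lacework.toml profile described on this page, so the secret never has to be written into a provider block. It assumes an LW_SUBACCOUNT variable and a toml subaccount key, neither of which this page lists, and that the account field takes the subdomain only (the page shows "my-company", not the full hostname).

```python
import json
import shlex

# Constructed sample with the same fields as the key file downloaded from the Lacework Console.
SAMPLE_KEY_FILE = """{
  "keyId": "ACCOUNT_EXAMPLEKEYID00000000000000000000000000000000",
  "secret": "_exampleSecret0000000000000000000",
  "subAccount": "business-unit",
  "account": "my-company.lacework.net"
}"""

def account_subdomain(account: str) -> str:
    # LW_ACCOUNT and the .lacework.toml account field take the subdomain ("my-company"),
    # so a full "my-company.lacework.net" value is trimmed (assumed normalisation).
    account = account.strip().lower()
    suffix = ".lacework.net"
    return account[:-len(suffix)] if account.endswith(suffix) else account

def parse_key_file(text: str) -> dict:
    # Map the key file's keyId/secret/account/subAccount onto the provider's arguments.
    data = json.loads(text)
    missing = [k for k in ("keyId", "secret", "account") if not data.get(k)]
    if missing:
        raise ValueError(f"key file is missing required fields: {missing}")
    return {
        "account": account_subdomain(data["account"]),
        "api_key": data["keyId"],
        "api_secret": data["secret"],
        "subaccount": data.get("subAccount") or None,
    }

def to_env_exports(creds: dict) -> str:
    # Bash export lines for LW_ACCOUNT, LW_API_KEY and LW_API_SECRET; LW_SUBACCOUNT is an
    # assumed variable name for the provider's subaccount argument.
    lines = [f"export LW_ACCOUNT={shlex.quote(creds['account'])}",
             f"export LW_API_KEY={shlex.quote(creds['api_key'])}",
             f"export LW_API_SECRET={shlex.quote(creds['api_secret'])}"]
    if creds["subaccount"]:
        lines.append(f"export LW_SUBACCOUNT={shlex.quote(creds['subaccount'])}")
    return "\n".join(lines) + "\n"

def to_toml_profile(creds: dict, profile: str = "default") -> str:
    # A profile in the layout of the page's .lacework.toml example; the subaccount key is assumed.
    lines = [f"[{profile}]", f'account = "{creds["account"]}"']
    if creds["subaccount"]:
        lines.append(f'subaccount = "{creds["subaccount"]}"')
    lines += [f'api_key = "{creds["api_key"]}"', f'api_secret = "{creds["api_secret"]}"', "version = 2"]
    return "\n".join(lines) + "\n"
```

If you write the profile to $HOME/.lacework.toml yourself rather than through the Lacework CLI, give the file owner-only permissions, since it stores the API secret.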

Static Credentials

You can provide static credentials by adding the account, api_key, and api_secret in-line in the Lacework provider block:

provider "lacework" {
  account    = "my-account"
  api_key    = "my-api-key"
  api_secret = "my-api-secret"
}

warning

Hard-coding credentials into any Terraform configuration is not recommended. Secrets can be leaked by committing hard-coded credentials to a public version control system.

Organization Level Access

Organization administrators can access organization level data sets by setting the organization argument to true.

provider "lacework" {
  organization = true
}

important

When accessing organization level data sets, the subaccount argument is ignored.

Using this type of configuration is intended for managing resources such as alerts, resource groups, team members, cloud accounts, and more, at the organization level.

Version Pinning

Lacework Terraform projects are under heavy development with frequent releases. It is important to create a strategy for upgrading and testing new releases within your environment to avoid unintentional changes caused by new features or new functionality. This is especially important if you plan to run Terraform continuously in a CI/CD pipeline.

The following example shows how to pin to a specific version of the Terraform provider for Lacework:

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "0.3.1" # Version is pinned to 0.3.1
    }
  }
}

provider "lacework" {
  # Configuration options
}

Next Steps

Explore some specific use cases with Terraform for Lacework: