This article covers using Terraform to configure AWS Systems Manager to deploy the Lacework Agent to supported EC2 instances.
Lacework maintains the terraform-aws-ssm-agent module, which creates an SSM document for managing the deployment of the Lacework agent to EC2 instances.
If you are new to the Lacework Terraform Provider, or Lacework Terraform Modules, read the Terraform for Lacework Overview article to learn the basics on how to configure the provider, and more.
Overview of Using AWS Systems Manager with Lacework
AWS Systems Manager (formerly known as SSM) is an AWS service that you can use to view and control your infrastructure on AWS. Using the Systems Manager console, you can view operational data from multiple AWS services and automate operational tasks across your AWS resources. Systems Manager helps you maintain security and compliance by scanning your managed instances and reporting on (or taking corrective action on) any policy violations it detects.
For Lacework customers who use AWS Systems Manager to manage EC2 instances in their AWS account, the terraform-aws-ssm-agent Terraform module can be used to create an SSM document that installs the Lacework agent on EC2 instances.
This installation method creates an agent access token, and then installs the latest stable (GA) version of the Lacework Datacollector agent.
Configuring AWS Systems Manager for Lacework Agent Deployments
The following code example creates a Lacework agent access token, then creates an SSM document to install the Lacework agent on EC2 instances. Additionally, an AWS resource group is created for EC2 instances that have the machine tag environment:testing, and the SSM document is associated with that resource group. Once Terraform executes, AWS Systems Manager is configured and the Lacework Datacollector agent is installed automatically.
The following example assumes you already have AWS Systems Manager configured on your instances. If you are new to AWS Systems Manager and want to test this install method, read the AWS Systems Manager Quick Setup documentation.
```hcl
provider "aws" {
  region = "us-east-1"
}

provider "lacework" {}

# Create an agent access token in Lacework
resource "lacework_agent_access_token" "ssm_deployment" {
  name        = "ssm-deployment"
  description = "Used to deploy agents using AWS System Manager"
}

# Create AWS SSM Document
module "lacework_aws_ssm_agents_install" {
  source  = "lacework/ssm-agent/aws"
  version = "~> 0.2.0"

  lacework_agent_tags = {
    env = "testing"
  }

  aws_resources_tags = {
    billing = "testing"
    owner   = "myself"
  }

  lacework_access_token = lacework_agent_access_token.ssm_deployment.token
}

# Create an AWS Resource group for EC2 Instances with
# the tag 'environment:testing'
resource "aws_resourcegroups_group" "testing" {
  name = "testing"

  resource_query {
    query = jsonencode({
      ResourceTypeFilters = ["AWS::EC2::Instance"]
      TagFilters = [
        {
          Key    = "environment"
          Values = ["testing"]
        }
      ]
    })
  }

  tags = {
    billing = "testing"
    owner   = "myself"
  }
}

# Create an SSM Association group called install-lacework-agents-testing-group
resource "aws_ssm_association" "lacework_aws_ssm_agents_install_testing" {
  association_name = "install-lacework-agents-testing-group"
  name             = module.lacework_aws_ssm_agents_install.ssm_document_name

  targets {
    key = "resource-groups:Name"
    values = [
      aws_resourcegroups_group.testing.name,
    ]
  }

  compliance_severity = "HIGH"
}
```
Run Terraform
This example shows 3 existing EC2 instances with the machine tag environment:testing.
- Copy and paste the code snippet above into a main.tf, and then save the file.
- Run terraform plan and review the changes. Four resources should be created.
- After you have reviewed the changes, run terraform apply -auto-approve to execute Terraform.
Validate Changes
After Terraform executes, open AWS Resource Groups in the region where you applied the changes. You should see a new resource group called testing with the instances that have the tag environment:testing.
Open AWS Systems Manager. Under Node Management, click State Manager, click the Association id for install-lacework-agents-testing-group, and then click the Resources tab, where you should see the status of the action taken on each instance.
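The console check above can be scripted so that agent coverage is verified after every apply rather than by eye. The following is an added example, not code from the Lacework docs or the terraform-aws-ssm-agent module: it parses the JSON that `aws ssm describe-association-execution-targets` returns for one association execution and reports any instance whose run did not end in Success. The field names (AssociationExecutionTargets, ResourceId, Status) follow the AWS SSM API as the example's author understands it, the instance IDs and execution IDs in the sample are constructed, and the script name check_ssm.py in the usage comment is hypothetical.

```python
"""Summarise per-instance status of an SSM State Manager association run.

Added example, not part of the Lacework documentation or module. The sample
data below is constructed, not captured from a real account.
"""
import json
import sys
from collections import Counter

# Constructed sample of what `aws ssm describe-association-execution-targets`
# returns: one record per instance the association targeted. IDs are made up.
SAMPLE_TARGETS_JSON = """
{
  "AssociationExecutionTargets": [
    {"AssociationId": "00000000-0000-0000-0000-000000000001",
     "ExecutionId": "11111111-1111-1111-1111-111111111111",
     "ResourceId": "i-0example000000001", "ResourceType": "ManagedInstance",
     "Status": "Success", "DetailedStatus": "Success"},
    {"AssociationId": "00000000-0000-0000-0000-000000000001",
     "ExecutionId": "11111111-1111-1111-1111-111111111111",
     "ResourceId": "i-0example000000002", "ResourceType": "ManagedInstance",
     "Status": "Success", "DetailedStatus": "Success"},
    {"AssociationId": "00000000-0000-0000-0000-000000000001",
     "ExecutionId": "11111111-1111-1111-1111-111111111111",
     "ResourceId": "i-0example000000003", "ResourceType": "ManagedInstance",
     "Status": "Failed", "DetailedStatus": "Failed"}
  ]
}
"""


def summarize_targets(targets):
    """Return (counts_by_status, instance_ids_without_success).

    From an agent-coverage point of view anything other than "Success" means
    the Datacollector may not be running, so Pending and Failed are both listed.
    """
    counts = Counter(t.get("Status", "Unknown") for t in targets)
    not_ok = sorted(t["ResourceId"] for t in targets if t.get("Status") != "Success")
    return counts, not_ok


def check_association_output(raw_json):
    """Parse the CLI/API JSON and return an (ok, report) tuple.

    ok is True only when the execution targeted at least one instance and every
    targeted instance reports Success; an empty target list means the resource
    group matched nothing, which is also a coverage problem.
    """
    data = json.loads(raw_json)
    targets = data.get("AssociationExecutionTargets", [])
    counts, not_ok = summarize_targets(targets)
    lines = [f"{status}: {n}" for status, n in sorted(counts.items())]
    if not targets:
        lines.append("no instances were targeted by this execution")
    if not_ok:
        lines.append("instances without a successful run: " + ", ".join(not_ok))
    return (len(targets) > 0 and not not_ok), "\n".join(lines)


if __name__ == "__main__":
    # Usage (hypothetical script name):
    #   aws ssm describe-association-execution-targets \
    #     --association-id <id> --execution-id <exec-id> | python3 check_ssm.py
    # With nothing on stdin the constructed sample above is used instead.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_TARGETS_JSON
    ok, report = check_association_output(raw)
    print(report)
    sys.exit(0 if ok else 1)
```

The non-zero exit code is what makes this usable as a post-apply gate in a pipeline: a Failed or Pending instance, or an association that targeted no instances at all (a resource group whose tag filter matched nothing), fails the step instead of being missed in the console.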