Terraform for Lacework Overview

Welcome to the getting started with Terraform for Lacework overview! This article provides a foundational overview of using Terraform to manage the configuration of Lacework and integrations with public cloud providers, and other services.

For organizations that have adopted Hashicorp Terraform for automation, Lacework maintains the following open source projects on the Terraform Registry for automating the Lacework platform, and integrations between Lacework and public cloud environments:

• Terraform Provider for Lacework - The Terraform Provider for Lacework is a collection of custom resources for managing the configuration of the Lacework Platform as code.
• Terraform Modules - A collection of Terraform modules for integrating AWS, Google Cloud, and Azure public cloud environments.

The purpose of the Lacework Terraform Provider and Modules is to enable customers to manage all aspects of their usage of Lacework using automation in a manner that is fast, efficient, and secure.

Getting Started with Terraform for Lacework

Before using any of the Terraform projects for Lacework, it is helpful to have a solid understanding of how Terraform works including writing plans, configuring Terraform providers, and using Terraform modules developed by Hashicorp and the Terraform community.

If you are new to Terraform and want to learn the basics, Hashicorp has excellent documentation on getting started with Terraform.

Terraform Version Support

Lacework Terraform projects support the following versions of Terraform:

• ~> 1.0
• ~> 0.15
• ~> 0.14
• ~> 0.13
• >= 0.12.31

With Terraform 0.13+ you will need to use the required_providers nested block inside the terraform configuration block in order to resolve the Terraform Provider for Lacework on the Terraform Registry:

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "~> 0.3"
    }
  }
}

provider "lacework" {
  # Configuration options
}

Terraform v0.12.31 will accept syntax like the above example but will understand it in the same way as the following v0.12-style syntax:

terraform {
  required_providers {
    lacework = {
      version = "~> 0.3"
    }
  }
}

provider "lacework" {
  # Configuration options
}

Configuration

The Terraform Provider for Lacework needs to be configured to authenticate with a Lacework account. This next section provides instructions for configing the Lacework provider.

Create Lacework API Key

The Terraform Provider for Lacework requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework console.

1. Log in to the Lacework Console.
2. Click Settings > API Keys.
3. Click Create New API Key.
4. Give the API key a Name and optional Description.
5. Click Save.
6. Click Download to save the API Key file locally.

The contents of your API key contain a keyId secret, subAccount, and account:

 {
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "subaccount",
  "account": "myaccount.lacework.net"
 }

Configure Using the Lacework CLI (Recommended)

The Terraform Provider for Lacework has the ability to leverage configuration from the Lacework CLI. Once the Lacework CLI is installed and configured on the system that you plan to run Terraform from, a configuration file named .lacework.toml that stores API keys for any accounts you have configured is generated. The default location on Linux and OS X is $HOME/.lacework.toml, and for Windows users is %USERPROFILE%\.lacework.toml.

This configuration file can be easily managed using the Lacework CLI. This method also supports a profile configuration and matching LW_PROFILE environment variable.

provider "lacework" {
  profile = "custom-profile"
}

Organizational Accounts

An organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.

Warning: To manage multiple accounts, a user must have the Organization Admin role.

Use the argument subaccount to switch to a different account inside your Lacework organization.

The following example shows a default profile that has access to the primary account named my-company:

# Example .lacework.toml - Config for Lacework CLI

[default]
  account = "my-company"
  api_key = "my-api-key"
  api_secret = "my-api-secret"
  version = 2

To access your sub-account named business-unit you would specify the argument subaccount.

## Example main.tf
provider "lacework" {
  alias = "primary"
}

provider "lacework" {
  alias      = "business-unit"
  # This uses the same default profile but points to a sub-account 
  subaccount = "business-unit"
}

From there, you can pass the alias meta-argument to any resource to switch between accounts:

resource "lacework_alert_channel_slack" "primary_critical" {
  alias = lacework.primary
  # ...
}
resource "lacework_alert_channel_slack" "business_unit_critical" {
  alias = lacework.business-unit
  # ...
}

For more information on using alias to configure multiple providers, checkout Multiple Provider Configurations on the Terraform docs site.

Environment Variables

You can provide your credentials via the LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET environment variables. These variables represent your Lacework account subdomain of URL, Lacework API access key, and Lacework API access secret, respectively.

# Example main.tf

provider "lacework" {}

Terminal:

$ export LW_ACCOUNT="my-account"
$ export LW_API_KEY="my-api-key"
$ export LW_API_SECRET="my-api-secret"
$ terraform plan

Static Credentials

Static credentials can be provided by adding the account, api_key, and api_secret in-line in the Lacework provider block:

provider "lacework" {
  account    = "my-account"
  api_key    = "my-api-key"
  api_secret = "my-api-secret"
}

Warning: Hard-coding credentials into any Terraform configuration is not recommended. Secrets could be leaked by committing hard-coded credentials to a public version control system.

Organization Level Access

Organization administrators can access organization level data sets by setting the organization argument to true.

provider "lacework" {
  organization = true
}

Warning: When accessing organization level data sets, the subaccount argument is ignored.

Using this type of configuration is intended for managing resources such as alerts, resource groups, team members, cloud accounts, and more, at the organization level.

About Version Pinning

Lacework Terraform projects are under heavy development with frequent releases. It is important to create a strategy for upgrading and testing new releases within your environment to avoid unintentional changes due to new features, and/or new functionality. This is especially important if you plan to run Terraform continuously using a CI/CD pipeline.

The following example shows how you can pin to a specific version of the Terraform Provider for Lacework:

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "0.3.1" # Version is pinned to 0.3.1
    }
  }
}

provider "lacework" {
  # Configuration options
}

Next Steps

From here you are ready to explore some of the specific use cases with Terraform for Lacework:

• AWS Config and CloudTrail Integration with Terraform
• AWS Config and CloudTrail Integration with Terraform using AWS CloudShell
• GCP Compliance and Audit Trail Integration - Terraform From Any Supported Host
• GCP Compliance and Audit Trail Integration - Terraform using Google Cloud Shell
• Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host
• Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell
• Deploy Lacework Agent to Kubernetes with Terraform
• Install Agent on AWS EC2 Instances Using Terraform and AWS Systems Manager
• Managing Alert Channels with Terraform