Terraform for Lacework Overview

Welcome to the getting started with Terraform for Lacework overview! This article provides a foundational overview of using Terraform to manage the configuration of Lacework and integrations with public cloud providers, and other services.

For organizations that have adopted Hashicorp Terraform for automation, Lacework maintains the following open source projects on the Terraform Registry for automating the Lacework platform, and integrations between Lacework and public cloud environments:

• Terraform Provider for Lacework - The Terraform Provider for Lacework is a collection of custom resources for managing the configuration of the Lacework Platform as code.
• Terraform Modules - A collection of Terraform modules for integrating AWS, Google Cloud, and Azure public cloud environments.

The purpose of the Lacework Terraform Provider and Modules is to enable customer to manage all aspects of their usage of Lacework using automation in a manner that is fast, efficient, and secure.

Getting Started with Terraform for Lacework

Before using any of the Terraform projects for Lacework, it is helpful to have a solid understanding of how Terraform works including writing plans, configuring Terraform providers, and using Terraform modules developed by Hashicorp and the Terraform community.

If you are new to Terraform and want to learn the basics, Hashicorp has excellent documentation on getting started with Terraform.

Terraform Version Support

Lacework Terraform projects support the following versions of Terraform:

• ~> 0.15
• ~> 0.14
• ~> 0.13
• >= 0.12.31

With Terraform 0.13+ you will need to use the required_providers nested block inside the terraform configuration block in order to resolve the Terraform Provider for Lacework on the Terraform Registry:

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "~> 0.3"
    }
  }
}

provider "lacework" {
  # Configuration options
}

Terraform v0.12.31 will accept syntax like the above example but will understand it in the same way as the following v0.12-style syntax:

terraform {
  required_providers {
    lacework = {
      version = "~> 0.3"
    }
  }
}

provider "lacework" {
  # Configuration options
}

Configuration

The Terraform Provider for Lacework needs to be configured to authenticate with a Lacework account. This next section provides instructions for configing the Lacework provider.

Create Lacework API Key

The Terraform Provider for Lacework requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework console.

1. Log in to the Lacework Console.
2. Click Settings > API Keys.
3. Click Create New API Key.
4. Give the API key a Name and optional Description.
5. Click Save.
6. Click Download to save the API Key file locally.

The contents of your API key contain a keyId secret, subAccount, and account:

 {
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": "myaccount.lacework.net"
 }

Configure Using the Lacework CLI (Recommended)

The Terraform Provider for Lacework has the ability to leverage configuration from the Lacework CLI. Once the Lacework CLI is installed and configured on the system that you plan to run Terraform from, a configuration file named .lacework.toml that stores API keys for any accounts you have configured is generated. The default location on Linux and OS X is $HOME/.lacework.toml, and for Windows users is %USERPROFILE%\.lacework.toml.

This configuration file can be easily managed using the Lacework CLI. This method also supports a profile configuration and matching LW_PROFILE environment variable.

The following example shows how you can use two different configurations from the Lacework CLI.

# Example .lacework.toml - Config for Lacework CLI

[default]
  account = "main-account"
  api_key = "MAIN_3B3E14535E093681ED0DEBDC94C884FF6413242H2G5UDFF"
  api_secret = "_8e52ee492fceb0cd49b4f789bhskljhfds"

[sub-account-1]
  account = "sub-account-1"
  api_key = "SUB_20255A108A0C43A512AFA75CC0DA4C60688DBKJSDFLK55"
  api_secret = "_fbf8d6640295b24aecd3chhsai27"

[sub-account-2]
  account = "sub-account-1"
  api_key = "SUB_20255A108A0C43A432AFA75CC0DA4C60698DFH345656"
  api_secret = "_fbf8d6640295b24aecd3lalht9iew9"

## Example main.tf

provider "lacework" {
  # This uses the API key and secret for the default profile
  alias = "main"
}

provider "lacework" {
  # This uses the API key and secret for the sub-account-1 profile
  profile = "sub-account-1"
  alias = "sub-account-1"
}

provider "lacework" {
  # This uses the API key and secret for the sub-account-2 profile
  profile = "sub-account-2"
  alias = "sub-account-2"
}

For more information on using alias to configure multiple providers, checkout Multiple Provider Configurations on the Terraform docs site.

Environment Variables

You can provide your credentials via the LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET environment variables. These variables represent your Lacework account subdomain of URL, Lacework API access key, and Lacework API access secret, respectively.

# Example main.tf

provider "lacework" {}

Terminal:

$ export LW_ACCOUNT="my-account"
$ export LW_API_KEY="my-api-key"
$ export LW_API_SECRET="my-api-secret"
$ terraform plan

Static Credentials

Static credentials can be provided by adding the account, api_key, and api_secret in-line in the Lacework provider block:

provider "lacework" {
  account    = "my-account"
  api_key    = "my-api-key"
  api_secret = "my-api-secret"
}

Warning: Hard-coding credentials into any Terraform configuration is not recommended. Secrets could be leaked by committing hard-coded credenitals to a public version control system.

About Version Pinning

Lacework Terraform projects are under heavy development with frequent releases. It is important to create a strategy for upgrading and testing new releases within your environment to avoid unintentional changes due to new features, and/or new functionality. This is especially important if you plan to run Terraform continuously using a CI/CD pipeline.

The following example shows how you can pin to a specific version of the Terraform Provider for Lacework:

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "0.3.1" # Version is pinned to 0.3.1
    }
  }
}

provider "lacework" {
  # Configuration options
}

Next Steps

From here you are ready to explore some of the specific use cases with Terraform for Lacework:

• AWS Config and CloudTrail Integration with Terraform
• AWS Config and CloudTrail Integration with Terraform using AWS CloudShell
• GCP Compliance and Audit Trail Integration - Terraform From Any Supported Host
• GCP Compliance and Audit Trail Integration - Terraform using Google Cloud Shell
• Azure Compliance & Activity Log Integrations - Terraform From Any Supported Host
• Azure Compliance & Activity Log Integrations - Terraform using Azure Cloud Shell
• Deploy Lacework Agent to Kubernetes with Terraform
• Install Agent on AWS EC2 Instances Using Terraform and AWS Systems Manager
• Managing Alert Channels with Terraform