Up and Running with the Terraform Provider for Lacework

In this edition of Up and Running with Lacework, we dive into one of the most widely adopted automation tools on the market today, and get you up and running with the Terraform Provider for Lacework!

The Lacework Platform automates cloud security so our customers can stay focused on building their own digital businesses. Lacework’s commitment to automation isn’t just limited to the platform though. We have been busy developing a lot of open source automation to help customers automate all of their workflows around the platform including integrating cloud environments with Lacework, agent deployments, integrating container registries, and more.

For organizations that have adopted Hashicorp Terraform for automation, Lacework maintains the following open source projects on the Terraform Registry for automating the Lacework platform, and integrations between Lacework and public cloud environments:

  • Terraform Provider for Lacework – The Terraform Provider for Lacework is a collection of custom resources for managing the configuration of the Lacework Platform as code.
  • Terraform Modules – A collection of Terraform modules for integrating AWS, Google Cloud, and Azure public cloud environments, as well as Terraform modules for deploying Lacework agents to Kubernetes clusters and virtual hosts.

The purpose of the Lacework Terraform Provider, and Terraform Modules, is to enable customer to manage all aspects of their usage of Lacework using automation as code, in a manner that is fast, efficient, and secure.

Getting Started with Terraform for Lacework

Before using any of the Terraform projects for Lacework, it is helpful to have a solid understanding of how Terraform works including writing plans, configuring Terraform providers, and using Terraform modules developed by Hashicorp and the Terraform community.

If you are new to Terraform and want to learn the basics, Hashicorp has excellent documentation on getting started with Terraform.

Terraform Version Support

All Lacework Terraform projects support the following versions Terraform:

  • ~> 0.14.0
  • ~> 0.13.0
  • >= 0.12.26

Required Providers

With Terraform 0.13+ you will need to use the required_providers nested block inside the terraform configuration block in order to resolve the Terraform Provider for Lacework on the Terraform Registry:


terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
    }
  }
 }
  provider "lacework" {
  # Configuration options
 }

Configuration

The Terraform Provider for Lacework needs to be configured to authenticate with a Lacework account. This next section provides instructions for configuring the Lacework provider.

Create Lacework API Key

The Terraform Provider for Lacework requires an API key and secret to authenticate with Lacework. Lacework API Keys can be created by Lacework account administrators via the Lacework console.

Create Lacework API Key

  1. Log in to the Lacework Console.
  2. Click Settings -> API Keys .
  3. Click CREATE NEW API KEY.
  4. Give the API key a Name and optional Description.
  5. Click SAVE.
  6. Click DOWNLOAD to save the API key file locally.

The contents of your API key contain a keyId, secret, subAccount, and account:


{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": "myaccount.lacework.net"
}

Configure Using the Lacework CLI (Recommended)

The Terraform Provider for Lacework has the ability to leverage configuration from the Lacework CLI. Once the Lacework CLI is installed and configured on the system that you plan to run Terraform from, a configuration file named .lacework.toml that stores API keys for any accounts you have configured is generated. The default location on Linux and OS X is $HOME/.lacework.toml, and for Windows users is %USERPROFILE%\.lacework.toml.

This configuration file can be easily managed using the Lacework CLI. This method also supports a profile configuration and matching LW_PROFILE environment variable.

The following example shows how you can configure the Terraform provider for Lacework for multiple Lacework accounts from the Lacework CLI configuration file:


# Example .lacework.toml - Config for Lacework CLI

[default]
  account = "main-account"
  api_key = "MAIN_3B3E14535E093681ED0DEBDC94C884FF6413242H2G5UDFF"
  api_secret = "_8e52ee492fceb0cd49b4f789bhskljhfds"

[sub-account-1]
  account = "sub-account-1"
  api_key = "SUB_20255A108A0C43A512AFA75CC0DA4C60688DBKJSDFLK55"
  api_secret = "_fbf8d6640295b24aecd3chhsai27"

[sub-account-2]
  account = "sub-account-1"
  api_key = "SUB_20255A108A0C43A432AFA75CC0DA4C60698DFH345656"
  api_secret = "_fbf8d6640295b24aecd3lalht9iew9"

## Example main.tf

provider "lacework" {
  # This uses the API key and secret for the default profile
  alias = "main"
}

provider "lacework" {
  # This uses the API key and secret for the sub-account-1 profile
  profile = "sub-account-1"
  alias = "sub-account-1"
}

provider "lacework" {
  # This uses the API key and secret for the sub-account-2 profile
  profile = "sub-account-2"
  alias = "sub-account-2"
}

For more information on using alias to configure multiple providers, checkout Multiple Provider Configurationson the Terraform docs site.

Environment Variables

You can provide your credentials via the LW_ACCOUNT, LW_API_KEY , and LW_API_SECRET environment variables. These variables represent your Lacework account subdomain of URL, Lacework API access key, and Lacework API access secret, respectively.

Configure Environment Variables


$ export LW_ACCOUNT="my-account"
$ export LW_API_KEY="my-api-key"
$ export LW_API_SECRET="my-api-secret"
$ terraform plan

Static Credentials

Static credentials can be provided by adding the account, api_key, and api_secret in-line in the Lacework provider block:


provider "lacework" {
  account    = "my-account"
  api_key    = "my-api-key"
  api_secret = "my-api-secret"
}

Warning:
Hard-coding credentials into any Terraform configuration is not recommended. Secrets could be leaked by committing hard-coded credentials to a public version control system.

About Version Pinning

Lacework Terraform projects are under heavy development with frequent releases. It is important to create a strategy for upgrading and testing new releases within your environment to avoid unintentional changes due to new features, and/or new functionality. This is especially important if you plan to run Terraform continuously using a CI/CD pipeline.

The following example shows how you can pin to a specific version of the Terraform Provider for Lacework:


terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
      version = "= 0.2.7" # Version is pinned to 0.2.7
    }
  }
}

provider "lacework" {
  # Configuration options
}

Conclusion

Terraform for Lacework is a big topic, and one that we will continue to dive into in the coming months. If you are interested in learning more about what else you can do Terraform and Lacework, be sure to checkout both the documentation on support.lacework.com, as well as the all of the content on the Terraform Registry.

Until next time, happy automating!

Categories

Suggested for you