Integrate OCI with Terraform
This topic describes how to integrate Lacework and your Oracle Cloud using Terraform. Terraform lets you define and manage your infrastructure as code, and provides for a repeatable, collaborative configuration mechanism.
If you are new to using Terraform with Lacework, see Terraform for Lacework Overview.
Requirements
You must perform these steps from a host with Terraform installed.
To perform the integration, you need to use a Lacework account with administrator privileges. You also need to ensure that the Lacework Terraform provider can access your Lacework API credentials. You can accomplish that in one of the following ways:
- Installing and configuring the Lacework CLI
- Setting the LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET environment variables
- Choosing one of the several other authentication methods listed in the Lacework Terraform provider documentation
You must also ensure that the OCI Terraform provider can access your OCI credentials by completing one of these requirements:
- Installing and configuring the OCI CLI
- Setting the TF_VAR_config_file_profile environment variable to point to a valid OCI CLI configuration file
- Running the Terraform code from the OCI Cloud Shell. Ensure the user account running Oracle Cloud Shell has sufficient permissions to create IAM users and policies.
- Choosing one of the several other authentication methods listed in the OCI Terraform provider documentation
For detailed information on resources, dependencies, and more, visit the Lacework OCI module page on the Terraform Registry.
Oracle Cloud Shell Configuration
The Oracle Cloud Shell is an embedded terminal/command-line interface that you can use within the Oracle Console. It comes with tools such as the Oracle Cloud SDK, the oci command-line tool, and Terraform pre-installed to manage and automate your projects and resources in your environment.
Lacework provides a command-line interface tool that can generate Terraform code, install the Terraform CLI (if not installed), and run Terraform inside the Oracle Cloud Shell.
Step 1. Launch Oracle Cloud Shell within Oracle Console
To open Oracle Cloud Shell, first ensure that your home region is selected in the Regions menu at the top right of the OCI web console. Then click the Cloud Shell icon in the header bar. The Cloud Shell launches in a pane at the bottom of the browser, by default.
Step 2. Install the Lacework CLI in Oracle Cloud Shell
The Terraform provider for Lacework leverages the configuration from the Lacework CLI to authenticate with the Lacework API and configure accounts. Run the following commands to install the Lacework CLI:
mkdir -p "$HOME"/bin
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash -s -- -d "$HOME"/bin
echo 'export PATH=$PATH:$HOME/bin/' >> ~/.bashrc
When the script completes, type exit followed by Enter to close the shell. After the shell exits, open Cloud Shell again and the Lacework CLI will be ready to use.
For general information on the Lacework CLI, see Get Started with the Lacework CLI.
Step 3. Create Lacework API Key
The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Keys.
It is recommended to use a service user API key. To do so, create a service user account in Lacework. You can then create an API key for the user:
- Log in to the Lacework Console as a user in the Admin role or with write permissions for API keys.
- Click Settings > Configuration > API keys.
- Click + Add New.
- Enter a name for the key and an optional description.
- Enable the Assign this to a service user option and choose the user you created from the list.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The contents of your API key file contain a keyId, secret, subAccount, and account:
{
"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": "myaccount.lacework.net"
}
Step 4. Configure the Lacework CLI
Oracle Cloud Shell lets you drag-and-drop the generated JSON key file to your Cloud Shell window to upload it to your home directory.
To configure the CLI with the API key downloaded in the previous step, use the lacework configure command in Cloud Shell and provide the following:
- account: Account subdomain of URL (e.g. YourAccount.lacework.net)
- api_key: API Access Key
- api_secret: API Access Secret
Run the configure CLI command:
user@cloudshell:~ (us-sanjose-1)$ ./bin/lacework configure -j ACCOUNTCE4D_60BE.json
▸ Account: myaccount.lacework.net
▸ Access Key ID: ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03
▸ Secret Access Key: (*****************************7c19)
Step 5. Complete the Lacework Integration
From the Oracle Cloud Shell, use Terraform to complete the integration. Oracle Cloud Shell includes Terraform by default. If you need to update or install Terraform, however, you can download it from Terraform.
Version 1.4.6 or later is recommended.
Once you have Terraform, follow these steps:
Create a file main.tf containing:
terraform {
required_providers {
lacework = {
source = "lacework/lacework"
version = ">= 1.9.0"
}
}
}
module "oci_config" {
source = "lacework/config/oci"
version = "~> 0.2"
tenancy_id = "<tenancy_ocid>"
user_email = "<oci_user_email>"
}
Initialize Terraform:
terraform init
Now verify and generate a Terraform plan:
terraform plan
If terraform plan runs with no errors, use the following command to create the required OCI resources:
terraform apply -auto-approve
If the terraform apply command results in a 400 failure in validating the specified credentials, it may be because OCI resources sometimes take a few moments after creation before becoming available. Rerunning terraform apply after a minute or two gives the resources time to become available and resolves the issue.
List integrations to verify:
lacework cloud-account list | grep -i oci
You should see the OciCfg integration. To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts and look for the OCI integration.
You may need to use the --profile option for the preceding Lacework CLI command, depending on your configuration. The default profile is used if you do not specify one. See the section on managing profiles in the Lacework CLI documentation for details.
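The following wrapper script is an added example, not part of the Lacework documentation or the OCI module: it runs the init/plan/apply/verify sequence of Step 5 from Oracle Cloud Shell, retries terraform apply only on the transient 400 credential-validation failure noted above, and then checks the cloud-account listing for the OciCfg integration. It assumes terraform and lacework are on PATH, main.tf is in the current directory, the CLI was configured as in Step 4, and that the real commands are only run when RUN_OCI_INTEGRATION=1 is set.

```shell
#!/bin/sh
# Added example, not part of the Lacework docs or the OCI module: wraps the
# init/plan/apply/verify sequence of Step 5 for use inside Oracle Cloud Shell.
# Assumptions: terraform and lacework are on PATH, main.tf is in the current
# directory, and the Lacework CLI was configured as in Step 4. The real
# commands run only when RUN_OCI_INTEGRATION=1 is set, so the functions can
# be sourced and exercised on their own.
set -u

# Run "$@" up to $1 times with $2 seconds between attempts, retrying only when
# the output mentions the 400 credential-validation failure described above
# (fresh OCI IAM resources not yet visible); any other failure returns at once.
apply_with_retry() {
  attempts="$1"; delay="$2"; shift 2
  log=$(mktemp); n=1
  while :; do
    if "$@" >"$log" 2>&1; then status=0; else status=$?; fi
    cat "$log"
    if [ "$status" -eq 0 ]; then rm -f "$log"; return 0; fi
    if [ "$n" -ge "$attempts" ] || ! grep -q '400' "$log"; then
      rm -f "$log"; return "$status"
    fi
    echo "attempt $n: 400 validating credentials; retrying in ${delay}s" >&2
    sleep "$delay"; n=$((n + 1))
  done
}

# Read "lacework cloud-account list" output on stdin, print how many OciCfg
# rows it contains, and exit non-zero when there are none (grep -c semantics).
has_oci_integration() {
  grep -c 'OciCfg'
}

if [ "${RUN_OCI_INTEGRATION:-0}" = "1" ]; then
  terraform init && terraform plan || exit 1
  apply_with_retry 3 60 terraform apply -auto-approve || exit 1
  count=$(lacework cloud-account list | has_oci_integration) \
    || { echo "no OciCfg integration found" >&2; exit 1; }
  echo "found $count OciCfg integration(s)"
fi
```

Add --profile to the lacework command in the final block if your configuration uses a non-default CLI profile.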