Skip to main content

Integrate OCI with Terraform

This topic describes how to integrate Lacework and your Oracle Cloud using Terraform. Terraform lets you define and manage your infrastructure as code, and provides for a repeatable, collaborative configuration mechanism.

If you are new to using Terraform with Lacework, see Terraform for Lacework Overview.


You must perform these steps from a host with Terraform installed.

To perform the integration, you need to use a Lacework account with administrator privileges. You also need to ensure that the Lacework Terraform provider can access your Lacework API credentials. You can accomplish that by either:

You must also ensure that the OCI Terraform provider can access your OCI credentials by completing these requirements:

For detailed information on resources, dependencies, and more, visit the Lacework OCI module page on the Terraform Registry.

Oracle Cloud Shell Configuration

The Oracle Cloud Shell is an embedded terminal/command-line interface that can you can use within the Oracle Console. Oracle Cloud Shell comes with tools pre-installed like the Oracle Cloud SDK, oci command-line tool, and Terraform pre-installed to manage and automate your projects and resources in your environment.

Lacework provides a command-line interface tool that can generate Terraform code, install the Terraform CLI (if not installed), and run Terraform inside the Oracle Cloud Shell.

Step 1. Launch Oracle Cloud Shell within Oracle Console

To open Oracle Cloud Shell, first ensure that your home region is selected in the Regions menu at the top right of the OCI web console. Then click the Cloud Shell icon in the header bar. The Cloud Shell launches in a pane at the bottom of the browser, by default.

Step 2. Install the Lacework CLI in Oracle Cloud Shell

The Terraform provider for Lacework leverages the configuration from the Lacework CLI to authenticate with the Lacework API and configure accounts. Run the following commands to install the Lacework CLI:

mkdir -p "$HOME"/bin  
curl | bash -s -- -d "$HOME"/bin
echo 'export PATH=$PATH:$HOME/bin/' >> ~/.bashrc

When the script completes, type exit followed by enter and close the shell. After the shell exits, open Cloud Shell again and the Lacework CLI will be ready to use.


For general information on the Lacework CLI, see Get Started with the Lacework CLI.

Step 3. Create Lacework API Key

The Lacework CLI requires an API key and secret to authenticate with Lacework. Lacework API keys can be created by Lacework account administrators via the Lacework Console. For more information, go to API Keys.

It is recommended to use a service user API key. To do so, create a service user account in Lacework. You can then create an API key for the user:

  1. Log in to the Lacework Console as a user in the Admin role or with write permissions for API keys.
  2. Click Settings > Configuration > API keys.
  3. Click + Add New.
  4. Enter a name for the key and an optional description.
  5. Enable the Assign this to a service user option and choose the user you created from the list.
  6. Click Save.
  7. Click the ... icon and then Download to save the API key file locally.

The contents of your API key contain a keyId secret, subAccount, and account:

"keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
"secret": "_abc1234e243a645bcf173ef55b837c19",
"subAccount": "myaccount",
"account": ""

Step 4. Configure the Lacework CLI

Oracle Cloud Shell lets you drag-and-drop the generated JSON key file to your Cloud Shell window to upload it to your home directory.

To configure the CLI with the API key downloaded from the previous step, use the lacework configure command in Cloud Shell and provide the following:

  • account: Account subdomain of URL (i.e.
  • api_key: API Access Key
  • api_secret: API Access Secret

Run the configure CLI command:

user@cloudshell:~ (us-sanjose-1)$ ./bin/lacework configure -j ACCOUNTCE4D_60BE.json 
▸ Account:
▸ Access Key ID: ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03
▸ Secret Access Key: (*****************************7c19)

Step 5. Complete the Lacework Integration

From the Oracle Cloud Shell, use Terraform to complete the integration. Oracle Cloud Shell includes Terraform by default. If you need to update or install Terraform, however, you can download it from Terraform.

Version 1.4.6 or later is recommended.

Once you have Terraform, follow these steps:

  1. Create a file containing:

    terraform {
    required_providers {
    lacework = {
    source = "lacework/lacework"
    version = ">= 1.9.0"

    module "oci_config" {
    source = "lacework/config/oci"
    version = "~> 0.2"
    tenancy_id = "<tenancy_ocid>"
    user_email = "<oci_user_email>"
  2. Initialize Terraform:

    terraform init
  3. Now verify and generate a Terraform plan:

    terraform plan
  4. If terraform plan runs with no errors, use the following command to create the required OCI resources:

    terraform apply -auto-approve

    If the terraform apply command results in a 400 failure in validating the specified credentials, it may be because OCI resources sometimes take a few moments after creation before becoming available. Rerunning terraform apply again after a minute or two give the resources time to present themselves as available and solve the issue.

  5. List integrations to verify:

    lacework cloud-account list | grep -i oci

    You should see the OciCfg integration. To validate the integration using the Lacework Console, log in to your account and go to Settings > Integrations > Cloud Accounts and look for the OCI integration.


You may need to use the --profile option for the preceding Lacework CLI command, depending on your configuration. The default profile is used if you do not specify one. See information on managing profiles in the Lacework CLI documentation for more information.