Maintain Cloud Integrations with Terraform
Lacework works by collecting, processing, and analyzing data from the environments where it is deployed, such as integrated cloud accounts. Lacework uses this data to establish baselines, detect anomalies, generate reports, and more. You can also query the data set yourself, whether for ad hoc investigation or to build custom policies.
See Datasource Metadata for more information about Lacework datasources.
Lacework regularly expands the data it collects by collecting data from new services or using additional APIs of services already monitored. The cloud APIs invoked for the services often require additional permissions for the cloud roles. Accordingly, administering Lacework involves monitoring and occasionally updating your integration to allow for new datasources.
An indication that you may need to update your cloud account integration is the occurrence of CSPAccessDeniedError errors in Lacework, which indicate that Lacework is unable to access a resource, for example because the integration's IAM role lacks a permission that a newly added datasource requires.
To keep your Lacework integration up to date, Lacework recommends using Terraform. Lacework regularly updates the cloud configuration script, including by incorporating the latest required cloud permissions. By running the script regularly, you can apply the latest changes.
The following steps describe how to apply the Lacework configuration Terraform script to maintain your integration. Follow Add a Cloud Integration to Terraform Management if you have not already used Terraform for the cloud integration, or Update an Integration Under Terraform Management if it is already under Terraform management.
This procedure applies to AWS configuration integrations only (that is, of type AwsCfg), not to CloudTrail or other types of integrations.
Prerequisites
To perform the steps described in this topic, you will need:
- Terraform installed.
- The Lacework CLI installed and configured.
- Access to the integrated AWS account.
For more information on these topics, see Get Started with Terraform for Lacework.
Add a Cloud Integration to Terraform Management
Lacework provides various ways to create an AWS integration in Lacework. These steps describe how to add such an integration that was created by another means, such as manually or with CloudFormation, to Terraform, and then to apply an upgrade.
Step 1: Gather Information
To add a Lacework integration to Terraform, you will need its cloud account GUID and integration name, plus the IAM role ARN and external ID that the integration uses in the AWS account.
To get this information, follow these steps:
From a terminal with the Lacework CLI installed and configured, run the following command to see a list of existing Lacework integrations:
lacework cloud-accounts list
The output lists the cloud account integrations, such as the following:
CLOUD ACCOUNT GUID                          NAME            TYPE     STATUS    STATE
--------------------------------------------+----------------+--------+---------+--------
DEV81383_BBB2ADFFD89DAFA1750A205A77816B84   dev8-doc        AwsCfg   Enabled   Ok
DEV81383_4AA069C2D122BB0AB1F1E58F5B97AF29   dev-qa          OciCfg   Enabled   Ok
DEV81383_215A13612BC532418965C1B9099D9FE0   dev-doc230405   OciCfg   Enabled   Ok
DEV81383_A3D15CFF7AAFFD202357AD59154153AD   dev7-doc        AwsCfg   Enabled   Ok
DEV81383_193B0E884D4E0F2D63D6478BDF4C94C8   dev6-doc        AwsCfg   Enabled   Ok

Note the cloud account GUID for the integration you want to add to Terraform management (for this procedure, one of type AwsCfg).
Get details for the integration you want to put under Terraform using the lacework cloud-account show command, passing it the cloud account GUID you just noted, for example:
lacework cloud-account show DEV81383_BBB2ADFFD89DAFA1750A205A77816B84
This produces output such as the following:
CLOUD ACCOUNT GUID                          NAME       TYPE     STATUS    STATE
--------------------------------------------+-----------+--------+---------+--------
DEV81383_BBB2ADFFD89DAFA1750A205A77816B84   dev8-doc   AwsCfg   Enabled   Ok

DETAILS
-------------------------------------------------------------------------------
AWS ACCOUNT ID           249446771485
EXTERNAL ID              lweid:aws:v2:your-account:249446771485:dkl31.09ip
LAST SUCCESSFUL STATE    2023-05-02T12:17:51-07:00
ROLE ARN                 arn:aws:iam::249446771485:role/lw-doc-test-config
STATE DETAILS            {}
STATE UPDATED AT         2023-05-02T12:17:51-07:00
UPDATED AT               2023-11-10T01:02:42.641Z
UPDATED BY               user@example.com

Note these values from the output:
- INTEGRATION NAME (dev8-doc, in the example)
- EXTERNAL ID (such as lweid:aws:v2:your-account:249446771485:dkl31.09ip)
- ROLE ARN (such as arn:aws:iam::249446771485:role/lw-doc-test-config)
- ROLE NAME, which is the last path segment of the ROLE ARN (such as lw-doc-test-config)
You will use these values in the next step.
Step 2: Run the Terraform Script
Create a new directory for the Terraform code, for example:
mkdir lacework-config-integration
Change to the new directory:
cd lacework-config-integration
In the directory, create the main.tf file, and populate it with the following code:

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

provider "lacework" {}
provider "aws" {}

module "aws_config" {
  source  = "lacework/config/aws"
  version = "~> 0.13.0"

  use_existing_iam_role     = true
  iam_role_arn              = "ROLE_ARN"
  iam_role_name             = "ROLE_NAME"
  iam_role_external_id      = "EXTERNAL_ID"
  lacework_integration_name = "INTEGRATION_NAME"
}

Replace the placeholder values (ROLE_ARN, ROLE_NAME, EXTERNAL_ID, INTEGRATION_NAME) with the values you gathered in step 1. For example:

terraform {
  required_providers {
    lacework = {
      source = "lacework/lacework"
    }
  }
}

provider "lacework" {}
provider "aws" {}

module "aws_config" {
  source  = "lacework/config/aws"
  version = "~> 0.13.0"

  use_existing_iam_role     = true
  iam_role_arn              = "arn:aws:iam::249446771485:role/lw-doc-test-config"
  iam_role_name             = "lw-doc-test-config"
  iam_role_external_id      = "lweid:aws:v2:your-account:249446771485:dkl31.09ip"
  lacework_integration_name = "dev8-doc"
}

Replace the version (0.13.0) with the version of the Lacework config module that you want to apply. See Lacework config in the Terraform registry for the current version. The sample above uses the pessimistic constraint operator (~>) to pin the version to 0.13.n: Terraform reads "~> 0.13.0" as greater than or equal to 0.13.0 and less than 0.14.0. The shorter form "~> 0.13" means greater than or equal to 0.13 and less than 1.0, so it would let terraform init -upgrade pull in 0.14 and later without any change to the script. The module treats increments such as 0.13 to 0.14 as major versions, and those may include breaking changes. Review the module readme for more information.

If your Lacework deployment uses subaccounts, you may need to modify the lacework provider block by adding the subaccount that you want to integrate. For example, the following shows a subaccount named qa_team in the lacework organization:

provider "lacework" {
  subaccount = "qa_team"
}

Save and close the main.tf file when complete, and initialize the directory:
terraform init -upgrade
Now run the Terraform import command, passing it the cloud account GUID for the integration you want to import, as you previously noted. For example:
terraform import module.aws_config.lacework_integration_aws_cfg.default DEV81383_BBB2ADFFD89DAFA1750A205A77816B84
Now review and apply the Terraform plan, as follows:
terraform plan
terraform apply
The resource manager will collect data for new services the next time it runs. After bringing your cloud integrations under Terraform management, you can use the instructions in Update an Integration Under Terraform Management to maintain them in the future.
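The gather-and-generate steps above, as an added example that is not part of the Lacework docs or tooling: this Python script parses lacework cloud-account show output (the page's sample, embedded as a constructed string so it runs offline), derives the role name from the ROLE ARN, refuses anything that is not an AwsCfg integration or whose role lives in a different account than the integration reports, and prints the main.tf from step 2 together with the terraform import command. The output layout it assumes (columns separated by two or more spaces, a line reading DETAILS) is what this page shows; adjust the regular expressions if your CLI version prints differently.

```python
"""Generate the step-2 main.tf from `lacework cloud-account show` output.

Added example, not Lacework's own tooling. Assumes the column layout shown on
this page (fields separated by two or more spaces, a line reading exactly
DETAILS before the key/value table). Pipe real CLI output on stdin; with no
input the constructed sample below is used.
"""
import re
import sys
from typing import Dict

# Constructed sample, copied from the `lacework cloud-account show` output above.
SAMPLE_SHOW_OUTPUT = """\
CLOUD ACCOUNT GUID                           NAME       TYPE     STATUS    STATE
--------------------------------------------+-----------+--------+---------+--------
DEV81383_BBB2ADFFD89DAFA1750A205A77816B84    dev8-doc   AwsCfg   Enabled   Ok
                                  DETAILS
-------------------------------------------------------------------------------
    AWS ACCOUNT ID           249446771485
    EXTERNAL ID              lweid:aws:v2:your-account:249446771485:dkl31.09ip
    ROLE ARN                 arn:aws:iam::249446771485:role/lw-doc-test-config
    STATE DETAILS            {}
    UPDATED BY               user@example.com
"""

GUID_RE = re.compile(r"^[A-Z0-9]+_[0-9A-F]{32}$")
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::(\d{12}):role/(.+)$")
DETAIL_RE = re.compile(r"^\s*([A-Z][A-Z ]*[A-Z])\s{2,}(\S.*?)\s*$")

MAIN_TF = """\
terraform {{
  required_providers {{
    lacework = {{ source = "lacework/lacework" }}
  }}
}}
{provider}
provider "aws" {{}}
module "aws_config" {{
  source  = "lacework/config/aws"
  version = "{version}"  # "~> 0.13.0" = 0.13.x only; "~> 0.13" would also allow 0.14+
  use_existing_iam_role     = true
  iam_role_arn              = "{role_arn}"
  iam_role_name             = "{role_name}"
  iam_role_external_id      = "{external_id}"
  lacework_integration_name = "{name}"
}}
"""

def parse_show_output(text: str) -> Dict[str, str]:
    """Return summary columns (guid, name, type, status, state) plus DETAILS keys."""
    lines = text.splitlines()
    split_at = next((i for i, ln in enumerate(lines) if ln.strip() == "DETAILS"), None)
    if split_at is None:
        raise ValueError("no DETAILS section in output")
    info: Dict[str, str] = {}
    for ln in lines[:split_at]:
        cols = re.split(r"\s{2,}", ln.strip())  # columns are separated by 2+ spaces
        if len(cols) >= 5 and GUID_RE.match(cols[0]):
            info.update(zip(("guid", "name", "type", "status", "state"), cols))
            break
    else:
        raise ValueError("no cloud account row in output")
    for ln in lines[split_at + 1:]:
        m = DETAIL_RE.match(ln)
        if m:
            info[m.group(1)] = m.group(2)
    return info

def role_name_from_arn(arn: str) -> str:
    """Role ARNs may carry a path (role/path/name); the role name is the last segment."""
    m = ROLE_ARN_RE.match(arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {arn!r}")
    return m.group(2).rsplit("/", 1)[-1]

def render_main_tf(info: Dict[str, str], version: str = "~> 0.13.0", subaccount: str = "") -> str:
    """Build main.tf; refuses non-AwsCfg integrations and mismatched account IDs."""
    if info.get("type") != "AwsCfg":
        raise ValueError(f"{info.get('name')} is {info.get('type')}, not AwsCfg")
    role_name = role_name_from_arn(info["ROLE ARN"])  # also validates the ARN
    if ROLE_ARN_RE.match(info["ROLE ARN"]).group(1) != info["AWS ACCOUNT ID"]:
        raise ValueError("ROLE ARN account does not match AWS ACCOUNT ID")
    provider = 'provider "lacework" {}'
    if subaccount:  # only when the Lacework organization uses subaccounts
        provider = f'provider "lacework" {{\n  subaccount = "{subaccount}"\n}}'
    return MAIN_TF.format(provider=provider, version=version, role_arn=info["ROLE ARN"],
                          role_name=role_name, external_id=info["EXTERNAL ID"], name=info["name"])

def import_command(info: Dict[str, str]) -> str:
    """Resource address as given on this page; the import ID is the cloud account GUID."""
    return "terraform import module.aws_config.lacework_integration_aws_cfg.default " + info["guid"]

if __name__ == "__main__":
    raw = "" if sys.stdin.isatty() else sys.stdin.read()
    parsed = parse_show_output(raw or SAMPLE_SHOW_OUTPUT)
    sys.stdout.write(render_main_tf(parsed))
    print("# next: " + import_command(parsed))  # an HCL comment, harmless if redirected into main.tf
```

Run it as lacework cloud-account show GUID | python3 import_integration.py > main.tf (the file name is arbitrary), then terraform init -upgrade and the printed import command. The account-ID cross-check is there because importing an integration whose role belongs to another account succeeds at the Lacework API level but leaves Terraform managing the wrong role.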
Update an Integration Under Terraform Management
If your Lacework integration is already under Terraform management, you can use the following steps to regularly update your deployment. These steps assume that you have access to the Terraform script used to deploy your Lacework integration.
- Compare the current version of the Lacework config module in the Terraform registry with the version constraint in your Terraform script, which looks similar to the following:
version = "~> 0.13.0"
- Decide whether the constraint needs to change. A patch release within the pinned series (say 0.13.0 to 0.13.1) satisfies "~> 0.13.0", so no edit is needed and terraform init -upgrade picks it up. Moving to the next series (say 0.13.1 to 0.14.0) requires updating the constraint, for example to "~> 0.14.0". The module treats such steps (0.12 to 0.13, 0.13 to 0.14) as major versions, and they may include breaking changes, so review the module readme first. If your script uses the shorter form "~> 0.13" (no patch component), Terraform reads that as greater than or equal to 0.13 and less than 1.0, so terraform init -upgrade can move you to 0.14 or later without an edit; pin to "~> 0.13.0" if you want only 0.13.x.
- You can now apply the Terraform script by running these commands:
terraform init -upgrade
terraform plan
terraform apply
The resource manager will collect data for new services the next time it runs.
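The version-constraint advice in this section and in step 2 above, as an added example that is neither Lacework's nor HashiCorp's code: a Python reimplementation of Terraform's documented ~> rule showing which module versions "~> 0.13" and "~> 0.13.0" admit, which one terraform init -upgrade would pick from a given listing, and whether that pick crosses a boundary the page treats as major. The registry version list is constructed for illustration, not a real listing; check the Terraform registry for actual versions.

```python
"""Pessimistic ("~>") version constraints, as used to pin the Lacework config module.

Added example, not part of Lacework or Terraform. It reimplements the documented
"~>" rule so you can see what `terraform init -upgrade` would select before running
it. The registry version list below is constructed, not a real listing.
"""
from typing import List, Optional, Tuple

Version = Tuple[int, ...]

# Constructed, hypothetical module versions; consult the Terraform registry for real ones.
CONSTRUCTED_REGISTRY_VERSIONS = ["0.12.4", "0.13.0", "0.13.1", "0.14.0", "1.0.0"]


def parse_version(s: str) -> Version:
    parts = s.strip().split(".")
    if not all(p.isdigit() for p in parts):
        raise ValueError(f"bad version: {s!r}")
    return tuple(int(p) for p in parts)


def pessimistic_bounds(constraint: str) -> Tuple[Version, Version]:
    """(inclusive lower, exclusive upper) for "~> X.Y[.Z]".

    Terraform's rule: the rightmost component given may grow, the one to its left
    may not. "~> 0.13" -> >= 0.13, < 1.0; "~> 0.13.0" -> >= 0.13.0, < 0.14.0.
    """
    if not constraint.startswith("~>"):
        raise ValueError("only ~> constraints are handled here")
    lower = parse_version(constraint[2:])
    if len(lower) < 2:
        raise ValueError("~> needs at least two components, e.g. ~> 0.13")
    bumped = list(lower[:-1])
    bumped[-1] += 1
    upper = tuple(bumped) + (0,) * (len(lower) - len(bumped))
    return lower, upper


def _pad(v: Version, n: int) -> Version:
    return v + (0,) * (n - len(v))


def allowed(constraint: str, candidate: str) -> bool:
    lower, upper = pessimistic_bounds(constraint)
    c = parse_version(candidate)
    n = max(len(lower), len(c))
    return _pad(lower, n) <= _pad(c, n) < _pad(upper, n)


def newest_allowed(constraint: str, available: List[str]) -> Optional[str]:
    """What `terraform init -upgrade` would select from a registry listing."""
    ok = [v for v in available if allowed(constraint, v)]
    return max(ok, key=parse_version) if ok else None


def breaking_jump(current: str, target: str) -> bool:
    """True when the page's advice to read the readme applies: the 'major' part changes.

    The module uses 0.x numbering, where 0.12 -> 0.13 counts as a major step;
    for 1.x and later only the first component counts.
    """
    cur, tgt = _pad(parse_version(current), 2), _pad(parse_version(target), 2)
    if cur[0] == 0 and tgt[0] == 0:
        return cur[1] != tgt[1]
    return cur[0] != tgt[0]


if __name__ == "__main__":
    for constraint in ("~> 0.13.0", "~> 0.13"):
        lo, hi = pessimistic_bounds(constraint)
        pick = newest_allowed(constraint, CONSTRUCTED_REGISTRY_VERSIONS)
        print(f"{constraint:10} allows >= {'.'.join(map(str, lo))}, < {'.'.join(map(str, hi))}; "
              f"init -upgrade would pick {pick}; breaking jump from 0.13.0: "
              f"{breaking_jump('0.13.0', pick)}")
```

The point of the comparison: with "~> 0.13.0" the script stays on 0.13.x until you deliberately edit the constraint, so a breaking 0.14 release cannot reach your IAM role policy through a routine terraform init -upgrade; with "~> 0.13" it can.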