Manage Resource Groups with Terraform
This topic provides a foundational overview for using Terraform to configure and manage Lacework resource groups.
For organizations that have adopted Hashicorp Terraform for automation, Lacework maintains the following open source projects on the Terraform Registry for automating the Lacework platform. The Terraform provider offers a growing collection of custom resources to manage the configuration of the Lacework platform. If you are new to the Terraform provider for Lacework, read the Terraform for Lacework Overview.
About Lacework Resource Groups
Resource groups provide a way to categorize Lacework-identifiable assets.
Account-level resource groups let you categorize multiple assets that are identified by Lacework. These can include cloud accounts, containers, or machines. You can use resource groups for granular alert routing. For more information about alert rules, see Managing Alert Rules with Terraform.
Within each Lacework account, Lacework creates a default resource group for each resource type that already has an integration. A default resource group contains all assets of that type. Default resource groups cannot be deleted or edited.
After a resource type is integrated with Lacework, you can create a resource group for that type.
Configuring Resource Groups with Terraform
The following sub-sections provide examples of configuring Lacework Resource Groups with Terraform.
- Group AWS Accounts
- Group GCP Organizations and Projects
- Group Azure Tenants and Subscriptions
- Group Container
- Group Machines
- Group Lacework Accounts
Group AWS Accounts
AWS lets you group workloads with a common business purpose in distinct AWS accounts to align the ownership and decision making with those accounts and avoid dependencies and conflicts with how workloads in other accounts are secured and managed.
Lacework lets you group multple AWS accounts for granular alert routing.
resource "lacework_resource_group_aws" "retail_web_services" {
name = "Retail accounts"
description = "Group of all AWS Accounts managing our point of sales"
accounts = ["123456789011", "123456789012", "123456789013"]
}
See additional information on the lacework_resource_group_aws
resource at Terraform Registry.
Group GCP Organizations and Projects
GCP projects are used to organize your Google Cloud resources, including your Cloud Storage data, into logical groups.
Lacework lets you group GCP projects from the same or different GCP organizations for granular alert routing.
resource "lacework_resource_group_gcp" "qa_resources" {
name = "QA Resources"
description = "Groups all GCP projects from QA Teams"
organization = "YourGcpOrgID"
projects = ["project-1", "project-2", "project-3"]
}
If your project is not part of an organization in the Lacework platform, or if you are looking to group projects across multiple organizations, enter an asterisk "*"
as a string input into the organization
argument.
See additional information on the lacework_resource_group_gcp
resource at Terraform Registry.
Group Azure Tenants and Subscriptions
Multiple Azure subscriptions lets you view billing for each subscription and limit who can access the Microsoft Azure services associated with that subscription. Additionally, multiple subscriptions help overcome Azure limits and constraints and improve development and project team agility.
Lacework lets you group Azure subscriptions from the same or different Azure tenants for granular alert routing.
resource "lacework_resource_group_azure" "business_unit" {
name = "Business Unit"
description = "Groups all Azure subscription from a business unit"
tenant = "abbc1234-abc1-123a-1234-abcd1234abcd"
subscriptions = ["1a1a0b2-abc0-1ab1-1abc-1a000ab0a0a0", "2b000c3-ab10-1a01-1abc-1a000ab0a0a0"]
}
See additional information on the lacework_resource_group_azure
resource at Terraform Registry.
Group Containers
Labels are a mechanism for applying metadata to images. Tags convey useful information about a specific image version/variant (like aliases).
Lacework lets you group containers with specific labels and tags for granular alert routing.
resource "lacework_resource_group_container" "dev_middleware" {
name = "All Dev Middleware Images"
description = "Groups all dev middleware container images"
container_tags = ["dev"]
container_label {
key = "application"
value = "middleware"
}
}
See additional information on the lacework_resource_group_container
resource at Terraform Registry.
Group Machines
Lacework lets you group machines with specific tags for granular alert routing.
Machine tags are a combination of AWS tags and local agent tags. To learn how to set agent tags, see Add Agent Tags.
resource "lacework_resource_group_machine" "db" {
name = "All database machines"
description = "Groups all database machines"
machine_tags {
key = "application"
value = "db"
}
}
See additional information on the lacework_resource_group_machine
resource at Terraform Registry.
Group Lacework Accounts
This type of resource group is only available for Lacework organizations. For more information, see Organization Overview.
Lacework lets you group Lacework accounts for granular alert routing.
provider "lacework" {
organization = true
}
resource "lacework_resource_group_account" "production" {
name = "Prod LW accounts"
description = "Groups a Lacework accounts monitoring production"
accounts = ["business-unit", "prod-abc", "prod-xyz"]
}
See additional information on the lacework_resource_group_account
resource at Terraform Registry.