
Maintain Cloud Integrations with Terraform

Lacework works by collecting, processing, and analyzing data it collects from the environments where it is deployed, such as integrated cloud accounts. Lacework uses this data to establish baselines, detect anomalies, generate reports, and more. You can also create queries against the data set yourself, whether for ad hoc investigation or to create custom policies.

Info: See Datasource Metadata for more information about Lacework datasources.

Lacework regularly expands the data it collects, either by collecting data from new services or by using additional APIs of services it already monitors. The cloud APIs invoked for these services often require additional permissions for the cloud roles. Accordingly, administering Lacework involves monitoring your integration and occasionally updating it to allow for new datasources.

Info: An indication that you may need to update your cloud account integration is the occurrence of CSPAccessDeniedError errors in Lacework, which indicate that Lacework is unable to access a resource.

To keep your Lacework integration up to date, Lacework recommends using Terraform. Lacework regularly updates the cloud configuration script, including incorporating the latest required cloud permissions. By running the script regularly, you apply the latest changes.

The following steps describe how to apply the Lacework configuration Terraform script to maintain your integration. Follow Add a Cloud Integration to Terraform Management if you have not already used Terraform for the cloud integration, or Update an Integration Under Terraform Management if it is already under Terraform management.

This procedure applies to AWS configuration integrations only (that is, of type AwsCfg), not to CloudTrail or other types of integrations.

Prerequisites

To perform the steps described in this topic, you will need:

  • Terraform installed.
  • The Lacework CLI installed and configured.
  • Access to the integrated AWS account.

For more information on these topics, see Get Started with Terraform for Lacework.

Add a Cloud Integration to Terraform Management

Lacework provides various ways to create an AWS integration. These steps describe how to bring an integration that was created by another means, such as manually or with CloudFormation, under Terraform management, and then apply an upgrade.

Step 1: Gather Information

To add a Lacework integration to Terraform, you will need information related to the Lacework integration, including the integration name and information related to the Lacework user associated with the account.

To get this information, follow these steps:

  1. From a terminal with the Lacework CLI installed and configured, run the following command to see a list of existing Lacework integrations:

    lacework cloud-accounts list

    The output lists the cloud account integrations, such as the following:

        CLOUD ACCOUNT GUID                          NAME            TYPE     STATUS    STATE
        --------------------------------------------+---------------+--------+---------+-------
        DEV81383_BBB2ADFFD89DAFA1750A205A77816B84   dev8-doc        AwsCfg   Enabled   Ok
        DEV81383_4AA069C2D122BB0AB1F1E58F5B97AF29   dev-qa          OciCfg   Enabled   Ok
        DEV81383_215A13612BC532418965C1B9099D9FE0   dev-doc230405   OciCfg   Enabled   Ok
        DEV81383_A3D15CFF7AAFFD202357AD59154153AD   dev7-doc        AwsCfg   Enabled   Ok
        DEV81383_193B0E884D4E0F2D63D6478BDF4C94C8   dev6-doc        AwsCfg   Enabled   Ok

  2. Note the cloud account GUID for the integration you want to add to Terraform management.

  3. Get details for the integration you want to put under Terraform management using the lacework cloud-account show command, passing it the cloud account GUID you just noted, for example:

    lacework cloud-account show DEV81383_BBB2ADFFD89DAFA1750A205A77816B84

    This produces output such as the following:

        CLOUD ACCOUNT GUID                          NAME       TYPE     STATUS    STATE
        --------------------------------------------+----------+--------+---------+-------
        DEV81383_BBB2ADFFD89DAFA1750A205A77816B84   dev8-doc   AwsCfg   Enabled   Ok

        DETAILS
        -------------------------------------------------------------------------------
        AWS ACCOUNT ID          249446771485
        EXTERNAL ID             lweid:aws:v2:your-account:249446771485:dkl31.09ip
        LAST SUCCESSFUL STATE   2023-05-02T12:17:51-07:00
        ROLE ARN                arn:aws:iam::249446771485:role/lw-doc-test-config
        STATE DETAILS           {}
        STATE UPDATED AT        2023-05-02T12:17:51-07:00
        UPDATED AT              2023-11-10T01:02:42.641Z
        UPDATED BY              user@example.com

  4. Note these values from the output:

    • INTEGRATION NAME (dev8-doc, in the example)
    • EXTERNAL ID (such as lweid:aws:v2:your-account:249446771485:dkl31.09ip)
    • ROLE ARN (such as arn:aws:iam::249446771485:role/lw-doc-test-config)
    • ROLE NAME, which is the last segment of the ROLE ARN (such as lw-doc-test-config)

    You will use these values in the next step.

Step 2: Run the Terraform Script

  1. Create a new directory for the Terraform code, for example:

    mkdir lacework-config-integration
  2. Change to the new directory:

    cd lacework-config-integration
  3. In the directory, create the main.tf file, and populate it with the following code:

        terraform {
          required_providers {
            lacework = {
              source = "lacework/lacework"
            }
          }
        }

        provider "lacework" {}
        provider "aws" {}

        module "aws_config" {
          source                    = "lacework/config/aws"
          version                   = "~> 0.13"
          use_existing_iam_role     = true
          iam_role_arn              = "ROLE_ARN"
          iam_role_name             = "ROLE_NAME"
          iam_role_external_id      = "EXTERNAL_ID"
          lacework_integration_name = "INTEGRATION_NAME"
        }

    Replace the placeholder values (ROLE_ARN, ROLE_NAME, EXTERNAL_ID, INTEGRATION_NAME) with the values you gathered in step 1. For example:

        terraform {
          required_providers {
            lacework = {
              source = "lacework/lacework"
            }
          }
        }

        provider "lacework" {}
        provider "aws" {}

        module "aws_config" {
          source  = "lacework/config/aws"
          version = "~>0.13"

          use_existing_iam_role     = true
          iam_role_arn              = "arn:aws:iam::249446771485:role/lw-doc-test-config"
          iam_role_name             = "lw-doc-test-config"
          iam_role_external_id      = "lweid:aws:v2:your-account:249446771485:dkl31.09ip"
          lacework_integration_name = "dev8-doc"
        }

  4. Replace the version (0.13) with the version of the Lacework config module that you want to apply. See Lacework config in the Terraform registry for the current version. The sample above uses the pessimistic constraint operator (~>) to pin the version to 0.13.n. Major version increments may include breaking changes. Review the module readme for more information.

  5. If your Lacework deployment uses subaccounts, you may need to modify the lacework provider block by adding the subaccount that you want to integrate. For example, the following shows a subaccount named qa_team in the Lacework organization:

        provider "lacework" {
          subaccount = "qa_team"
        }

  6. When the main.tf file is complete, save and close it, then initialize the directory:

        terraform init -upgrade

  7. Run the terraform import command, passing it the cloud account GUID that you noted earlier for the integration you want to import. For example:

        terraform import module.aws_config.lacework_integration_aws_cfg.default DEV81383_BBB2ADFFD89DAFA1750A205A77816B84

  8. Review and apply the Terraform plan:

        terraform plan
        terraform apply
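As an added example (not Lacework's own tooling), the following Python script does the bookkeeping of Step 1 and Step 2: it parses the text output of `lacework cloud-account show` as printed above, refuses to continue unless the TYPE column is AwsCfg (the only type this procedure covers), derives the role name from the role ARN, and renders the filled-in main.tf together with the matching terraform import command. The sample output embedded in it is constructed from the page's example values.

```python
"""Build the Step 2 main.tf and import command from `lacework cloud-account show` output.
Added example, not Lacework tooling; the sample output is constructed from the page's values."""
import re
from string import Template

# Constructed sample of `lacework cloud-account show <GUID>` output (abridged).
SAMPLE_SHOW_OUTPUT = """\
                  CLOUD ACCOUNT GUID             NAME        TYPE    STATUS    STATE
--------------------------------------------+-------------+--------+---------+--------
DEV81383_BBB2ADFFD89DAFA1750A205A77816B84 dev8-doc AwsCfg Enabled Ok
DETAILS
EXTERNAL ID lweid:aws:v2:your-account:249446771485:dkl31.09ip
ROLE ARN arn:aws:iam::249446771485:role/lw-doc-test-config
"""

MAIN_TF = Template('''terraform {
  required_providers {
    lacework = { source = "lacework/lacework" }
  }
}
provider "lacework" {}
provider "aws" {}
module "aws_config" {
  source                    = "lacework/config/aws"
  version                   = "~> 0.13"
  use_existing_iam_role     = true
  iam_role_arn              = "$role_arn"
  iam_role_name             = "$role_name"
  iam_role_external_id      = "$external_id"
  lacework_integration_name = "$name"
}
''')

def parse_show_output(text):
    """Return the Step 1 values; reject anything that is not an AwsCfg integration."""
    row = re.search(r"^(\w+_\w+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s*$", text, re.M)
    if not row:
        raise ValueError("no cloud account row found in output")
    guid, name, kind = row.group(1, 2, 3)
    if kind != "AwsCfg":  # CloudTrail and other types are out of scope for this procedure
        raise ValueError(f"{name} has type {kind}; only AwsCfg is supported")
    external_id = re.search(r"^EXTERNAL ID\s+(\S+)", text, re.M).group(1)
    role_arn = re.search(r"^ROLE ARN\s+(\S+)", text, re.M).group(1)
    return {"guid": guid, "name": name, "external_id": external_id,
            "role_arn": role_arn, "role_name": role_arn.rsplit("/", 1)[-1]}

def render(values):
    """Return (main.tf text, terraform import command) for the parsed values."""
    cmd = "terraform import module.aws_config.lacework_integration_aws_cfg.default " + values["guid"]
    return MAIN_TF.substitute(values), cmd
```

Pipe the real `lacework cloud-account show <GUID>` output into `parse_show_output`, write the first element of `render()` to main.tf and run the second after `terraform init -upgrade`.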

The resource manager will collect data for new services the next time it runs. After bringing your cloud integrations under Terraform management, you can use the instructions in Update an Integration Under Terraform Management to maintain them in the future.

Update an Integration Under Terraform Management

If your Lacework integration is already under Terraform management, you can use the following steps to regularly update your deployment. These steps assume that you have access to the Terraform script used to deploy your Lacework integration.

  1. Compare the current version of the Lacework config module in the Terraform registry to the version indicated in your Terraform script. If they differ, update your Terraform script to the desired version. If upgrading by a major version, say from 0.12 to 0.13, note that the upgrade may contain breaking changes. Review the module readme for more information.

  2. In your Terraform script, change the version to the desired target version if necessary. The version appears similar to the following:

        version = "~>0.13"

    To upgrade across minor versions, say from 0.13.0 to 0.13.1, no change is needed. To upgrade across major versions, say from 0.13.1 to 0.14.0, and you are using a version constraint such as the example, update the version indicated in the constraint.

  3. You can now apply the Terraform script by running these commands:

        terraform init -upgrade
        terraform plan
        terraform apply

The resource manager will collect data for new services the next time it runs.