
Manage Alert Rules with Terraform

This topic provides an overview of using Terraform to configure and manage Lacework alert rules.

For organizations that have adopted HashiCorp Terraform for automation, Lacework maintains open source projects on the Terraform Registry for automating the Lacework platform. The Terraform provider offers a growing collection of custom resources that manage the configuration of the Lacework platform. If you are new to the Terraform provider for Lacework, read the Terraform for Lacework Overview first.

About Lacework Alert Rules

Lacework alert rules provide a mechanism to route events to the appropriate people or tools.

Alert rules use alert channels and, optionally, resource groups. Before continuing, ensure you understand both topics.

An alert rule has three parts:

  • Alert channel(s) that should receive the event notification
  • Event severity and categories to include
  • Resource group(s) containing the subset of your environment to consider

Typically, organizations have many alert rules. Reasons for using multiple rules include routing compliance events to different people or tools than runtime events, ensuring that high severity alerts reach on-call personnel, and notifying teams only about the subset of the infrastructure they manage. Alert rules are flexible enough to get the right information to the right people (or tools).

Configuring Alert Rules with Terraform

Note: The remainder of this topic assumes all resource groups and alert channels are configured with Terraform. Though it is possible to configure only the alert rules with Terraform, it is best to use Terraform for all three.

The following subsections provide examples of configuring Lacework alert rules with Terraform.

Basic Alert Rule

This example creates a simple email alert channel and then creates a new alert rule. Notice that the alert rule uses the ID of the email alert channel in its definition.

The alert rule accepts the following properties (all required):

  • name: This is the friendly name displayed in the Lacework Console
  • alert_channels: List of alert channel IDs
  • severities: List of the event severities that should be sent to the alert channel

Note: See full details for property types and their values at Terraform Registry.

This new rule ensures that all event types from all resources are sent to the specified email, provided the event is of medium or higher severity.

# Email channel that receives the notifications
resource "lacework_alert_channel_email" "event_notifications" {
  name       = "All Event Notifications"
  recipients = ["email@domain.com"]
}

# No resource_groups or event_categories: all events from all resources match
resource "lacework_alert_rule" "all_events" {
  name           = "Alert Rule for All Events"
  severities     = ["High", "Medium"]
  alert_channels = [lacework_alert_channel_email.event_notifications.id]
}

Alert Rule for a Specific AWS Account

This example creates a new alert rule that notifies the supplied alert channel only if the source event came from the AWS account specified in the resource group. The example first defines a resource group and an email alert channel, then an alert rule that uses both resources as input.

The alert rule accepts the following properties:

  • name: This is the friendly name displayed in the Lacework Console
  • alert_channels: List of alert channel IDs
  • severities: List of the event severities that should be sent to the alert channel
  • resource_groups: List of resource group IDs; only events that originate from items contained in these resource groups will be sent

Note: See full details for property types and their values at Terraform Registry.

The result of this new rule is that only events sourced from the AWS account 123456789011 with a severity of medium or high will notify the alert channel.

# Resource group scoping the rule to a single AWS account
resource "lacework_resource_group_aws" "prod_aws_account" {
  name     = "Production AWS Resources"
  accounts = ["123456789011"]
}

resource "lacework_alert_channel_email" "prod_notification" {
  name       = "Production Notification Channel"
  recipients = ["email@domain.com"]
}

# Rule that only fires for events originating in the resource group above
resource "lacework_alert_rule" "prod_aws" {
  name            = "Prod AWS Account Notification"
  severities      = ["High", "Medium"]
  alert_channels  = [lacework_alert_channel_email.prod_notification.id]
  resource_groups = [lacework_resource_group_aws.prod_aws_account.id]
}

Alert Rule for a Specific Event Type

Lacework generates events in many categories, for example Compliance or Cloud Activity. In this example, the new alert rule notifies only if the event is of the selected category. The example below first creates an email alert channel and then a new rule that limits the event category to Compliance.

The alert rule accepts the following properties:

  • name: This is the friendly name displayed in the Lacework Console
  • alert_channels: List of alert channel IDs
  • severities: List of the event severities that should be sent to the alert channel
  • event_categories: List of the types of events to send to this alert channel

Note: See full details for property types and their values at Terraform Registry.

resource "lacework_alert_channel_email" "compliance_events" {
  name       = "Compliance Events"
  recipients = ["email@domain.com"]
}

# event_categories restricts the rule to the Compliance category only
resource "lacework_alert_rule" "compliance_events" {
  name             = "All Compliance Events"
  severities       = ["High", "Medium"]
  event_categories = ["Compliance"]
  alert_channels   = [lacework_alert_channel_email.compliance_events.id]
}

Multiple Alert Rules for Intelligent Routing

Most teams need to route alerts of different types and severities to specific people or tools. This example creates multiple alert channels and demonstrates splitting event notifications across them. The example creates two alert channels, one for Slack and one for email. It then defines three alert rules: two rules for non-compliance events, sending the higher severities to Slack and the lower severities to email, and a final rule for compliance events, whose notifications go to email. Notice that the email alert channel is used more than once; you can reference resource groups and alert channels from as many rules as needed.

The alert rules use the following properties:

  • name: This is the friendly name displayed in the Lacework Console
  • alert_channels: List of alert channel IDs
  • severities: List of the event severities that should be sent to the alert channel
  • event_categories: List of the types of events to send to this alert channel

Note: See full details for property types and their values at Terraform Registry.

resource "lacework_alert_channel_email" "sre_team" {
  name       = "SRE Team Notifications"
  recipients = ["email@domain.com"]
}

resource "lacework_alert_channel_slack" "sre_team" {
  name      = "SRE Team Slack Notifications"
  slack_url = "https://hooks.slack.com/services/TEAM/WEBHOOK/ID"
}

# Urgent non-compliance events go to Slack
resource "lacework_alert_rule" "sre_urgent" {
  name             = "SRE High/Critical Events"
  severities       = ["High", "Critical"]
  event_categories = ["App", "Cloud", "File", "Machine", "User", "Platform"]
  alert_channels   = [lacework_alert_channel_slack.sre_team.id]
}

# Lower severity non-compliance events go to email
resource "lacework_alert_rule" "sre_low_priority" {
  name             = "SRE Lower Severity Events"
  severities       = ["Low", "Medium"]
  event_categories = ["App", "Cloud", "File", "Machine", "User", "Platform"]
  alert_channels   = [lacework_alert_channel_email.sre_team.id]
}

# Compliance events are routed separately, reusing the email channel
resource "lacework_alert_rule" "sre_compliance" {
  name             = "SRE Compliance Events"
  severities       = ["High", "Critical"]
  event_categories = ["Compliance"]
  alert_channels   = [lacework_alert_channel_email.sre_team.id]
}
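The per-team routing described in the overview (each team notified only for the subset of the infrastructure it manages), as an added example that is not from the Lacework documentation: one resource group, one email channel and one rule are generated per team from a single map with for_each, plus a catch-all rule so that Critical events outside any team's accounts are not silently dropped. Team names, account IDs and addresses are placeholders, and only the resource attributes already shown on this page are used.

```hcl
# Added example (not from the Lacework docs): per-team routing driven by a map.
# Team names, account IDs and recipient addresses are placeholders.
locals {
  teams = {
    payments = {
      accounts   = ["111111111111"]
      recipients = ["payments-oncall@example.com"]
    }
    data = {
      accounts   = ["222222222222", "333333333333"]
      recipients = ["data-oncall@example.com"]
    }
  }
}

# One AWS resource group per team, scoped to that team's accounts
resource "lacework_resource_group_aws" "team" {
  for_each = local.teams
  name     = "${each.key} AWS accounts"
  accounts = each.value.accounts
}

# One email channel per team
resource "lacework_alert_channel_email" "team" {
  for_each   = local.teams
  name       = "${each.key} team notifications"
  recipients = each.value.recipients
}

# One rule per team: only events from that team's resource group reach its channel
resource "lacework_alert_rule" "team_urgent" {
  for_each        = local.teams
  name            = "${each.key}: High/Critical events"
  severities      = ["High", "Critical"]
  resource_groups = [lacework_resource_group_aws.team[each.key].id]
  alert_channels  = [lacework_alert_channel_email.team[each.key].id]
}

# Catch-all for the security team: no resource_groups, so Critical events from
# accounts not owned by any team still get routed somewhere
resource "lacework_alert_channel_email" "security_catch_all" {
  name       = "Security catch-all"
  recipients = ["security-oncall@example.com"]
}

resource "lacework_alert_rule" "critical_catch_all" {
  name           = "Critical events (all resources)"
  severities     = ["Critical"]
  alert_channels = [lacework_alert_channel_email.security_catch_all.id]
}
```

Adding a team is then a one-entry change to local.teams; the team rule and the catch-all overlap on Critical events inside team accounts, which is intentional so that both the owning team and the security channel are notified.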