
Manage Resource Groups with Terraform

This topic provides a foundational overview for using Terraform to configure and manage Lacework resource groups.

For organizations that have adopted HashiCorp Terraform for automation, Lacework maintains open source projects on the Terraform Registry for automating the Lacework platform. The Terraform provider offers a growing collection of custom resources to manage the configuration of the Lacework platform. If you are new to the Terraform provider for Lacework, read the Terraform for Lacework Overview.

About Lacework Resource Groups

Resource groups provide a way to categorize Lacework-identifiable assets.

Account-level resource groups let you categorize multiple assets that are identified by Lacework. These can include cloud accounts, containers, or machines. You can use resource groups for granular alert routing. For more information about alert rules, see Managing Alert Rules with Terraform.

Within each Lacework account, Lacework creates a default resource group for each resource type that already has an integration. A default resource group contains all assets of that type. Default resource groups cannot be deleted or edited.

After a resource type is integrated with Lacework, you can create a resource group for that type.

Configuring Resource Groups with Terraform

The following sub-sections provide examples of configuring Lacework Resource Groups with Terraform.

Group AWS Accounts

AWS lets you group workloads with a common business purpose in distinct AWS accounts to align the ownership and decision making with those accounts and avoid dependencies and conflicts with how workloads in other accounts are secured and managed.

Lacework lets you group multiple AWS accounts for granular alert routing.

# Resource group containing three AWS accounts, identified by account ID
resource "lacework_resource_group_aws" "retail_web_services" {
  name        = "Retail accounts"
  description = "Group of all AWS Accounts managing our point of sales"
  accounts    = ["123456789011", "123456789012", "123456789013"]
}

See additional information on the lacework_resource_group_aws resource at Terraform Registry.
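The sections above describe resource groups as the unit for granular alert routing. The following configuration, added here as an illustration and not taken from the Lacework documentation or provider source, ties the AWS resource group to an alert rule so that only Critical and High alerts from the three retail accounts reach a dedicated e-mail channel. It assumes the lacework_alert_channel_email and lacework_alert_rule resources with the arguments shown; the recipient address and severity list are constructed sample values.

```hcl
# Added example (not from the Lacework docs or provider source): route alerts
# from one AWS resource group to a dedicated e-mail channel.
# Assumptions: the lacework_alert_channel_email and lacework_alert_rule
# resources and the arguments used below; recipients are constructed values.

resource "lacework_resource_group_aws" "retail_web_services" {
  name        = "Retail accounts"
  description = "Group of all AWS Accounts managing our point of sales"
  accounts    = ["123456789011", "123456789012", "123456789013"]
}

# Alert channel that receives the routed alerts (sample recipient address).
resource "lacework_alert_channel_email" "retail_security" {
  name       = "Retail security team"
  recipients = ["retail-security@example.com"]
}

# Alert rule scoped to the resource group: only Critical and High alerts
# involving the three retail accounts are sent to this channel, so alerts
# from unrelated accounts do not reach this team.
resource "lacework_alert_rule" "retail_high_severity" {
  name            = "Retail accounts - high severity"
  description     = "Critical and High alerts from the retail AWS accounts"
  alert_channels  = [lacework_alert_channel_email.retail_security.id]
  severities      = ["Critical", "High"]
  resource_groups = [lacework_resource_group_aws.retail_web_services.id]
}
```

Referencing the group through `lacework_resource_group_aws.retail_web_services.id` rather than a hard-coded GUID lets Terraform create the group before the rule and keeps the rule in sync if the group is ever recreated.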

Group GCP Organizations and Projects

GCP projects are used to organize your Google Cloud resources, including your Cloud Storage data, into logical groups.

Lacework lets you group GCP projects from the same or different GCP organizations for granular alert routing.

# Resource group containing three GCP projects from one organization
resource "lacework_resource_group_gcp" "qa_resources" {
  name         = "QA Resources"
  description  = "Groups all GCP projects from QA Teams"
  organization = "YourGcpOrgID"
  projects     = ["project-1", "project-2", "project-3"]
}

Note: If your project is not part of an organization in the Lacework platform, or if you are looking to group projects across multiple organizations, enter an asterisk "*" as a string input into the organization argument.

See additional information on the lacework_resource_group_gcp resource at Terraform Registry.

Group Azure Tenants and Subscriptions

Multiple Azure subscriptions let you view billing for each subscription and limit who can access the Microsoft Azure services associated with that subscription. Additionally, multiple subscriptions help overcome Azure limits and constraints and improve development and project team agility.

Lacework lets you group Azure subscriptions from the same or different Azure tenants for granular alert routing.

# Resource group containing two subscriptions from one Azure tenant
resource "lacework_resource_group_azure" "business_unit" {
  name          = "Business Unit"
  description   = "Groups all Azure subscriptions from a business unit"
  tenant        = "abbc1234-abc1-123a-1234-abcd1234abcd"
  subscriptions = ["1a1a0b2-abc0-1ab1-1abc-1a000ab0a0a0", "2b000c3-ab10-1a01-1abc-1a000ab0a0a0"]
}

See additional information on the lacework_resource_group_azure resource at Terraform Registry.

Group Containers

Labels are a mechanism for applying metadata to images. Tags convey useful information about a specific image version/variant (like aliases).

Lacework lets you group containers with specific labels and tags for granular alert routing.

# Resource group matching container images by tag and by label key/value
resource "lacework_resource_group_container" "dev_middleware" {
  name           = "All Dev Middleware Images"
  description    = "Groups all dev middleware container images"
  container_tags = ["dev"]
  container_label {
    key   = "application"
    value = "middleware"
  }
}

See additional information on the lacework_resource_group_container resource at Terraform Registry.

Group Machines

Lacework lets you group machines with specific tags for granular alert routing.

Machine tags are a combination of AWS tags and local agent tags. To learn how to set agent tags, see Add Agent Tags.

# Resource group matching machines by tag key/value
resource "lacework_resource_group_machine" "db" {
  name        = "All database machines"
  description = "Groups all database machines"
  machine_tags {
    key   = "application"
    value = "db"
  }
}

See additional information on the lacework_resource_group_machine resource at Terraform Registry.

Group Lacework Accounts

This type of resource group is only available for Lacework organizations. For more information, see Organization Overview.

Lacework lets you group Lacework accounts for granular alert routing.

# Account resource groups require the provider to operate at organization level
provider "lacework" {
  organization = true
}

# Resource group containing three Lacework accounts within the organization
resource "lacework_resource_group_account" "production" {
  name        = "Prod LW accounts"
  description = "Groups all Lacework accounts monitoring production"
  accounts    = ["business-unit", "prod-abc", "prod-xyz"]
}

See additional information on the lacework_resource_group_account resource at Terraform Registry.