
Get Started with Terraform for Lacework

This topic describes how to get started using Hashicorp Terraform to configure and manage Lacework.

Configuration

The Terraform provider for Lacework must be configured to authenticate with a Lacework account. The next section discusses how to configure the Lacework provider.

Create Lacework API Key

The Terraform provider for Lacework requires an API key and secret to authenticate with Lacework. Lacework account administrators can create Lacework API keys via the Lacework Console. For more information, go to API Access Keys.

  1. Log in to the Lacework Console.
  2. Click Settings > Configuration > API keys.
  3. Click + Add New.
  4. Enter a name for the key and an optional description.
  5. Click Save.
  6. Click the ... icon and then Download to save the API key file locally.

The downloaded API key file contains a keyId, secret, subAccount, and account:

{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "subaccount",
  "account": "myaccount.lacework.net"
}

The Terraform provider for Lacework can reuse the configuration of the Lacework CLI. When you install and configure the Lacework CLI on the system from which you plan to run Terraform, it generates a configuration file named .lacework.toml that stores the API keys for every account you configured. The configuration file's default location is:

  • Linux and OS X - $HOME/.lacework.toml
  • Windows - %USERPROFILE%\.lacework.toml

You can manage the configuration file using the Lacework CLI. This method also supports a profile configuration and matching LW_PROFILE environment variable.

provider "lacework" {
  profile = "custom-profile"
}
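The profile lookup and the sensitivity of the .lacework.toml file are easy to get wrong, so here is an added example (not Lacework's code) that resolves which profile a Terraform run would use and checks that nobody but the file's owner can read the stored API secret. It parses only the [profile] / key = value subset of TOML that .lacework.toml uses, the second profile in the sample is constructed, and the precedence (explicit profile argument, then LW_PROFILE, then default) is an assumption about the provider rather than something this page states.

```python
"""Resolve the .lacework.toml profile Terraform would use and check the file's permissions.

Added example, not Lacework's code. Handles only the [profile] / key = value subset of
TOML found in .lacework.toml, and assumes an explicit `profile` argument wins over
LW_PROFILE, which in turn wins over "default".
"""
import os
import stat
from pathlib import Path

# Constructed sample matching the layout documented above; the second profile is invented.
SAMPLE_TOML = """\
# Example .lacework.toml - Config for Lacework CLI

[default]
account = "my-company"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2

[business-unit]
account = "my-company"
subaccount = "business-unit"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2
"""

REQUIRED_KEYS = ("account", "api_key", "api_secret")


def parse_profiles(text):
    """Parse [name] headers and key = value pairs; full-line '#' comments are skipped."""
    profiles = {}
    current = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip()
            profiles[current] = {}
            continue
        if current is None or "=" not in line:
            raise ValueError(f"line {lineno}: expected a [profile] header or key = value")
        key, value = (part.strip() for part in line.split("=", 1))
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]          # quoted string
        elif value.isdigit():
            value = int(value)           # e.g. version = 2
        profiles[current][key] = value
    return profiles


def select_profile(profiles, profile_arg=None, env=os.environ):
    """Return (name, settings) using the assumed precedence: argument > LW_PROFILE > default."""
    name = profile_arg or env.get("LW_PROFILE") or "default"
    if name not in profiles:
        raise KeyError(f"profile {name!r} not found; available: {sorted(profiles)}")
    settings = profiles[name]
    missing = [k for k in REQUIRED_KEYS if k not in settings]
    if missing:
        raise ValueError(f"profile {name!r} lacks required keys: {missing}")
    return name, settings


def mode_findings(mode, path=".lacework.toml"):
    """Flag a credentials file that anyone besides its owner can read or write (POSIX bits)."""
    findings = []
    if mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(f"{path}: readable by group/others (mode {mode:04o}); expected 0600")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: writable by group/others (mode {mode:04o}); expected 0600")
    return findings


def check_file(path):
    """Parse a real config file and combine the profile lookup with the permission check."""
    p = Path(path)
    findings = mode_findings(stat.S_IMODE(p.stat().st_mode), str(p))
    name, settings = select_profile(parse_profiles(p.read_text()))
    return name, settings, findings


if __name__ == "__main__":
    name, settings = select_profile(parse_profiles(SAMPLE_TOML), profile_arg="business-unit")
    print(f"profile={name} account={settings['account']} subaccount={settings.get('subaccount', '-')}")
    for finding in mode_findings(0o644):      # what a typical default umask produces
        print("finding:", finding)
```

Run it against a real file with `check_file(os.path.expanduser("~/.lacework.toml"))`; on Windows the permission bits reported by `stat` are not meaningful, so only the profile resolution applies there.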

Organization Accounts

A Lacework organization can contain multiple accounts so you can manage components such as alerts, resource groups, team members, and audit logs at a more granular level inside an organization. A team member may have access to multiple accounts and can easily switch between them.

Note: To manage multiple accounts, a user must have the Organization Admin role.

Use the subaccount argument to switch to a different account inside your Lacework organization.

The following example shows a default profile that has access to the primary account named my-company:

# Example .lacework.toml - Config for Lacework CLI

[default]
account = "my-company"
api_key = "my-api-key"
api_secret = "my-api-secret"
version = 2

To access your sub-account named business-unit, specify the subaccount argument.

## Example main.tf
provider "lacework" {
  alias = "primary"
}

provider "lacework" {
  alias = "business-unit"
  # This uses the same default profile but points to a sub-account
  subaccount = "business-unit"
}

From there, you can pass the alias meta-argument to any resource to switch between accounts:

resource "lacework_alert_channel_slack" "primary_critical" {
  provider = lacework.primary
  # ...
}

resource "lacework_alert_channel_slack" "business_unit_critical" {
  provider = lacework.business-unit
  # ...
}

For more information on using alias to configure multiple providers, see Multiple Provider Configurations on the Terraform documentation site.

Environment Variables

You can provide your credentials via the LW_ACCOUNT, LW_API_KEY, and LW_API_SECRET environment variables. These hold, respectively, the subdomain of your Lacework account URL (the part before .lacework.net), your Lacework API access key, and your Lacework API access secret.

provider "lacework" {}

Bash:

export LW_ACCOUNT="my-account"
export LW_API_KEY="my-api-key"
export LW_API_SECRET="my-api-secret"

PowerShell:

$Env:LW_ACCOUNT = "my-account"
$Env:LW_API_KEY = "my-api-key"
$Env:LW_API_SECRET = "my-api-secret"

Static Credentials

You can provide static credentials by adding the account, api_key, and api_secret in-line in the Lacework provider block:

provider "lacework" {
  account = "my-account"
  api_key = "my-api-key"
  api_secret = "my-api-secret"
}
Warning: Hard-coding credentials into any Terraform configuration is not recommended. Secrets could be leaked by committing hard-coded credentials to a public version control system.
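A check that catches the hard-coded pattern before it reaches version control is the practical counterpart of the warning above. The following added example (not Lacework's or HashiCorp's code) scans Terraform text for `provider "lacework"` blocks whose `api_key` or `api_secret` is a string literal, and reports the line with the value redacted; values taken from `var.*`, `local.*` or a `"${...}"` interpolation are treated as acceptable. The sample main.tf embedded in it is constructed, and the scanner understands flat provider blocks with `#` line comments only.

```python
"""Scan Terraform text for Lacework provider blocks that embed api_key/api_secret literals.

Added example, not Lacework's or HashiCorp's code. It understands flat provider blocks
with '#' line comments and double-quoted strings; values taken from var.*, local.* or
an interpolation ("${...}") are treated as not hard-coded.
"""
import re
import sys

# Constructed sample: the first block hard-codes credentials, the second reads variables.
SAMPLE_TF = '''\
# main.tf (constructed)
provider "lacework" {
  alias      = "legacy"
  account    = "my-account"
  api_key    = "my-api-key"        # hard-coded
  api_secret = "my-api-secret"     # hard-coded
}

provider "lacework" {
  alias      = "ci"
  account    = var.lacework_account
  api_key    = var.lacework_api_key
  api_secret = var.lacework_api_secret
}

resource "lacework_alert_channel_slack" "critical" {
  provider = lacework.ci
  name     = "critical"
}
'''

BLOCK_START = re.compile(r'provider\s+"lacework"\s*\{')
CREDENTIAL_ATTR = re.compile(r'^[ \t]*(api_key|api_secret)[ \t]*=[ \t]*"([^"\n]*)"', re.MULTILINE)


def provider_blocks(text):
    """Yield (line_of_opening_brace, body) for each provider "lacework" block, brace-matched."""
    for start in BLOCK_START.finditer(text):
        depth, i, in_string, in_comment = 1, start.end(), False, False
        while i < len(text) and depth:
            ch = text[i]
            if in_comment:
                in_comment = ch != "\n"
            elif in_string:
                if ch == "\\":
                    i += 1                # skip the escaped character
                elif ch == '"':
                    in_string = False
            elif ch == '"':
                in_string = True
            elif ch == "#":
                in_comment = True
            elif ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
            i += 1
        yield text.count("\n", 0, start.start()) + 1, text[start.end():i - 1]


def redact(secret):
    """Keep a short prefix so a finding can be matched to its source without echoing the secret."""
    return secret[:4] + "..." if len(secret) > 4 else "****"


def find_hardcoded_credentials(text):
    """Return (line, attribute, redacted_value) for every credential literal in a provider block."""
    findings = []
    for block_line, body in provider_blocks(text):
        for m in CREDENTIAL_ATTR.finditer(body):
            if m.group(2).startswith("${"):
                continue                  # interpolation: the value is not a literal secret
            line = block_line + body.count("\n", 0, m.start())
            findings.append((line, m.group(1), redact(m.group(2))))
    return findings


def main(paths):
    """Exit non-zero when any file carries a hard-coded credential; usable as a pre-commit hook."""
    bad = False
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            text = fh.read()
        for line, attr, shown in find_hardcoded_credentials(text):
            print(f"{path}:{line}: {attr} is a literal ({shown}); use LW_API_KEY/LW_API_SECRET or a variable")
            bad = True
    return 1 if bad else 0


if __name__ == "__main__":
    if len(sys.argv) > 1:
        sys.exit(main(sys.argv[1:]))
    for finding in find_hardcoded_credentials(SAMPLE_TF):
        print(finding)
```

Invoke it as `python scan_lacework_creds.py *.tf` from a pre-commit hook so a commit with a literal key or secret is rejected before it leaves the workstation; with no arguments it runs over the constructed sample.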

Organization Level Access

Organization administrators can access organization level data sets by setting the organization argument to true.

provider "lacework" {
  organization = true
}

Note: When accessing organization level data sets, the subaccount argument is ignored.

Using this type of configuration is intended for managing resources such as alerts, resource groups, team members, cloud accounts, and more, at the organization level.

Version Pinning

Lacework Terraform projects are under heavy development with frequent releases. It is important to create a strategy for upgrading and testing new releases within your environment to avoid unintentional changes due to new features and/or new functionality. This is especially important if you plan to run Terraform continuously using a CI/CD pipeline.

Lacework recommends using pessimistic version constraints for Lacework Terraform projects. This ensures that you will get minor updates, which include bug fixes and minor changes, while avoiding major version upgrades that could result in breaking changes.

For example, the following required_providers block constrains the Terraform provider for Lacework to 1.15.x and later 1.x releases while excluding 2.x.x versions:

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.15"
    }
  }
}

provider "lacework" {
  # Configuration options
}

Alternatively, the following example shows how to pin to a specific version of the Terraform provider for Lacework:

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "0.3.1" # Version is pinned to 0.3.1
    }
  }
}

provider "lacework" {
  # Configuration options
}
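To make the difference between the two constraints above concrete, here is an added example (not HashiCorp's or Lacework's code) that implements the documented meaning of Terraform's version constraint operators, including the pessimistic `~>` form, for plain X.Y.Z versions. Given a constraint and a list of candidate versions it reports which ones qualify and which one `terraform init` would select in the absence of a lock file. The candidate list is constructed for illustration and is not a list of real provider releases; pre-release suffixes are not handled.

```python
"""Evaluate Terraform provider version constraints, including the pessimistic '~>' operator.

Added example, not HashiCorp's or Lacework's code. Implements the documented meaning of
Terraform's constraint operators for plain X.Y.Z versions (pre-release suffixes are not
handled). CANDIDATES is constructed for illustration, not a list of real releases.
"""
import re

CLAUSE = re.compile(r"^\s*(~>|>=|<=|!=|=|>|<)?\s*(\d+(?:\.\d+)*)\s*$")

# Constructed candidate versions, standing in for what a registry might offer.
CANDIDATES = ["0.3.1", "0.3.2", "1.14.0", "1.15.0", "1.15.2", "1.19.0", "2.0.0", "2.1.0"]


def parse_version(text):
    """'1.15' -> (1, 15, 0); tuple comparison then gives the numeric ordering."""
    parts = [int(p) for p in text.strip().split(".")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"unsupported version {text!r}")
    return tuple(parts + [0] * (3 - len(parts)))


def pessimistic_bounds(spec):
    """Lower (inclusive) and upper (exclusive) bound of '~> spec'.

    '~> 1.15' means >= 1.15.0, < 2.0.0; '~> 1.15.3' means >= 1.15.3, < 1.16.0;
    '~> 1' means >= 1.0.0, < 2.0.0. Only the rightmost listed component may grow,
    so the increment lands on the component before it.
    """
    parts = [int(p) for p in spec.strip().split(".")]
    bump = max(len(parts) - 2, 0)
    upper = parts[:bump] + [parts[bump] + 1]
    return parse_version(".".join(map(str, parts))), parse_version(".".join(map(str, upper)))


def version_allowed(version, constraint):
    """True when `version` satisfies every comma-separated clause of `constraint`."""
    v = parse_version(version)
    for clause in constraint.split(","):
        m = CLAUSE.match(clause)
        if not m:
            raise ValueError(f"cannot parse constraint clause {clause!r}")
        op, spec = m.group(1) or "=", m.group(2)   # a bare version means an exact pin
        s = parse_version(spec)
        if op == "~>":
            lower, upper = pessimistic_bounds(spec)
            ok = lower <= v < upper
        else:
            ok = {"=": v == s, "!=": v != s, ">": v > s, ">=": v >= s, "<": v < s, "<=": v <= s}[op]
        if not ok:
            return False
    return True


def newest_allowed(constraint, candidates=CANDIDATES):
    """The version `terraform init` selects without a lock file: the highest candidate that satisfies the constraint."""
    allowed = [c for c in candidates if version_allowed(c, constraint)]
    return max(allowed, key=parse_version) if allowed else None


if __name__ == "__main__":
    for constraint in ("~> 1.15", "0.3.1", "~> 1.15.2", ">= 1.0, < 2.0"):
        picks = [c for c in CANDIDATES if version_allowed(c, constraint)]
        print(f"{constraint!r:18} allows {picks} -> selects {newest_allowed(constraint)}")
```

Note that `~> 1.15` accepts 1.19.0 but rejects 2.0.0, whereas the exact pin `0.3.1` rejects even 0.3.2; the pessimistic form is what lets a CI pipeline pick up fixes without crossing a major boundary.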