Skip to main content

Single Role Terraform Deployment

Lacework provides numerous Terraform modules that you can use to set up and manage the Lacework integration with your cloud service providers. These include, for example, modules for integrating Lacework with AWS Cloudtrail, configuration, ECS, and more.

Each Terraform module is designed to run in standalone fashion, encapsulating any dependencies required to apply its configuration. Accordingly, each module creates an IAM role under which it runs. Applying Lacework Terraform modules independently, therefore, results in the creation of multiple AWS IAM roles, one for each Terraform module.

You can avoid ending up with multiple IAM roles, and better coordinate multiple integrations, by creating a configuration file that specifies the Lacework modules you want to apply and the IAM role under which you want them to be applied.

This topic describes how to create such a Terraform configuration for AWS configuration and integrations. While this topic does not cover other cloud providers, the techniques shown here can apply to other cloud providers.

Use an Existing Role

The Terraform language provides a declarative language for provisioning and managing infrastructure. To manage your Lacework integrations, you can specify a new root configuration that defines the IAM user and the Lacework child modules to apply.

In Terraform code, you can create a role using the Lacework iam-role module as follows:

module "iam_role" {
source = "lacework/iam-role/aws"
version = "~> 0.4"
}

Then, to reuse the role, in each module definition specify the use of the existing role, identified by its external_id and name properties, as follows:

  use_existing_iam_role = true
iam_role_external_id = module.iam_role.external_id
iam_role_name = module.iam_role.name

By setting use_existing_iam_role to true, you direct Terraform to use the role created with the iam-role module.

The following section lists the complete sample code demonstrating this technique for integrating multiple modules.

Complete Terraform AWS Configuration Example

The following Terraform configuration example represents a complete Lacework integration using a single IAM role.

You can use this code as a model for your own Lacework Terraform configuration, following the techniques shown here.

terraform {
required_providers {
lacework = {
source = "lacework/lacework"
version = "~> 1.15"
}
}
}

# Required inputs
variable "ecs_cluster_arns" {
type = list(string)
description = "List of ARNs of the ECS clusters in which to deploy the Lacework agent"
default = []
}
variable "eks_cloudwatch_regions" {
type = list(string)
description = "A set of regions, to allow Cloudwatch Logs to be streamed from"
default = ["us-west-2"]
}
variable "ec2_agent_deployment_filter_tags" {
type = map(list(string))
description = "The list of tags (key:values) used to deploy the Lacework agent on EC2 instances"
default = {
environment = ["Testing"]
}
}

# For configuration options
# See https://registry.terraform.io/providers/lacework/lacework/latest/docs
provider "lacework" {}
provider "aws" {}

module "iam_role" {
source = "lacework/iam-role/aws"
version = "~> 0.4"
}

module "config" {
source = "lacework/config/aws"
version = "~> 0.13"

use_existing_iam_role = true
iam_role_external_id = module.iam_role.external_id
iam_role_name = module.iam_role.name
}
module "cloudtrail" {
source = "lacework/cloudtrail/aws"
version = "~> 2.8"

use_existing_iam_role = true
iam_role_external_id = module.iam_role.external_id
iam_role_name = module.iam_role.name
}
module "ecr" {
source = "lacework/ecr/aws"
version = "~> 0.9"

use_existing_iam_role = true
iam_role_external_id = module.iam_role.external_id
iam_role_name = module.iam_role.name
}
resource "lacework_agent_access_token" "ecs" {
name = "tf-deployment"
description = "ecs deployment via Terraform"
}
module "ecs-agent" {
for_each = toset(var.ecs_cluster_arns)

source = "lacework/ecs-agent/aws"
version = "~> 0.4"

use_existing_iam_role = true
iam_role_name = module.iam_role.name
lacework_access_token = lacework_agent_access_token.ecs.token
ecs_cluster_arn = each.value
}
module "eks-audit-log" {
source = "lacework/eks-audit-log/aws"
version = "~> 1.1"

use_existing_cross_account_iam_role = true
iam_role_external_id = module.iam_role.external_id
iam_role_arn = module.iam_role.arn
cloudwatch_regions = var.eks_cloudwatch_regions
}
module "agentless-scanning" {
source = "lacework/agentless-scanning/aws"
version = "~> 0.13"

global = true
regional = true
use_existing_cross_account_role = true
cross_account_role_name = module.iam_role.name
cross_account_role_arn = module.iam_role.arn
external_id = module.iam_role.external_id
}
# (Optional) Agent deployment on EC2 instances via SSM
resource "lacework_agent_access_token" "ssm_deployment" {
name = "ssm-deployment"
description = "Used to deploy agents using AWS System Manager"
}
module "ssm_agent_install" {
source = "lacework/ssm-agent/aws"
version = "~> 0.10"

lacework_access_token = lacework_agent_access_token.ssm_deployment.token
}
locals {
ec2_tag_filters = [for key, values in var.ec2_agent_deployment_filter_tags : format("%#v", {
Key = key
Values = [ values ]
})]
}
resource "aws_resourcegroups_group" "testing" {
name = "Testing"

resource_query {
query = jsonencode({
ResourceTypeFilters = [
"AWS::EC2::Instance"
]

TagFilters = local.ec2_tag_filters
})
}

tags = {
billing = "testing"
owner = "myself"
}
}

resource "aws_ssm_association" "lacework_aws_ssm_agents_install_testing" {
association_name = "install-lacework-agents-testing-group"

name = module.ssm_agent_install.ssm_document_name

targets {
key = "resource-groups:Name"
values = [
aws_resourcegroups_group.testing.name,
]
}

compliance_severity = "HIGH"
}

Use the Example Configuration

To use the sample configuration, create a directory in the environment from which you intend to run Terraform. Add a new main.tf file to the directory, pasting the sample code into it.

Modify a few elements of the example, as follows.

Step 1. Add Variable Values

The configuration first declares three input variables used to integrate Lacework andAmazon ECS and EKS. If integrating those resources, provide values for the variables:

  • If installing Lacework agents on AWS ECS, add ARNs of clusters to integrate to the ecs_cluster_arns variable definition. For example:

    variable "ecs_cluster_arns" {
    type = list(string)
    description = "List of ARNs of the ECS clusters in which to deploy the Lacework agent"
    default = ["arn:aws:ecs:us-west-2:123456789012:cluster/default"]
    }
  • If integrating EKS, modify the region if needed. Separate multiple regions by comma:

    variable "eks_cloudwatch_regions" {
    type = list(string)
    description = "A set of regions, to allow Cloudwatch Logs to be streamed from"
    default = ["us-west-2", "us-west-1", "us-east-1"]
    }
  • If deploying agents to EC2 instances, you can specify the EC2 instances on which to deploy agents based on EC2 tags. Use ec2_agent_deployment_filter_tags to specify the key-value pairs of tags that identify EC2 instances on which to install the Lacework agent. For example:

    variable "ec2_agent_deployment_filter_tags" {
    type = map(list(string))
    description = "The list of tags (key:values) used to deploy the Lacework agent on EC2 instances"
    default = {
    environment = ["dev", "qa"]
    orgunit = ["finapp"]
    }
    }

Step 2. Remove Unneeded Modules

The sample configuration shows examples of a complete AWS integration, not all of which may be relevant to your requirements. Remove any modules that are not relevant.

Step 3. Verify Terraform Setup

Before running your Terraform configuration, make sure you are set up to do so, as described in Get Started with Terraform for Lacework.

For Lacework permissions, make sure you have configured credentials of a service user with Lacework admin access. Terraform can rely on the Lacework credentials that are configured for the CLI. See Configure Using the Lacework CLI for more information.

Also, ensure that your cloud client environment is configured with credentials of a user with sufficient permissions for performing the operations specified in the configuration. For AWS, you need to have AWS Account Admin permissions.

Step 4. Apply the Configuration

When finished modifying the configuration for your requirements, run terraform init and terraform apply to apply the configuration. See the Terraform CLI documentation for general information on using Terraform.