feat: add basic AWS SSM command to install and configure Lacework age…

…nt (#3)

This is the naive implementation that assumes many things about targeted hosts. Multiple TODOs were added to guide future improvements.

Signed-off-by: Jean-Philippe Lachance <jplachance@coveo.com>

.gitignore

@@ -1,6 +1,12 @@
+# IDE files
+.idea
+
 # Local .terraform directories
 **/.terraform/*
 
+# Terraform lock file
+.terraform.lock.hcl
+
 # .tfstate files
 *.tfstate
 *.tfstate.*

examples/default/README.md

@@ -0,0 +1,3 @@
+# Default AWS SSM command deployment
+
+This example deploys into AWS an AWS SSM Command that can be used to install the Lacework agent on a Linux EC2 instance.

examples/default/main.tf

@@ -0,0 +1,61 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+module "lacework_aws_ssm_agents_install" {
+  source = "../../"
+
+  lacework_agent_tags = {
+    env = "dev"
+  }
+
+  aws_resources_tags = {
+    billing = "testing"
+    owner   = "myself"
+  }
+}
+
+resource "aws_resourcegroups_group" "testing" {
+  name = "Testing"
+
+  resource_query {
+    query = jsonencode({
+      ResourceTypeFilters = [
+        "AWS::EC2::Instance"
+      ]
+
+      TagFilters = [
+        {
+          Key = "environment"
+          Values = [
+            "Testing"
+          ]
+        }
+      ]
+    })
+  }
+
+  tags = {
+    billing = "testing"
+    owner   = "myself"
+  }
+}
+
+resource "aws_ssm_association" "lacework_aws_ssm_agents_install_testing" {
+  association_name = "install-lacework-agents-testing-group"
+
+  name = module.lacework_aws_ssm_agents_install.ssm_document_name
+
+  targets {
+    key = "resource-groups:Name"
+    values = [
+      aws_resourcegroups_group.testing.name,
+    ]
+  }
+
+  parameters = {
+    Token = "my-lacework-token"
+  }
+
+  compliance_severity = "HIGH"
+}

examples/default/versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12.0"
+}

main.tf

@@ -0,0 +1,54 @@
+resource "aws_ssm_document" "setup_lacework_agent" {
+  name          = "${var.aws_resources_prefix}setup-lacework-agent"
+  document_type = "Command"
+
+  target_type = "/AWS::EC2::Instance"
+
+  content = jsonencode({
+    schemaVersion = "2.2"
+    description   = "Setup the Lacework agent on a Linux instance"
+
+    parameters = {
+      LaceworkInstallPath = {
+        type        = "String"
+        description = "The expected Lacework installation path"
+        default     = "/var/lib/lacework"
+      }
+
+      Token = {
+        type        = "String"
+        description = "The access token for the Lacework agent"
+        default     = var.lacework_access_token
+      }
+
+      # TODO: Figure out the proper way of passing tags to our bash script, currently does not generate a valid config.json file
+      Tags = {
+        type        = "String"
+        description = "The Lacework agent token"
+        default     = jsonencode(var.lacework_agent_tags)
+      }
+    }
+
+    mainSteps = [
+      {
+        action = "aws:runShellScript"
+        name   = "SetupLaceworkAgent"
+
+        precondition = {
+          StringEquals = [
+            "platformType",
+            "Linux",
+          ]
+        }
+
+        inputs = {
+          runCommand = [
+            file("${path.module}/setup_lacework_agent.sh"),
+          ]
+        }
+      }
+    ]
+  })
+
+  tags = var.aws_resources_tags
+}

outputs.tf

@@ -0,0 +1,4 @@
+output "ssm_document_name" {
+  description = "Name of the AWS SSM Document that setups the Lacework agent"
+  value       = aws_ssm_document.setup_lacework_agent.name
+}

setup_lacework_agent.sh

@@ -0,0 +1,42 @@
+#!/usr/bin/env bash
+
+set -e
+
+LACEWORK_INSTALL_PATH="{{ LaceworkInstallPath }}"
+
+# TODO: Fetch the token from AWS SSM Parameter Store instead of taking it in as a Command parameter (avoid leaks in the AWS Console)
+TOKEN='{{ Token }}'
+TAGS='{{ Tags }}'
+
+# TODO: Handle systems that don't have systemctl
+if systemctl is-active --quiet kubelet; then
+  echo "This host appears to be a Kubernetes node, please use the Kubernetes deployment method (https://support.lacework.com/hc/en-us/articles/360005263034-Deploy-on-Kubernetes)."
+  exit 0
+fi
+
+if [ ! -d "$LACEWORK_INSTALL_PATH" ]; then
+  echo "Lacework agent not installed, installing..."
+
+  # TODO: Add the support for hosts that don't have curl installed
+  curl https://packages.lacework.net/install.sh >/tmp/install.sh
+
+  chmod +x /tmp/install.sh
+
+  # TODO: Pass tags to the installation script
+  sudo /tmp/install.sh "$TOKEN"
+
+  rm /tmp/install.sh
+fi
+
+# TODO: Add the support for other Lacework configuration options
+echo "Updating the Lacework agent config.json file..."
+cat >"$LACEWORK_INSTALL_PATH/config/config.json" <<EOF
+{
+  "tokens": {
+    "AccessToken": "$TOKEN"
+  },
+  "tags": $TAGS
+}
+EOF
+
+echo "Lacework configured successfully!"

variables.tf

@@ -0,0 +1,23 @@
+variable "lacework_access_token" {
+  type        = string
+  description = "The access token for the Lacework agent"
+  default     = ""
+}
+
+variable "lacework_agent_tags" {
+  type        = map(string)
+  description = "A map/dictionary of Tags to be assigned to the Lacework datacollector"
+  default     = {}
+}
+
+variable "aws_resources_prefix" {
+  type        = string
+  description = "Prefix to use for created AWS resources"
+  default     = ""
+}
+
+variable "aws_resources_tags" {
+  type        = map(string)
+  description = "A map/dictionary of Tags to be assigned to created AWS resources"
+  default     = {}
+}

versions.tf

@@ -0,0 +1,3 @@
+terraform {
+  required_version = ">= 0.12.0"
+}