feat: add support for agent configuration

lacework · Oct 11, 2023 · c3df91a · c3df91a
1 parent f274141
commit c3df91a
Show file tree

Hide file tree

Showing 7 changed files with 168 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -38,6 +38,7 @@ No modules.
 | <a name="input_aws_resources_tags"></a> [aws\_resources\_tags](#input\_aws\_resources\_tags) | A map/dictionary of Tags to be assigned to created AWS resources | `map(string)` | `{}` | no |
 | <a name="input_lacework_access_token"></a> [lacework\_access\_token](#input\_lacework\_access\_token) | The access token for the Lacework agent | `string` | `""` | no |
 | <a name="input_lacework_agent_build_hash"></a> [lacework\_agent\_build\_hash](#input\_lacework\_agent\_build\_hash) | An Agent build hash provided by Lacework | `string` | `""` | no |
+| <a name="input_lacework_agent_configuration"></a> [lacework\_agent\_configuration](#input\_lacework\_agent\_configuration) | A map/dictionary of configuration parameters for the Lacework agent | `any` | `{}` | no |
 | <a name="input_lacework_agent_tags"></a> [lacework\_agent\_tags](#input\_lacework\_agent\_tags) | A map/dictionary of Tags to be assigned to the Lacework datacollector | `map(string)` | `{}` | no |
 | <a name="input_lacework_agent_temp_path"></a> [lacework\_agent\_temp\_path](#input\_lacework\_agent\_temp\_path) | The temporary path for the Lacework installation script | `string` | `"/tmp"` | no |
 | <a name="input_lacework_enable_default_syscall_config"></a> [lacework\_enable\_default\_syscall\_config](#input\_lacework\_enable\_default\_syscall\_config) | A flag to enable the default syscall config | `string` | `"false"` | no |

diff --git a/examples/additional-agent-configuration/README.md b/examples/additional-agent-configuration/README.md
@@ -0,0 +1,73 @@
+# Default AWS SSM command deployment
+
+This example shows how to set additional agent configuration.
+See https://docs.lacework.net/onboarding/restricted/configure-agent-behavior-in-configjson-file for more details.
+
+```hcl
+provider "aws" {
+  region = "us-east-1"
+}
+
+module "lacework_aws_ssm_agents_install" {
+  source  = "lacework/ssm-agent/aws"
+  version = "~> 0.4"
+
+  lacework_agent_tags = {
+    env = "dev"
+  }
+
+  aws_resources_tags = {
+    billing = "testing"
+    owner   = "myself"
+  }
+
+    lacework_agent_configuration = {
+    "codeaware":{"enable":"all"}
+  }
+}
+
+resource "aws_resourcegroups_group" "testing" {
+  name = "Testing"
+
+  resource_query {
+    query = jsonencode({
+      ResourceTypeFilters = [
+        "AWS::EC2::Instance"
+      ]
+
+      TagFilters = [
+        {
+          Key = "environment"
+          Values = [
+            "Testing"
+          ]
+        }
+      ]
+    })
+  }
+
+  tags = {
+    billing = "testing"
+    owner   = "myself"
+  }
+}
+
+resource "aws_ssm_association" "lacework_aws_ssm_agents_install_testing" {
+  association_name = "install-lacework-agents-testing-group"
+
+  name = module.lacework_aws_ssm_agents_install.ssm_document_name
+
+  targets {
+    key = "resource-groups:Name"
+    values = [
+      aws_resourcegroups_group.testing.name,
+    ]
+  }
+
+  parameters = {
+    Token = "my-lacework-token"
+  }
+
+  compliance_severity = "HIGH"
+}
+```
diff --git a/examples/additional-agent-configuration/main.tf b/examples/additional-agent-configuration/main.tf
@@ -0,0 +1,67 @@
+provider "aws" {
+  region = "us-east-1"
+}
+
+module "lacework_aws_ssm_agents_install" {
+  source = "../../"
+
+  lacework_agent_tags = {
+    env = "dev"
+  }
+
+  lacework_enable_default_syscall_config = "true"
+
+  aws_resources_tags = {
+    billing = "testing"
+    owner   = "myself"
+  }
+
+  lacework_agent_configuration = {
+    "codeaware":{"enable":"all"}
+  }
+}
+
+resource "aws_resourcegroups_group" "testing" {
+  name = "Testing"
+
+  resource_query {
+    query = jsonencode({
+      ResourceTypeFilters = [
+        "AWS::EC2::Instance"
+      ]
+
+      TagFilters = [
+        {
+          Key = "environment"
+          Values = [
+            "Testing"
+          ]
+        }
+      ]
+    })
+  }
+
+  tags = {
+    billing = "testing"
+    owner   = "myself"
+  }
+}
+
+resource "aws_ssm_association" "lacework_aws_ssm_agents_install_testing" {
+  association_name = "install-lacework-agents-testing-group"
+
+  name = module.lacework_aws_ssm_agents_install.ssm_document_name
+
+  targets {
+    key = "resource-groups:Name"
+    values = [
+      aws_resourcegroups_group.testing.name,
+    ]
+  }
+
+  parameters = {
+    Token = "my-lacework-token"
+  }
+
+  compliance_severity = "HIGH"
+}
diff --git a/examples/additional-agent-configuration/versions.tf b/examples/additional-agent-configuration/versions.tf
@@ -0,0 +1,7 @@
+terraform {
+  required_version = ">= 1.0.0"
+
+  required_providers {
+    aws = "~> 4.0"
+  }
+}
diff --git a/main.tf b/main.tf
@@ -50,6 +50,12 @@ resource "aws_ssm_document" "setup_lacework_agent" {
         description = "A flag to enable the default syscall config"
         default     = var.lacework_enable_default_syscall_config
       }
+
+      AdditionalConfig = {
+        type        = "String"
+        description = "Additional configuration parameters for the Lacework agent"
+        default     = jsonencode(var.lacework_agent_configuration)
+      }
     }
 
     mainSteps = [

diff --git a/setup_lacework_agent.sh b/setup_lacework_agent.sh
@@ -8,6 +8,7 @@ LACEWORK_TEMP_PATH='{{ LaceworkTempPath }}'
 TAGS='{{ Tags }}'
 BUILD_HASH='{{ Hash }}'
 SERVER_URL='{{ Serverurl }}'
+ADDITIONAL_CONFIG='{{ AdditionalConfig }}'
 # TODO: Fetch the token from AWS SSM Parameter Store instead of
 #       taking it in as a Command parameter (avoid leaks in the AWS Console)
 TOKEN='{{ Token }}'
@@ -52,6 +53,7 @@ render_agent_config() {
   local _config_json
   local _token_json
   local _server_url_json
+  local _additional_config_json
   local _tags_json
 
   # Token
@@ -62,6 +64,11 @@ render_agent_config() {
     _server_url_json='"serverurl": "'$SERVER_URL'",'
   fi
 
+  # Additional Config Json
+  if [ "$ADDITIONAL_CONFIG" != "" ]; then
+    _additional_config_json='$ADDITIONAL_CONFIG,'
+  fi
+
   # Tags
   _tags_json='"tags": '${TAGS:-"{}"}
 
@@ -73,6 +80,7 @@ render_agent_config() {
   _config_json="""{
   ${_token_json}
   ${_server_url_json}
+  ${_additional_config_json}
   ${_tags_json}
 }"""
 

diff --git a/variables.tf b/variables.tf
@@ -16,6 +16,12 @@ variable "lacework_agent_tags" {
   default     = {}
 }
 
+variable "lacework_agent_configuration" {
+  type        = any
+  description = "A map/dictionary of configuration parameters for the Lacework agent"
+  default     = {}
+}
+
 variable "lacework_agent_temp_path" {
   type        = string
   description = "The temporary path for the Lacework installation script"