Terraform to deploy an AWS Fargate ECS Cluster and configure the Lacework Agent.

The terraform also creates an ECS Fargate Task Definition to deploy the LW Agent as a sidecar using a volume map approach and sets up the IAM policy to deploy the main app from AWS ECR container registry.

Currently the terraform runs on version 1.0.9 so you may wish to use TFSwitch to manage your different terraform versions easily !

Once you have your ECS Container deployed, the LW sidecar will send all the details to the UI. It will look like this.

Once the terraform is complete, in AWS you will see your cluster in the ECS dashboard. You will see it has a Fargate service and running task.

There will be two containers:

• The App container
• The LW Datacollector Sidecar

The App container will continue to run but the LW Sidecar will stop running (die) after it finishes the config. This is ok as the sidecar is not essential and so the task will continue running the App.

You will need the following:

• AWS access
• A pem key in the AWS IAM - Docs here
• Terraform installed
• AWS CLI - Docs here
• A code editor like VS Code

Here is a script to set up you laptop using Brew - Code here

First you need the code !

git clone https://github.com/anthonygrees/lw_fargate_ecs_demo

cd lw_fargate_ecs_demo
cd terraform

Next, create yourself a terraform.tfvars file with the following:

• lw_token: Is the Lacework Agent Token.
• app_image: Is the name of the ECR (or other registry) image.

Here is an example tfvars file:

aws_profile = "default"
aws_region = "ap-southeast-2"
aws_key_pair_file = "~/.ssh/your_pem_file.pem"
aws_key_pair_name = "your_key_name"
lw_token = "99999999999999999999YOUR_TOKEN99999999999999999"
fargate_container_cpu = "256"
fargate_container_memory = "512"
app_image = "999999999999999.dkr.ecr.ap-southeast-2.amazonaws.com/your-nginx:latest"

With the Fargate CPU and Memory, make sure you stick to the correct sizes. See the AWS docs - CPU Task Guide

Execute the terraform. First run the initialise to ensure the plugins you need are installed:

terraform init

Before you run Terraform to create your infrastructure, it's a good idea to see what resources it would create. It also helps you verify that Terraform can connect to your AWS account.

terraform plan

Now run the apply to create the infrastructure.

terraform apply -auto-approve

Once the run is complete you will get a list of the alb_hostname addresses.

1. Jeff's Readme and Minimal Sidecar Example
2. Non Root Access
3. LW Agent Sidecar Code