
Install Windows Agent on Azure VMs using Terraform

You can use Terraform to deploy the Lacework agent to Azure VM instances. In this type of deployment, the Terraform template uses the CustomScriptExtension to download and run an Install-LWCollector.ps1 PowerShell script that installs the agent onto a Windows VM instance.

Prerequisites

  1. Install Terraform on your machine. For instructions, see Install Terraform.
  2. Install Azure CLI on your machine. For instructions, see How to install the Azure CLI.
  3. Download the Terraform script for Azure (azure-terraform.zip file) using the instructions in Download Windows Agent Installers.
  4. Unzip the azure-terraform.zip file. The azure-terraform folder that is created contains the following files:
    • main.tf
    • variables.tf

Configure the Terraform Template File

Open the main.tf file in the azure-terraform folder and examine the local variables at the beginning of the file. These variables define the script commands used to install the agent. The azurerm_virtual_machine_extension resource specifies the CustomScriptExtension to download and run the Install-LWCollector.ps1 script.

The Install-LWCollector.ps1 script installs the Windows agent and adds a local firewall rule to allow the agent to communicate with Lacework. In addition, the script optionally configures a Windows Defender exclusion for the agent with the -defender parameter.

Note

Lacework recommends that you exclude the agent from any antivirus or Endpoint Detection and Response (EDR) applications on your host. The Install-LWCollector.ps1 script allows you to enable this exclusion for Microsoft Defender. For other antivirus applications, you can customize the Install-LWCollector.ps1 script to exclude the agent from scanning.

Configure the Input Variable File

Open the variables.tf file in the azure-terraform folder. The Terraform template uses this file to define the parameters for the Terraform module, and these variables correspond to the parameters used in the Install-LWCollector.ps1 script. Specify values for the following variables in the variables.tf file:

  • lacework_token - A valid Lacework agent access token. For more information, see Obtain an Access Token for the Windows Agent. It is good practice to store access tokens securely in Azure Key Vault. The variables.tf file references the access token in a Key Vault.
  • lacework_endpoint - The Lacework API server URL, either api.lacework.net (default), api.fra.lacework.net (for European Union (EU)), or auprodn1.agent.lacework.net (for Australia and New Zealand (ANZ)).
  • lacework_msi_url - The URL for downloading the Windows agent MSI package. To obtain the URL, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for Lacework Windows Agent MSI Package.
  • lacework_ps_script - The URL for the Install-LWDataCollector.ps1 PowerShell script. To obtain the URL, do the following:
    1. Go to the Lacework Windows Agent Releases page. This page lists the Windows agent releases you can install.
    2. Go to the release you want to install.
    3. Copy the URL for Install-LWDataCollector.ps1 Script.
  • lacework_defender - (Optional) To configure a Windows Defender exclusion for the agent, change the value of this variable to true.
  • Variables for your Azure resource group, Azure Key Vault, and Windows VM on Azure.
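The following is an added example, not Lacework's shipped variables.tf: it shows one way to declare the variables listed above so that Terraform rejects an unexpected endpoint or a non-HTTPS download URL, and reads the access token from Key Vault. It assumes a configured azurerm provider; the names key_vault_name, key_vault_rg and token_secret_name are assumptions.

```hcl
# Added example, not Lacework's shipped variables.tf.
# key_vault_name, key_vault_rg and token_secret_name are assumed names.

variable "lacework_endpoint" {
  type    = string
  default = "api.lacework.net"
  validation {
    # Only the three API servers listed in this guide are accepted,
    # written here exactly as the guide writes them.
    condition = contains([
      "api.lacework.net",
      "api.fra.lacework.net",
      "auprodn1.agent.lacework.net",
    ], var.lacework_endpoint)
    error_message = "The lacework_endpoint value must be a documented Lacework API server."
  }
}

variable "lacework_msi_url" {
  type = string
  validation {
    # Refuse plain-HTTP downloads of the installer package.
    condition     = can(regex("^https://", var.lacework_msi_url))
    error_message = "The lacework_msi_url value must be an https:// URL."
  }
}

variable "lacework_ps_script" {
  type = string
  validation {
    # The script runs on the VM through the extension, so fetch it over TLS only.
    condition     = can(regex("^https://", var.lacework_ps_script))
    error_message = "The lacework_ps_script value must be an https:// URL."
  }
}

variable "key_vault_name" { type = string }
variable "key_vault_rg" { type = string }
variable "token_secret_name" { type = string }

data "azurerm_key_vault" "lacework" {
  name                = var.key_vault_name
  resource_group_name = var.key_vault_rg
}

# The token is read at plan/apply time instead of being written into
# variables.tf; the provider marks the secret's value as sensitive.
data "azurerm_key_vault_secret" "lacework_token" {
  name         = var.token_secret_name
  key_vault_id = data.azurerm_key_vault.lacework.id
}
```

The secret value is still recorded in Terraform state, so keep the state in an access-controlled backend. When the token is passed to the CustomScriptExtension, place the command line in protected_settings rather than settings.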

Run Terraform

  1. Open a terminal and navigate to the directory that contains the main.tf file.
  2. Run terraform init to initialize the project and download the required modules.
  3. Run terraform plan to validate the configuration and review pending changes.
  4. After you review the pending changes, run terraform apply.

After you install the agent, it takes 10 to 15 minutes for agent data to appear in the Lacework Console under Resources > Configuration > Agents.