CLI usage
This topic is part of the legacy IaC offering. It will reach end of support and be deprecated by the end of 2025. See Navigating the Infrastructure-as-Code security pages and Infrastructure-as-Code Security for more information on the active IaC offerings.
To run FortiCNAPP's Infrastructure as Code (IaC) offerings with the FortiCNAPP CLI, you must install the Lacework CLI according to your operating system, use API keys to authenticate, and configure the CLI for FortiCNAPP and for IaC security.
Installing the FortiCNAPP CLI
Bash (macOS/Linux)
curl https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.sh | bash
PowerShell (Windows)
- Open a PowerShell terminal and run the following command:
  Set-ExecutionPolicy Bypass -Scope Process -Force; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/lacework/go-sdk/main/cli/install.ps1'))
  The FortiCNAPP CLI is installed at C:\ProgramData\Lacework\lacework.exe and the system PATH environment variable is updated to include the FortiCNAPP CLI.
- Open a new PowerShell terminal to read the updated system PATH and use the FortiCNAPP CLI.
Homebrew (macOS/Linux)
brew install lacework/tap/lacework-cli
For more details, see the Lacework Homebrew Tap.
Chocolatey (Windows)
choco install lacework-cli
For more details, see the Lacework CLI Chocolatey package.
Creating an API key
The FortiCNAPP CLI requires an API key and secret to authenticate with FortiCNAPP. FortiCNAPP API Keys can be created by account administrators through the console. For more information, go to API Access Keys and Tokens.
To create a key:
- Log in to the console.
- Click Settings > API keys.
- Click Add New.
- Enter a name for the key and an optional description.
- Click Save.
- Click the ... icon and then Download to save the API key file locally.
The API key file contains a keyId, secret, subAccount, and account:
{
  "keyId": "ACCOUNT_ABCEF01234559B9B07114E834D8570F567C824039756E03",
  "secret": "_abc1234e243a645bcf173ef55b837c19",
  "subAccount": "myaccount",
  "account": "myaccount.lacework.net"
}
Configuring the CLI
Use the lacework configure command to configure the FortiCNAPP CLI with the API Key downloaded from the previous step.
lacework configure -j /path/to/key.json
Example output:
Account: example
Access Key ID: EXAMPLE_1234567890ABCDE1EXAMPLE1EXAMPLE123456789EXAMPLE
Secret Access Key: **********************************
You are all set!
The lacework configure command generates a file named .lacework.toml inside your home directory ($HOME/.lacework.toml) with a single profile named default.
Configuring the CLI for IaC
Once you have installed the FortiCNAPP CLI and set up authentication with lacework configure, you must configure the CLI for use with FortiCNAPP's Infrastructure as Code (IaC) Security.
To configure the FortiCNAPP CLI for IaC Security:
- Run lacework component install iac in the FortiCNAPP CLI.
- The FortiCNAPP CLI is now configured for IaC. You can now run lacework iac ....
If you encounter an error installing the IaC component, run lacework iac config reconfig --reset.
Environment variables
Within the FortiCNAPP CLI:
- LW_ACCOUNT sets the account.
- LW_API_KEY sets the API key.
- LW_API_SECRET sets the API secret.
IaC CLI commands and usage
completion    Generate the autocompletion script for the specified shell
help          Help about any command
scan          Scan infrastructure code files
version       Display the version of the lacework IAC CLI
Usage
lacework iac [command]
A list of commands and command-line options is available by running lacework iac --help.
Help and specific options for each command are available by running lacework iac [command] --help.
Troubleshooting config for FortiCNAPP CLI
- To start over, try deleting (or backing up) your ~/.config/lacework/iac-config.json file.
- You should NOT have APIToken in your config when working with FortiCNAPP CLI.
- Run env and check for unintended Lacework-related values being set.
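The three troubleshooting checks above as a script. This is an added example, not part of the FortiCNAPP documentation or CLI; the function names are hypothetical. It assumes that APIToken, if present, appears as a quoted JSON key in iac-config.json, and that "Lacework-related" means a variable named LW_* or containing LACEWORK.

```shell
#!/bin/sh
# Added example (not FortiCNAPP code). Function names are hypothetical.
IAC_CONFIG_DEFAULT="$HOME/.config/lacework/iac-config.json"

# Names of Lacework-related environment variables. Only names are printed,
# so the value of LW_API_SECRET never reaches the terminal or a ticket.
# Assumption: "Lacework-related" means LW_* or a name containing LACEWORK.
lw_env_names() {
    env | grep -iE '^(LW_[A-Za-z0-9_]*|[A-Za-z0-9_]*LACEWORK[A-Za-z0-9_]*)=' |
        cut -d= -f1 | sort
}

# Succeeds if the config file exists and contains an APIToken key.
# Assumption: the key appears as a quoted JSON key, "APIToken".
iac_config_has_apitoken() {
    [ -f "$1" ] && grep -q '"APIToken"' "$1"
}

# "Start over" without losing the old file: move it to a timestamped backup.
backup_iac_config() {
    [ -f "$1" ] || return 0
    mv "$1" "$1.bak.$(date +%Y%m%d%H%M%S)"
}

# Run the checks; returns 1 if anything needs review, 0 otherwise.
lw_troubleshoot() {
    _lw_cfg="${1:-$IAC_CONFIG_DEFAULT}"
    _lw_rc=0
    _lw_names=$(lw_env_names)
    if [ -n "$_lw_names" ]; then
        echo "Environment variables set (values hidden); confirm each is intended:"
        echo "$_lw_names" | sed 's/^/  /'
        _lw_rc=1
    fi
    if iac_config_has_apitoken "$_lw_cfg"; then
        echo "APIToken present in $_lw_cfg; back the file up or delete it"
        _lw_rc=1
    fi
    return "$_lw_rc"
}

# Run the checks when the script is called with --check.
if [ "${1:-}" = "--check" ]; then lw_troubleshoot; fi
```

After backup_iac_config moves the old file aside, rerun lacework iac config reconfig --reset as described above.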