fix: pass integration type to all modules for multi region deployments (

#87)
lacework · Sep 24, 2024 · 038a792 · 038a792
1 parent 5376d3d
commit 038a792
Show file tree

Hide file tree

Showing 4 changed files with 16 additions and 7 deletions.
diff --git a/README.md b/README.md
@@ -81,7 +81,7 @@ A Terraform Module to configure the Lacework Agentless Scanner.
 | <a name="input_custom_vpc_subnet"></a> [custom\_vpc\_subnet](#input\_custom\_vpc\_subnet) | The name of the custom Google Cloud VPC subnet to use for scanning compute resources | `string` | `""` | no |
 | <a name="input_execute_job_at_deployment"></a> [execute\_job\_at\_deployment](#input\_execute\_job\_at\_deployment) | execute newly created cloud run job(s) immediately after deployment | `bool` | `false` | no |
 | <a name="input_global"></a> [global](#input\_global) | Whether or not to create global resources. Defaults to `false`. | `bool` | `false` | no |
-| <a name="input_global_module_reference"></a> [global\_module\_reference](#input\_global\_module\_reference) | A reference to the global lacework\_gcp\_agentless\_scanning module for this account. | <pre>object({<br>    agentless_orchestrate_service_account_email = string<br>    agentless_scan_service_account_email        = string<br>    agentless_scan_secret_id                    = string<br>    lacework_account                            = string<br>    lacework_domain                             = string<br>    prefix                                      = string<br>    suffix                                      = string<br>    project_filter_list                         = list(any)<br>  })</pre> | <pre>{<br>  "agentless_orchestrate_service_account_email": "",<br>  "agentless_scan_secret_id": "",<br>  "agentless_scan_service_account_email": "",<br>  "lacework_account": "",<br>  "lacework_domain": "",<br>  "prefix": "",<br>  "project_filter_list": [],<br>  "suffix": ""<br>}</pre> | no |
+| <a name="input_global_module_reference"></a> [global\_module\_reference](#input\_global\_module\_reference) | A reference to the global lacework\_gcp\_agentless\_scanning module for this account. | <pre>object({<br>    agentless_orchestrate_service_account_email = string<br>    agentless_scan_service_account_email        = string<br>    agentless_scan_secret_id                    = string<br>    lacework_account                            = string<br>    lacework_domain                             = string<br>    prefix                                      = string<br>    suffix                                      = string<br>    project_filter_list                         = list(any)<br>    integration_type                            = string<br>  })</pre> | <pre>{<br>  "agentless_orchestrate_service_account_email": "",<br>  "agentless_scan_secret_id": "",<br>  "agentless_scan_service_account_email": "",<br>  "integration_type": "",<br>  "lacework_account": "",<br>  "lacework_domain": "",<br>  "prefix": "",<br>  "project_filter_list": [],<br>  "suffix": ""<br>}</pre> | no |
 | <a name="input_image_url"></a> [image\_url](#input\_image\_url) | The container image url for Lacework Agentless Workload Scanning. | `string` | `"us-docker.pkg.dev/agentless-sidekick-images-tl48/sidekick/sidekick"` | no |
 | <a name="input_integration_type"></a> [integration\_type](#input\_integration\_type) | Specify the integration type. Can only be PROJECT or ORGANIZATION. Defaults to PROJECT | `string` | `"PROJECT"` | no |
 | <a name="input_labels"></a> [labels](#input\_labels) | Set of labels which will be added to the resources managed by the module. | `map(string)` | `{}` | no |
@@ -110,6 +110,7 @@ A Terraform Module to configure the Lacework Agentless Scanner.
 | <a name="output_agentless_scan_secret_id"></a> [agentless\_scan\_secret\_id](#output\_agentless\_scan\_secret\_id) | Google Secret Manager ID for Lacework Account and Token. |
 | <a name="output_agentless_scan_service_account_email"></a> [agentless\_scan\_service\_account\_email](#output\_agentless\_scan\_service\_account\_email) | Output Compute service account email. |
 | <a name="output_bucket_name"></a> [bucket\_name](#output\_bucket\_name) | The storage bucket name for Agentless Workload Scanning data. |
+| <a name="output_integration_type"></a> [integration\_type](#output\_integration\_type) | The scope of integration. |
 | <a name="output_lacework_account"></a> [lacework\_account](#output\_lacework\_account) | Lacework Account Name for Integration. |
 | <a name="output_lacework_domain"></a> [lacework\_domain](#output\_lacework\_domain) | Lacework Domain Name for Integration. |
 | <a name="output_lacework_integration_guid"></a> [lacework\_integration\_guid](#output\_lacework\_integration\_guid) | GUID of the created Lacework integration |

diff --git a/main.tf b/main.tf
@@ -1,6 +1,7 @@
 locals {
 
   final_project_filter_list = length(var.global_module_reference.project_filter_list) > 0 ? var.global_module_reference.project_filter_list : var.project_filter_list
+  integration_type = length(var.global_module_reference.integration_type) > 0 ? var.global_module_reference.integration_type: var.integration_type
 
   scanning_project_id = length(var.scanning_project_id) > 0 ? var.scanning_project_id : data.google_project.selected[0].project_id
   organization_id     = length(var.organization_id) > 0 ? var.organization_id : (length(data.google_project.selected) > 0 && data.google_project.selected[0].org_id != null ? data.google_project.selected[0].org_id : "")
@@ -108,8 +109,8 @@ resource "lacework_integration_gcp_agentless_scanning" "lacework_cloud_account"
   count = var.global ? 1 : 0
 
   name                   = var.lacework_integration_name
-  resource_level         = var.integration_type
-  resource_id            = var.integration_type == "ORGANIZATION" ? local.organization_id : local.scanning_project_id
+  resource_level         = local.integration_type
+  resource_id            = local.integration_type == "ORGANIZATION" ? local.organization_id : local.scanning_project_id
   bucket_name            = google_storage_bucket.lacework_bucket[0].name
   scanning_project_id    = local.scanning_project_id
   filter_list            = local.final_project_filter_list
@@ -252,7 +253,7 @@ resource "google_service_account" "agentless_orchestrate" {
 
 // Orchestrate Service Account <-> Role Binding for Custom Role created in Organization
 resource "google_organization_iam_member" "agentless_orchestrate" {
-  count = var.global && (var.integration_type == "ORGANIZATION") ? 1 : 0
+  count = var.global && (local.integration_type == "ORGANIZATION") ? 1 : 0
 
   org_id = local.organization_id
   role   = google_organization_iam_custom_role.agentless_orchestrate[0].id
@@ -270,7 +271,7 @@ resource "google_project_iam_member" "agentless_orchestrate_monitored_project" {
 
 // Orchestrate Service Account <-> Role Binding for Custom Role project-level resource group support
 resource "google_organization_iam_member" "agentless_orchestrate_monitored_project_resource_group" {
-  count = var.global && (var.integration_type == "PROJECT") ? 1 : 0
+  count = var.global && (local.integration_type == "PROJECT") ? 1 : 0
 
   org_id = local.organization_id
   role   = google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group[0].id
@@ -395,7 +396,7 @@ resource "google_cloud_run_v2_job" "agentless_orchestrate" {
         }
         env {
           name  = "GCP_SCAN_SCOPE"
-          value = var.integration_type
+          value = local.integration_type
         }
         env {
           name  = "GCP_SCAN_LIST"

diff --git a/output.tf b/output.tf
@@ -54,7 +54,12 @@ output "project_filter_list" {
   description = "The list of projects to scan in this module."
 }
 
+output "integration_type" {
+  value       = local.integration_type
+  description = "The scope of integration."
+}
+
 output "lacework_integration_guid" {
   value       = var.global ? lacework_integration_gcp_agentless_scanning.lacework_cloud_account[0].intg_guid : null
   description = "GUID of the created Lacework integration"
-}
+}
diff --git a/variables.tf b/variables.tf
@@ -206,6 +206,7 @@ variable "global_module_reference" {
     prefix                                      = string
     suffix                                      = string
     project_filter_list                         = list(any)
+    integration_type                            = string
   })
   default = {
     agentless_orchestrate_service_account_email = ""
@@ -216,6 +217,7 @@ variable "global_module_reference" {
     prefix                                      = ""
     suffix                                      = ""
     project_filter_list                         = []
+    integration_type                            = ""
   }
   description = "A reference to the global lacework_gcp_agentless_scanning module for this account."
 }