From 66e47b31d29516f7e697764a015e6551a4488b47 Mon Sep 17 00:00:00 2001
From: Ammar Ekbote
Date: Tue, 24 Sep 2024 16:13:17 +0000
Subject: [PATCH] fix: pass integration type to all modules for multi region deployments
---
 README.md | 3 ++-
 main.tf | 11 ++++++-----
 output.tf | 7 ++++++-
 variables.tf | 2 ++
 4 files changed, 16 insertions(+), 7 deletions(-)
diff --git a/README.md b/README.md
index 7d3aa9f..bd7c0a6 100644
--- a/README.md
+++ b/README.md
@@ -81,7 +81,7 @@ A Terraform Module to configure the Lacework Agentless Scanner.
 | [custom\_vpc\_subnet](#input\_custom\_vpc\_subnet) | The name of the custom Google Cloud VPC subnet to use for scanning compute resources | `string` | `""` | no |
 | [execute\_job\_at\_deployment](#input\_execute\_job\_at\_deployment) | execute newly created cloud run job(s) immediately after deployment | `bool` | `false` | no |
 | [global](#input\_global) | Whether or not to create global resources. Defaults to `false`. | `bool` | `false` | no |
-| [global\_module\_reference](#input\_global\_module\_reference) | A reference to the global lacework\_gcp\_agentless\_scanning module for this account. |
object({
agentless_orchestrate_service_account_email = string
agentless_scan_service_account_email = string
agentless_scan_secret_id = string
lacework_account = string
lacework_domain = string
prefix = string
suffix = string
project_filter_list = list(any)
})
|
{
"agentless_orchestrate_service_account_email": "",
"agentless_scan_secret_id": "",
"agentless_scan_service_account_email": "",
"lacework_account": "",
"lacework_domain": "",
"prefix": "",
"project_filter_list": [],
"suffix": ""
}
| no |
+| [global\_module\_reference](#input\_global\_module\_reference) | A reference to the global lacework\_gcp\_agentless\_scanning module for this account. |
object({
agentless_orchestrate_service_account_email = string
agentless_scan_service_account_email = string
agentless_scan_secret_id = string
lacework_account = string
lacework_domain = string
prefix = string
suffix = string
project_filter_list = list(any)
integration_type = string
})
|
{
"agentless_orchestrate_service_account_email": "",
"agentless_scan_secret_id": "",
"agentless_scan_service_account_email": "",
"integration_type": "",
"lacework_account": "",
"lacework_domain": "",
"prefix": "",
"project_filter_list": [],
"suffix": ""
}
| no |
 | [image\_url](#input\_image\_url) | The container image url for Lacework Agentless Workload Scanning. | `string` | `"us-docker.pkg.dev/agentless-sidekick-images-tl48/sidekick/sidekick"` | no |
 | [integration\_type](#input\_integration\_type) | Specify the integration type. Can only be PROJECT or ORGANIZATION. Defaults to PROJECT | `string` | `"PROJECT"` | no |
 | [labels](#input\_labels) | Set of labels which will be added to the resources managed by the module. | `map(string)` | `{}` | no |
@@ -110,6 +110,7 @@ A Terraform Module to configure the Lacework Agentless Scanner.
 | [agentless\_scan\_secret\_id](#output\_agentless\_scan\_secret\_id) | Google Secret Manager ID for Lacework Account and Token. |
 | [agentless\_scan\_service\_account\_email](#output\_agentless\_scan\_service\_account\_email) | Output Compute service account email. |
 | [bucket\_name](#output\_bucket\_name) | The storage bucket name for Agentless Workload Scanning data. |
+| [integration\_type](#output\_integration\_type) | The scope of integration. |
 | [lacework\_account](#output\_lacework\_account) | Lacework Account Name for Integration. |
 | [lacework\_domain](#output\_lacework\_domain) | Lacework Domain Name for Integration. |
 | [lacework\_integration\_guid](#output\_lacework\_integration\_guid) | GUID of the created Lacework integration |
diff --git a/main.tf b/main.tf
index c5e368a..934dc6c 100644
--- a/main.tf
+++ b/main.tf
@@ -1,6 +1,7 @@
 locals {
 final_project_filter_list = length(var.global_module_reference.project_filter_list) > 0 ? var.global_module_reference.project_filter_list : var.project_filter_list
+ integration_type = length(var.global_module_reference.integration_type) > 0 ? var.global_module_reference.integration_type: var.integration_type
 scanning_project_id = length(var.scanning_project_id) > 0 ? var.scanning_project_id : data.google_project.selected[0].project_id
 organization_id = length(var.organization_id) > 0 ? var.organization_id : (length(data.google_project.selected) > 0 && data.google_project.selected[0].org_id != null ? data.google_project.selected[0].org_id : "")
@@ -108,8 +109,8 @@ resource "lacework_integration_gcp_agentless_scanning" "lacework_cloud_account"
 count = var.global ? 1 : 0
 name = var.lacework_integration_name
- resource_level = var.integration_type
- resource_id = var.integration_type == "ORGANIZATION" ? local.organization_id : local.scanning_project_id
+ resource_level = local.integration_type
+ resource_id = local.integration_type == "ORGANIZATION" ? local.organization_id : local.scanning_project_id
 bucket_name = google_storage_bucket.lacework_bucket[0].name
 scanning_project_id = local.scanning_project_id
 filter_list = local.final_project_filter_list
@@ -252,7 +253,7 @@ resource "google_service_account" "agentless_orchestrate" {
 // Orchestrate Service Account <-> Role Binding for Custom Role created in Organization
 resource "google_organization_iam_member" "agentless_orchestrate" {
- count = var.global && (var.integration_type == "ORGANIZATION") ? 1 : 0
+ count = var.global && (local.integration_type == "ORGANIZATION") ? 1 : 0
 org_id = local.organization_id
 role = google_organization_iam_custom_role.agentless_orchestrate[0].id
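Review bot: The new `integration_type` local forwards whatever string `var.global_module_reference.integration_type` carries without checking it against the two values the README allows (`PROJECT` or `ORGANIZATION`), while the `google_organization_iam_member` counts in this file's later hunks and `resource_level` in the `lacework_cloud_account` hunk now key off it; with `var.global` set, any other string leaves both custom-role bindings at `count = 0` yet still creates the integration and the Cloud Run job with that value as `GCP_SCAN_SCOPE`. If `var.integration_type` is guarded by a `validation` block (not visible in this diff), the reference path bypasses it, so a `validation` on `var.global_module_reference` with `condition = contains(["", "PROJECT", "ORGANIZATION"], var.global_module_reference.integration_type)` would close the gap. Style: the added line is missing a space before `:` in `var.global_module_reference.integration_type: var.integration_type`, unlike the sibling `final_project_filter_list` line. A comment such as `# The global module's scope wins so regional deployments cannot diverge from it` would document the precedence. The `locals` block continues past the hunk.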
@@ -270,7 +271,7 @@ resource "google_project_iam_member" "agentless_orchestrate_monitored_project" {
 // Orchestrate Service Account <-> Role Binding for Custom Role project-level resource group support
 resource "google_organization_iam_member" "agentless_orchestrate_monitored_project_resource_group" {
- count = var.global && (var.integration_type == "PROJECT") ? 1 : 0
+ count = var.global && (local.integration_type == "PROJECT") ? 1 : 0
 org_id = local.organization_id
 role = google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group[0].id
@@ -395,7 +396,7 @@ resource "google_cloud_run_v2_job" "agentless_orchestrate" {
 }
 env {
 name = "GCP_SCAN_SCOPE"
- value = var.integration_type
+ value = local.integration_type
 }
 env {
 name = "GCP_SCAN_LIST"
diff --git a/output.tf b/output.tf
index edd0117..77b4c5f 100644
--- a/output.tf
+++ b/output.tf
@@ -54,7 +54,12 @@ output "project_filter_list" {
 description = "The list of projects to scan in this module."
 }
+output "integration_type" {
+ value = local.integration_type
+ description = "The scope of integration."
+}
 output "lacework_integration_guid" {
 value = var.global ? lacework_integration_gcp_agentless_scanning.lacework_cloud_account[0].intg_guid : null
 description = "GUID of the created Lacework integration"
-}
\ No newline at end of file
+}
diff --git a/variables.tf b/variables.tf
index cd6aa16..2a84a28 100644
--- a/variables.tf
+++ b/variables.tf
@@ -206,6 +206,7 @@ variable "global_module_reference" {
 prefix = string
 suffix = string
 project_filter_list = list(any)
+ integration_type = string
 })
 default = {
 agentless_orchestrate_service_account_email = ""
@@ -216,6 +217,7 @@ variable "global_module_reference" {
 prefix = ""
 suffix = ""
 project_filter_list = []
+ integration_type = ""
 }
 description = "A reference to the global lacework_gcp_agentless_scanning module for this account."
 }
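Review bot: The description on the new `integration_type` output, `"The scope of integration."`, does not tell a consumer that this is the resolved value after the `global_module_reference` fallback, which is presumably what regional deployments will feed back into `global_module_reference.integration_type`. Suggest `description = "Effective integration scope (PROJECT or ORGANIZATION) after applying global_module_reference precedence."`. The trailing-newline fix on `lacework_integration_guid` needs no change.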
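Review bot: Adding `integration_type = string` to the `object({...})` type makes the attribute required for every caller that builds `global_module_reference` from individual outputs rather than relying on the default, because Terraform rejects an object value that lacks a declared attribute; such callers fail type-checking on upgrade despite the `""` default added in the second hunk. If the module's `required_version` (not visible here) permits Terraform 1.3 or newer, `integration_type = optional(string, "")` keeps those callers working while preserving the empty-string fallback that `local.integration_type` relies on. The `variable "global_module_reference"` block starts before the first hunk and ends with the second.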