

fixup
Ao Zhang committed May 14, 2024
1 parent 4595e7a commit f4d1ac8
Showing 2 changed files with 41 additions and 18 deletions.
16 changes: 15 additions & 1 deletion custom_roles.tf
Expand Up @@ -16,7 +16,20 @@ resource "google_project_iam_custom_role" "agentless_orchestrate_monitored_proje
"compute.machineTypes.get",
"compute.zones.list",
"resourcemanager.projects.get",
// Required for Resource Group v2
]
}

// Scope : MONITORED_PROJECT
// Use : Accessing Folders/Organizations for Resource Group v2
// Role created at organization
// Note this binding happens at the organization level because the custom role requires organization level permissions
resource "google_organization_iam_custom_role" "agentless_orchestrate_monitored_project_resource_group" {
count = var.integration_type == "PROJECT" ? 1 : 0

org_id = var.organization_id
role_id = replace("${var.prefix}-resource-group-${local.suffix}", "-", "_")
title = "Lacework Agentless Workload Scanning Role for monitored project (Resource Group)"
permissions = [
"resourcemanager.folders.get",
"resourcemanager.organizations.get",
]
Expand Down Expand Up @@ -46,6 +59,7 @@ resource "google_organization_iam_custom_role" "agentless_orchestrate" {
"resourcemanager.projects.list",
// Required for Resource Group v2
"resourcemanager.organizations.get",
"resourcemanager.folders.get",
]
}

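Review bot: The new `google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group` is created whenever `var.integration_type == "PROJECT"`, yet it sets `org_id = var.organization_id`, which a project-level integration may leave unset (variables.tf is not in view, so this is inferred); an empty `org_id` surfaces as a provider error at apply rather than a clear message at plan. A `lifecycle` precondition on the resource would make the requirement explicit, and a `description` on the role would record why a project integration owns an organization-level role. The `agentless_orchestrate` role in the second hunk starts outside the hunk, so whether its added `resourcemanager.folders.get` is guarded by a matching `integration_type` condition cannot be seen here. If the `// Required for Resource Group v2` comment at the end of the project-level role survives this commit, it now labels no permission and should be dropped.
```hcl
resource "google_organization_iam_custom_role" "agentless_orchestrate_monitored_project_resource_group" {
  count = var.integration_type == "PROJECT" ? 1 : 0

  // … unchanged: org_id, role_id, title, permissions …

  lifecycle {
    precondition {
      condition     = var.organization_id != null && var.organization_id != ""
      error_message = "organization_id must be set for a PROJECT integration: the Resource Group role is created at the organization level."
    }
  }
}
```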
43 changes: 26 additions & 17 deletions main.tf
Expand Up @@ -52,27 +52,27 @@ locals {
The target cloud run job still resides in the desired region.
*/
unsupported_cloud_scheduler_region_replacements = {
us-east5 = "us-east1"
us-south1 = "us-central1"
us-east5 = "us-east1"
us-south1 = "us-central1"
northamerica-northeast2 = "northamerica-northeast1"
southamerica-west1 = "southamerica-east1"
southamerica-west1 = "southamerica-east1"

europe-west10 = "europe-west1"
europe-west12 = "europe-west1"
europe-west4 = "europe-west1"
europe-west8 = "europe-west1"
europe-west9 = "europe-west1"
europe-west4 = "europe-west1"
europe-west8 = "europe-west1"
europe-west9 = "europe-west1"

europe-north1 = "europe-central2"
europe-north1 = "europe-central2"
europe-southwest1 = "europe-central2"
africa-south1 = "europe-central2"
me-central1 = "europe-central2"
me-central2 = "europe-central2"
me-west1 = "europe-central2"
africa-south1 = "europe-central2"
me-central1 = "europe-central2"
me-central2 = "europe-central2"
me-west1 = "europe-central2"

asia-south2 = "asia-south1"
asia-south2 = "asia-south1"
australia-southeast2 = "australia-southeast1"
}
}
cloud_scheduler_region = lookup(local.unsupported_cloud_scheduler_region_replacements, local.region, local.region)
}

Expand Down Expand Up @@ -267,6 +267,15 @@ resource "google_project_iam_member" "agentless_orchestrate_monitored_project" {
member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
}

// Orchestrate Service Account <-> Role Binding for Custom Role created for project-level integration
resource "google_organization_iam_member" "agentless_orchestrate_monitored_project_resource_group" {
count = var.integration_type == "PROJECT" ? 1 : 0

org_id = var.organization_id
role = google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group[0].id
member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
}

// Orchestrate Service Account <-> Role Binding for Custom Role created in Scanner Project
resource "google_project_iam_member" "agentless_orchestrate" {
count = var.global ? 1 : 0
Expand Down Expand Up @@ -429,9 +438,9 @@ resource "google_cloud_scheduler_job" "agentless_orchestrate" {
description = "Invoke Lacework Agentless Workload Scanning on a schedule."
project = local.scanning_project_id
// for unsupported regions, cloud scheduler is configured in a different region
region = local.cloud_scheduler_region
schedule = "0 * * * *"
time_zone = "Etc/UTC"
region = local.cloud_scheduler_region
schedule = "0 * * * *"
time_zone = "Etc/UTC"

http_target {
http_method = "POST"
Expand All @@ -454,7 +463,7 @@ resource "terraform_data" "execute_cloud_run_job" {
}

provisioner "local-exec" {
command = "gcloud run jobs execute ${ google_cloud_run_v2_job.agentless_orchestrate[0].name } --region=${ local.region }"
command = "gcloud run jobs execute ${google_cloud_run_v2_job.agentless_orchestrate[0].name} --region=${local.region}"
}

depends_on = [google_cloud_run_v2_job.agentless_orchestrate]
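Review bot: The comment above `google_organization_iam_member.agentless_orchestrate_monitored_project_resource_group` says only that it binds a role "created for project-level integration", but the resource is an organization-level binding, so the orchestrate service account gains `resourcemanager.folders.get` and `resourcemanager.organizations.get` across the whole organization even though the integration is scoped to one project; that widening is the security-relevant fact a reader needs and it should be stated. Suggested comment: `// Orchestrate Service Account <-> Role Binding for the Resource Group custom role. Bound at the organization level (not the monitored project) because folders.get/organizations.get are organization-scoped permissions; the SA can therefore read folder and organization metadata org-wide, nothing more.` The binding and the role in custom_roles.tf both repeat `var.integration_type == "PROJECT" ? 1 : 0`; hoisting that into a single local would keep the two from drifting apart. The whitespace-only hunks (region map, scheduler attributes, local-exec command) raise nothing.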

