From 3506f2a83253de8557870a2d772d0d543850b26e Mon Sep 17 00:00:00 2001
From: Vjosa Fusha
Date: Wed, 29 May 2024 14:24:52 +0200
Subject: [PATCH 1/2] fix: skip iam grants when using existing service account
---
 .../README.md | 63 +++++++++++++++++++
 .../main.tf | 35 +++++++++++
 main.tf | 2 +-
 3 files changed, 99 insertions(+), 1 deletion(-)
 create mode 100644 examples/project-level-config-skip-iam-grants/README.md
 create mode 100644 examples/project-level-config-skip-iam-grants/main.tf
diff --git a/examples/project-level-config-skip-iam-grants/README.md b/examples/project-level-config-skip-iam-grants/README.md
new file mode 100644
index 0000000..083d7db
--- /dev/null
+++ b/examples/project-level-config-skip-iam-grants/README.md
@@ -0,0 +1,63 @@
+## Skip IAM grants and use Existing Service Account at the Project Level
+
+This example shows how to skip iam grants and use an existing service account to create a Google Cloud Project integration with Lacework.
+
+The fields required for this example are:
+
+| Name | Description | Type |
+|--------------------------------|----------------------------------------------------------------------------------------------|------|
+| `use_existing_service_account` | Set this to `true` to use an existing service account. | `bool` |
+| `skip_iam_grants` | Set this to `true` to skip generation of custom role, and IAM grants to the Service Account. | `bool` |
+| `service_account_name` | The name of an existing service account. | `string` |
+| `service_account_private_key` | A private key from the existing service account in JSON format and base64 encoded | `string` |
+
+```hcl
+provider "google" {}
+
+provider "lacework" {}
+
+module "gcp_project_level_config" {
+ source = "lacework/config/gcp"
+ project_id = var.project_id
+
+ use_existing_service_account = true
+ skip_iam_grants = true
+ service_account_name = "service_account_name"
+ service_account_private_key = "service_account_key"
+}
+```
+
+Integration will fail if grants are not in place prior to execution. Make sure to create a custom role with the right
+permissions shown in the [README.md#required-roles](https://github.com/lacework/terraform-gcp-config/blob/main/README.md#required-roles), and assign it to the existing service account.
Example:
+
+```hcl
+locals {
+ default_project_roles = [
+ "roles/browser",
+ "roles/iam.securityReviewer",
+ "roles/cloudasset.viewer"
+ ]
+}
+
+resource "google_service_account" "lacework_gcp_compliance_config" {
+ account_id = "lacework-sa-compliance"
+ description = "Service account used by lacework for GCP compliance config"
+ display_name = "Lacework Compliance"
+ project = var.project_id
+}
+
+resource "google_project_iam_member" "lacework_gcp_compliance_role" {
+ project = var.project_id
+ role = "projects/${var.project_id}/roles/lacework.gcpCompliance" // already created custom role
+ member = "serviceAccount:${google_service_account.lacework_gcp_compliance_config.email}"
+}
+
+resource "google_project_iam_member" "lacework_gcp_compliance_config_roles" {
+ for_each = toset(local.default_project_roles)
+ project = var.project_id
+ role = each.value
+ member = "serviceAccount:${google_service_account.lacework_gcp_compliance_config.email}"
+}
+```
+
+For detailed information on integrating Lacework with Google Cloud see [GCP Compliance and Audit Trail Integration - Terraform From Any Supported Host](https://docs.lacework.com/gcp-compliance-and-audit-log-integration-terraform-from-any-supported-host)
\ No newline at end of file
diff --git a/examples/project-level-config-skip-iam-grants/main.tf b/examples/project-level-config-skip-iam-grants/main.tf
new file mode 100644
index 0000000..a978c4b
--- /dev/null
+++ b/examples/project-level-config-skip-iam-grants/main.tf
@@ -0,0 +1,35 @@
+provider "google" {}
+
+provider "lacework" {}
+
+module "gcp_project_level_config" {
+ source = "../../"
+
+ # Skip custom role creation
+ skip_iam_grants = true
+ # Provide an existing service account
+ use_existing_service_account = true
+ service_account_name = google_service_account.lacework_gcp_compliance_config.name
+ service_account_private_key = google_service_account_key.lacework_sa_compliance_key.private_key
+}
+
+resource "google_service_account" "lacework_gcp_compliance_config" {
+ account_id = "lacework-sa-compliance"
+ description = "Service account used by lacework for GCP compliance config"
+ display_name = "Lacework Compliance"
+ project = var.project_id
+}
+
+resource "google_project_iam_member" "lacework_gcp_compliance_role" {
+ project = var.project_id
+ role = "projects/${var.project_id}/roles/lacework.gcpCompliance" // already created custom role
+ member = "serviceAccount:${google_service_account.lacework_gcp_compliance_config.email}"
+}
+
+resource "google_service_account_key" "lacework_sa_compliance_key" {
+ service_account_id = google_service_account.lacework_gcp_compliance_config.name
+}
+
+variable "project_id" {
+ default = "my-project-id"
+}
\ No newline at end of file
diff --git a/main.tf b/main.tf
index 986fcd1..b6842c6 100644
--- a/main.tf
+++ b/main.tf
@@ -124,7 +124,7 @@ resource "google_project_iam_member" "lacework_custom_project_role_binding" {
 role = google_project_iam_custom_role.lacework_custom_project_role.0.name
 member = "serviceAccount:${local.service_account_json_key.client_email}"
 depends_on = [google_project_iam_custom_role.lacework_custom_project_role]
- count = local.resource_level == "PROJECT" ? 1 : 0
+ count = local.skip_iam_grants ? 0 : local.resource_level == "PROJECT" ? 1 : 0
 }
 resource "google_project_iam_member" "for_lacework_service_account" {
From 5e558a632455e539274a70f984843a052df4cf22 Mon Sep 17 00:00:00 2001
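Review bot: The example binds only the custom role `projects/${var.project_id}/roles/lacework.gcpCompliance` to the service account, while the README added for this same example also grants `roles/browser`, `roles/iam.securityReviewer` and `roles/cloudasset.viewer` through `default_project_roles` and warns that the integration fails when grants are not in place; with `skip_iam_grants = true` the module no longer grants anything itself, so the example as written may be missing those bindings. I would add the `default_project_roles` local and the `for_each` binding from the README so the two files stay consistent. The role line also references a custom role this file never creates; a comment such as `# Prerequisite: the custom role lacework.gcpCompliance (permissions in README.md#required-roles) must already exist in var.project_id` would make that visible where it is read, and the `# Skip custom role creation` comment undersells the flag, which per the README also skips the IAM grants. Note as well that `google_service_account_key` materializes the private key in Terraform state, so state for this example needs the same protection as the key itself.
```hcl
locals {
  default_project_roles = [
    "roles/browser",
    "roles/iam.securityReviewer",
    "roles/cloudasset.viewer"
  ]
}

# … unchanged: providers, module block, google_service_account, lacework_gcp_compliance_role, key, variable …

resource "google_project_iam_member" "lacework_gcp_compliance_config_roles" {
  for_each = toset(local.default_project_roles)
  project  = var.project_id
  role     = each.value
  member   = "serviceAccount:${google_service_account.lacework_gcp_compliance_config.email}"
}
```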
From: Vjosa Fusha
Date: Thu, 30 May 2024 10:27:14 +0200
Subject: [PATCH 2/2] add proper syntax
---
 main.tf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/main.tf b/main.tf
index b6842c6..b58bfc9 100644
--- a/main.tf
+++ b/main.tf
@@ -124,7 +124,7 @@ resource "google_project_iam_member" "lacework_custom_project_role_binding" {
 role = google_project_iam_custom_role.lacework_custom_project_role.0.name
 member = "serviceAccount:${local.service_account_json_key.client_email}"
 depends_on = [google_project_iam_custom_role.lacework_custom_project_role]
- count = local.skip_iam_grants ? 0 : local.resource_level == "PROJECT" ? 1 : 0
+ count = local.skip_iam_grants ? 0 : (local.resource_level == "PROJECT" ? 1 : 0)
 }
 resource "google_project_iam_member" "for_lacework_service_account" {
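Review bot: The nested conditional on the `count` line reads more clearly as a single boolean condition, since both branches only ever yield 0 or 1: `count = !local.skip_iam_grants && local.resource_level == "PROJECT" ? 1 : 0`. The resource `lacework_custom_project_role_binding` begins before this hunk, so whether a comment already explains why this binding is skipped is not visible; if not, a short `# No binding when the caller manages grants for an existing service account` above `count` would help. The hunk's last context line opens `google_project_iam_member.for_lacework_service_account`, whose body lies outside the hunk; if it also grants to the same service account it presumably needs the same `skip_iam_grants` gate, which is worth confirming against the rest of main.tf.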