feat(GcpGkeAudit): Add support for GcpGkeAudit apiv2 cloud account in…

…tegration (#327) * feat(GcpGkeAudit): Add support for GcpGkeAudit apiv2 cloud account integration Signed-off-by: Ross <[email protected]> * chore(test): re-enable TestIntegrationAwsEksAuditLog Signed-off-by: Ross <[email protected]> * feat(GcpGkeAudit): Resolve errors in gke_audit_log integration resource Signed-off-by: Ross <[email protected]> * feat(GcpGkeAudit): Make organization_id optional Signed-off-by: Ross <[email protected]> * feat(GcpGkeAudit): Mark private_key output as sensitive Signed-off-by: Ross <[email protected]> * feat(GcpGkeAudit): Update GcpGkeAudit integration tests to use google creds Signed-off-by: Ross <[email protected]> * feat(GcpGkeAudit): Update GcpGkeAudit integration test to use real pubsub subscription Signed-off-by: Ross <[email protected]> * feat(GcpGkeAudit): Update DiffSuppressFunc to check for correct fields Signed-off-by: Ross <[email protected]> * chore(GcpGkeAudit): Update go.mod & go.sum with latest go-sdk Signed-off-by: Ross <[email protected]> * feat(GcpGkeAudit): Set cred fields in Read func. Also remove PrivateKey & PrivateKeyId from tests Signed-off-by: Ross <[email protected]> * chore(docs): Add gcp_gke_audit_log resource docs Signed-off-by: Ross <[email protected]> * feat(GcpGkeAuditLog): Add create and update validation on organization_id when integration_type is ORGANIZATION Signed-off-by: Ross <[email protected]>
lacework · Jun 30, 2022 · 00d8d43 · 00d8d43
1 parent 3fed26b
commit 00d8d43
Show file tree

Hide file tree

Showing 23 changed files with 923 additions and 16 deletions.
diff --git a/examples/resource_lacework_integration_gcp_gke_audit_log/main.tf b/examples/resource_lacework_integration_gcp_gke_audit_log/main.tf
@@ -0,0 +1,85 @@
+terraform {
+  required_providers {
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}
+
+variable "name" {
+  type    = string
+  default = "GCP GKE audit log integration example"
+}
+
+variable "client_id" {
+  type    = string
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+variable "client_email" {
+  type    = string
+  default = "[email protected]"
+}
+
+variable "private_key_id" {
+  type    = string
+  default = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
+}
+
+variable "private_key" {
+  type    = string
+  default = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+}
+
+variable "integration_type" {
+  type    = string
+  default = "PROJECT"
+}
+
+variable "project_id" {
+  type    = string
+  default = "example-project-id"
+}
+
+variable "subscription" {
+  type    = string
+  default = "projects/example-project-id/subscriptions/example-subscription"
+}
+
+resource "lacework_integration_gcp_gke_audit_log" "example" {
+  name = var.name
+  credentials {
+    client_id      = var.client_id
+    client_email   = var.client_email
+    private_key_id = var.private_key_id
+    private_key    = var.private_key
+  }
+  integration_type = var.integration_type
+  project_id       = var.project_id
+  subscription     = var.subscription
+  retries          = 10
+}
+
+output "name" {
+  value = lacework_integration_gcp_gke_audit_log.example.name
+}
+
+output "client_id" {
+  value = lacework_integration_gcp_gke_audit_log.example.credentials[0].client_id
+}
+
+output "client_email" {
+  value = lacework_integration_gcp_gke_audit_log.example.credentials[0].client_email
+}
+
+output "integration_type" {
+  value = lacework_integration_gcp_gke_audit_log.example.integration_type
+}
+
+output "project_id" {
+  value = lacework_integration_gcp_gke_audit_log.example.project_id
+}
+
+output "subscription" {
+  value = lacework_integration_gcp_gke_audit_log.example.subscription
+}
diff --git a/go.mod b/go.mod
@@ -5,7 +5,7 @@ go 1.18
 require (
 	github.com/gruntwork-io/terratest v0.40.17
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.13.0
-	github.com/lacework/go-sdk v0.36.1-0.20220621101646-85d5214a6d09
+	github.com/lacework/go-sdk v0.37.0
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.7.3
 	golang.org/x/text v0.3.7
@@ -41,7 +41,7 @@ require (
 	github.com/hashicorp/hcl/v2 v2.12.0 // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect
 	github.com/hashicorp/terraform-exec v0.16.1 // indirect
-	github.com/hashicorp/terraform-json v0.13.0 // indirect
+	github.com/hashicorp/terraform-json v0.14.0 // indirect
 	github.com/hashicorp/terraform-plugin-go v0.8.0 // indirect
 	github.com/hashicorp/terraform-plugin-log v0.3.0 // indirect
 	github.com/hashicorp/terraform-registry-address v0.0.0-20210412075316-9b2996cce896 // indirect

diff --git a/go.sum b/go.sum
@@ -243,8 +243,9 @@ github.com/hashicorp/logutils v1.0.0/go.mod h1:QIAnNjmIWmVIIkWDTG1z5v++HQmx9WQRO
 github.com/hashicorp/terraform-exec v0.16.0/go.mod h1:wB5JHmjxZ/YVNZuv9npAXKmz5pGyxy8PSi0GRR0+YjA=
 github.com/hashicorp/terraform-exec v0.16.1 h1:NAwZFJW2L2SaCBVZoVaH8LPImLOGbPLkSHy0IYbs2uE=
 github.com/hashicorp/terraform-exec v0.16.1/go.mod h1:aj0lVshy8l+MHhFNoijNHtqTJQI3Xlowv5EOsEaGO7M=
-github.com/hashicorp/terraform-json v0.13.0 h1:Li9L+lKD1FO5RVFRM1mMMIBDoUHslOniyEi5CM+FWGY=
 github.com/hashicorp/terraform-json v0.13.0/go.mod h1:y5OdLBCT+rxbwnpxZs9kGL7R9ExU76+cpdY8zHwoazk=
+github.com/hashicorp/terraform-json v0.14.0 h1:sh9iZ1Y8IFJLx+xQiKHGud6/TSUCM0N8e17dKDpqV7s=
+github.com/hashicorp/terraform-json v0.14.0/go.mod h1:5A9HIWPkk4e5aeeXIBbkcOvaZbIYnAIkEyqP2pNSckM=
 github.com/hashicorp/terraform-plugin-go v0.8.0 h1:MvY43PcDj9VlBjYifBWCO/6j1wf106xU8d5Tob/WRs0=
 github.com/hashicorp/terraform-plugin-go v0.8.0/go.mod h1:E3GuvfX0Pz2Azcl6BegD6t51StXsVZMOYQoGO8mkHM0=
 github.com/hashicorp/terraform-plugin-log v0.3.0 h1:NPENNOjaJSVX0f7JJTl4f/2JKRPQ7S2ZN9B4NSqq5kA=
@@ -294,8 +295,8 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/lacework/go-sdk v0.36.1-0.20220621101646-85d5214a6d09 h1:Xd4AwUYdfwptB0tHsoPmrLGHs+Qxh5VshuVxeLz8wUc=
-github.com/lacework/go-sdk v0.36.1-0.20220621101646-85d5214a6d09/go.mod h1:GBudIEhnE2fYt4EPIerH2nAoZsIsKA4qnhpzuDaMhGw=
+github.com/lacework/go-sdk v0.37.0 h1:/9E47M+zFHG/ifGJbpMnGeojF3WqWUlkcZ9sK/gaxEc=
+github.com/lacework/go-sdk v0.37.0/go.mod h1:7puR6CiRN3sS47CQxDjKwk1BJZhOzXwiVrwshmLPMTA=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.4/go.mod h1:U0ppj6V5qS13XJ6of8GYAs25YV2eR4EVcfRqFIhoBtE=

diff --git a/integration/integration.go b/integration/integration.go
@@ -68,6 +68,17 @@ func GetCloudAccountEksAuditLogData(result string) api.AwsEksAuditData {
 	return response.Data.Data
 }
 
+func GetCloudAccountGkeAuditLogData(result string) api.GcpGkeAuditData {
+	id := GetIDFromTerraResults(result)
+
+	response, err := LwClient.V2.CloudAccounts.GetGcpGkeAudit(id)
+	if err != nil {
+		log.Fatalf("Unable to find gke audit log id: %s\n Response: %v", id, response)
+	}
+
+	return response.Data.Data
+}
+
 func GetIntegrationName(result string, integration string) string {
 	var res api.V2CommonIntegration
 	id := GetIDFromTerraResults(result)

diff --git a/integration/resource_lacework_integration_aws_eks_audit_log_test.go b/integration/resource_lacework_integration_aws_eks_audit_log_test.go
@@ -12,8 +12,7 @@ import (
 //
 // It uses the go-sdk to verify the created integration,
 // applies an update with new integration name and destroys it
-//nolint
-func _TestIntegrationAwsEksAuditLog(t *testing.T) {
+func TestIntegrationAwsEksAuditLog(t *testing.T) {
 	terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
 		TerraformDir: "../examples/resource_lacework_integration_aws_eks_audit_log",
 		Vars: map[string]interface{}{

diff --git a/integration/resource_lacework_integration_gcp_gke_audit_log_test.go b/integration/resource_lacework_integration_gcp_gke_audit_log_test.go
@@ -0,0 +1,97 @@
+package integration
+
+import (
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/terraform"
+	"github.com/stretchr/testify/assert"
+)
+
+// TestIntegrationGcpGkeAuditLog applies integration terraform:
+// => '../examples/resource_lacework_integration_gcp_gke_audit_log'
+//
+// It uses the go-sdk to verify the created integration,
+// applies an update with new integration name and destroys it
+func TestIntegrationGcpGkeAuditLog(t *testing.T) {
+	gcreds, err := googleLoadDefaultCredentials()
+	if assert.Nil(t, err, "this test requires you to set GOOGLE_CREDENTIALS environment variable") {
+		terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+			TerraformDir: "../examples/resource_lacework_integration_gcp_gke_audit_log",
+			Vars: map[string]interface{}{
+				"name":             "GCP GKE audit log integration example",
+				"client_id":        gcreds.ClientID,
+				"client_email":     gcreds.ClientEmail,
+				"private_key_id":   gcreds.PrivateKeyID,
+				"private_key":      gcreds.PrivateKey,
+				"integration_type": "PROJECT",
+				"project_id":       gcreds.ProjectID,
+				"subscription":     "projects/techally-hipstershop-275821/subscriptions/gcp-gke-audit-log-subscription",
+			},
+		})
+		defer terraform.Destroy(t, terraformOptions)
+
+		// Create new GcpGkeAudit Integration
+		create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+		actualClientId := terraform.Output(t, terraformOptions, "client_id")
+		actualClientEmail := terraform.Output(t, terraformOptions, "client_email")
+		actualIntegrationType := terraform.Output(t, terraformOptions, "integration_type")
+		actualProjectId := terraform.Output(t, terraformOptions, "project_id")
+		actualSubscription := terraform.Output(t, terraformOptions, "subscription")
+		assert.Equal(
+			t,
+			"GCP GKE audit log integration example",
+			GetCloudAccountIntegrationName(create),
+		)
+		assert.Equal(t, gcreds.ClientID, actualClientId)
+		assert.Equal(t, gcreds.ClientEmail, actualClientEmail)
+		assert.Equal(t, "PROJECT", actualIntegrationType)
+		assert.Equal(t, gcreds.ProjectID, actualProjectId)
+		assert.Equal(t, "projects/techally-hipstershop-275821/subscriptions/gcp-gke-audit-log-subscription", actualSubscription)
+
+		// Update GcpGkeAudit Integration
+		terraformOptions.Vars = map[string]interface{}{
+			"name":             "GcpGkeAudit log integration updated",
+			"client_id":        gcreds.ClientID,
+			"client_email":     gcreds.ClientEmail,
+			"private_key_id":   gcreds.PrivateKeyID,
+			"private_key":      gcreds.PrivateKey,
+			"integration_type": "PROJECT",
+			"project_id":       gcreds.ProjectID,
+			"subscription":     "projects/techally-hipstershop-275821/subscriptions/gcp-gke-audit-log-subscription",
+		}
+
+		update := terraform.ApplyAndIdempotent(t, terraformOptions)
+		actualClientId = terraform.Output(t, terraformOptions, "client_id")
+		actualClientEmail = terraform.Output(t, terraformOptions, "client_email")
+		actualIntegrationType = terraform.Output(t, terraformOptions, "integration_type")
+		actualProjectId = terraform.Output(t, terraformOptions, "project_id")
+		actualSubscription = terraform.Output(t, terraformOptions, "subscription")
+		assert.Equal(
+			t,
+			"GcpGkeAudit log integration updated",
+			GetCloudAccountIntegrationName(update),
+		)
+		assert.Equal(t, gcreds.ClientID, actualClientId)
+		assert.Equal(t, gcreds.ClientEmail, actualClientEmail)
+		assert.Equal(t, "PROJECT", actualIntegrationType)
+		assert.Equal(t, gcreds.ProjectID, actualProjectId)
+		assert.Equal(t, "projects/techally-hipstershop-275821/subscriptions/gcp-gke-audit-log-subscription", actualSubscription)
+
+		// Update GcpGkeAudit with invalid configuration
+		terraformOptions.Vars = map[string]interface{}{
+			"name":             "GcpGkeAudit log integration updated",
+			"client_id":        gcreds.ClientID,
+			"client_email":     gcreds.ClientEmail,
+			"private_key_id":   gcreds.PrivateKeyID,
+			"private_key":      gcreds.PrivateKey,
+			"integration_type": "ORGANIZATION",
+			"project_id":       gcreds.ProjectID,
+			"subscription":     "projects/techally-hipstershop-275821/subscriptions/gcp-gke-audit-log-subscription",
+		}
+
+		_, err = terraform.ApplyAndIdempotentE(t, terraformOptions)
+		assert.Contains(t, err.Error(),
+			"error updating cloud account integration: organization_id MUST be"+
+				" set when integration_type is ORGANIZATION")
+	}
+}
diff --git a/lacework/provider.go b/lacework/provider.go
@@ -92,6 +92,7 @@ func Provider() *schema.Provider {
 			"lacework_integration_ecr":                   resourceLaceworkIntegrationEcr(),
 			"lacework_integration_gcp_cfg":               resourceLaceworkIntegrationGcpCfg(),
 			"lacework_integration_gcp_at":                resourceLaceworkIntegrationGcpAt(),
+			"lacework_integration_gcp_gke_audit_log":     resourceLaceworkIntegrationGcpGkeAuditLog(),
 			"lacework_integration_gar":                   resourceLaceworkIntegrationGar(),
 			"lacework_integration_gcr":                   resourceLaceworkIntegrationGcr(),
 			"lacework_integration_ghcr":                  resourceLaceworkIntegrationGhcr(),