fix: fix gcr limit_by_labels field (#379)

* fix: fix gcr limit_by_labels field

examples/resource_lacework_integration_gcr/main.tf

@@ -9,22 +9,40 @@ terraform {
 provider "lacework" {}
 
 resource "lacework_integration_gcr" "example" {
-  name            = "GRC Example"
+  name            = var.integration_name
   registry_domain = "gcr.io"
   non_os_package_support = true
   credentials {
-    client_id      = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-    private_key_id = "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx"
-    client_email   = "[email protected]"
-    private_key    = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
+    client_id      = var.client_id
+    private_key_id = var.private_key_id
+    client_email   = var.client_email
+    private_key    = var.private_key
   }
 
   limit_num_imgs        = 10
   limit_by_tags         = ["dev*", "*test"]
   limit_by_repositories = ["my-repo", "other-repo"]
 
   limit_by_labels = {
-    key1 = "label1"
-    key2 = "label2"
+    foo = "bar"
   }
 }
+
+variable "integration_name" {
+  type    = string
+  default = "Google Container Registry Example"
+}
+variable "client_id" {
+  type      = string
+}
+variable "client_email" {
+  type      = string
+}
+variable "private_key_id" {
+  type      = string
+}
+variable "private_key" {
+  type      = string
+  sensitive = true
+}
+

go.mod

@@ -5,7 +5,7 @@ go 1.18
 require (
 	github.com/gruntwork-io/terratest v0.40.18
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.20.0
-	github.com/lacework/go-sdk v0.42.1-0.20220921123725-3044a87f12b5
+	github.com/lacework/go-sdk v0.42.1-0.20220926171608-0167eabe68c1
 	github.com/pkg/errors v0.9.1
 	github.com/stretchr/testify v1.8.0
 	golang.org/x/text v0.3.7

go.sum

@@ -282,8 +282,8 @@ github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
 github.com/kylelemons/godebug v0.0.0-20170820004349-d65d576e9348/go.mod h1:B69LEHPfb2qLo0BaaOLcbitczOKLWTsrBG9LczfCD4k=
 github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
-github.com/lacework/go-sdk v0.42.1-0.20220921123725-3044a87f12b5 h1:IzUccsFPreWzlVeDz9VRmeNjdaZLvEoQk+EkNITfaZU=
-github.com/lacework/go-sdk v0.42.1-0.20220921123725-3044a87f12b5/go.mod h1:1pB36iQ7KQwBuFHz3gtg0ADiFvHZagVj3uEDIg7CNOU=
+github.com/lacework/go-sdk v0.42.1-0.20220926171608-0167eabe68c1 h1:sW+NjcgTXrbjpQ87+t0GqM0qsZb/h8DBblgSTRdlUxY=
+github.com/lacework/go-sdk v0.42.1-0.20220926171608-0167eabe68c1/go.mod h1:1pB36iQ7KQwBuFHz3gtg0ADiFvHZagVj3uEDIg7CNOU=
 github.com/matryer/is v1.2.0/go.mod h1:2fLPjFQM9rhQ15aVEtbuwhJinnOqrmgXPNdZsdwlWXA=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
 github.com/mattn/go-colorable v0.1.9/go.mod h1:u6P/XSegPjTcexA+o6vUJrdnUu04hMope9wVRipJSqc=

integration/integration.go

@@ -141,6 +141,18 @@ func GetContainerRegistryIntegration(result string) api.ContainerRegIntegration
 	return res.Data[0]
 }
 
+func GetContainerRegisteryGcr(result string) api.GcpGcrIntegrationResponse {
+	id := GetIDFromTerraResults(result)
+
+	res, err := LwClient.V2.ContainerRegistries.GetGcpGcr(id)
+
+	if err != nil {
+		log.Fatalf("Unable to find integration id: %s\n Response: %v", id, res)
+	}
+
+	return res
+}
+
 func GetResourceGroupDescription(result string) string {
 	id := GetIDFromTerraResults(result)
 

integration/resource_lacework_integration_gcr_test.go

@@ -0,0 +1,46 @@
+package integration
+
+import (
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/terraform"
+	"github.com/stretchr/testify/assert"
+)
+
+// TestIntegrationGCRCreate applies integration terraform:
+// => '../examples/resource_lacework_integration_gcr'
+//
+// It uses the go-sdk to verify the created integration,
+// applies an update with new integration name and destroys it
+func TestIntegrationGCRCreate(t *testing.T) {
+	gcreds, err := googleLoadDefaultCredentials()
+	if assert.Nil(t, err, "this test requires you to set GOOGLE_CREDENTIALS environment variable") {
+		terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+			TerraformDir: "../examples/resource_lacework_integration_gcr",
+			Vars: map[string]interface{}{
+				"client_id":      gcreds.ClientID,
+				"client_email":   gcreds.ClientEmail,
+				"private_key_id": gcreds.PrivateKeyID,
+			},
+			EnvVars: map[string]string{
+				"TF_VAR_private_key": gcreds.PrivateKey,
+				"LW_API_TOKEN":       LwApiToken,
+			},
+		})
+		defer terraform.Destroy(t, terraformOptions)
+
+		// Create new Google Container Registry
+		create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+		createData := GetContainerRegisteryGcr(create)
+		assert.Equal(t, "Google Container Registry Example", createData.Data.Name)
+		assert.Equal(t, []map[string]string{{"foo": "bar"}}, createData.Data.Data.LimitByLabel)
+
+		// Update Google Container Registry
+		terraformOptions.Vars["integration_name"] = "Google Container Registry Updated"
+
+		update := terraform.ApplyAndIdempotent(t, terraformOptions)
+		updateData := GetContainerRegistryIntegration(update)
+		assert.Equal(t, "Google Container Registry Updated", updateData.Name)
+		assert.Equal(t, []map[string]string{{"foo": "bar"}}, createData.Data.Data.LimitByLabel)
+	}
+}

lacework/resource_lacework_integration_gcr.go

@@ -60,6 +60,14 @@ func resourceLaceworkIntegrationGcr() *schema.Resource {
 						"private_key_id": {
 							Type:     schema.TypeString,
 							Required: true,
+							DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
+								return !d.HasChanges(
+									"name", "org_level", "enabled",
+									"credentials.0.client_id",
+									"credentials.0.client_email", "limit_num_imgs",
+									"limit_by_tags", "limit_by_labels", "limit_by_repositories",
+								)
+							},
 						},
 						"client_email": {
 							Type:     schema.TypeString,
@@ -70,12 +78,9 @@ func resourceLaceworkIntegrationGcr() *schema.Resource {
 							Required:  true,
 							Sensitive: true,
 							DiffSuppressFunc: func(k, old, new string, d *schema.ResourceData) bool {
-								// @afiune we can't compare this element since our API, for security reasons,
-								// does NOT return the private key configured in the Lacework server. So if
-								// any other element changed from the credentials then we trigger a diff
 								return !d.HasChanges(
 									"name", "org_level", "enabled",
-									"credentials.0.client_id", "credentials.0.private_key_id",
+									"credentials.0.client_id",
 									"credentials.0.client_email", "limit_num_imgs",
 									"limit_by_tags", "limit_by_labels", "limit_by_repositories",
 								)
@@ -154,23 +159,28 @@ func resourceLaceworkIntegrationGcr() *schema.Resource {
 
 func resourceLaceworkIntegrationGcrCreate(d *schema.ResourceData, meta interface{}) error {
 	lacework := meta.(*api.Client)
-	data := api.NewContainerRegistry(d.Get("name").(string),
-		api.GcpGarContainerRegistry,
-		api.GcpGcrData{
-			LimitByTag:       castAttributeToStringSlice(d, "limit_by_tags"),
-			LimitByLabel:     castAttributeToArrayOfKeyValueMap(d, "limit_by_labels"),
-			LimitByRep:       castAttributeToStringSlice(d, "limit_by_repositories"),
-			LimitNumImg:      d.Get("limit_num_imgs").(int),
-			RegistryDomain:   d.Get("registry_domain").(string),
-			NonOSPackageEval: d.Get("non_os_package_support").(bool),
-			Credentials: api.GcpCredentialsV2{
-				ClientID:     d.Get("credentials.0.client_id").(string),
-				ClientEmail:  d.Get("credentials.0.client_email").(string),
-				PrivateKeyID: d.Get("credentials.0.private_key_id").(string),
-				PrivateKey:   d.Get("credentials.0.private_key").(string),
-			},
+	gcrData := api.GcpGcrData{
+		LimitByTag:       castAttributeToStringSlice(d, "limit_by_tags"),
+		LimitByRep:       castAttributeToStringSlice(d, "limit_by_repositories"),
+		LimitNumImg:      d.Get("limit_num_imgs").(int),
+		RegistryDomain:   d.Get("registry_domain").(string),
+		NonOSPackageEval: d.Get("non_os_package_support").(bool),
+		Credentials: api.GcpCredentialsV2{
+			ClientID:     d.Get("credentials.0.client_id").(string),
+			ClientEmail:  d.Get("credentials.0.client_email").(string),
+			PrivateKeyID: d.Get("credentials.0.private_key_id").(string),
+			PrivateKey:   d.Get("credentials.0.private_key").(string),
 		},
-	)
+	}
+
+	labels := castAttributeToArrayKeyMapOfStrings(d, "limit_by_labels")
+	if len(labels) != 0 {
+		gcrData.LimitByLabel = labels
+	}
+
+	data := api.NewContainerRegistry(d.Get("name").(string),
+		api.GcpGcrContainerRegistry,
+		gcrData)
 
 	if !d.Get("enabled").(bool) {
 		data.Enabled = 0
@@ -225,9 +235,15 @@ func resourceLaceworkIntegrationGcrRead(d *schema.ResourceData, meta interface{}
 		d.Set("limit_num_imgs", integration.Data.LimitNumImg)
 		d.Set("non_os_package_support", integration.Data.NonOSPackageEval)
 
-		d.Set("limit_by_tags", integration.Data.LimitByTag)
-		d.Set("limit_by_repositories", integration.Data.LimitByRep)
-		d.Set("limit_by_labels", castArrayOfStringKeyMapOfStringsToLimitByLabelSet(integration.Data.LimitByLabel))
+		if len(response.Data.Data.LimitByTag) != 0 {
+			d.Set("limit_by_tags", response.Data.Data.LimitByTag)
+		}
+		if len(response.Data.Data.LimitByRep) != 0 {
+			d.Set("limit_by_repositories", response.Data.Data.LimitByRep)
+		}
+		if len(response.Data.Data.LimitByLabel) != 0 {
+			d.Set("limit_by_labels", castArrayOfStringKeyMapOfStringsToLimitByLabelSet(response.Data.Data.LimitByLabel))
+		}
 
 		log.Printf("[INFO] Read %s registry type with guid: %v\n", api.GcpGcrContainerRegistry.String(), integration.IntgGuid)
 		return nil
@@ -240,23 +256,28 @@ func resourceLaceworkIntegrationGcrRead(d *schema.ResourceData, meta interface{}
 func resourceLaceworkIntegrationGcrUpdate(d *schema.ResourceData, meta interface{}) error {
 	lacework := meta.(*api.Client)
 
+	gcrData := api.GcpGcrData{
+		LimitByTag:       castAttributeToStringSlice(d, "limit_by_tags"),
+		LimitByRep:       castAttributeToStringSlice(d, "limit_by_repositories"),
+		LimitNumImg:      d.Get("limit_num_imgs").(int),
+		RegistryDomain:   d.Get("registry_domain").(string),
+		NonOSPackageEval: d.Get("non_os_package_support").(bool),
+		Credentials: api.GcpCredentialsV2{
+			ClientID:     d.Get("credentials.0.client_id").(string),
+			ClientEmail:  d.Get("credentials.0.client_email").(string),
+			PrivateKeyID: d.Get("credentials.0.private_key_id").(string),
+			PrivateKey:   d.Get("credentials.0.private_key").(string),
+		},
+	}
+
+	labels := castAttributeToArrayKeyMapOfStrings(d, "limit_by_labels")
+	if len(labels) != 0 {
+		gcrData.LimitByLabel = labels
+	}
+
 	data := api.NewContainerRegistry(d.Get("name").(string),
 		api.GcpGcrContainerRegistry,
-		api.GcpGarData{
-			LimitByTag:       castAttributeToStringSlice(d, "limit_by_tags"),
-			LimitByLabel:     castAttributeToArrayOfKeyValueMap(d, "limit_by_labels"),
-			LimitByRep:       castAttributeToStringSlice(d, "limit_by_repositories"),
-			LimitNumImg:      d.Get("limit_num_imgs").(int),
-			RegistryDomain:   d.Get("registry_domain").(string),
-			NonOSPackageEval: d.Get("non_os_package_support").(bool),
-			Credentials: api.GcpCredentialsV2{
-				ClientID:     d.Get("credentials.0.client_id").(string),
-				ClientEmail:  d.Get("credentials.0.client_email").(string),
-				PrivateKeyID: d.Get("credentials.0.private_key_id").(string),
-				PrivateKey:   d.Get("credentials.0.private_key").(string),
-			},
-		},
-	)
+		gcrData)
 
 	if !d.Get("enabled").(bool) {
 		data.Enabled = 0