Commit
fix: dependency on global resource group creation (#29)
* update doc

* update docs

* fix: add dependency in non-global modules

* update doc

* update tf-doc version

* update workflow
Ao Zhang authored Apr 16, 2024
1 parent 23d38c1 commit c67c592
Showing 7 changed files with 20 additions and 4 deletions.
2 changes: 1 addition & 1 deletion .github/workflows/terraform_docs.yml
Expand Up @@ -8,7 +8,7 @@ jobs:
with:
ref: ${{ github.event.pull_request.head.ref }}
- name: Install terraform-docs
run: curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz | (cd /usr/local/bin; tar zxvf -; chmod +x /usr/local/bin/terraform-docs)
run: curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.17.0/terraform-docs-v0.17.0-linux-amd64.tar.gz | (cd /usr/local/bin; tar zxvf -; chmod +x /usr/local/bin/terraform-docs)
- name: store hash of orig README.md
id: old_hash
run: echo "README_HASH=$(md5sum README.md)" >> $GITHUB_OUTPUT
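Review bot: the bumped `run: curl -L .../v0.17.0/terraform-docs-v0.17.0-linux-amd64.tar.gz | (cd /usr/local/bin; tar zxvf -; ...)` line still unpacks whatever the URL serves straight into `/usr/local/bin` with no integrity check, so a version bump is the natural moment to add one: download the archive to a temp file, verify it with `sha256sum -c` against the checksum published with the terraform-docs release, and only then extract. The README hashing step below the bump is unaffected.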
2 changes: 1 addition & 1 deletion .terraform-docs.yml
@@ -1,4 +1,4 @@
formatter: "markdown"
version: "0.16.0"
version: "0.17.0"
output:
file: README.md
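Review bot: `version: "0.17.0"` here and the tarball version in `.github/workflows/terraform_docs.yml` are two copies of the same pin; terraform-docs checks this constraint against the running binary, so if the two ever drift the docs job fails. They are bumped together in this commit, but a short comment in one of the two files pointing at the other would save the next person a search.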
3 changes: 2 additions & 1 deletion README.md
Expand Up @@ -83,7 +83,7 @@ No modules.
| <a name="input_execute_now"></a> [execute\_now](#input\_execute\_now) | execute newly created job(s) immediately after deployment | `bool` | `true` | no |
| <a name="input_filter_query_text"></a> [filter\_query\_text](#input\_filter\_query\_text) | The LQL query to constrain the scanning to specific resources. If left blank, Lacework will scan all resources available to the account or organization. For more information, see [Limit Scanned Workloads](https://docs.lacework.net/onboarding/lacework-console-agentless-workload-scanning#aws---limit-scanned-workloads). | `string` | `""` | no |
| <a name="input_global"></a> [global](#input\_global) | Whether we create global resources for this deployment. Defaults to `false` | `bool` | `false` | no |
| <a name="input_global_module_reference"></a> [global\_module\_reference](#input\_global\_module\_reference) | A reference to the global lacework\_azure\_agentless\_scanning module for this account. | <pre>object({<br> scanning_resource_group_name = string<br> key_vault_id = string<br> key_vault_uri = string<br> key_vault_secret_name = string<br> lacework_account = string<br> lacework_domain = string<br> lacework_integration_name = string<br> storage_account_name = string<br> storage_account_id = string<br> blob_container_name = string<br> prefix = string<br> suffix = string<br> monitored_subscription_role_definition_id = string<br> scanning_subscription_role_definition_id = string<br> sidekick_principal_id = string<br> sidekick_client_id = string<br> subscriptions_list = set(string)<br> })</pre> | <pre>{<br> "blob_container_name": "",<br> "key_vault_id": "",<br> "key_vault_secret_name": "",<br> "key_vault_uri": "",<br> "lacework_account": "",<br> "lacework_domain": "",<br> "lacework_integration_name": "",<br> "monitored_subscription_role_definition_id": "",<br> "prefix": "",<br> "scanning_resource_group_name": "",<br> "scanning_subscription_role_definition_id": "",<br> "sidekick_client_id": "",<br> "sidekick_principal_id": "",<br> "storage_account_id": "",<br> "storage_account_name": "",<br> "subscriptions_list": [],<br> "suffix": ""<br>}</pre> | no |
| <a name="input_global_module_reference"></a> [global\_module\_reference](#input\_global\_module\_reference) | A reference to the global lacework\_azure\_agentless\_scanning module for this account. | <pre>object({<br> scanning_resource_group_name = string<br> scanning_resource_group_id = string<br> key_vault_id = string<br> key_vault_uri = string<br> key_vault_secret_name = string<br> lacework_account = string<br> lacework_domain = string<br> lacework_integration_name = string<br> storage_account_name = string<br> storage_account_id = string<br> blob_container_name = string<br> prefix = string<br> suffix = string<br> monitored_subscription_role_definition_id = string<br> scanning_subscription_role_definition_id = string<br> sidekick_principal_id = string<br> sidekick_client_id = string<br> subscriptions_list = set(string)<br> })</pre> | <pre>{<br> "blob_container_name": "",<br> "key_vault_id": "",<br> "key_vault_secret_name": "",<br> "key_vault_uri": "",<br> "lacework_account": "",<br> "lacework_domain": "",<br> "lacework_integration_name": "",<br> "monitored_subscription_role_definition_id": "",<br> "prefix": "",<br> "scanning_resource_group_id": "",<br> "scanning_resource_group_name": "",<br> "scanning_subscription_role_definition_id": "",<br> "sidekick_client_id": "",<br> "sidekick_principal_id": "",<br> "storage_account_id": "",<br> "storage_account_name": "",<br> "subscriptions_list": [],<br> "suffix": ""<br>}</pre> | no |
| <a name="input_image_url"></a> [image\_url](#input\_image\_url) | The container image url for Lacework Agentless Workload Scanning. | `string` | `"public.ecr.aws/p5r4i7k7/sidekick:latest"` | no |
| <a name="input_integration_level"></a> [integration\_level](#input\_integration\_level) | If we are integrating into a subscription or tenant. Valid values are 'SUBSCRIPTION' or 'TENANT' | `string` | n/a | yes |
| <a name="input_key_vault_id"></a> [key\_vault\_id](#input\_key\_vault\_id) | The ID of the Key Vault containing the Lacework Account and Auth Token | `string` | `""` | no |
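Review bot: visible in the unchanged context of this generated table, `image_url` defaults to `public.ecr.aws/p5r4i7k7/sidekick:latest`, a mutable tag, so two applies of the same configuration can run different scanner images. Not part of this change, but worth a follow-up to default to a versioned tag or an image digest so the scanner image is reproducible. The `global_module_reference` row itself matches the new `scanning_resource_group_id` attribute added in `variables.tf`.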
Expand Down Expand Up @@ -123,6 +123,7 @@ No modules.
| <a name="output_lacework_integration_name"></a> [lacework\_integration\_name](#output\_lacework\_integration\_name) | The name of the integration. Passed along in global module reference. |
| <a name="output_monitored_subscription_role_definition_id"></a> [monitored\_subscription\_role\_definition\_id](#output\_monitored\_subscription\_role\_definition\_id) | The id of the monitored subscription role definition |
| <a name="output_prefix"></a> [prefix](#output\_prefix) | Prefix used to add uniqueness to resource names. |
| <a name="output_scanning_resource_group_id"></a> [scanning\_resource\_group\_id](#output\_scanning\_resource\_group\_id) | Id of the resource group hosting the scanner |
| <a name="output_scanning_resource_group_name"></a> [scanning\_resource\_group\_name](#output\_scanning\_resource\_group\_name) | Name of the resource group hosting the scanner |
| <a name="output_scanning_subscription_role_definition_id"></a> [scanning\_subscription\_role\_definition\_id](#output\_scanning\_subscription\_role\_definition\_id) | The id of the scanning subscription role definition |
| <a name="output_sidekick_client_id"></a> [sidekick\_client\_id](#output\_sidekick\_client\_id) | Client id of the managed identity running scanner |
3 changes: 2 additions & 1 deletion checks.tf
Expand Up @@ -17,7 +17,8 @@ check "check_global_resource_condition" {
length(var.global_module_reference.sidekick_principal_id) > 0 &&
length(var.global_module_reference.sidekick_client_id) > 0 &&
length(var.global_module_reference.key_vault_secret_name) > 0 &&
length(var.global_module_reference.key_vault_uri) > 0
length(var.global_module_reference.key_vault_uri) > 0 &&
length(var.global_module_reference.suffix ) > 0
)
error_message = "Some resources have not been referenced correctly during a non-global deployment"
}
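Review bot: the check does not cover the field this commit introduces. `main.tf` now uses `var.global_module_reference.scanning_resource_group_id` as the `depends_on` target for the non-global data source, but with the variable default of `""` this check still passes and the intended ordering is lost silently. Add `length(var.global_module_reference.scanning_resource_group_id) > 0 &&` next to the other conditions. Minor: `length(var.global_module_reference.suffix ) > 0` has a stray space before `)`, and the error message could name which reference is empty instead of "Some resources".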
7 changes: 7 additions & 0 deletions main.tf
Expand Up @@ -130,6 +130,8 @@ locals {
version_file = "${abspath(path.module)}/VERSION"
module_name = "terraform-azure-agentless-scanning"
module_version = fileexists(local.version_file) ? file(local.version_file) : ""

scanning_rg_id = var.global ? "" : var.global_module_reference.scanning_resource_group_id
}

resource "random_id" "uniq" {
Expand All @@ -145,6 +147,11 @@ resource "azurerm_resource_group" "scanning_rg" {

data "azurerm_resource_group" "scanning_rg" {
count = var.global ? 0 : 1
depends_on = [
# This is here to enforce that non-global modules are created after the global module
# We can't do a normal `depends_on` because it wouldn't account for dependencies between modules
local.scanning_rg_id
]

name = local.scanning_resource_group_name
}
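Review bot: `depends_on = [local.scanning_rg_id]` only orders this data source after the global module's resource group when the local actually resolves, through the module input, to that resource's `id`; if a caller leaves `scanning_resource_group_id` at its `""` default the reference is a constant string and the data source can be read before the group exists, with no error. Guard that with the `checks.tf` condition (or a `precondition` on this block) and expand the comment to say what the reference chains through: `var.global_module_reference.scanning_resource_group_id` -> parent module call -> global module output -> `azurerm_resource_group.scanning_rg`. It is also worth confirming with a plan against a fresh global deployment that the read is reported as deferred to apply.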
5 changes: 5 additions & 0 deletions output.tf
Expand Up @@ -34,6 +34,11 @@ output "scanning_resource_group_name" {
description = "Name of the resource group hosting the scanner"
}

output "scanning_resource_group_id" {
value = var.global ? azurerm_resource_group.scanning_rg[0].id : data.azurerm_resource_group.scanning_rg[0].id
description = "Id of the resource group hosting the scanner"
}

output "storage_account_name" {
value = local.storage_account_name
description = "The blob storage account for Agentless Workload Scanning data."
2 changes: 2 additions & 0 deletions variables.tf
Expand Up @@ -270,6 +270,7 @@ variable "filter_query_text" {
variable "global_module_reference" {
type = object({
scanning_resource_group_name = string
scanning_resource_group_id = string
key_vault_id = string
key_vault_uri = string
key_vault_secret_name = string
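Review bot: adding `scanning_resource_group_id = string` as a required attribute of the `global_module_reference` object type is a breaking change for callers that construct this object by hand rather than passing the global module's outputs wholesale; their next plan fails with a type mismatch until they add the attribute. Either call that out in the README/changelog, or declare it `scanning_resource_group_id = optional(string, "")` (Terraform 1.3+) so existing callers keep working, bearing in mind that an empty id also disables the ordering this commit introduces, so the `checks.tf` condition should reject it either way.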
Expand All @@ -289,6 +290,7 @@ variable "global_module_reference" {
})
default = {
scanning_resource_group_name = ""
scanning_resource_group_id = ""
key_vault_id = ""
key_vault_uri = ""
key_vault_secret_name = ""
