A Terraform Module to integrate Google Artifact Registry (GAR) with Lacework.
⚠️ NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied.
This means that when running the destroy step, existing roles may be removed from the Service Account. If this Service Account
is managed by another Terraform module, you can re-run `apply` on the other module and this will re-add the role.
Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s)
from being removed, e.g.:

```shell
terraform state rm 'google_project_iam_member.for_gar_integration'
```
TODO: Update and Verify Example Scripts
- `roles/artifactRegistry.reader`
- `cloudresourcemanager.googleapis.com`
- `artifactregistry.googleapis.com`
| Name | Description | Type | Default | Required |
|------|-------------|------|---------|:--------:|
| lacework_integration_name | The integration name displayed in the Lacework UI. | `string` | `"TF GAR"` | no |
| limit_by_label | An image label to limit the assessment of images with matching label. If you specify `limit_by_tags` and `limit_by_label` limits, they function as an AND. Input is `"key" = "value"`. | `list(any)` | `[ { "": "" } ]` | no |
| limit_by_repositories | A comma-separated list of repositories to assess. Defaults to empty (will assess all repositories in the registry). | `list(any)` | `[]` | no |
| limit_by_tags | An image tag to limit the assessment of images with matching tag. If you specify `limit_by_tags` and `limit_by_label` limits, they function as an AND. Supported field input are `mytext*mytext`, `mytext`, `*mytext`, or `mytext*`. Only one `*` wildcard is supported. | `list(any)` | `[]` | no |
| limit_num_imgs | The maximum number of newest container images to assess per repository. Must be one of 5, 10, or 15. | `string` | `"5"` | no |
| non_os_package_support | Whether or not the integration should check non-OS packages in the container for vulnerabilities. | `bool` | `true` | no |
| prefix | The prefix that will be used at the beginning of every generated resource. | `string` | `"lw-gar"` | no |
| project_id | A project ID different from the default defined inside the provider. | `string` | `""` | no |
| registry_domain | The GAR domain, which specifies the location where you store the images. Supported domains should follow the format `(region\|zone)-docker.pkg.dev`. | `string` | `"us-docker.pkg.dev"` | no |
| required_gar_apis | n/a | `map(any)` | `{ "artifactregistry": "artifactregistry.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com" }` | no |
| service_account_name | The Service Account name (required when `use_existing_service_account` is set to `true`). This can also be used to specify the new service account name when `use_existing_service_account` is set to `false`. | `string` | `""` | no |
| service_account_private_key | The private key in JSON format, base64 encoded (required when `use_existing_service_account` is set to `true`). | `string` | `""` | no |
| use_existing_service_account | Set this to `true` to use an existing Service Account. When using an existing service account, the required roles must be added manually. | `bool` | `false` | no |
| wait_time | Amount of time to wait before the next resource is provisioned. | `string` | `"10s"` | no |
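The following root configuration is an added example, not part of this README or the module's own code. It wires the inputs above together for the existing-service-account path: the service account is looked up rather than created, the single role and two APIs listed above are granted and enabled in the root configuration (so a re-run of `apply` here restores the role if a later destroy removes it, as the note at the top describes), and the base64 JSON key is passed as a sensitive variable. The module source address `lacework/gar/gcp`, the project ID, service account name, repository names and the Lacework provider authentication via environment variables are all assumptions.

```hcl
terraform {
  required_version = ">= 1.0"
  required_providers {
    google   = { source = "hashicorp/google" }
    lacework = { source = "lacework/lacework" }
  }
}

# Constructed sample values; replace with your own project and service account.
locals {
  project_id = "example-gar-project"
  sa_name    = "lw-gar-scanner"
}

provider "google" {
  project = local.project_id
  region  = "us-central1"
}

# Assumption: the Lacework provider authenticates from LW_ACCOUNT, LW_API_KEY
# and LW_API_SECRET in the environment (or a Lacework CLI profile).
provider "lacework" {}

# The scanner service account already exists (use_existing_service_account = true
# below), so it is read with a data source instead of being created here.
data "google_service_account" "scanner" {
  account_id = local.sa_name
  project    = local.project_id
}

# For an existing service account the README says the required roles must be
# added manually; this grants the one role the README lists, managed by this
# root configuration rather than by the module.
resource "google_project_iam_member" "scanner_gar_reader" {
  project = local.project_id
  role    = "roles/artifactRegistry.reader"
  member  = "serviceAccount:${data.google_service_account.scanner.email}"
}

# The two APIs the README lists. disable_on_destroy = false leaves them enabled
# when this configuration is destroyed, since other workloads may rely on them.
resource "google_project_service" "gar_apis" {
  for_each = toset([
    "cloudresourcemanager.googleapis.com",
    "artifactregistry.googleapis.com",
  ])
  project            = local.project_id
  service            = each.value
  disable_on_destroy = false
}

# Base64-encoded JSON key of the existing service account, supplied out of band
# (for example via TF_VAR_gar_sa_key_b64) so it never lands in version control.
variable "gar_sa_key_b64" {
  type      = string
  sensitive = true
}

module "lacework_gar" {
  source = "lacework/gar/gcp" # assumed registry address for this module

  lacework_integration_name = "prod-gar"
  prefix                    = "lw-gar"
  project_id                = local.project_id
  registry_domain           = "us-docker.pkg.dev"

  use_existing_service_account = true
  service_account_name         = local.sa_name
  service_account_private_key  = var.gar_sa_key_b64

  # Scope the assessment: named repositories, release tags only (one '*'
  # wildcard), and a label gate; tag and label limits combine with AND.
  limit_by_repositories  = ["payments-api", "web-frontend"]
  limit_by_tags          = ["release-*"]
  limit_by_label         = [{ "scanned" = "true" }]
  limit_num_imgs         = "10"
  non_os_package_support = true

  # Make sure the role and APIs are in place before the integration is created.
  depends_on = [
    google_project_iam_member.scanner_gar_reader,
    google_project_service.gar_apis,
  ]
}
```

Because the role binding lives in this root configuration, `terraform destroy` of the module alone does not touch `google_project_iam_member.scanner_gar_reader`, and a plain `terraform apply` re-creates it if anything else removes the binding. Pass the key through `TF_VAR_gar_sa_key_b64` or a secrets manager data source rather than a `.tfvars` file checked into the repository.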