Skip to content

Latest commit

 

History

History
97 lines (74 loc) · 7.59 KB

README.md

File metadata and controls

97 lines (74 loc) · 7.59 KB

terraform-gcp-gar

GitHub release Codefresh build status

A Terraform Module to integrate Google Artifact Registry (GAR) with Lacework.

⚠️ - NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied. This means when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and this will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed.

e.g. terraform state rm 'google_project_iam_member.for_gar_integration'

TODO: Update and Verify Example Scripts

Required Roles

roles/artifactRegistry.reader

Required APIs

cloudresourcemanager.googleapis.com
artifactregistry.googleapis.com

Requirements

Name Version
terraform >= 0.14
google >= 4.4.0
lacework ~> 1.18
time ~> 0.6

Providers

Name Version
google >= 4.4.0
lacework ~> 1.18
random n/a
time ~> 0.6

Modules

Name Source Version
lacework_gar_svc_account lacework/service-account/gcp ~> 2.0

Resources

Name Type
google_project_iam_member.gar_reader resource
google_project_iam_member.storage_reader resource
google_project_service.required_apis_for_gar_integration resource
lacework_integration_gar.default resource
random_id.uniq resource
time_sleep.wait_time resource
google_project.selected data source
lacework_metric_module.lwmetrics data source

Inputs

Name Description Type Default Required
lacework_integration_name The integration name displayed in the Lacework UI. string "TF GAR" no
limit_by_label An image label to limit the assessment of images with matching label. If you specify limit_by_tag and limit_by_label limits, they function as an AND. Input is "key" = "value" list(any)
[
{
"": ""
}
]
no
limit_by_repositories A comma-separated list of repositories to assess. Defaults to empty (will assess all repositories in the registry). list(any) [] no
limit_by_tags An image tag to limit the assessment of images with matching tag. If you specify limit_by_tag and limit_by_label limits, they function as an AND. Supported field input are mytextmytext, mytext, mytext, or mytext. Only one * wildcard is supported list(any) [] no
limit_num_imgs The maximum number of newest container images to assess per repository. Must be one of 5, 10, or 15 string "5" no
non_os_package_support Whether or not the integration should check non-os packages in the container for vulnerabilities bool true no
prefix The prefix that will be use at the beginning of every generated resource string "lw-gar" no
project_id A project ID different from the default defined inside the provider string "" no
registry_domain The GAR domain, which specifies the location where you store the images. Supported domains should follow the format of (region|zone)-docker.pkg.dev string "us-docker.pkg.dev" no
required_gar_apis n/a map(any)
{
"artifactregistry": "artifactregistry.googleapis.com",
"resourcemanager": "cloudresourcemanager.googleapis.com"
}
no
service_account_name The Service Account name (required when use_existing_service_account is set to true). This can also be used to specify the new service account name when use_existing_service_account is set to false string "" no
service_account_private_key The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true) string "" no
use_existing_service_account Set this to true to use an existing Service Account. When using an existing service account, the required roles must be added manually. bool false no
wait_time Amount of time to wait before the next resource is provisioned. string "10s" no

Outputs

Name Description
service_account_name The Service Account name created for the integration
service_account_private_key The private key in JSON format, base64 encoded