main.tf
98 lines (84 loc) · 3.07 KB
locals {
  // Scope of the integration created by this module: always one GCP project.
  resource_level = "PROJECT"

  // Target project: an explicit var.project_id wins; when it is empty the
  // provider's default project is looked up via data.google_project.selected.
  project_id = (
    length(var.project_id) > 0
    ? var.project_id
    : data.google_project.selected[0].project_id
  )

  // Service account the integration authenticates as.
  //  - existing account: the caller-supplied name, used verbatim
  //  - new account: the caller-supplied name when set, otherwise a
  //    "<prefix>-lw-<random>" name so repeated deployments do not collide
  service_account_name = (
    var.use_existing_service_account
    ? var.service_account_name
    : (
      length(var.service_account_name) > 0
      ? var.service_account_name
      : "${var.prefix}-lw-${random_id.uniq.hex}"
    )
  )

  // Decoded service-account JSON key; client_email, client_id, private_key_id
  // and private_key are read from it by the resources below. The key arrives
  // base64-encoded either from the caller (existing account) or from the
  // service-account module (new account).
  // NOTE(review): the decoded private key is handed to lacework_integration_gar
  // and therefore persists in Terraform state; keep the state backend encrypted
  // and access-restricted, and declare var.service_account_private_key as
  // sensitive in variables.tf (not visible here) — confirm.
  service_account_json_key = jsondecode(
    var.use_existing_service_account
    ? base64decode(var.service_account_private_key)
    : base64decode(module.lacework_gar_svc_account.private_key)
  )

  // APIs that must be enabled on the project (collection passed through as-is).
  gar_apis = var.required_gar_apis

  // Module self-identification, read by data.lacework_metric_module.lwmetrics.
  module_name    = "terraform-gcp-gar"
  version_file   = "${abspath(path.module)}/VERSION"
  module_version = fileexists(local.version_file) ? file(local.version_file) : ""
}
// Random suffix for generated service-account names (see local.service_account_name).
resource "random_id" "uniq" {
  byte_length = 4 // 4 bytes -> 8 hex characters in .hex
}
// Only instantiated when no var.project_id is given: resolves the provider's
// default project so local.project_id always has a value.
data "google_project" "selected" {
  count = length(var.project_id) == 0 ? 1 : 0
}
// Service account used by the integration. With use_existing_service_account
// set, the module is told not to create anything (create = false) and the
// caller-supplied key in var.service_account_private_key is used instead.
module "lacework_gar_svc_account" {
  source  = "lacework/service-account/gcp"
  version = "~> 2.0"

  create               = !var.use_existing_service_account
  project_id           = local.project_id
  service_account_name = local.service_account_name
}
// Enable every API the integration depends on (one resource per entry of
// local.gar_apis).
resource "google_project_service" "required_apis_for_gar_integration" {
  for_each = local.gar_apis

  project = local.project_id
  service = each.value

  // Leave the APIs enabled when this module is destroyed: disabling them
  // could break other workloads sharing the same project.
  disable_on_destroy = false
}
// Role(s) for a GAR integration
// Project-wide read access to Artifact Registry for the integration's
// service account (email taken from the decoded JSON key).
resource "google_project_iam_member" "gar_reader" {
  project = local.project_id
  member  = "serviceAccount:${local.service_account_json_key.client_email}"
  role    = "roles/artifactregistry.reader"
}
// Project-wide object read access on Cloud Storage for the same account.
// NOTE(review): this binding covers every bucket in the project, not only
// registry storage; confirm the integration still requires it so the grant
// can be narrowed or dropped if it does not.
resource "google_project_iam_member" "storage_reader" {
  project = local.project_id
  member  = "serviceAccount:${local.service_account_json_key.client_email}"
  role    = "roles/storage.objectViewer"
}
# Pause for var.wait_time after the service account, APIs and IAM bindings
# exist so that GCP-side propagation (IAM grants are typically not effective
# immediately) completes before the Lacework integration is created.
resource "time_sleep" "wait_time" {
  create_duration = var.wait_time

  depends_on = [
    module.lacework_gar_svc_account,
    google_project_service.required_apis_for_gar_integration,
    google_project_iam_member.gar_reader,
    google_project_iam_member.storage_reader,
  ]
}
// The Lacework GAR integration itself; created only once time_sleep.wait_time
// has elapsed so the account and its grants are usable.
resource "lacework_integration_gar" "default" {
  name            = "${var.lacework_integration_name}-${local.project_id}"
  registry_domain = var.registry_domain

  // Service-account credentials, all taken from the decoded JSON key.
  // The private key is persisted in Terraform state; protect the state backend.
  credentials {
    client_id      = local.service_account_json_key.client_id
    client_email   = local.service_account_json_key.client_email
    private_key_id = local.service_account_json_key.private_key_id
    private_key    = local.service_account_json_key.private_key
  }

  // Caller-supplied filters, forwarded to the integration unchanged.
  limit_by_tags          = var.limit_by_tags
  limit_by_repositories  = var.limit_by_repositories
  limit_num_imgs         = var.limit_num_imgs
  non_os_package_support = var.non_os_package_support

  /*
  limit_by_label {
  key = keys(var.limit_by_label)
  value = values(var.limit_by_label)
  }
  */

  depends_on = [time_sleep.wait_time]
}
// Reports this module's name and version (both from locals, so they track the
// VERSION file) — presumably for provider-side usage metrics; confirm with the
// Lacework provider docs.
data "lacework_metric_module" "lwmetrics" {
  version = local.module_version
  name    = local.module_name
}