feat: introducing new ECR Module #1
Conversation
Signed-off-by: Salim Afiune Maya <afiune@lacework.net>
examples/default/README.md
Outdated
provider "lacework" {} | ||
provider "aws" { |
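Review bot: the README example shows `provider "lacework" {}` with no arguments, so credentials come from the provider's default lookup (a profile in `~/.lacework.toml` or the `LW_ACCOUNT`, `LW_API_KEY` and `LW_API_SECRET` environment variables); add a sentence next to the snippet saying which of those must be in place before `terraform apply`, otherwise a reader copying the example gets an authentication error with no hint of where the configuration lives.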
examples/default/main.tf
Outdated
provider "lacework" {} | ||
provider "aws" { |
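Review bot: `provider "lacework" {}` and `provider "aws" {` appear here without a `terraform { required_providers { ... } }` block in view; if main.tf does not pin `lacework/lacework` and `hashicorp/aws` to a version range, add one so the example does not silently pick up a newer provider with different defaults.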
@afiune a couple of suggestions and a couple of items that need confirmation.
Signed-off-by: Salim Afiune Maya <afiune@lacework.net>
|
||
# wait for X seconds for things to settle down in the AWS side | ||
# before trying to create the Lacework external integration | ||
resource "time_sleep" "wait_time" { |
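Review bot: the comment says "wait for X seconds" but the hunk does not show where the duration comes from; expose it as a module variable with a documented default (`create_duration = var.wait_time`) rather than a literal, and say in the comment why the sleep exists: a freshly created IAM role and its trust policy are eventually consistent, so creating the Lacework integration immediately can fail the role validation even though the role exists.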
I confirm I had this issue multiple times. Happy to see we have a fix for it!
tags = var.tags | ||
} | ||
|
||
resource "aws_iam_role_policy_attachment" "ecr_read_only_policy_attachment" { |
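Review bot: this attachment is created unconditionally, so with `use_existing_iam_role = true` a second module instance manages the same role/policy pair as the first (the apply output later in this thread shows both `module.lacework_ecr_west` and `module.lacework_ecr_east` holding an attachment on `lw-iam-b939227f`). `AttachRolePolicy` is idempotent, so apply succeeds, but `terraform destroy` of either instance detaches `AmazonEC2ContainerRegistryReadOnly` from the role the other instance still uses. Either skip the attachment when the caller supplies the role (`count = var.use_existing_iam_role ? 0 : 1`) or document that the caller owns the policy in that case. Separately, the AWS-managed policy grants read on every repository in the account; if the README's "least privilege" wording is meant literally, an inline policy scoped to the repositories being scanned would be tighter.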
Let's suppose an AWS account with multiple regions. Let's suppose we don't want to create one IAM role per region and that we want to reuse the same role in each region.
To achieve this goal, I would set `use_existing_iam_role` to `true`. It will work in the first region.
How will it react in the second region?
I think this attachment will fail because the policy `AmazonEC2ContainerRegistryReadOnly` will already be attached.
Very interesting use case! I will test it right away!
It works like a charm!
Code:
```hcl
provider "lacework" {
  profile = "mini"
}

provider "aws" {
  alias  = "west2"
  region = "us-west-2"
}

module "lacework_ecr_west" {
  source = "../.."
  providers = {
    aws = aws.west2
  }
}

provider "aws" {
  alias  = "east1"
  region = "us-east-1"
}

module "lacework_ecr_east" {
  source = "../.."
  providers = {
    # Bug: this still selects the west2 alias; it should be aws.east1, which is
    # declared above but never used. That is why both integrations below report
    # a us-west-2 registry domain.
    aws = aws.west2
  }
  use_existing_iam_role = true
  iam_role_name         = module.lacework_ecr_west.iam_role_name
  iam_role_arn          = module.lacework_ecr_west.iam_role_arn
  iam_role_external_id  = module.lacework_ecr_west.external_id
}
```
Running Terraform:
```text
$ terraform apply
module.lacework_ecr_west.module.lacework_ecr_iam_role.random_id.uniq: Refreshing state... [id=uTkifw]
module.lacework_ecr_east.module.lacework_ecr_iam_role.random_id.uniq: Refreshing state... [id=mNsUIw]
module.lacework_ecr_west.module.lacework_ecr_iam_role.random_string.external_id[0]: Refreshing state... [id=VmfEQMbZ8Ws95Enq]
module.lacework_ecr_east.data.aws_caller_identity.current: Refreshing state...
module.lacework_ecr_east.data.aws_region.current: Refreshing state...
module.lacework_ecr_west.data.aws_region.current: Refreshing state...
module.lacework_ecr_west.data.aws_caller_identity.current: Refreshing state...
module.lacework_ecr_east.aws_iam_role_policy_attachment.ecr_read_only_policy_attachment: Refreshing state... [id=lw-iam-b939227f-20210316210253370700000001]
module.lacework_ecr_west.module.lacework_ecr_iam_role.data.aws_iam_policy_document.lacework_assume_role_policy[0]: Refreshing state...
module.lacework_ecr_west.module.lacework_ecr_iam_role.aws_iam_role.lacework_iam_role[0]: Refreshing state... [id=lw-iam-b939227f]
module.lacework_ecr_east.time_sleep.wait_time: Refreshing state... [id=2021-03-16T21:03:08Z]
module.lacework_ecr_west.aws_iam_role_policy_attachment.ecr_read_only_policy_attachment: Refreshing state... [id=lw-iam-b939227f-20210316210148989500000001]
module.lacework_ecr_west.lacework_integration_ecr.iam_role: Refreshing state... [id=MINIALLY_9293C0545824CF31E4D29AA3D2BE425189ED2D56F45B0B0]
module.lacework_ecr_east.lacework_integration_ecr.iam_role: Refreshing state... [id=MINIALLY_3884B70BF5F60803A1EB9A7B5238F78FFFD8DE746C2D6DC]
module.lacework_ecr_west.time_sleep.wait_time: Refreshing state... [id=2021-03-16T21:02:04Z]

Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
```
Two ECR integrations with the same IAM role in different Regions! ⭐
```text
$ lacework int -p mini show MINIALLY_9293C0545824CF31E4D29AA3D2BE425189ED2D56F45B0B0
                      INTEGRATION GUID                         NAME           TYPE         STATUS   STATE
-----------------------------------------------------------+-----------------+---------------+---------+--------
  MINIALLY_9293C0545824CF31E4D29AA3D2BE425189ED2D56F45B0B0   TF ECR IAM Role   CONT_VULN_CFG   Enabled   Ok

                                INTEGRATION DETAILS
----------------------------------------------------------------------------------
    REGISTRY TYPE                AWS_ECR
    REGISTRY DOMAIN              463783698038.dkr.ecr.us-west-2.amazonaws.com
    LIMIT BY TAG                 *
    LIMIT BY LABEL               *
    LIMIT NUM IMAGES PER REPO    5
    AWS AUTH TYPE                AWS_IAM
    ROLE ARN                     arn:aws:iam::463783698038:role/lw-iam-b939227f
$
$ lacework int -p mini show MINIALLY_3884B70BF5F60803A1EB9A7B5238F78FFFD8DE746C2D6DC
                      INTEGRATION GUID                         NAME           TYPE         STATUS   STATE
-----------------------------------------------------------+-----------------+---------------+---------+--------
  MINIALLY_3884B70BF5F60803A1EB9A7B5238F78FFFD8DE746C2D6DC   TF ECR IAM Role   CONT_VULN_CFG   Enabled   Ok

                                INTEGRATION DETAILS
----------------------------------------------------------------------------------
    REGISTRY TYPE                AWS_ECR
    REGISTRY DOMAIN              463783698038.dkr.ecr.us-west-2.amazonaws.com
    LIMIT BY TAG                 *
    LIMIT BY LABEL               *
    LIMIT NUM IMAGES PER REPO    5
    AWS AUTH TYPE                AWS_IAM
    ROLE ARN                     arn:aws:iam::463783698038:role/lw-iam-b939227f
```
@JPLachance Thoughts?
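The situation discussed above (one IAM role shared by two module instances, each attaching the same managed policy, which the apply output confirms for `lw-iam-b939227f`) is easy to detect from Terraform state before it bites on `destroy`. The following is an added example and not code from the terraform-aws-ecr module: it walks the JSON that `terraform show -json` emits and reports any `aws_iam_role_policy_attachment` whose (role, policy) pair is managed by more than one resource address. The sample state embedded below is constructed for the example; the role name is taken from the apply output in this thread and the policy ARN is the AWS-managed `AmazonEC2ContainerRegistryReadOnly`, both used for illustration only.

```python
"""Find IAM policy attachments that more than one Terraform resource manages.

Added example, not part of the terraform-aws-ecr module. Input is the JSON
produced by `terraform show -json`. Duplicated (role, policy_arn) pairs apply
cleanly because AttachRolePolicy is idempotent, but destroying any one of the
managing resources detaches the policy from a role the others still rely on.
"""
import json
import sys
from collections import defaultdict

ATTACHMENT_TYPE = "aws_iam_role_policy_attachment"


def iter_resources(module):
    """Yield every resource in a module and, recursively, in its child modules."""
    for res in module.get("resources", []):
        yield res
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def shared_attachments(state_json):
    """Return {(role, policy_arn): [addresses]} for pairs managed by >1 resource."""
    root = state_json.get("values", {}).get("root_module", {})
    seen = defaultdict(list)
    for res in iter_resources(root):
        if res.get("type") != ATTACHMENT_TYPE:
            continue
        vals = res.get("values", {})
        seen[(vals.get("role"), vals.get("policy_arn"))].append(res["address"])
    return {key: addrs for key, addrs in seen.items() if len(addrs) > 1}


def report(state_json):
    """Render findings as text, one block per duplicated pair; empty if none."""
    lines = []
    findings = shared_attachments(state_json)
    for (role, policy), addrs in sorted(
        findings.items(), key=lambda kv: (str(kv[0][0]), str(kv[0][1]))
    ):
        lines.append(f"{role} <- {policy} managed by {len(addrs)} resources:")
        lines.extend(f"  {addr}" for addr in addrs)
    return "\n".join(lines)


# Constructed sample in the shape of `terraform show -json`, modelled on the
# two module instances in the discussion. Role name and policy ARN are
# illustrative values, not a real account's state.
SAMPLE_STATE = {
    "format_version": "1.0",
    "values": {
        "root_module": {
            "child_modules": [
                {
                    "address": "module.lacework_ecr_west",
                    "resources": [
                        {
                            "address": "module.lacework_ecr_west."
                            "aws_iam_role_policy_attachment.ecr_read_only_policy_attachment",
                            "type": ATTACHMENT_TYPE,
                            "values": {
                                "role": "lw-iam-b939227f",
                                "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
                            },
                        }
                    ],
                },
                {
                    "address": "module.lacework_ecr_east",
                    "resources": [
                        {
                            "address": "module.lacework_ecr_east."
                            "aws_iam_role_policy_attachment.ecr_read_only_policy_attachment",
                            "type": ATTACHMENT_TYPE,
                            "values": {
                                "role": "lw-iam-b939227f",
                                "policy_arn": "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
                            },
                        }
                    ],
                },
            ]
        }
    },
}


if __name__ == "__main__":
    # Usage: terraform show -json | python check_shared_attachments.py
    # Without piped input the constructed sample is analysed instead.
    state = SAMPLE_STATE if sys.stdin.isatty() else json.load(sys.stdin)
    print(report(state) or "no shared attachments")
```

Run it against a real workspace with `terraform show -json | python check_shared_attachments.py`; a non-empty report means the role/policy pair has more than one owner in state and a `destroy` of any one of them will detach the policy for all of them.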
LGTM!
Great stuff!
Signed-off-by: Salim Afiune Maya <afiune@lacework.net>
…form-aws-ecr into afiune/ALLY-371/ECR
As a Lacework user that uses Terraform,
I want to be able to create an IAM Role to integrate Elastic Container Registry (ECR) with Lacework using Terraform,
So I don't have to worry about creating an IAM Role manually.
Default Lacework ECR Integration
This example creates a new least-privilege IAM role with read-only access to the Amazon Elastic Container Registry (ECR) of the account running the automation, and integrates it with Lacework.
Signed-off-by: Salim Afiune Maya <afiune@lacework.net>