feat: introducing new ECR Module #1
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
afiune
force-pushed
the
afiune/ALLY-371/ECR
branch
2 times, most recently
from
11672f0
to
d0ec911
Compare
Signed-off-by: Salim Afiune Maya <afiune@lacework.net>
afiune
force-pushed
the
afiune/ALLY-371/ECR
branch
from
d0ec911
to
05f7600
Compare
examples/default/README.md
Outdated
Comment on lines
14
to
15
| provider "lacework" {} | ||
| provider "aws" { |
There was a problem hiding this comment.
Suggested change
| provider "lacework" {} | |
| provider "aws" { | |
| provider "lacework" {} | |
| provider "aws" { |
examples/default/main.tf
Outdated
Comment on lines
1
to
2
| provider "lacework" {} | ||
| provider "aws" { |
There was a problem hiding this comment.
Suggested change
| provider "lacework" {} | |
| provider "aws" { | |
| provider "lacework" {} | |
| provider "aws" { |
scottford-lw
suggested changes
Mar 16, 2021
There was a problem hiding this comment.
@afiune a couple of suggestions and a couple of items that need confirmation.
Signed-off-by: Salim Afiune Maya <afiune@lacework.net>
afiune
commented
Mar 16, 2021
JPLachance
reviewed
Mar 16, 2021
|
|
||
| # wait for X seconds for things to settle down in the AWS side | ||
| # before trying to create the Lacework external integration | ||
| resource "time_sleep" "wait_time" { |
There was a problem hiding this comment.
I confirm I had this issue multiple times. Happy to see we have a fix for it!
JPLachance
reviewed
Mar 16, 2021
| tags = var.tags | ||
| } | ||
|
|
||
| resource "aws_iam_role_policy_attachment" "ecr_read_only_policy_attachment" { |
There was a problem hiding this comment.
Let's suppose an AWS account with multiple regions. Let's suppose we don't want to create one IAM role per region and that we want to reuse the same role in each region.
To achieve this goal, I would set use_existing_iam_role to true. It will work in the first region.
How will it reach in the second region?
I think this attachment will fail because the policy AmazonEC2ContainerRegistryReadOnly will already be attached.
There was a problem hiding this comment.
Very interesting use case! I will test it right away!
There was a problem hiding this comment.
It works like a charm!
Code:
provider "lacework" {
profile = "mini"
}
provider "aws" {
alias = "west2"
region = "us-west-2"
}
module "lacework_ecr_west" {
source = "../.."
providers = {
aws = aws.west2
}
}
provider "aws" {
alias = "east1"
region = "us-east-1"
}
module "lacework_ecr_east" {
source = "../.."
providers = {
aws = aws.west2
}
use_existing_iam_role = true
iam_role_name = module.lacework_ecr_west.iam_role_name
iam_role_arn = module.lacework_ecr_west.iam_role_arn
iam_role_external_id = module.lacework_ecr_west.external_id
}Running Terraform:
$ terraform apply
module.lacework_ecr_west.module.lacework_ecr_iam_role.random_id.uniq: Refreshing state... [id=uTkifw]
module.lacework_ecr_east.module.lacework_ecr_iam_role.random_id.uniq: Refreshing state... [id=mNsUIw]
module.lacework_ecr_west.module.lacework_ecr_iam_role.random_string.external_id[0]: Refreshing state... [id=VmfEQMbZ8Ws95Enq]
module.lacework_ecr_east.data.aws_caller_identity.current: Refreshing state...
module.lacework_ecr_east.data.aws_region.current: Refreshing state...
module.lacework_ecr_west.data.aws_region.current: Refreshing state...
module.lacework_ecr_west.data.aws_caller_identity.current: Refreshing state...
module.lacework_ecr_east.aws_iam_role_policy_attachment.ecr_read_only_policy_attachment: Refreshing state... [id=lw-iam-b939227f-20210316210253370700000001]
module.lacework_ecr_west.module.lacework_ecr_iam_role.data.aws_iam_policy_document.lacework_assume_role_policy[0]: Refreshing state...
module.lacework_ecr_west.module.lacework_ecr_iam_role.aws_iam_role.lacework_iam_role[0]: Refreshing state... [id=lw-iam-b939227f]
module.lacework_ecr_east.time_sleep.wait_time: Refreshing state... [id=2021-03-16T21:03:08Z]
module.lacework_ecr_west.aws_iam_role_policy_attachment.ecr_read_only_policy_attachment: Refreshing state... [id=lw-iam-b939227f-20210316210148989500000001]
module.lacework_ecr_west.lacework_integration_ecr.iam_role: Refreshing state... [id=MINIALLY_9293C0545824CF31E4D29AA3D2BE425189ED2D56F45B0B0]
module.lacework_ecr_east.lacework_integration_ecr.iam_role: Refreshing state... [id=MINIALLY_3884B70BF5F60803A1EB9A7B5238F78FFFD8DE746C2D6DC]
module.lacework_ecr_west.time_sleep.wait_time: Refreshing state... [id=2021-03-16T21:02:04Z]
Apply complete! Resources: 0 added, 0 changed, 0 destroyed.
Two ECR integrations with the same IAM role in different Regions! ⭐
$ lacework int -p mini show MINIALLY_9293C0545824CF31E4D29AA3D2BE425189ED2D56F45B0B0
INTEGRATION GUID NAME TYPE STATUS STATE
-----------------------------------------------------------+-----------------+---------------+---------+--------
MINIALLY_9293C0545824CF31E4D29AA3D2BE425189ED2D56F45B0B0 TF ECR IAM Role CONT_VULN_CFG Enabled Ok
INTEGRATION DETAILS
----------------------------------------------------------------------------------
REGISTRY TYPE AWS_ECR
REGISTRY DOMAIN 463783698038.dkr.ecr.us-west-2.amazonaws.com
LIMIT BY TAG *
LIMIT BY LABEL *
LIMIT NUM IMAGES PER REPO 5
AWS AUTH TYPE AWS_IAM
ROLE ARN arn:aws:iam::463783698038:role/lw-iam-b939227f
$
$ lacework int -p mini show MINIALLY_3884B70BF5F60803A1EB9A7B5238F78FFFD8DE746C2D6DC
INTEGRATION GUID NAME TYPE STATUS STATE
-----------------------------------------------------------+-----------------+---------------+---------+--------
MINIALLY_3884B70BF5F60803A1EB9A7B5238F78FFFD8DE746C2D6DC TF ECR IAM Role CONT_VULN_CFG Enabled Ok
INTEGRATION DETAILS
----------------------------------------------------------------------------------
REGISTRY TYPE AWS_ECR
REGISTRY DOMAIN 463783698038.dkr.ecr.us-west-2.amazonaws.com
LIMIT BY TAG *
LIMIT BY LABEL *
LIMIT NUM IMAGES PER REPO 5
AWS AUTH TYPE AWS_IAM
ROLE ARN arn:aws:iam::463783698038:role/lw-iam-b939227f
@JPLachance Thoughts?
There was a problem hiding this comment.
I will add this as an example!
Signed-off-by: Salim Afiune Maya <afiune@lacework.net>
…form-aws-ecr into afiune/ALLY-371/ECR
JPLachance
approved these changes
Mar 16, 2021
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As a Lacework user that uses Terraform,
I want to be able to create an IAM Role to integrate Elastic Container Registry (ECR) with Lacework using Terraform,
So I don't have to worry about creating an IAM Role manually.
Default Lacework ECR Integration
This example creates a new least privilege IAM Role to access the Amazon Container Registry of the account running the automation and integrates it with Lacework.
Signed-off-by: Salim Afiune Maya afiune@lacework.net