From 4595e7a1b7d8a8fac7e659fa88cc08716e414330 Mon Sep 17 00:00:00 2001
From: Ao Zhang
Date: Tue, 14 May 2024 11:06:17 -0700
Subject: [PATCH 1/5] misc: add permission required by resource group v2
---
 custom_roles.tf | 5 +++++
 1 file changed, 5 insertions(+)
diff --git a/custom_roles.tf b/custom_roles.tf
index 00f1d3d..86bed47 100644
--- a/custom_roles.tf
+++ b/custom_roles.tf
@@ -16,6 +16,9 @@ resource "google_project_iam_custom_role" "agentless_orchestrate_monitored_proje
 "compute.machineTypes.get",
 "compute.zones.list",
 "resourcemanager.projects.get",
+ // Required for Resource Group v2
+ "resourcemanager.folders.get",
+ "resourcemanager.organizations.get",
 ]
 }
 
@@ -41,6 +44,8 @@ resource "google_organization_iam_custom_role" "agentless_orchestrate" {
 "compute.zones.list",
 "resourcemanager.folders.list",
 "resourcemanager.projects.list",
+ // Required for Resource Group v2
+ "resourcemanager.organizations.get",
 ]
 }
 
From f4d1ac801507011fe14652f62c23461609578e81 Mon Sep 17 00:00:00 2001
From: Ao Zhang
Date: Tue, 14 May 2024 14:02:45 -0700
Subject: [PATCH 2/5] fixup
---
 custom_roles.tf | 16 +++++++++++++++-
 main.tf | 43 ++++++++++++++++++++++++++-----------------
 2 files changed, 41 insertions(+), 18 deletions(-)
diff --git a/custom_roles.tf b/custom_roles.tf
index 86bed47..e86d18e 100644
--- a/custom_roles.tf
+++ b/custom_roles.tf
@@ -16,7 +16,20 @@ resource "google_project_iam_custom_role" "agentless_orchestrate_monitored_proje
 "compute.machineTypes.get",
 "compute.zones.list",
 "resourcemanager.projects.get",
- // Required for Resource Group v2
+ ]
+}
+
+// Scope : MONITORED_PROJECT
+// Use : Accessing Folders/Organizations for Resource Group v2
+// Role created at organization
+// Note this binding happens at the organization level because the custom role requires organization level permissions
+resource "google_organization_iam_custom_role" "agentless_orchestrate_monitored_project_resource_group" {
+ count = var.integration_type == "PROJECT" ? 1 : 0
+
+ org_id = var.organization_id
+ role_id = replace("${var.prefix}-resource-group-${local.suffix}", "-", "_")
+ title = "Lacework Agentless Workload Scanning Role for monitored project (Resource Group)"
+ permissions = [
 "resourcemanager.folders.get",
 "resourcemanager.organizations.get",
 ]
@@ -46,6 +59,7 @@ resource "google_organization_iam_custom_role" "agentless_orchestrate" {
 "resourcemanager.projects.list",
 // Required for Resource Group v2
 "resourcemanager.organizations.get",
+ "resourcemanager.folders.get",
 ]
 }
 
diff --git a/main.tf b/main.tf
index bce9bb5..927d64e 100644
--- a/main.tf
+++ b/main.tf
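Review bot: The new `agentless_orchestrate_monitored_project_resource_group` role in the `@@ -16,7 +16,20` hunk is created for every PROJECT-type integration (`count = var.integration_type == "PROJECT" ? 1 : 0`) yet reads `var.organization_id`, which a project-scoped deployment may not populate; if that variable has an empty default in this module (its declaration is not in the patch), the count should also require it, e.g. `count = var.integration_type == "PROJECT" && var.organization_id != "" ? 1 : 0`, otherwise apply fails on an empty `org_id`. The header comment also talks about "this binding" although the binding lives in main.tf and this block is the role; since the role is org-scoped, I would state the effective grant plainly: `// Grants the orchestrate service account read-only folder/organization metadata lookups across the whole organization, not only the monitored project`. The hunk's trailing context belongs to the new resource, whose closing brace lies outside the hunk.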
@@ -52,27 +52,27 @@ locals { The target cloud run job still resides in the desired region. */ unsupported_cloud_scheduler_region_replacements = { - us-east5 = "us-east1" - us-south1 = "us-central1" + us-east5 = "us-east1" + us-south1 = "us-central1" northamerica-northeast2 = "northamerica-northeast1" - southamerica-west1 = "southamerica-east1" + southamerica-west1 = "southamerica-east1" europe-west10 = "europe-west1" europe-west12 = "europe-west1" - europe-west4 = "europe-west1" - europe-west8 = "europe-west1" - europe-west9 = "europe-west1" + europe-west4 = "europe-west1" + europe-west8 = "europe-west1" + europe-west9 = "europe-west1" - europe-north1 = "europe-central2" + europe-north1 = "europe-central2" europe-southwest1 = "europe-central2" - africa-south1 = "europe-central2" - me-central1 = "europe-central2" - me-central2 = "europe-central2" - me-west1 = "europe-central2" + africa-south1 = "europe-central2" + me-central1 = "europe-central2" + me-central2 = "europe-central2" + me-west1 = "europe-central2" - asia-south2 = "asia-south1" + asia-south2 = "asia-south1" australia-southeast2 = "australia-southeast1" -} + } cloud_scheduler_region = lookup(local.unsupported_cloud_scheduler_region_replacements, local.region, local.region) } 
@@ -267,6 +267,15 @@ resource "google_project_iam_member" "agentless_orchestrate_monitored_project" {
 member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
 }
 
+// Orchestrate Service Account <-> Role Binding for Custom Role created for project-level integration
+resource "google_organization_iam_member" "agentless_orchestrate_monitored_project_resource_group" {
+ count = var.integration_type == "PROJECT" ? 1 : 0
+
+ org_id = var.organization_id
+ role = google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group[0].id
+ member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
+}
+
 // Orchestrate Service Account <-> Role Binding for Custom Role created in Scanner Project
 resource "google_project_iam_member" "agentless_orchestrate" {
 count = var.global ? 1 : 0
@@ -429,9 +438,9 @@ resource "google_cloud_scheduler_job" "agentless_orchestrate" {
 description = "Invoke Lacework Agentless Workload Scanning on a schedule."
 project = local.scanning_project_id
 // for unsupported regions, cloud scheduler is configured in a different region
- region = local.cloud_scheduler_region
- schedule = "0 * * * *"
- time_zone = "Etc/UTC"
+ region = local.cloud_scheduler_region
+ schedule = "0 * * * *"
+ time_zone = "Etc/UTC"
 
 http_target {
 http_method = "POST"
@@ -454,7 +463,7 @@ resource "terraform_data" "execute_cloud_run_job" {
 }
 
 provisioner "local-exec" {
- command = "gcloud run jobs execute ${ google_cloud_run_v2_job.agentless_orchestrate[0].name } --region=${ local.region }"
+ command = "gcloud run jobs execute ${google_cloud_run_v2_job.agentless_orchestrate[0].name} --region=${local.region}"
 }
 
 depends_on = [google_cloud_run_v2_job.agentless_orchestrate]
From 26594d92de941bc11fe6485e27d9e8cb5d92f888 Mon Sep 17 00:00:00 2001
From: Ao Zhang
Date: Tue, 14 May 2024 15:51:07 -0700
Subject: [PATCH 3/5] fixup
---
 custom_roles.tf | 2 +-
 main.tf | 6 +++---
 2 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/custom_roles.tf b/custom_roles.tf
index e86d18e..6e9be41 100644
--- a/custom_roles.tf
+++ b/custom_roles.tf
@@ -24,7 +24,7 @@ resource "google_project_iam_custom_role" "agentless_orchestrate_monitored_proje
 // Role created at organization
 // Note this binding happens at the organization level because the custom role requires organization level permissions
 resource "google_organization_iam_custom_role" "agentless_orchestrate_monitored_project_resource_group" {
- count = var.integration_type == "PROJECT" ? 1 : 0
+ count = var.global && (var.integration_type == "PROJECT") ? 1 : 0
 
 org_id = var.organization_id
 role_id = replace("${var.prefix}-resource-group-${local.suffix}", "-", "_")
diff --git a/main.tf b/main.tf
index 927d64e..66b5830 100644
--- a/main.tf
+++ b/main.tf
@@ -267,11 +267,11 @@ resource "google_project_iam_member" "agentless_orchestrate_monitored_project" {
 member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
 }
 
-// Orchestrate Service Account <-> Role Binding for Custom Role created for project-level integration
+// Orchestrate Service Account <-> Role Binding for Custom Role project-level resource group support
 resource "google_organization_iam_member" "agentless_orchestrate_monitored_project_resource_group" {
- count = var.integration_type == "PROJECT" ? 1 : 0
+ count = var.global && (var.integration_type == "PROJECT") ? 1 : 0
 
- org_id = var.organization_id
+ org_id = local.organization_id
 role = google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group[0].id
 member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
 }
From 1ae3575614774da64b198e6f15554e2d292bbefe Mon Sep 17 00:00:00 2001
From: Ao Zhang
Date: Tue, 14 May 2024 17:23:02 -0700
Subject: [PATCH 4/5] terraform-docs
---
 README.md | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index d93cb88..adb70f5 100644
--- a/README.md
+++ b/README.md
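Review bot: The custom_roles.tf hunk leaves the role at `org_id = var.organization_id` while the main.tf hunk moves the matching binding to `org_id = local.organization_id`; if `local.organization_id` is derived differently from the variable (its definition is not in this patch), the role and the `google_organization_iam_member` binding can end up in different organizations, and the binding's `[0].id` reference would then name a role that does not exist in the org it is applied to. Both should read the same source, so change the role to `org_id = local.organization_id` as well. The `count` gating with `var.global` is now consistent between the two resources, which is good. The enclosing resource blocks in both hunks continue outside the hunks.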
@@ -19,9 +19,9 @@ A Terraform Module to configure the Lacework Agentless Scanner.
 
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | ~> 4.46 |
-| [lacework](#provider\_lacework) | ~> 1.18 |
-| [random](#provider\_random) | n/a |
+| [google](#provider\_google) | 4.84.0 |
+| [lacework](#provider\_lacework) | 1.15.1 |
+| [random](#provider\_random) | 3.5.1 |
 | [terraform](#provider\_terraform) | n/a |
 
 ## Modules
@@ -37,7 +37,9 @@ A Terraform Module to configure the Lacework Agentless Scanner.
 | [google_cloud_run_v2_job.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_run_v2_job) | resource |
 | [google_cloud_scheduler_job.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/cloud_scheduler_job) | resource |
 | [google_organization_iam_custom_role.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
+| [google_organization_iam_custom_role.agentless_orchestrate_monitored_project_resource_group](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_custom_role) | resource |
 | [google_organization_iam_member.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
+| [google_organization_iam_member.agentless_orchestrate_monitored_project_resource_group](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource |
 | [google_project_iam_custom_role.agentless_orchestrate](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_custom_role.agentless_orchestrate_monitored_project](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
 | [google_project_iam_custom_role.agentless_scan](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_custom_role) | resource |
From 7211b165dbdd12c454130a8fce36bd05d656b9b4 Mon Sep 17 00:00:00 2001
From: Ao Zhang
Date: Wed, 15 May 2024 00:45:55 +0000
Subject: [PATCH 5/5] terraform-docs (signed)
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index adb70f5..5bf3034 100644
--- a/README.md
+++ b/README.md
@@ -19,9 +19,9 @@ A Terraform Module to configure the Lacework Agentless Scanner.
 
 | Name | Version |
 |------|---------|
-| [google](#provider\_google) | 4.84.0 |
-| [lacework](#provider\_lacework) | 1.15.1 |
-| [random](#provider\_random) | 3.5.1 |
+| [google](#provider\_google) | ~> 4.46 |
+| [lacework](#provider\_lacework) | ~> 1.18 |
+| [random](#provider\_random) | n/a |
 | [terraform](#provider\_terraform) | n/a |
 
 ## Modules