2 changes: 1 addition & 1 deletion README.md
Expand Up @@ -11,7 +11,7 @@ A Terraform Module to configure the Lacework Agentless Scanner.

| Name | Version |
|------|---------|
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.12.31 |
| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.5 |
| <a name="requirement_google"></a> [google](#requirement\_google) | ~> 4.46 |
| <a name="requirement_lacework"></a> [lacework](#requirement\_lacework) | ~> 1.18 |

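--- a/checks.tf
+++ b/checks.tf
@@ -0,0 +1,10 @@
+// ensure that organization_id is not empty, even for project-level integrations
+check "non_empty_organization_id" {
+// There can be multiple reasons for an empty `organization_id`. One example is that the provider project resides
+// in a folder. In this case, google_project.selected[0].org_id will be empty whereas google_project.selected[0].folder_id
+// will be non-empty. We'd need to ask the user to provide the organization_id in such cases.
+assert {
+condition = local.organization_id != ""
+error_message = "No `organization_id` is provided and we failed to derive one. Please provide `organization_id`."
+}
+}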
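Review bot: A failing `check` assertion is reported as a warning and does not stop plan or apply, so when `local.organization_id` ends up empty it still reaches `org_id` on `google_organization_iam_custom_role` in custom_roles.tf and `google_organization_iam_member` in main.tf, and the provider's own error (or silent acceptance) is what the user actually sees. If an empty value is meant to block the run, the same condition belongs in a `lifecycle { precondition { condition = local.organization_id != "" ... } }` on those resources, with this `check` kept as the friendlier early signal. A `validation` block on `var.organization_id` cannot cover this case because the value may be derived from `data.google_project.selected` rather than supplied. Note that `check` blocks require Terraform >= 1.5, which the versions.tf bump in this PR provides, so the README/versions.tf changes are a prerequisite for this file.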
4 changes: 2 additions & 2 deletions custom_roles.tf
Expand Up @@ -26,7 +26,7 @@ resource "google_project_iam_custom_role" "agentless_orchestrate_monitored_proje
resource "google_organization_iam_custom_role" "agentless_orchestrate_monitored_project_resource_group" {
count = var.global && (var.integration_type == "PROJECT") ? 1 : 0

org_id = var.organization_id
org_id = local.organization_id
role_id = replace("${var.prefix}-resource-group-${local.suffix}", "-", "_")
title = "Lacework Agentless Workload Scanning Role for monitored project (Resource Group)"
permissions = [
Expand All @@ -44,7 +44,7 @@ resource "google_organization_iam_custom_role" "agentless_orchestrate" {
count = var.global && (var.integration_type == "ORGANIZATION") ? 1 : 0

role_id = replace("${var.prefix}-snapshot-${local.suffix}", "-", "_")
org_id = var.organization_id
org_id = local.organization_id
title = "Lacework Agentless Workload Scanning Role for monitored organization (Organization Snapshots)"
permissions = [
"iam.roles.get",
7 changes: 4 additions & 3 deletions main.tf
Expand Up @@ -3,7 +3,7 @@ locals {
final_project_filter_list = length(var.global_module_reference.project_filter_list) > 0 ? var.global_module_reference.project_filter_list : var.project_filter_list

scanning_project_id = length(var.scanning_project_id) > 0 ? var.scanning_project_id : data.google_project.selected[0].project_id
organization_id = length(var.organization_id) > 0 ? var.organization_id : (data.google_project.selected[0].org_id != null ? data.google_project.selected[0].org_id : "")
organization_id = length(var.organization_id) > 0 ? var.organization_id : (length(data.google_project.selected) > 0 && data.google_project.selected[0].org_id != null ? data.google_project.selected[0].org_id : "")

agentless_orchestrate_service_account_email = var.global ? google_service_account.agentless_orchestrate[0].email : (length(var.global_module_reference.agentless_orchestrate_service_account_email) > 0 ? var.global_module_reference.agentless_orchestrate_service_account_email : var.agentless_orchestrate_service_account_email)
agentless_scan_service_account_email = var.global ? google_service_account.agentless_scan[0].email : (length(var.global_module_reference.agentless_scan_service_account_email) > 0 ? var.global_module_reference.agentless_scan_service_account_email : var.agentless_scan_service_account_email)
Expand Down Expand Up @@ -84,8 +84,9 @@ data "lacework_user_profile" "current" {}

data "google_client_config" "default" {}

// if the scanning project id is not provided, use the project specified in the provider
data "google_project" "selected" {
count = length(var.scanning_project_id) > 0 ? (length(var.organization_id) > 0 ? 0 : 1) : 1
count = length(var.scanning_project_id) > 0 ? 0 : 1
I think this will make the logic here less convoluted. Previously there's an implicit dependency:

  • local.scanning_project_id depends on data.google_project.selected depends on var.organization_id

which made things a bit hard to reason about. Hence I'm doing this cleanup, so we'll always try to get the current project regardless of whether organization_id is provided. LMK if this condition is actually needed.

}

resource "google_project_service" "required_apis" {
Expand Down Expand Up @@ -253,7 +254,7 @@ resource "google_service_account" "agentless_orchestrate" {
resource "google_organization_iam_member" "agentless_orchestrate" {
count = var.global && (var.integration_type == "ORGANIZATION") ? 1 : 0

org_id = var.organization_id
org_id = local.organization_id
role = google_organization_iam_custom_role.agentless_orchestrate[0].id
member = "serviceAccount:${local.agentless_orchestrate_service_account_email}"
}
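Review bot: The new `organization_id` expression in the locals hunk is a three-level nested conditional on a single line, which makes the empty-list and null cases it guards hard to audit. With required_version now at >= 1.5, `one()` on a splat expresses the same thing in two readable steps: `derived_organization_id = one(data.google_project.selected[*].org_id)` followed by `organization_id = length(var.organization_id) > 0 ? var.organization_id : (local.derived_organization_id != null ? local.derived_organization_id : "")`. `one()` yields null for an empty list and the element itself for a one-element list, so the added `length(data.google_project.selected) > 0` guard is subsumed and the result for every input is unchanged. The `locals` block begins before the hunk.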
2 changes: 1 addition & 1 deletion versions.tf
@@ -1,5 +1,5 @@
terraform {
required_version = ">= 0.12.31"
required_version = ">= 1.5"

required_providers {
google = "~> 4.46"