terraform-gcp-gar

A Terraform Module to integrate Google Artifact Registry (GAR) with Lacework.

⚠️ - NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied. This means when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and this will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed.

e.g. terraform state rm 'google_project_iam_member.for_gar_integration'

TODO: Update and Verify Example Scripts

Required Roles

roles/artifactRegistry.reader

Required APIs

cloudresourcemanager.googleapis.com
artifactregistry.googleapis.com

Requirements

Name	Version
terraform	>= 0.14
google	>= 4.4.0
lacework	~> 1.18
time	~> 0.6

Providers

Name	Version
google	>= 4.4.0
lacework	~> 1.18
random	n/a
time	~> 0.6

Modules

Name	Source	Version
lacework_gar_svc_account	lacework/service-account/gcp	~> 2.0

Resources

Name	Type
google_project_iam_member.gar_reader	resource
google_project_iam_member.storage_reader	resource
google_project_service.required_apis_for_gar_integration	resource
lacework_integration_gar.default	resource
random_id.uniq	resource
time_sleep.wait_time	resource
google_project.selected	data source
lacework_metric_module.lwmetrics	data source

Inputs

Name	Description	Type	Default	Required
lacework_integration_name	The integration name displayed in the Lacework UI.	string	"TF GAR"	no
limit_by_label	An image label to limit the assessment of images with matching label. If you specify limit_by_tag and limit_by_label limits, they function as an AND. Input is "key" = "value"	list(any)	[ { "": "" } ]	no
limit_by_repositories	A comma-separated list of repositories to assess. Defaults to empty (will assess all repositories in the registry).	list(any)	[]	no
limit_by_tags	An image tag to limit the assessment of images with matching tag. If you specify limit_by_tag and limit_by_label limits, they function as an AND. Supported field input are mytextmytext, mytext, mytext, or mytext. Only one * wildcard is supported	list(any)	[]	no
limit_num_imgs	The maximum number of newest container images to assess per repository. Must be one of 5, 10, or 15	string	"5"	no
non_os_package_support	Whether or not the integration should check non-os packages in the container for vulnerabilities	bool	true	no
prefix	The prefix that will be use at the beginning of every generated resource	string	"lw-gar"	no
project_id	A project ID different from the default defined inside the provider	string	""	no
registry_domain	The GAR domain, which specifies the location where you store the images. Supported domains should follow the format of (region|zone)-docker.pkg.dev	string	"us-docker.pkg.dev"	no
required_gar_apis	n/a	map(any)	{ "artifactregistry": "artifactregistry.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com" }	no
service_account_name	The Service Account name (required when use_existing_service_account is set to true). This can also be used to specify the new service account name when use_existing_service_account is set to false	string	""	no
service_account_private_key	The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true)	string	""	no
use_existing_service_account	Set this to true to use an existing Service Account. When using an existing service account, the required roles must be added manually.	bool	false	no
wait_time	Amount of time to wait before the next resource is provisioned.	string	"10s"	no

Outputs

Name	Description
service_account_name	The Service Account name created for the integration
service_account_private_key	The private key in JSON format, base64 encoded