terraform-gcp-gcr

A Terraform Module to integrate Google Container Registries (GCR) with Lacework.

⚠️ - NOTE: When using an existing Service Account, Terraform cannot work out whether a role has already been applied. This means when running the destroy step, existing roles may be removed from the Service Account. If this Service Account is managed by another Terraform module, you can re-run apply on the other module and this will re-add the role.

Alternatively, it is possible to remove the offending roles from the state file before destroy, preventing the role(s) from being removed.

e.g. terraform state rm 'google_project_iam_binding.for_lacework_service_account'

Required Roles

roles/storage.objectViewer

Required APIs

cloudresourcemanager.googleapis.com
containerregistry.googleapis.com

Requirements

Name	Version
terraform	>= 0.14
google	>= 4.4.0
lacework	~> 1.18
time	~> 0.6

Providers

Name	Version
google	>= 4.4.0
lacework	~> 1.18
random	n/a
time	~> 0.6

Modules

Name	Source	Version
lacework_gcr_svc_account	lacework/service-account/gcp	>= 2.0

Resources

Name	Type
google_container_registry.registry	resource
google_project_iam_member.for_gcr_integration	resource
google_project_service.required_apis_for_gcr_integration	resource
google_storage_bucket_iam_member.registry_read	resource
lacework_integration_gcr.default	resource
random_id.uniq	resource
time_sleep.wait_time	resource
google_project.selected	data source
lacework_metric_module.lwmetrics	data source

Inputs

Name	Description	Type	Default	Required
lacework_integration_name	The integration name displayed in the Lacework UI.	string	"TF GCR"	no
limit_by_labels	A list of objects with image labels to limit the assessment of images with matching labels. If you specify limit_by_tags and limit_by_label limits, they function as an AND.	list(object({ key = string value = string }))	[]	no
limit_by_repositories	A list of repositories to assess	list(string)	[]	no
limit_by_tags	A list of tags to limit the assessment of images with matching tags. If you specify limit_by_tags and limit_by_label limits, they function as an AND.	list(string)	[]	no
limit_num_imgs	The maximum number of newest container images to assess per repository. Must be one of 5, 10, or 15. Defaults to 5.	string	"5"	no
non_os_package_support	Whether or not the integration should check non-os packages in the container for vulnerabilities. Defaults to true	bool	true	no
permission_on_bucket	Set roles/storage.objectViewer on the bucket level instead of the project	bool	false	no
prefix	The prefix that will be use at the beginning of every generated resource	string	"lw-gcr"	no
project_id	A project ID different from the default defined inside the provider	string	""	no
registry_domain	The GCR domain, which specifies the location where you store the images. Supported domains are gcr.io, us.gcr.io, eu.gcr.io, or asia.gcr.io. Defaults to gcr.io.	string	"gcr.io"	no
required_gcr_apis	n/a	map(any)	{ "containerregistry": "containerregistry.googleapis.com", "resourcemanager": "cloudresourcemanager.googleapis.com" }	no
service_account_name	The Service Account name (required when use_existing_service_account is set to true). This can also be used to specify the new service account name when use_existing_service_account is set to false	string	""	no
service_account_private_key	The private key in JSON format, base64 encoded (required when use_existing_service_account is set to true)	string	""	no
use_existing_service_account	Set this to true to use an existing Service Account. When using an existing service account, the required roles must be added manually.	bool	false	no
wait_time	Amount of time to wait before the next resource is provisioned.	string	"10s"	no

Outputs

Name	Description
service_account_name	The Service Account name
service_account_private_key	The private key in JSON format, base64 encoded