feat: Add inputs limit_by_labels, limit_by_tags, limit_by_repositories (#17)

dmurray-lacework · web-flow · commit 1c8446561470 · 2021-11-22T14:20:50.000-07:00
Signed-off-by: Darren Murray &lt;darren.murray@lacework.net&gt;
diff --git a/README.md b/README.md
@@ -22,6 +22,9 @@ A Terraform Module to integrate Amazon Container Registries (ECR) with Lacework.
 | wait_time                 | Amount of time to wait before the next resource is provisioned                                                   | `string`      | `"15s"`             | no       |
 | lacework_integration_name | The name of the external ECR integration                                                                         | `string`      | `"TF ECR IAM ROLE"` | no       |
 | non_os_package_support    | Whether or not the integration should check non-os packages in the container for vulnerabilities                 | `bool`        | `false`             | no       |
+| `limit_by_tags` |A list of image tags to limit the assessment of images with matching tags. If you specify limit_by_tags and limit_by_labels limits, they function as an AND. Supported field input can be ["mytext\*mytext", "mytext", "mytext\*", "mytext". Only one * wildcard is supported.| `list(string)` | no |
+| `limit_by_labels` |A list of image labels to limit the assessment of images with matching labels. If you specify limit_by_tags and limit_by_labels limits, they function as an AND. Supported field input can be ["mytext\*mytext", "mytext", "mytext*", "mytext"].Only one * wildcard is supported.| `list(string)` | no |
+| `limit_by_repositories` |A list of repositories to assess.| `list(string)` | no |
 
 ## Outputs
 
diff --git a/examples/configure-lacework-ecr-integration/README.md b/examples/configure-lacework-ecr-integration/README.md
@@ -0,0 +1,26 @@
+# Configure Lacework ECR Integration
+
+This example creates a new least privilege IAM Role to access the Amazon Container Registry of the account running the automation and integrates it with Lacework.
+
+```hcl
+terraform {
+  required_providers {
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}
+
+provider "lacework" {}
+
+provider "aws" {}
+
+module "lacework_ecr" {
+  source  = "lacework/ecr/aws"
+  version = "~> 0.1"
+
+  limit_by_tags         = ["example*"]
+  limit_by_labels       = {example: "example"}
+  limit_by_repositories = ["foo","bar"]
+}
+```
diff --git a/examples/configure-lacework-ecr-integration/main.tf b/examples/configure-lacework-ecr-integration/main.tf
@@ -0,0 +1,11 @@
+provider "lacework" {}
+
+provider "aws" {}
+
+module "lacework_ecr" {
+  source = "../.."
+  
+  limit_by_tags         = ["example*"]
+  limit_by_labels       = {example: "example"}
+  limit_by_repositories = ["foo","bar"]
+}
diff --git a/examples/configure-lacework-ecr-integration/versions.tf b/examples/configure-lacework-ecr-integration/versions.tf
@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 0.12.26"
+
+  required_providers {
+    aws = "~> 3.0"
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}
diff --git a/main.tf b/main.tf
@@ -41,5 +41,8 @@ resource "lacework_integration_ecr" "iam_role" {
     role_arn    = local.iam_role_arn
     external_id = local.iam_role_external_id
   }
-  depends_on = [time_sleep.wait_time]
+  limit_by_tags         = var.limit_by_tags  
+  limit_by_labels       = var.limit_by_labels   
+  limit_by_repositories = var.limit_by_repositories
+  depends_on            = [time_sleep.wait_time]
 }
diff --git a/scripts/ci_tests.sh b/scripts/ci_tests.sh
@@ -12,6 +12,7 @@ TEST_CASES=(
   examples/default
   examples/custom
   examples/multi-region
+  examples/configure-lacework-ecr-integration
 )
 
 log() {
diff --git a/variables.tf b/variables.tf
@@ -28,6 +28,24 @@ variable "iam_role_name" {
   description = "The IAM role name. Required to match with iam_role_arn if use_existing_iam_role is set to true"
 }
 
+variable "limit_by_tags" {
+  type        = list(string)
+  default     = []
+  description = "A list of tags to limit the assessment of images with matching tags. If you specify limit_by_tags and limit_by_label limits, they function as an AND."
+}
+
+variable "limit_by_labels" {
+  type        = map(string)
+  default     = {}
+  description = "A key based map of image labels to limit the assessment of images with matching labels. If you specify limit_by_tags and limit_by_label limits, they function as an AND."
+}
+
+variable "limit_by_repositories" {
+  type        = list(string)
+  default     = []
+  description = "A list of repositories to assess"
+}
+
 variable "external_id_length" {
   type        = number
   default     = 16

Original file line number	Diff line number	Diff line change
`@@ -41,5 +41,8 @@ resource "lacework_integration_ecr" "iam_role" {`
`41`	`41`	`role_arn = local.iam_role_arn`
`42`	`42`	`external_id = local.iam_role_external_id`
`43`	`43`	`}`
`44`		`- depends_on = [time_sleep.wait_time]`
	`44`	`+ limit_by_tags = var.limit_by_tags`
	`45`	`+ limit_by_labels = var.limit_by_labels`
	`46`	`+ limit_by_repositories = var.limit_by_repositories`
	`47`	`+ depends_on = [time_sleep.wait_time]`
`45`	`48`	`}`
Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ TEST_CASES=(`
`12`	`12`	`examples/default`
`13`	`13`	`examples/custom`
`14`	`14`	`examples/multi-region`
	`15`	`+ examples/configure-lacework-ecr-integration`
`15`	`16`	`)`
`16`	`17`
`17`	`18`	`log() {`