feat: add account mapping option to GCP agentless

Author: wl-smith

lacework/account_mapping_helper.go

@@ -13,7 +13,15 @@ func (f *accountMappingsFile) Empty() bool {
 	return f.DefaultLaceworkAccount == ""
 }
 
-func getResourceOrgAccountMappings(d *schema.ResourceData) *accountMappingsFile {
+type typeStruct struct {
+	awsAccounts string
+	gcpProjects string
+}
+
+var awsMappingType string = "aws_accounts"
+var gcpMappingType string = "gcp_projects"
+
+func getResourceOrgAccountMappings(d *schema.ResourceData, mappingsType string) *accountMappingsFile {
 	accountMapFile := new(accountMappingsFile)
 	accMapsInt := d.Get("org_account_mappings").([]interface{})
 	if len(accMapsInt) != 0 && accMapsInt[0] != nil {
@@ -28,7 +36,7 @@ func getResourceOrgAccountMappings(d *schema.ResourceData) *accountMappingsFile
 		for _, m := range mappingSet.List() {
 			mapping := m.(map[string]interface{})
 			accountMapFile.Mappings[mapping["lacework_account"].(string)] = map[string]interface{}{
-				"aws_accounts": castStringSlice(mapping["aws_accounts"].(*schema.Set).List()),
+				mappingsType: castStringSlice(mapping[mappingsType].(*schema.Set).List()),
 			}
 		}
 
@@ -37,7 +45,7 @@ func getResourceOrgAccountMappings(d *schema.ResourceData) *accountMappingsFile
 	return accountMapFile
 }
 
-func flattenOrgAccountMappings(mappingFile *accountMappingsFile) []map[string]interface{} {
+func flattenOrgAccountMappings(mappingFile *accountMappingsFile, mappingsType string) []map[string]interface{} {
 	orgAccMappings := make([]map[string]interface{}, 0, 1)
 
 	if mappingFile.Empty() {
@@ -46,26 +54,27 @@ func flattenOrgAccountMappings(mappingFile *accountMappingsFile) []map[string]in
 
 	mappings := map[string]interface{}{
 		"default_lacework_account": mappingFile.DefaultLaceworkAccount,
-		"mapping":                  flattenMappings(mappingFile.Mappings),
+		"mapping":                  flattenMappings(mappingFile.Mappings, mappingsType),
 	}
 
 	orgAccMappings = append(orgAccMappings, mappings)
 	return orgAccMappings
 }
 
-func flattenMappings(mappings map[string]interface{}) *schema.Set {
+func flattenMappings(mappings map[string]interface{}, mappingsType string) *schema.Set {
 	var (
 		orgAccountMappingsSchema = awsCloudTrailIntegrationSchema["org_account_mappings"].Elem.(*schema.Resource)
 		mappingSchema            = orgAccountMappingsSchema.Schema["mapping"].Elem.(*schema.Resource)
-		awsAccountsSchema        = mappingSchema.Schema["aws_accounts"].Elem.(*schema.Schema)
+		accountsSchema           = mappingSchema.Schema[mappingsType].Elem.(*schema.Schema)
 		res                      = schema.NewSet(schema.HashResource(mappingSchema), []interface{}{})
 	)
+
 	for laceworkAccount, m := range mappings {
 		mappingValue := m.(map[string]interface{})
 		res.Add(map[string]interface{}{
 			"lacework_account": laceworkAccount,
-			"aws_accounts": schema.NewSet(schema.HashSchema(awsAccountsSchema),
-				mappingValue["aws_accounts"].([]interface{}),
+			mappingsType: schema.NewSet(schema.HashSchema(accountsSchema),
+				mappingValue[mappingsType].([]interface{}),
 			),
 		})
 	}

lacework/resource_lacework_integration_aws_ct.go

@@ -135,7 +135,7 @@ func resourceLaceworkIntegrationAwsCloudTrailCreate(d *schema.ResourceData, meta
 		}
 	)
 	// verify if the user provided an account mapping
-	accountMapFile := getResourceOrgAccountMappings(d)
+	accountMapFile := getResourceOrgAccountMappings(d, awsMappingType)
 	if !accountMapFile.Empty() {
 		accountMapFileBytes, err := json.Marshal(accountMapFile)
 		if err != nil {
@@ -234,7 +234,7 @@ func resourceLaceworkIntegrationAwsCloudTrailRead(d *schema.ResourceData, meta i
 
 		}
 
-		err = d.Set("org_account_mappings", flattenOrgAccountMappings(accountMapFile))
+		err = d.Set("org_account_mappings", flattenOrgAccountMappings(accountMapFile, awsMappingType))
 		if err != nil {
 			return fmt.Errorf("Error flattening organization account mapping: %s", err)
 		}
@@ -262,7 +262,7 @@ func resourceLaceworkIntegrationAwsCloudTrailUpdate(d *schema.ResourceData, meta
 	)
 
 	// verify if the user provided an account mapping
-	accountMapFile := getResourceOrgAccountMappings(d)
+	accountMapFile := getResourceOrgAccountMappings(d, awsMappingType)
 	if !accountMapFile.Empty() {
 		accountMapFileBytes, err := json.Marshal(accountMapFile)
 		if err != nil {

lacework/resource_lacework_integration_aws_org_agentless_scanning.go

@@ -214,7 +214,7 @@ func resourceLaceworkIntegrationAwsOrgAgentlessScanningCreate(d *schema.Resource
 	}
 
 	// verify if the user provided an account mapping
-	accountMapFile := getResourceOrgAccountMappings(d)
+	accountMapFile := getResourceOrgAccountMappings(d, awsMappingType)
 	if !accountMapFile.Empty() {
 		accountMapFileBytes, err := json.Marshal(accountMapFile)
 		if err != nil {
@@ -318,7 +318,7 @@ func resourceLaceworkIntegrationAwsOrgAgentlessScanningRead(d *schema.ResourceDa
 
 		}
 
-		err = d.Set("org_account_mappings", flattenOrgAccountMappings(accountMapFile))
+		err = d.Set("org_account_mappings", flattenOrgAccountMappings(accountMapFile, awsMappingType))
 		if err != nil {
 			return fmt.Errorf("Error flattening organization account mapping: %s", err)
 		}
@@ -354,7 +354,7 @@ func resourceLaceworkIntegrationAwsOrgAgentlessScanningUpdate(d *schema.Resource
 	}
 
 	// verify if the user provided an account mapping
-	accountMapFile := getResourceOrgAccountMappings(d)
+	accountMapFile := getResourceOrgAccountMappings(d, awsMappingType)
 	if !accountMapFile.Empty() {
 		accountMapFileBytes, err := json.Marshal(accountMapFile)
 		if err != nil {

lacework/resource_lacework_integration_gcp_agentless_scanning.go

@@ -2,6 +2,7 @@ package lacework
 
 import (
 	"context"
+	"encoding/json"
 	"fmt"
 	"log"
 	"strings"
@@ -208,6 +209,41 @@ func resourceLaceworkIntegrationGcpAgentlessScanning() *schema.Resource {
 				Default:     nil,
 				Description: "List of Projects to specifically include/exclude.",
 			},
+			"org_account_mappings": {
+				Type:        schema.TypeList,
+				Optional:    true,
+				Description: "Mapping of AWS accounts to Lacework accounts within a Lacework organization.",
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"default_lacework_account": {
+							Type:        schema.TypeString,
+							Required:    true,
+							Description: "The default Lacework account name where any non-mapped AWS account will appear",
+						},
+						"mapping": {
+							Type:        schema.TypeSet,
+							Required:    true,
+							Description: "A map of AWS accounts to Lacework account. This can be specified multiple times to map multiple Lacework accounts.",
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"lacework_account": {
+										Type:        schema.TypeString,
+										Required:    true,
+										Description: "The Lacework account name where the CloudTrail activity from the selected AWS accounts will appear.",
+									},
+									"aws_accounts": {
+										Type:        schema.TypeSet,
+										Elem:        &schema.Schema{Type: schema.TypeString},
+										MinItems:    1,
+										Required:    true,
+										Description: "The list of AWS account IDs to map.",
+									},
+								},
+							},
+						},
+					},
+				},
+			},
 		},
 	}
 }
@@ -226,28 +262,43 @@ func resourceLaceworkIntegrationGcpAgentlessScanningCreate(d *schema.ResourceDat
 	}
 	log.Printf("[INFO] Creating %s integration\n", api.GcpSidekickCloudAccount.String())
 
+	gcpSidekickData := api.GcpSidekickData{
+		ID:     d.Get("resource_id").(string),
+		IDType: resourceLevel.String(),
+		Credentials: api.GcpSidekickCredentials{
+			ClientID:     d.Get("credentials.0.client_id").(string),
+			ClientEmail:  d.Get("credentials.0.client_email").(string),
+			PrivateKeyID: d.Get("credentials.0.private_key_id").(string),
+			PrivateKey:   d.Get("credentials.0.private_key").(string),
+			TokenUri:     d.Get("credentials.0.token_uri").(string),
+		},
+		SharedBucket:            d.Get("bucket_name").(string),
+		ScanningProjectId:       d.Get("scanning_project_id").(string),
+		ScanFrequency:           d.Get("scan_frequency").(int),
+		ScanContainers:          d.Get("scan_containers").(bool),
+		ScanHostVulnerabilities: d.Get("scan_host_vulnerabilities").(bool),
+		ScanMultiVolume:         d.Get("scan_multi_volume").(bool),
+		ScanStoppedInstances:    d.Get("scan_stopped_instances").(bool),
+		QueryText:               d.Get("query_text").(string),
+		FilterList:              strings.Join(castAttributeToStringSlice(d, "filter_list"), ", "),
+	}
+
+	// verify if the user provided an account mapping
+	if d.Get("resource_level") == api.GcpOrganizationIntegration {
+		accountMapFile := getResourceOrgAccountMappings(d, gcpMappingType)
+		if !accountMapFile.Empty() {
+			accountMapFileBytes, err := json.Marshal(accountMapFile)
+			if err != nil {
+				return err
+			}
+
+			gcpSidekickData.EncodeAccountMappingFile(accountMapFileBytes)
+		}
+	}
+
 	data := api.NewCloudAccount(d.Get("name").(string),
 		api.GcpSidekickCloudAccount,
-		api.GcpSidekickData{
-			ID:     d.Get("resource_id").(string),
-			IDType: resourceLevel.String(),
-			Credentials: api.GcpSidekickCredentials{
-				ClientID:     d.Get("credentials.0.client_id").(string),
-				ClientEmail:  d.Get("credentials.0.client_email").(string),
-				PrivateKeyID: d.Get("credentials.0.private_key_id").(string),
-				PrivateKey:   d.Get("credentials.0.private_key").(string),
-				TokenUri:     d.Get("credentials.0.token_uri").(string),
-			},
-			SharedBucket:            d.Get("bucket_name").(string),
-			ScanningProjectId:       d.Get("scanning_project_id").(string),
-			ScanFrequency:           d.Get("scan_frequency").(int),
-			ScanContainers:          d.Get("scan_containers").(bool),
-			ScanHostVulnerabilities: d.Get("scan_host_vulnerabilities").(bool),
-			ScanMultiVolume:         d.Get("scan_multi_volume").(bool),
-			ScanStoppedInstances:    d.Get("scan_stopped_instances").(bool),
-			QueryText:               d.Get("query_text").(string),
-			FilterList:              strings.Join(castAttributeToStringSlice(d, "filter_list"), ", "),
-		},
+		gcpSidekickData,
 	)
 
 	if !d.Get("enabled").(bool) {
@@ -290,6 +341,27 @@ func resourceLaceworkIntegrationGcpAgentlessScanningCreate(d *schema.ResourceDat
 		d.Set("server_token", integration.ServerToken)
 		d.Set("uri", integration.Uri)
 
+		accountMapFileBytes, err := integration.Data.DecodeAccountMappingFile()
+		if err != nil {
+			return resource.NonRetryableError(err)
+		}
+
+		accountMapFile := new(accountMappingsFile)
+		if len(accountMapFileBytes) != 0 {
+			// The integration has an account mapping file
+			// unmarshal its content into the account mapping struct
+			err := json.Unmarshal(accountMapFileBytes, accountMapFile)
+			if err != nil {
+				return resource.NonRetryableError(fmt.Errorf("Error decoding organization account mapping: %s", err))
+			}
+
+		}
+
+		err = d.Set("org_account_mappings", flattenOrgAccountMappings(accountMapFile, gcpMappingType))
+		if err != nil {
+			return resource.NonRetryableError(fmt.Errorf("Error flattening organization account mapping: %s", err))
+		}
+
 		log.Printf("[INFO] Created %s integration with guid: %v\n",
 			api.GcpSidekickCloudAccount.String(), integration.IntgGuid)
 		return nil
@@ -360,28 +432,41 @@ func resourceLaceworkIntegrationGcpAgentlessScanningUpdate(d *schema.ResourceDat
 		resourceLevel = api.GcpOrganizationIntegration
 	}
 
+	gcpSidekickData := api.GcpSidekickData{
+		ID:     d.Get("resource_id").(string),
+		IDType: resourceLevel.String(),
+		Credentials: api.GcpSidekickCredentials{
+			ClientID:     d.Get("credentials.0.client_id").(string),
+			ClientEmail:  d.Get("credentials.0.client_email").(string),
+			PrivateKeyID: d.Get("credentials.0.private_key_id").(string),
+			PrivateKey:   d.Get("credentials.0.private_key").(string),
+			TokenUri:     d.Get("credentials.0.token_uri").(string),
+		},
+		SharedBucket:            d.Get("bucket_name").(string),
+		ScanningProjectId:       d.Get("scanning_project_id").(string),
+		ScanFrequency:           d.Get("scan_frequency").(int),
+		ScanContainers:          d.Get("scan_containers").(bool),
+		ScanHostVulnerabilities: d.Get("scan_host_vulnerabilities").(bool),
+		ScanMultiVolume:         d.Get("scan_multi_volume").(bool),
+		ScanStoppedInstances:    d.Get("scan_stopped_instances").(bool),
+		QueryText:               d.Get("query_text").(string),
+		FilterList:              strings.Join(castAttributeToStringSlice(d, "filter_list"), ", "),
+	}
+
+	// verify if the user provided an account mapping
+	accountMapFile := getResourceOrgAccountMappings(d, gcpMappingType)
+	if !accountMapFile.Empty() {
+		accountMapFileBytes, err := json.Marshal(accountMapFile)
+		if err != nil {
+			return err
+		}
+
+		gcpSidekickData.EncodeAccountMappingFile(accountMapFileBytes)
+	}
+
 	data := api.NewCloudAccount(d.Get("name").(string),
 		api.GcpSidekickCloudAccount,
-		api.GcpSidekickData{
-			ID:     d.Get("resource_id").(string),
-			IDType: resourceLevel.String(),
-			Credentials: api.GcpSidekickCredentials{
-				ClientID:     d.Get("credentials.0.client_id").(string),
-				ClientEmail:  d.Get("credentials.0.client_email").(string),
-				PrivateKeyID: d.Get("credentials.0.private_key_id").(string),
-				PrivateKey:   d.Get("credentials.0.private_key").(string),
-				TokenUri:     d.Get("credentials.0.token_uri").(string),
-			},
-			SharedBucket:            d.Get("bucket_name").(string),
-			ScanningProjectId:       d.Get("scanning_project_id").(string),
-			ScanFrequency:           d.Get("scan_frequency").(int),
-			ScanContainers:          d.Get("scan_containers").(bool),
-			ScanHostVulnerabilities: d.Get("scan_host_vulnerabilities").(bool),
-			ScanMultiVolume:         d.Get("scan_multi_volume").(bool),
-			ScanStoppedInstances:    d.Get("scan_stopped_instances").(bool),
-			QueryText:               d.Get("query_text").(string),
-			FilterList:              strings.Join(castAttributeToStringSlice(d, "filter_list"), ", "),
-		},
+		gcpSidekickData,
 	)
 
 	if !d.Get("enabled").(bool) {