From eb8d5c1f466d10e6a40612094c145e18ab7bc372 Mon Sep 17 00:00:00 2001 From: gspofford-lw <78378122+gspofford-lw@users.noreply.github.com> Date: Tue, 9 Jul 2024 09:37:19 -0700 Subject: [PATCH 1/7] chore(RAIN-93468): Remove use of the queryLanguage query property (#1638) * chore(RAIN-93468): Remove use of the queryLanguage query property * fix(RAIN-93468): Fix test expectations --- api/lql.go | 16 +------- api/lql_test.go | 61 +++-------------------------- api/lql_validate.go | 3 +- api/lql_validate_test.go | 9 ----- api/policy.go | 4 +- api/policy_test.go | 53 +++---------------------- cli/cmd/lql.go | 44 +++------------------ cli/cmd/lql_show.go | 5 +-- cli/cmd/lql_validate.go | 3 +- cli/cmd/policy.go | 19 ++------- integration/lql_create_test.go | 3 +- integration/lql_create_unix_test.go | 2 - internal/pointer/bool.go | 5 --- 13 files changed, 27 insertions(+), 200 deletions(-) diff --git a/api/lql.go b/api/lql.go index e30caa5a6..ae476d4db 100644 --- a/api/lql.go +++ b/api/lql.go @@ -29,9 +29,8 @@ import ( ) type NewQuery struct { - QueryID string `json:"queryId" yaml:"queryId"` - QueryLanguage *string `json:"queryLanguage,omitempty" yaml:"queryLanguage,omitempty"` - QueryText string `json:"queryText" yaml:"queryText"` + QueryID string `json:"queryId" yaml:"queryId"` + QueryText string `json:"queryText" yaml:"queryText"` } func ParseNewQuery(s string) (NewQuery, error) { @@ -50,7 +49,6 @@ func ParseNewQuery(s string) (NewQuery, error) { if err == nil && !reflect.DeepEqual(query, NewQuery{}) { // empty string unmarshals w/o error return query, nil } - // invalid query return query, errors.New("unable to parse query") } @@ -61,7 +59,6 @@ type UpdateQuery struct { type Query struct { QueryID string `json:"queryId" yaml:"queryId"` - QueryLanguage *string `json:"queryLanguage,omitempty" yaml:"queryLanguage,omitempty"` QueryText string `json:"queryText" yaml:"queryText"` Owner string `json:"owner"` LastUpdateTime string `json:"lastUpdateTime"` @@ -134,12 +131,3 @@ func (svc *QueryService) Get(id string) ( ) return } - -func (svc *QueryService) RegoQueryEnabled() bool { - response, err := svc.client.V2.FeatureFlags.GetFeatureFlagsMatchingPrefix("PUBLIC.lpp_rego_enabled") - if err != nil { - return false - } - - return len(response.Data.Flags) >= 1 -} diff --git a/api/lql_test.go b/api/lql_test.go index 581a75771..aff7b9f8c 100644 --- a/api/lql_test.go +++ b/api/lql_test.go @@ -22,7 +22,6 @@ import ( "encoding/json" "fmt" "net/http" - "strings" "testing" "github.com/pkg/errors" @@ -30,7 +29,6 @@ import ( "github.com/lacework/go-sdk/api" "github.com/lacework/go-sdk/internal/lacework" - "github.com/lacework/go-sdk/internal/pointer" ) var ( @@ -48,23 +46,6 @@ var ( queryId: %s queryText: %s`, newQuery.QueryID, newQuery.QueryText) lqlErrorReponse = `{ "message": "This is an error message" }` - - regoQueryID = "my_rego" - newRegoQueryText = "package clitest\n" + - "import future.keywords\n" + - "import data.lacework\n" + - "source := lacework.aws.cfg.list(\"s3\", \"list-buckets\")\n" + - "assess := assessment.violation(input, \"just because\")" - newRegoQuery = api.NewQuery{ - QueryID: regoQueryID, - QueryLanguage: pointer.Of("Rego"), - QueryText: newRegoQueryText, - } - newRegoQueryJSON = fmt.Sprintf(`{ - "queryId": "%s", - "queryLanguage": "Rego", - "queryText": %#v -}`, queryID, newRegoQueryText) ) func mockQueryDataResponse(data string) string { @@ -148,8 +129,8 @@ func TestQueryCreateMethod(t *testing.T) { assert.Nil(t, err) } -func createQueryOKTestHelper(t *testing.T, expectedResponseData string, testQuery api.NewQuery) { - mockResponse := mockQueryDataResponse(expectedResponseData) +func TestQueryCreateOK(t *testing.T) { + mockResponse := mockQueryDataResponse(newQueryJSON) fakeServer := lacework.MockServer() fakeServer.MockAPI( @@ -170,26 +151,10 @@ func createQueryOKTestHelper(t *testing.T, expectedResponseData string, testQuer _ = json.Unmarshal([]byte(mockResponse), &createExpected) var createActual api.QueryResponse - createActual, err = c.V2.Query.Create(testQuery) + createActual, err = c.V2.Query.Create(newQuery) assert.Nil(t, err) assert.Equal(t, createExpected, createActual) - - if strings.Contains(expectedResponseData, "queryLanguage") { - assert.Equal(t, "Rego", *createActual.Data.QueryLanguage) - } else { - assert.Nil(t, createActual.Data.QueryLanguage) - } -} - -func TestLQLQueryCreateOK(t *testing.T) { - // queryLanguage is not available - createQueryOKTestHelper(t, newQueryJSON, newQuery) -} - -func TestRegoQueryCreateOK(t *testing.T) { - // queryLanguage is available - createQueryOKTestHelper(t, newRegoQueryJSON, newRegoQuery) } func TestQueryCreateError(t *testing.T) { @@ -233,8 +198,8 @@ func TestQueryListMethod(t *testing.T) { assert.Nil(t, err) } -func getQueryByIDTestHelper(t *testing.T, expectedResponseData string, queryId string) { - mockResponse := mockQueryDataResponse(expectedResponseData) +func TestQueryGetQueryByIDOK(t *testing.T) { + mockResponse := mockQueryDataResponse(newQueryJSON) fakeServer := lacework.MockServer() fakeServer.MockAPI( @@ -260,22 +225,6 @@ func getQueryByIDTestHelper(t *testing.T, expectedResponseData string, queryId s assert.Nil(t, err) assert.Equal(t, getExpected, getActual) - - if strings.Contains(expectedResponseData, "queryLanguage") { - assert.Equal(t, "Rego", *getActual.Data.QueryLanguage) - } else { - assert.Nil(t, getActual.Data.QueryLanguage) - } -} - -func TestLQLQueryGetQueryByIDOK(t *testing.T) { - // queryLanguage is not available - getQueryByIDTestHelper(t, newQueryJSON, queryID) -} - -func TestRegoQueryGetQueryByIDOK(t *testing.T) { - // queryLanguage is available - getQueryByIDTestHelper(t, newRegoQueryJSON, regoQueryID) } func TestQueryGetNotFound(t *testing.T) { diff --git a/api/lql_validate.go b/api/lql_validate.go index 1857ff52e..1349242bd 100644 --- a/api/lql_validate.go +++ b/api/lql_validate.go @@ -19,8 +19,7 @@ package api type ValidateQuery struct { - QueryText string `json:"queryText"` - QueryLanguage *string `json:"queryLanguage,omitempty" yaml:"queryLanguage,omitempty"` + QueryText string `json:"queryText"` } func (svc *QueryService) Validate(vq ValidateQuery) ( diff --git a/api/lql_validate_test.go b/api/lql_validate_test.go index d3f57bd53..f9377118a 100644 --- a/api/lql_validate_test.go +++ b/api/lql_validate_test.go @@ -28,7 +28,6 @@ import ( "github.com/lacework/go-sdk/api" "github.com/lacework/go-sdk/internal/lacework" - "github.com/lacework/go-sdk/internal/pointer" ) var ( @@ -89,14 +88,6 @@ func TestLQLQueryValidateOK(t *testing.T) { testQueryValidateOKHelper(t, newQueryJSON, validateQuery) } -func TestRegoQueryValidateOK(t *testing.T) { - validateRegoQuery := api.ValidateQuery{ - QueryText: newRegoQueryText, - QueryLanguage: pointer.Of("Rego"), - } - testQueryValidateOKHelper(t, newRegoQueryJSON, validateRegoQuery) -} - func TestQueryValidateError(t *testing.T) { fakeServer := lacework.MockServer() fakeServer.MockAPI( diff --git a/api/policy.go b/api/policy.go index 0450e51c0..e5a832332 100644 --- a/api/policy.go +++ b/api/policy.go @@ -25,10 +25,9 @@ import ( "reflect" "time" + "github.com/lacework/go-sdk/internal/array" "github.com/pkg/errors" "gopkg.in/yaml.v3" - - "github.com/lacework/go-sdk/internal/array" ) // PolicyService is a service that interacts with the Custom Policies @@ -177,7 +176,6 @@ type Policy struct { PolicyID string `json:"policyId" yaml:"policyId"` PolicyType string `json:"policyType" yaml:"-"` QueryID string `json:"queryId" yaml:"queryId"` - QueryLanguage *string `json:"queryLanguage,omitempty" yaml:"queryLanguage,omitempty"` Title string `json:"title" yaml:"title"` Enabled bool `json:"enabled" yaml:"enabled"` Description string `json:"description" yaml:"description"` diff --git a/api/policy_test.go b/api/policy_test.go index e613c6926..bdc46c773 100644 --- a/api/policy_test.go +++ b/api/policy_test.go @@ -25,9 +25,8 @@ import ( "testing" "github.com/aws/smithy-go/ptr" - "github.com/stretchr/testify/assert" - "github.com/lacework/go-sdk/lwseverity" + "github.com/stretchr/testify/assert" "github.com/lacework/go-sdk/api" "github.com/lacework/go-sdk/internal/lacework" @@ -122,38 +121,6 @@ var ( ] } ` - - regoPolicyId = "rego-policy-1" - regoPolicy = api.NewPolicy{ - PolicyID: regoPolicyId, - PolicyType: "Violation", - QueryID: "MyRegoQuery", - Title: "My Rego Policy Title", - Enabled: false, - Description: "My Policy Description", - Remediation: "Check yourself...", - Severity: "high", - EvalFrequency: "Hourly", - Limit: 1000, - AlertEnabled: false, - AlertProfile: "LW_CloudTrail_Alerts", - } - regoPolicyCreateData = fmt.Sprintf(`{ - "policyId": "%s", - "policyType": "%s", - "queryId": "%s", - "title": "%s", - "enabled": %v, - "description": "%s", - "remediation": "%s", - "severity": "%s", - "evalFrequency": "%s", - "limit": %d, - "alertEnabled": %v, - "alertProfile": "%s" -}`, regoPolicy.PolicyID, regoPolicy.PolicyType, regoPolicy.QueryID, regoPolicy.Title, - regoPolicy.Enabled, regoPolicy.Description, regoPolicy.Remediation, regoPolicy.Severity, - regoPolicy.EvalFrequency, regoPolicy.Limit, regoPolicy.AlertEnabled, regoPolicy.AlertProfile) ) func mockPolicyDataResponse(data string) string { @@ -189,7 +156,7 @@ func TestPolicyCreateMethod(t *testing.T) { assert.Nil(t, err) } -func TestLqlPolicyCreateOK(t *testing.T) { +func TestPolicyCreateOK(t *testing.T) { mockResponse := mockPolicyDataResponse(policyCreateData) fakeServer := lacework.MockServer() @@ -256,12 +223,12 @@ func TestPolicyGetMethod(t *testing.T) { assert.Nil(t, err) } -func testPolicyGetOKHelper(t *testing.T, expectedPolicyData string, testPolicyId string) { - mockResponse := mockPolicyDataResponse(expectedPolicyData) +func TestPolicyGetOK(t *testing.T) { + mockResponse := mockPolicyDataResponse(policyCreateData) fakeServer := lacework.MockServer() fakeServer.MockAPI( - fmt.Sprintf("%s/%s", policyURI, testPolicyId), + fmt.Sprintf("%s/%s", policyURI, policyID), func(w http.ResponseWriter, r *http.Request) { fmt.Fprint(w, mockResponse) }, @@ -278,20 +245,12 @@ func testPolicyGetOKHelper(t *testing.T, expectedPolicyData string, testPolicyId _ = json.Unmarshal([]byte(mockResponse), &getExpected) var getActual api.PolicyResponse - getActual, err = c.V2.Policy.Get(testPolicyId) + getActual, err = c.V2.Policy.Get(policyID) assert.Nil(t, err) assert.Equal(t, getExpected, getActual) } -func TestLQLPolicyGetOK(t *testing.T) { - testPolicyGetOKHelper(t, policyCreateData, policyID) -} - -func TestRegoPolicyGetOK(t *testing.T) { - testPolicyGetOKHelper(t, regoPolicyCreateData, regoPolicyId) -} - func TestPolicyGetNotFound(t *testing.T) { fakeServer := lacework.MockServer() fakeServer.MockAPI( diff --git a/cli/cmd/lql.go b/cli/cmd/lql.go index ccd959a83..e46f9a45f 100644 --- a/cli/cmd/lql.go +++ b/cli/cmd/lql.go @@ -297,26 +297,13 @@ func inputQueryFromURL(url string) (query string, err error) { } func inputQueryFromEditor(action string) (query string, err error) { - language := "LQL" - regoQueryEnabled := os.Getenv("LW_CLI_INTEGRATION_MODE") != "" || cli.LwApi.V2.Query.RegoQueryEnabled() - if action == "create" && !queryCmdState.EmptyTemplate && regoQueryEnabled { - languageSelect := &survey.Select{ - Message: "Choose query language: ", - Options: []string{ - "LQL", - "Rego", - }, - } - err = survey.AskOne(languageSelect, &language) - if err != nil { - return - } + prompt := &survey.Editor{ + Message: fmt.Sprintf("Type a query to %s", action), + FileName: "query*.yaml", } - var queryTextTemplate string - switch language { - case "LQL": - queryTextTemplate = `queryId: YourQueryID + if (action == "create" || action == "run") && !queryCmdState.EmptyTemplate { + prompt.Default = `queryId: YourQueryID queryText: |- { source { @@ -329,27 +316,6 @@ queryText: |- --- List fields to return from the selected source. Use 'lacework query describe '. } }` - case "Rego": - queryTextTemplate = `queryId: YourQueryID -queryLanguage: Rego -queryText: |- - package your.package - import your.dependency - import data.lacework - source := lacework.your.data.source.provider.function("servce", "apiKey") - assess := your.assess.rule` - default: - err = errors.New("Invalid query language: " + language) - return - } - - prompt := &survey.Editor{ - Message: fmt.Sprintf("Type a query to %s", action), - FileName: "query*.yaml", - } - - if (action == "create" || action == "run") && !queryCmdState.EmptyTemplate { - prompt.Default = queryTextTemplate prompt.HideDefault = true prompt.AppendDefault = true } else if (action == "create" || action == "run") && queryCmdState.EmptyTemplate { diff --git a/cli/cmd/lql_show.go b/cli/cmd/lql_show.go index 95bb346bf..7528002df 100644 --- a/cli/cmd/lql_show.go +++ b/cli/cmd/lql_show.go @@ -71,9 +71,8 @@ func showQuery(_ *cobra.Command, args []string) error { if cli.YAMLOutput() { return cli.OutputYAML(&api.NewQuery{ - QueryID: queryResponse.Data.QueryID, - QueryLanguage: queryResponse.Data.QueryLanguage, - QueryText: queryResponse.Data.QueryText, + QueryID: queryResponse.Data.QueryID, + QueryText: queryResponse.Data.QueryText, }) } diff --git a/cli/cmd/lql_validate.go b/cli/cmd/lql_validate.go index c6fe79025..1b5a8000e 100644 --- a/cli/cmd/lql_validate.go +++ b/cli/cmd/lql_validate.go @@ -89,8 +89,7 @@ func validateQuery(cmd *cobra.Command, args []string) error { func validateQueryAndOutput(nq api.NewQuery) error { vq := api.ValidateQuery{ - QueryText: nq.QueryText, - QueryLanguage: nq.QueryLanguage, + QueryText: nq.QueryText, } cli.StartProgress(" Validating query...") diff --git a/cli/cmd/policy.go b/cli/cmd/policy.go index 82e749882..45714c80f 100644 --- a/cli/cmd/policy.go +++ b/cli/cmd/policy.go @@ -29,14 +29,13 @@ import ( "strings" "github.com/AlecAivazis/survey/v2" + "github.com/lacework/go-sdk/api" + "github.com/lacework/go-sdk/internal/pointer" + "github.com/lacework/go-sdk/lwseverity" "github.com/olekukonko/tablewriter" "github.com/pkg/errors" "github.com/spf13/cobra" "gopkg.in/yaml.v3" - - "github.com/lacework/go-sdk/api" - "github.com/lacework/go-sdk/internal/pointer" - "github.com/lacework/go-sdk/lwseverity" ) var ( @@ -533,7 +532,6 @@ func showPolicy(_ *cobra.Command, args []string) error { PolicyID: policyResponse.Data.PolicyID, PolicyType: policyResponse.Data.PolicyType, QueryID: policyResponse.Data.QueryID, - QueryLanguage: policyResponse.Data.QueryLanguage, Title: policyResponse.Data.Title, Enabled: policyResponse.Data.Enabled, Description: policyResponse.Data.Description, @@ -592,17 +590,6 @@ func showPolicy(_ *cobra.Command, args []string) error { ) } // we know we are in human-readable format - if queryResponse.Data.QueryLanguage != nil { - cli.OutputHuman(renderOneLineCustomTable("QUERY LANGUAGE", - *queryResponse.Data.QueryLanguage, - tableFunc(func(t *tablewriter.Table) { - t.SetAlignment(tablewriter.ALIGN_LEFT) - t.SetColWidth(120) - t.SetBorder(false) - t.SetAutoWrapText(false) - }), - )) - } cli.OutputHuman(renderOneLineCustomTable("QUERY TEXT", queryResponse.Data.QueryText, tableFunc(func(t *tablewriter.Table) { diff --git a/integration/lql_create_test.go b/integration/lql_create_test.go index 4e30737a1..b734490bc 100644 --- a/integration/lql_create_test.go +++ b/integration/lql_create_test.go @@ -37,8 +37,7 @@ func TestQueryCreateHelp(t *testing.T) { } func TestQueryCreateEditor(t *testing.T) { - out, err, exitcode := LaceworkCLIWithTOMLConfig("query", "create") - assert.Contains(t, out.String(), "Choose query language") + _, err, exitcode := LaceworkCLIWithTOMLConfig("query", "create") assert.Contains(t, err.String(), "ERROR unable to create query:") assert.Equal(t, 1, exitcode, "EXITCODE is not the expected one") } diff --git a/integration/lql_create_unix_test.go b/integration/lql_create_unix_test.go index 97d785e18..d2953738e 100644 --- a/integration/lql_create_unix_test.go +++ b/integration/lql_create_unix_test.go @@ -38,8 +38,6 @@ func TestQueryCreateFromEditor(t *testing.T) { _ = runFakeTerminalTestFromDir(t, dir, func(c *expect.Console) { - expectString(t, c, "Choose query language") - c.SendLine("") time.Sleep(time.Millisecond) expectString(t, c, "Type a query to create") c.SendLine("") diff --git a/internal/pointer/bool.go b/internal/pointer/bool.go index efa73be36..1706c285d 100644 --- a/internal/pointer/bool.go +++ b/internal/pointer/bool.go @@ -8,8 +8,3 @@ func CompareBoolPtr(ptr *bool, b bool) bool { } return *ptr == b } - -// Of is a helper to allow taking the address of a string literal -func Of[E any](e E) *E { - return &e -} From 889c40aee2f816c2d45815ac679d71c3a2d085ba Mon Sep 17 00:00:00 2001 From: Matt Cadorette Date: Mon, 15 Jul 2024 14:47:37 -0400 Subject: [PATCH 2/7] chore(GROW-2952): update codeowners (#1647) --- .github/CODEOWNERS | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 98cd030da..1256e75c6 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1,2 @@ # Global rule: -* @lacework/growth-team +* @lacework/eng-product-platform From 5edd4cad417dacd13400e5e40ffed6d87601604f Mon Sep 17 00:00:00 2001 From: Matt Cadorette Date: Tue, 16 Jul 2024 09:46:55 -0400 Subject: [PATCH 3/7] fix(GROW-2950): disable use of gcp storage audit from generate (#1643) * fix(GROW-2950): disable use of gcp storage audit from generate * fix(GROW-2950): remove gcp audit log storage references * fix(GROW-2950): remove unused gcp pubsub func * fix(GROW-2950): all generation tests should use pub/sub * fix(GROW-2950): fix help text * fix(GROW-2950): remove ubla flags * fix(GROW-2950): remove references to gcp bucket_region * fix(GROW-2950): remove unused validateGcpRegion func * chore(GROW-2950): temporarily disable test * fix(GROW-2950): fix int tests not using pubsub audit * fix: re-enable test --- cli/cmd/generate_gcp.go | 191 +---------- integration/gcp_generation_test.go | 306 ++---------------- .../help/generate_cloud-account_gcp | 7 +- 3 files changed, 36 insertions(+), 468 deletions(-) diff --git a/cli/cmd/generate_gcp.go b/cli/cmd/generate_gcp.go index 0a5699729..630e6394f 100644 --- a/cli/cmd/generate_gcp.go +++ b/cli/cmd/generate_gcp.go @@ -19,7 +19,6 @@ var ( QuestionGcpEnableAgentless = "Enable Agentless integration?" QuestionGcpEnableConfiguration = "Enable Configuration integration?" QuestionGcpEnableAuditLog = "Enable Audit Log integration?" - QuestionUsePubSubAudit = "Use Pub Sub Audit Log?" QuestionGcpOrganizationIntegration = "Organization integration?" QuestionGcpOrganizationID = "Specify the GCP organization ID:" QuestionGcpProjectID = "Specify the project ID to be used to provision Lacework resources:" @@ -35,16 +34,9 @@ var ( "you want to monitor: (optional)" QuestionGcpRegions = "Specify a comma separated list of regions to deploy Agentless:" - GcpAdvancedOptAuditLog = "Configure additional Audit Log options" - QuestionGcpUseExistingBucket = "Use an existing bucket?" - QuestionGcpExistingBucketName = "Specify an existing bucket name:" - QuestionGcpConfigureNewBucket = "Configure settings for new bucket?" - QuestionGcpBucketRegion = "Specify the bucket region: (optional)" - QuestionGcpCustomBucketName = "Specify a custom bucket name: (optional)" - QuestionGcpBucketLifecycle = "Specify the bucket lifecycle rule age: (optional)" - QuestionGcpEnableUBLA = "Enable uniform bucket level access(UBLA)?" - QuestionGcpUseExistingSink = "Use an existing sink?" - QuestionGcpExistingSinkName = "Specify the existing sink name" + GcpAdvancedOptAuditLog = "Configure additional Audit Log options" + QuestionGcpUseExistingSink = "Use an existing sink?" + QuestionGcpExistingSinkName = "Specify the existing sink name" GcpAdvancedOptIntegrationName = "Customize integration name(s)" QuestionGcpConfigurationIntegrationName = "Specify a custom configuration integration name: (optional)" @@ -111,16 +103,11 @@ See help output for more details on the parameter value(s) required for Terrafor gcp.WithExistingServiceAccount(GenerateGcpCommandState.ExistingServiceAccount), gcp.WithConfigurationIntegrationName(GenerateGcpCommandState.ConfigurationIntegrationName), gcp.WithAuditLogLabels(GenerateGcpCommandState.AuditLogLabels), - gcp.WithBucketLabels(GenerateGcpCommandState.BucketLabels), gcp.WithPubSubSubscriptionLabels(GenerateGcpCommandState.PubSubSubscriptionLabels), gcp.WithPubSubTopicLabels(GenerateGcpCommandState.PubSubTopicLabels), - gcp.WithCustomBucketName(GenerateGcpCommandState.CustomBucketName), - gcp.WithBucketRegion(GenerateGcpCommandState.BucketRegion), - gcp.WithExistingLogBucketName(GenerateGcpCommandState.ExistingLogBucketName), gcp.WithExistingLogSinkName(GenerateGcpCommandState.ExistingLogSinkName), gcp.WithAuditLogIntegrationName(GenerateGcpCommandState.AuditLogIntegrationName), gcp.WithLaceworkProfile(GenerateGcpCommandState.LaceworkProfile), - gcp.WithLogBucketLifecycleRuleAge(GenerateGcpCommandState.LogBucketLifecycleRuleAge), gcp.WithFoldersToInclude(GenerateGcpCommandState.FoldersToInclude), gcp.WithFoldersToExclude(GenerateGcpCommandState.FoldersToExclude), gcp.WithCustomFilter(GenerateGcpCommandState.CustomFilter), @@ -128,10 +115,10 @@ See help output for more details on the parameter value(s) required for Terrafor gcp.WithK8sFilter(GenerateGcpCommandState.K8sFilter), gcp.WithPrefix(GenerateGcpCommandState.Prefix), gcp.WithWaitTime(GenerateGcpCommandState.WaitTime), - gcp.WithEnableUBLA(GenerateGcpCommandState.EnableUBLA), gcp.WithMultipleProject(GenerateGcpCommandState.Projects), gcp.WithProjectFilterList(GenerateGcpCommandState.ProjectFilterList), gcp.WithRegions(GenerateGcpCommandState.Regions), + gcp.WithUsePubSubAudit(true), // always set to true, storage based integration deprecated } if GenerateGcpCommandState.OrganizationIntegration { @@ -212,15 +199,6 @@ See help output for more details on the parameter value(s) required for Terrafor } } - // Validate gcp region, if passed - region, err := cmd.Flags().GetString("bucket_region") - if err != nil { - return errors.Wrap(err, "failed to load command flags") - } - if err := validateGcpRegion(region); err != nil { - return err - } - projectId, err := cmd.Flags().GetString("project_id") if err != nil { return errors.Wrap(err, "failed to load command flags") @@ -283,20 +261,17 @@ See help output for more details on the parameter value(s) required for Terrafor ) type GcpGenerateCommandExtraState struct { - AskAdvanced bool - Output string - ConfigureNewBucketSettings bool - UseExistingServiceAccount bool - UseExistingBucket bool - UseExistingSink bool - TerraformApply bool + AskAdvanced bool + Output string + UseExistingServiceAccount bool + UseExistingSink bool + TerraformApply bool } func (gcp *GcpGenerateCommandExtraState) isEmpty() bool { return gcp.Output == "" && !gcp.AskAdvanced && !gcp.UseExistingServiceAccount && - !gcp.UseExistingBucket && !gcp.UseExistingSink && !gcp.TerraformApply } @@ -361,22 +336,6 @@ func initGenerateGcpTfCommandFlags() { "configuration_integration_name", "", "specify a custom configuration integration name") - generateGcpTfCommand.PersistentFlags().StringVar( - &GenerateGcpCommandState.CustomBucketName, - "custom_bucket_name", - "", - "override prefix based storage bucket name generation with a custom name") - // TODO: Implement AuditLogLabels, BucketLabels, PubSubSubscriptionLabels & PubSubTopicLabels - generateGcpTfCommand.PersistentFlags().StringVar( - &GenerateGcpCommandState.BucketRegion, - "bucket_region", - "", - "specify bucket region") - generateGcpTfCommand.PersistentFlags().StringVar( - &GenerateGcpCommandState.ExistingLogBucketName, - "existing_bucket_name", - "", - "specify existing bucket name") generateGcpTfCommand.PersistentFlags().StringVar( &GenerateGcpCommandState.ExistingLogSinkName, "existing_sink_name", @@ -393,27 +352,8 @@ func initGenerateGcpTfCommandFlags() { []string{}, "List of GCP regions to deploy for Agentless integration") - // DEPRECATED - generateGcpTfCommand.PersistentFlags().BoolVar( - &GenerateGcpCommandState.EnableForceDestroyBucket, - "enable_force_destroy_bucket", - true, - "enable force bucket destroy") - errcheckWARN(generateGcpTfCommand.PersistentFlags().MarkDeprecated( - "enable_force_destroy_bucket", "by default, force destroy is enabled.", - )) // --- - generateGcpTfCommand.PersistentFlags().BoolVar( - &GenerateGcpCommandState.EnableUBLA, - "enable_ubla", - true, - "enable universal bucket level access(ubla)") - generateGcpTfCommand.PersistentFlags().IntVar( - &GenerateGcpCommandState.LogBucketLifecycleRuleAge, - "bucket_lifecycle_rule_age", - -1, - "specify the lifecycle rule age") generateGcpTfCommand.PersistentFlags().StringVar( &GenerateGcpCommandState.CustomFilter, "custom_filter", @@ -476,8 +416,8 @@ func initGenerateGcpTfCommandFlags() { generateGcpTfCommand.PersistentFlags().BoolVar( &GenerateGcpCommandState.UsePubSubAudit, "use_pub_sub", - false, - "use pub/sub for the audit log data rather than bucket") + true, + "deprecated: pub/sub audit log integration is always used and only supported type") generateGcpTfCommand.PersistentFlags().StringSliceVar( &GenerateGcpCommandState.Projects, "projects", @@ -485,30 +425,6 @@ func initGenerateGcpTfCommandFlags() { "list of project IDs to integrate with (project-level integrations)") } -// survey.Validator for gcp region -func validateGcpRegion(val interface{}) error { - switch value := val.(type) { - case string: - // as this field is optional, it is valid for this field to be empty - if value != "" { - // if value doesn't match regex, return invalid arn - ok, err := regexp.MatchString(GcpRegionRegex, value) - if err != nil { - return errors.Wrap(err, "failed to validate input") - } - - if !ok { - return errors.New("invalid region name supplied") - } - } - default: - // if the value passed is not a string - return errors.New("value must be a string") - } - - return nil -} - func promptGcpAgentlessQuestions( config *gcp.GenerateGcpTfConfigurationArgs, extraState *GcpGenerateCommandExtraState, @@ -534,20 +450,6 @@ func promptGcpAuditLogQuestions( extraState *GcpGenerateCommandExtraState, ) error { - // Only ask these questions if configure audit log is true - if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{ - { - Prompt: &survey.Confirm{Message: QuestionUsePubSubAudit, Default: config.UsePubSubAudit}, - Checks: []*bool{&config.AuditLog}, - Response: &config.UsePubSubAudit, - }, - }, config.AuditLog); err != nil { - return err - } - // Present the user with Bucket Configuration options, if required - if err := promptGcpBucketConfiguration(config, extraState); err != nil { - return err - } err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{ { Prompt: &survey.Confirm{Message: QuestionGcpUseExistingSink, Default: extraState.UseExistingSink}, @@ -571,77 +473,6 @@ func promptGcpAuditLogQuestions( return err } -func promptGcpBucketConfiguration( - config *gcp.GenerateGcpTfConfigurationArgs, extraState *GcpGenerateCommandExtraState, -) error { - // Prompt to configure bucket information (not required when using the Pub Sub Audit Log) - if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{ - { - Prompt: &survey.Confirm{Message: QuestionGcpUseExistingBucket, Default: extraState.UseExistingBucket}, - Checks: []*bool{&config.AuditLog, usePubSubActivityDisabled(config)}, - Response: &extraState.UseExistingBucket, - }, - { - Prompt: &survey.Input{Message: QuestionGcpExistingBucketName, Default: config.ExistingLogBucketName}, - Checks: []*bool{&config.AuditLog, &extraState.UseExistingBucket, usePubSubActivityDisabled(config)}, - Required: true, - Response: &config.ExistingLogBucketName, - }, - }, config.AuditLog); err != nil { - return err - } - - newBucket := !extraState.UseExistingBucket - err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{ - { - Prompt: &survey.Confirm{Message: QuestionGcpConfigureNewBucket, Default: extraState.ConfigureNewBucketSettings}, - Checks: []*bool{&config.AuditLog, &newBucket, usePubSubActivityDisabled(config)}, - Required: true, - Response: &extraState.ConfigureNewBucketSettings, - }, - { - Prompt: &survey.Input{Message: QuestionGcpBucketRegion, Default: config.BucketRegion}, - Checks: []*bool{&config.AuditLog, - &newBucket, - &extraState.ConfigureNewBucketSettings, - usePubSubActivityDisabled(config)}, - Opts: []survey.AskOpt{survey.WithValidator(validateGcpRegion)}, - Response: &config.BucketRegion, - }, - { - Prompt: &survey.Input{Message: QuestionGcpCustomBucketName, Default: config.CustomBucketName}, - Checks: []*bool{&config.AuditLog, - &newBucket, - &extraState.ConfigureNewBucketSettings, - usePubSubActivityDisabled(config)}, - Response: &config.CustomBucketName, - }, - { - Prompt: &survey.Input{Message: QuestionGcpBucketLifecycle, Default: "-1"}, - Checks: []*bool{&config.AuditLog, - &newBucket, - &extraState.ConfigureNewBucketSettings, - usePubSubActivityDisabled(config)}, - Response: &config.LogBucketLifecycleRuleAge, - }, - { - Prompt: &survey.Confirm{Message: QuestionGcpEnableUBLA, Default: config.EnableUBLA}, - Checks: []*bool{&config.AuditLog, - &newBucket, - &extraState.ConfigureNewBucketSettings, - usePubSubActivityDisabled(config)}, - Required: true, - Response: &config.EnableUBLA, - }, - }, config.AuditLog) - - return err -} - -func usePubSubActivityDisabled(config *gcp.GenerateGcpTfConfigurationArgs) *bool { - usePubSubActivityDisabled := !config.UsePubSubAudit - return &usePubSubActivityDisabled -} func promptGcpExistingServiceAccountQuestions(config *gcp.GenerateGcpTfConfigurationArgs) error { // ensure struct is initialized if config.ExistingServiceAccount == nil { diff --git a/integration/gcp_generation_test.go b/integration/gcp_generation_test.go index bb82e3bdc..334513046 100644 --- a/integration/gcp_generation_test.go +++ b/integration/gcp_generation_test.go @@ -73,7 +73,7 @@ func TestGenerationGcpSimple(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -111,7 +111,7 @@ func TestGenerationGcpAgentless(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(true, false, false, false, + buildTf, _ := gcp.NewTerraform(true, false, false, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -149,7 +149,7 @@ func TestGenerationGcpConfig(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, false, false, + buildTf, _ := gcp.NewTerraform(false, true, false, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -183,7 +183,7 @@ func TestGenerationGcpAuditLog(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, false, true, false, + buildTf, _ := gcp.NewTerraform(false, false, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -206,7 +206,6 @@ func TestGenerationGcpAuditLogPubSub(t *testing.T) { MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "y"}, MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, MsgRsp{cmd.QuestionGcpCustomFilter, ""}, MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, @@ -245,7 +244,6 @@ func TestGenerationGcpAuditLogPubSubOrg(t *testing.T) { MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "y"}, MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, MsgRsp{cmd.QuestionGcpCustomFilter, ""}, MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, @@ -268,75 +266,6 @@ func TestGenerationGcpAuditLogPubSubOrg(t *testing.T) { ).Generate() assert.Equal(t, buildTf, tfResult) } -func TestGenerationGcpAuditLogEnableUBLA(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - projectId := "project-1" - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "n"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - "--enable_ubla", - ) - - assert.Contains(t, final, "Terraform code saved in") - - buildTf, _ := gcp.NewTerraform(false, false, true, false, - gcp.WithProjectId("project-1"), - gcp.WithEnableUBLA(true), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - -func TestGenerationGcpAuditLogDisableUBLA(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - projectId := "project-1" - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "n"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - "--enable_ubla=false", - ) - - assert.Contains(t, final, "Terraform code saved in") - - buildTf, _ := gcp.NewTerraform(false, false, true, false, - gcp.WithProjectId("project-1"), - gcp.WithEnableUBLA(false), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} // Test organization integration for Agentless, Configuration and Audit Log func TestGenerationGcpAllIntegrationsOrg(t *testing.T) { @@ -371,7 +300,7 @@ func TestGenerationGcpAllIntegrationsOrg(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(true, true, true, false, + buildTf, _ := gcp.NewTerraform(true, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -413,7 +342,7 @@ func TestGenerationGcpPrefixAndWait(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithPrefix(prefix), gcp.WithWaitTime(waitTime), @@ -465,146 +394,13 @@ func TestGenerationGcpSACreds(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithGcpServiceAccountCredentials(serviceAccountFilePath), ).Generate() assert.Equal(t, buildTf, tfResult) } -// Test Audit Log with existing Bucket -func TestGenerationGcpAuditLogExistingBucket(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, - MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "y"}, - MsgRsp{cmd.QuestionGcpExistingBucketName, "bucketMcBucketFace"}, - MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, - MsgRsp{cmd.QuestionGcpCustomFilter, ""}, - MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - - final, _ = c.ExpectEOF() - - }, - "generate", - "cloud-account", - "gcp", - ) - - assertTerraformSaved(t, final) - - buildTf, _ := gcp.NewTerraform(false, true, true, false, - gcp.WithProjectId(projectId), - gcp.WithExistingLogBucketName("bucketMcBucketFace"), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - -// Test Audit Log with new Bucket -func TestGenerationGcpAuditLogNewBucket(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, - MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "n"}, - MsgRsp{cmd.QuestionGcpConfigureNewBucket, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, - MsgRsp{cmd.QuestionGcpCustomFilter, ""}, - MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - ) - - assertTerraformSaved(t, final) - - buildTf, _ := gcp.NewTerraform(false, true, true, false, - gcp.WithProjectId(projectId), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - -// Test Audit Log with custom new Bucket -func TestGenerationGcpAuditLogCustomNewBucket(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - bucketName := "my-new-bucket" - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, - MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "n"}, - MsgRsp{cmd.QuestionGcpConfigureNewBucket, "y"}, - MsgRsp{cmd.QuestionGcpBucketRegion, "us-west1"}, - MsgRsp{cmd.QuestionGcpCustomBucketName, bucketName}, - MsgRsp{cmd.QuestionGcpBucketLifecycle, "420"}, - MsgRsp{cmd.QuestionGcpEnableUBLA, "y"}, - MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, - MsgRsp{cmd.QuestionGcpCustomFilter, ""}, - MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - ) - - assertTerraformSaved(t, final) - - buildTf, _ := gcp.NewTerraform(false, true, true, false, - gcp.WithProjectId(projectId), - gcp.WithBucketRegion("us-west1"), - gcp.WithCustomBucketName(bucketName), - gcp.WithLogBucketLifecycleRuleAge(420), - gcp.WithEnableUBLA(true), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - // Test Audit Log with existing sink. func TestGenerationGcpAuditLogWithExistingSink(t *testing.T) { os.Setenv("LW_NOCACHE", "true") @@ -622,13 +418,6 @@ func TestGenerationGcpAuditLogWithExistingSink(t *testing.T) { MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "n"}, - MsgRsp{cmd.QuestionGcpConfigureNewBucket, "y"}, - MsgRsp{cmd.QuestionGcpBucketRegion, "us-west1"}, - MsgRsp{cmd.QuestionGcpCustomBucketName, ""}, - MsgRsp{cmd.QuestionGcpBucketLifecycle, "420"}, - MsgRsp{cmd.QuestionGcpEnableUBLA, "y"}, MsgRsp{cmd.QuestionGcpUseExistingSink, "y"}, MsgRsp{cmd.QuestionGcpExistingSinkName, "sink"}, MsgRsp{cmd.QuestionGcpCustomFilter, ""}, @@ -644,59 +433,13 @@ func TestGenerationGcpAuditLogWithExistingSink(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), - gcp.WithBucketRegion("us-west1"), - gcp.WithLogBucketLifecycleRuleAge(420), - gcp.WithEnableUBLA(true), gcp.WithExistingLogSinkName("sink"), ).Generate() assert.Equal(t, buildTf, tfResult) } -// Test Audit Log with existing bucket -func TestGenerationGcpAuditLogWithExistingBucket(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - filter := "filter" - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "n"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, - MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "y"}, - MsgRsp{cmd.QuestionGcpExistingBucketName, "bucketMcBucketFace"}, - MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, - MsgRsp{cmd.QuestionGcpCustomFilter, filter}, - MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - ) - - assertTerraformSaved(t, final) - - buildTf, _ := gcp.NewTerraform(false, false, true, false, - gcp.WithProjectId(projectId), - gcp.WithExistingLogBucketName("bucketMcBucketFace"), - gcp.WithCustomFilter(filter), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - // Test integrations with existing Service Account details func TestGenerationGcpExistingSA(t *testing.T) { os.Setenv("LW_NOCACHE", "true") @@ -732,7 +475,7 @@ func TestGenerationGcpExistingSA(t *testing.T) { serviceAccountDetails.Name = "SA_1" serviceAccountDetails.PrivateKey = "cGFzc3dvcmRNY1Bhc3N3b3JkRmFjZQ==" - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithExistingServiceAccount(serviceAccountDetails), ).Generate() @@ -756,7 +499,6 @@ func TestGenerationGcpPubSubUseExistingSA(t *testing.T) { MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "y"}, MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, MsgRsp{cmd.QuestionGcpCustomFilter, ""}, MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "y"}, @@ -819,7 +561,7 @@ func TestGenerationGcpConfigurationWithCustomIntegrationName(t *testing.T) { assertTerraformSaved(t, final) // Create the TF directly with lwgenerate and validate same result via CLI - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithConfigurationIntegrationName("customConfigurationIntegrationName"), ).Generate() @@ -858,7 +600,7 @@ func TestGenerationGcpAuditLogWithCustomIntegrationName(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithAuditLogIntegrationName("customAuditLogIntegrationName"), ).Generate() @@ -903,7 +645,7 @@ func TestGenerationGcpCustomizedOutputLocation(t *testing.T) { result, _ := os.ReadFile(filepath.FromSlash(fmt.Sprintf("%s/main.tf", dir))) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, string(result)) @@ -937,7 +679,7 @@ func TestGenerationGcpAdvancedOptsDone(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -971,7 +713,7 @@ func TestGenerationGcpAdvancedOptsDoneConfigurationOnly(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, false, false, + buildTf, _ := gcp.NewTerraform(false, true, false, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -1057,7 +799,7 @@ func TestGenerationGcpFolders(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -1100,7 +842,7 @@ func TestGenerationGcpFoldersShorthand(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -1141,7 +883,7 @@ func TestGenerationGcpIncludeRootProjects(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -1182,7 +924,7 @@ func TestGenerationGcpIncludeRootProjectsFalse(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -1221,7 +963,7 @@ func TestGenerationGcpAuditLogFiltersTrue(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, false, true, false, + buildTf, _ := gcp.NewTerraform(false, false, true, true, gcp.WithProjectId(projectId), gcp.WithGoogleWorkspaceFilter(true), gcp.WithK8sFilter(true), @@ -1258,7 +1000,7 @@ func TestGenerationGcpAuditLogFiltersFalse(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, false, true, false, + buildTf, _ := gcp.NewTerraform(false, false, true, true, gcp.WithProjectId(projectId), gcp.WithGoogleWorkspaceFilter(false), gcp.WithK8sFilter(false), @@ -1295,7 +1037,7 @@ func TestGenerationGcpInvalidProjectId(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, false, true, false, + buildTf, _ := gcp.NewTerraform(false, false, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -1449,7 +1191,7 @@ func TestGenerationGcpLaceworkProfile(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithLaceworkProfile(gcpProfile), ).Generate() @@ -1493,7 +1235,7 @@ func TestGenerationGcpMultipleProjects(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithMultipleProject(gcpProjects), ).Generate() @@ -1532,7 +1274,7 @@ func TestGenerationGcpMultipleProjectsInteractive(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithMultipleProject(gcpProjects), ).Generate() diff --git a/integration/test_resources/help/generate_cloud-account_gcp b/integration/test_resources/help/generate_cloud-account_gcp index d130875ff..b5efc231d 100644 --- a/integration/test_resources/help/generate_cloud-account_gcp +++ b/integration/test_resources/help/generate_cloud-account_gcp @@ -25,14 +25,9 @@ Flags: --apply run terraform apply without executing plan or prompting --audit_log enable audit log integration --audit_log_integration_name string specify a custom audit log integration name - --bucket_lifecycle_rule_age int specify the lifecycle rule age (default -1) - --bucket_region string specify bucket region --configuration enable configuration integration --configuration_integration_name string specify a custom configuration integration name - --custom_bucket_name string override prefix based storage bucket name generation with a custom name --custom_filter string Audit Log filter which supersedes all other filter options when defined - --enable_ubla enable universal bucket level access(ubla) (default true) - --existing_bucket_name string specify existing bucket name --existing_service_account_name string specify existing service account name --existing_service_account_private_key string specify existing service account private key (base64 encoded) --existing_sink_name string specify existing sink name @@ -51,7 +46,7 @@ Flags: --projects strings list of project IDs to integrate with (project-level integrations) --regions strings List of GCP regions to deploy for Agentless integration --service_account_credentials string specify service account credentials JSON file path (leave blank to make use of google credential ENV vars) - --use_pub_sub use pub/sub for the audit log data rather than bucket + --use_pub_sub deprecated: pub/sub audit log integration is always used and only supported type (default true) --wait_time string amount of time to wait before the next resource is provisioned Global Flags: From cbe5213a1685dc93be2c5c6e20caf8a89a3830f7 Mon Sep 17 00:00:00 2001 From: Lei Jin <166442440+leijin-lw@users.noreply.github.com> Date: Tue, 16 Jul 2024 16:05:45 -0700 Subject: [PATCH 4/7] chore: Add uuid for resource group tests (#1651) Signed-off-by: Lei Jin --- integration/resource_groups_test.go | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/integration/resource_groups_test.go b/integration/resource_groups_test.go index c1cac14ac..bcbddcb46 100644 --- a/integration/resource_groups_test.go +++ b/integration/resource_groups_test.go @@ -22,12 +22,14 @@ import ( "fmt" "testing" + "github.com/google/uuid" + "github.com/lacework/go-sdk/api" "github.com/pkg/errors" "github.com/stretchr/testify/assert" ) -func createResourceGroup(typ string) (string, error) { +func createResourceGroup(typ string, uid string) (string, error) { iType, _ := api.FindResourceGroupType(typ) var testQuery api.RGQuery @@ -37,7 +39,7 @@ func createResourceGroup(typ string) (string, error) { } var testResourceGroup api.ResourceGroupDataWithQuery = api.ResourceGroupDataWithQuery{ - Name: fmt.Sprintf("CLI_TestCreateResourceGroup_%s", iType.String()), + Name: fmt.Sprintf("CLI_TestCreateResourceGroup_%s", iType.String()+"_"+uid), Type: iType.String(), Query: &testQuery, Description: "Resource Group Created By CLI Integration Testing", @@ -172,9 +174,10 @@ func TestResourceGroupDelete(t *testing.T) { // skip lw_account t.Run(i.String(), func(t *testing.T) { // setup resource group - resourceGroupID, err := createResourceGroup(i.String()) + uid := uuid.New().String()[:8] + resourceGroupID, err := createResourceGroup(i.String(), uid) if err != nil { - assert.FailNow(t, err.Error(), fmt.Sprintf("Manually delete resourceGroup CLI_TestCreateResourceGroup_%s", i.String())) + assert.FailNow(t, err.Error(), fmt.Sprintf("Manually delete resourceGroup CLI_TestCreateResourceGroup_%s", i.String()+"_"+uid)) } // delete resource group From 152359d3ee25effd49e301f1d1db0d77a4f7aa97 Mon Sep 17 00:00:00 2001 From: Lei Jin <166442440+leijin-lw@users.noreply.github.com> Date: Thu, 18 Jul 2024 08:50:46 -0700 Subject: [PATCH 5/7] feat(GROW-2949): Provide organization_id for project level agentless integration (#1648) * feat(GROW-2949): Provide organization_id for project level integration Signed-off-by: Lei Jin * feat: remove restriction on org level integration Signed-off-by: Lei Jin * feat: Require org_id for gcp agentless integration Signed-off-by: Lei Jin --------- Signed-off-by: Lei Jin --- cli/cdk/go/proto/v1/cdk.pb.go | 5 ++- cli/cdk/go/proto/v1/cdk_grpc.pb.go | 1 + cli/cmd/generate_gcp.go | 12 +++++- .../lacework_generate_cloud-account_gcp.md | 2 +- integration/gcp_generation_test.go | 42 +++++++++++++++++++ .../help/generate_cloud-account_gcp | 2 +- lwgenerate/gcp/gcp.go | 7 +--- lwgenerate/gcp/gcp_test.go | 41 +++++++++++------- 8 files changed, 87 insertions(+), 25 deletions(-) diff --git a/cli/cdk/go/proto/v1/cdk.pb.go b/cli/cdk/go/proto/v1/cdk.pb.go index 2e5716254..4ab3a18e6 100644 --- a/cli/cdk/go/proto/v1/cdk.pb.go +++ b/cli/cdk/go/proto/v1/cdk.pb.go @@ -25,11 +25,12 @@ package cdk import ( + reflect "reflect" + sync "sync" + timestamp "github.com/golang/protobuf/ptypes/timestamp" protoreflect "google.golang.org/protobuf/reflect/protoreflect" protoimpl "google.golang.org/protobuf/runtime/protoimpl" - reflect "reflect" - sync "sync" ) const ( diff --git a/cli/cdk/go/proto/v1/cdk_grpc.pb.go b/cli/cdk/go/proto/v1/cdk_grpc.pb.go index 7431fd74e..3603a28ac 100644 --- a/cli/cdk/go/proto/v1/cdk_grpc.pb.go +++ b/cli/cdk/go/proto/v1/cdk_grpc.pb.go @@ -8,6 +8,7 @@ package cdk import ( context "context" + grpc "google.golang.org/grpc" codes "google.golang.org/grpc/codes" status "google.golang.org/grpc/status" diff --git a/cli/cmd/generate_gcp.go b/cli/cmd/generate_gcp.go index 630e6394f..e2fecb48a 100644 --- a/cli/cmd/generate_gcp.go +++ b/cli/cmd/generate_gcp.go @@ -315,7 +315,7 @@ func initGenerateGcpTfCommandFlags() { &GenerateGcpCommandState.GcpOrganizationId, "organization_id", "", - "specify the organization id (only set if organization_integration is set)") + "specify the organization id (only set if agentless integration or organization_integration is set)") generateGcpTfCommand.PersistentFlags().StringVar( &GenerateGcpCommandState.GcpProjectId, "project_id", @@ -736,9 +736,17 @@ func promptGcpGenerate( Prompt: &survey.Confirm{Message: QuestionGcpOrganizationIntegration, Default: config.OrganizationIntegration}, Response: &config.OrganizationIntegration, }, + }); err != nil { + return err + } + + organizationIdRequired := config.Agentless || config.OrganizationIntegration + + if err := SurveyMultipleQuestionWithValidation( + []SurveyQuestionWithValidationArgs{ { Prompt: &survey.Input{Message: QuestionGcpOrganizationID, Default: config.GcpOrganizationId}, - Checks: []*bool{&config.OrganizationIntegration}, + Checks: []*bool{&organizationIdRequired}, Required: true, Response: &config.GcpOrganizationId, }, diff --git a/cli/docs/lacework_generate_cloud-account_gcp.md b/cli/docs/lacework_generate_cloud-account_gcp.md index c5eaca95f..c695dde0b 100644 --- a/cli/docs/lacework_generate_cloud-account_gcp.md +++ b/cli/docs/lacework_generate_cloud-account_gcp.md @@ -58,7 +58,7 @@ lacework generate cloud-account gcp [flags] -h, --help help for gcp --include_root_projects Disables logic that includes root-level projects if excluding folders (default true) --k8s_filter filter out GKE logs from GCP Audit Log sinks (default true) - --organization_id string specify the organization id (only set if organization_integration is set) + --organization_id string specify the organization id (only set if agentless integration or organization_integration is set) --organization_integration enable organization integration --output string location to write generated content (default is ~/lacework/gcp) --prefix string prefix that will be used at the beginning of every generated resource diff --git a/integration/gcp_generation_test.go b/integration/gcp_generation_test.go index 334513046..e1680b1d1 100644 --- a/integration/gcp_generation_test.go +++ b/integration/gcp_generation_test.go @@ -121,6 +121,48 @@ func TestGenerationGcpAgentless(t *testing.T) { assert.Equal(t, buildTf, tfResult) } +// Test Agentless only generation +func TestGenerationGcpAgentlessProjectLevel(t *testing.T) { + os.Setenv("LW_NOCACHE", "true") + defer os.Setenv("LW_NOCACHE", "") + var final string + + tfResult := runGcpGenerateTest(t, + func(c *expect.Console) { + expectsCliOutput(t, c, []MsgRspHandler{ + MsgRsp{cmd.QuestionGcpEnableAgentless, "y"}, + MsgRsp{cmd.QuestionGcpEnableConfiguration, "n"}, + MsgRsp{cmd.QuestionGcpEnableAuditLog, "n"}, + MsgRsp{cmd.QuestionGcpProjectID, projectId}, + MsgRsp{cmd.QuestionGcpRegions, "us-east1"}, + MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, + MsgRsp{cmd.QuestionGcpOrganizationID, organizationId}, + MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, + MsgMenu{cmd.GcpAdvancedOptAgentless, 0}, + MsgRsp{cmd.QuestionGcpProjectFilterList, "p1,p2"}, + MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, + MsgRsp{cmd.QuestionRunTfPlan, "n"}, + }) + + final, _ = c.ExpectEOF() + }, + "generate", + "cloud-account", + "gcp", + ) + + assertTerraformSaved(t, final) + + buildTf, _ := gcp.NewTerraform(true, false, false, true, + gcp.WithProjectId(projectId), + gcp.WithOrganizationIntegration(false), + gcp.WithOrganizationId(organizationId), + gcp.WithRegions([]string{"us-east1"}), + gcp.WithProjectFilterList([]string{"p1", "p2"}), + ).Generate() + assert.Equal(t, buildTf, tfResult) +} + // Test configuration only generation func TestGenerationGcpConfig(t *testing.T) { os.Setenv("LW_NOCACHE", "true") diff --git a/integration/test_resources/help/generate_cloud-account_gcp b/integration/test_resources/help/generate_cloud-account_gcp index b5efc231d..ad6aeb856 100644 --- a/integration/test_resources/help/generate_cloud-account_gcp +++ b/integration/test_resources/help/generate_cloud-account_gcp @@ -37,7 +37,7 @@ Flags: -h, --help help for gcp --include_root_projects Disables logic that includes root-level projects if excluding folders (default true) --k8s_filter filter out GKE logs from GCP Audit Log sinks (default true) - --organization_id string specify the organization id (only set if organization_integration is set) + --organization_id string specify the organization id (only set if agentless integration or organization_integration is set) --organization_integration enable organization integration --output string location to write generated content (default is ~/lacework/gcp) --prefix string prefix that will be used at the beginning of every generated resource diff --git a/lwgenerate/gcp/gcp.go b/lwgenerate/gcp/gcp.go index a0c93d67f..791b83ec0 100644 --- a/lwgenerate/gcp/gcp.go +++ b/lwgenerate/gcp/gcp.go @@ -173,11 +173,6 @@ func (args *GenerateGcpTfConfigurationArgs) validate() error { return errors.New("an Organization ID must be provided for an Organization Integration") } - // Validate if an organization id has been provided that this is and organization integration - if !args.OrganizationIntegration && args.GcpOrganizationId != "" { - return errors.New("to provide an Organization ID, Organization Integration must be true") - } - // Validate existing Service Account values, if set if args.ExistingServiceAccount != nil { if args.ExistingServiceAccount.Name == "" || @@ -631,6 +626,8 @@ func createAgentless(args *GenerateGcpTfConfigurationArgs) ([]*hclwrite.Block, e } if args.OrganizationIntegration { attributes["integration_type"] = "ORGANIZATION" + } + if len(args.GcpOrganizationId) > 0 { attributes["organization_id"] = args.GcpOrganizationId } } diff --git a/lwgenerate/gcp/gcp_test.go b/lwgenerate/gcp/gcp_test.go index 31dd74b65..0865b3a19 100644 --- a/lwgenerate/gcp/gcp_test.go +++ b/lwgenerate/gcp/gcp_test.go @@ -44,6 +44,17 @@ func TestGenerateGcpTfConfigurationArgs_Generate_AuditLog(t *testing.T) { gcp.WithProjectId(projectName)), ReqProvider(projectName, moduleImportProjectLevelPubSubAuditLogWithoutConfiguration), }, + { + "TestGenerationProjectLevelPubSubAuditLogWithoutConfigWithOrgId", + gcp.NewTerraform( + false, + false, + true, + true, + gcp.WithGcpServiceAccountCredentials("/path/to/credentials"), + gcp.WithProjectId(projectName), gcp.WithOrganizationId("123456789")), + ReqProvider(projectName, moduleImportProjectLevelPubSubAuditLogWithoutConfiguration), + }, { "TestGenerationProjectLevelAuditLogWithoutCredentialsAndProject", gcp.NewTerraform(false, false, true, false), @@ -513,6 +524,16 @@ func TestGenerateGcpTfConfigurationArgs_Generate_Configuration(t *testing.T) { ), ReqProvider(projectName, moduleImportProjectLevelConfigurationExistingSA), }, + { + "TestGenerationProjectLevelConfigurationExistingSAWithOrgId", + gcp.NewTerraform(false, true, false, false, + gcp.WithGcpServiceAccountCredentials("/path/to/credentials"), + gcp.WithProjectId(projectName), + gcp.WithOrganizationId("123456789"), + gcp.WithExistingServiceAccount(gcp.NewExistingServiceAccountDetails("foo", "123456789")), + ), + ReqProvider(projectName, moduleImportProjectLevelConfigurationExistingSA), + }, { "TestGenerationProjectLevelConfigurationCustomIntegrationName", gcp.NewTerraform(false, true, false, false, @@ -720,6 +741,7 @@ func TestGenerateGcpTfConfigurationArgs_Generate_Agentless(t *testing.T) { "TestGenerationProjectLevelAgentless", gcp.NewTerraform(true, false, false, false, gcp.WithProjectId(projectName), + gcp.WithOrganizationId("123456789"), gcp.WithRegions([]string{"us-east1"}), ), fmt.Sprintf("%s\n%s", RequiredProviders, moduleImportProjectLevelAgentless), @@ -769,16 +791,6 @@ func TestGenerationOrganizationLevelAuditLogNoOrgId(t *testing.T) { assert.EqualError(t, err, "invalid inputs: an Organization ID must be provided for an Organization Integration") } -func TestGenerationOrganizationLevelAuditLogNoOrgIntegrationFlag(t *testing.T) { - hcl, err := gcp.NewTerraform(false, false, true, false, - gcp.WithGcpServiceAccountCredentials("/path/to/credentials"), - gcp.WithProjectId(projectName), - gcp.WithOrganizationId("123456789"), - ).Generate() - assert.Empty(t, hcl) - assert.EqualError(t, err, "invalid inputs: to provide an Organization ID, Organization Integration must be true") -} - func TestGenerationNoIntegration(t *testing.T) { hcl, err := gcp.NewTerraform(false, false, false, false, gcp.WithGcpServiceAccountCredentials("/path/to/credentials"), @@ -1181,10 +1193,11 @@ var moduleImportProjectLevelAgentless = `provider "google" { } module "lacework_gcp_agentless_scanning_global" { - source = "lacework/agentless-scanning/gcp" - version = "~> 2.0" - global = true - regional = true + source = "lacework/agentless-scanning/gcp" + version = "~> 2.0" + global = true + organization_id = "123456789" + regional = true providers = { google = google.us-east1 From d7c92df8a37e702764cc4f97626c71a01bd0ba15 Mon Sep 17 00:00:00 2001 From: lacework-releng <73366105+lacework-releng@users.noreply.github.com> Date: Thu, 18 Jul 2024 12:15:00 -0400 Subject: [PATCH 6/7] release: v1.52.0 (#1652) Signed-off-by: Lacework --- CHANGELOG.md | 13 ++++++++++++ RELEASE_NOTES.md | 20 ++++++++----------- VERSION | 2 +- api/version.go | 4 ++-- .../lacework_generate_cloud-account_gcp.md | 7 +------ 5 files changed, 25 insertions(+), 21 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 50f609f87..c0f7fb091 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,16 @@ +# v1.52.0 + +## Features +* feat(GROW-2949): Provide organization_id for project level agentless integration (#1648) (Lei Jin)([152359d3](https://github.com/lacework/go-sdk/commit/152359d3ee25effd49e301f1d1db0d77a4f7aa97)) +## Bug Fixes +* fix(GROW-2950): disable use of gcp storage audit from generate (#1643) (Matt Cadorette)([5edd4cad](https://github.com/lacework/go-sdk/commit/5edd4cad417dacd13400e5e40ffed6d87601604f)) +* fix: vuln integration test host id (#1645) (Matt Cadorette)([3cfc4caa](https://github.com/lacework/go-sdk/commit/3cfc4caa32711d45e75724e35786b7fc26a59e16)) +## Other Changes +* chore: Add uuid for resource group tests (#1651) (Lei Jin)([cbe5213a](https://github.com/lacework/go-sdk/commit/cbe5213a1685dc93be2c5c6e20caf8a89a3830f7)) +* chore(GROW-2952): update codeowners (#1647) (Matt Cadorette)([889c40ae](https://github.com/lacework/go-sdk/commit/889c40aee2f816c2d45815ac679d71c3a2d085ba)) +* chore(RAIN-93468): Remove use of the queryLanguage query property (#1638) (gspofford-lw)([eb8d5c1f](https://github.com/lacework/go-sdk/commit/eb8d5c1f466d10e6a40612094c145e18ab7bc372)) +* ci: version bump to v1.51.1-dev (Lacework)([31adf212](https://github.com/lacework/go-sdk/commit/31adf212216ef685d7b8d2237921d010e2b977ce)) +--- # v1.51.0 ## Features diff --git a/RELEASE_NOTES.md b/RELEASE_NOTES.md index 66841eee8..c80a41a35 100644 --- a/RELEASE_NOTES.md +++ b/RELEASE_NOTES.md @@ -1,20 +1,16 @@ # Release Notes -Another day, another release. These are the release notes for the version `v1.51.0`. +Another day, another release. These are the release notes for the version `v1.52.0`. ## Features -* feat: prosast component data upload (#1639) (jonathan stewart)([635f2d30](https://github.com/lacework/go-sdk/commit/635f2d30643ce70c3ebd6b0c49542954a5e7a828)) -* feat(GROW-2928): Upgrade the gcp terraform version (#1637) (Lei Jin)([02bcccab](https://github.com/lacework/go-sdk/commit/02bcccabd229620b4d08755b95615d4f4c17a71a)) -* feat(GROW-2931): Add support for GCP default labels (#1633) (Lei Jin)([6d765866](https://github.com/lacework/go-sdk/commit/6d765866a99a07e3cb0bf0ccc9eaa73612b2f3c4)) -* feat(GROW-2929): update lwgenerate to support GCP generation (#1631) (Lei Jin)([2c64710e](https://github.com/lacework/go-sdk/commit/2c64710ee725d77d7341274e940dc5cec27d3c3d)) -* feat(GROW-2819): enable custom blocks with azure generate (#1630) (Matt Cadorette)([67c7bbc9](https://github.com/lacework/go-sdk/commit/67c7bbc9b88a7492fa3d387d44d5e1f290eef79e)) -* feat(GROW-2908): lwgenerate enable custom root terraform blocks and provider arguments (#1626) (Matt Cadorette)([8d50d317](https://github.com/lacework/go-sdk/commit/8d50d317e44bf379523c0138fcb12ec34b4ed302)) -* feat(GROW-2883): lwgenerate enable adding aws provider default tags (#1623) (Matt Cadorette)([5d6ef3df](https://github.com/lacework/go-sdk/commit/5d6ef3dfbbc1349abaf5e1c0fca325f0ac65960a)) +* feat(GROW-2949): Provide organization_id for project level agentless integration (#1648) (Lei Jin)([152359d3](https://github.com/lacework/go-sdk/commit/152359d3ee25effd49e301f1d1db0d77a4f7aa97)) ## Bug Fixes -* fix(GROW-2931): GCP default label should be attributes (#1636) (Lei Jin)([e575eac8](https://github.com/lacework/go-sdk/commit/e575eac82b34e8a9ce840928d6f73e13675291e0)) -* fix(GROW-2819): split azuread/azurerm gen args (#1632) (Matt Cadorette)([6ae460a7](https://github.com/lacework/go-sdk/commit/6ae460a7212365947c80889ec0ff02499a05bdd5)) +* fix(GROW-2950): disable use of gcp storage audit from generate (#1643) (Matt Cadorette)([5edd4cad](https://github.com/lacework/go-sdk/commit/5edd4cad417dacd13400e5e40ffed6d87601604f)) +* fix: vuln integration test host id (#1645) (Matt Cadorette)([3cfc4caa](https://github.com/lacework/go-sdk/commit/3cfc4caa32711d45e75724e35786b7fc26a59e16)) ## Other Changes -* chore: update cloud-account migrate cmd desc (#1625) (Manan Bhatia)([8c76d482](https://github.com/lacework/go-sdk/commit/8c76d482af778977c8eeb35c150fea9e1fed7be1)) -* ci: version bump to v1.50.1-dev (Lacework)([f469da52](https://github.com/lacework/go-sdk/commit/f469da5287671e0ef893df381b6e64ae4530c50d)) +* chore: Add uuid for resource group tests (#1651) (Lei Jin)([cbe5213a](https://github.com/lacework/go-sdk/commit/cbe5213a1685dc93be2c5c6e20caf8a89a3830f7)) +* chore(GROW-2952): update codeowners (#1647) (Matt Cadorette)([889c40ae](https://github.com/lacework/go-sdk/commit/889c40aee2f816c2d45815ac679d71c3a2d085ba)) +* chore(RAIN-93468): Remove use of the queryLanguage query property (#1638) (gspofford-lw)([eb8d5c1f](https://github.com/lacework/go-sdk/commit/eb8d5c1f466d10e6a40612094c145e18ab7bc372)) +* ci: version bump to v1.51.1-dev (Lacework)([31adf212](https://github.com/lacework/go-sdk/commit/31adf212216ef685d7b8d2237921d010e2b977ce)) ## :whale: [Docker Image](https://hub.docker.com/r/lacework/lacework-cli) ``` diff --git a/VERSION b/VERSION index a93d7c9f2..d4f820371 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.51.1-dev \ No newline at end of file +1.52.0 \ No newline at end of file diff --git a/api/version.go b/api/version.go index b80ca90c8..b54b11f7b 100644 --- a/api/version.go +++ b/api/version.go @@ -1,5 +1,5 @@ // Code generated by: scripts/version_updater.sh -// File generated at: 20240610150006 +// File generated at: 20240718160216 // // <<< DO NOT EDIT >>> // @@ -7,4 +7,4 @@ package api // Version is the semver coming from the VERSION file -const Version = "1.51.1-dev" +const Version = "1.52.0" diff --git a/cli/docs/lacework_generate_cloud-account_gcp.md b/cli/docs/lacework_generate_cloud-account_gcp.md index c695dde0b..4d54e3d27 100644 --- a/cli/docs/lacework_generate_cloud-account_gcp.md +++ b/cli/docs/lacework_generate_cloud-account_gcp.md @@ -41,14 +41,9 @@ lacework generate cloud-account gcp [flags] --apply run terraform apply without executing plan or prompting --audit_log enable audit log integration --audit_log_integration_name string specify a custom audit log integration name - --bucket_lifecycle_rule_age int specify the lifecycle rule age (default -1) - --bucket_region string specify bucket region --configuration enable configuration integration --configuration_integration_name string specify a custom configuration integration name - --custom_bucket_name string override prefix based storage bucket name generation with a custom name --custom_filter string Audit Log filter which supersedes all other filter options when defined - --enable_ubla enable universal bucket level access(ubla) (default true) - --existing_bucket_name string specify existing bucket name --existing_service_account_name string specify existing service account name --existing_service_account_private_key string specify existing service account private key (base64 encoded) --existing_sink_name string specify existing sink name @@ -67,7 +62,7 @@ lacework generate cloud-account gcp [flags] --projects strings list of project IDs to integrate with (project-level integrations) --regions strings List of GCP regions to deploy for Agentless integration --service_account_credentials string specify service account credentials JSON file path (leave blank to make use of google credential ENV vars) - --use_pub_sub use pub/sub for the audit log data rather than bucket + --use_pub_sub deprecated: pub/sub audit log integration is always used and only supported type (default true) --wait_time string amount of time to wait before the next resource is provisioned ``` From d25c70d7fd62de5045423cbee3b83be8e4db0009 Mon Sep 17 00:00:00 2001 From: Lacework Date: Thu, 18 Jul 2024 16:23:51 +0000 Subject: [PATCH 7/7] ci: version bump to v1.52.1-dev Signed-off-by: Lacework --- VERSION | 2 +- api/version.go | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/VERSION b/VERSION index d4f820371..ae94500a6 100644 --- a/VERSION +++ b/VERSION @@ -1 +1 @@ -1.52.0 \ No newline at end of file +1.52.1-dev \ No newline at end of file diff --git a/api/version.go b/api/version.go index b54b11f7b..ab028d58a 100644 --- a/api/version.go +++ b/api/version.go @@ -1,5 +1,5 @@ // Code generated by: scripts/version_updater.sh -// File generated at: 20240718160216 +// File generated at: 20240718162351 // // <<< DO NOT EDIT >>> // @@ -7,4 +7,4 @@ package api // Version is the semver coming from the VERSION file -const Version = "1.52.0" +const Version = "1.52.1-dev"