diff --git a/cli/cmd/generate_gcp.go b/cli/cmd/generate_gcp.go
index 0a5699729..630e6394f 100644
--- a/cli/cmd/generate_gcp.go
+++ b/cli/cmd/generate_gcp.go
@@ -19,7 +19,6 @@ var (
 QuestionGcpEnableAgentless = "Enable Agentless integration?"
 QuestionGcpEnableConfiguration = "Enable Configuration integration?"
 QuestionGcpEnableAuditLog = "Enable Audit Log integration?"
- QuestionUsePubSubAudit = "Use Pub Sub Audit Log?"
 QuestionGcpOrganizationIntegration = "Organization integration?"
 QuestionGcpOrganizationID = "Specify the GCP organization ID:"
 QuestionGcpProjectID = "Specify the project ID to be used to provision Lacework resources:"
@@ -35,16 +34,9 @@ var (
 "you want to monitor: (optional)"
 QuestionGcpRegions = "Specify a comma separated list of regions to deploy Agentless:"
 
- GcpAdvancedOptAuditLog = "Configure additional Audit Log options"
- QuestionGcpUseExistingBucket = "Use an existing bucket?"
- QuestionGcpExistingBucketName = "Specify an existing bucket name:"
- QuestionGcpConfigureNewBucket = "Configure settings for new bucket?"
- QuestionGcpBucketRegion = "Specify the bucket region: (optional)"
- QuestionGcpCustomBucketName = "Specify a custom bucket name: (optional)"
- QuestionGcpBucketLifecycle = "Specify the bucket lifecycle rule age: (optional)"
- QuestionGcpEnableUBLA = "Enable uniform bucket level access(UBLA)?"
- QuestionGcpUseExistingSink = "Use an existing sink?"
- QuestionGcpExistingSinkName = "Specify the existing sink name"
+ GcpAdvancedOptAuditLog = "Configure additional Audit Log options"
+ QuestionGcpUseExistingSink = "Use an existing sink?"
+ QuestionGcpExistingSinkName = "Specify the existing sink name"
 
 GcpAdvancedOptIntegrationName = "Customize integration name(s)"
 QuestionGcpConfigurationIntegrationName = "Specify a custom configuration integration name: (optional)"
@@ -111,16 +103,11 @@ See help output for more details on the parameter value(s) required for Terrafor
 gcp.WithExistingServiceAccount(GenerateGcpCommandState.ExistingServiceAccount),
 gcp.WithConfigurationIntegrationName(GenerateGcpCommandState.ConfigurationIntegrationName),
 gcp.WithAuditLogLabels(GenerateGcpCommandState.AuditLogLabels),
- gcp.WithBucketLabels(GenerateGcpCommandState.BucketLabels),
 gcp.WithPubSubSubscriptionLabels(GenerateGcpCommandState.PubSubSubscriptionLabels),
 gcp.WithPubSubTopicLabels(GenerateGcpCommandState.PubSubTopicLabels),
- gcp.WithCustomBucketName(GenerateGcpCommandState.CustomBucketName),
- gcp.WithBucketRegion(GenerateGcpCommandState.BucketRegion),
- gcp.WithExistingLogBucketName(GenerateGcpCommandState.ExistingLogBucketName),
 gcp.WithExistingLogSinkName(GenerateGcpCommandState.ExistingLogSinkName),
 gcp.WithAuditLogIntegrationName(GenerateGcpCommandState.AuditLogIntegrationName),
 gcp.WithLaceworkProfile(GenerateGcpCommandState.LaceworkProfile),
- gcp.WithLogBucketLifecycleRuleAge(GenerateGcpCommandState.LogBucketLifecycleRuleAge),
 gcp.WithFoldersToInclude(GenerateGcpCommandState.FoldersToInclude),
 gcp.WithFoldersToExclude(GenerateGcpCommandState.FoldersToExclude),
 gcp.WithCustomFilter(GenerateGcpCommandState.CustomFilter),
@@ -128,10 +115,10 @@ See help output for more details on the parameter value(s) required for Terrafor
 gcp.WithK8sFilter(GenerateGcpCommandState.K8sFilter),
 gcp.WithPrefix(GenerateGcpCommandState.Prefix),
 gcp.WithWaitTime(GenerateGcpCommandState.WaitTime),
- gcp.WithEnableUBLA(GenerateGcpCommandState.EnableUBLA),
 gcp.WithMultipleProject(GenerateGcpCommandState.Projects),
 gcp.WithProjectFilterList(GenerateGcpCommandState.ProjectFilterList),
 gcp.WithRegions(GenerateGcpCommandState.Regions),
+ gcp.WithUsePubSubAudit(true), // always set to true, storage based integration deprecated
 }
 
 if GenerateGcpCommandState.OrganizationIntegration {
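Review bot: `gcp.WithUsePubSubAudit(true)` is applied unconditionally, so a user who re-runs this command against a project that was provisioned earlier with the bucket-based audit log gets Terraform that no longer describes that bucket; together with `--apply` (which skips the plan) and the force-destroy default that this same change drops as a flag, that can remove the existing log bucket and its contents without a prompt. Whether the generated module really plans the bucket away depends on the lwgenerate package, which is outside this diff, but the CLI should say so where the option is forced, e.g. `// always true: the storage-bucket audit log is no longer generated; re-running on a bucket-based deployment will plan its removal`, and ideally print a warning before running apply. The option slice is part of an expression whose start and end lie outside the hunk.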
@@ -212,15 +199,6 @@ See help output for more details on the parameter value(s) required for Terrafor
 }
 }
 
- // Validate gcp region, if passed
- region, err := cmd.Flags().GetString("bucket_region")
- if err != nil {
- return errors.Wrap(err, "failed to load command flags")
- }
- if err := validateGcpRegion(region); err != nil {
- return err
- }
-
 projectId, err := cmd.Flags().GetString("project_id")
 if err != nil {
 return errors.Wrap(err, "failed to load command flags")
@@ -283,20 +261,17 @@ See help output for more details on the parameter value(s) required for Terrafor
 )
 
 type GcpGenerateCommandExtraState struct {
- AskAdvanced bool
- Output string
- ConfigureNewBucketSettings bool
- UseExistingServiceAccount bool
- UseExistingBucket bool
- UseExistingSink bool
- TerraformApply bool
+ AskAdvanced bool
+ Output string
+ UseExistingServiceAccount bool
+ UseExistingSink bool
+ TerraformApply bool
 }
 
 func (gcp *GcpGenerateCommandExtraState) isEmpty() bool {
 return gcp.Output == "" &&
 !gcp.AskAdvanced &&
 !gcp.UseExistingServiceAccount &&
- !gcp.UseExistingBucket &&
 !gcp.UseExistingSink &&
 !gcp.TerraformApply
 }
@@ -361,22 +336,6 @@ func initGenerateGcpTfCommandFlags() { "configuration_integration_name", "", "specify a custom configuration integration name") - generateGcpTfCommand.PersistentFlags().StringVar( - &GenerateGcpCommandState.CustomBucketName, - "custom_bucket_name", - "", - "override prefix based storage bucket name generation with a custom name") - // TODO: Implement AuditLogLabels, BucketLabels, PubSubSubscriptionLabels & PubSubTopicLabels - generateGcpTfCommand.PersistentFlags().StringVar( - &GenerateGcpCommandState.BucketRegion, - "bucket_region", - "", - "specify bucket region") - generateGcpTfCommand.PersistentFlags().StringVar( - &GenerateGcpCommandState.ExistingLogBucketName, - "existing_bucket_name", - "", - "specify existing bucket name") generateGcpTfCommand.PersistentFlags().StringVar( &GenerateGcpCommandState.ExistingLogSinkName, "existing_sink_name", @@ -393,27 +352,8 @@ func initGenerateGcpTfCommandFlags() { []string{}, "List of GCP regions to deploy for Agentless integration") - // DEPRECATED - generateGcpTfCommand.PersistentFlags().BoolVar( - &GenerateGcpCommandState.EnableForceDestroyBucket, - "enable_force_destroy_bucket", - true, - "enable force bucket destroy") - errcheckWARN(generateGcpTfCommand.PersistentFlags().MarkDeprecated( - "enable_force_destroy_bucket", "by default, force destroy is enabled.", - )) // --- - generateGcpTfCommand.PersistentFlags().BoolVar( - &GenerateGcpCommandState.EnableUBLA, - "enable_ubla", - true, - "enable universal bucket level access(ubla)") - generateGcpTfCommand.PersistentFlags().IntVar( - &GenerateGcpCommandState.LogBucketLifecycleRuleAge, - "bucket_lifecycle_rule_age", - -1, - "specify the lifecycle rule age") generateGcpTfCommand.PersistentFlags().StringVar( &GenerateGcpCommandState.CustomFilter, "custom_filter", 
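Review bot: The removed `// TODO: Implement AuditLogLabels, BucketLabels, PubSubSubscriptionLabels & PubSubTopicLabels` reminder went away with the bucket flags, but `WithAuditLogLabels`, `WithPubSubSubscriptionLabels` and `WithPubSubTopicLabels` are still wired from `GenerateGcpCommandState` in the option list and nothing in this file or the help fixture defines a flag for them, so the item is still open. Keep the note next to the surviving `existing_sink_name` flag, minus the bucket entry: `// TODO: Implement AuditLogLabels, PubSubSubscriptionLabels & PubSubTopicLabels flags`. The second hunk also leaves the `// ---` separator that closed the removed DEPRECATED block standing by itself; drop it or move it under whichever flag is deprecated next. initGenerateGcpTfCommandFlags continues outside both hunks.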
@@ -476,8 +416,8 @@ func initGenerateGcpTfCommandFlags() {
 generateGcpTfCommand.PersistentFlags().BoolVar(
 &GenerateGcpCommandState.UsePubSubAudit,
 "use_pub_sub",
- false,
- "use pub/sub for the audit log data rather than bucket")
+ true,
+ "deprecated: pub/sub audit log integration is always used and only supported type")
 generateGcpTfCommand.PersistentFlags().StringSliceVar(
 &GenerateGcpCommandState.Projects,
 "projects",
@@ -485,30 +425,6 @@ func initGenerateGcpTfCommandFlags() {
 "list of project IDs to integrate with (project-level integrations)")
 }
 
-// survey.Validator for gcp region
-func validateGcpRegion(val interface{}) error {
- switch value := val.(type) {
- case string:
- // as this field is optional, it is valid for this field to be empty
- if value != "" {
- // if value doesn't match regex, return invalid arn
- ok, err := regexp.MatchString(GcpRegionRegex, value)
- if err != nil {
- return errors.Wrap(err, "failed to validate input")
- }
-
- if !ok {
- return errors.New("invalid region name supplied")
- }
- }
- default:
- // if the value passed is not a string
- return errors.New("value must be a string")
- }
-
- return nil
-}
-
 func promptGcpAgentlessQuestions(
 config *gcp.GenerateGcpTfConfigurationArgs,
 extraState *GcpGenerateCommandExtraState,
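Review bot: `--use_pub_sub` is still registered and still bound to `GenerateGcpCommandState.UsePubSubAudit`, yet the option list passes `gcp.WithUsePubSubAudit(true)` regardless, so `--use_pub_sub=false` is accepted and silently ignored; the only deprecation signal is the word "deprecated" inside the usage string. Mark it the way the removed `enable_force_destroy_bucket` flag was, so cobra prints a warning on use and hides it from help: `errcheckWARN(generateGcpTfCommand.PersistentFlags().MarkDeprecated("use_pub_sub", "pub/sub is the only supported audit log integration type"))` (the help fixture under integration/test_resources would then lose its `--use_pub_sub` line). Consider also rejecting an explicit false in the run function rather than generating something the user did not ask for, e.g. `if cmd.Flags().Changed("use_pub_sub") && !GenerateGcpCommandState.UsePubSubAudit { return errors.New("storage-based audit log integration is no longer supported") }`. The second hunk deletes `validateGcpRegion` outright; presumably `GcpRegionRegex` and the `regexp` import still have other users in this file, since no import hunk appears, but that is worth confirming.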
@@ -534,20 +450,6 @@ func promptGcpAuditLogQuestions(
 extraState *GcpGenerateCommandExtraState,
 ) error {
 
- // Only ask these questions if configure audit log is true
- if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
- {
- Prompt: &survey.Confirm{Message: QuestionUsePubSubAudit, Default: config.UsePubSubAudit},
- Checks: []*bool{&config.AuditLog},
- Response: &config.UsePubSubAudit,
- },
- }, config.AuditLog); err != nil {
- return err
- }
- // Present the user with Bucket Configuration options, if required
- if err := promptGcpBucketConfiguration(config, extraState); err != nil {
- return err
- }
 err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{
 {
 Prompt: &survey.Confirm{Message: QuestionGcpUseExistingSink, Default: extraState.UseExistingSink},
@@ -571,77 +473,6 @@ func promptGcpAuditLogQuestions( return err } -func promptGcpBucketConfiguration( - config *gcp.GenerateGcpTfConfigurationArgs, extraState *GcpGenerateCommandExtraState, -) error { - // Prompt to configure bucket information (not required when using the Pub Sub Audit Log) - if err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{ - { - Prompt: &survey.Confirm{Message: QuestionGcpUseExistingBucket, Default: extraState.UseExistingBucket}, - Checks: []*bool{&config.AuditLog, usePubSubActivityDisabled(config)}, - Response: &extraState.UseExistingBucket, - }, - { - Prompt: &survey.Input{Message: QuestionGcpExistingBucketName, Default: config.ExistingLogBucketName}, - Checks: []*bool{&config.AuditLog, &extraState.UseExistingBucket, usePubSubActivityDisabled(config)}, - Required: true, - Response: &config.ExistingLogBucketName, - }, - }, config.AuditLog); err != nil { - return err - } - - newBucket := !extraState.UseExistingBucket - err := SurveyMultipleQuestionWithValidation([]SurveyQuestionWithValidationArgs{ - { - Prompt: &survey.Confirm{Message: QuestionGcpConfigureNewBucket, Default: extraState.ConfigureNewBucketSettings}, - Checks: []*bool{&config.AuditLog, &newBucket, usePubSubActivityDisabled(config)}, - Required: true, - Response: &extraState.ConfigureNewBucketSettings, - }, - { - Prompt: &survey.Input{Message: QuestionGcpBucketRegion, Default: config.BucketRegion}, - Checks: []*bool{&config.AuditLog, - &newBucket, - &extraState.ConfigureNewBucketSettings, - usePubSubActivityDisabled(config)}, - Opts: []survey.AskOpt{survey.WithValidator(validateGcpRegion)}, - Response: &config.BucketRegion, - }, - { - Prompt: &survey.Input{Message: QuestionGcpCustomBucketName, Default: config.CustomBucketName}, - Checks: []*bool{&config.AuditLog, - &newBucket, - &extraState.ConfigureNewBucketSettings, - usePubSubActivityDisabled(config)}, - Response: &config.CustomBucketName, - }, - { - Prompt: &survey.Input{Message: 
QuestionGcpBucketLifecycle, Default: "-1"}, - Checks: []*bool{&config.AuditLog, - &newBucket, - &extraState.ConfigureNewBucketSettings, - usePubSubActivityDisabled(config)}, - Response: &config.LogBucketLifecycleRuleAge, - }, - { - Prompt: &survey.Confirm{Message: QuestionGcpEnableUBLA, Default: config.EnableUBLA}, - Checks: []*bool{&config.AuditLog, - &newBucket, - &extraState.ConfigureNewBucketSettings, - usePubSubActivityDisabled(config)}, - Required: true, - Response: &config.EnableUBLA, - }, - }, config.AuditLog) - - return err -} - -func usePubSubActivityDisabled(config *gcp.GenerateGcpTfConfigurationArgs) *bool { - usePubSubActivityDisabled := !config.UsePubSubAudit - return &usePubSubActivityDisabled -} func promptGcpExistingServiceAccountQuestions(config *gcp.GenerateGcpTfConfigurationArgs) error { // ensure struct is initialized if config.ExistingServiceAccount == nil { diff --git a/integration/gcp_generation_test.go b/integration/gcp_generation_test.go index bb82e3bdc..334513046 100644 --- a/integration/gcp_generation_test.go +++ b/integration/gcp_generation_test.go @@ -73,7 +73,7 @@ func TestGenerationGcpSimple(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -111,7 +111,7 @@ func TestGenerationGcpAgentless(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(true, false, false, false, + buildTf, _ := gcp.NewTerraform(true, false, false, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), 
@@ -149,7 +149,7 @@ func TestGenerationGcpConfig(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, false, false, + buildTf, _ := gcp.NewTerraform(false, true, false, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -183,7 +183,7 @@ func TestGenerationGcpAuditLog(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, false, true, false, + buildTf, _ := gcp.NewTerraform(false, false, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -206,7 +206,6 @@ func TestGenerationGcpAuditLogPubSub(t *testing.T) { MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "y"}, MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, MsgRsp{cmd.QuestionGcpCustomFilter, ""}, MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, @@ -245,7 +244,6 @@ func TestGenerationGcpAuditLogPubSubOrg(t *testing.T) { MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "y"}, MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, MsgRsp{cmd.QuestionGcpCustomFilter, ""}, MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, 
@@ -268,75 +266,6 @@ func TestGenerationGcpAuditLogPubSubOrg(t *testing.T) { ).Generate() assert.Equal(t, buildTf, tfResult) } -func TestGenerationGcpAuditLogEnableUBLA(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - projectId := "project-1" - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "n"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - "--enable_ubla", - ) - - assert.Contains(t, final, "Terraform code saved in") - - buildTf, _ := gcp.NewTerraform(false, false, true, false, - gcp.WithProjectId("project-1"), - gcp.WithEnableUBLA(true), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - -func TestGenerationGcpAuditLogDisableUBLA(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - projectId := "project-1" - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "n"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - "--enable_ubla=false", - ) - - assert.Contains(t, final, "Terraform code saved in") - - buildTf, _ := 
gcp.NewTerraform(false, false, true, false, - gcp.WithProjectId("project-1"), - gcp.WithEnableUBLA(false), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} // Test organization integration for Agentless, Configuration and Audit Log func TestGenerationGcpAllIntegrationsOrg(t *testing.T) { @@ -371,7 +300,7 @@ func TestGenerationGcpAllIntegrationsOrg(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(true, true, true, false, + buildTf, _ := gcp.NewTerraform(true, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -413,7 +342,7 @@ func TestGenerationGcpPrefixAndWait(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithPrefix(prefix), gcp.WithWaitTime(waitTime), 
@@ -465,146 +394,13 @@ func TestGenerationGcpSACreds(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithGcpServiceAccountCredentials(serviceAccountFilePath), ).Generate() assert.Equal(t, buildTf, tfResult) } -// Test Audit Log with existing Bucket -func TestGenerationGcpAuditLogExistingBucket(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, - MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "y"}, - MsgRsp{cmd.QuestionGcpExistingBucketName, "bucketMcBucketFace"}, - MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, - MsgRsp{cmd.QuestionGcpCustomFilter, ""}, - MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - - final, _ = c.ExpectEOF() - - }, - "generate", - "cloud-account", - "gcp", - ) - - assertTerraformSaved(t, final) - - buildTf, _ := gcp.NewTerraform(false, true, true, false, - gcp.WithProjectId(projectId), - gcp.WithExistingLogBucketName("bucketMcBucketFace"), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - -// Test Audit Log with new Bucket -func TestGenerationGcpAuditLogNewBucket(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, 
[]MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, - MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "n"}, - MsgRsp{cmd.QuestionGcpConfigureNewBucket, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, - MsgRsp{cmd.QuestionGcpCustomFilter, ""}, - MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - ) - - assertTerraformSaved(t, final) - - buildTf, _ := gcp.NewTerraform(false, true, true, false, - gcp.WithProjectId(projectId), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - -// Test Audit Log with custom new Bucket -func TestGenerationGcpAuditLogCustomNewBucket(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - bucketName := "my-new-bucket" - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, - MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "n"}, - MsgRsp{cmd.QuestionGcpConfigureNewBucket, "y"}, - MsgRsp{cmd.QuestionGcpBucketRegion, "us-west1"}, - MsgRsp{cmd.QuestionGcpCustomBucketName, bucketName}, - 
MsgRsp{cmd.QuestionGcpBucketLifecycle, "420"}, - MsgRsp{cmd.QuestionGcpEnableUBLA, "y"}, - MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, - MsgRsp{cmd.QuestionGcpCustomFilter, ""}, - MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - ) - - assertTerraformSaved(t, final) - - buildTf, _ := gcp.NewTerraform(false, true, true, false, - gcp.WithProjectId(projectId), - gcp.WithBucketRegion("us-west1"), - gcp.WithCustomBucketName(bucketName), - gcp.WithLogBucketLifecycleRuleAge(420), - gcp.WithEnableUBLA(true), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - // Test Audit Log with existing sink. func TestGenerationGcpAuditLogWithExistingSink(t *testing.T) { os.Setenv("LW_NOCACHE", "true") @@ -622,13 +418,6 @@ func TestGenerationGcpAuditLogWithExistingSink(t *testing.T) { MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "n"}, - MsgRsp{cmd.QuestionGcpConfigureNewBucket, "y"}, - MsgRsp{cmd.QuestionGcpBucketRegion, "us-west1"}, - MsgRsp{cmd.QuestionGcpCustomBucketName, ""}, - MsgRsp{cmd.QuestionGcpBucketLifecycle, "420"}, - MsgRsp{cmd.QuestionGcpEnableUBLA, "y"}, MsgRsp{cmd.QuestionGcpUseExistingSink, "y"}, MsgRsp{cmd.QuestionGcpExistingSinkName, "sink"}, MsgRsp{cmd.QuestionGcpCustomFilter, ""}, 
@@ -644,59 +433,13 @@ func TestGenerationGcpAuditLogWithExistingSink(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), - gcp.WithBucketRegion("us-west1"), - gcp.WithLogBucketLifecycleRuleAge(420), - gcp.WithEnableUBLA(true), gcp.WithExistingLogSinkName("sink"), ).Generate() assert.Equal(t, buildTf, tfResult) } -// Test Audit Log with existing bucket -func TestGenerationGcpAuditLogWithExistingBucket(t *testing.T) { - os.Setenv("LW_NOCACHE", "true") - defer os.Setenv("LW_NOCACHE", "") - var final string - filter := "filter" - - tfResult := runGcpGenerateTest(t, - func(c *expect.Console) { - expectsCliOutput(t, c, []MsgRspHandler{ - MsgRsp{cmd.QuestionGcpEnableAgentless, "n"}, - MsgRsp{cmd.QuestionGcpEnableConfiguration, "n"}, - MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"}, - MsgRsp{cmd.QuestionGcpProjectID, projectId}, - MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"}, - MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, - MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, - MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "n"}, - MsgRsp{cmd.QuestionGcpUseExistingBucket, "y"}, - MsgRsp{cmd.QuestionGcpExistingBucketName, "bucketMcBucketFace"}, - MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, - MsgRsp{cmd.QuestionGcpCustomFilter, filter}, - MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"}, - MsgRsp{cmd.QuestionRunTfPlan, "n"}, - }) - final, _ = c.ExpectEOF() - }, - "generate", - "cloud-account", - "gcp", - ) - - assertTerraformSaved(t, final) - - buildTf, _ := gcp.NewTerraform(false, false, true, false, - gcp.WithProjectId(projectId), - gcp.WithExistingLogBucketName("bucketMcBucketFace"), - gcp.WithCustomFilter(filter), - ).Generate() - assert.Equal(t, buildTf, tfResult) -} - // Test integrations with existing Service Account details func TestGenerationGcpExistingSA(t *testing.T) { os.Setenv("LW_NOCACHE", 
"true") @@ -732,7 +475,7 @@ func TestGenerationGcpExistingSA(t *testing.T) { serviceAccountDetails.Name = "SA_1" serviceAccountDetails.PrivateKey = "cGFzc3dvcmRNY1Bhc3N3b3JkRmFjZQ==" - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithExistingServiceAccount(serviceAccountDetails), ).Generate() @@ -756,7 +499,6 @@ func TestGenerationGcpPubSubUseExistingSA(t *testing.T) { MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""}, MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"}, MsgMenu{cmd.GcpAdvancedOptAuditLog, 0}, - MsgRsp{cmd.QuestionUsePubSubAudit, "y"}, MsgRsp{cmd.QuestionGcpUseExistingSink, "n"}, MsgRsp{cmd.QuestionGcpCustomFilter, ""}, MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "y"}, @@ -819,7 +561,7 @@ func TestGenerationGcpConfigurationWithCustomIntegrationName(t *testing.T) { assertTerraformSaved(t, final) // Create the TF directly with lwgenerate and validate same result via CLI - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithConfigurationIntegrationName("customConfigurationIntegrationName"), ).Generate() @@ -858,7 +600,7 @@ func TestGenerationGcpAuditLogWithCustomIntegrationName(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithAuditLogIntegrationName("customAuditLogIntegrationName"), ).Generate() @@ -903,7 +645,7 @@ func TestGenerationGcpCustomizedOutputLocation(t *testing.T) { result, _ := os.ReadFile(filepath.FromSlash(fmt.Sprintf("%s/main.tf", dir))) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, string(result)) 
@@ -937,7 +679,7 @@ func TestGenerationGcpAdvancedOptsDone(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -971,7 +713,7 @@ func TestGenerationGcpAdvancedOptsDoneConfigurationOnly(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, false, false, + buildTf, _ := gcp.NewTerraform(false, true, false, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -1057,7 +799,7 @@ func TestGenerationGcpFolders(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -1100,7 +842,7 @@ func TestGenerationGcpFoldersShorthand(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -1141,7 +883,7 @@ func TestGenerationGcpIncludeRootProjects(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), @@ -1182,7 +924,7 @@ func TestGenerationGcpIncludeRootProjectsFalse(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithOrganizationIntegration(true), gcp.WithOrganizationId(organizationId), 
@@ -1221,7 +963,7 @@ func TestGenerationGcpAuditLogFiltersTrue(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, false, true, false, + buildTf, _ := gcp.NewTerraform(false, false, true, true, gcp.WithProjectId(projectId), gcp.WithGoogleWorkspaceFilter(true), gcp.WithK8sFilter(true), @@ -1258,7 +1000,7 @@ func TestGenerationGcpAuditLogFiltersFalse(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, false, true, false, + buildTf, _ := gcp.NewTerraform(false, false, true, true, gcp.WithProjectId(projectId), gcp.WithGoogleWorkspaceFilter(false), gcp.WithK8sFilter(false), @@ -1295,7 +1037,7 @@ func TestGenerationGcpInvalidProjectId(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, false, true, false, + buildTf, _ := gcp.NewTerraform(false, false, true, true, gcp.WithProjectId(projectId), ).Generate() assert.Equal(t, buildTf, tfResult) @@ -1449,7 +1191,7 @@ func TestGenerationGcpLaceworkProfile(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithLaceworkProfile(gcpProfile), ).Generate() @@ -1493,7 +1235,7 @@ func TestGenerationGcpMultipleProjects(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithMultipleProject(gcpProjects), ).Generate() @@ -1532,7 +1274,7 @@ func TestGenerationGcpMultipleProjectsInteractive(t *testing.T) { assertTerraformSaved(t, final) - buildTf, _ := gcp.NewTerraform(false, true, true, false, + buildTf, _ := gcp.NewTerraform(false, true, true, true, gcp.WithProjectId(projectId), gcp.WithMultipleProject(gcpProjects), ).Generate() 
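Review bot: None of the remaining tests exercise the retained `--use_pub_sub` flag; every updated `gcp.NewTerraform(..., true, ...)` expectation in this file simply follows the new default. Because the flag is kept but overridden by `gcp.WithUsePubSubAudit(true)` in the command, add one case that runs `generate cloud-account gcp --use_pub_sub=false` and asserts the chosen behaviour — the same Terraform as the default case, or an error — so the deprecation path is pinned rather than implicit. TestGenerationGcpMultipleProjectsInteractive continues outside the hunk.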
diff --git a/integration/test_resources/help/generate_cloud-account_gcp b/integration/test_resources/help/generate_cloud-account_gcp index d130875ff..b5efc231d 100644 --- a/integration/test_resources/help/generate_cloud-account_gcp +++ b/integration/test_resources/help/generate_cloud-account_gcp @@ -25,14 +25,9 @@ Flags: --apply run terraform apply without executing plan or prompting --audit_log enable audit log integration --audit_log_integration_name string specify a custom audit log integration name - --bucket_lifecycle_rule_age int specify the lifecycle rule age (default -1) - --bucket_region string specify bucket region --configuration enable configuration integration --configuration_integration_name string specify a custom configuration integration name - --custom_bucket_name string override prefix based storage bucket name generation with a custom name --custom_filter string Audit Log filter which supersedes all other filter options when defined - --enable_ubla enable universal bucket level access(ubla) (default true) - --existing_bucket_name string specify existing bucket name --existing_service_account_name string specify existing service account name --existing_service_account_private_key string specify existing service account private key (base64 encoded) --existing_sink_name string specify existing sink name @@ -51,7 +46,7 @@ Flags: --projects strings list of project IDs to integrate with (project-level integrations) --regions strings List of GCP regions to deploy for Agentless integration --service_account_credentials string specify service account credentials JSON file path (leave blank to make use of google credential ENV vars) - --use_pub_sub use pub/sub for the audit log data rather than bucket + --use_pub_sub deprecated: pub/sub audit log integration is always used and only supported type (default true) --wait_time string amount of time to wait before the next resource is provisioned Global Flags: