feat: add module logic (#2)

Signed-off-by: Kolbeinn Karlsson <kolbeinn.karlsson@lacework.net>

README.md

@@ -1,18 +1,58 @@
 <a href="https://lacework.com"><img src="https://techally-content.s3-us-west-1.amazonaws.com/public-content/lacework_logo_full.png" width="600"></a>
 
-# terraform-<PROVIDER>-<NAME>
+# terraform-oci-iam-user
 
-[![GitHub release](https://img.shields.io/github/release/lacework/terraform-<PROVIDER>-<NAME>.svg)](https://github.com/lacework/terraform-<PROVIDER>-<NAME>/releases/)
+[![GitHub release](https://img.shields.io/github/release/lacework/terraform-oci-iam-user.svg)](https://github.com/lacework/terraform-oci-iam-user/releases/)
 [![Codefresh build status]( https://g.codefresh.io/api/badges/pipeline/lacework/terraform-modules%2Ftest-compatibility?type=cf-1&key=eyJhbGciOiJIUzI1NiJ9.NWVmNTAxOGU4Y2FjOGQzYTkxYjg3ZDEx.RJ3DEzWmBXrJX7m38iExJ_ntGv4_Ip8VTa-an8gBwBo)]( https://g.codefresh.io/pipelines/edit/new/builds?id=607e25e6728f5a6fba30431b&pipeline=test-compatibility&projects=terraform-modules&projectId=607db54b728f5a5f8930405d)
 
-A Terraform Module to __________________________ with Lacework.
+A Terraform Module to create a user and group to be used to integrate and OCI
+cloud account with Lacework.
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 0.14 |
+| <a name="requirement_oci"></a> [oci](#requirement\_oci) | >= 5.3.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_oci"></a> [oci](#provider\_oci) | >= 5.3.0 |
+
+## Modules
+
+No modules.
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [oci_identity_group.lacework_group](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_group) | resource |
+| [oci_identity_user.lacework_user](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_user) | resource |
+| [oci_identity_user_capabilities_management.lacework_user_capabilities_management](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_user_capabilities_management) | resource |
+| [oci_identity_user_group_membership.lacework_user_group_membership](https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_user_group_membership) | resource |
 
 ## Inputs
 
 | Name | Description | Type | Default | Required |
-|------|-------------|------|---------|----------|
+|------|-------------|------|---------|:--------:|
+| <a name="input_base_name"></a> [base\_name](#input\_base\_name) | Names for the created resources will be ${base\_name}\_{user,group} | `string` | `"lacework_security_integration"` | no |
+| <a name="input_create"></a> [create](#input\_create) | Set to false to prevent module from creating any resources | `bool` | `true` | no |
+| <a name="input_defined_tags"></a> [defined\_tags](#input\_defined\_tags) | defined tags for the resources created for Lacework integration | `map` | `{}` | no |
+| <a name="input_email"></a> [email](#input\_email) | Optional email associated with the created user | `string` | `"lacework@lacework.net"` | no |
+| <a name="input_freeform_tags"></a> [freeform\_tags](#input\_freeform\_tags) | freeform tags for the resources created for Lacework integration | `map` | `{}` | no |
+| <a name="input_group_name"></a> [group\_name](#input\_group\_name) | Name of the identity group for the Lacework user (overrides base\_name) | `string` | `""` | no |
+| <a name="input_tenancy_id"></a> [tenancy\_id](#input\_tenancy\_id) | OCID of the OCI tenancy to be integrated with Lacework | `string` | n/a | yes |
+| <a name="input_user_name"></a> [user\_name](#input\_user\_name) | Name of the IAM user used for Lacework integration (overrides base\_name) | `string` | `""` | no |
 
 ## Outputs
 
 | Name | Description |
 |------|-------------|
+| <a name="output_created"></a> [created](#output\_created) | Was the OCI user created |
+| <a name="output_group_name"></a> [group\_name](#output\_group\_name) | Name of the group created to manage permissions for the integration user |
+| <a name="output_group_ocid"></a> [group\_ocid](#output\_group\_ocid) | OCID of the group created to manage permissions for the integration user |
+| <a name="output_user_name"></a> [user\_name](#output\_user\_name) | Name of the user created for the Lacework integration |
+| <a name="output_user_ocid"></a> [user\_ocid](#output\_user\_ocid) | OCID of the user created for the Lacework integration |

examples/custom-iam-user/README.md

@@ -0,0 +1,17 @@
+# Skip creation of resources
+
+This example shows how to use the Terraform module with custom names for
+resources.
+
+```hcl
+module "lacework_iam_user" {
+  source = "../.."
+  tenancy_id = var.tenancy_id
+  base_name = "lacework_test"
+}
+
+variable "tenancy_id" {
+  type = string
+  description = "OCID of the tenancy to be integrated with Lacework"
+}
+```

examples/custom-iam-user/main.tf

@@ -0,0 +1,10 @@
+module "lacework_iam_user" {
+  source = "../.."
+  tenancy_id = var.tenancy_ocid
+	base_name = "lacework_test"
+}
+
+variable "tenancy_ocid" {
+  type = string
+  description = "OCID of the tenancy to be integrated with Lacework"
+}

examples/default-iam-user/README.md

@@ -0,0 +1,16 @@
+# Default Example
+
+This example creates an IAM user, group, and policy needed for Lacework integration/
+
+```hcl
+module "lacework_iam_user" {
+  source = "../.."
+  tenancy_id = var.tenancy_id
+}
+
+variable "tenancy_id" {
+  type = string
+  description = "OCID of the tenancy to be integrated with Lacework"
+}
+
+```

examples/default-iam-user/main.tf

@@ -0,0 +1,9 @@
+module "lacework_iam_user" {
+  source = "../.."
+  tenancy_id = var.tenancy_ocid
+}
+
+variable "tenancy_ocid" {
+  type = string
+  description = "OCID of the tenancy to be integrated with Lacework"
+}

examples/skip-creation-iam-user/README.md

@@ -0,0 +1,17 @@
+# Skip creation of resources
+
+This example shows how to run the Terraform module without creating resources.
+
+```hcl
+module "lacework_iam_user" {
+  source = "../.."
+  tenancy_id = var.tenancy_id
+  create = false
+}
+
+variable "tenancy_id" {
+  type = string
+  description = "OCID of the tenancy to be integrated with Lacework"
+}
+
+```

examples/skip-creation-iam-user/main.tf

@@ -0,0 +1,10 @@
+module "lacework_iam_user" {
+  source = "../.."
+  tenancy_id = var.tenancy_ocid
+  create = false
+}
+
+variable "tenancy_ocid" {
+  type = string
+  description = "OCID of the tenancy to be integrated with Lacework"
+}

main.tf

@@ -1 +1,52 @@
-# Your Terraform code goes here :)
+locals {
+  user_name  = length(var.user_name) > 0 ? var.user_name : "${var.base_name}_user"
+  group_name = length(var.group_name) > 0 ? var.group_name : "${var.base_name}_group"
+}
+
+resource "oci_identity_user" "lacework_user" {
+  count = var.create ? 1 : 0
+
+  compartment_id = var.tenancy_id
+  description    = "Identity user used for Lacework integration"
+  name           = local.user_name
+  email          = var.email
+  freeform_tags  = var.freeform_tags
+}
+
+resource "oci_identity_user_capabilities_management" "lacework_user_capabilities_management" {
+  count                        = var.create ? 1 : 0
+  user_id                      = oci_identity_user.lacework_user[count.index].id
+  can_use_api_keys             = true
+  can_use_auth_tokens          = false
+  can_use_console_password     = false
+  can_use_customer_secret_keys = false
+  can_use_smtp_credentials     = false
+}
+
+resource "oci_identity_group" "lacework_group" {
+  count          = var.create ? 1 : 0
+  compartment_id = var.tenancy_id
+  description    = "Identity group for the Lacework integration user"
+  name           = local.group_name
+  freeform_tags  = var.freeform_tags
+}
+
+resource "oci_identity_user_group_membership" "lacework_user_group_membership" {
+  count    = var.create ? 1 : 0
+  group_id = oci_identity_group.lacework_group[count.index].id
+  user_id  = oci_identity_user.lacework_user[count.index].id
+}
+
+resource "tls_private_key" "rsa_key" { 
+  count = var.create ? 1 : 0
+  algorithm = "RSA"
+  rsa_bits = 4096
+}
+
+resource "oci_identity_api_key" "lacework_api_key" {
+  count = var.create ? 1 : 0
+  user_id = oci_identity_user.lacework_user[count.index].id
+  key_value = tls_private_key.rsa_key[count.index].public_key_pem
+}
+
+# Use public_key_fingerprint_md5, private_key_pem, public_key_pem 

output.tf

@@ -1,4 +1,36 @@
-#output "example" {
-#  value       = var.example
-#  description = "This is just an example of an output"
-#}
+output "created" {
+  value       = var.create
+  description = "Was the OCI user created"
+}
+
+output "user_ocid" {
+  value       = var.create ? oci_identity_user.lacework_user[0].id : ""
+  description = "OCID of the user created for the Lacework integration"
+}
+
+output "user_name" {
+  value       = var.create ? oci_identity_user.lacework_user[0].name : ""
+  description = "Name of the user created for the Lacework integration"
+}
+
+output "group_ocid" {
+  value       = var.create ? oci_identity_group.lacework_group[0].id : ""
+  description = "OCID of the group created to manage permissions for the integration user"
+}
+
+output "group_name" {
+  value       = var.create ? oci_identity_group.lacework_group[0].name : ""
+  description = "Name of the group created to manage permissions for the integration user"
+}
+
+output "user_private_key_pem" {
+  value = var.create ? tls_private_key.rsa_key[0].private_key_pem : ""
+  description = "The private key of the API key of the user created for integration"
+  sensitive = true
+}
+
+output "user_public_key_fingerprint" {
+  value = var.create ? oci_identity_api_key.lacework_api_key[0].fingerprint : ""
+  description = "The public key fingerprint of the API key created for integration"
+}
+

scripts/ci_tests.sh

@@ -6,10 +6,13 @@
 #
 set -eou pipefail
 
-readonly project_name=terraform-<PROVIDER>-<NAME>
+readonly project_name=terraform-oci-iam-user
+private_key_file_name=oci_private_key.pem
 
 TEST_CASES=(
-  examples/default
+  examples/default-iam-user
+  examples/custom-iam-user
+  examples/skip-creation-iam-user
 )
 
 log() {
@@ -20,6 +23,17 @@ warn() {
   echo "xxx ${project_name}: $1" >&2
 }
 
+export_oci_credentials() {
+  # This is necessary because environment variables with newlines in them are
+  # hard to store in Codefresh.
+  echo $OCI_PRIVATE_KEY | sed 's/%/\r\n/g' > $private_key_file_name
+  export TF_VAR_private_key_path=$(pwd)/${private_key_file_name}
+}
+
+cleanup_oci_credentials() {
+  rm ${private_key_file_name}
+}
+
 integration_tests() {
   for tcase in ${TEST_CASES[*]}; do
     log "Running tests at $tcase"
@@ -38,7 +52,9 @@ lint_tests() {
 
 main() {
   lint_tests
+  export_oci_credentials
   integration_tests
+  cleanup_oci_credentials
 }
 
 main || exit 99

scripts/release.sh

@@ -13,7 +13,7 @@ source scripts/release_helpers.sh
 
 # Required Variables
 readonly org_name=lacework
-readonly project_name=terraform-<PROVIDER>-<NAME>
+readonly project_name=terraform-oci-iam-user
 readonly git_user="Lacework Inc."
 readonly git_email="tech-ally@lacework.net"
 readonly required_files_for_release=(

variables.tf

@@ -1,5 +1,44 @@
-#variable "example" {
-#  type        = string
-#  default     = ""
-#  description = "This is just an example of a variable"
-#}
+# Required
+
+variable "tenancy_id" {
+  type        = string
+  description = "OCID of the OCI tenancy to be integrated with Lacework"
+}
+
+# Optional
+
+variable "create" {
+  type        = bool
+  default     = true
+  description = "Set to false to prevent module from creating any resources"
+}
+
+variable "freeform_tags" {
+  type        = map(any)
+  default     = {}
+  description = "freeform tags for the resources created for Lacework integration"
+}
+
+variable "email" {
+  type        = string
+  default     = "lacework@lacework.net"
+  description = "Optional email associated with the created user"
+}
+
+variable "base_name" {
+  type        = string
+  default     = "lacework_security_integration"
+  description = "Names for the created resources will be $${base_name}_{user,group}"
+}
+
+variable "user_name" {
+  type        = string
+  default     = ""
+  description = "Name of the IAM user used for Lacework integration (overrides base_name)"
+}
+
+variable "group_name" {
+  type        = string
+  default     = ""
+  description = "Name of the identity group for the Lacework user (overrides base_name)"
+}