
chore: Implement --aws_assume_role flag for CLI aws integration #1434

Merged
merged 2 commits into from
Nov 6, 2023

Conversation

PengyuanZhao
Contributor

Summary

Add the --aws_assume_role flag to lacework generate cloud-account aws

How did you test this change?

make test
make integration-context-tests

Run lacework generate cloud-account aws --noninteractive --agentless --config --cloudtrail --aws_profile org --aws_assume_role arn:aws:iam::123456789000:role/role_in_account_b --aws_region us-east-1 --aws_subaccount subaccount1:us-east-2,subaccount2:us-east-3. Then verify the generated terraform code:

terraform {
  required_providers {
    lacework = {
      source  = "lacework/lacework"
      version = "~> 1.0"
    }
  }
}

provider "aws" {
  alias   = "main"
  profile = "org"
  region  = "us-east-1"

  assume_role {
    role_arn = "arn:aws:iam::123456789000:role/role_in_account_b"
  }
}

provider "aws" {
  alias   = "subaccount1"
  profile = "subaccount1"
  region  = "us-east-2"
}

provider "aws" {
  alias   = "subaccount2"
  profile = "subaccount2"
  region  = "us-east-3"
}

module "aws_config" {
  source  = "lacework/config/aws"
  version = "~> 0.5"

  providers = {
    aws = aws.main
  }
}

module "aws_config_subaccount1" {
  source  = "lacework/config/aws"
  version = "~> 0.5"

  providers = {
    aws = aws.subaccount1
  }
}

module "aws_config_subaccount2" {
  source  = "lacework/config/aws"
  version = "~> 0.5"

  providers = {
    aws = aws.subaccount2
  }
}

module "main_cloudtrail" {
  source                = "lacework/cloudtrail/aws"
  version               = "~> 2.7"
  iam_role_arn          = module.aws_config.iam_role_arn
  iam_role_external_id  = module.aws_config.external_id
  iam_role_name         = module.aws_config.iam_role_name
  use_existing_iam_role = true

  providers = {
    aws = aws.main
  }
}

module "lacework_aws_agentless_scanning_global" {
  source   = "lacework/agentless-scanning/aws"
  version  = "~> 0.6"
  global   = true
  regional = true
}

module "lacework_aws_agentless_scanning_region_subaccount1" {
  source                  = "lacework/agentless-scanning/aws"
  version                 = "~> 0.6"
  global_module_reference = module.lacework_aws_agentless_scanning_global
  regional                = true

  providers = {
    aws = aws.subaccount1
  }
}

module "lacework_aws_agentless_scanning_region_subaccount2" {
  source                  = "lacework/agentless-scanning/aws"
  version                 = "~> 0.6"
  global_module_reference = module.lacework_aws_agentless_scanning_global
  regional                = true

  providers = {
    aws = aws.subaccount2
  }
}

Issue

https://lacework.atlassian.net/browse/GROW-2562
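As an added illustration (not code from the lacework CLI or this PR), a Go sketch of the two things the flag has to get right: the supplied role ARN is checked for shape before it is templated, and the assume_role block is emitted only for the provider that was given a role, matching the generated output above. AwsProvider and RenderProvider are hypothetical names.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Matches an IAM role ARN like arn:aws:iam::123456789000:role/role_in_account_b
// (partition aws, aws-cn or aws-us-gov; 12-digit account id; role name, optional path).
var roleArnPattern = regexp.MustCompile(`^arn:aws(?:-cn|-us-gov)?:iam::\d{12}:role/[\w+=,.@/-]+$`)

// ValidateRoleArn rejects anything that is not a well-formed IAM role ARN, so a typo
// or an unexpanded shell value is caught before it is written into provider config.
func ValidateRoleArn(arn string) error {
	if !roleArnPattern.MatchString(arn) {
		return fmt.Errorf("invalid IAM role ARN %q", arn)
	}
	return nil
}

// AwsProvider is a hypothetical model of one provider "aws" block (not a CLI type).
type AwsProvider struct {
	Alias, Profile, Region string
	AssumeRoleArn          string // empty: no assume_role block is emitted
}

// RenderProvider renders the block in the shape shown in the PR description, adding
// assume_role only when a role ARN was supplied (i.e. --aws_assume_role was set).
func RenderProvider(p AwsProvider) (string, error) {
	var b strings.Builder
	fmt.Fprintf(&b, "provider \"aws\" {\n  alias   = %q\n  profile = %q\n  region  = %q\n",
		p.Alias, p.Profile, p.Region)
	if p.AssumeRoleArn != "" {
		if err := ValidateRoleArn(p.AssumeRoleArn); err != nil {
			return "", err
		}
		fmt.Fprintf(&b, "\n  assume_role {\n    role_arn = %q\n  }\n", p.AssumeRoleArn)
	}
	b.WriteString("}\n")
	return b.String(), nil
}

func main() {
	// Constructed input mirroring the PR's test command; subaccount providers get no role.
	out, err := RenderProvider(AwsProvider{Alias: "main", Profile: "org", Region: "us-east-1",
		AssumeRoleArn: "arn:aws:iam::123456789000:role/role_in_account_b"})
	fmt.Println(out, err)
}
```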

@PengyuanZhao PengyuanZhao requested a review from a team as a code owner November 4, 2023 23:36
@PengyuanZhao PengyuanZhao merged commit a6bcd7f into main Nov 6, 2023
@PengyuanZhao PengyuanZhao deleted the GROW-2562 branch November 6, 2023 15:31
@lacework-releng lacework-releng mentioned this pull request Nov 9, 2023