From 6c08ea34d86bc93d6647dc89b5b40953c3e1f484 Mon Sep 17 00:00:00 2001
From: Mike Laramie
Date: Wed, 12 Jan 2022 17:20:49 -0500
Subject: [PATCH] fix: adding roles/storage.objectViewer and enabling library scanning by default
---
 main.tf | 11 +++++++++--
 variables.tf | 2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)
diff --git a/main.tf b/main.tf
index fb811e5..29b97eb 100644
--- a/main.tf
+++ b/main.tf
@@ -39,12 +39,18 @@ resource "google_project_service" "required_apis_for_gar_integration" {
 }
 // Role(s) for a GAR integration
-resource "google_project_iam_member" "for_gar_integration" {
+resource "google_project_iam_member" "gar_reader" {
 project = local.project_id
 role = "roles/artifactregistry.reader"
 member = "serviceAccount:${local.service_account_json_key.client_email}"
 }
+resource "google_project_iam_member" "storage_reader" {
+ project = local.project_id
+ role = "roles/storage.objectViewer"
+ member = "serviceAccount:${local.service_account_json_key.client_email}"
+}
+
 # wait for X seconds for things to settle down in the GCP side
 # before trying to create the Lacework external integration
 resource "time_sleep" "wait_time" {
@@ -52,7 +58,8 @@ resource "time_sleep" "wait_time" {
 depends_on = [
 module.lacework_gar_svc_account,
 google_project_service.required_apis_for_gar_integration,
- google_project_iam_member.for_gar_integration
+ google_project_iam_member.gar_reader,
+ google_project_iam_member.storage_reader
 ]
 }
diff --git a/variables.tf b/variables.tf
index d5a6a6f..d277fea 100644
--- a/variables.tf
+++ b/variables.tf
@@ -82,6 +82,6 @@ variable "limit_num_imgs" {
 variable "non_os_package_support" {
 type = bool
- default = false
+ default = true
 description = "Whether or not the integration should check non-os packages in the container for vulnerabilities"
 }
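Review bot: The new `storage_reader` resource binds `roles/storage.objectViewer` at project scope, so the integration's service account can read every object in every bucket of the project rather than only what Artifact Registry reading requires, and neither the hunk nor the commit message says why this role is needed at all. Add a comment above the resource recording the requirement, e.g. `// roles/storage.objectViewer is required because: <reason> — see <doc reference>`, and if the need is limited to particular buckets prefer a `google_storage_bucket_iam_member` binding on those buckets over a project-level grant. Separately, renaming `for_gar_integration` to `gar_reader` changes the resource address, so consumers with existing state will plan a destroy-and-recreate of the `roles/artifactregistry.reader` binding on upgrade; if the module's required Terraform version permits it, a `moved { from = google_project_iam_member.for_gar_integration to = google_project_iam_member.gar_reader }` block keeps that binding in place. The `time_sleep` resource that follows continues outside the hunk.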
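Review bot: Flipping the default of `non_os_package_support` from `false` to `true` changes behaviour for every consumer that never set the variable, and nothing in the hunk records that; a consumer upgrading the module will presumably see a plan diff on the Lacework integration they did not ask for. Record the change where the module documents its variables (a changelog entry or a README note naming the version it landed in), and consider tightening the description so it matches the commit's own wording, e.g. `description = "Whether the integration should also scan non-OS (library) packages in the container for vulnerabilities. Defaults to true."`.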