feat: GCP multi project Terraform (#1233)

Author: jon-stewart

cli/cmd/generate_gcp.go

@@ -2,6 +2,7 @@ package cmd
 
 import (
 	"regexp"
+	"strings"
 	"time"
 
 	"github.com/imdario/mergo"
@@ -46,7 +47,9 @@ var (
 
 	QuestionGcpAnotherAdvancedOpt      = "Configure another advanced integration option"
 	GcpAdvancedOptLocation             = "Customize output location"
+	GcpAdvancedOptProjects             = "Configure multiple projects"
 	QuestionGcpCustomizeOutputLocation = "Provide the location for the output to be written:"
+	QuestionGcpCustomizeProjects       = "Provide comma separated list of project ID"
 	QuestionGcpCustomFilter            = "Specify a custom Audit Log filter which supersedes all other filter options"
 	GcpAdvancedOptDone                 = "Done"
 
@@ -117,6 +120,7 @@ See help output for more details on the parameter value(s) required for Terrafor
 				gcp.WithPrefix(GenerateGcpCommandState.Prefix),
 				gcp.WithWaitTime(GenerateGcpCommandState.WaitTime),
 				gcp.WithEnableUBLA(GenerateGcpCommandState.EnableUBLA),
+				gcp.WithMultipleProject(GenerateGcpCommandState.Projects),
 			}
 
 			if GenerateGcpCommandState.OrganizationIntegration {
@@ -441,6 +445,11 @@ func initGenerateGcpTfCommandFlags() {
 		"use_pub_sub",
 		false,
 		"use pub/sub for the audit log data rather than bucket")
+	generateGcpTfCommand.PersistentFlags().StringSliceVar(
+		&GenerateGcpCommandState.Projects,
+		"projects",
+		[]string{},
+		"list of project IDs to integrate with (project-level integrations)")
 }
 
 // survey.Validator for gcp region
@@ -616,6 +625,44 @@ func promptCustomizeGcpOutputLocation(extraState *GcpGenerateCommandExtraState)
 	return err
 }
 
+func promptCustomizeGcpProjects(config *gcp.GenerateGcpTfConfigurationArgs) error {
+
+	validation := func(val interface{}) error {
+		switch value := val.(type) {
+		case string:
+			for _, id := range strings.Split(value, ",") {
+				err := validateGcpProjectId(strings.TrimSpace(id))
+				if err != nil {
+					return err
+				}
+			}
+		default:
+			return errors.New("value must be a string")
+		}
+
+		return nil
+	}
+
+	var projects string
+
+	err := SurveyQuestionInteractiveOnly(SurveyQuestionWithValidationArgs{
+		Prompt:   &survey.Input{Message: QuestionGcpCustomizeProjects},
+		Response: &projects,
+		Opts:     []survey.AskOpt{survey.WithValidator(validation)},
+		Required: true,
+	})
+
+	if err != nil {
+		return err
+	}
+
+	for _, id := range strings.Split(projects, ",") {
+		config.Projects = append(config.Projects, strings.TrimSpace(id))
+	}
+
+	return nil
+}
+
 func askAdvancedOptions(config *gcp.GenerateGcpTfConfigurationArgs, extraState *GcpGenerateCommandExtraState) error {
 	answer := ""
 
@@ -631,7 +678,7 @@ func askAdvancedOptions(config *gcp.GenerateGcpTfConfigurationArgs, extraState *
 			options = append(options, GcpAdvancedOptAuditLog)
 		}
 
-		options = append(options, GcpAdvancedOptExistingServiceAccount, GcpAdvancedOptIntegrationName, GcpAdvancedOptLocation, GcpAdvancedOptDone)
+		options = append(options, GcpAdvancedOptExistingServiceAccount, GcpAdvancedOptIntegrationName, GcpAdvancedOptLocation, GcpAdvancedOptProjects, GcpAdvancedOptDone)
 		if err := SurveyQuestionInteractiveOnly(SurveyQuestionWithValidationArgs{
 			Prompt: &survey.Select{
 				Message: "Which options would you like to configure?",
@@ -660,6 +707,10 @@ func askAdvancedOptions(config *gcp.GenerateGcpTfConfigurationArgs, extraState *
 			if err := promptCustomizeGcpOutputLocation(extraState); err != nil {
 				return err
 			}
+		case GcpAdvancedOptProjects:
+			if err := promptCustomizeGcpProjects(config); err != nil {
+				return err
+			}
 		}
 
 		// Re-prompt if not done

integration/gcp_generation_test.go

@@ -817,7 +817,7 @@ func TestGenerationAdvancedOptsDoneGcp(t *testing.T) {
 				MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"},
 				MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""},
 				MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"},
-				MsgMenu{cmd.GcpAdvancedOptAuditLog, 4},
+				MsgMenu{cmd.GcpAdvancedOptAuditLog, 5},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
 			})
 			final, _ = c.ExpectEOF()
@@ -849,7 +849,7 @@ func TestGenerationAdvancedOptsDoneGcpConfiguration(t *testing.T) {
 				MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"},
 				MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""},
 				MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"},
-				MsgMenu{cmd.GcpAdvancedOptExistingServiceAccount, 3},
+				MsgMenu{cmd.GcpAdvancedOptDone, 4},
 				MsgRsp{cmd.QuestionRunTfPlan, "n"},
 			})
 			final, _ = c.ExpectEOF()
@@ -1323,6 +1323,85 @@ func TestGenerationGcpLaceworkProfile(t *testing.T) {
 	assert.Equal(t, buildTf, tfResult)
 }
 
+func TestGenerationGcpMultipleProjects(t *testing.T) {
+	os.Setenv("LW_NOCACHE", "true")
+	defer os.Setenv("LW_NOCACHE", "")
+	var final string
+	gcpProjects := []string{"project1", "project2", "project3"}
+
+	tfResult := runGcpGenerateTest(t,
+		func(c *expect.Console) {
+			expectsCliOutput(t, c, []MsgRspHandler{
+				MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"},
+				MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"},
+				MsgRsp{cmd.QuestionGcpProjectID, projectId},
+				MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"},
+				MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""},
+				MsgRsp{cmd.QuestionGcpConfigureAdvanced, "n"},
+				MsgRsp{cmd.QuestionRunTfPlan, "n"},
+			})
+
+			final, _ = c.ExpectEOF()
+		},
+		"generate",
+		"cloud-account",
+		"gcp",
+		"--projects",
+		"project1",
+		"--projects",
+		"project2",
+		"--projects",
+		"project3",
+		"--projects",
+		"project1",
+	)
+
+	assertTerraformSaved(t, final)
+
+	buildTf, _ := gcp.NewTerraform(true, true, false,
+		gcp.WithProjectId(projectId),
+		gcp.WithMultipleProject(gcpProjects),
+	).Generate()
+	assert.Equal(t, buildTf, tfResult)
+}
+
+func TestGenerationGcpMultipleProjectsInteractive(t *testing.T) {
+	os.Setenv("LW_NOCACHE", "true")
+	defer os.Setenv("LW_NOCACHE", "")
+	var final string
+	gcpProjects := []string{"project1", "project2", "project3"}
+
+	tfResult := runGcpGenerateTest(t,
+		func(c *expect.Console) {
+			expectsCliOutput(t, c, []MsgRspHandler{
+				MsgRsp{cmd.QuestionGcpEnableConfiguration, "y"},
+				MsgRsp{cmd.QuestionGcpEnableAuditLog, "y"},
+				MsgRsp{cmd.QuestionGcpProjectID, projectId},
+				MsgRsp{cmd.QuestionGcpOrganizationIntegration, "n"},
+				MsgRsp{cmd.QuestionGcpServiceAccountCredsPath, ""},
+				MsgRsp{cmd.QuestionGcpConfigureAdvanced, "y"},
+				MsgMenu{cmd.GcpAdvancedOptProjects, 4},
+				MsgRsp{cmd.QuestionGcpCustomizeProjects, "project1, project2  ,project3"},
+				MsgRsp{cmd.QuestionGcpAnotherAdvancedOpt, "n"},
+				MsgRsp{cmd.QuestionRunTfPlan, "n"},
+			})
+
+			final, _ = c.ExpectEOF()
+		},
+		"generate",
+		"cloud-account",
+		"gcp",
+	)
+
+	assertTerraformSaved(t, final)
+
+	buildTf, _ := gcp.NewTerraform(true, true, false,
+		gcp.WithProjectId(projectId),
+		gcp.WithMultipleProject(gcpProjects),
+	).Generate()
+	assert.Equal(t, buildTf, tfResult)
+}
+
 func runGcpGenerateTest(t *testing.T, conditions func(*expect.Console), args ...string) string {
 	os.Setenv("HOME", tfPath)
 

integration/test_resources/help/generate_cloud-account_gcp

@@ -45,6 +45,7 @@ Flags:
       --output string                                 location to write generated content (default is ~/lacework/gcp)
       --prefix string                                 prefix that will be used at the beginning of every generated resource
       --project_id string                             specify the project id to be used to provision lacework resources (required)
+      --projects strings                              list of project IDs to integrate with (project-level integrations)
       --service_account_credentials string            specify service account credentials JSON file path (leave blank to make use of google credential ENV vars)
       --use_pub_sub                                   use pub/sub for the audit log data rather than bucket
       --wait_time string                              amount of time to wait before the next resource is provisioned

lwgenerate/gcp/gcp.go

@@ -1,6 +1,7 @@
 package gcp
 
 import (
+	"fmt"
 	"sort"
 
 	"github.com/hashicorp/hcl/v2/hclwrite"
@@ -126,6 +127,8 @@ type GenerateGcpTfConfigurationArgs struct {
 	Prefix string
 
 	WaitTime string
+
+	Projects []string
 }
 
 // Ensure all combinations of inputs are valid for supported spec
@@ -376,6 +379,12 @@ func WithWaitTime(waitTime string) GcpTerraformModifier {
 	}
 }
 
+func WithMultipleProject(projects []string) GcpTerraformModifier {
+	return func(c *GenerateGcpTfConfigurationArgs) {
+		c.Projects = projects
+	}
+}
+
 // Generate new Terraform code based on the supplied args.
 func (args *GenerateGcpTfConfigurationArgs) Generate() (string, error) {
 	// Validate inputs
@@ -515,6 +524,14 @@ func createConfiguration(args *GenerateGcpTfConfigurationArgs) ([]*hclwrite.Bloc
 			attributes["wait_time"] = args.WaitTime
 		}
 
+		if len(args.Projects) > 0 {
+			value := make(map[string]string, len(args.Projects))
+			for _, p := range args.Projects {
+				value[p] = p
+			}
+			moduleDetails = append(moduleDetails, lwgenerate.HclModuleWithForEach("project_id", value))
+		}
+
 		moduleDetails = append(moduleDetails,
 			lwgenerate.HclModuleWithAttributes(attributes),
 		)
@@ -617,11 +634,18 @@ func createAuditLog(args *GenerateGcpTfConfigurationArgs) (*hclwrite.Block, erro
 
 		if args.ExistingServiceAccount == nil && args.Configuration {
 			attributes["use_existing_service_account"] = true
+
+			cfgModuleName := configurationModuleName
+
+			if len(args.Projects) > 0 {
+				cfgModuleName = fmt.Sprintf("%s[each.key]", cfgModuleName)
+			}
+
 			attributes["service_account_name"] = lwgenerate.CreateSimpleTraversal(
-				[]string{"module", configurationModuleName, "service_account_name"},
+				[]string{"module", cfgModuleName, "service_account_name"},
 			)
 			attributes["service_account_private_key"] = lwgenerate.CreateSimpleTraversal(
-				[]string{"module", configurationModuleName, "service_account_private_key"},
+				[]string{"module", cfgModuleName, "service_account_private_key"},
 			)
 		}
 
@@ -657,6 +681,14 @@ func createAuditLog(args *GenerateGcpTfConfigurationArgs) (*hclwrite.Block, erro
 			attributes["wait_time"] = args.WaitTime
 		}
 
+		if len(args.Projects) > 0 {
+			value := make(map[string]string)
+			for _, p := range args.Projects {
+				value[p] = p
+			}
+			moduleDetails = append(moduleDetails, lwgenerate.HclModuleWithForEach("project_id", value))
+		}
+
 		moduleDetails = append(moduleDetails,
 			lwgenerate.HclModuleWithAttributes(attributes),
 		)

lwgenerate/gcp/gcp_test.go

@@ -455,6 +455,26 @@ func TestGenerateGcpTfConfigurationArgs_Generate_AuditLog(t *testing.T) {
   version   = "~> 3.0"
   wait_time = "30s"
 }
+`),
+		},
+		{
+			"TestGenerationMultipleProject",
+			gcp.NewTerraform(false, true, false,
+				gcp.WithGcpServiceAccountCredentials("/path/to/credentials"),
+				gcp.WithProjectId(projectName),
+				gcp.WithMultipleProject([]string{"project1", "project2", "project3"}),
+			),
+			ReqProvider(projectName, `module "gcp_project_audit_log" {
+  source  = "lacework/audit-log/gcp"
+  version = "~> 3.0"
+
+  for_each = {
+    project1 = "project1"
+    project2 = "project2"
+    project3 = "project3"
+  }
+  project_id = each.key
+}
 `),
 		},
 	}
@@ -656,6 +676,26 @@ func TestGenerateGcpTfConfigurationArgs_Generate_Configuration(t *testing.T) {
   version   = "~> 2.3"
   wait_time = "30s"
 }
+`),
+		},
+		{
+			"TestGenerationMultipleProject",
+			gcp.NewTerraform(true, false, false,
+				gcp.WithGcpServiceAccountCredentials("/path/to/credentials"),
+				gcp.WithProjectId(projectName),
+				gcp.WithMultipleProject([]string{"project1", "project2", "project3"}),
+			),
+			ReqProvider(projectName, `module "gcp_project_level_config" {
+  source  = "lacework/config/gcp"
+  version = "~> 2.3"
+
+  for_each = {
+    project1 = "project1"
+    project2 = "project2"
+    project3 = "project3"
+  }
+  project_id = each.key
+}
 `),
 		},
 	}