feat: add new flag to generate cmds set lacework aws root account (#1121)

* feat: add new flag to generate cmds set lacework aws root account

Author: dmurray-lacework

cli/cmd/generate_aws.go

@@ -109,6 +109,7 @@ See help output for more details on the parameter value(s) required for Terrafor
 			mods := []aws.AwsTerraformModifier{
 				aws.WithAwsProfile(GenerateAwsCommandState.AwsProfile),
 				aws.WithLaceworkProfile(GenerateAwsCommandState.LaceworkProfile),
+				aws.WithLaceworkAccountID(GenerateAwsCommandState.LaceworkAccountID),
 				aws.ExistingCloudtrailBucketArn(GenerateAwsCommandState.ExistingCloudtrailBucketArn),
 				aws.ExistingSnsTopicArn(GenerateAwsCommandState.ExistingSnsTopicArn),
 				aws.WithSubaccounts(GenerateAwsCommandState.SubAccounts...),
@@ -442,6 +443,11 @@ func initGenerateAwsTfCommandFlags() {
 		"sqs_queue_name",
 		"",
 		"specify SQS queue name if creating new one")
+	generateAwsTfCommand.PersistentFlags().StringVar(
+		&GenerateAwsCommandState.LaceworkAccountID,
+		"lacework_aws_account_id",
+		"",
+		"the Lacework AWS root account id")
 }
 
 // survey.Validator for aws ARNs

cli/cmd/generate_aws_eks_audit.go

@@ -115,6 +115,7 @@ See help output for more details on the parameter values required for Terraform
 			// Setup modifiers for NewTerraform constructor
 			mods := []aws_eks_audit.AwsEksAuditTerraformModifier{
 				aws_eks_audit.WithAwsProfile(GenerateAwsEksAuditCommandState.AwsProfile),
+				aws_eks_audit.WithLaceworkAccountID(GenerateAwsEksAuditCommandState.LaceworkAccountID),
 				aws_eks_audit.WithBucketLifecycleExpirationDays(GenerateAwsEksAuditCommandState.BucketLifecycleExpirationDays),
 				aws_eks_audit.WithBucketSseAlgorithm(GenerateAwsEksAuditCommandState.BucketSseAlgorithm),
 				aws_eks_audit.WithBucketSseKeyArn(GenerateAwsEksAuditCommandState.BucketSseKeyArn),
@@ -333,6 +334,8 @@ func initGenerateAwsEksAuditTfCommandFlags() {
 	// TODO Share the help with the interactive generation
 	generateAwsEksAuditTfCommand.PersistentFlags().StringVar(
 		&GenerateAwsEksAuditCommandState.AwsProfile, "aws_profile", "", "specify aws profile")
+	generateAwsEksAuditTfCommand.PersistentFlags().StringVar(
+		&GenerateAwsEksAuditCommandState.LaceworkAccountID, "lacework_aws_account_id", "", "the Lacework AWS root account id")
 	generateAwsEksAuditTfCommand.PersistentFlags().BoolVar(
 		&GenerateAwsEksAuditCommandState.BucketEnableMfaDelete,
 		"enable_mfa_delete_s3",

cli/cmd/generate_gcp.go

@@ -434,7 +434,6 @@ func initGenerateGcpTfCommandFlags() {
 		"",
 		"location to write generated content (default is ~/lacework/gcp)",
 	)
-
 }
 
 // survey.Validator for gcp region

integration/test_resources/help/generate_cloud-account_aws

@@ -38,6 +38,7 @@ Flags:
       --existing_sns_topic_arn string         specify existing SNS topic arn
       --force_destroy_s3                      enable force destroy S3 bucket
   -h, --help                                  help for aws
+      --lacework_aws_account_id string        the Lacework AWS root account id
       --output string                         location to write generated content (default is ~/lacework/aws)
       --sns_topic_encryption_enabled          enable encryption on SNS topic when creating one (default true)
       --sns_topic_encryption_key_arn string   specify existing KMS encryption key arn for SNS topic

integration/test_resources/help/generate_k8s_eks

@@ -41,6 +41,7 @@ Flags:
   -h, --help                                      help for eks
       --integration_name string                   specify the name of the eks audit integration
       --kms_key_deletion_days int                 specify the kms waiting period before deletion, in number of days
+      --lacework_aws_account_id string            the Lacework AWS root account id
       --output string                             location to write generated content
       --prefix string                             specify the prefix that will be used at the beginning of every generated resource
       --region_clusters stringToString            configure eks clusters per aws region. To configure multiple regions pass the flag multiple times. Example format:  --region_clusters <region>="cluster,list" (default [])

lwgenerate/aws/aws.go

@@ -147,6 +147,9 @@ type GenerateAwsTfConfigurationArgs struct {
 
 	// Lacework Profile to use
 	LaceworkProfile string
+
+	// The Lacework AWS Root Account ID
+	LaceworkAccountID string
 }
 
 // Ensure all combinations of inputs our valid for supported spec
@@ -208,6 +211,13 @@ func WithLaceworkProfile(name string) AwsTerraformModifier {
 	}
 }
 
+// WithLaceworkAccountID Set the Lacework AWS root account ID to use
+func WithLaceworkAccountID(accountID string) AwsTerraformModifier {
+	return func(c *GenerateAwsTfConfigurationArgs) {
+		c.LaceworkAccountID = accountID
+	}
+}
+
 // ExistingCloudtrailBucketArn Set the bucket ARN of an existing Cloudtrail setup
 func ExistingCloudtrailBucketArn(arn string) AwsTerraformModifier {
 	return func(c *GenerateAwsTfConfigurationArgs) {
@@ -451,6 +461,9 @@ func createConfig(args *GenerateAwsTfConfigurationArgs) ([]*hclwrite.Block, erro
 			moduleDetails = append(moduleDetails,
 				lwgenerate.HclModuleWithProviderDetails(map[string]string{"aws": "aws.main"}))
 		}
+		if args.LaceworkAccountID != "" {
+			moduleDetails = append(moduleDetails, lwgenerate.HclModuleWithAttributes(map[string]interface{}{"lacework_aws_account_id": args.LaceworkAccountID}))
+		}
 
 		moduleBlock, err := lwgenerate.NewModule(
 			"aws_config",
@@ -489,6 +502,10 @@ func createCloudtrail(args *GenerateAwsTfConfigurationArgs) (*hclwrite.Block, er
 	if args.Cloudtrail {
 		attributes := map[string]interface{}{}
 		modDetails := []lwgenerate.HclModuleModifier{lwgenerate.HclModuleWithVersion(lwgenerate.AwsCloudTrailVersion)}
+
+		if args.LaceworkAccountID != "" {
+			attributes["lacework_aws_account_id"] = args.LaceworkAccountID
+		}
 		if args.ConsolidatedCloudtrail {
 			attributes["consolidated_trail"] = true
 		}

lwgenerate/aws/aws_test.go

@@ -63,6 +63,13 @@ func TestGenerationWithLaceworkProvider(t *testing.T) {
 	assert.Equal(t, reqProviderAndRegion(laceworkProvider, moduleImportCtWithoutConfig), hcl)
 }
 
+func TestGenerationWithLaceworkAccountID(t *testing.T) {
+	hcl, err := NewTerraform("us-east-2", true, true, WithLaceworkAccountID("123456789")).Generate()
+	assert.Nil(t, err)
+	assert.NotNil(t, hcl)
+	assert.Equal(t, reqProviderAndRegion(moduleImportConfigWithLaceworkAccountID, moduleImportCtWithLaceworkAccountID), hcl)
+}
+
 func TestGenerationCloudtrailForceDestroyS3(t *testing.T) {
 	data, err := createCloudtrail(&GenerateAwsTfConfigurationArgs{
 		Cloudtrail:           true,
@@ -412,3 +419,21 @@ var moduleImportConfig = `module "aws_config" {
   version = "~> 0.5"
 }
 `
+
+var moduleImportConfigWithLaceworkAccountID = `module "aws_config" {
+  source                  = "lacework/config/aws"
+  version                 = "~> 0.5"
+  lacework_aws_account_id = "123456789"
+}
+`
+
+var moduleImportCtWithLaceworkAccountID = `module "main_cloudtrail" {
+  source                  = "lacework/cloudtrail/aws"
+  version                 = "~> 2.0"
+  iam_role_arn            = module.aws_config.iam_role_arn
+  iam_role_external_id    = module.aws_config.external_id
+  iam_role_name           = module.aws_config.iam_role_name
+  lacework_aws_account_id = "123456789"
+  use_existing_iam_role   = true
+}
+`

lwgenerate/aws_eks_audit/aws_eks_audit.go

@@ -129,6 +129,9 @@ type GenerateAwsEksAuditTfConfigurationArgs struct {
 
 	// Lacework Profile to use
 	LaceworkProfile string
+
+	// The Lacework AWS Root Account ID
+	LaceworkAccountID string
 }
 
 // Ensure all combinations of inputs our valid for supported spec
@@ -184,6 +187,13 @@ func NewTerraform(mods ...AwsEksAuditTerraformModifier) *GenerateAwsEksAuditTfCo
 	return config
 }
 
+// WithLaceworkAccountID Set the Lacework AWS root account ID to use
+func WithLaceworkAccountID(accountID string) AwsEksAuditTerraformModifier {
+	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
+		c.LaceworkAccountID = accountID
+	}
+}
+
 // WithAwsProfile Set the AWS Profile to utilize when integrating
 func WithAwsProfile(name string) AwsEksAuditTerraformModifier {
 	return func(c *GenerateAwsEksAuditTfConfigurationArgs) {
@@ -477,6 +487,10 @@ func createEksAudit(args *GenerateAwsEksAuditTfConfigurationArgs) ([]*hclwrite.B
 	resourceAttrs := map[string]interface{}{}
 	moduleDetails := []lwgenerate.HclModuleModifier{lwgenerate.HclModuleWithVersion(lwgenerate.AwsEksAuditVersion)}
 
+	if args.LaceworkAccountID != "" {
+		moduleAttrs["lacework_aws_account_id"] = args.LaceworkAccountID
+	}
+
 	if args.BucketEnableMfaDelete && args.BucketVersioning {
 		moduleAttrs["bucket_enable_mfa_delete"] = true
 	}

lwgenerate/aws_eks_audit/aws_eks_audit_test.go

@@ -32,6 +32,15 @@ func TestGenerationEksSingleRegion(t *testing.T) {
 	assert.Equal(t, reqProviderAndRegion(moduleSingleRegionBasic), hcl)
 }
 
+func TestGenerationEksSingleWithLaceworkAccountID(t *testing.T) {
+	clusterMap := make(map[string][]string)
+	clusterMap["us-east-1"] = []string{"cluster1", "cluster2"}
+	hcl, err := NewTerraform(WithParsedRegionClusterMap(clusterMap), WithLaceworkAccountID("123456789")).Generate()
+	assert.Nil(t, err)
+	assert.NotNil(t, hcl)
+	assert.Equal(t, reqProviderAndRegion(moduleSingleRegionWithLaceworkAccountID), hcl)
+}
+
 func TestGenerationEksMultiRegion(t *testing.T) {
 	clusterMap := make(map[string][]string)
 	clusterMap["us-east-1"] = []string{"cluster1", "cluster2"}
@@ -409,6 +418,21 @@ module "aws_eks_audit_log" {
 }
 `
 
+var moduleSingleRegionWithLaceworkAccountID = `provider "aws" {
+  region = "us-east-1"
+}
+
+module "aws_eks_audit_log" {
+  source                    = "lacework/eks-audit-log/aws"
+  version                   = "~> 0.4"
+  cloudwatch_regions        = ["us-east-1"]
+  cluster_names             = ["cluster1", "cluster2"]
+  kms_key_multi_region      = false
+  lacework_aws_account_id   = "123456789"
+  no_cw_subscription_filter = false
+}
+`
+
 var multiRegionBasic = `provider "aws" {
   alias  = "us-east-1"
   region = "us-east-1"