feat(resource): AWS consolidated CloudTrail support

examples/resource_lacework_integration_aws_ct/main.tf

@@ -8,3 +8,26 @@ resource "lacework_integration_aws_ct" "example" {
     external_id = "12345"
   }
 }
+
+resource "lacework_integration_aws_ct" "consolidated" {
+  name      = "A consolidated CloudTrail example"
+  queue_url = "https://sqs.us-east-2.amazonaws.com/123456789012/MyQueue"
+  credentials {
+    role_arn    = "arn:aws:iam::1234567890:role/lacework_iam_example_role"
+    external_id = "12345"
+  }
+
+  org_account_mappings {
+    default_lacework_account = "lw_account_1"
+
+    mapping {
+      lacework_account = "lw_account_2"
+      aws_accounts     = ["234556677", "774564564"]
+    }
+
+    mapping {
+      lacework_account = "lw_account_3"
+      aws_accounts     = ["553453453", "934534535"]
+    }
+  }
+}

go.mod

@@ -19,7 +19,7 @@ require (
 	github.com/hashicorp/terraform-plugin-sdk v1.15.0
 	github.com/hashicorp/terraform-svchost v0.0.0-20191119180714-d2e4933b9136 // indirect
 	github.com/hashicorp/yamux v0.0.0-20200609203250-aecfd211c9ce // indirect
-	github.com/lacework/go-sdk v0.2.6
+	github.com/lacework/go-sdk v0.2.10-0.20201202210122-3d71ed1dcb01
 	github.com/mattn/go-colorable v0.1.7 // indirect
 	github.com/mitchellh/cli v1.1.1 // indirect
 	github.com/mitchellh/go-homedir v1.1.0
@@ -29,6 +29,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/posener/complete v1.2.3 // indirect
 	github.com/spf13/afero v1.3.1 // indirect
+	github.com/stretchr/testify v1.5.1
 	github.com/ulikunitz/xz v0.5.7 // indirect
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
 	github.com/zclconf/go-cty v1.5.1 // indirect

go.sum

@@ -286,6 +286,10 @@ github.com/lacework/go-sdk v0.2.5 h1:WBKk/UEgCESVYDuB6iscEcXrMxYC8bzHRa570ICZqi8
 github.com/lacework/go-sdk v0.2.5/go.mod h1:sIJaaCHcBxAUT0GN/6zZVlth612KBYtgBtDdoFupN1E=
 github.com/lacework/go-sdk v0.2.6 h1:UlJ8irs8z7SDRoOhexvqLuYk4FbJVUaznMiV12cf0tg=
 github.com/lacework/go-sdk v0.2.6/go.mod h1:sIJaaCHcBxAUT0GN/6zZVlth612KBYtgBtDdoFupN1E=
+github.com/lacework/go-sdk v0.2.9 h1:/rQ/+Dg3L3nbMYiiqjQocCovzNom72wChCk8F2vwiDw=
+github.com/lacework/go-sdk v0.2.9/go.mod h1:sIJaaCHcBxAUT0GN/6zZVlth612KBYtgBtDdoFupN1E=
+github.com/lacework/go-sdk v0.2.10-0.20201202210122-3d71ed1dcb01 h1:ZY/Zlb2iRkMJ7JVk8guNz88FYE3z8oa/CpV1eVTCrCA=
+github.com/lacework/go-sdk v0.2.10-0.20201202210122-3d71ed1dcb01/go.mod h1:sIJaaCHcBxAUT0GN/6zZVlth612KBYtgBtDdoFupN1E=
 github.com/magiconair/properties v1.8.0/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/magiconair/properties v1.8.1/go.mod h1:PppfXfuXeibc/6YijjN8zIbojt8czPbwD3XqdrwzmxQ=
 github.com/mattn/go-colorable v0.0.9/go.mod h1:9vuHe8Xs5qXnSaW/c/ABM9alt+Vo+STaOChaDxuIBZU=
@@ -734,6 +738,7 @@ gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw=
 gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
 gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=

lacework/resource_lacework_integration_aws_ct.go

@@ -1,76 +1,116 @@
 package lacework
 
 import (
+	"encoding/json"
+	"fmt"
 	"log"
 
 	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
 
 	"github.com/lacework/go-sdk/api"
 )
 
-func resourceLaceworkIntegrationAwsCloudTrail() *schema.Resource {
-	return &schema.Resource{
-		Create: resourceLaceworkIntegrationAwsCloudTrailCreate,
-		Read:   resourceLaceworkIntegrationAwsCloudTrailRead,
-		Update: resourceLaceworkIntegrationAwsCloudTrailUpdate,
-		Delete: resourceLaceworkIntegrationAwsCloudTrailDelete,
-
-		Importer: &schema.ResourceImporter{
-			State: importLaceworkIntegration,
-		},
-
-		Schema: map[string]*schema.Schema{
-			"name": {
-				Type:     schema.TypeString,
-				Required: true,
-			},
-			"intg_guid": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
-			"enabled": {
-				Type:     schema.TypeBool,
-				Optional: true,
-				Default:  true,
-			},
-			"queue_url": {
-				Type:     schema.TypeString,
-				Required: true,
+var awsCloudTrailIntegrationSchema = map[string]*schema.Schema{
+	"name": {
+		Type:        schema.TypeString,
+		Required:    true,
+		Description: "The integration name.",
+	},
+	"intg_guid": {
+		Type:     schema.TypeString,
+		Computed: true,
+	},
+	"enabled": {
+		Type:        schema.TypeBool,
+		Optional:    true,
+		Default:     true,
+		Description: "The state of the external integration.",
+	},
+	"queue_url": {
+		Type:        schema.TypeString,
+		Required:    true,
+		Description: "The SQS Queue URL.",
+	},
+	"credentials": {
+		Type:        schema.TypeList,
+		MaxItems:    1,
+		Required:    true,
+		Description: "The credentials needed by the integration.",
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"role_arn": {
+					Type:     schema.TypeString,
+					Required: true,
+				},
+				"external_id": {
+					Type:     schema.TypeString,
+					Required: true,
+				},
 			},
-			"credentials": {
-				Type:     schema.TypeList,
-				MaxItems: 1,
-				Required: true,
-				Elem: &schema.Resource{
-					Schema: map[string]*schema.Schema{
-						"role_arn": {
-							Type:     schema.TypeString,
-							Required: true,
-						},
-						"external_id": {
-							Type:     schema.TypeString,
-							Required: true,
+		},
+	},
+	"org_account_mappings": {
+		Type:        schema.TypeList,
+		Optional:    true,
+		MaxItems:    1,
+		Description: "Mapping of AWS accounts to Lacework accounts within a Lacework organization.",
+		Elem: &schema.Resource{
+			Schema: map[string]*schema.Schema{
+				"default_lacework_account": {
+					Type:        schema.TypeString,
+					Required:    true,
+					Description: "The default Lacework account name where any non-mapped AWS account will appear",
+				},
+				"mapping": {
+					Type:        schema.TypeSet,
+					Required:    true,
+					Description: "A map of AWS accounts to Lacework account. This can be specified multiple times to map multiple Lacework accounts.",
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"lacework_account": {
+								Type:        schema.TypeString,
+								Required:    true,
+								Description: "The Lacework account name where the CloudTrail activity from the selected AWS accounts will appear.",
+							},
+							"aws_accounts": {
+								Type:        schema.TypeSet,
+								Elem:        &schema.Schema{Type: schema.TypeString},
+								MinItems:    1,
+								Required:    true,
+								Description: "The list of AWS account IDs to map.",
+							},
 						},
 					},
 				},
 			},
-			"created_or_updated_time": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
-			"created_or_updated_by": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
-			"type_name": {
-				Type:     schema.TypeString,
-				Computed: true,
-			},
-			"org_level": {
-				Type:     schema.TypeBool,
-				Computed: true,
-			},
 		},
+	},
+	"created_or_updated_time": {
+		Type:     schema.TypeString,
+		Computed: true,
+	},
+	"created_or_updated_by": {
+		Type:     schema.TypeString,
+		Computed: true,
+	},
+	"type_name": {
+		Type:     schema.TypeString,
+		Computed: true,
+	},
+	"org_level": {
+		Type:     schema.TypeBool,
+		Computed: true,
+	},
+}
+
+func resourceLaceworkIntegrationAwsCloudTrail() *schema.Resource {
+	return &schema.Resource{
+		Create:   resourceLaceworkIntegrationAwsCloudTrailCreate,
+		Read:     resourceLaceworkIntegrationAwsCloudTrailRead,
+		Update:   resourceLaceworkIntegrationAwsCloudTrailUpdate,
+		Delete:   resourceLaceworkIntegrationAwsCloudTrailDelete,
+		Schema:   awsCloudTrailIntegrationSchema,
+		Importer: &schema.ResourceImporter{State: importLaceworkIntegration},
 	}
 }
 
@@ -92,6 +132,20 @@ func resourceLaceworkIntegrationAwsCloudTrailCreate(d *schema.ResourceData, meta
 		aws.Enabled = 0
 	}
 
+	// verify if the user provided an account mapping
+	accountMapFile := getResourceOrgAccountMappings(d)
+	accountMapFileBytes, err := json.Marshal(accountMapFile)
+	if err != nil {
+		return err
+	}
+
+	if !accountMapFile.Empty() {
+		aws.Data.EncodeAccountMappingFile(accountMapFileBytes)
+
+		// switch this integration to be at the organization level
+		aws.IsOrg = 1
+	}
+
 	// @afiune should we do this if there is sensitive information?
 	log.Printf("[INFO] Creating %s integration with data:\n%+v\n", api.AwsCloudTrailIntegration.String(), aws)
 	response, err := lacework.Integrations.CreateAws(aws)
@@ -147,8 +201,30 @@ func resourceLaceworkIntegrationAwsCloudTrailRead(d *schema.ResourceData, meta i
 			d.Set("credentials", []map[string]string{creds})
 			d.Set("queue_url", integration.Data.QueueUrl)
 
+			accountMapFileBytes, err := integration.Data.DecodeAccountMappingFile()
+			if err != nil {
+				return err
+			}
+
+			accountMapFile := new(accountMappingsFile)
+			if len(accountMapFileBytes) != 0 {
+				// The integration has an account mapping file
+				// unmarshal its content into the account mapping struct
+				err := json.Unmarshal(accountMapFileBytes, accountMapFile)
+				if err != nil {
+					return fmt.Errorf("Error decoding organization account mapping: %s", err)
+				}
+
+			}
+
+			err = d.Set("org_account_mappings", flattenOrgAccountMappings(accountMapFile))
+			if err != nil {
+				return fmt.Errorf("Error flattening organization account mapping: %s", err)
+			}
+
 			log.Printf("[INFO] Read %s integration with guid: %v\n",
-				api.AwsCloudTrailIntegration.String(), integration.IntgGuid)
+				api.AwsCloudTrailIntegration.String(), integration.IntgGuid,
+			)
 			return nil
 		}
 	}
@@ -178,6 +254,20 @@ func resourceLaceworkIntegrationAwsCloudTrailUpdate(d *schema.ResourceData, meta
 
 	aws.IntgGuid = d.Id()
 
+	// verify if the user provided an account mapping
+	accountMapFile := getResourceOrgAccountMappings(d)
+	accountMapFileBytes, err := json.Marshal(accountMapFile)
+	if err != nil {
+		return err
+	}
+
+	if !accountMapFile.Empty() {
+		aws.Data.EncodeAccountMappingFile(accountMapFileBytes)
+
+		// switch this integration to be at the organization level
+		aws.IsOrg = 1
+	}
+
 	log.Printf("[INFO] Updating %s integration with data:\n%+v\n", api.AwsCloudTrailIntegration.String(), aws)
 	response, err := lacework.Integrations.UpdateAws(aws)
 	if err != nil {
@@ -216,3 +306,72 @@ func resourceLaceworkIntegrationAwsCloudTrailDelete(d *schema.ResourceData, meta
 	log.Printf("[INFO] Deleted %s integration with guid: %v\n", api.AwsCloudTrailIntegration.String(), d.Id())
 	return nil
 }
+
+type accountMappingsFile struct {
+	DefaultLaceworkAccount string                 `json:"defaultLaceworkAccountAws"`
+	Mappings               map[string]interface{} `json:"integration_mappings"`
+}
+
+func (f *accountMappingsFile) Empty() bool {
+	return f.DefaultLaceworkAccount == ""
+}
+
+func getResourceOrgAccountMappings(d *schema.ResourceData) *accountMappingsFile {
+	accountMapFile := new(accountMappingsFile)
+	accMapsInt := d.Get("org_account_mappings").([]interface{})
+	if len(accMapsInt) != 0 && accMapsInt[0] != nil {
+		accountMappings := accMapsInt[0].(map[string]interface{})
+
+		accountMapFile = &accountMappingsFile{
+			DefaultLaceworkAccount: accountMappings["default_lacework_account"].(string),
+			Mappings:               map[string]interface{}{},
+		}
+
+		mappingSet := accountMappings["mapping"].(*schema.Set)
+		for _, m := range mappingSet.List() {
+			mapping := m.(map[string]interface{})
+			accountMapFile.Mappings[mapping["lacework_account"].(string)] = map[string]interface{}{
+				"aws_accounts": castStringArray(mapping["aws_accounts"].(*schema.Set).List()),
+			}
+		}
+
+	}
+
+	return accountMapFile
+}
+
+func flattenOrgAccountMappings(mappingFile *accountMappingsFile) []map[string]interface{} {
+	orgAccMappings := make([]map[string]interface{}, 0, 1)
+
+	if mappingFile.Empty() {
+		return orgAccMappings
+	}
+
+	mappings := map[string]interface{}{
+		"default_lacework_account": mappingFile.DefaultLaceworkAccount,
+		"mapping":                  flattenMappings(mappingFile.Mappings),
+	}
+
+	orgAccMappings = append(orgAccMappings, mappings)
+	return orgAccMappings
+}
+
+func flattenMappings(mappings map[string]interface{}) *schema.Set {
+	var (
+		orgAccountMappingsSchema = awsCloudTrailIntegrationSchema["org_account_mappings"].Elem.(*schema.Resource)
+		mappingSchema            = orgAccountMappingsSchema.Schema["mapping"].Elem.(*schema.Resource)
+		awsAccountsSchema        = mappingSchema.Schema["aws_accounts"].Elem.(*schema.Schema)
+		res                      = schema.NewSet(schema.HashResource(mappingSchema), []interface{}{})
+	)
+	for laceworkAccount, m := range mappings {
+		mappingValue := m.(map[string]interface{})
+		res.Add(map[string]interface{}{
+			"lacework_account": laceworkAccount,
+			"aws_accounts": schema.NewSet(schema.HashSchema(awsAccountsSchema),
+				mappingValue["aws_accounts"].([]interface{}),
+			),
+		})
+	}
+
+	return res
+}

lacework/resource_lacework_integration_docker_hub.go

@@ -148,7 +148,6 @@ func resourceLaceworkIntegrationDockerHubRead(d *schema.ResourceData, meta inter
 			d.Set("org_level", integration.IsOrg == 1)
 
 			d.Set("username", integration.Data.Credentials.Username)
-			d.Set("password", integration.Data.Credentials.Password)
 			d.Set("limit_by_tag", integration.Data.LimitByTag)
 			d.Set("limit_by_label", integration.Data.LimitByLabel)
 			d.Set("limit_by_repos", integration.Data.LimitByRep)