lacework · dmurray-lacework · Feb 23, 2022 · Feb 14, 2022 · Feb 14, 2022 · Feb 16, 2022
@@ -0,0 +1,45 @@
+terraform {
+  required_providers {
+    lacework = {
+      source = "lacework/lacework"
+    }
+  }
+}
+
+resource "lacework_query" "example" {
+  query_id     = var.query_id
+  evaluator_id = var.eval_id
+  query        = var.query
+}
+
+variable "query_id" {
+  type    = string
+  default = "Lql_Terraform_Query"
+}
+
+variable "eval_id" {
+  type    = string
+  default = "Cloudtrail"
+}
+
+variable "query" {
+  type    = string
+  default = <<EOT
+    Lql_Terraform_Query {
+      source {CloudTrailRawEvents}
+      filter {EVENT_SOURCE = 'signin.amazonaws.com'
+      and EVENT:userIdentity."type"::String = 'AWSService'
+      and EVENT:sourceIPAddress not in ('1.1.1.1', '2.2.2.2')
+      and ERROR_CODE is null}
+    return distinct {INSERT_ID, INSERT_TIME, EVENT_TIME, EVENT}
+    }
+   EOT
+}
+
+output "query_id" {
+  value = lacework_query.example.id
+}
+
+output "query" {
+  value = lacework_query.example.query
+}
@@ -230,6 +230,16 @@ func GetIDFromTerraResults(result string) string {
 	return GetSpecificIDFromTerraResults(1, result)
 }
 
+func GetQueryProps(result string) api.QueryResponse {
+	id := GetSpecificIDFromTerraResults(1, result)
+
+	resp, err := LwClient.V2.Query.Get(id)
+	if err != nil {
+		log.Fatalf("Unable to retrieve vulnerability exception with id: %s", id)
+	}
+	return resp
+}
+
 func GetPolicyProps(result string) api.PolicyResponse {
 	id := GetSpecificIDFromTerraResults(1, result)
 

@@ -0,0 +1,184 @@
+package integration
+
+import (
+	"testing"
+
+	"github.com/gruntwork-io/terratest/modules/terraform"
+	"github.com/stretchr/testify/assert"
+)
+
+// TestQueryCreate applies integration terraform:
+// => '../examples/resource_lacework_query'
+//
+// It uses the go-sdk to verify the created query,
+// applies an update and destroys it
+//nolint
+func TestQueryCreate(t *testing.T) {
+	terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+		TerraformDir: "../examples/resource_lacework_query",
+		Vars: map[string]interface{}{
+			"query_id": "Lql_Terraform_Query",
+			"eval_id":  "Cloudtrail",
+			"query":    queryString},
+	})
+	defer terraform.Destroy(t, terraformOptions)
+
+	// Create new Query
+	create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+	createProps := GetQueryProps(create)
+
+	actualQueryID := terraform.Output(t, terraformOptions, "query_id")
+	actualQuery := terraform.Output(t, terraformOptions, "query")
+
+	assert.Equal(t, "Lql_Terraform_Query", createProps.Data.QueryID)
+	assert.Equal(t, queryString, createProps.Data.QueryText)
+
+	assert.Equal(t, "Lql_Terraform_Query", actualQueryID)
+	assert.Equal(t, queryString, actualQuery)
+
+	// Update Query
+	terraformOptions.Vars = map[string]interface{}{
+		"query_id": "Lql_Terraform_Query",
+		"eval_id":  "Cloudtrail",
+		"query":    updatedQueryString,
+	}
+
+	update := terraform.ApplyAndIdempotent(t, terraformOptions)
+	updateProps := GetQueryProps(update)
+
+	actualQueryID = terraform.Output(t, terraformOptions, "query_id")
+	actualQuery = terraform.Output(t, terraformOptions, "query")
+
+	assert.Equal(t, "Lql_Terraform_Query", updateProps.Data.QueryID)
+	assert.Equal(t, updatedQueryString, updateProps.Data.QueryText)
+
+	assert.Equal(t, "Lql_Terraform_Query", actualQueryID)
+	assert.Equal(t, updatedQueryString, actualQuery)
+
+	// Attempt to update query_id should return error
+	terraformOptions.Vars = map[string]interface{}{
+		"query_id": "Lql_Terraform_Query_Changed",
+		"eval_id":  "Cloudtrail",
+		"query":    updatedQueryString,
+	}
+
+	msg, err := terraform.ApplyE(t, terraformOptions)
+
+	assert.Error(t, err)
+	assert.Contains(t, msg, "unable to change ID of an existing query")
+}
+
+func TestQueryCreateWithEmptyEvaluatorID(t *testing.T) {
+	terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+		TerraformDir: "../examples/resource_lacework_query",
+		Vars: map[string]interface{}{
+			"query_id": "Lql_Terraform_Query",
+			"eval_id":  "",
+			"query":    queryStringK8},
+	})
+	defer terraform.Destroy(t, terraformOptions)
+
+	// Create new Query
+	create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+	createProps := GetQueryProps(create)
+
+	actualQueryID := terraform.Output(t, terraformOptions, "query_id")
+	actualQuery := terraform.Output(t, terraformOptions, "query")
+
+	assert.Equal(t, "Lql_Terraform_Query", createProps.Data.QueryID)
+	assert.Equal(t, queryStringK8, createProps.Data.QueryText)
+
+	assert.Equal(t, "Lql_Terraform_Query", actualQueryID)
+	assert.Equal(t, queryStringK8, actualQuery)
+
+	// Update Query
+	terraformOptions.Vars = map[string]interface{}{
+		"query_id": "Lql_Terraform_Query",
+		"eval_id":  "",
+		"query":    queryStringK8,
+	}
+
+	update := terraform.ApplyAndIdempotent(t, terraformOptions)
+	updateProps := GetQueryProps(update)
+
+	actualQueryID = terraform.Output(t, terraformOptions, "query_id")
+	actualQuery = terraform.Output(t, terraformOptions, "query")
+
+	assert.Equal(t, "Lql_Terraform_Query", updateProps.Data.QueryID)
+	assert.Equal(t, queryStringK8, updateProps.Data.QueryText)
+
+	assert.Equal(t, "Lql_Terraform_Query", actualQueryID)
+	assert.Equal(t, queryStringK8, actualQuery)
+
+	// Run apply again
+	thirdApply := terraform.ApplyAndIdempotent(t, terraformOptions)
+
+	thirdApplyProps := GetQueryProps(thirdApply)
+
+	actualQueryID = terraform.Output(t, terraformOptions, "query_id")
+	actualQuery = terraform.Output(t, terraformOptions, "query")
+
+	assert.Equal(t, "Lql_Terraform_Query", thirdApplyProps.Data.QueryID)
+	assert.Equal(t, queryStringK8, thirdApplyProps.Data.QueryText)
+
+	assert.Equal(t, "Lql_Terraform_Query", actualQueryID)
+	assert.Equal(t, queryStringK8, actualQuery)
+}
+
+var (
+	queryString = `Lql_Terraform_Query {
+    source {
+        CloudTrailRawEvents
+    }
+    filter {
+        EVENT_SOURCE = 'signin.amazonaws.com'
+        and EVENT_NAME in ('ConsoleLogin')
+        and EVENT:additionalEventData.MFAUsed::String = 'No'
+        and EVENT:responseElements.ConsoleLogin::String = 'Success'
+        and ERROR_CODE is null
+    }
+    return distinct {
+        INSERT_ID,
+        INSERT_TIME,
+        EVENT_TIME,
+        EVENT
+    }
+}`
+	queryStringK8 = `Lql_Terraform_Query {
+      source {
+          LW_ACT_K8S_AUDIT
+      }
+      filter {
+          (EVENT_JSON:requestURI = '/api/v1/namespaces'
+              or EVENT_JSON:requestURI like '/api/v1/namespaces?%')
+          and EVENT_JSON:verb = 'create'
+          and EVENT_JSON:responseStatus.code between 200 and 299
+      }
+      return distinct {
+          EVENT_NAME,
+          EVENT_OBJECT,
+          CLUSTER_TYPE,
+          CLUSTER_ID
+      }
+  }`
+
+	updatedQueryString = `Lql_Terraform_Query {
+    source {
+        CloudTrailRawEvents
+    }
+    filter {
+        EVENT_SOURCE = 'signin.amazonaws.com'
+        and EVENT_NAME in ('ConsoleLogin')
+        and EVENT:additionalEventData.MFAUsed::String = 'No'
+        and EVENT:responseElements.ConsoleLogin::String = 'Success'
+        and EVENT:userIdentity."type"::String not in ('IAMUser')
+        and ERROR_CODE is null
+    }
+    return distinct {
+        INSERT_ID,
+        INSERT_TIME,
+        EVENT_TIME,
+        EVENT
+    }        
+}`
+)
@@ -93,6 +93,7 @@ func Provider() *schema.Provider {
 			"lacework_integration_gar":                   resourceLaceworkIntegrationGar(),
 			"lacework_integration_gcr":                   resourceLaceworkIntegrationGcr(),
 			"lacework_integration_ghcr":                  resourceLaceworkIntegrationGhcr(),
+			"lacework_query":                             resourceLaceworkQuery(),
 			"lacework_policy":                            resourceLaceworkPolicy(),
 			"lacework_report_rule":                       resourceLaceworkReportRule(),
 			"lacework_resource_group_account":            resourceLaceworkResourceGroupLwAccount(),