diff --git a/.github/workflows/terraform_docs.yml b/.github/workflows/terraform_docs.yml new file mode 100644 index 0000000..276d534 --- /dev/null +++ b/.github/workflows/terraform_docs.yml @@ -0,0 +1,29 @@ +name: Test that terraform docs has been run +on: push +jobs: + docs: + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + with: + ref: ${{ github.event.pull_request.head.ref }} + - name: Install terraform-docs + run: curl -L https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz | (cd /usr/local/bin; tar zxvf -; chmod +x /usr/local/bin/terraform-docs) + - name: store hash of orig README.md + id: old_hash + run: echo "README_HASH=$(md5sum README.md)" >> $GITHUB_OUTPUT + - name: Update README.md using terraform-docs make target + run: make terraform-docs + - name: store hash of new README.md + id: new_hash + run: echo "README_HASH=$(md5sum README.md)" >> $GITHUB_OUTPUT + - name: echo hashes + run: | + echo ${{ steps.old_hash.outputs.README_HASH }} + echo ${{ steps.new_hash.outputs.README_HASH }} + - name: test to see of hashs are the same + if: ${{ steps.old_hash.outputs.README_HASH != steps.new_hash.outputs.README_HASH }} + uses: actions/github-script@v6 + with: + script: | + core.setFailed('Please run "make terraform-docs" and try again') \ No newline at end of file diff --git a/.terraform-docs.yml b/.terraform-docs.yml new file mode 100644 index 0000000..f46384b --- /dev/null +++ b/.terraform-docs.yml @@ -0,0 +1,4 @@ +formatter: "markdown" +version: "0.16.0" +output: + file: README.md diff --git a/GNUmakefile b/GNUmakefile index 7fc7408..6f99db3 100644 --- a/GNUmakefile +++ b/GNUmakefile @@ -17,4 +17,8 @@ ci: ## *CI ONLY* Runs tests on CI pipeline .PHONY: release release: ci ## *CI ONLY* Prepares a release of the Terraform module - scripts/release.sh prepare \ No newline at end of file + scripts/release.sh prepare +.PHONY: terraform-docs +terraform-docs: + scripts/terraform-docs.sh + 
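Review bot: The checkout step sets `ref: ${{ github.event.pull_request.head.ref }}` while the workflow only triggers `on: push`, so that expression is empty on every run and actions/checkout silently falls back to the pushed commit; the `with.ref` is dead and should be dropped (a PR head-ref checkout only makes sense under a `pull_request` trigger, and must stay away from `pull_request_target`). The install step pipes the v0.16.0 tarball straight from curl into `tar` in `/usr/local/bin` without comparing it to the checksum published with that release, so a substituted or tampered artifact would run unnoticed in CI; download to a file, verify it with `sha256sum -c`, and extract only the `terraform-docs` member. The workflow declares no `permissions:`, so the job token receives the repository's default scopes although the job only needs `contents: read`. The two md5sum/`GITHUB_OUTPUT` steps, the echo step and the github-script failure can be replaced by `git diff --exit-code -- README.md` after `make terraform-docs`, which also removes the misspelled `test to see of hashs are the same` step name. Rewritten steps below; the checksum value is a placeholder to be taken from the release's checksum file.
```yaml
on: push
permissions:
  contents: read  # the job only reads the tree; no write scope is needed
jobs:
  docs:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3  # no ref: on a push event the pull_request context is empty
      - name: Install terraform-docs
        run: |
          curl -sSfL -o /tmp/terraform-docs.tar.gz https://github.com/terraform-docs/terraform-docs/releases/download/v0.16.0/terraform-docs-v0.16.0-linux-amd64.tar.gz
          echo "<SHA256_FROM_V0.16.0_RELEASE_CHECKSUM_FILE>  /tmp/terraform-docs.tar.gz" | sha256sum -c -
          tar -C /usr/local/bin -zxf /tmp/terraform-docs.tar.gz terraform-docs
          chmod +x /usr/local/bin/terraform-docs
      - name: Update README.md using terraform-docs make target
        run: make terraform-docs
      - name: Fail if README.md is out of date
        run: git diff --exit-code -- README.md || { echo 'Please run "make terraform-docs" and try again'; exit 1; }
```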
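Review bot: The new `terraform-docs` target carries no `## …` help text, unlike the sibling targets in this hunk (`release: ci ## *CI ONLY* Prepares a release …`), so it is invisible to whatever generates the help listing from those comments; write it as `terraform-docs: ## Regenerate README.md with terraform-docs`. The recipe calls `scripts/terraform-docs.sh`, which is not added anywhere in the part of this change I can see — if that script is not committed and executable, the new CI job fails at `make terraform-docs`. The hunk also appends a final line containing only whitespace, which should be dropped.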
diff --git a/README.md b/README.md index d3e1e3e..bdb27dd 100644 --- a/README.md +++ b/README.md @@ -34,13 +34,14 @@ serviceusage.googleapis.com cloudresourcemanager.googleapis.com ``` + ## Requirements | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 0.15.1 | | [google](#requirement\_google) | >= 4.4.0, < 5.0.0 | -| [lacework](#requirement\_lacework) | ~> 1.0 | +| [lacework](#requirement\_lacework) | ~> 1.5 | | [time](#requirement\_time) | ~> 0.6 | ## Providers @@ -48,7 +49,7 @@ cloudresourcemanager.googleapis.com | Name | Version | |------|---------| | [google](#provider\_google) | >= 4.4.0, < 5.0.0 | -| [lacework](#provider\_lacework) | ~> 1.0 | +| [lacework](#provider\_lacework) | ~> 1.5 | | [random](#provider\_random) | n/a | | [time](#provider\_time) | ~> 0.6 | @@ -56,7 +57,7 @@ cloudresourcemanager.googleapis.com | Name | Source | Version | |------|--------|---------| -| [lacework\_al\_ps\_svc\_account](#module\_lacework\_al\_ps\_svc\_account) | lacework/service-account/gcp | ~> 1.0 | +| [lacework\_al\_ps\_svc\_account](#module\_lacework\_al\_ps\_svc\_account) | lacework/service-account/gcp | ~> 1.0 | ## Resources 
@@ -65,6 +66,7 @@ cloudresourcemanager.googleapis.com | [google_logging_organization_sink.lacework_organization_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_organization_sink) | resource | | [google_logging_project_sink.lacework_project_sink](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/logging_project_sink) | resource | | [google_organization_iam_audit_config.organization_audit_logs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_audit_config) | resource | +| [google_organization_iam_member.for_lacework_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/organization_iam_member) | resource | | [google_project_iam_audit_config.project_audit_logs](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_audit_config) | resource | | [google_project_iam_member.for_lacework_service_account](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_iam_member) | resource | | [google_project_service.required_apis](https://registry.terraform.io/providers/hashicorp/google/latest/docs/resources/project_service) | resource | 
@@ -79,23 +81,26 @@ cloudresourcemanager.googleapis.com ## Inputs -| Name | Description | Type | Default | Required | -|--------------------------------------------------------------------------------------------------------------------------------------------------|-------------|------|---------|:--------:| -| [existing\_sink\_name](#input\_existing\_sink\_name) | The name of an existing sink to be re-used for this integration | `string` | `""` | no | -| [integration\_type](#input\_integration\_type) | Specify the integration type. Can only be PROJECT or ORGANIZATION. Defaults to PROJECT | `string` | `"PROJECT"` | no | -| [labels](#input\_labels) | Set of labels which will be added to the resources managed by the module | `map(string)` | `{}` | no | -| [lacework\_integration\_name](#input\_lacework\_integration\_name) | n/a | `string` | `"TF pub_sub_audit_log"` | no | -| [organization\_id](#input\_organization\_id) | The organization ID, required if integration\_type is set to ORGANIZATION | `string` | `""` | no | -| [prefix](#input\_prefix) | The prefix that will be use at the beginning of every generated resource | `string` | `"lw-al-ps"` | no | -| [project\_id](#input\_project\_id) | A project ID different from the default defined inside the provider | `string` | `""` | no | -| [pubsub\_subscription\_labels](#input\_pubsub\_subscription\_labels) | Set of labels which will be added to the subscription | `map(string)` | `{}` | no | -| [pubsub\_topic\_labels](#input\_pubsub\_topic\_labels) | Set of labels which will be added to the topic | `map(string)` | `{}` | no | -| [required\_apis](#input\_required\_apis) | n/a | `map(any)` |
{| no | -| [service\_account\_name](#input\_service\_account\_name) | The Service Account name (required when use\_existing\_service\_account is set to true) | `string` | `""` | no | -| [service\_account\_private\_key](#input\_service\_account\_private\_key) | The private key in JSON format, base64 encoded (required when use\_existing\_service\_account is set to true) | `string` | `""` | no | -| [skip\_create\_lacework\_integration](#input\_skip\_create\_lacework\_integration) | Set this to true to skip creating the LW integration during GCPv1 to GCPv2 migration | `bool` | `false` | no | -| [use\_existing\_service\_account](#input\_use\_existing\_service\_account) | Set this to true to use an existing Service Account | `bool` | `false` | no | -| [wait\_time](#input\_wait\_time) | Amount of time to wait before the next resource is provisioned. | `string` | `"10s"` | no | +| Name | Description | Type | Default | Required | +|------|-------------|------|---------|:--------:| +| [custom\_filter](#input\_custom\_filter) | Customer defined Audit Log filter which will supersede all other filter options when defined | `string` | `""` | no | +| [existing\_sink\_name](#input\_existing\_sink\_name) | The name of an existing sink to be re-used for this integration | `string` | `""` | no | +| [google\_workspace\_filter](#input\_google\_workspace\_filter) | Filter out Google Workspace login logs from GCP Audit Log sinks. Default is true | `bool` | `true` | no | +| [integration\_type](#input\_integration\_type) | Specify the integration type. Can only be PROJECT or ORGANIZATION. Defaults to PROJECT | `string` | `"PROJECT"` | no | +| [k8s\_filter](#input\_k8s\_filter) | Filter out GKE logs from GCP Audit Log sinks. 
Default is true | `bool` | `true` | no | +| [labels](#input\_labels) | Set of labels which will be added to the resources managed by the module | `map(string)` | `{}` | no | +| [lacework\_integration\_name](#input\_lacework\_integration\_name) | n/a | `string` | `"TF pub_sub_audit_log"` | no | +| [organization\_id](#input\_organization\_id) | The organization ID, required if integration\_type is set to ORGANIZATION | `string` | `""` | no | +| [prefix](#input\_prefix) | The prefix that will be use at the beginning of every generated resource | `string` | `"lw-al-ps"` | no | +| [project\_id](#input\_project\_id) | A project ID different from the default defined inside the provider | `string` | `""` | no | +| [pubsub\_subscription\_labels](#input\_pubsub\_subscription\_labels) | Set of labels which will be added to the subscription | `map(string)` | `{}` | no | +| [pubsub\_topic\_labels](#input\_pubsub\_topic\_labels) | Set of labels which will be added to the topic | `map(string)` | `{}` | no | +| [required\_apis](#input\_required\_apis) | n/a | `map(any)` |
"iam": "iam.googleapis.com",
"pubsub": "pubsub.googleapis.com",
"resourcemanager": "cloudresourcemanager.googleapis.com",
"serviceusage": "serviceusage.googleapis.com"
}
{| no | +| [service\_account\_name](#input\_service\_account\_name) | The Service Account name (required when use\_existing\_service\_account is set to true) | `string` | `""` | no | +| [service\_account\_private\_key](#input\_service\_account\_private\_key) | The private key in JSON format, base64 encoded (required when use\_existing\_service\_account is set to true) | `string` | `""` | no | +| [skip\_create\_lacework\_integration](#input\_skip\_create\_lacework\_integration) | Set this to true to skip creating the LW integration during GCPv1 to GCPv2 migration | `bool` | `false` | no | +| [use\_existing\_service\_account](#input\_use\_existing\_service\_account) | Set this to true to use an existing Service Account | `bool` | `false` | no | +| [wait\_time](#input\_wait\_time) | Amount of time to wait before the next resource is provisioned. | `string` | `"10s"` | no | ## Outputs @@ -105,4 +110,5 @@ cloudresourcemanager.googleapis.com | [pubsub\_topic\_name](#output\_pubsub\_topic\_name) | The PubSub topic name | | [service\_account\_name](#output\_service\_account\_name) | The Service Account name | | [service\_account\_private\_key](#output\_service\_account\_private\_key) | The private key in JSON format, base64 encoded | -| [sink\_name](#output\_sink\_name) | The sink name | \ No newline at end of file +| [sink\_name](#output\_sink\_name) | The sink name | + \ No newline at end of file diff --git a/scripts/release_helpers.sh b/scripts/release_helpers.sh index d9a8235..3106297 100644 --- a/scripts/release_helpers.sh +++ b/scripts/release_helpers.sh @@ -1,6 +1,6 @@ # # Name:: release_helpers.sh -# Description:: A set of helper funtions to be used by our release.sh script +# Description:: A set of helper functions to be used by our release.sh script # Author:: Salim Afiune Maya (
"iam": "iam.googleapis.com",
"pubsub": "pubsub.googleapis.com",
"resourcemanager": "cloudresourcemanager.googleapis.com",
"serviceusage": "serviceusage.googleapis.com"
}