Kate_M
Community Manager
Article Id 334667
Description: This article describes how to set up a Lacework GAR (Google Artifact Registry) Container Registry integration at the GCP organization level. We'll walk through how to do it using Terraform (recommended) and how to do it manually using `gcloud` and the Lacework console.
Scope: Terraform / `gcloud`
Solution

From the GCP console, you can’t create a service account or apply roles to a service account at the organization level. Instead, you have to use Terraform or `gcloud`.


If you are using multiple domains for your GARs, then you’ll need to perform the Lacework Container Registry integration for each of the domains.
- For example, suppose I have 2 projects, poc1 and poc2. If poc1 has a GAR set up in us-central1 and poc2 has a GAR set up in us-east1, then in order to integrate at the organization level so that both projects and all their GARs are captured in Lacework, I'll need to perform a total of 2 Lacework Container Registry integrations, one per registry domain (us-central1-docker.pkg.dev and us-east1-docker.pkg.dev).

Alright, enough talk, let’s get into it!


Steps

Below are steps for performing the integration using Terraform or manually with `gcloud` and the Lacework console. Follow along with whichever fits your needs.

Using Terraform

NOTE: In the following steps, we assume that you know Terraform, and you have already configured your environment and the providers for Lacework and GCP.

  1. Create a dedicated service account for the integration and bind it to the appropriate roles at an organization level.
    # ... assuming prior provider setup for Lacework and GCP

    ################################
    # Platform Scanner Integration #
    ################################
    # Dedicated service account that the Lacework platform scanner authenticates as.
    resource "google_service_account" "lw_platform_scanner_sa" {
      account_id   = "lw-platform-scanner-sa"
      display_name = "LW Platform Scanner Service Account"
      description  = "Service Account for integrating the Lacework Platform Scanner."
      project      = var.project_id
    }

    # Long-lived JSON key handed to Lacework. Note that the private key is stored in Terraform state.
    resource "google_service_account_key" "lw_platform_scanner_sa_key" {
      service_account_id = google_service_account.lw_platform_scanner_sa.name
      public_key_type    = "TYPE_X509_PEM_FILE"
    }

    # Organization-level read-only bindings. Replace 111122223333 with your organization ID.
    resource "google_organization_iam_member" "organization_level_artifact_registry_role" {
      org_id = "111122223333"
      role   = "roles/artifactregistry.reader"
      member = "serviceAccount:${google_service_account.lw_platform_scanner_sa.email}"
    }

    resource "google_organization_iam_member" "organization_level_storage_role" {
      org_id = "111122223333"
      role   = "roles/storage.objectViewer"
      member = "serviceAccount:${google_service_account.lw_platform_scanner_sa.email}"
    }


  2. Create the Lacework GAR Container Registry integration using the Lacework Terraform module (`lacework/gar/gcp`).
    # ... append to the end of the previous Terraform snippet.

    module "lacework_gar" {
      source  = "lacework/gar/gcp"
      version = "~> 0.1"

      # One integration per registry domain, e.g. us-central1-docker.pkg.dev
      lacework_integration_name = "LW GAR Integration (${var.region})"
      registry_domain           = "${var.region}-docker.pkg.dev"

      # Reuse the service account and key created above instead of letting the module create its own.
      use_existing_service_account = true
      service_account_name         = google_service_account.lw_platform_scanner_sa.name
      service_account_private_key  = google_service_account_key.lw_platform_scanner_sa_key.private_key
    }


Running Manually

NOTE: In the following steps, we assume that you have the GCP `gcloud` CLI installed and are authenticated.

  1. Create a service account at the project level (Google Docs). We recommend using a dedicated “security” or “lacework” specific project.
    gcloud iam service-accounts create NAME \
      [--description=DESCRIPTION] \
      [--display-name=DISPLAY_NAME] \
      [GCLOUD_WIDE_FLAG …]

    # Example
    export SA_NAME=lw-platform-scanner-sa
    export PROJECT_ID=lw-general-sandbox
    gcloud iam service-accounts create $SA_NAME \
      --display-name="LW Platform Scanner Service Account" \
      --description="Service Account for integrating the Lacework Platform Scanner." \
      --project=$PROJECT_ID


  2. Bind the service account to the organization for the required roles (Google Docs).

    gcloud organizations add-iam-policy-binding ORGANIZATION \
      --member=PRINCIPAL \
      --role=ROLE \
      [--condition=[KEY=VALUE,…] | --condition-from-file=CONDITION_FROM_FILE] \
      [GCLOUD_WIDE_FLAG …]

    # Example
    export ORG_ID=111122223333
    # Look up the email of the service account created in step 1
    export SA_EMAIL=$(gcloud iam service-accounts list --project=$PROJECT_ID --format="value(email)" --filter="name:$SA_NAME")
    # Grant only the two read-only roles the scanner needs
    gcloud organizations add-iam-policy-binding $ORG_ID \
      --member=serviceAccount:$SA_EMAIL \
      --role=roles/artifactregistry.reader
    gcloud organizations add-iam-policy-binding $ORG_ID \
      --member=serviceAccount:$SA_EMAIL \
      --role=roles/storage.objectViewer


  3. Review that the IAM policy bindings took effect and ensure the service account has the correct roles.

    # Example: print the full organization policy, or filter it down to the roles bound to the scanner service account
    gcloud organizations get-iam-policy $ORG_ID
    gcloud organizations get-iam-policy $ORG_ID --flatten="bindings[].members" \
      --filter="bindings.members:$SA_EMAIL" --format="table(bindings.role)"


  4. Generate a service account JSON key for the service account and download it to your local machine (Google Docs).

    gcloud iam service-accounts keys create OUTPUT-FILE \
      --iam-account=IAM_ACCOUNT \
      [--key-file-type=KEY_FILE_TYPE; default="json"] \
      [GCLOUD_WIDE_FLAG …]

    # Example
    export SA_KEY_FILE="./lw-platform-scanner-sa-key.json"
    gcloud iam service-accounts keys create $SA_KEY_FILE --iam-account=$SA_EMAIL
    # The key is a long-lived credential: keep the file out of version control and
    # delete the local copy once it has been uploaded to Lacework.


  5. Create the Lacework Container Registry integration by heading over to the Lacework Platform.

    1. Navigate to the Lacework Console then "Settings" > "Container registries".

    2. Click on the "+ Add New" button.

    3. Select "Google Artifact Registry (GAR)" from the platform list and click "Next".

    4. Fill in the following details:

      - Name: <whatever name you want for the integration>
      - Upload GCP Credentials: <upload the service account JSON key you downloaded earlier>
      - Registry Domain: <the domain of your GAR registry, e.g. us-central1-docker.pkg.dev>
      - Optional settings: <default is fine, but up to you and your requirements>

    5. Click "Save".
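As an added example (not part of the original article or Lacework's tooling), here is an offline version of the check in step 3 of the manual route: it parses the YAML that `gcloud organizations get-iam-policy` prints and confirms that the scanner service account holds exactly the two roles bound in step 2, flagging anything missing or anything extra. The service account email, the sample policy text and the function names `roles_for_member` and `check_roles` are my own constructions; in real use you would replace `SAMPLE_POLICY` with the captured `gcloud` output.

```shell
#!/bin/sh
# Added example, not from the Lacework article: verify that the scanner service
# account holds exactly the two organization-level roles the integration needs.
# In real use, capture the policy with:
#   POLICY=$(gcloud organizations get-iam-policy "$ORG_ID")
# Here a constructed policy stands in for that output so the check runs offline.

SA_EMAIL="lw-platform-scanner-sa@lw-general-sandbox.iam.gserviceaccount.com"   # constructed value
MEMBER="serviceAccount:$SA_EMAIL"

# Constructed sample of the YAML that get-iam-policy prints. gcloud sorts keys,
# so within each binding the "members" list precedes the "role" key.
SAMPLE_POLICY='bindings:
- members:
  - serviceAccount:lw-platform-scanner-sa@lw-general-sandbox.iam.gserviceaccount.com
  role: roles/artifactregistry.reader
- members:
  - user:alice@example.com
  - serviceAccount:lw-platform-scanner-sa@lw-general-sandbox.iam.gserviceaccount.com
  role: roles/storage.objectViewer
- members:
  - user:alice@example.com
  role: roles/resourcemanager.organizationAdmin
etag: BwXyZ123
version: 1'

# roles_for_member POLICY MEMBER
# Walks the policy binding by binding: a line starting "- " opens a new binding,
# "  - <principal>" lines accumulate its members, and "  role: <role>" closes it.
# Prints one role per line for every binding that lists MEMBER.
roles_for_member() {
  printf '%s\n' "$1" | awk -v member="$2" '
    /^- /        { found = 0; next }
    /^  - /      { if (substr($0, 5) == member) found = 1; next }
    /^  role: /  { if (found) print substr($0, 9); found = 0 }
  '
}

# check_roles POLICY MEMBER REQUIRED_ROLE...
# Returns 0 when MEMBER has every required role and nothing beyond them;
# otherwise prints each MISSING or EXTRA role and returns 1. Extra roles matter
# as much as missing ones: the scanner only needs read access.
check_roles() {
  policy=$1; member=$2; shift 2
  have=$(roles_for_member "$policy" "$member")
  status=0
  for role in "$@"; do
    printf '%s\n' "$have" | grep -qxF -- "$role" || { echo "MISSING: $role"; status=1; }
  done
  for role in $have; do
    case " $* " in
      *" $role "*) ;;
      *) echo "EXTRA:   $role"; status=1 ;;
    esac
  done
  return $status
}

# Usage: the sample policy grants the scanner exactly the two roles from step 2.
if check_roles "$SAMPLE_POLICY" "$MEMBER" roles/artifactregistry.reader roles/storage.objectViewer; then
  echo "OK: $MEMBER has exactly the required roles"
fi
```

The awk parser relies only on the indentation gcloud uses for bindings, so it also handles bindings that carry a condition block, since those still end with the binding's `role:` line. Treating an unexpected extra role as a failure is deliberate: a scanner identity that has drifted to broader permissions is the kind of change this check is meant to surface.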


Regardless of which route you took, after about 15 minutes, you should start to see your GCP container registries and images pop up in the Vulnerabilities > All Images section of the platform.
