[Feat] New data-source opentelekomcloud_hss_intrusion_events_v5 (#2781

) [Feat] New data-source `opentelekomcloud_hss_intrusion_events_v5` Summary of the Pull Request PR Checklist Refers to: #2532 Tests added/passed. Documentation updated. Schema updated. Release notes added. Acceptance Steps Performed === RUN TestAccDataSourceEvents_basic === PAUSE TestAccDataSourceEvents_basic === CONT TestAccDataSourceEvents_basic --- PASS: TestAccDataSourceEvents_basic (23.74s) PASS Process finished with the exit code 0 Reviewed-by: Artem Lifshits Reviewed-by: Aloento Reviewed-by: Muneeb H. Jan <[email protected]>
opentelekomcloud · Jan 15, 2025 · c19bcdd · c19bcdd
1 parent 4558d9d
commit c19bcdd
Show file tree

Hide file tree

Showing 7 changed files with 1,237 additions and 1 deletion.
diff --git a/docs/data-sources/hss_host_intrusion_events_v5.md b/docs/data-sources/hss_host_intrusion_events_v5.md
@@ -0,0 +1,182 @@
+---
+subcategory: “Host Security Service (HSS)”
+layout: “opentelekomcloud”
+page_title: “OpenTelekomCloud: opentelekomcloud_hss_intrusion_events_v5”
+sidebar_current: “docs-opentelekomcloud-datasource-hss-intrusion-events-v5”
+description: |-
+  Use this data source to query HSS events in OpenTelekomCloud, including host and container security events.
+---
+
+Up-to-date reference of API arguments for HSS events can be found at the
+[documentation portal](https://docs.otc.t-systems.com/host-security-service/api-ref/api_description/intrusion_detection/querying_the_detected_intrusion_list.html#)
+
+# opentelekomcloud_hss_intrusion_events_v5
+
+Use this data source to query HSS events, such as intrusion detections, malware alerts, or suspicious activities, within OpenTelekomCloud.
+
+## Example Usage
+
+```hcl
+variable "event_category" {}
+
+data "opentelekomcloud_hss_intrusion_events_v5" "events" {
+  category = var.event_category
+  days     = 7
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `category` - (Required, String) Specifies the category of the event. Valid values are:
+  *	`host` - Host security events.
+  *	`container` - Container security events.
+
+* `enterprise_project_id` - (Optional, String) Specifies the enterprise project ID. Use 0 for the default project or all_granted_eps to query all projects.
+
+* `days` - (Optional, Integer) Specifies the number of days to query events. This parameter is mutually exclusive with begin_time and end_time.
+
+* `host_name` - (Optional, String) Specifies the name of the server to query.
+
+* `host_id` - (Optional, String) Specifies the ID of the host to query.
+
+* `private_ip` - (Optional, String) Specifies the private IP address of the server.
+
+* `container_name` - (Optional, String) Specifies the name of the container instance to query.
+
+* `event_types` - (Optional, Set of Strings) Specifies the types of intrusion events to query. Possible values include but are not limited to:
+  *	`1001` - Malware.
+  *	`1010` - Rootkit.
+  *	`1015` - Web shell.
+  *	`3015` - High-risk command execution.
+  *	`4002` - Brute-force attack.
+
+* `handle_status` - (Optional, String) Specifies the status of the event. Valid values are:
+  *	`unhandled`
+  *	`handled`
+
+* `severity` - (Optional, String) Specifies the threat level. Valid values are:
+  *	`Security`
+  *	`Low`
+  *	`Medium`
+  *	`High`
+  *	`Critical`
+
+* `begin_time` - (Optional, String) Specifies the start time for querying events in ISO 8601 format. This is mutually exclusive with days.
+
+* `end_time` - (Optional, String) Specifies the end time for querying events in ISO 8601 format. This is mutually exclusive with days.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The data source ID in UUID format.
+
+* `events` - A list of events that match the query parameters. Each event has the following attributes:
+  * `id` - Event ID.
+  *	`event_class_id` - Event category identifier.
+  *	`event_type` - Intrusion type identifier.
+  *	`event_name` - Event name.
+  * `severity` - Threat level.
+  *	`host_name` - Name of the host associated with the event.
+  * `host_id` - Host ID.
+  * `private_ip` - Host private IP.
+  * `public_ip` - Host public IP (if available).
+  * `occur_time` - Time of event occurrence in milliseconds.
+  * `handle_status` - Processing status of the event (unhandled or handled).
+  *	`handle_time` - Handling time in milliseconds (if applicable).
+  *	`recommendation` - Recommended action for the event.
+  *	`event_details` - Brief description of the event.
+  *	`region` - Region where the event occurred.
+  * `operate_detail_list` - List of operation details associated with the event.
+    * The [operate_detail_list](#hss_operate_detail_list) structure is documented below.
+  * `resource_info` - Information about the resource associated with the event.
+    * The [resource_info](#hss_resource_info) structure is documented below.
+  * `process_info_list` - List of process information associated with the event.
+    * The [process_info_list](#hss_process_info_list) structure is documented below.
+  * `user_info_list` - List of user information associated with the event.
+    * The [user_info_list](#hss_user_info_list) structure is documented below.
+  * `file_info_list` - List of file information associated with the event.
+    * The [file_info_list](#hss_file_info_list) structure is documented below.
+
+* `region` - Region where the event occurred.
+
+<a name="hss_operate_detail_list"></a>
+The `operate_detail_list` block supports:
+
+* `agent_id` - Agent ID.
+* `process_pid` - Process ID.
+* `is_parent` - Indicates whether the process is a parent process.
+* `file_hash` - File hash.
+* `file_path` - Path to the file.
+* `file_attr` - File attribute.
+* `private_ip` - Server private IP address.
+* `login_ip` - Login source IP address.
+* `login_user_name` - Login username.
+* `keyword` - Alarm event keyword.
+* `hash` - Alarm event hash.
+
+<a name="hss_resource_info"></a>
+The `resource_info` block supports:
+* `domain_id` - User account ID.
+* `project_id` - Project ID.
+* `enterprise_project_id` - Enterprise project ID.
+* `region_name` - Region name.
+* `vpc_id` - VPC ID.
+* `ecs_id` - ECS ID.
+* `vm_name` - VM name.
+* `vm_uuid` - VM UUID.
+* `container_id` - Container ID.
+* `image_id` - Image ID.
+* `image_name` - Image name.
+* `host_attr` - Host attribute.
+* `service` - Service.
+* `microservice` - Microservice.
+* `sys_arch` - System CPU architecture.
+* `os_bit` - OS bit version.
+* `os_type` - OS type.
+* `os_name` - OS name.
+* `os_version` - OS version.
+
+<a name="hss_process_info_list"></a>
+The `process_info_list` block supports:
+* `process_name` - Process name.
+* `process_path` - Process file path.
+* `process_pid` - Process ID.
+* `process_uid` - Process user ID.
+* `process_username` - Process username.
+* `process_cmdline` - Command line used to start the process.
+* `process_filename` - Process file name.
+* `process_start_time` - Process start time.
+* `parent_process_name` - Parent process name.
+* `parent_process_path` - Parent process file path.
+* `parent_process_pid` - Parent process ID.
+
+<a name="hss_user_info_list"></a>
+The `user_info_list` block supports:
+* `user_id` - User UID.
+* `user_gid` - User GID.
+* `user_name` - Username.
+* `user_group_name` - User group name.
+* `user_home_dir` - User home directory.
+* `login_ip` - User login IP address.
+* `service_type` - Type of service used for login.
+* `service_port` - Login service port.
+* `login_mode` - Login mode.
+* `login_last_time` - Last login time.
+* `login_fail_count` - Number of failed login attempts.
+
+<a name="hss_file_info_list"></a>
+The `file_info_list` block supports:
+* `file_path` - Path to the file.
+* `file_alias` - File alias.
+* `file_size` - Size of the file in bytes.
+* `file_mtime` - Time when a file was last modified.
+* `file_atime` - Time when a file was last accessed.
+* `file_ctime` - Time when the status of a file was last changed.
+* `file_hash` - Hash of the file.
+* `file_type` - Type of the file.
+* `file_content` - File content.
+* `file_attr` - File attribute.
+* `file_operation` - File operation type.
diff --git a/go.mod b/go.mod
@@ -17,7 +17,7 @@ require (
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/keybase/go-crypto v0.0.0-20200123153347-de78d2cb44f4
 	github.com/mitchellh/go-homedir v1.1.0
-	github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20241217130728-c35f3bd67003
+	github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20250114085603-274cd406ed0d
 	github.com/unknwon/com v1.0.1
 	golang.org/x/crypto v0.31.0
 	golang.org/x/sync v0.10.0

diff --git a/go.sum b/go.sum
@@ -158,6 +158,10 @@ github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20241217130728-c35f3bd67003 h1:yZzN1AJUxA1fpFZSsgokbCfBWS+/McwRSlc56A2oqjU=
 github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20241217130728-c35f3bd67003/go.mod h1:la8cQVYopRoEbNe2L7HlGTdLxUQOwIqHp1VHtjE/5qA=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20250110095240-c5e793bd3e9c h1:unSvIZSJ0xWPRiFNfS7u/11B3j1HtPO/wh6wRirJ6u0=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20250110095240-c5e793bd3e9c/go.mod h1:la8cQVYopRoEbNe2L7HlGTdLxUQOwIqHp1VHtjE/5qA=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20250114085603-274cd406ed0d h1:VfXw7flhcMF/VCPsG0eSy6GpWaNnYQfJjgSa7Ws+Z8M=
+github.com/opentelekomcloud/gophertelekomcloud v0.9.4-0.20250114085603-274cd406ed0d/go.mod h1:la8cQVYopRoEbNe2L7HlGTdLxUQOwIqHp1VHtjE/5qA=
 github.com/pkg/errors v0.8.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
 github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM=

diff --git a/opentelekomcloud/acceptance/hss/data_source_opentelekomcloud_hss_intrusion_events_v5_test.go b/opentelekomcloud/acceptance/hss/data_source_opentelekomcloud_hss_intrusion_events_v5_test.go
@@ -0,0 +1,38 @@
+package hss
+
+import (
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/opentelekomcloud/terraform-provider-opentelekomcloud/opentelekomcloud/acceptance/common"
+)
+
+func TestAccDataSourceEvents_basic(t *testing.T) {
+	dataSource := "data.opentelekomcloud_hss_intrusion_events_v5.events"
+	dc := common.InitDataSourceCheck(dataSource)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			common.TestAccPreCheck(t)
+		},
+		ProviderFactories: common.TestAccProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: testDataSourceIntrusionEvents_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					dc.CheckResourceExists(),
+					resource.TestCheckResourceAttrSet(dataSource, "events.#"),
+				),
+			},
+		},
+	})
+}
+
+func testDataSourceIntrusionEvents_basic() string {
+	return `
+
+data "opentelekomcloud_hss_intrusion_events_v5" "events" {
+  category = "host"
+}
+`
+}
diff --git a/opentelekomcloud/provider.go b/opentelekomcloud/provider.go
@@ -307,6 +307,7 @@ func Provider() *schema.Provider {
 			"opentelekomcloud_hss_host_groups_v5":                hss.DataSourceHostGroups(),
 			"opentelekomcloud_hss_quotas_v5":                     hss.DataSourceQuotas(),
 			"opentelekomcloud_hss_hosts_v5":                      hss.DataSourceHosts(),
+			"opentelekomcloud_hss_intrusion_events_v5":           hss.DataSourceEvents(),
 			"opentelekomcloud_identity_agency_v3":                iam.DataSourceIdentityAgencyV3(),
 			"opentelekomcloud_identity_auth_scope_v3":            iam.DataSourceIdentityAuthScopeV3(),
 			"opentelekomcloud_identity_credential_v3":            iam.DataSourceIdentityCredentialV3(),