-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
feat(secure): Add Malware, Drift, ML and AWS ML policy resources #476
Merged
Merged
Changes from all commits
Commits
Show all changes
58 commits
Select commit
Hold shift + click to select a range
e6a9540
refactor: Add common schema
alexeyovriakh ef36744
feat: Add composite policy resource
alexeyovriakh f2b9d2b
feat: Add composite policy data source
alexeyovriakh c5a5213
docs: Add docs for composite policy resource and data source
alexeyovriakh ca74f33
chore: Fix formatting issues
alexeyovriakh df4ba5f
chore: Update TODO comments in composite policies client
alexeyovriakh da61a82
feat: Filter policies by type and name
alexeyovriakh fa03712
chore: Clean up code
alexeyovriakh 5e3195a
chore: Update the docs
alexeyovriakh 1099321
Merge branch 'master' into feat/composite-policy-resource
alexeyovriakh c3dbf45
chore: Fix formatting issue
alexeyovriakh 11c6597
chore: Fix Sprintf args in test code
alexeyovriakh 2aa47a6
fix: Remove ability enable or disable individual rules
alexeyovriakh cd04d01
chore: Fix lint issues
alexeyovriakh 92b86f5
refactor: Introduce reducer pattern
alexeyovriakh c6f512d
refactor: Use a consistent way to get policy ID
alexeyovriakh c637e46
fix: Resolve copylock error
alexeyovriakh dcb69dd
refactor: Rename Composite to Malware policy
alexeyovriakh 92de16d
chore: Fix Linter errors
alexeyovriakh 9a53548
Fix: Resolve compilation error
alexeyovriakh ca7e5b6
feat: Add Drift policy resource and data source
alexeyovriakh bf6f5d8
test: Update Malware policy tests
alexeyovriakh 4ffa1c3
docs: Update Malware policy docs
alexeyovriakh e45e331
feat: Add ML policy
alexeyovriakh be97fa0
fix: Ensure the version number is sent to Policies API in order to up…
alexeyovriakh b867581
chore: Update Drift policy docs
alexeyovriakh f0fd76d
fix: Resolve Lin issue
alexeyovriakh 2e4360b
feat: Add AWS ML policy
alexeyovriakh 2a6ffdc
chore: Fix docs typo
alexeyovriakh 72a73fe
fix: Add AWS ML policy to TF provider
alexeyovriakh 13166d5
fix: Resolve "Setting state: Invalid address to set" error
alexeyovriakh e6b9612
fix: Resolve compilation error
alexeyovriakh e46a372
fix: Skip version 0 to resolve resource update error
alexeyovriakh b497128
fix: Resolve tfproviderdocs check error
alexeyovriakh f16971e
fix: Resolve "Invalid address to set" in drift policy resource
alexeyovriakh 8968587
fix: Fix resource_sysdig_secure_policy_test test failure
alexeyovriakh ded08a8
fix: Fix TestAccMalwarePolicy test failure
alexeyovriakh 52b8cfd
fix: Fix TestAccDriftPolicy test failure
alexeyovriakh 96f318f
feat: Hide tags
alexeyovriakh a9cea14
feat: Replace Drift rule Mode attribute with a boolean Enabled attribute
alexeyovriakh 3874b2c
fix: Fix Drift rule reducer
alexeyovriakh ce79716
fix: Hide Drift rule's match_items attribute
alexeyovriakh 2ebb337
fix: Fix "Invalid resource type" in TestAccMalwarePolicy test
alexeyovriakh 750ef4b
refactor: Remove details block and rename rules to rule
alexeyovriakh f60ff47
fix: Fix "provide at least one rule name" test error
alexeyovriakh b61ec4b
docs: Update docs to include the latest TF resource changes
alexeyovriakh 663f4cb
test: Update tests
alexeyovriakh ac29c96
chore: Update schema formatting
alexeyovriakh 3c4b042
fix: Escape query param
alexeyovriakh 8935262
refactor: Use const values
alexeyovriakh 55f226d
Merge branch 'master' into feat/composite-policy-resource
alexeyovriakh 47b7df2
tests: Generate unique policy name in data source tests
alexeyovriakh b6f387a
tests: Add more tests to resources
alexeyovriakh dd2068d
remove unnecessary changes
kmvachhani 9a28212
more small fixes
kmvachhani fb3efa6
set hash alias field as optional
kmvachhani 0c5776b
remove hash alias references
kmvachhani 094d5c1
Merge branch 'master' into feat/composite-policy-resource
kmvachhani File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,104 @@ | ||
| package sysdig | ||
|
|
||
| import ( | ||
| "context" | ||
| "time" | ||
|
|
||
| v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2" | ||
| "github.com/hashicorp/terraform-plugin-log/tflog" | ||
| "github.com/hashicorp/terraform-plugin-sdk/v2/diag" | ||
| "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
| ) | ||
|
|
||
| func dataSourceSysdigSecureAWSMLPolicy() *schema.Resource { | ||
| timeout := 5 * time.Minute | ||
|
|
||
| return &schema.Resource{ | ||
| ReadContext: dataSourceSysdigSecureAWSMLPolicyRead, | ||
|
|
||
| Timeouts: &schema.ResourceTimeout{ | ||
| Read: schema.DefaultTimeout(timeout), | ||
| }, | ||
|
|
||
| Schema: createAWSMLPolicyDataSourceSchema(), | ||
| } | ||
| } | ||
|
|
||
| func dataSourceSysdigSecureAWSMLPolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { | ||
| return awsMLPolicyDataSourceRead(ctx, d, meta, "custom policy", isCustomCompositePolicy) | ||
| } | ||
|
|
||
| func createAWSMLPolicyDataSourceSchema() map[string]*schema.Schema { | ||
| return map[string]*schema.Schema{ | ||
| // IMPORTANT: Type is implicit: It's automatically added upon conversion to JSON | ||
| "type": { | ||
| Type: schema.TypeString, | ||
| Computed: true, | ||
| }, | ||
| "name": NameSchema(), | ||
| "description": DescriptionComputedSchema(), | ||
| "enabled": EnabledComputedSchema(), | ||
| "severity": SeverityComputedSchema(), | ||
| "scope": ScopeComputedSchema(), | ||
| "version": VersionSchema(), | ||
| "notification_channels": NotificationChannelsComputedSchema(), | ||
| "runbook": RunbookComputedSchema(), | ||
| "rule": { | ||
| Type: schema.TypeList, | ||
| Computed: true, | ||
| Elem: &schema.Resource{ | ||
| Schema: map[string]*schema.Schema{ | ||
| "id": ReadOnlyIntSchema(), | ||
| "name": ReadOnlyStringSchema(), | ||
| "description": DescriptionComputedSchema(), | ||
| "tags": TagsSchema(), | ||
| "version": VersionSchema(), | ||
| "anomalous_console_login": MLRuleThresholdAndSeverityComputedSchema(), | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
| } | ||
|
|
||
| func awsMLPolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta interface{}, resourceName string, validationFunc func(v2.PolicyRulesComposite) bool) diag.Diagnostics { | ||
| client, err := getSecureCompositePolicyClient(meta.(SysdigClients)) | ||
| if err != nil { | ||
| return diag.FromErr(err) | ||
| } | ||
|
|
||
| policyName := d.Get("name").(string) | ||
| policyType := policyTypeAWSML | ||
|
|
||
| policies, _, err := client.FilterCompositePoliciesByNameAndType(ctx, policyType, policyName) | ||
| if err != nil { | ||
| return diag.FromErr(err) | ||
| } | ||
|
|
||
| var policy v2.PolicyRulesComposite | ||
| for _, existingPolicy := range policies { | ||
| tflog.Debug(ctx, "Filtered policies", map[string]interface{}{"name": existingPolicy.Policy.Name}) | ||
|
|
||
| if existingPolicy.Policy.Name == policyName && existingPolicy.Policy.Type == policyType { | ||
| if !validationFunc(existingPolicy) { | ||
| return diag.Errorf("policy is not a %s", resourceName) | ||
| } | ||
| policy = existingPolicy | ||
| break | ||
| } | ||
| } | ||
|
|
||
| if policy.Policy == nil { | ||
| return diag.Errorf("unable to find policy %s", resourceName) | ||
| } | ||
|
|
||
| if policy.Policy.ID == 0 { | ||
| return diag.Errorf("unable to find %s", resourceName) | ||
| } | ||
|
|
||
| err = awsMLPolicyToResourceData(&policy, d) | ||
| if err != nil { | ||
| return diag.FromErr(err) | ||
| } | ||
|
|
||
| return nil | ||
| } | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,64 @@ | ||
| //go:build tf_acc_sysdig_secure || tf_acc_policies || tf_acc_onprem_secure | ||
|
|
||
| package sysdig_test | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "os" | ||
| "testing" | ||
|
|
||
| "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" | ||
| "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" | ||
| "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
|
|
||
| "github.com/draios/terraform-provider-sysdig/sysdig" | ||
| ) | ||
|
|
||
| func TestAccAWSMLPolicyDataSource(t *testing.T) { | ||
| rText := acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum) | ||
|
|
||
| resource.ParallelTest(t, resource.TestCase{ | ||
| PreCheck: func() { | ||
| if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" { | ||
| t.Fatal("SYSDIG_SECURE_API_TOKEN must be set for acceptance tests") | ||
| } | ||
| }, | ||
| ProviderFactories: map[string]func() (*schema.Provider, error){ | ||
| "sysdig": func() (*schema.Provider, error) { | ||
| return sysdig.Provider(), nil | ||
| }, | ||
| }, | ||
| Steps: []resource.TestStep{ | ||
| { | ||
| Config: awsAWSMLPolicyDataSource(rText), | ||
| }, | ||
| }, | ||
| }) | ||
| } | ||
|
|
||
| func awsAWSMLPolicyDataSource(name string) string { | ||
| return fmt.Sprintf(` | ||
| resource "sysdig_secure_aws_ml_policy" "policy_1" { | ||
| name = "Test AWS ML Policy %s" | ||
| description = "Test AWS ML Policy Description %s" | ||
| enabled = true | ||
| severity = 4 | ||
|
|
||
| rule { | ||
| description = "Test AWS ML Rule Description" | ||
|
|
||
| anomalous_console_login { | ||
| enabled = true | ||
| threshold = 2 | ||
| severity = 1 | ||
| } | ||
| } | ||
|
|
||
| } | ||
|
|
||
| data "sysdig_secure_aws_ml_policy" "policy_2" { | ||
| name = sysdig_secure_aws_ml_policy.policy_1.name | ||
| depends_on = [sysdig_secure_aws_ml_policy.policy_1] | ||
| } | ||
| `, name, name) | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,117 @@ | ||
| package sysdig | ||
|
|
||
| import ( | ||
| "context" | ||
| "time" | ||
|
|
||
| v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2" | ||
| "github.com/hashicorp/terraform-plugin-log/tflog" | ||
| "github.com/hashicorp/terraform-plugin-sdk/v2/diag" | ||
| "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
| ) | ||
|
|
||
| func dataSourceSysdigSecureDriftPolicy() *schema.Resource { | ||
| timeout := 5 * time.Minute | ||
|
|
||
| return &schema.Resource{ | ||
| ReadContext: dataSourceSysdigSecureDriftPolicyRead, | ||
|
|
||
| Timeouts: &schema.ResourceTimeout{ | ||
| Read: schema.DefaultTimeout(timeout), | ||
| }, | ||
|
|
||
| Schema: createDriftPolicyDataSourceSchema(), | ||
| } | ||
| } | ||
|
|
||
| func dataSourceSysdigSecureDriftPolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { | ||
| return driftPolicyDataSourceRead(ctx, d, meta, "custom policy", isCustomCompositePolicy) | ||
| } | ||
|
|
||
| func createDriftPolicyDataSourceSchema() map[string]*schema.Schema { | ||
| return map[string]*schema.Schema{ | ||
| // IMPORTANT: Type is implicit: It's automatically added upon conversion to JSON | ||
| "type": { | ||
| Type: schema.TypeString, | ||
| Computed: true, | ||
| }, | ||
| "name": NameSchema(), | ||
| "description": DescriptionComputedSchema(), | ||
| "enabled": EnabledComputedSchema(), | ||
| "severity": SeverityComputedSchema(), | ||
| "scope": ScopeComputedSchema(), | ||
| "version": VersionSchema(), | ||
| "notification_channels": NotificationChannelsComputedSchema(), | ||
| "runbook": RunbookComputedSchema(), | ||
| "rule": { | ||
| Type: schema.TypeList, | ||
| Computed: true, | ||
| Elem: &schema.Resource{ | ||
| Schema: map[string]*schema.Schema{ | ||
| "id": ReadOnlyIntSchema(), | ||
| "name": ReadOnlyStringSchema(), | ||
| "description": DescriptionComputedSchema(), | ||
| "tags": TagsSchema(), | ||
| "version": VersionSchema(), | ||
| "enabled": BoolComputedSchema(), | ||
| "exceptions": ExceptionsComputedSchema(), | ||
| "prohibited_binaries": ExceptionsComputedSchema(), | ||
| }, | ||
| }, | ||
| }, | ||
| "actions": { | ||
| Type: schema.TypeList, | ||
| Computed: true, | ||
| Elem: &schema.Resource{ | ||
| Schema: map[string]*schema.Schema{ | ||
| "prevent_drift": PreventActionComputedSchema(), | ||
| "container": ContainerActionComputedSchema(), | ||
| "capture": CaptureActionComputedSchema(), | ||
| }, | ||
| }, | ||
| }, | ||
| } | ||
| } | ||
|
|
||
| func driftPolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta interface{}, resourceName string, validationFunc func(v2.PolicyRulesComposite) bool) diag.Diagnostics { | ||
| client, err := getSecureCompositePolicyClient(meta.(SysdigClients)) | ||
| if err != nil { | ||
| return diag.FromErr(err) | ||
| } | ||
|
|
||
| policyName := d.Get("name").(string) | ||
| policyType := policyTypeDrift | ||
|
|
||
| policies, _, err := client.FilterCompositePoliciesByNameAndType(ctx, policyType, policyName) | ||
| if err != nil { | ||
| return diag.FromErr(err) | ||
| } | ||
|
|
||
| var policy v2.PolicyRulesComposite | ||
| for _, existingPolicy := range policies { | ||
| tflog.Debug(ctx, "Filtered policies", map[string]interface{}{"name": existingPolicy.Policy.Name}) | ||
|
|
||
| if existingPolicy.Policy.Name == policyName && existingPolicy.Policy.Type == policyType { | ||
| if !validationFunc(existingPolicy) { | ||
| return diag.Errorf("policy is not a %s", resourceName) | ||
| } | ||
| policy = existingPolicy | ||
| break | ||
| } | ||
| } | ||
|
|
||
| if policy.Policy == nil { | ||
| return diag.Errorf("unable to find policy %s", resourceName) | ||
| } | ||
|
|
||
| if policy.Policy.ID == 0 { | ||
| return diag.Errorf("unable to find %s", resourceName) | ||
| } | ||
|
|
||
| err = driftPolicyToResourceData(&policy, d) | ||
| if err != nil { | ||
| return diag.FromErr(err) | ||
| } | ||
|
|
||
| return nil | ||
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,70 @@ | ||
| //go:build tf_acc_sysdig_secure || tf_acc_policies || tf_acc_onprem_secure | ||
|
|
||
| package sysdig_test | ||
|
|
||
| import ( | ||
| "fmt" | ||
| "os" | ||
| "testing" | ||
|
|
||
| "github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest" | ||
| "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" | ||
| "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" | ||
|
|
||
| "github.com/draios/terraform-provider-sysdig/sysdig" | ||
| ) | ||
|
|
||
| func TestAccDriftPolicyDataSource(t *testing.T) { | ||
| rText := acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum) | ||
|
|
||
| resource.ParallelTest(t, resource.TestCase{ | ||
| PreCheck: func() { | ||
| if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" { | ||
| t.Fatal("SYSDIG_SECURE_API_TOKEN must be set for acceptance tests") | ||
| } | ||
| }, | ||
| ProviderFactories: map[string]func() (*schema.Provider, error){ | ||
| "sysdig": func() (*schema.Provider, error) { | ||
| return sysdig.Provider(), nil | ||
| }, | ||
| }, | ||
| Steps: []resource.TestStep{ | ||
| { | ||
| Config: driftPolicyDataSource(rText), | ||
| }, | ||
| }, | ||
| }) | ||
| } | ||
|
|
||
| func driftPolicyDataSource(name string) string { | ||
| return fmt.Sprintf(` | ||
| resource "sysdig_secure_drift_policy" "policy_1" { | ||
| name = "Test Drift Policy %s" | ||
| description = "Test Drift Policy Description %s" | ||
| enabled = true | ||
| severity = 4 | ||
|
|
||
| rule { | ||
| description = "Test Drift Rule Description" | ||
| enabled = true | ||
|
|
||
| exceptions { | ||
| items = ["/usr/bin/sh"] | ||
| } | ||
| prohibited_binaries { | ||
| items = ["/usr/bin/curl"] | ||
| } | ||
| } | ||
|
|
||
| actions { | ||
| prevent_drift = true | ||
| } | ||
|
|
||
| } | ||
|
|
||
| data "sysdig_secure_drift_policy" "policy_2" { | ||
| name = sysdig_secure_drift_policy.policy_1.name | ||
| depends_on = [sysdig_secure_drift_policy.policy_1] | ||
| } | ||
| `, name, name) | ||
| } |
Oops, something went wrong.
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should the message be more clear here "custom AWS ML policy"? Similarly for other types