diff --git a/sysdig/common.go b/sysdig/common.go
index 9ef82056d..01d83aab7 100644
--- a/sysdig/common.go
+++ b/sysdig/common.go
@@ -27,9 +27,12 @@ const (
 	SchemaCreatedDateKey = "date_created"
 	SchemaMinKubeVersionKey = "min_kube_version"
 	SchemaMaxKubeVersionKey = "max_kube_version"
+	SchemaMinVersionKey = "min_version"
+	SchemaMaxVersionKey = "max_version"
 	SchemaIsCustomKey = "is_custom"
 	SchemaIsActiveKey = "is_active"
 	SchemaPlatformKey = "platform"
+	SchemaTargetKey = "target"
 	SchemaZonesKey = "zones"
 	SchemaZonesIDsKey = "zone_ids"
 	SchemaAllZones = "all_zones"
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
index 1a9f5bc17..fed051839 100644
--- a/sysdig/internal/client/v2/model.go
+++ b/sysdig/internal/client/v2/model.go
@@ -952,21 +952,29 @@ type PosturePolicy struct {
 }
 
 type FullPosturePolicy struct {
-	ID string `json:"id,omitempty"`
-	Name string `json:"name,omitempty"`
-	Type string `json:"type,omitempty"`
-	Description string `json:"description,omitempty"`
-	Version string `json:"version,omitempty"`
-	Link string `json:"link,omitempty"`
-	Authors string `json:"authors,omitempty"`
-	PublishedData string `json:"publishedDate,omitempty"`
-	RequirementsGroup []RequirementsGroup `json:"requirementFolders,omitempty"`
-	MinKubeVersion float64 `json:"minKubeVersion,omitempty"`
-	MaxKubeVersion float64 `json:"maxKubeVersion,omitempty"`
-	IsCustom bool `json:"isCustom,omitempty"`
-	IsActive bool `json:"isActive,omitempty"`
-	Platform string `json:"platform,omitempty"`
+	ID string `json:"id,omitempty"`
+	Name string `json:"name,omitempty"`
+	Type string `json:"type,omitempty"`
+	Description string `json:"description,omitempty"`
+	Version string `json:"version,omitempty"`
+	Link string `json:"link,omitempty"`
+	Authors string `json:"authors,omitempty"`
+	PublishedData string `json:"publishedDate,omitempty"`
+	RequirementsGroup []RequirementsGroup `json:"requirementFolders,omitempty"`
+	MinKubeVersion float64 `json:"minKubeVersion,omitempty"`
+	MaxKubeVersion float64 `json:"maxKubeVersion,omitempty"`
+	IsCustom bool `json:"isCustom,omitempty"`
+	IsActive bool `json:"isActive,omitempty"`
+	Platform string `json:"platform,omitempty"`
+	VersionConstraints []VersionConstraint `json:"targets,omitempty"`
+}
+
+type VersionConstraint struct {
+	Platform string `json:"platform"`
+	MinVersion float64 `json:"minVersion,omitempty"`
+	MaxVersion float64 `json:"maxVersion,omitempty"`
 }
+
 type RequirementsGroup struct {
 	ID string `json:"id,omitempty"`
 	Name string `json:"name,omitempty"`
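Review bot: `VersionConstraint` is a new exported type with no doc comment, and its `MinVersion`/`MaxVersion` are `float64`, so versions such as `1.3` and `1.30` become the same value once parsed; this mirrors the existing `MinKubeVersion`/`MaxKubeVersion` fields, but it is new API surface that is meant to replace them. If the backend's `minVersion`/`maxVersion` are numeric this cannot change here, but it should be stated on the type, e.g. `// VersionConstraint restricts a policy to one platform and a numeric version range; versions are floats, so 1.30 and 1.3 compare equal.` Note also that `Platform` has no `omitempty` while the version fields do, so an element with an empty platform is still sent as `"platform":""`, and `omitempty` drops a min or max that was deliberately set to `0`; both are worth a comment if intended.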
@@ -992,17 +1000,18 @@ type Control struct {
 }
 
 type CreatePosturePolicy struct {
-	ID string `json:"id,omitempty"`
-	Name string `json:"name,omitempty"`
-	Description string `json:"description,omitempty"`
-	Type string `json:"type,omitempty"`
-	Link string `json:"link,omitempty"`
-	Version string `json:"version,omitempty"`
-	RequirementGroups []CreateRequirementsGroup `json:"groups,omitempty"`
-	MinKubeVersion float64 `json:"minKubeVersion,omitempty"`
-	MaxKubeVersion float64 `json:"maxKubeVersion,omitempty"`
-	IsActive bool `json:"isActive,omitempty"`
-	Platform string `json:"platform,omitempty"`
+	ID string `json:"id,omitempty"`
+	Name string `json:"name,omitempty"`
+	Description string `json:"description,omitempty"`
+	Type string `json:"type,omitempty"`
+	Link string `json:"link,omitempty"`
+	Version string `json:"version,omitempty"`
+	RequirementGroups []CreateRequirementsGroup `json:"groups,omitempty"`
+	MinKubeVersion float64 `json:"minKubeVersion,omitempty"`
+	MaxKubeVersion float64 `json:"maxKubeVersion,omitempty"`
+	IsActive bool `json:"isActive,omitempty"`
+	Platform string `json:"platform,omitempty"`
+	VersionConstraints []VersionConstraint `json:"targets,omitempty"`
 }
 
 type CreateRequirementsGroup struct {
diff --git a/sysdig/resource_sysdig_secure_posture_policy.go b/sysdig/resource_sysdig_secure_posture_policy.go
index 2db78659e..a04a905eb 100644
--- a/sysdig/resource_sysdig_secure_posture_policy.go
+++ b/sysdig/resource_sysdig_secure_posture_policy.go
@@ -156,6 +156,7 @@ func resourceSysdigSecurePosturePolicy() *schema.Resource {
 			SchemaTypeKey: {
 				Type: schema.TypeString,
 				Optional: true,
+				Default: "Unknown",
 			},
 			SchemaLinkKey: {
 				Type: schema.TypeString,
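Review bot: Adding `Default: "Unknown"` to the previously default-less `type` attribute changes what every configuration that omits `type` sends to the API, and existing state that holds `""` for it will now plan a change to `"Unknown"`; nothing in the commit explains the value, and the docs hunk in this commit does not appear to mention it. If `"Unknown"` is a type the API accepts, say so next to the schema entry, e.g. `// "Unknown" is the API's placeholder type for policies that do not declare one`; if it is not, the default should be dropped rather than relying on the server to reject it on every apply. The enclosing `resourceSysdigSecurePosturePolicy` function starts and ends outside the hunk.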
@@ -178,7 +179,26 @@ func resourceSysdigSecurePosturePolicy() *schema.Resource {
 			SchemaPlatformKey: {
 				Type: schema.TypeString,
 				Optional: true,
-				Default: "",
+			},
+			SchemaTargetKey: {
+				Type: schema.TypeList,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						SchemaMinVersionKey: {
+							Type: schema.TypeFloat,
+							Optional: true,
+						},
+						SchemaMaxVersionKey: {
+							Type: schema.TypeFloat,
+							Optional: true,
+						},
+						SchemaPlatformKey: {
+							Type: schema.TypeString,
+							Optional: true,
+						},
+					},
+				},
 			},
 			SchemaGroupKey: {
 				Type: schema.TypeList,
@@ -198,18 +218,21 @@ func resourceSysdigSecurePosturePolicyCreateOrUpdate(ctx context.Context, d *sch
 	groups := extractGroupsRecursive(d.Get(SchemaGroupKey))
 
 	req := &v2.CreatePosturePolicy{
-		ID: getStringValue(d, SchemaIDKey),
-		Name: getStringValue(d, SchemaNameKey),
-		Type: getStringValue(d, SchemaTypeKey),
-		Description: getStringValue(d, SchemaDescriptionKey),
-		MinKubeVersion: getFloatValue(d, SchemaMinKubeVersionKey),
-		MaxKubeVersion: getFloatValue(d, SchemaMaxKubeVersionKey),
-		IsActive: getBoolValue(d, SchemaIsActiveKey),
-		Platform: getStringValue(d, SchemaPlatformKey),
-		Link: getStringValue(d, SchemaLinkKey),
-		RequirementGroups: groups,
+		ID: getStringValue(d, SchemaIDKey),
+		Name: getStringValue(d, SchemaNameKey),
+		Type: getStringValue(d, SchemaTypeKey),
+		Description: getStringValue(d, SchemaDescriptionKey),
+		MinKubeVersion: getFloatValue(d, SchemaMinKubeVersionKey),
+		MaxKubeVersion: getFloatValue(d, SchemaMaxKubeVersionKey),
+		IsActive: getBoolValue(d, SchemaIsActiveKey),
+		Platform: getStringValue(d, SchemaPlatformKey),
+		VersionConstraints: getVersionConstraintsValue(d, SchemaTargetKey),
+		Link: getStringValue(d, SchemaLinkKey),
+		RequirementGroups: groups,
 	}
+
 	new, errStatus, err := client.CreateOrUpdatePosturePolicy(ctx, req)
+
 	if err != nil {
 		return diag.Errorf("Error creating new policy with groups. error status: %s err: %s", errStatus, err)
 	}
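Review bot: In the new `SchemaTargetKey` block every nested attribute is `Optional`, including `platform`, yet the API model `VersionConstraint.Platform` is serialized without `omitempty`, so a `target {}` that omits the platform is sent as `"platform":""` and the server is left to decide what that constrains; if a constraint only makes sense for a named platform, `SchemaPlatformKey` inside this block should be `Required: true`. None of the three nested entries has a `Description`, which is what the schema-based docs tooling surfaces. Separately, the example added to `website/docs/r/secure_posture_policy.md` in this commit writes `minVersion`/`maxVersion` inside `target` and puts the opening `{` on the line after `target`, whereas the keys registered here are `min_version`/`max_version` (`SchemaMinVersionKey`/`SchemaMaxVersionKey` from common.go) and HCL requires the brace on the block-header line, so the documented example will not validate. The enclosing `resourceSysdigSecurePosturePolicy` function starts and ends outside the hunk.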
@@ -279,6 +302,11 @@ func resourceSysdigSecurePosturePolicyRead(ctx context.Context, d *schema.Resour
 		return diag.FromErr(err)
 	}
 
+	err = setVersionConstraints(d, SchemaTargetKey, policy.VersionConstraints)
+
+	if err != nil {
+		return diag.FromErr(err)
+	}
 	// Set groups
 	groupsData, err := setGroups(d, policy.RequirementsGroup)
 	if err != nil {
@@ -378,6 +406,33 @@ func getStringValue(d *schema.ResourceData, key string) string {
 	return ""
 }
 
+// Helper function to retrieve version constraints value from ResourceData and handle nil case
+func getVersionConstraintsValue(d *schema.ResourceData, key string) []v2.VersionConstraint {
+	pvc := []v2.VersionConstraint{}
+	versionContraintsMap, ok := d.Get(key).([]interface{})
+	if !ok {
+		return nil
+	}
+	for _, vc := range versionContraintsMap {
+		vcMap := vc.(map[string]interface{})
+		minVersion := 0.0
+		maxVersion := 0.0
+		if vcMap["min_version"] != nil {
+			minVersion = vcMap["min_version"].(float64)
+		}
+		if vcMap["max_version"] != nil {
+			maxVersion = vcMap["max_version"].(float64)
+		}
+		versionConstraint := v2.VersionConstraint{
+			MinVersion: minVersion,
+			MaxVersion: maxVersion,
+			Platform: vcMap["platform"].(string),
+		}
+		pvc = append(pvc, versionConstraint)
+	}
+	return pvc
+}
+
 // Helper function to retrieve float64 value from ResourceData and handle nil case
 func getFloatValue(d *schema.ResourceData, key string) float64 {
 	if value, ok := d.GetOk(key); ok {
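Review bot: `getVersionConstraintsValue` indexes the element map with the string literals `"min_version"`, `"max_version"` and `"platform"` although this commit defines `SchemaMinVersionKey`, `SchemaMaxVersionKey` and `SchemaPlatformKey` for exactly these names and uses them in the schema; `setVersionConstraints` in the next hunk repeats the literals. If a constant and a literal ever drift apart, the lookup returns nil and the helper silently sends a zero-valued constraint, so both helpers should use the constants. The inner assertions `vc.(map[string]interface{})`, `.(float64)` and `.(string)` are single-value and panic on a shape mismatch while the outer assertion on `d.Get(key)` returns `nil`; the two-value form yields the zero value and also makes the explicit nil pre-checks unnecessary. `versionContraintsMap` is misspelled and names a slice, not a map.
```go
func getVersionConstraintsValue(d *schema.ResourceData, key string) []v2.VersionConstraint {
	rawConstraints, ok := d.Get(key).([]interface{})
	if !ok {
		return nil
	}
	pvc := make([]v2.VersionConstraint, 0, len(rawConstraints))
	for _, vc := range rawConstraints {
		vcMap, _ := vc.(map[string]interface{})
		// Two-value assertions give 0 / "" when the key is absent or nil,
		// which is what the former explicit nil checks produced.
		minVersion, _ := vcMap[SchemaMinVersionKey].(float64)
		maxVersion, _ := vcMap[SchemaMaxVersionKey].(float64)
		platform, _ := vcMap[SchemaPlatformKey].(string)
		pvc = append(pvc, v2.VersionConstraint{
			Platform:   platform,
			MinVersion: minVersion,
			MaxVersion: maxVersion,
		})
	}
	return pvc
}
```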
@@ -442,3 +497,20 @@ func extractGroupsRecursive(data interface{}) []v2.CreateRequirementsGroup {
 
 	return groups
 }
+
+// Helper function to set version constraints in the Terraform schema
+func setVersionConstraints(d *schema.ResourceData, key string, constraints []v2.VersionConstraint) error {
+	var constraintsData []interface{}
+	for _, vc := range constraints {
+		constraint := map[string]interface{}{
+			"min_version": vc.MinVersion,
+			"max_version": vc.MaxVersion,
+			"platform": vc.Platform,
+		}
+		constraintsData = append(constraintsData, constraint)
+	}
+	if err := d.Set(key, constraintsData); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/website/docs/r/secure_posture_policy.md b/website/docs/r/secure_posture_policy.md
index 79a5551e9..1e8c549ed 100644
--- a/website/docs/r/secure_posture_policy.md
+++ b/website/docs/r/secure_posture_policy.md
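Review bot: The tail of `setVersionConstraints`, `if err := d.Set(key, constraintsData); err != nil { return err }` followed by `return nil`, is equivalent to `return d.Set(key, constraintsData)`. When `constraints` is empty, `constraintsData` stays `nil`, so the call clears the `target` list in state; that is presumably the intent for a policy the API reports without targets, and deserves a one-line comment such as `// nil clears the list when the policy has no targets`. The header comment should also state the mapping direction, e.g. `// setVersionConstraints writes the API's targets into the target block of the Terraform state under key.`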
@@ -16,41 +16,59 @@ Creates a Sysdig Secure Posture Policy. ```terraform resource "sysdig_secure_posture_policy" "example" { - name = "demo policy" - type = "kubernetes" - platform = "vanilla" - max_kube_version = 2.0 - description = "demo create policy from terraform" - group { - name = "Security" - description = "Security description" - requirement{ - name = "Security Enforce access control" - description = "Enforce description" - control { - name = "Create Pods" - enabled = false - } - control { - name = "Kubelet - Disabled AlwaysAllowed Authorization" - } - } + name = "demo policy" + type = "kubernetes" + platform = "Vanilla" // Currently supported, but will be deprecated in the future + min_kube_version = 1.5 // Currently supported, but will be deprecated in the future + max_kube_version = 2.0 // Currently supported, but will be deprecated in the future + description = "demo create policy from terraform" + + // New targets field to specify version constraints + target + { + platform = "Vanilla" + minVersion = 1.5 + maxVersion = 2.0 + } + + group { + name = "Security" + description = "Security description" + + requirement { + name = "Security Enforce access control" + description = "Enforce description" + + control { + name = "Create Pods" + enabled = false } - group { - name = "Data protection" - description = "Data protection description" - requirement{ - name = "Enforce access control" - description = "Enforce description" - control { - name = "Create Pods" - } - control { - name = "Kubelet - Disabled AlwaysAllowed Authorization" - } - } + + control { + name = "Kubelet - Disabled AlwaysAllowed Authorization" + } + } + } + + group { + name = "Data protection" + description = "Data protection description" + + requirement { + name = "Enforce access control" + description = "Enforce description" + + control { + name = "Create Pods" + } + + control { + name = "Kubelet - Disabled AlwaysAllowed Authorization" } + } + } } + ``` ## Argument Reference 
@@ -66,19 +84,32 @@ resource "sysdig_secure_posture_policy" "example" { - Linux - `linux` - Docker - `docker` - OCI - `oci` -* `min_kube_version` - (Optional) Policy minimum Kubernetes version, eg. `1.24` -* `max_kube_version` - (Optional) Policy maximum Kubernetes version, eg. `1.26` -* `is_active` - (Optional) Policy is active flag (active means policy is published, not active means policy is draft). by default is true. -* `platform` - (Optional) Policy platform: - - IKS - `iks`, - - GKE - `gke`, - - Vanilla - `vanilla`, - - AKS - `aks`, - - RKE2 - `rke2`, - - OCP4 - `ocp4`, - - MKE - `mke`, - - EKS - `eks`, -* `groups` - (Optional) Group block defines list of groups attached to Policy + * `platform`: (Optional) Platform for which the policy applies. This field will be deprecated in the future, and you should use the targets field instead to describe policy platform and version. Supported platforms include: + + IKS - iks + GKE - gke + Vanilla - vanilla + AKS - aks + RKE2 - rke2 + OCP4 - ocp4 + MKE - mke + EKS - eks + OCI - oci + +* `minKubeVersion`: (Optional) Policy minimum Kubernetes version, e.g., 1.24. This field will be deprecated in the future, and you should use the targets field instead to describe policy platform and version. + +* `maxKubeVersion`: (Optional) Policy maximum Kubernetes version, e.g., 1.26. This field will be deprecated in the future, and you should use the targets field instead to describe policy platform and version. + +* `target`:(Optional) Specifies target platforms and version ranges. This field should replace Platform, MinKubeVersion, and MaxKubeVersion for more flexible and detailed policy descriptions. + + Note: The fields Platform, MinKubeVersion, and MaxKubeVersion will be deprecated in the future. 
We recommend using the targets field now to describe policy platform and version constraints + +* `group` - (Optional) Group block defines list of groups attached to Policy + +### Targets block + - `platform` (Optional): Name of the target platform (e.g., IKS, AWS). + - `minVersion` (Optional): Minimum version of the platform.(e.g., 1.24) + - `maxVersion` (Optional): Maximum version of the platform. (e.g., 1.26) ### Groups block - `name` - (Required) The name of the Posture Policy Group.