diff --git a/sysdig/data_source_sysdig_secure_policy.go b/sysdig/data_source_sysdig_secure_policy.go index 818f67827..806458f61 100644 --- a/sysdig/data_source_sysdig_secure_policy.go +++ b/sysdig/data_source_sysdig_secure_policy.go @@ -80,6 +80,11 @@ func createPolicyDataSourceSchema() map[string]*schema.Schema { Optional: true, Computed: true, }, + "kill_process": { + Type: schema.TypeString, + Optional: true, + Computed: true, + }, "capture": { Type: schema.TypeList, Optional: true, @@ -137,11 +142,9 @@ func policyDataSourceToResourceData(policy v2.Policy, d *schema.ResourceData) { _ = d.Set("runbook", policy.Runbook) actions := []map[string]interface{}{{}} + for _, action := range policy.Actions { - if action.Type != "POLICY_ACTION_CAPTURE" { - action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1) - actions[0]["container"] = strings.ToLower(action) - } else { + if action.Type == "POLICY_ACTION_CAPTURE" { actions[0]["capture"] = []map[string]interface{}{{ "seconds_after_event": action.AfterEventNs / 1000000000, "seconds_before_event": action.BeforeEventNs / 1000000000, @@ -150,6 +153,12 @@ func policyDataSourceToResourceData(policy v2.Policy, d *schema.ResourceData) { "bucket_name": action.BucketName, "folder": action.Folder, }} + + } else if action.Type == "POLICY_ACTION_KILL_PROCESS" { + actions[0]["kill_process"] = "true" + } else { + action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1) + actions[0]["container"] = strings.ToLower(action) } } diff --git a/sysdig/resource_sysdig_secure_custom_policy_test.go b/sysdig/resource_sysdig_secure_custom_policy_test.go index 0591a1633..cf80c8cb3 100644 --- a/sysdig/resource_sysdig_secure_custom_policy_test.go +++ b/sysdig/resource_sysdig_secure_custom_policy_test.go @@ -48,6 +48,9 @@ func TestAccCustomPolicy(t *testing.T) { { Config: customPoliciesWithDisabledRules(rText()), }, + { + Config: customPoliciesWithKillProcessAction(rText()), + }, } if !buildinfo.OnpremSecure { 
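Review bot: The added `kill_process` entry is declared `Type: schema.TypeString` here, while the same attribute is declared `schema.TypeBool` by `ContainerKillProcessActionSchema` in schema.go in this same commit, so the data source and the resource disagree on the attribute's type. Anyone comparing `actions.0.kill_process` between the two objects gets `"true"` on one side and `true` on the other, and a later change of the resource type would not be caught by the data source. Suggest `Type: schema.TypeBool,` with `Optional`/`Computed` kept as they are, and a bool value in `policyDataSourceToResourceData`. createPolicyDataSourceSchema begins and ends outside the hunk.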
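Review bot: The new trailing `else` is a catch-all: every action type other than `POLICY_ACTION_CAPTURE` and `POLICY_ACTION_KILL_PROCESS` is lower-cased into `container`, so an action such as the `POLICY_ACTION_PREVENT_MALWARE` this provider itself appends in addActionsToPolicy would surface as `container = "prevent_malware"` unless it is filtered before this loop. Since the documented container values are only stop, pause and kill, an explicit `switch action.Type` listing `"POLICY_ACTION_STOP", "POLICY_ACTION_PAUSE", "POLICY_ACTION_KILL"` for the container case and ignoring (or logging) anything else would keep unknown enforcement types out of state. The literal `"true"` on the kill_process branch exists only because the data-source schema is a string; if that schema becomes TypeBool this should be `actions[0]["kill_process"] = true`. policyDataSourceToResourceData starts outside the hunk.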
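Review bot: The added step only applies `customPoliciesWithKillProcessAction(rText())` with no `Check`, so it would still pass if the KILL_PROCESS action were dropped on create or lost on read; the round trip through `addActionsToPolicy` and `commonPolicyToResourceData` is exactly what this commit introduces. Add an attribute check on the step, e.g. `Check: resource.TestCheckResourceAttr("sysdig_secure_custom_policy.sample10", "actions.0.kill_process", "true"),` (presumably the helper/resource package is already imported by this test file — confirm). TestAccCustomPolicy continues past the hunk.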
@@ -222,8 +225,8 @@ resource "sysdig_secure_custom_policy" "sample_%d" { func customPoliciesWithKillAction(name string) (res string) { return fmt.Sprintf(` -resource "sysdig_secure_custom_policy" "sample" { - name = "TERRAFORM TEST 1 %s" +resource "sysdig_secure_custom_policy" "sample10" { + name = "TERRAFORM TEST 10 %s" description = "TERRAFORM TEST %s" enabled = true severity = 4 @@ -241,6 +244,27 @@ resource "sysdig_secure_custom_policy" "sample" { `, name, name) } +func customPoliciesWithKillProcessAction(name string) (res string) { + return fmt.Sprintf(` +resource "sysdig_secure_custom_policy" "sample10" { + name = "TERRAFORM TEST 1 %s" + description = "TERRAFORM TEST %s" + enabled = true + severity = 4 + scope = "container.id != \"\"" + + rules { + name = "Terminal shell in container" + enabled = true + } + + actions { + kill_process = "true" + } +} +`, name, name) +} + func customPoliciesForAWSCloudtrail(name string) string { return fmt.Sprintf(` resource "sysdig_secure_custom_policy" "sample4" { diff --git a/sysdig/resource_sysdig_secure_policy.go b/sysdig/resource_sysdig_secure_policy.go index 7e876f951..2ffdec289 100644 --- a/sysdig/resource_sysdig_secure_policy.go +++ b/sysdig/resource_sysdig_secure_policy.go @@ -121,11 +121,7 @@ func commonPolicyToResourceData(policy *v2.Policy, d *schema.ResourceData) { actions := []map[string]interface{}{{}} for _, action := range policy.Actions { - if action.Type != "POLICY_ACTION_CAPTURE" { - action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1) - actions[0]["container"] = strings.ToLower(action) - // d.Set("actions.0.container", strings.ToLower(action)) - } else { + if action.Type == "POLICY_ACTION_CAPTURE" { actions[0]["capture"] = []map[string]interface{}{{ "seconds_after_event": action.AfterEventNs / 1000000000, "seconds_before_event": action.BeforeEventNs / 1000000000, 
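Review bot: `kill_process = "true"` is a quoted string for an attribute the resource schema declares as `schema.TypeBool`; Terraform coerces it, but the test should exercise the declared type with `kill_process = true`. The new config also reuses the resource address `sample10` that customPoliciesWithKillAction was just renamed to, and the policy name `TERRAFORM TEST 1 %s`, so the step after the kill-action step updates the same address in place instead of creating a separate policy, and the name may clash with another config if the backend requires unique policy names. Giving it its own address and number, e.g. `resource "sysdig_secure_custom_policy" "sample11" {` and `name = "TERRAFORM TEST 11 %s"`, avoids both.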
@@ -134,6 +130,12 @@ func commonPolicyToResourceData(policy *v2.Policy, d *schema.ResourceData) { "bucket_name": action.BucketName, "folder": action.Folder, }} + + } else if action.Type == "POLICY_ACTION_KILL_PROCESS" { + actions[0]["kill_process"] = true + } else { + action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1) + actions[0]["container"] = strings.ToLower(action) } } @@ -214,6 +216,11 @@ func addActionsToPolicy(d *schema.ResourceData, policy *v2.Policy) { policy.Actions = append(policy.Actions, v2.Action{Type: "POLICY_ACTION_PREVENT_MALWARE"}) } + killProcessAction, ok := d.GetOk("actions.0.kill_process") + if ok && killProcessAction.(bool) { + policy.Actions = append(policy.Actions, v2.Action{Type: "POLICY_ACTION_KILL_PROCESS"}) + } + containerAction := d.Get("actions.0.container").(string) if containerAction != "" { containerAction = strings.ToUpper("POLICY_ACTION_" + containerAction) diff --git a/sysdig/schema.go b/sysdig/schema.go index ca8d93c51..51bf024f0 100644 --- a/sysdig/schema.go +++ b/sysdig/schema.go @@ -205,6 +205,14 @@ func ContainerActionSchema() *schema.Schema { } } +func ContainerKillProcessActionSchema() *schema.Schema { + return &schema.Schema{ + Type: schema.TypeBool, + Optional: true, + Default: false, + } +} + func ContainerActionComputedSchema() *schema.Schema { return &schema.Schema{ Type: schema.TypeString, @@ -448,8 +456,9 @@ func createPolicySchema(original map[string]*schema.Schema) map[string]*schema.S Optional: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "container": ContainerActionSchema(), - "capture": CaptureActionSchema(), + "container": ContainerActionSchema(), + "kill_process": ContainerKillProcessActionSchema(), + "capture": CaptureActionSchema(), }, }, }, diff --git a/website/docs/d/secure_custom_policy.md b/website/docs/d/secure_custom_policy.md index 8aed8ee1c..8ed440e1f 100644 --- a/website/docs/d/secure_custom_policy.md +++ b/website/docs/d/secure_custom_policy.md 
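Review bot: The trailing `else` added here treats any action type that is not CAPTURE or KILL_PROCESS as a container action, so a `POLICY_ACTION_PREVENT_MALWARE` returned by the API (which addActionsToPolicy in this same file sends) would be written back as `container = "prevent_malware"` unless it is handled before this loop; on the next plan that value would be re-upper-cased and sent as a container action. An explicit switch limited to the documented container values keeps unknown enforcement types out of state and reads more clearly than the if/else-if chain; `strings.TrimPrefix` also says what the `strings.Replace(..., 1)` call does. If `prevent_malware` is read back from this loop elsewhere today, keep that behaviour in the default case rather than dropping it. commonPolicyToResourceData starts outside the hunk.
```go
	for _, action := range policy.Actions {
		switch action.Type {
		case "POLICY_ACTION_CAPTURE":
			// … unchanged: capture block …
		case "POLICY_ACTION_KILL_PROCESS":
			actions[0]["kill_process"] = true
		case "POLICY_ACTION_STOP", "POLICY_ACTION_PAUSE", "POLICY_ACTION_KILL":
			actions[0]["container"] = strings.ToLower(strings.TrimPrefix(action.Type, "POLICY_ACTION_"))
		default:
			// Unknown enforcement action: do not misreport it as a container action.
		}
	}
```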
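Review bot: `ok && killProcessAction.(bool)` is redundant: `GetOk` already reports `ok == false` for the zero value, so the whole addition can be `if d.Get("actions.0.kill_process").(bool) { policy.Actions = append(policy.Actions, v2.Action{Type: "POLICY_ACTION_KILL_PROCESS"}) }`. Because this is an enforcement action that terminates the triggering process on the workload, a one-line comment such as `// kill_process is destructive: the agent terminates the process that matched the rule.` would help reviewers of policy configs. The code also lets KILL_PROCESS be sent together with a `container` stop/pause/kill action; whether the backend accepts that combination is not visible here and is worth confirming. addActionsToPolicy continues past the hunk.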
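Review bot: The new exported `ContainerKillProcessActionSchema` has no doc comment, and its name says "Container" although the attribute it describes acts at the process level (the docs in this commit distinguish it from the container-level `container` action). Since the function is new, `KillProcessActionSchema` would be the clearer name; either way add a comment such as `// ContainerKillProcessActionSchema declares the boolean actions.0.kill_process attribute; it defaults to false, in which case no POLICY_ACTION_KILL_PROCESS action is sent.` The surrounding schema.go declarations are cut at both ends of the hunk.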
@@ -58,6 +58,10 @@ The actions block is optional and supports: triggered. Can be *stop*, *pause* or *kill*. If this is not specified, no action will be applied at the container level. +* `kill_process` - (Optional) Whether to kill the process that triggered the rule. + If this is not specified, + no action will be applied at the process level. + * `capture` - (Optional) Captures with Sysdig the stream of system calls: * `seconds_before_event` - (Required) Captures the system calls during the amount of seconds before the policy was triggered. diff --git a/website/docs/r/secure_custom_policy.md b/website/docs/r/secure_custom_policy.md index 79c2f8e14..a489c5da9 100644 --- a/website/docs/r/secure_custom_policy.md +++ b/website/docs/r/secure_custom_policy.md @@ -81,6 +81,9 @@ The actions block is optional and supports: triggered. Can be *stop*, *pause* or *kill*. If this is not specified, no action will be applied at the container level. +* `kill_process` - (Optional) Whether to kill the process that triggered the rule. + If this is not specified, + no action will be applied at the process level. * `capture` - (Optional) Captures with Sysdig the stream of system calls: * `seconds_before_event` - (Required) Captures the system calls during the amount of seconds before the policy was triggered.