diff --git a/sysdig/resource_sysdig_secure_policy.go b/sysdig/resource_sysdig_secure_policy.go
index 2ffdec289..fa5948f31 100644
--- a/sysdig/resource_sysdig_secure_policy.go
+++ b/sysdig/resource_sysdig_secure_policy.go
@@ -32,6 +32,7 @@ var validatePolicyType = validation.StringInSlice([]string{
 "drift",
 "aws_machine_learning",
 "machine_learning",
+ "guardduty",
 }, false)
 
 func resourceSysdigSecurePolicy() *schema.Resource {
diff --git a/sysdig/resource_sysdig_secure_policy_test.go b/sysdig/resource_sysdig_secure_policy_test.go
index 603f8c0d8..a0682eb96 100644
--- a/sysdig/resource_sysdig_secure_policy_test.go
+++ b/sysdig/resource_sysdig_secure_policy_test.go
@@ -56,6 +56,7 @@ func TestAccPolicy(t *testing.T) {
 resource.TestStep{Config: policiesForFalcoCloudAWSCloudtrail(rText())},
 resource.TestStep{Config: policiesForOkta(rText())},
 resource.TestStep{Config: policiesForGithub(rText())},
+ resource.TestStep{Config: policiesForGuardDuty(rText())},
 )
 }
 }
@@ -254,3 +255,14 @@ resource "sysdig_secure_policy" "sample9" {
 }
 `, name, name)
 }
+
+func policiesForGuardDuty(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_policy" "sample10" {
+ name = "TERRAFORM TEST 4 %s"
+ description = "TERRAFORM TEST %s"
+ type = "guardduty"
+ actions {}
+}
+`, name, name)
+}
diff --git a/sysdig/resource_sysdig_secure_rule_falco.go b/sysdig/resource_sysdig_secure_rule_falco.go
index fe4bdf2e7..197a9d3ef 100644
--- a/sysdig/resource_sysdig_secure_rule_falco.go
+++ b/sysdig/resource_sysdig_secure_rule_falco.go
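Review bot: The accepted type strings are now hand-maintained in three places that already disagree: `validatePolicyType` here, `validateFalcoRuleSource` in resource_sysdig_secure_rule_falco.go (also extended by this commit), and the nine website pages, where secure_managed_ruleset.md lists neither `gcp_auditlog` nor `azure_platformlogs` while its sibling pages do, and no page mentions `drift`, `aws_machine_learning` or `machine_learning`, which this validator accepts. A comment above the slice, `// Keep in sync with validateFalcoRuleSource and the type/source lists under website/docs.`, would at least make the coupling visible to the next person adding a source, and the ruleset page should get the same list as its siblings. This validator is what turns a typo in a Terraform config into a plan-time error instead of an opaque API failure, so the documented and accepted sets should be identical.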
@@ -18,7 +18,7 @@ import (
 "github.com/spf13/cast"
 )
 
-var validateFalcoRuleSource = validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github"}, false)
+var validateFalcoRuleSource = validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", "guardduty"}, false)
 
 func resourceSysdigSecureRuleFalco() *schema.Resource {
 timeout := 5 * time.Minute
diff --git a/sysdig/resource_sysdig_secure_rule_falco_test.go b/sysdig/resource_sysdig_secure_rule_falco_test.go
index 1ab11b231..0779d7c84 100644
--- a/sysdig/resource_sysdig_secure_rule_falco_test.go
+++ b/sysdig/resource_sysdig_secure_rule_falco_test.go
@@ -285,6 +285,24 @@ func TestRuleGithubAppends(t *testing.T) {
 runTest(steps, t)
 }
 
+func TestRuleGuardDuty(t *testing.T) {
+ steps := []resource.TestStep{
+ {
+ Config: ruleGuardDuty(randomString()),
+ },
+ }
+ runTest(steps, t)
+}
+
+func TestRuleGuardDutyAppends(t *testing.T) {
+ steps := []resource.TestStep{
+ {
+ Config: ruleGuardDutyWithAppend(),
+ },
+ }
+ runTest(steps, t)
+}
+
 func randomString() string { return acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum) }
 
 func runTest(steps []resource.TestStep, t *testing.T) {
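Review bot: `TestRuleGuardDutyAppends` runs `ruleGuardDutyWithAppend()` with no randomised name, unlike `TestRuleGuardDuty`, so it depends on the fixed managed rule `GuardDuty High Severity Finding on Container` existing in the account the acceptance tests run against, and two concurrent runs would both try to attach the same exception to it. That appears to follow the pattern of the existing `github_append` fixture, so it may be acceptable, but it is not stated anywhere; a one-line comment on the test, `// Appends an exception to a Sysdig-managed rule; requires that rule to exist in the test account.`, would make the precondition explicit.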
@@ -564,3 +582,32 @@ resource "sysdig_secure_rule_falco" "github_append" {
 }
 }`
 }
+
+func ruleGuardDuty(name string) string {
+ return fmt.Sprintf(`
+ resource "sysdig_secure_rule_falco" "guardduty" {
+ name = "TERRAFORM TEST %[1]s - GuardDuty"
+ description = "TERRAFORM TEST %[1]s"
+ tags = ["guardduty"]
+
+ condition = "guardduty.resourceType=\"Container\""
+ output = "GuardDuty Event received (account ID=%%guardduty.accountId)"
+ priority = "debug"
+ source = "guardduty"
+ }`, name, name)
+}
+
+func ruleGuardDutyWithAppend() string {
+ return `
+ resource "sysdig_secure_rule_falco" "guardduty_append" {
+ name = "GuardDuty High Severity Finding on Container"
+ source = "guardduty"
+ append = true
+ exceptions {
+ name = "resource_type_tf"
+ fields = ["guardduty.resourceType"]
+ comps = ["="]
+ values = jsonencode([ ["Amazon S2"] ])
+ }
+ }`
+}
diff --git a/website/docs/d/secure_custom_policy.md b/website/docs/d/secure_custom_policy.md
index 8ed440e1f..28b7e59f6 100644
--- a/website/docs/d/secure_custom_policy.md
+++ b/website/docs/d/secure_custom_policy.md
@@ -26,7 +26,7 @@ data "sysdig_secure_custom_policy" "example" { * `name` - (Required) The name of the Secure custom policy. * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, - `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`. + `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`. ## Attributes Reference
diff --git a/website/docs/d/secure_managed_policy.md b/website/docs/d/secure_managed_policy.md
index ab8ce6b5f..76d2bdd36 100644
--- a/website/docs/d/secure_managed_policy.md
+++ b/website/docs/d/secure_managed_policy.md
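Review bot: `ruleGuardDuty` formats its template with `%[1]s` only, so the second `name` in `}`, name, name)` is never consumed; fmt skips the `%!(EXTRA ...)` check once explicit indexes are used, which is why nothing complains, but the call should read `}`, name)`. The sibling `policiesForGuardDuty` added to resource_sysdig_secure_policy_test.go uses plain `%s` twice with both arguments, so the two new helpers in this commit mix conventions; picking one keeps the next copy-paste from inheriting a dead argument. In `ruleGuardDutyWithAppend`, the exception value `"Amazon S2"` reads like a typo for `"Amazon S3"` if it is meant to be a real GuardDuty resource type, though it may be deliberate if the test only needs an exception that never matches anything; either way a short comment such as `// placeholder resource type; only exercises the append path` would settle it.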
@@ -26,7 +26,7 @@ data "sysdig_secure_managed_policy" "example" { * `name` - (Required) The name of the Secure managed policy. * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, - `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`. + `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`. ## Attributes Reference diff --git a/website/docs/d/secure_managed_ruleset.md b/website/docs/d/secure_managed_ruleset.md index 479eaecfa..f2e204a5d 100644 --- a/website/docs/d/secure_managed_ruleset.md +++ b/website/docs/d/secure_managed_ruleset.md @@ -26,7 +26,7 @@ data "sysdig_secure_managed_ruleset" "example" { * `name` - (Required) The name of the Secure managed ruleset. * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, - `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`. + `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`. ## Attributes Reference diff --git a/website/docs/r/secure_custom_policy.md b/website/docs/r/secure_custom_policy.md index a489c5da9..e81b3a7e1 100644 --- a/website/docs/r/secure_custom_policy.md +++ b/website/docs/r/secure_custom_policy.md 
@@ -60,7 +60,7 @@ resource "sysdig_secure_custom_policy" "write_apt_database" { * `enabled` - (Optional) Will secure process with this rule?. By default this is true. * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, - `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`. + `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`. * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy. - - - diff --git a/website/docs/r/secure_managed_policy.md b/website/docs/r/secure_managed_policy.md index 2f4e66c77..ac14bff7f 100644 --- a/website/docs/r/secure_managed_policy.md +++ b/website/docs/r/secure_managed_policy.md @@ -51,7 +51,7 @@ resource "sysdig_secure_managed_policy" "sysdig_runtime_threat_detection" { * `name` - (Required) The name of the Secure managed policy. It must match the name of an existing managed policy. * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, - `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`. + `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`. * `enabled` - (Optional) Will secure process with this policy?. By default this is true. diff --git a/website/docs/r/secure_managed_ruleset.md b/website/docs/r/secure_managed_ruleset.md index 55ab6c1b2..edbc43d0d 100644 --- a/website/docs/r/secure_managed_ruleset.md +++ b/website/docs/r/secure_managed_ruleset.md 
@@ -59,7 +59,7 @@ resource "sysdig_secure_managed_ruleset" "sysdig_runtime_threat_detection_manage * `enabled` - (Optional) Will secure process with this rule?. By default this is true. -* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`. By default it is `falco`. +* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`. * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy. - - - @@ -70,7 +70,7 @@ The `inherited_from` block is required and identifies the managed policy that th * `name` - (Required) The name of the Secure managed policy. It must match the name of an existing managed policy. -* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`. By default it is `falco`. +* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`. - - - diff --git a/website/docs/r/secure_policy.md b/website/docs/r/secure_policy.md index 8779f778f..260ffb1d9 100644 --- a/website/docs/r/secure_policy.md +++ b/website/docs/r/secure_policy.md 
@@ -60,7 +60,7 @@ resource "sysdig_secure_policy" "write_apt_database" { * `enabled` - (Optional) Will secure process with this rule?. By default this is true. * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, - `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`. + `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`. * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy. - - - diff --git a/website/docs/r/secure_rule_falco.md b/website/docs/r/secure_rule_falco.md index 33a236e4e..6b6f696ae 100644 --- a/website/docs/r/secure_rule_falco.md +++ b/website/docs/r/secure_rule_falco.md @@ -23,7 +23,7 @@ resource "sysdig_secure_rule_falco" "example" { condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint" output = "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)" priority = "notice" - source = "syscall" // syscall, k8s_audit, aws_cloudtrail, gcp_auditlog, azure_platformlogs, awscloudtrail okta, github + source = "syscall" // syscall, k8s_audit, aws_cloudtrail, gcp_auditlog, azure_platformlogs, awscloudtrail, okta, github, guardduty exceptions { 
@@ -64,7 +64,7 @@ The following arguments are supported: * `condition` - (Required) A [Falco condition](https://falco.org/docs/rules/) is simply a Boolean predicate on Sysdig events expressed using the Sysdig [filter syntax](http://www.sysdig.org/wiki/sysdig-user-guide/#filtering) and macro terms. * `output` - (Optional) Add additional information to each Falco notification's output. Required if append is false. * `priority` - (Optional) The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning". -* `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", or "github". Required if append is false. +* `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", or "guardduty". Required if append is false. * `exceptions` - (Optional) The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details. * `append` - (Optional) This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.