diff --git a/sysdig/data_source_sysdig_secure_drift_policy.go b/sysdig/data_source_sysdig_secure_drift_policy.go
index 108dd0ebf..8f7600eec 100644
--- a/sysdig/data_source_sysdig_secure_drift_policy.go
+++ b/sysdig/data_source_sysdig_secure_drift_policy.go
@@ -47,15 +47,18 @@ func createDriftPolicyDataSourceSchema() map[string]*schema.Schema {
 Computed: true,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
- "id": ReadOnlyIntSchema(),
- "name": ReadOnlyStringSchema(),
- "description": DescriptionComputedSchema(),
- "tags": TagsSchema(),
- "version": VersionSchema(),
- "enabled": BoolComputedSchema(),
- "exceptions": ExceptionsComputedSchema(),
- "prohibited_binaries": ExceptionsComputedSchema(),
- "mounted_volume_drift_enabled": BoolComputedSchema(),
+ "id": ReadOnlyIntSchema(),
+ "name": ReadOnlyStringSchema(),
+ "description": DescriptionComputedSchema(),
+ "tags": TagsSchema(),
+ "version": VersionSchema(),
+ "enabled": BoolComputedSchema(),
+ "exceptions": ExceptionsComputedSchema(),
+ "prohibited_binaries": ExceptionsComputedSchema(),
+ "process_based_exceptions": ExceptionsComputedSchema(),
+ "process_based_prohibited_binaries": ExceptionsComputedSchema(),
+ "mounted_volume_drift_enabled": BoolComputedSchema(),
+ "use_regex": BoolComputedSchema(),
 },
 },
 },
diff --git a/sysdig/data_source_sysdig_secure_drift_policy_test.go b/sysdig/data_source_sysdig_secure_drift_policy_test.go
index 50064436f..c24752918 100644
--- a/sysdig/data_source_sysdig_secure_drift_policy_test.go
+++ b/sysdig/data_source_sysdig_secure_drift_policy_test.go
@@ -32,6 +32,12 @@ func TestAccDriftPolicyDataSource(t *testing.T) {
 {
 Config: driftPolicyDataSource(rText),
 },
+ {
+ Config: driftPolicyWithUseRegexDataSource(rText),
+ },
+ {
+ Config: driftPolicyWithProcessExceptionsDataSource(rText),
+ },
 },
 })
 }
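Review bot: The two new steps in TestAccDriftPolicyDataSource only apply a configuration and never read anything back, so a data source that silently dropped `use_regex` or the process-based lists would still pass; the step using `driftPolicyWithUseRegexDataSource` should at least assert the flag round-trips, e.g. `Check: resource.TestCheckResourceAttr("data.sysdig_secure_drift_policy.policy_2", "rule.0.use_regex", "true"),` (the attribute path assumes `rule` is a list block, as the resource schema suggests). The same applies to the process-based step for `rule.0.process_based_prohibited_binaries.0.items.0`. TestAccDriftPolicyDataSource starts outside the hunk.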
@@ -68,3 +74,78 @@ data "sysdig_secure_drift_policy" "policy_2" {
 }
 `, name, name)
 }
+
+func driftPolicyWithUseRegexDataSource(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "policy_1" {
+ name = "Test Drift Policy %s"
+ description = "Test Drift Policy Description %s"
+ enabled = true
+ severity = 4
+
+ rule {
+ description = "Test Drift Rule Description"
+ enabled = true
+ mounted_volume_drift_enabled = true
+ use_regex = true
+
+ exceptions {
+ items = ["/usr/bin/sh"]
+ }
+ prohibited_binaries {
+ items = ["/usr/bin/curl"]
+ }
+ process_based_exceptions {
+ items = ["/usr/bin/curl"]
+ }
+ process_based_prohibited_binaries {
+ items = ["/usr/bin/sh"]
+ }
+ }
+
+ actions {
+ prevent_drift = true
+ }
+
+}
+
+data "sysdig_secure_drift_policy" "policy_2" {
+ name = sysdig_secure_drift_policy.policy_1.name
+ depends_on = [sysdig_secure_drift_policy.policy_1]
+}
+`, name, name)
+}
+
+func driftPolicyWithProcessExceptionsDataSource(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "policy_1" {
+ name = "Test Drift Policy %s"
+ description = "Test Drift Policy Description %s"
+ enabled = true
+ severity = 4
+
+ rule {
+ description = "Test Drift Rule Description"
+ enabled = true
+ mounted_volume_drift_enabled = true
+
+ process_based_exceptions {
+ items = ["/usr/bin/curl"]
+ }
+ process_based_prohibited_binaries {
+ items = ["/usr/bin/sh"]
+ }
+ }
+
+ actions {
+ prevent_drift = true
+ }
+
+}
+
+data "sysdig_secure_drift_policy" "policy_2" {
+ name = sysdig_secure_drift_policy.policy_1.name
+ depends_on = [sysdig_secure_drift_policy.policy_1]
+}
+`, name, name)
+}
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
index bf6ee3d81..11ae15b72 100644
--- a/sysdig/internal/client/v2/model.go
+++ b/sysdig/internal/client/v2/model.go
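Review bot: In driftPolicyWithUseRegexDataSource every `items` entry is a plain path even though `use_regex = true`, so the step never exercises a pattern that differs from a literal match and would not catch an API or read path that rejects or mangles regex metacharacters; one entry such as `items = ["^/usr/bin/(sh|dash)$"]` in that configuration would. The same configuration also lists `/usr/bin/curl` under both `prohibited_binaries` and `process_based_exceptions`; if that overlap is intentional it deserves a one-line comment, because a reader cannot tell from the test which list is expected to take precedence. Whether the agent anchors patterns or does a substring search is not visible here, which is exactly why an anchored example in the test helps.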
@@ -419,6 +419,7 @@ type DriftRuleDetails struct {
 ProhibitedBinaries *RuntimePolicyRuleList `json:"prohibitedBinaries"`
 Mode string `json:"mode"`
 MountedVolumeDriftEnabled bool `json:"mountedVolumeDriftEnabled"`
+ UseRegex bool `json:"useRegex"`
 Details `json:"-"`
 }
 
diff --git a/sysdig/resource_sysdig_secure_drift_policy.go b/sysdig/resource_sysdig_secure_drift_policy.go
index d46202cbe..beafac2ab 100644
--- a/sysdig/resource_sysdig_secure_drift_policy.go
+++ b/sysdig/resource_sysdig_secure_drift_policy.go
@@ -67,6 +67,7 @@ func resourceSysdigSecureDriftPolicy() *schema.Resource {
 "process_based_exceptions": ExceptionsSchema(),
 "process_based_prohibited_binaries": ExceptionsSchema(),
 "mounted_volume_drift_enabled": BoolSchema(),
+ "use_regex": BoolSchema(),
 },
 },
 },
diff --git a/sysdig/resource_sysdig_secure_drift_policy_test.go b/sysdig/resource_sysdig_secure_drift_policy_test.go
index 8916f1f3d..5c3346a7f 100644
--- a/sysdig/resource_sysdig_secure_drift_policy_test.go
+++ b/sysdig/resource_sysdig_secure_drift_policy_test.go
@@ -42,6 +42,9 @@ func TestAccDriftPolicy(t *testing.T) {
 {
 Config: driftPolicyWithMountedVolumeDriftEnabled(rText()),
 },
+ {
+ Config: driftPolicyWithProcessBasedAndRegexEnabled(rText()),
+ },
 },
 })
 }
@@ -67,9 +70,9 @@ resource "sysdig_secure_drift_policy" "sample" {
 prohibited_binaries {
 items = ["/usr/bin/curl"]
 }
- process_based_exceptions {
+ process_based_exceptions {
 items = ["/usr/bin/curl"]
- }
+ }
 }
 
 actions {
@@ -103,9 +106,9 @@ resource "sysdig_secure_drift_policy" "sample" {
 prohibited_binaries {
 items = ["/usr/bin/curl"]
 }
- process_based_exceptions {
+ process_based_exceptions {
 items = ["/usr/bin/curl"]
- }
+ }
 }
 
 actions {
@@ -145,9 +148,9 @@ resource "sysdig_secure_drift_policy" "sample" {
 prohibited_binaries {
 items = ["/usr/bin/curl"]
 }
- process_based_exceptions {
+ process_based_exceptions {
 items = ["/usr/bin/curl"]
- }
+ }
 }
 
 actions {}
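Review bot: The new `"use_regex": BoolSchema()` entry in resourceSysdigSecureDriftPolicy changes how every item in `exceptions`, `prohibited_binaries`, `process_based_exceptions` and `process_based_prohibited_binaries` is interpreted, yet nothing in the schema says so, and an unanchored entry like `/usr/bin/sh` may then match more than the literal path if the agent does not anchor patterns (not visible here). A comment above the entry would make the blast radius explicit: `// use_regex: items of the four list blocks above are treated as regular expressions (agent >= 13.2.0); anchor patterns so an exception does not widen silently.` If BoolSchema cannot carry a Description, the same sentence belongs in the provider docs next to the agent-version note. resourceSysdigSecureDriftPolicy starts and ends outside the hunk.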
@@ -177,9 +180,9 @@ resource "sysdig_secure_drift_policy" "sample" { prohibited_binaries { items = ["/usr/bin/curl"] } - process_based_exceptions { + process_based_exceptions { items = ["/usr/bin/curl"] - } + } } actions { @@ -228,18 +231,52 @@ resource "sysdig_secure_drift_policy" "sample" { rule { description = "Test Drift Rule Description" mounted_volume_drift_enabled = true + enabled = true + + exceptions { + items = ["/usr/bin/sh"] + } + prohibited_binaries { + items = ["/usr/bin/curl"] + } + process_based_exceptions { + items = ["/usr/bin/curl"] + } + } +} + `, name) +} + +func driftPolicyWithProcessBasedAndRegexEnabled(name string) string { + return fmt.Sprintf(` +resource "sysdig_secure_drift_policy" "sample" { + + name = "Test Drift Policy %s" + description = "Test Drift Policy Description" + enabled = true + severity = 4 + rule { + description = "Test Drift Rule Description" + mounted_volume_drift_enabled = true + + enabled = true + use_regex = true + exceptions { items = ["/usr/bin/sh"] } prohibited_binaries { items = ["/usr/bin/curl"] } - process_based_exceptions { + process_based_exceptions { items = ["/usr/bin/curl"] } - } + process_based_prohibited_binaries { + items = ["/usr/bin/sh"] + } + } } `, name) } diff --git a/sysdig/tfresource.go b/sysdig/tfresource.go index c9e975f20..f00689858 100644 --- a/sysdig/tfresource.go +++ b/sysdig/tfresource.go @@ -216,6 +216,7 @@ func setTFResourcePolicyRulesDrift(d *schema.ResourceData, policy v2.PolicyRules "tags": rule.Tags, "enabled": enabled, "mounted_volume_drift_enabled": driftDetails.MountedVolumeDriftEnabled, + "use_regex": driftDetails.UseRegex, } if exceptionsBlock != nil { @@ -498,6 +499,7 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData } mountedVolumeDriftEnabled := d.Get("rule.0.mounted_volume_drift_enabled").(bool) + useRegex := d.Get("rule.0.use_regex").(bool) rule := &v2.RuntimePolicyRule{ // TODO: Do not hardcode the indexes 
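Review bot: `useRegex := d.Get("rule.0.use_regex").(bool)` in setPolicyRulesDrift forwards the flag but the list items are still sent as opaque strings, so a syntactically broken pattern is only discovered server- or agent-side, and the hunk gives no way to tell whether a pattern that fails to compile fails open or closed for the exception list. A cheap fail-fast is to run `regexp.Compile` over each item of the four lists when `useRegex` is true and return a wrapped error before the API call; that presumes the agent's dialect is RE2-compatible, which should be confirmed and stated in a comment, e.g. `// assumes agent regex dialect is RE2-compatible — TODO confirm`. A ValidateFunc on the schema would be the more conventional place if the provider already validates list items elsewhere. setPolicyRulesDrift starts outside the hunk.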
@@ -512,6 +514,7 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData
 ProcessBasedExceptions: &processBasedExceptions,
 ProcessBasedDenylist: &processBasedProhibitedBinaries,
 MountedVolumeDriftEnabled: mountedVolumeDriftEnabled,
+ UseRegex: useRegex,
 },
 }
 
diff --git a/website/docs/d/secure_drift_policy.md b/website/docs/d/secure_drift_policy.md
index 76e1b42cb..cebd5677b 100644
--- a/website/docs/d/secure_drift_policy.md
+++ b/website/docs/d/secure_drift_policy.md
@@ -78,5 +78,9 @@ The rule block is required and supports:
 * `items` - (Required) Specify comma separated list of exceptions, e.g. `/usr/bin/rm, /usr/bin/curl`.
 * `prohibited_binaries` - (Optional) A prohibited binary can be a known harmful binary or one that facilitates discovery of your environment.
 * `items` - (Required) Specify comma separated list of prohibited binaries, e.g. `/usr/bin/rm, /usr/bin/curl`.
-
-
+* `process_based_exceptions` - (Optional) List of processes that will be able to execute a drifted file
+ * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
+* `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file
+ * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
+* `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled.
+* `use_regex` - (Optional) Pass exceptions and prohibited binaries as regex strings. Requires agent version 13.2.0 and above
diff --git a/website/docs/r/secure_drift_policy.md b/website/docs/r/secure_drift_policy.md
index 45419233d..4e2700510 100644
--- a/website/docs/r/secure_drift_policy.md
+++ b/website/docs/r/secure_drift_policy.md
@@ -123,6 +123,4 @@ The rule block is required and supports:
 * `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file
 * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
 * `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled.
-
-
-
+* `use_regex` - (Optional) Pass exceptions and prohibited binaries as regex strings. Requires agent version 13.2.0 and above