From 1f96ac545b1094df4ef4787d368e71e29c789d62 Mon Sep 17 00:00:00 2001 From: ombellare Date: Wed, 9 Jul 2025 18:33:35 -0700 Subject: [PATCH 1/3] Add support for additional secure drift policy fields --- .../data_source_sysdig_secure_drift_policy.go | 21 +++++++----- ..._source_sysdig_secure_drift_policy_test.go | 8 +++++ sysdig/internal/client/v2/model.go | 1 + sysdig/resource_sysdig_secure_drift_policy.go | 1 + ...esource_sysdig_secure_drift_policy_test.go | 33 ++++++++++++------- sysdig/tfresource.go | 3 ++ website/docs/d/secure_drift_policy.md | 8 +++-- website/docs/r/secure_drift_policy.md | 4 +-- 8 files changed, 53 insertions(+), 26 deletions(-) diff --git a/sysdig/data_source_sysdig_secure_drift_policy.go b/sysdig/data_source_sysdig_secure_drift_policy.go index 108dd0ebf..8f7600eec 100644 --- a/sysdig/data_source_sysdig_secure_drift_policy.go +++ b/sysdig/data_source_sysdig_secure_drift_policy.go @@ -47,15 +47,18 @@ func createDriftPolicyDataSourceSchema() map[string]*schema.Schema { Computed: true, Elem: &schema.Resource{ Schema: map[string]*schema.Schema{ - "id": ReadOnlyIntSchema(), - "name": ReadOnlyStringSchema(), - "description": DescriptionComputedSchema(), - "tags": TagsSchema(), - "version": VersionSchema(), - "enabled": BoolComputedSchema(), - "exceptions": ExceptionsComputedSchema(), - "prohibited_binaries": ExceptionsComputedSchema(), - "mounted_volume_drift_enabled": BoolComputedSchema(), + "id": ReadOnlyIntSchema(), + "name": ReadOnlyStringSchema(), + "description": DescriptionComputedSchema(), + "tags": TagsSchema(), + "version": VersionSchema(), + "enabled": BoolComputedSchema(), + "exceptions": ExceptionsComputedSchema(), + "prohibited_binaries": ExceptionsComputedSchema(), + "process_based_exceptions": ExceptionsComputedSchema(), + "process_based_prohibited_binaries": ExceptionsComputedSchema(), + "mounted_volume_drift_enabled": BoolComputedSchema(), + "use_regex": BoolComputedSchema(), }, }, }, 
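Review bot: The data source schema in createDriftPolicyDataSourceSchema now lists `process_based_exceptions` and `process_based_prohibited_binaries` as Computed, but the only read-side mapper touched in this series (setTFResourcePolicyRulesDrift in sysdig/tfresource.go) adds just `"use_regex"`; if the existing mapper does not already emit those two keys, the new attributes will silently stay empty in state rather than fail. Worth confirming against the rest of setTFResourcePolicyRulesDrift, which is outside the hunks shown, and covering it with a data source assertion on the process-based lists so a regression is visible in CI. The new schema entries otherwise mirror the resource schema, which is the right shape.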
diff --git a/sysdig/data_source_sysdig_secure_drift_policy_test.go b/sysdig/data_source_sysdig_secure_drift_policy_test.go index 50064436f..a903d76ea 100644 --- a/sysdig/data_source_sysdig_secure_drift_policy_test.go +++ b/sysdig/data_source_sysdig_secure_drift_policy_test.go @@ -47,6 +47,8 @@ resource "sysdig_secure_drift_policy" "policy_1" { rule { description = "Test Drift Rule Description" enabled = true + mounted_volume_drift_enabled = true + use_regex = true exceptions { items = ["/usr/bin/sh"] @@ -54,6 +56,12 @@ resource "sysdig_secure_drift_policy" "policy_1" { prohibited_binaries { items = ["/usr/bin/curl"] } + process_based_exceptions { + items = ["/usr/bin/curl"] + } + process_based_prohibited_binaries { + items = ["/usr/bin/sh"] + } } actions { diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go index bf6ee3d81..11ae15b72 100644 --- a/sysdig/internal/client/v2/model.go +++ b/sysdig/internal/client/v2/model.go @@ -419,6 +419,7 @@ type DriftRuleDetails struct { ProhibitedBinaries *RuntimePolicyRuleList `json:"prohibitedBinaries"` Mode string `json:"mode"` MountedVolumeDriftEnabled bool `json:"mountedVolumeDriftEnabled"` + UseRegex bool `json:"useRegex"` Details `json:"-"` } diff --git a/sysdig/resource_sysdig_secure_drift_policy.go b/sysdig/resource_sysdig_secure_drift_policy.go index d46202cbe..beafac2ab 100644 --- a/sysdig/resource_sysdig_secure_drift_policy.go +++ b/sysdig/resource_sysdig_secure_drift_policy.go @@ -67,6 +67,7 @@ func resourceSysdigSecureDriftPolicy() *schema.Resource { "process_based_exceptions": ExceptionsSchema(), "process_based_prohibited_binaries": ExceptionsSchema(), "mounted_volume_drift_enabled": BoolSchema(), + "use_regex": BoolSchema(), }, }, }, diff --git a/sysdig/resource_sysdig_secure_drift_policy_test.go b/sysdig/resource_sysdig_secure_drift_policy_test.go index 8916f1f3d..c4091119e 100644 --- a/sysdig/resource_sysdig_secure_drift_policy_test.go 
+++ b/sysdig/resource_sysdig_secure_drift_policy_test.go @@ -67,9 +67,6 @@ resource "sysdig_secure_drift_policy" "sample" { prohibited_binaries { items = ["/usr/bin/curl"] } - process_based_exceptions { - items = ["/usr/bin/curl"] - } } actions { @@ -96,6 +93,7 @@ resource "sysdig_secure_drift_policy" "sample" { description = "Test Drift Rule Description" enabled = true + use_regex = true exceptions { items = ["/usr/bin/sh"] @@ -103,9 +101,12 @@ resource "sysdig_secure_drift_policy" "sample" { prohibited_binaries { items = ["/usr/bin/curl"] } - process_based_exceptions { + process_based_exceptions { items = ["/usr/bin/curl"] - } + } + process_based_prohibited_binaries { + items = ["/usr/bin/sh"] + } } actions { @@ -138,6 +139,7 @@ resource "sysdig_secure_drift_policy" "sample" { description = "Test Drift Rule Description" enabled = true + use_regex = true exceptions { items = ["/usr/bin/sh"] @@ -145,9 +147,9 @@ resource "sysdig_secure_drift_policy" "sample" { prohibited_binaries { items = ["/usr/bin/curl"] } - process_based_exceptions { + process_based_exceptions { items = ["/usr/bin/curl"] - } + } } actions {} @@ -177,9 +179,12 @@ resource "sysdig_secure_drift_policy" "sample" { prohibited_binaries { items = ["/usr/bin/curl"] } - process_based_exceptions { + process_based_exceptions { items = ["/usr/bin/curl"] - } + } + process_based_prohibited_binaries { + items = ["/usr/bin/sh"] + } } actions { @@ -227,8 +232,9 @@ resource "sysdig_secure_drift_policy" "sample" { rule { description = "Test Drift Rule Description" - mounted_volume_drift_enabled = true + enabled = true + mounted_volume_drift_enabled = true exceptions { items = ["/usr/bin/sh"] @@ -236,10 +242,13 @@ resource "sysdig_secure_drift_policy" "sample" { prohibited_binaries { items = ["/usr/bin/curl"] } - process_based_exceptions { + process_based_exceptions { items = ["/usr/bin/curl"] } - } + process_based_prohibited_binaries { + items = ["/usr/bin/sh"] + } + } } `, name) } 
diff --git a/sysdig/tfresource.go b/sysdig/tfresource.go index c9e975f20..f00689858 100644 --- a/sysdig/tfresource.go +++ b/sysdig/tfresource.go @@ -216,6 +216,7 @@ func setTFResourcePolicyRulesDrift(d *schema.ResourceData, policy v2.PolicyRules "tags": rule.Tags, "enabled": enabled, "mounted_volume_drift_enabled": driftDetails.MountedVolumeDriftEnabled, + "use_regex": driftDetails.UseRegex, } if exceptionsBlock != nil { @@ -498,6 +499,7 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData } mountedVolumeDriftEnabled := d.Get("rule.0.mounted_volume_drift_enabled").(bool) + useRegex := d.Get("rule.0.use_regex").(bool) rule := &v2.RuntimePolicyRule{ // TODO: Do not hardcode the indexes @@ -512,6 +514,7 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData ProcessBasedExceptions: &processBasedExceptions, ProcessBasedDenylist: &processBasedProhibitedBinaries, MountedVolumeDriftEnabled: mountedVolumeDriftEnabled, + UseRegex: useRegex, }, } diff --git a/website/docs/d/secure_drift_policy.md b/website/docs/d/secure_drift_policy.md index 76e1b42cb..cebd5677b 100644 --- a/website/docs/d/secure_drift_policy.md +++ b/website/docs/d/secure_drift_policy.md 
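Review bot: In setPolicyRulesDrift the new `useRegex := d.Get("rule.0.use_regex").(bool)` is forwarded to the API without any check that the rule's `exceptions`, `prohibited_binaries` and process-based items actually compile as regular expressions, so a typo in a pattern is only rejected (or, worse, accepted with an unintended meaning) by the backend. Since an over-broad or malformed exception pattern widens what is exempt from drift prevention, I would validate early: when `useRegex` is true, run `regexp.Compile` over every item in the four lists and return an error naming the offending item, either here or in a `CustomizeDiff` on the resource so it fails at plan time. The list variables and the function's return type are outside the hunk, so the exact field to iterate needs confirming against v2.RuntimePolicyRuleList. It would also help callers to state in the schema or docs whether the backend anchors these patterns, which the diff does not say.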
@@ -78,5 +78,9 @@ The rule block is required and supports: * `items` - (Required) Specify comma separated list of exceptions, e.g. `/usr/bin/rm, /usr/bin/curl`. * `prohibited_binaries` - (Optional) A prohibited binary can be a known harmful binary or one that facilitates discovery of your environment. * `items` - (Required) Specify comma separated list of prohibited binaries, e.g. `/usr/bin/rm, /usr/bin/curl`. - - +* `process_based_exceptions` - (Optional) List of processes that will be able to execute a drifted file + * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`. +* `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file + * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`. +* `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled. +* `use_regex` - (Optional) Pass exceptions and prohibited binaries as regex strings. Requires agent version 13.2.0 and above diff --git a/website/docs/r/secure_drift_policy.md b/website/docs/r/secure_drift_policy.md index 45419233d..4e2700510 100644 --- a/website/docs/r/secure_drift_policy.md +++ b/website/docs/r/secure_drift_policy.md @@ -123,6 +123,4 @@ The rule block is required and supports: * `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`. * `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled. - - - +* `use_regex` - (Optional) Pass exceptions and prohibited binaries as regex strings. Requires agent version 13.2.0 and above From 86affe39f5e43b8d8271948c30fdaf2d89644f52 Mon Sep 17 00:00:00 2001 
From: ombellare Date: Wed, 16 Jul 2025 10:33:49 -0700 Subject: [PATCH 2/3] Address review comments --- ..._source_sysdig_secure_drift_policy_test.go | 73 +++++++++++++++++++ ...esource_sysdig_secure_drift_policy_test.go | 44 +++++++++-- 2 files changed, 109 insertions(+), 8 deletions(-) diff --git a/sysdig/data_source_sysdig_secure_drift_policy_test.go b/sysdig/data_source_sysdig_secure_drift_policy_test.go index a903d76ea..c24752918 100644 --- a/sysdig/data_source_sysdig_secure_drift_policy_test.go +++ b/sysdig/data_source_sysdig_secure_drift_policy_test.go @@ -32,6 +32,12 @@ func TestAccDriftPolicyDataSource(t *testing.T) { { Config: driftPolicyDataSource(rText), }, + { + Config: driftPolicyWithUseRegexDataSource(rText), + }, + { + Config: driftPolicyWithProcessExceptionsDataSource(rText), + }, }, }) } @@ -44,6 +50,39 @@ resource "sysdig_secure_drift_policy" "policy_1" { enabled = true severity = 4 + rule { + description = "Test Drift Rule Description" + enabled = true + + exceptions { + items = ["/usr/bin/sh"] + } + prohibited_binaries { + items = ["/usr/bin/curl"] + } + } + + actions { + prevent_drift = true + } + +} + +data "sysdig_secure_drift_policy" "policy_2" { + name = sysdig_secure_drift_policy.policy_1.name + depends_on = [sysdig_secure_drift_policy.policy_1] +} +`, name, name) +} + +func driftPolicyWithUseRegexDataSource(name string) string { + return fmt.Sprintf(` +resource "sysdig_secure_drift_policy" "policy_1" { + name = "Test Drift Policy %s" + description = "Test Drift Policy Description %s" + enabled = true + severity = 4 + rule { description = "Test Drift Rule Description" enabled = true 
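Review bot: The two steps added to TestAccDriftPolicyDataSource (`driftPolicyWithUseRegexDataSource` and `driftPolicyWithProcessExceptionsDataSource`) only apply a config and carry no `Check`, so the test passes even if `use_regex` or the process-based lists never make it back through the data source read path. Assuming the file uses helper/resource like the surrounding steps, something like `Check: resource.TestCheckResourceAttr("data.sysdig_secure_drift_policy.policy_2", "rule.0.use_regex", "true")` on the regex step, and the equivalent item checks on the process-based step, would turn these into real round-trip tests. The same applies to the `driftPolicyWithProcessBasedAndRegexEnabled` step added to TestAccDriftPolicy in sysdig/resource_sysdig_secure_drift_policy_test.go.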
@@ -76,3 +115,37 @@ data "sysdig_secure_drift_policy" "policy_2" { } `, name, name) } + +func driftPolicyWithProcessExceptionsDataSource(name string) string { + return fmt.Sprintf(` +resource "sysdig_secure_drift_policy" "policy_1" { + name = "Test Drift Policy %s" + description = "Test Drift Policy Description %s" + enabled = true + severity = 4 + + rule { + description = "Test Drift Rule Description" + enabled = true + mounted_volume_drift_enabled = true + + process_based_exceptions { + items = ["/usr/bin/curl"] + } + process_based_prohibited_binaries { + items = ["/usr/bin/sh"] + } + } + + actions { + prevent_drift = true + } + +} + +data "sysdig_secure_drift_policy" "policy_2" { + name = sysdig_secure_drift_policy.policy_1.name + depends_on = [sysdig_secure_drift_policy.policy_1] +} +`, name, name) +} diff --git a/sysdig/resource_sysdig_secure_drift_policy_test.go b/sysdig/resource_sysdig_secure_drift_policy_test.go index c4091119e..17fdad509 100644 --- a/sysdig/resource_sysdig_secure_drift_policy_test.go +++ b/sysdig/resource_sysdig_secure_drift_policy_test.go @@ -42,6 +42,9 @@ func TestAccDriftPolicy(t *testing.T) { { Config: driftPolicyWithMountedVolumeDriftEnabled(rText()), }, + { + Config: driftPolicyWithProcessBasedAndRegexEnabled(rText()), + }, }, }) } @@ -67,6 +70,9 @@ resource "sysdig_secure_drift_policy" "sample" { prohibited_binaries { items = ["/usr/bin/curl"] } + process_based_exceptions { + items = ["/usr/bin/curl"] + } } actions { @@ -93,7 +99,6 @@ resource "sysdig_secure_drift_policy" "sample" { description = "Test Drift Rule Description" enabled = true - use_regex = true exceptions { items = ["/usr/bin/sh"] @@ -103,9 +108,6 @@ resource "sysdig_secure_drift_policy" "sample" { } process_based_exceptions { items = ["/usr/bin/curl"] - } - process_based_prohibited_binaries { - items = ["/usr/bin/sh"] } } 
@@ -139,7 +141,6 @@ resource "sysdig_secure_drift_policy" "sample" { description = "Test Drift Rule Description" enabled = true - use_regex = true exceptions { items = ["/usr/bin/sh"] @@ -182,9 +183,6 @@ resource "sysdig_secure_drift_policy" "sample" { process_based_exceptions { items = ["/usr/bin/curl"] } - process_based_prohibited_binaries { - items = ["/usr/bin/sh"] - } } actions { @@ -232,10 +230,40 @@ resource "sysdig_secure_drift_policy" "sample" { rule { description = "Test Drift Rule Description" + mounted_volume_drift_enabled = true enabled = true + + exceptions { + items = ["/usr/bin/sh"] + } + prohibited_binaries { + items = ["/usr/bin/curl"] + } + process_based_exceptions { + items = ["/usr/bin/curl"] + } + } +} + `, name) +} + +func driftPolicyWithProcessBasedAndRegexEnabled(name string) string { + return fmt.Sprintf(` +resource "sysdig_secure_drift_policy" "sample" { + + name = "Test Drift Policy %s" + description = "Test Drift Policy Description" + enabled = true + severity = 4 + + rule { + description = "Test Drift Rule Description" mounted_volume_drift_enabled = true + enabled = true + use_regex = true + exceptions { items = ["/usr/bin/sh"] } From 9988347f14fa1dd07a3d31ee3688ed7022a5d57a Mon Sep 17 00:00:00 2001 From: ombellare Date: Wed, 16 Jul 2025 11:35:17 -0700 Subject: [PATCH 3/3] Fixed spacing issue --- sysdig/resource_sysdig_secure_drift_policy_test.go | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/sysdig/resource_sysdig_secure_drift_policy_test.go b/sysdig/resource_sysdig_secure_drift_policy_test.go index 17fdad509..5c3346a7f 100644 --- a/sysdig/resource_sysdig_secure_drift_policy_test.go +++ b/sysdig/resource_sysdig_secure_drift_policy_test.go @@ -72,7 +72,7 @@ resource "sysdig_secure_drift_policy" "sample" { } process_based_exceptions { items = ["/usr/bin/curl"] - } + } } actions {
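Review bot: The new `driftPolicyWithProcessBasedAndRegexEnabled` config sets `use_regex = true` but its visible items (`/usr/bin/sh` and similar) are plain paths that behave the same whether or not they are interpreted as regexes, so this step cannot tell a regression in regex handling apart from the literal path. Using at least one item that only makes sense as a pattern, e.g. `items = ["/usr/bin/(sh|bash)"]`, would make the step exercise the feature it is named for. The helper's body continues past the end of the hunk, so the remaining items are not visible here.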