SSPROD-42234 | posture policy - add data source to get policy by id (#…

…515) * add data soucre to get policy by id * add test * add return * remove ibm * fix test * fix * fix * fix test and err handling * add err check * add zohar to codeowner
sysdiglabs · May 30, 2024 · 0b0403f · 0b0403f
1 parent 825f2dd
commit 0b0403f
Show file tree

Hide file tree

Showing 9 changed files with 258 additions and 8 deletions.
diff --git a/CODEOWNERS b/CODEOWNERS
@@ -11,7 +11,7 @@
 *monitor*groupmapping* @shadow649
 
 # policies/rules
-*secure*policy* @kmvachhani @rosenbloomb-sysdig @ombellare @miguelgordo @ivanlysiuk-sysdig @daniel-almeida @jbainbridgesysdig @IvanNik @hila1608 @yaminSapir @chen-shmilovich-sysdig
+*secure*policy* @kmvachhani @rosenbloomb-sysdig @ombellare @miguelgordo @ivanlysiuk-sysdig @daniel-almeida @jbainbridgesysdig @IvanNik @hila1608 @yaminSapir @chen-shmilovich-sysdig @zohar-arad
 
 # internal components
 /sysdig/internal/client/v2/client.go @filiptubic @mbarbieri @draraksysdig

diff --git a/sysdig/data_source_sysdig_secure_posture_policy.go b/sysdig/data_source_sysdig_secure_posture_policy.go
@@ -0,0 +1,130 @@
+package sysdig
+
+import (
+	"context"
+	"strconv"
+	"time"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceSysdigSecurePosturePolicy() *schema.Resource {
+	return &schema.Resource{
+		ReadContext: dataSourceSysdigSecurePosturePolicyRead,
+		Timeouts: &schema.ResourceTimeout{
+			Read: schema.DefaultTimeout(5 * time.Minute),
+		},
+		Schema: map[string]*schema.Schema{
+			SchemaIDKey: {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			SchemaNameKey: {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			SchemaDescriptionKey: {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			SchemaTypeKey: {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			SchemaLinkKey: {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			SchemaMinKubeVersionKey: {
+				Type:     schema.TypeFloat,
+				Computed: true,
+			},
+			SchemaMaxKubeVersionKey: {
+				Type:     schema.TypeFloat,
+				Computed: true,
+			},
+			SchemaIsActiveKey: {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			SchemaPlatformKey: {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			SchemaGroupKey: {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem:     createGroupSchema(1),
+			},
+		},
+	}
+}
+
+func dataSourceSysdigSecurePosturePolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client, err := getPosturePolicyClient(meta.(SysdigClients))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	id, err := strconv.ParseInt(d.Get("id").(string), 10, 64)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	policy, err := client.GetPosturePolicy(ctx, id)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = d.Set(SchemaIDKey, policy.ID)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaNameKey, policy.Name)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaDescriptionKey, policy.Description)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaTypeKey, policy.Type)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaLinkKey, policy.Link)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaMinKubeVersionKey, policy.MinKubeVersion)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaMaxKubeVersionKey, policy.MaxKubeVersion)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaIsActiveKey, policy.IsActive)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = d.Set(SchemaPlatformKey, policy.Platform)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	// Set groups
+	if err := setGroups(d, policy.RequirementsGroup); err != nil {
+		return diag.FromErr(err)
+	}
+
+	d.SetId(policy.ID)
+	return nil
+}
diff --git a/sysdig/data_source_sysdig_secure_posture_policy_test.go b/sysdig/data_source_sysdig_secure_posture_policy_test.go
@@ -0,0 +1,46 @@
+//go:build tf_acc_sysdig_secure
+
+package sysdig_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/draios/terraform-provider-sysdig/sysdig"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+)
+
+func TestAccPosturePolicyDataSource(t *testing.T) {
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: preCheckAnyEnv(t, SysdigSecureApiTokenEnv),
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: `
+				data "sysdig_secure_posture_policy" "policy" {
+					id = 2
+				}`,
+				Check: func(state *terraform.State) error {
+					policyRef := "data.sysdig_secure_posture_policy.policy"
+					s, ok := state.RootModule().Resources[policyRef]
+					if !ok {
+						return fmt.Errorf("%s not found", policyRef)
+					}
+					if s.Primary.ID != "2" {
+						return fmt.Errorf("expected policy ID to be 2")
+					}
+					if s.Primary.Attributes["name"] != "Sysdig Kubernetes" {
+						return fmt.Errorf("expected policy name to be `Sysdig Kubernetes`")
+					}
+					return nil
+				},
+			},
+		},
+	})
+}
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
@@ -979,8 +979,8 @@ type Requirement struct {
 }
 
 type Control struct {
-	Name    string `json:"name,omitempty"`
-	Enabled bool   `json:"enabled,omitempty"`
+	Name   string `json:"name,omitempty"`
+	Status bool   `json:"status,omitempty"`
 }
 
 type CreatePosturePolicy struct {

diff --git a/sysdig/provider.go b/sysdig/provider.go
@@ -245,6 +245,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 			"sysdig_monitor_notification_channel_ibm_event_notification":   dataSourceSysdigMonitorNotificationChannelIBMEventNotification(),
 			"sysdig_monitor_notification_channel_ibm_function":             dataSourceSysdigMonitorNotificationChannelIBMFunction(),
 			"sysdig_monitor_custom_role_permissions":                       dataSourceSysdigMonitorCustomRolePermissions(),
+			"sysdig_secure_posture_policy":                                 dataSourceSysdigSecurePosturePolicy(),
 		},
 		ConfigureContextFunc: p.providerConfigure,
 	}

diff --git a/sysdig/resource_sysdig_secure_posture_policy.go b/sysdig/resource_sysdig_secure_posture_policy.go
@@ -156,7 +156,6 @@ func resourceSysdigSecurePosturePolicy() *schema.Resource {
 			SchemaTypeKey: {
 				Type:     schema.TypeString,
 				Optional: true,
-				Default:  "",
 			},
 			SchemaLinkKey: {
 				Type:     schema.TypeString,
@@ -284,7 +283,9 @@ func resourceSysdigSecurePosturePolicyRead(ctx context.Context, d *schema.Resour
 	if err := setGroups(d, policy.RequirementsGroup); err != nil {
 		return diag.FromErr(err)
 	}
-
+	if err != nil {
+		return diag.FromErr(err)
+	}
 	return nil
 }
 
@@ -356,7 +357,7 @@ func setControls(controls []v2.Control) []interface{} {
 	for _, ctrl := range controls {
 		ctrlData := map[string]interface{}{
 			"name":    ctrl.Name,
-			"enabled": ctrl.Enabled,
+			"enabled": ctrl.Status,
 		}
 		controlsData = append(controlsData, ctrlData)
 	}

diff --git a/website/docs/d/secure_posture_policy.md b/website/docs/d/secure_posture_policy.md
@@ -0,0 +1,71 @@
+---
+subcategory: "Sysdig Secure"
+layout: "sysdig"
+page_title: "Sysdig: sysdig_secure_posture_policy"
+description: |-
+  Retrieves Posture policy by ID.
+---
+
+# Data Source: sysdig_secure_posture_policies
+
+Retrieves the information of all Posture policies.
+
+-> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
+
+## Example Usage
+
+```terraform
+data sysdig_secure_posture_policies policy {
+  id = "454678"
+}
+```
+
+## Argument Reference
+
+- `id` - (Required) The ID of the Posture Policy, eg. `2`
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+- `id` - The ID of the Posture Policy, eg. `452`
+- `name` - The name of the Posture Policy, eg. `CIS Docker Benchmark`
+- `description` - The description of the Posture Poliy,  eg. `CIS Docker Benchmark`
+* `link` - Policy link
+* `type` - Policy type:
+  - AWS - `aws`
+  - GCP - `gcp`
+  - Azure - `azure`
+  - Kubernetes - `kubernetes`
+  - Linux - `linux`
+  - Docker - `docker`
+  - OCI = `oci`
+* `min_kube_version` - Policy minimum Kubernetes version, eg. `1.24`
+* `max_kube_version` - Policy maximum Kubernetes version, eg. `1.26`
+* `is_active` - Policy is active flag (active means policy is published, not active means policy is draft). by default is true.
+* `platform` - Policy platform: 
+    - IKS -     `iks`,
+    - GKE -     `gke`,
+    - Vanilla -  `vanilla`,
+    - AKS -     `aks`,
+    - RKE2 -     `rke2`,
+    - OCP4  -     `ocp4`,
+    - MKE  -      `mke`,
+    - EKS  -     `eks`,
+* `groups` - Group block defines list of groups attached to Policy
+
+### Groups block
+- `id` - The ID of the Group, eg. `15000`
+- `name` - The name of the Posture Policy Group.
+- `description` - The description of the Posture Policy Group.
+- `requirements` - Requirements block defines list of requirements attached to Group
+
+### Requirements block
+- `id` - The ID of the Requirement, eg. `15000`
+- `name` - The name of the Posture Policy Requirement.
+- `description` - The description of the Posture Policy Requirement.
+- `controls` - Controls block defines list of controls linked to requirments
+
+### Controls block
+- `name` - The name of the Posture Control.
+- `enabled` - The 'Control is enabled' flag indicates whether the control will affect the policy evaluation or not. By default, it is set to true
diff --git a/website/docs/index.md b/website/docs/index.md
@@ -261,6 +261,7 @@ When IBM Workload Protection resources are to be created, this authentication mu
 > - `sysdig_current_user`
 > - `sysdig_secure_notification_channel`
 > - `sysdig_secure_posture_policies`
+> - `sysdig_secure_posture_policy`
 
 ###  Others
 * `extra_headers` - (Optional) Defines extra HTTP headers that will be added to the client

diff --git a/website/docs/r/secure_posture_policy.md b/website/docs/r/secure_posture_policy.md
@@ -17,7 +17,7 @@ Creates a Sysdig Secure Posture Policy.
 ```terraform
 resource "sysdig_secure_posture_policy" "example" {
     name = "demo policy"
-    type = "kuberenetes"
+    type = "kubernetes"
     platform = "vanilla"
     max_kube_version = 2.0
     description = "demo create policy from terraform"
@@ -65,7 +65,7 @@ resource "sysdig_secure_posture_policy" "example" {
   - Kubernetes - `kubernetes`
   - Linux - `linux`
   - Docker - `docker`
-  - OCI = `oci`
+  - OCI - `oci`
 * `min_kube_version` -  (Optional) Policy minimum Kubernetes version, eg. `1.24`
 * `max_kube_version` -  (Optional) Policy maximum Kubernetes version, eg. `1.26`
 * `is_active` -  (Optional) Policy is active flag (active means policy is published, not active means policy is draft). by default is true.