feat(legacy scanning policies and assignments): Add scanning policies and assignments for legacy engine (#248)

* Add old scanning engine policies resource

* added scanning policies acctests

* Adding Scanning Policy Assignment support for terraform provider

* Adding scanning policy and scanning policy assignment docs

* fix policy assingment url

* corrected scanning policy assignment acctest

* removed unused acctest from scanning policy assignments

* adding expected plan for scanning policy assignment

* removing expected plan for scanning policy assignment

* simplying acctest for scanning policy assignment

* Update sysdig/resource_sysdig_secure_scanningpolicies.go

Co-authored-by: Ben Lucas <[email protected]>

---------

Co-authored-by: Ben Lucas <[email protected]>

Author: ctolon22

sysdig/internal/client/secure/client.go

@@ -63,6 +63,15 @@ type SysdigSecureClient interface {
 	GetBenchmarkTask(context.Context, string) (*BenchmarkTask, error)
 	DeleteBenchmarkTask(context.Context, string) error
 	SetBenchmarkTaskEnabled(context.Context, string, bool) error
+
+	CreateScanningPolicy(context.Context, ScanningPolicy) (ScanningPolicy, error)
+	GetScanningPolicyById(context.Context, string) (ScanningPolicy, error)
+	DeleteScanningPolicyById(context.Context, string) error
+	UpdateScanningPolicyById(context.Context, ScanningPolicy) (ScanningPolicy, error)
+
+	CreateScanningPolicyAssignmentList(context.Context, ScanningPolicyAssignmentList) (ScanningPolicyAssignmentList, error)
+	GetScanningPolicyAssignmentList(context.Context) (ScanningPolicyAssignmentList, error)
+	DeleteScanningPolicyAssignmentList(context.Context, ScanningPolicyAssignmentList) error
 }
 
 func WithExtraHeaders(client SysdigSecureClient, extraHeaders map[string]string) SysdigSecureClient {

sysdig/internal/client/secure/models.go

@@ -417,3 +417,68 @@ func BenchmarkTaskFromJSON(body []byte) *BenchmarkTask {
 
 	return &result
 }
+
+// -------- Scanning Policies --------
+type ScanningPolicy struct {
+	ID             string         `json:"id,omitempty"`
+	Version        string         `json:"version,omitempty"`
+	Name           string         `json:"name"`
+	Comment        string         `json:"comment"`
+	IsDefault      bool           `json:"isDefault,omitempty"`
+	PolicyBundleId string         `json:"policyBundleId,omitempty"`
+	Rules          []ScanningGate `json:"rules"`
+}
+
+type ScanningGate struct {
+	ID      string              `json:"id,omitempty"`
+	Gate    string              `json:"gate"`
+	Trigger string              `json:"trigger"`
+	Action  string              `json:"action"`
+	Params  []ScanningGateParam `json:"params"`
+}
+
+type ScanningGateParam struct {
+	Name  string `json:"name"`
+	Value string `json:"value"`
+}
+
+func (policy *ScanningPolicy) ToJSON() io.Reader {
+	payload, _ := json.Marshal(policy)
+	return bytes.NewBuffer(payload)
+}
+
+func ScanningPolicyFromJSON(body []byte) (result ScanningPolicy) {
+	_ = json.Unmarshal(body, &result)
+	return result
+}
+
+// -------- Scanning Policy Assignments --------
+type ScanningPolicyAssignmentList struct {
+	Items          []ScanningPolicyAssignment `json:"items"`
+	PolicyBundleId string                     `json:"policyBundleId"`
+}
+
+type ScanningPolicyAssignment struct {
+	ID           string                        `json:"id,omitempty"`
+	Name         string                        `json:"name"`
+	Registry     string                        `json:"registry"`
+	Repository   string                        `json:"repository"`
+	Image        ScanningPolicyAssignmentImage `json:"image"`
+	PolicyIDs    []string                      `json:"policy_ids"`
+	WhitelistIDs []string                      `json:"whitelist_ids"`
+}
+
+type ScanningPolicyAssignmentImage struct {
+	Type  string `json:"type"`
+	Value string `json:"value"`
+}
+
+func (policy *ScanningPolicyAssignmentList) ToJSON() io.Reader {
+	payload, _ := json.Marshal(policy)
+	return bytes.NewBuffer(payload)
+}
+
+func ScanningPolicyAssignmentFromJSON(body []byte) (result ScanningPolicyAssignmentList) {
+	_ = json.Unmarshal(body, &result)
+	return result
+}

sysdig/internal/client/secure/scanningpolicies.go

@@ -0,0 +1,146 @@
+package secure
+
+import (
+	"context"
+	"fmt"
+	"io"
+	"net/http"
+)
+
+func (client *sysdigSecureClient) scanningPoliciesURL() string {
+	return fmt.Sprintf("%s/api/scanning/v1/policies", client.URL)
+}
+
+func (client *sysdigSecureClient) scanningPolicyAssignmentURL() string {
+	return fmt.Sprintf("%s/api/scanning/v1/mappings?bundleId=default", client.URL)
+}
+
+func (client *sysdigSecureClient) scanningPolicyURL(scanningPolicyId string) string {
+	return fmt.Sprintf("%s/api/scanning/v1/policies/%s", client.URL, scanningPolicyId)
+}
+
+// Scanning Policies
+
+func (client *sysdigSecureClient) CreateScanningPolicy(ctx context.Context, scanningPolicyRequest ScanningPolicy) (scanningPolicy ScanningPolicy, err error) {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodPost, client.scanningPoliciesURL(), scanningPolicyRequest.ToJSON())
+	if err != nil {
+		return
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		err = errorFromResponse(response)
+		return
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return
+	}
+
+	return ScanningPolicyFromJSON(body), nil
+}
+
+func (client *sysdigSecureClient) GetScanningPolicyById(ctx context.Context, scanningPolicyID string) (scanningPolicy ScanningPolicy, err error) {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodGet, client.scanningPolicyURL(scanningPolicyID), nil)
+	if err != nil {
+		return
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return ScanningPolicy{}, errorFromResponse(response)
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return
+	}
+	return ScanningPolicyFromJSON(body), nil
+}
+
+func (client *sysdigSecureClient) UpdateScanningPolicyById(ctx context.Context, scanningPolicyRequest ScanningPolicy) (scanningPolicy ScanningPolicy, err error) {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodPut, client.scanningPolicyURL(scanningPolicyRequest.ID), scanningPolicyRequest.ToJSON())
+	if err != nil {
+		return
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return ScanningPolicy{}, errorFromResponse(response)
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return
+	}
+	return ScanningPolicyFromJSON(body), nil
+}
+
+func (client *sysdigSecureClient) DeleteScanningPolicyById(ctx context.Context, scanningPolicyID string) error {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodDelete, client.scanningPolicyURL(scanningPolicyID), nil)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusNoContent && response.StatusCode != http.StatusOK {
+		return errorFromResponse(response)
+	}
+
+	return err
+}
+
+// Scanning Policy Assignments
+
+func (client *sysdigSecureClient) CreateScanningPolicyAssignmentList(ctx context.Context, scanningPolicyAssignmentRequest ScanningPolicyAssignmentList) (scanningPolicyAssignmentList ScanningPolicyAssignmentList, err error) {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodPut, client.scanningPolicyAssignmentURL(), scanningPolicyAssignmentRequest.ToJSON())
+	if err != nil {
+		return
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		err = errorFromResponse(response)
+		return
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return
+	}
+
+	return ScanningPolicyAssignmentFromJSON(body), nil
+}
+
+func (client *sysdigSecureClient) DeleteScanningPolicyAssignmentList(ctx context.Context, scanningPolicyAssignmentList ScanningPolicyAssignmentList) error {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodPut, client.scanningPolicyAssignmentURL(), scanningPolicyAssignmentList.ToJSON())
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusNoContent && response.StatusCode != http.StatusOK {
+		return errorFromResponse(response)
+	}
+
+	return err
+}
+
+func (client *sysdigSecureClient) GetScanningPolicyAssignmentList(ctx context.Context) (scanningPolicyAssignmentList ScanningPolicyAssignmentList, err error) {
+	response, err := client.doSysdigSecureRequest(ctx, http.MethodGet, client.scanningPolicyAssignmentURL(), nil)
+	if err != nil {
+		return
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return ScanningPolicyAssignmentList{}, errorFromResponse(response)
+	}
+
+	body, err := io.ReadAll(response.Body)
+	if err != nil {
+		return
+	}
+	return ScanningPolicyAssignmentFromJSON(body), nil
+}

sysdig/provider.go

@@ -72,6 +72,8 @@ func Provider() *schema.Provider {
 			"sysdig_secure_vulnerability_exception_list":   resourceSysdigSecureVulnerabilityExceptionList(),
 			"sysdig_secure_cloud_account":                  resourceSysdigSecureCloudAccount(),
 			"sysdig_secure_benchmark_task":                 resourceSysdigSecureBenchmarkTask(),
+			"sysdig_secure_scanning_policy":                resourceSysdigSecureScanningPolicy(),
+			"sysdig_secure_scanning_policy_assignment":     resourceSysdigSecureScanningPolicyAssignment(),
 
 			"sysdig_monitor_alert_downtime":                 resourceSysdigMonitorAlertDowntime(),
 			"sysdig_monitor_alert_metric":                   resourceSysdigMonitorAlertMetric(),