feat(secure-policies): support new fields in drift policy (#656)

* Add support for additional secure drift policy fields

* Address review comments

* Fixed spacing issue

---------

Co-authored-by: Fede Barcelona <[email protected]>

Author: ombellare

sysdig/data_source_sysdig_secure_drift_policy.go

@@ -47,15 +47,18 @@ func createDriftPolicyDataSourceSchema() map[string]*schema.Schema {
 			Computed: true,
 			Elem: &schema.Resource{
 				Schema: map[string]*schema.Schema{
-					"id":                           ReadOnlyIntSchema(),
-					"name":                         ReadOnlyStringSchema(),
-					"description":                  DescriptionComputedSchema(),
-					"tags":                         TagsSchema(),
-					"version":                      VersionSchema(),
-					"enabled":                      BoolComputedSchema(),
-					"exceptions":                   ExceptionsComputedSchema(),
-					"prohibited_binaries":          ExceptionsComputedSchema(),
-					"mounted_volume_drift_enabled": BoolComputedSchema(),
+					"id":                                ReadOnlyIntSchema(),
+					"name":                              ReadOnlyStringSchema(),
+					"description":                       DescriptionComputedSchema(),
+					"tags":                              TagsSchema(),
+					"version":                           VersionSchema(),
+					"enabled":                           BoolComputedSchema(),
+					"exceptions":                        ExceptionsComputedSchema(),
+					"prohibited_binaries":               ExceptionsComputedSchema(),
+					"process_based_exceptions":          ExceptionsComputedSchema(),
+					"process_based_prohibited_binaries": ExceptionsComputedSchema(),
+					"mounted_volume_drift_enabled":      BoolComputedSchema(),
+					"use_regex":                         BoolComputedSchema(),
 				},
 			},
 		},

sysdig/data_source_sysdig_secure_drift_policy_test.go

@@ -32,6 +32,12 @@ func TestAccDriftPolicyDataSource(t *testing.T) {
 			{
 				Config: driftPolicyDataSource(rText),
 			},
+			{
+				Config: driftPolicyWithUseRegexDataSource(rText),
+			},
+			{
+				Config: driftPolicyWithProcessExceptionsDataSource(rText),
+			},
 		},
 	})
 }
@@ -47,13 +53,96 @@ resource "sysdig_secure_drift_policy" "policy_1" {
   rule {
     description = "Test Drift Rule Description"
     enabled = true
+    mounted_volume_drift_enabled = true
+    use_regex = true
 
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
+    process_based_exceptions {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
+  }
+
+  actions {
+    prevent_drift = true
+  }
+
+}
+	
+data "sysdig_secure_drift_policy" "policy_2" {
+  name       = sysdig_secure_drift_policy.policy_1.name
+  depends_on = [sysdig_secure_drift_policy.policy_1]
+}
+`, name, name)
+}
+
+func driftPolicyWithUseRegexDataSource(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "policy_1" {
+  name        = "Test Drift Policy %s"
+  description = "Test Drift Policy Description %s"
+  enabled     = true
+  severity    = 4
+
+  rule {
+    description = "Test Drift Rule Description"
+    enabled = true
+    mounted_volume_drift_enabled = true
+    use_regex = true
+
+    exceptions {
+      items = ["/usr/bin/sh"]
+    }
+    prohibited_binaries {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_exceptions {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
+  }
+
+  actions {
+    prevent_drift = true
+  }
+
+}
+	
+data "sysdig_secure_drift_policy" "policy_2" {
+  name       = sysdig_secure_drift_policy.policy_1.name
+  depends_on = [sysdig_secure_drift_policy.policy_1]
+}
+`, name, name)
+}
+
+func driftPolicyWithProcessExceptionsDataSource(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "policy_1" {	
+  name        = "Test Drift Policy %s"
+  description = "Test Drift Policy Description %s"
+  enabled     = true
+  severity    = 4
+
+  rule {
+    description = "Test Drift Rule Description"
+    enabled = true
+	mounted_volume_drift_enabled = true
+
+    process_based_exceptions {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
   }
 
   actions {

sysdig/data_source_sysdig_secure_malware_policy.go

@@ -57,8 +57,11 @@ func createMalwarePolicyDataSourceSchema() map[string]*schema.Schema {
 					"tags":               TagsSchema(),
 					"version":            VersionSchema(),
 					"use_managed_hashes": BoolComputedSchema(),
-					"additional_hashes":  HashesComputedSchema(),
-					"ignore_hashes":      HashesComputedSchema(),
+					"use_yara_rules":     BoolComputedSchema(),
+					"additional_hashes":  StringListComputedSchema(),
+					"ignore_hashes":      StringListComputedSchema(),
+					"use_regex":          BoolComputedSchema(),
+					"ignore_paths":       StringListComputedSchema(),
 				},
 			},
 		},

sysdig/data_source_sysdig_secure_malware_policy_test.go

@@ -49,13 +49,15 @@ resource "sysdig_secure_malware_policy" "policy_1" {
 
     use_managed_hashes = true
 
-    additional_hashes {
-      hash         = "304ef4cdda3463b24bf53f9cdd69ad3ecdab0842e7e70e2f3cfbb9f14e1c4ae6"
-    }
+    additional_hashes = [
+      "304ef4cdda3463b24bf53f9cdd69ad3ecdab0842e7e70e2f3cfbb9f14e1c4ae6",
+      "304ef4cdda3463b24bf53f9cdd69ad3ecdab0842e7e70e2f3cfbb9f14e1c4ae7"
+    ]
 
-    ignore_hashes {
-      hash         = "6ac3c336e4094835293a3fed8a4b5fedde1b5e2626d9838fed50693bba00af0e"
-    }
+    ignore_hashes = [
+      "6ac3c336e4094835293a3fed8a4b5fedde1b5e2626d9838fed50693bba00af0e",
+      "6ac3c336e4094835293a3fed8a4b5fedde1b5e2626d9838fed50693bba00af0f"
+    ]
   }
 
   actions {

sysdig/internal/client/v2/model.go

@@ -397,8 +397,11 @@ func (p MLRuleDetails) GetRuleType() ElementType {
 type MalwareRuleDetails struct {
 	RuleType         ElementType         `json:"ruleType"`
 	UseManagedHashes bool                `json:"useManagedHashes"`
+	UseYaraRules     bool                `json:"usePolymorphicRules"`
 	AdditionalHashes map[string][]string `json:"additionalHashes"`
 	IgnoreHashes     map[string][]string `json:"ignoreHashes"`
+	UseRegex         bool                `json:"useRegex"`
+	IgnorePaths      map[string][]string `json:"ignorePaths"`
 	Details          `json:"-"`
 }
 
@@ -419,6 +422,7 @@ type DriftRuleDetails struct {
 	ProhibitedBinaries        *RuntimePolicyRuleList `json:"prohibitedBinaries"`
 	Mode                      string                 `json:"mode"`
 	MountedVolumeDriftEnabled bool                   `json:"mountedVolumeDriftEnabled"`
+	UseRegex                  bool                   `json:"useRegex"`
 	Details                   `json:"-"`
 }
 

sysdig/resource_sysdig_secure_drift_policy.go

@@ -67,6 +67,7 @@ func resourceSysdigSecureDriftPolicy() *schema.Resource {
 						"process_based_exceptions":          ExceptionsSchema(),
 						"process_based_prohibited_binaries": ExceptionsSchema(),
 						"mounted_volume_drift_enabled":      BoolSchema(),
+						"use_regex":                         BoolSchema(),
 					},
 				},
 			},

sysdig/resource_sysdig_secure_drift_policy_test.go

@@ -42,6 +42,9 @@ func TestAccDriftPolicy(t *testing.T) {
 			{
 				Config: driftPolicyWithMountedVolumeDriftEnabled(rText()),
 			},
+			{
+				Config: driftPolicyWithProcessBasedAndRegexEnabled(rText()),
+			},
 		},
 	})
 }
@@ -67,9 +70,6 @@ resource "sysdig_secure_drift_policy" "sample" {
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
-      items = ["/usr/bin/curl"]
-	} 
   }
 
   actions {
@@ -96,16 +96,20 @@ resource "sysdig_secure_drift_policy" "sample" {
     description = "Test Drift Rule Description"
 
     enabled = true
+    use_regex = true
 
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    } 
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
   }
 
   actions {
@@ -138,16 +142,17 @@ resource "sysdig_secure_drift_policy" "sample" {
     description = "Test Drift Rule Description"
 
     enabled = true
+    use_regex = true
 
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    } 
   }
 
   actions {}
@@ -177,9 +182,12 @@ resource "sysdig_secure_drift_policy" "sample" {
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    }
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
   }
 
   actions {
@@ -227,19 +235,25 @@ resource "sysdig_secure_drift_policy" "sample" {
 
   rule {
     description = "Test Drift Rule Description"
-    mounted_volume_drift_enabled = true
+
     enabled = true
+    mounted_volume_drift_enabled = true
 
+    enabled = true
+    
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	  process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
     }
-	} 
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
+  }
 }
   `, name)
 }

sysdig/resource_sysdig_secure_malware_policy.go

@@ -54,6 +54,7 @@ func resourceSysdigSecureMalwarePolicy() *schema.Resource {
 			"rule": {
 				Type:     schema.TypeList,
 				Required: true,
+				MaxItems: 1,
 				Elem: &schema.Resource{
 					Schema: map[string]*schema.Schema{
 						"id":   ReadOnlyIntSchema(),
@@ -64,8 +65,11 @@ func resourceSysdigSecureMalwarePolicy() *schema.Resource {
 						"tags":               TagsSchema(),
 						"version":            VersionSchema(),
 						"use_managed_hashes": BoolSchema(),
-						"additional_hashes":  HashesSchema(),
-						"ignore_hashes":      HashesSchema(),
+						"use_yara_rules":     BoolSchema(),
+						"additional_hashes":  StringListSchema(),
+						"ignore_hashes":      StringListSchema(),
+						"use_regex":          BoolSchema(),
+						"ignore_paths":       StringListSchema(),
 					},
 				},
 			},