diff --git a/sysdig/data_source_sysdig_secure_drift_policy.go b/sysdig/data_source_sysdig_secure_drift_policy.go
index e42cf80f8..77094c52b 100644
--- a/sysdig/data_source_sysdig_secure_drift_policy.go
+++ b/sysdig/data_source_sysdig_secure_drift_policy.go
@@ -47,14 +47,15 @@ func createDriftPolicyDataSourceSchema() map[string]*schema.Schema {
 Computed: true,
 Elem: &schema.Resource{
 Schema: map[string]*schema.Schema{
- "id": ReadOnlyIntSchema(),
- "name": ReadOnlyStringSchema(),
- "description": DescriptionComputedSchema(),
- "tags": TagsSchema(),
- "version": VersionSchema(),
- "enabled": BoolComputedSchema(),
- "exceptions": ExceptionsComputedSchema(),
- "prohibited_binaries": ExceptionsComputedSchema(),
+ "id": ReadOnlyIntSchema(),
+ "name": ReadOnlyStringSchema(),
+ "description": DescriptionComputedSchema(),
+ "tags": TagsSchema(),
+ "version": VersionSchema(),
+ "enabled": BoolComputedSchema(),
+ "exceptions": ExceptionsComputedSchema(),
+ "prohibited_binaries": ExceptionsComputedSchema(),
+ "mounted_volume_drift_enabled": BoolComputedSchema(),
 },
 },
 },
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
index 106eed0df..17047bbf8 100644
--- a/sysdig/internal/client/v2/model.go
+++ b/sysdig/internal/client/v2/model.go
@@ -426,13 +426,14 @@ type RuntimePolicyRuleList struct {
 }
 
 type DriftRuleDetails struct {
- RuleType ElementType `json:"ruleType"`
- Exceptions *RuntimePolicyRuleList `json:"exceptionList"`
- ProcessBasedExceptions *RuntimePolicyRuleList `json:"allowlistProcess"`
- ProcessBasedDenylist *RuntimePolicyRuleList `json:"denylistProcess"`
- ProhibitedBinaries *RuntimePolicyRuleList `json:"prohibitedBinaries"`
- Mode string `json:"mode"`
- Details `json:"-"`
+ RuleType ElementType `json:"ruleType"`
+ Exceptions *RuntimePolicyRuleList `json:"exceptionList"`
+ ProcessBasedExceptions *RuntimePolicyRuleList `json:"allowlistProcess"`
+ ProcessBasedDenylist *RuntimePolicyRuleList `json:"denylistProcess"`
+ ProhibitedBinaries *RuntimePolicyRuleList `json:"prohibitedBinaries"`
+ Mode string `json:"mode"`
+ MountedVolumeDriftEnabled bool `json:"mountedVolumeDriftEnabled"`
+ Details `json:"-"`
 }
 
 func (p DriftRuleDetails) GetRuleType() ElementType {
diff --git a/sysdig/resource_sysdig_secure_drift_policy.go b/sysdig/resource_sysdig_secure_drift_policy.go
index 6d869dc7e..7927a6eca 100644
--- a/sysdig/resource_sysdig_secure_drift_policy.go
+++ b/sysdig/resource_sysdig_secure_drift_policy.go
@@ -66,6 +66,7 @@ func resourceSysdigSecureDriftPolicy() *schema.Resource {
 "prohibited_binaries": ExceptionsSchema(),
 "process_based_exceptions": ExceptionsSchema(),
 "process_based_prohibited_binaries": ExceptionsSchema(),
+ "mounted_volume_drift_enabled": BoolSchema(),
 },
 },
 },
diff --git a/sysdig/resource_sysdig_secure_drift_policy_test.go b/sysdig/resource_sysdig_secure_drift_policy_test.go
index 0ff56faff..8916f1f3d 100644
--- a/sysdig/resource_sysdig_secure_drift_policy_test.go
+++ b/sysdig/resource_sysdig_secure_drift_policy_test.go
@@ -39,6 +39,9 @@ func TestAccDriftPolicy(t *testing.T) {
 {
 Config: driftPolicyWithoutExceptions(rText()),
 },
+ {
+ Config: driftPolicyWithMountedVolumeDriftEnabled(rText()),
+ },
 },
 })
 }
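Review bot: `MountedVolumeDriftEnabled bool` carries no `omitempty`, so every policy write from this provider now sends `mountedVolumeDriftEnabled: false` whenever the config leaves the attribute unset; for a detection control that is the safer choice (the backend never keeps a stale `true`), but it is a deliberate contract and deserves a comment on the field, e.g. `// No omitempty on purpose: false is sent explicitly so an unset attribute disables the check rather than leaving the server-side value untouched.` Whether a backend that does not know this field rejects or ignores it is not visible here and should be confirmed against the API version the provider targets.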
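Review bot: The new `"mounted_volume_drift_enabled": BoolSchema()` entry relies on a helper defined outside this hunk, so it is not visible whether the attribute is `Optional` with `Default: false` as the documentation hunk promises ("Optional … default value is false"). If the helper is `Optional` without a default, every existing policy whose backend value is `true` would show a plan diff and be flipped off on the next apply without the operator ever writing the attribute; if it is `Required`, the other test configs in this PR (which omit the attribute) would fail to plan. Confirm the helper, or declare the attribute inline so the contract is explicit: `"mounted_volume_drift_enabled": {Type: schema.TypeBool, Optional: true, Default: false},`.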
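Review bot: The new step `Config: driftPolicyWithMountedVolumeDriftEnabled(rText())` has no `Check`, so the acceptance test passes as long as the apply succeeds, even if the flag is dropped on the way to the API or never read back into state — exactly the regression that would silently leave mounted-volume drift detection off. Add `Check: resource.TestCheckResourceAttr("sysdig_secure_drift_policy.sample", "rule.0.mounted_volume_drift_enabled", "true"),` to the step (assuming the SDK's `resource` package is already in scope, as the `Steps`/`Config` structure suggests). The enclosing `TestAccDriftPolicy` starts before this hunk.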
@@ -212,3 +215,31 @@ resource "sysdig_secure_drift_policy" "sample" {
 `, secureNotificationChannelEmailWithName(name), name)
 }
+
+func driftPolicyWithMountedVolumeDriftEnabled(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "sample" {
+
+ name = "Test Drift Policy %s"
+ description = "Test Drift Policy Description"
+ enabled = true
+ severity = 4
+
+ rule {
+ description = "Test Drift Rule Description"
+ mounted_volume_drift_enabled = true
+ enabled = true
+
+ exceptions {
+ items = ["/usr/bin/sh"]
+ }
+ prohibited_binaries {
+ items = ["/usr/bin/curl"]
+ }
+ process_based_exceptions {
+ items = ["/usr/bin/curl"]
+ }
+ }
+}
+ `, name)
+}
diff --git a/sysdig/tfresource.go b/sysdig/tfresource.go
index b872f0c10..06145fe2a 100644
--- a/sysdig/tfresource.go
+++ b/sysdig/tfresource.go
@@ -209,12 +209,13 @@ func setTFResourcePolicyRulesDrift(d *schema.ResourceData, policy v2.PolicyRules
 enabled := (mode != "disabled")
 
 ruleMap := map[string]interface{}{
- "id": rule.Id,
- "name": rule.Name,
- "description": rule.Description,
- "version": rule.Version,
- "tags": rule.Tags,
- "enabled": enabled,
+ "id": rule.Id,
+ "name": rule.Name,
+ "description": rule.Description,
+ "version": rule.Version,
+ "tags": rule.Tags,
+ "enabled": enabled,
+ "mounted_volume_drift_enabled": driftDetails.MountedVolumeDriftEnabled,
 }
 
 if exceptionsBlock != nil {
@@ -495,18 +496,21 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData
 mode = "disabled"
 }
 
+ mountedVolumeDriftEnabled := d.Get("rule.0.mounted_volume_drift_enabled").(bool)
+
 rule := &v2.RuntimePolicyRule{
 // TODO: Do not hardcode the indexes
 Name: d.Get("rule.0.name").(string),
 Description: d.Get("rule.0.description").(string),
 Tags: tags,
 Details: v2.DriftRuleDetails{
- RuleType: v2.ElementType(driftElementType), // TODO: Use const
- Mode: mode,
- Exceptions: &exceptions,
- ProhibitedBinaries: &prohibitedBinaries,
- ProcessBasedExceptions: &processBasedExceptions,
- ProcessBasedDenylist: &processBasedProhibitedBinaries,
+ RuleType: v2.ElementType(driftElementType), // TODO: Use const
+ Mode: mode,
+ Exceptions: &exceptions,
+ ProhibitedBinaries: &prohibitedBinaries,
+ ProcessBasedExceptions: &processBasedExceptions,
+ ProcessBasedDenylist: &processBasedProhibitedBinaries,
+ MountedVolumeDriftEnabled: mountedVolumeDriftEnabled,
 },
 }
 
diff --git a/website/docs/r/secure_drift_policy.md b/website/docs/r/secure_drift_policy.md
index 5f4afd7f6..45419233d 100644
--- a/website/docs/r/secure_drift_policy.md
+++ b/website/docs/r/secure_drift_policy.md
@@ -122,6 +122,7 @@ The rule block is required and supports:
 * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
 * `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file
 * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
+* `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled.
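Review bot: The new local `mountedVolumeDriftEnabled` is assigned once and used once, while the sibling fields (`Name`, `Description`) call `d.Get(...)` inline in the literal; for consistency drop the two added lines above `rule :=` and write `MountedVolumeDriftEnabled: d.Get("rule.0.mounted_volume_drift_enabled").(bool),` inside `Details`. The unchecked `.(bool)` assertion is only safe if the attribute's schema is `TypeBool` — `BoolSchema()` is defined elsewhere, so confirm that before relying on it. The function body starts before this hunk, and the existing `// TODO: Do not hardcode the indexes` now covers one more hard-coded `rule.0.` key.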