From 43a039fcc893afc9bfbca22c1d6747a3fd34dd8e Mon Sep 17 00:00:00 2001
From: kmvachhani <63314936+kmvachhani@users.noreply.github.com>
Date: Fri, 26 Jan 2024 10:01:18 -0800
Subject: [PATCH] add support for awscloudtrail, okta, and github rules and policies (#473)

* add support for awscloudtrail, okta, and github rules and policies
---
 sysdig/resource_sysdig_secure_policy.go | 2 +-
 sysdig/resource_sysdig_secure_policy_test.go | 42 +++++++
 sysdig/resource_sysdig_secure_rule_falco.go | 2 +-
 .../resource_sysdig_secure_rule_falco_test.go | 105 ++++++++++++++++++
 website/docs/d/secure_custom_policy.md | 2 +-
 website/docs/d/secure_managed_policy.md | 2 +-
 website/docs/d/secure_managed_ruleset.md | 2 +-
 website/docs/r/secure_custom_policy.md | 2 +-
 website/docs/r/secure_managed_policy.md | 2 +-
 website/docs/r/secure_managed_ruleset.md | 4 +-
 website/docs/r/secure_policy.md | 2 +-
 website/docs/r/secure_rule_falco.md | 4 +-
 12 files changed, 159 insertions(+), 12 deletions(-)

diff --git a/sysdig/resource_sysdig_secure_policy.go b/sysdig/resource_sysdig_secure_policy.go
index a00add26..1bf50eea 100644
--- a/sysdig/resource_sysdig_secure_policy.go
+++ b/sysdig/resource_sysdig_secure_policy.go
@@ -18,7 +18,7 @@ import (
 "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
-var validatePolicyType = validation.StringInSlice([]string{"falco", "list_matching", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs"}, false)
+var validatePolicyType = validation.StringInSlice([]string{"falco", "list_matching", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github"}, false)
 
 // Creates the common policy schema that is shared between policy resources
 func createPolicySchema(original map[string]*schema.Schema) map[string]*schema.Schema {
diff --git a/sysdig/resource_sysdig_secure_policy_test.go b/sysdig/resource_sysdig_secure_policy_test.go
index 014459a5..bb757e26 100644
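Review bot: The new `validatePolicyType` list accepts both `aws_cloudtrail` and `awscloudtrail` with nothing saying which spelling maps to which backend policy type, so a user can pick the wrong one and the provider accepts it silently; whether the API then rejects it or creates a policy of the other kind cannot be told from this page. A comment above the declaration, e.g. `// NOTE: "aws_cloudtrail" and "awscloudtrail" are distinct policy types (TODO: state which Sysdig backend each one targets)`, would keep the ambiguity from propagating into user configs. The same three values are added separately to `validateFalcoRuleSource` in sysdig/resource_sysdig_secure_rule_falco.go, and the two lists already differ in their leading entries, so a cross-reference in the comment, or deriving both from one shared slice of cloud sources, would stop them drifting apart on the next addition.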
--- a/sysdig/resource_sysdig_secure_policy_test.go
+++ b/sysdig/resource_sysdig_secure_policy_test.go
@@ -56,6 +56,15 @@ func TestAccPolicy(t *testing.T) {
 {
 Config: policiesForAzurePlatformlogs(rText()),
 },
+ {
+ Config: policiesForFalcoCloudAWSCloudtrail(rText()),
+ },
+ {
+ Config: policiesForOkta(rText()),
+ },
+ {
+ Config: policiesForGithub(rText()),
+ },
 },
 })
 }
@@ -210,3 +219,36 @@ resource "sysdig_secure_policy" "sample6" {
 }
 `, name, name)
 }
+
+func policiesForFalcoCloudAWSCloudtrail(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_policy" "sample7" {
+ name = "TERRAFORM TEST 4 %s"
+ description = "TERRAFORM TEST %s"
+ type = "awscloudtrail"
+ actions {}
+}
+`, name, name)
+}
+
+func policiesForOkta(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_policy" "sample8" {
+ name = "TERRAFORM TEST 4 %s"
+ description = "TERRAFORM TEST %s"
+ type = "okta"
+ actions {}
+}
+`, name, name)
+}
+
+func policiesForGithub(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_policy" "sample9" {
+ name = "TERRAFORM TEST 4 %s"
+ description = "TERRAFORM TEST %s"
+ type = "github"
+ actions {}
+}
+`, name, name)
+}
diff --git a/sysdig/resource_sysdig_secure_rule_falco.go b/sysdig/resource_sysdig_secure_rule_falco.go
index 2999437b..fe4bdf2e 100644
--- a/sysdig/resource_sysdig_secure_rule_falco.go
+++ b/sysdig/resource_sysdig_secure_rule_falco.go
@@ -18,7 +18,7 @@ import (
 "github.com/spf13/cast"
 )
 
-var validateFalcoRuleSource = validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs"}, false)
+var validateFalcoRuleSource = validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github"}, false)
 
 func resourceSysdigSecureRuleFalco() *schema.Resource {
 timeout := 5 * time.Minute
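Review bot: `policiesForFalcoCloudAWSCloudtrail`, `policiesForOkta` and `policiesForGithub` are the same HCL template three times with only the resource label and `type` differing, which is the shape the earlier `policiesFor...` helpers in this file also appear to follow (their bodies are outside the hunk). A single helper taking the label and type leaves one place to change when the policy schema grows, and the three thin wrappers can stay so the `TestAccPolicy` steps above are untouched. The `%s` verbs are satisfied positionally, so the helper must keep passing `name` twice.
```go
// policiesForType renders a minimal sysdig_secure_policy of the given type;
// label is the Terraform resource label and name the random test suffix.
func policiesForType(label, policyType, name string) string {
	return fmt.Sprintf(`
resource "sysdig_secure_policy" "%s" {
  name = "TERRAFORM TEST 4 %s"
  description = "TERRAFORM TEST %s"
  type = "%s"
  actions {}
}
`, label, name, name, policyType)
}

func policiesForFalcoCloudAWSCloudtrail(name string) string {
	return policiesForType("sample7", "awscloudtrail", name)
}
// … unchanged shape: policiesForOkta -> "sample8"/"okta", policiesForGithub -> "sample9"/"github" …
```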
diff --git a/sysdig/resource_sysdig_secure_rule_falco_test.go b/sysdig/resource_sysdig_secure_rule_falco_test.go
index d75aa3d7..607ffb52 100644
--- a/sysdig/resource_sysdig_secure_rule_falco_test.go
+++ b/sysdig/resource_sysdig_secure_rule_falco_test.go
@@ -94,6 +94,24 @@ func TestAccRuleFalco(t *testing.T) {
 ImportState: true,
 ImportStateVerify: true,
 },
+ {
+ Config: ruleFalcoCloudAWSCloudtrail(randomText),
+ },
+ {
+ Config: ruleFalcoCloudAWSCloudtrailWithAppend(),
+ },
+ {
+ Config: ruleOkta(randomText),
+ },
+ {
+ Config: ruleOktaWithAppend(),
+ },
+ {
+ Config: ruleGithub(randomText),
+ },
+ {
+ Config: ruleGithubWithAppend(),
+ },
 },
 })
 }
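Review bot: The six new steps are `Config`-only, whereas the step immediately above them also runs `ImportState: true, ImportStateVerify: true`, so the read-back of `source = "awscloudtrail"`, `"okta"` and `"github"` from the API is never compared with state — the one thing this commit adds to the schema. An import step after each non-append config, e.g. `{ ResourceName: "sysdig_secure_rule_falco.awscloudtrail", ImportState: true, ImportStateVerify: true },`, would catch a backend that normalises or rejects one of the new spellings. The existing import step's `ResourceName` line is outside the hunk; mirror whatever it uses.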
@@ -271,3 +289,90 @@ resource "sysdig_secure_rule_falco" "terminal_shell" {
 source = "syscall" // syscall or k8s_audit
 }`, name, name)
 }
+
+func ruleFalcoCloudAWSCloudtrail(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "awscloudtrail" {
+ name = "TERRAFORM TEST %[1]s - AWSCloudtrail"
+ description = "TERRAFORM TEST %[1]s"
+ tags = ["awscloudtrail"]
+
+ condition = "ct.name=\"CreateApp\""
+ output = "AWSCloudtrail Event received (requesting user=%%ct.user)"
+ priority = "debug"
+ source = "awscloudtrail"
+}`, name, name)
+}
+
+func ruleFalcoCloudAWSCloudtrailWithAppend() string {
+ return `
+resource "sysdig_secure_rule_falco" "awscloudtrail_append" {
+ name = "Amplify Create App"
+ source = "awscloudtrail"
+ append = true
+ exceptions {
+ name = "user_name"
+ fields = ["ct.user"]
+ comps = ["="]
+ values = jsonencode([ ["user_a"] ])
+ }
+}`
+}
+
+func ruleOkta(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "okta" {
+ name = "TERRAFORM TEST %[1]s - Okta"
+ description = "TERRAFORM TEST %[1]s"
+ tags = ["okta"]
+
+ condition = "okta.evt.type=\"user.account.update_password\""
+ output = "Okta Event received (okta.severity=%%okta.severity)"
+ priority = "debug"
+ source = "okta"
+}`, name, name)
+}
+
+func ruleOktaWithAppend() string {
+ return `
+resource "sysdig_secure_rule_falco" "okta_append" {
+ name = "User changing password in to Okta"
+ source = "okta"
+ append = true
+ exceptions {
+ name = "actor_name"
+ fields = ["okta.actor.name"]
+ comps = ["="]
+ values = jsonencode([ ["user_b"] ])
+ }
+}`
+}
+
+func ruleGithub(name string) string {
+ return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "github" {
+ name = "TERRAFORM TEST %[1]s - Github"
+ description = "TERRAFORM TEST %[1]s"
+ tags = ["github"]
+
+ condition = "github.action=\"delete\""
+ output = "Github Event received (github.user=%%github.user)"
+ priority = "debug"
+ source = "github"
+}`, name, name)
+}
+
+func ruleGithubWithAppend() string {
+ return `
+resource "sysdig_secure_rule_falco" "github_append" {
+ name = "Github Webhook Connected"
+ source = "github"
+ append = true
+ exceptions {
+ name = "user_name"
+ fields = ["github.user"]
+ comps = ["="]
+ values = jsonencode([ ["user_c"] ])
+ }
+}`
+}
diff --git a/website/docs/d/secure_custom_policy.md b/website/docs/d/secure_custom_policy.md
index c2154892..8aed8ee1 100644
--- a/website/docs/d/secure_custom_policy.md
+++ b/website/docs/d/secure_custom_policy.md
@@ -26,7 +26,7 @@ data "sysdig_secure_custom_policy" "example" {
 * `name` - (Required) The name of the Secure custom policy.
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
- `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`. By default it is `falco`.
+ `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
 ## Attributes Reference
diff --git a/website/docs/d/secure_managed_policy.md b/website/docs/d/secure_managed_policy.md
index c1bb0e25..ab8ce6b5 100644
--- a/website/docs/d/secure_managed_policy.md
+++ b/website/docs/d/secure_managed_policy.md
@@ -26,7 +26,7 @@ data "sysdig_secure_managed_policy" "example" {
 * `name` - (Required) The name of the Secure managed policy.
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
- `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`. By default it is `falco`.
+ `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
 ## Attributes Reference
diff --git a/website/docs/d/secure_managed_ruleset.md b/website/docs/d/secure_managed_ruleset.md
index a19fe4f9..479eaecf 100644
--- a/website/docs/d/secure_managed_ruleset.md
+++ b/website/docs/d/secure_managed_ruleset.md
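Review bot: The three `...WithAppend` helpers hard-code rule names such as `"User changing password in to Okta"` that, with `append = true`, must match an existing Sysdig-provided rule verbatim (the secure_rule_falco.md hunk in this same commit says appending works only against Sysdig-provided rules); nothing marks them as such, so `"in to"` reads like a typo waiting to be "fixed", and a renamed managed rule would fail this acceptance test with an unrelated-looking API error. A comment on each, e.g. `// name must match the Sysdig-managed rule exactly; do not "correct" it`, prevents both. In `ruleFalcoCloudAWSCloudtrail`, `ruleOkta` and `ruleGithub` the format strings use only `%[1]s`, so the second `name` argument to `fmt.Sprintf` is unused (vet stops counting arguments once an indexed verb appears); drop it, or use plain `%s` twice as the `terminal_shell` helper above does. The `%%ct.user`, `%%okta.severity` and `%%github.user` doublings exist to get a literal `%` past Sprintf into the Falco output string and deserve a one-line comment as well.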
@@ -26,7 +26,7 @@ data "sysdig_secure_managed_ruleset" "example" {
 * `name` - (Required) The name of the Secure managed ruleset.
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
- `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`. By default it is `falco`.
+ `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
 ## Attributes Reference
diff --git a/website/docs/r/secure_custom_policy.md b/website/docs/r/secure_custom_policy.md
index 5ea0a27e..79c2f8e1 100644
--- a/website/docs/r/secure_custom_policy.md
+++ b/website/docs/r/secure_custom_policy.md
@@ -60,7 +60,7 @@ resource "sysdig_secure_custom_policy" "write_apt_database" {
 * `enabled` - (Optional) Will secure process with this rule?. By default this is true.
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
- `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`. By default it is `falco`.
+ `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
 * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy.
 - - -
diff --git a/website/docs/r/secure_managed_policy.md b/website/docs/r/secure_managed_policy.md
index eff00ea8..ec080f29 100644
--- a/website/docs/r/secure_managed_policy.md
+++ b/website/docs/r/secure_managed_policy.md
@@ -51,7 +51,7 @@ resource "sysdig_secure_managed_policy" "sysdig_runtime_threat_detection" {
 * `name` - (Required) The name of the Secure managed policy. It must match the name of an existing managed policy.
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
- `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`. By default it is `falco`.
+ `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
 * `enabled` - (Optional) Will secure process with this policy?. By default this is true.
diff --git a/website/docs/r/secure_managed_ruleset.md b/website/docs/r/secure_managed_ruleset.md
index 56e3070b..e92c3da2 100644
--- a/website/docs/r/secure_managed_ruleset.md
+++ b/website/docs/r/secure_managed_ruleset.md
@@ -59,7 +59,7 @@ resource "sysdig_secure_managed_ruleset" "sysdig_runtime_threat_detection_manage
 * `enabled` - (Optional) Will secure process with this rule?. By default this is true.
-* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`. By default it is `falco`.
+* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
 * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy.
 - - -
@@ -70,7 +70,7 @@ The `inherited_from` block is required and identifies the managed policy that th
 * `name` - (Required) The name of the Secure managed policy. It must match the name of an existing managed policy.
-* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`. By default it is `falco`.
+* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
 - - -
diff --git a/website/docs/r/secure_policy.md b/website/docs/r/secure_policy.md
index 2983cae7..8779f778 100644
--- a/website/docs/r/secure_policy.md
+++ b/website/docs/r/secure_policy.md
@@ -60,7 +60,7 @@ resource "sysdig_secure_policy" "write_apt_database" {
 * `enabled` - (Optional) Will secure process with this rule?. By default this is true.
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
- `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`. By default it is `falco`.
+ `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
 * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy.
 - - -
diff --git a/website/docs/r/secure_rule_falco.md b/website/docs/r/secure_rule_falco.md
index d8c03472..33a236e4 100644
--- a/website/docs/r/secure_rule_falco.md
+++ b/website/docs/r/secure_rule_falco.md
@@ -23,7 +23,7 @@ resource "sysdig_secure_rule_falco" "example" {
 condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint"
 output = "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)"
 priority = "notice"
- source = "syscall" // syscall, k8s_audit, aws_cloudtrail, gcp_auditlog or azure_platformlogs
+ source = "syscall" // syscall, k8s_audit, aws_cloudtrail, gcp_auditlog, azure_platformlogs, awscloudtrail okta, github
 exceptions {
@@ -64,7 +64,7 @@ The following arguments are supported:
 * `condition` - (Required) A [Falco condition](https://falco.org/docs/rules/) is simply a Boolean predicate on Sysdig events expressed using the Sysdig [filter syntax](http://www.sysdig.org/wiki/sysdig-user-guide/#filtering) and macro terms.
 * `output` - (Optional) Add additional information to each Falco notification's output. Required if append is false.
 * `priority` - (Optional) The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
-* `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", or "azure_platformlogs". Required if append is false.
+* `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", or "github". Required if append is false.
 * `exceptions` - (Optional) The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
 * `append` - (Optional) This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.