Add support for additional secure drift policy fields

Author: ombellare

sysdig/data_source_sysdig_secure_drift_policy.go

@@ -47,15 +47,18 @@ func createDriftPolicyDataSourceSchema() map[string]*schema.Schema {
 			Computed: true,
 			Elem: &schema.Resource{
 				Schema: map[string]*schema.Schema{
-					"id":                           ReadOnlyIntSchema(),
-					"name":                         ReadOnlyStringSchema(),
-					"description":                  DescriptionComputedSchema(),
-					"tags":                         TagsSchema(),
-					"version":                      VersionSchema(),
-					"enabled":                      BoolComputedSchema(),
-					"exceptions":                   ExceptionsComputedSchema(),
-					"prohibited_binaries":          ExceptionsComputedSchema(),
-					"mounted_volume_drift_enabled": BoolComputedSchema(),
+					"id":                                ReadOnlyIntSchema(),
+					"name":                              ReadOnlyStringSchema(),
+					"description":                       DescriptionComputedSchema(),
+					"tags":                              TagsSchema(),
+					"version":                           VersionSchema(),
+					"enabled":                           BoolComputedSchema(),
+					"exceptions":                        ExceptionsComputedSchema(),
+					"prohibited_binaries":               ExceptionsComputedSchema(),
+					"process_based_exceptions":          ExceptionsComputedSchema(),
+					"process_based_prohibited_binaries": ExceptionsComputedSchema(),
+					"mounted_volume_drift_enabled":      BoolComputedSchema(),
+					"use_regex":                         BoolComputedSchema(),
 				},
 			},
 		},

sysdig/data_source_sysdig_secure_drift_policy_test.go

@@ -47,13 +47,21 @@ resource "sysdig_secure_drift_policy" "policy_1" {
   rule {
     description = "Test Drift Rule Description"
     enabled = true
+    mounted_volume_drift_enabled = true
+    use_regex = true
 
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
+    process_based_exceptions {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
   }
 
   actions {

sysdig/internal/client/v2/model.go

@@ -419,6 +419,7 @@ type DriftRuleDetails struct {
 	ProhibitedBinaries        *RuntimePolicyRuleList `json:"prohibitedBinaries"`
 	Mode                      string                 `json:"mode"`
 	MountedVolumeDriftEnabled bool                   `json:"mountedVolumeDriftEnabled"`
+	UseRegex                  bool                   `json:"useRegex"`
 	Details                   `json:"-"`
 }
 

sysdig/resource_sysdig_secure_drift_policy.go

@@ -67,6 +67,7 @@ func resourceSysdigSecureDriftPolicy() *schema.Resource {
 						"process_based_exceptions":          ExceptionsSchema(),
 						"process_based_prohibited_binaries": ExceptionsSchema(),
 						"mounted_volume_drift_enabled":      BoolSchema(),
+						"use_regex":                         BoolSchema(),
 					},
 				},
 			},

sysdig/resource_sysdig_secure_drift_policy_test.go

@@ -67,9 +67,6 @@ resource "sysdig_secure_drift_policy" "sample" {
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
-      items = ["/usr/bin/curl"]
-	} 
   }
 
   actions {
@@ -96,16 +93,20 @@ resource "sysdig_secure_drift_policy" "sample" {
     description = "Test Drift Rule Description"
 
     enabled = true
+    use_regex = true
 
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    } 
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
   }
 
   actions {
@@ -138,16 +139,17 @@ resource "sysdig_secure_drift_policy" "sample" {
     description = "Test Drift Rule Description"
 
     enabled = true
+    use_regex = true
 
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    } 
   }
 
   actions {}
@@ -177,9 +179,12 @@ resource "sysdig_secure_drift_policy" "sample" {
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    }
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
   }
 
   actions {
@@ -227,19 +232,23 @@ resource "sysdig_secure_drift_policy" "sample" {
 
   rule {
     description = "Test Drift Rule Description"
-    mounted_volume_drift_enabled = true
+
     enabled = true
+    mounted_volume_drift_enabled = true
 
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	  process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
     }
-	} 
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
+  }
 }
   `, name)
 }

sysdig/tfresource.go

@@ -216,6 +216,7 @@ func setTFResourcePolicyRulesDrift(d *schema.ResourceData, policy v2.PolicyRules
 			"tags":                         rule.Tags,
 			"enabled":                      enabled,
 			"mounted_volume_drift_enabled": driftDetails.MountedVolumeDriftEnabled,
+			"use_regex":                    driftDetails.UseRegex,
 		}
 
 		if exceptionsBlock != nil {
@@ -498,6 +499,7 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData
 		}
 
 		mountedVolumeDriftEnabled := d.Get("rule.0.mounted_volume_drift_enabled").(bool)
+		useRegex := d.Get("rule.0.use_regex").(bool)
 
 		rule := &v2.RuntimePolicyRule{
 			// TODO: Do not hardcode the indexes
@@ -512,6 +514,7 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData
 				ProcessBasedExceptions:    &processBasedExceptions,
 				ProcessBasedDenylist:      &processBasedProhibitedBinaries,
 				MountedVolumeDriftEnabled: mountedVolumeDriftEnabled,
+				UseRegex:                  useRegex,
 			},
 		}
 

website/docs/d/secure_drift_policy.md

@@ -78,5 +78,9 @@ The rule block is required and supports:
     * `items` - (Required) Specify comma separated list of exceptions, e.g. `/usr/bin/rm, /usr/bin/curl`.
 * `prohibited_binaries` - (Optional) A prohibited binary can be a known harmful binary or one that facilitates discovery of your environment.
     * `items` - (Required) Specify comma separated list of prohibited binaries, e.g. `/usr/bin/rm, /usr/bin/curl`.
-
-
+* `process_based_exceptions` - (Optional) List of processes that will be able to execute a drifted file 
+    * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
+* `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file
+    * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
+* `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled.
+* `use_regex` - (Optional) Pass exceptions and prohibited binaries as regex strings. Requires agent version 13.2.0 and above

website/docs/r/secure_drift_policy.md

@@ -123,6 +123,4 @@ The rule block is required and supports:
 * `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file
     * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
 * `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled.
-
-
-
+* `use_regex` - (Optional) Pass exceptions and prohibited binaries as regex strings. Requires agent version 13.2.0 and above