Kill Process Runtime Policies Support (#531)

* add support for kill_process

* add docs for kill_process

* fix lint

Author: IgorEulalio

sysdig/data_source_sysdig_secure_policy.go

@@ -80,6 +80,11 @@ func createPolicyDataSourceSchema() map[string]*schema.Schema {
 						Optional: true,
 						Computed: true,
 					},
+					"kill_process": {
+						Type:     schema.TypeString,
+						Optional: true,
+						Computed: true,
+					},
 					"capture": {
 						Type:     schema.TypeList,
 						Optional: true,
@@ -137,11 +142,9 @@ func policyDataSourceToResourceData(policy v2.Policy, d *schema.ResourceData) {
 	_ = d.Set("runbook", policy.Runbook)
 
 	actions := []map[string]interface{}{{}}
+
 	for _, action := range policy.Actions {
-		if action.Type != "POLICY_ACTION_CAPTURE" {
-			action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
-			actions[0]["container"] = strings.ToLower(action)
-		} else {
+		if action.Type == "POLICY_ACTION_CAPTURE" {
 			actions[0]["capture"] = []map[string]interface{}{{
 				"seconds_after_event":  action.AfterEventNs / 1000000000,
 				"seconds_before_event": action.BeforeEventNs / 1000000000,
@@ -150,6 +153,12 @@ func policyDataSourceToResourceData(policy v2.Policy, d *schema.ResourceData) {
 				"bucket_name":          action.BucketName,
 				"folder":               action.Folder,
 			}}
+
+		} else if action.Type == "POLICY_ACTION_KILL_PROCESS" {
+			actions[0]["kill_process"] = "true"
+		} else {
+			action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
+			actions[0]["container"] = strings.ToLower(action)
 		}
 	}
 

sysdig/resource_sysdig_secure_custom_policy_test.go

@@ -48,6 +48,9 @@ func TestAccCustomPolicy(t *testing.T) {
 		{
 			Config: customPoliciesWithDisabledRules(rText()),
 		},
+		{
+			Config: customPoliciesWithKillProcessAction(rText()),
+		},
 	}
 
 	if !buildinfo.OnpremSecure {
@@ -222,8 +225,8 @@ resource "sysdig_secure_custom_policy" "sample_%d" {
 
 func customPoliciesWithKillAction(name string) (res string) {
 	return fmt.Sprintf(`
-resource "sysdig_secure_custom_policy" "sample" {
-  name = "TERRAFORM TEST 1 %s"
+resource "sysdig_secure_custom_policy" "sample10" {
+  name = "TERRAFORM TEST 10 %s"
   description = "TERRAFORM TEST %s"
   enabled = true
   severity = 4
@@ -241,6 +244,27 @@ resource "sysdig_secure_custom_policy" "sample" {
 `, name, name)
 }
 
+func customPoliciesWithKillProcessAction(name string) (res string) {
+	return fmt.Sprintf(`
+resource "sysdig_secure_custom_policy" "sample10" {
+ name = "TERRAFORM TEST 1 %s"
+ description = "TERRAFORM TEST %s"
+ enabled = true
+ severity = 4
+ scope = "container.id != \"\""
+
+ rules {
+   name = "Terminal shell in container"
+   enabled = true
+ }
+
+ actions {
+   kill_process = "true"
+ }
+}
+`, name, name)
+}
+
 func customPoliciesForAWSCloudtrail(name string) string {
 	return fmt.Sprintf(`
 resource "sysdig_secure_custom_policy" "sample4" {

sysdig/resource_sysdig_secure_policy.go

@@ -121,11 +121,7 @@ func commonPolicyToResourceData(policy *v2.Policy, d *schema.ResourceData) {
 
 	actions := []map[string]interface{}{{}}
 	for _, action := range policy.Actions {
-		if action.Type != "POLICY_ACTION_CAPTURE" {
-			action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
-			actions[0]["container"] = strings.ToLower(action)
-			// d.Set("actions.0.container", strings.ToLower(action))
-		} else {
+		if action.Type == "POLICY_ACTION_CAPTURE" {
 			actions[0]["capture"] = []map[string]interface{}{{
 				"seconds_after_event":  action.AfterEventNs / 1000000000,
 				"seconds_before_event": action.BeforeEventNs / 1000000000,
@@ -134,6 +130,12 @@ func commonPolicyToResourceData(policy *v2.Policy, d *schema.ResourceData) {
 				"bucket_name":          action.BucketName,
 				"folder":               action.Folder,
 			}}
+
+		} else if action.Type == "POLICY_ACTION_KILL_PROCESS" {
+			actions[0]["kill_process"] = true
+		} else {
+			action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
+			actions[0]["container"] = strings.ToLower(action)
 		}
 	}
 
@@ -214,6 +216,11 @@ func addActionsToPolicy(d *schema.ResourceData, policy *v2.Policy) {
 		policy.Actions = append(policy.Actions, v2.Action{Type: "POLICY_ACTION_PREVENT_MALWARE"})
 	}
 
+	killProcessAction, ok := d.GetOk("actions.0.kill_process")
+	if ok && killProcessAction.(bool) {
+		policy.Actions = append(policy.Actions, v2.Action{Type: "POLICY_ACTION_KILL_PROCESS"})
+	}
+
 	containerAction := d.Get("actions.0.container").(string)
 	if containerAction != "" {
 		containerAction = strings.ToUpper("POLICY_ACTION_" + containerAction)

sysdig/schema.go

@@ -205,6 +205,14 @@ func ContainerActionSchema() *schema.Schema {
 	}
 }
 
+func ContainerKillProcessActionSchema() *schema.Schema {
+	return &schema.Schema{
+		Type:     schema.TypeBool,
+		Optional: true,
+		Default:  false,
+	}
+}
+
 func ContainerActionComputedSchema() *schema.Schema {
 	return &schema.Schema{
 		Type:     schema.TypeString,
@@ -448,8 +456,9 @@ func createPolicySchema(original map[string]*schema.Schema) map[string]*schema.S
 			Optional: true,
 			Elem: &schema.Resource{
 				Schema: map[string]*schema.Schema{
-					"container": ContainerActionSchema(),
-					"capture":   CaptureActionSchema(),
+					"container":    ContainerActionSchema(),
+					"kill_process": ContainerKillProcessActionSchema(),
+					"capture":      CaptureActionSchema(),
 				},
 			},
 		},

website/docs/d/secure_custom_policy.md

@@ -58,6 +58,10 @@ The actions block is optional and supports:
     triggered. Can be *stop*, *pause* or *kill*. If this is not specified,
     no action will be applied at the container level.
 
+* `kill_process` - (Optional) Whether to kill the process that triggered the rule.
+  If this is not specified,
+  no action will be applied at the process level.
+
 * `capture` - (Optional) Captures with Sysdig the stream of system calls:
     * `seconds_before_event` - (Required) Captures the system calls during the
     amount of seconds before the policy was triggered.

website/docs/r/secure_custom_policy.md

@@ -81,6 +81,9 @@ The actions block is optional and supports:
     triggered. Can be *stop*, *pause* or *kill*. If this is not specified,
     no action will be applied at the container level.
 
+* `kill_process` - (Optional) Whether to kill the process that triggered the rule.
+  If this is not specified,
+  no action will be applied at the process level.
 * `capture` - (Optional) Captures with Sysdig the stream of system calls:
     * `seconds_before_event` - (Required) Captures the system calls during the
     amount of seconds before the policy was triggered.