[policies] manage mounted volume toggle in drift policies (#602)

* manage mounted volume toggle in drift policies

* update docs

Author: kmvachhani

sysdig/data_source_sysdig_secure_drift_policy.go

@@ -47,14 +47,15 @@ func createDriftPolicyDataSourceSchema() map[string]*schema.Schema {
 			Computed: true,
 			Elem: &schema.Resource{
 				Schema: map[string]*schema.Schema{
-					"id":                  ReadOnlyIntSchema(),
-					"name":                ReadOnlyStringSchema(),
-					"description":         DescriptionComputedSchema(),
-					"tags":                TagsSchema(),
-					"version":             VersionSchema(),
-					"enabled":             BoolComputedSchema(),
-					"exceptions":          ExceptionsComputedSchema(),
-					"prohibited_binaries": ExceptionsComputedSchema(),
+					"id":                           ReadOnlyIntSchema(),
+					"name":                         ReadOnlyStringSchema(),
+					"description":                  DescriptionComputedSchema(),
+					"tags":                         TagsSchema(),
+					"version":                      VersionSchema(),
+					"enabled":                      BoolComputedSchema(),
+					"exceptions":                   ExceptionsComputedSchema(),
+					"prohibited_binaries":          ExceptionsComputedSchema(),
+					"mounted_volume_drift_enabled": BoolComputedSchema(),
 				},
 			},
 		},

sysdig/internal/client/v2/model.go

@@ -426,13 +426,14 @@ type RuntimePolicyRuleList struct {
 }
 
 type DriftRuleDetails struct {
-	RuleType               ElementType            `json:"ruleType"`
-	Exceptions             *RuntimePolicyRuleList `json:"exceptionList"`
-	ProcessBasedExceptions *RuntimePolicyRuleList `json:"allowlistProcess"`
-	ProcessBasedDenylist   *RuntimePolicyRuleList `json:"denylistProcess"`
-	ProhibitedBinaries     *RuntimePolicyRuleList `json:"prohibitedBinaries"`
-	Mode                   string                 `json:"mode"`
-	Details                `json:"-"`
+	RuleType                  ElementType            `json:"ruleType"`
+	Exceptions                *RuntimePolicyRuleList `json:"exceptionList"`
+	ProcessBasedExceptions    *RuntimePolicyRuleList `json:"allowlistProcess"`
+	ProcessBasedDenylist      *RuntimePolicyRuleList `json:"denylistProcess"`
+	ProhibitedBinaries        *RuntimePolicyRuleList `json:"prohibitedBinaries"`
+	Mode                      string                 `json:"mode"`
+	MountedVolumeDriftEnabled bool                   `json:"mountedVolumeDriftEnabled"`
+	Details                   `json:"-"`
 }
 
 func (p DriftRuleDetails) GetRuleType() ElementType {

sysdig/resource_sysdig_secure_drift_policy.go

@@ -66,6 +66,7 @@ func resourceSysdigSecureDriftPolicy() *schema.Resource {
 						"prohibited_binaries":               ExceptionsSchema(),
 						"process_based_exceptions":          ExceptionsSchema(),
 						"process_based_prohibited_binaries": ExceptionsSchema(),
+						"mounted_volume_drift_enabled":      BoolSchema(),
 					},
 				},
 			},

sysdig/resource_sysdig_secure_drift_policy_test.go

@@ -39,6 +39,9 @@ func TestAccDriftPolicy(t *testing.T) {
 			{
 				Config: driftPolicyWithoutExceptions(rText()),
 			},
+			{
+				Config: driftPolicyWithMountedVolumeDriftEnabled(rText()),
+			},
 		},
 	})
 }
@@ -212,3 +215,31 @@ resource "sysdig_secure_drift_policy" "sample" {
 
 `, secureNotificationChannelEmailWithName(name), name)
 }
+
+func driftPolicyWithMountedVolumeDriftEnabled(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "sample" {
+
+  name        = "Test Drift Policy %s"
+  description = "Test Drift Policy Description"
+  enabled     = true
+  severity    = 4
+
+  rule {
+    description = "Test Drift Rule Description"
+    mounted_volume_drift_enabled = true
+    enabled = true
+
+    exceptions {
+      items = ["/usr/bin/sh"]
+    }
+    prohibited_binaries {
+      items = ["/usr/bin/curl"]
+    }
+	  process_based_exceptions {
+      items = ["/usr/bin/curl"]
+    }
+	} 
+}
+  `, name)
+}

sysdig/tfresource.go

@@ -209,12 +209,13 @@ func setTFResourcePolicyRulesDrift(d *schema.ResourceData, policy v2.PolicyRules
 		enabled := (mode != "disabled")
 
 		ruleMap := map[string]interface{}{
-			"id":          rule.Id,
-			"name":        rule.Name,
-			"description": rule.Description,
-			"version":     rule.Version,
-			"tags":        rule.Tags,
-			"enabled":     enabled,
+			"id":                           rule.Id,
+			"name":                         rule.Name,
+			"description":                  rule.Description,
+			"version":                      rule.Version,
+			"tags":                         rule.Tags,
+			"enabled":                      enabled,
+			"mounted_volume_drift_enabled": driftDetails.MountedVolumeDriftEnabled,
 		}
 
 		if exceptionsBlock != nil {
@@ -495,18 +496,21 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData
 			mode = "disabled"
 		}
 
+		mountedVolumeDriftEnabled := d.Get("rule.0.mounted_volume_drift_enabled").(bool)
+
 		rule := &v2.RuntimePolicyRule{
 			// TODO: Do not hardcode the indexes
 			Name:        d.Get("rule.0.name").(string),
 			Description: d.Get("rule.0.description").(string),
 			Tags:        tags,
 			Details: v2.DriftRuleDetails{
-				RuleType:               v2.ElementType(driftElementType), // TODO: Use const
-				Mode:                   mode,
-				Exceptions:             &exceptions,
-				ProhibitedBinaries:     &prohibitedBinaries,
-				ProcessBasedExceptions: &processBasedExceptions,
-				ProcessBasedDenylist:   &processBasedProhibitedBinaries,
+				RuleType:                  v2.ElementType(driftElementType), // TODO: Use const
+				Mode:                      mode,
+				Exceptions:                &exceptions,
+				ProhibitedBinaries:        &prohibitedBinaries,
+				ProcessBasedExceptions:    &processBasedExceptions,
+				ProcessBasedDenylist:      &processBasedProhibitedBinaries,
+				MountedVolumeDriftEnabled: mountedVolumeDriftEnabled,
 			},
 		}
 

website/docs/r/secure_drift_policy.md

@@ -122,6 +122,7 @@ The rule block is required and supports:
     * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.      
 * `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file
     * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
+* `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled.