[policies] add support for sysdig secure aws gaurdduty policies and rules (#603)

* add support for guardduty policy and rules

* fix test

* fix string formatting

Author: kmvachhani

sysdig/resource_sysdig_secure_policy.go

@@ -32,6 +32,7 @@ var validatePolicyType = validation.StringInSlice([]string{
 	"drift",
 	"aws_machine_learning",
 	"machine_learning",
+	"guardduty",
 }, false)
 
 func resourceSysdigSecurePolicy() *schema.Resource {

sysdig/resource_sysdig_secure_policy_test.go

@@ -56,6 +56,7 @@ func TestAccPolicy(t *testing.T) {
 				resource.TestStep{Config: policiesForFalcoCloudAWSCloudtrail(rText())},
 				resource.TestStep{Config: policiesForOkta(rText())},
 				resource.TestStep{Config: policiesForGithub(rText())},
+				resource.TestStep{Config: policiesForGuardDuty(rText())},
 			)
 		}
 	}
@@ -254,3 +255,14 @@ resource "sysdig_secure_policy" "sample9" {
 }
 `, name, name)
 }
+
+func policiesForGuardDuty(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_policy" "sample10" {
+  name = "TERRAFORM TEST 4 %s"
+  description = "TERRAFORM TEST %s"
+  type = "guardduty"
+  actions {}
+}
+`, name, name)
+}

sysdig/resource_sysdig_secure_rule_falco.go

@@ -18,7 +18,7 @@ import (
 	"github.com/spf13/cast"
 )
 
-var validateFalcoRuleSource = validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github"}, false)
+var validateFalcoRuleSource = validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs", "awscloudtrail", "okta", "github", "guardduty"}, false)
 
 func resourceSysdigSecureRuleFalco() *schema.Resource {
 	timeout := 5 * time.Minute

sysdig/resource_sysdig_secure_rule_falco_test.go

@@ -285,6 +285,24 @@ func TestRuleGithubAppends(t *testing.T) {
 	runTest(steps, t)
 }
 
+func TestRuleGuardDuty(t *testing.T) {
+	steps := []resource.TestStep{
+		{
+			Config: ruleGuardDuty(randomString()),
+		},
+	}
+	runTest(steps, t)
+}
+
+func TestRuleGuardDutyAppends(t *testing.T) {
+	steps := []resource.TestStep{
+		{
+			Config: ruleGuardDutyWithAppend(),
+		},
+	}
+	runTest(steps, t)
+}
+
 func randomString() string { return acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum) }
 
 func runTest(steps []resource.TestStep, t *testing.T) {
@@ -564,3 +582,32 @@ resource "sysdig_secure_rule_falco" "github_append" {
    }
 }`
 }
+
+func ruleGuardDuty(name string) string {
+	return fmt.Sprintf(`
+	resource "sysdig_secure_rule_falco" "guardduty" {
+	  name = "TERRAFORM TEST %[1]s - GuardDuty"
+	  description = "TERRAFORM TEST %[1]s"
+	  tags = ["guardduty"]
+	
+	  condition = "guardduty.resourceType=\"Container\""
+	  output = "GuardDuty Event received (account ID=%%guardduty.accountId)"
+	  priority = "debug"
+	  source = "guardduty"
+	}`, name, name)
+}
+
+func ruleGuardDutyWithAppend() string {
+	return `
+	resource "sysdig_secure_rule_falco" "guardduty_append" {
+	  name = "GuardDuty High Severity Finding on Container"
+	  source = "guardduty"
+	  append = true
+	  exceptions {
+		name = "resource_type_tf"
+		fields = ["guardduty.resourceType"]
+		comps = ["="]
+		values = jsonencode([ ["Amazon S2"] ])
+	   }
+	}`
+}

website/docs/d/secure_custom_policy.md

@@ -26,7 +26,7 @@ data "sysdig_secure_custom_policy" "example" {
 * `name` - (Required) The name of the Secure custom policy.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 ## Attributes Reference
 

website/docs/d/secure_managed_policy.md

@@ -26,7 +26,7 @@ data "sysdig_secure_managed_policy" "example" {
 * `name` - (Required) The name of the Secure managed policy.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 ## Attributes Reference
 

website/docs/d/secure_managed_ruleset.md

@@ -26,7 +26,7 @@ data "sysdig_secure_managed_ruleset" "example" {
 * `name` - (Required) The name of the Secure managed ruleset.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 ## Attributes Reference
 

website/docs/r/secure_custom_policy.md

@@ -60,7 +60,7 @@ resource "sysdig_secure_custom_policy" "write_apt_database" {
 * `enabled` - (Optional) Will secure process with this rule?. By default this is true.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy. 
 - - -

website/docs/r/secure_managed_policy.md

@@ -51,7 +51,7 @@ resource "sysdig_secure_managed_policy" "sysdig_runtime_threat_detection" {
 * `name` - (Required) The name of the Secure managed policy. It must match the name of an existing managed policy.
 
 * `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
-  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 * `enabled` - (Optional) Will secure process with this policy?. By default this is true.
 

website/docs/r/secure_managed_ruleset.md

@@ -59,7 +59,7 @@ resource "sysdig_secure_managed_ruleset" "sysdig_runtime_threat_detection_manage
 
 * `enabled` - (Optional) Will secure process with this rule?. By default this is true.
 
-* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 * `runbook` - (Optional) Customer provided url that provides a runbook for a given policy. 
 - - -
@@ -70,7 +70,7 @@ The `inherited_from` block is required and identifies the managed policy that th
 
 * `name` - (Required) The name of the Secure managed policy. It must match the name of an existing managed policy.
 
-* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`. By default it is `falco`.
+* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`, `aws_cloudtrail`, `awscloudtrail`, `okta`, `github`, `guardduty`. By default it is `falco`.
 
 - - -