
Fixed #286 by forcing new a saved search resource if the name changes…

Open comrumino opened this issue 10 months ago • 0 comments

  1. Fixed #286 by forcing a new saved search resource if the name changes — copy & delete the search as the user expects, whereas an update would copy without deleting.
  2. Fixed #181 by introducing support for updating search queries and documenting the need for the lifecycle create_before_destroy to be true.

Description

Usability improvements around updating saved search name and updating the the underlying query.

Motivation and Context

The provider doesn't behave as expected.

How Has This Been Tested?

Used the script and module below to test various state changes.

#!/usr/bin/env zsh
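outpath="$PWD/test-286.out"
mkdir -pv "$outpath" || exit 1
# Start from an empty output directory so logs from a previous run are not mixed in.
find "$outpath" -type f -exec rm -f -- {} +
export TF_LOG=INFO

# Build the provider from the working tree and drop it into the local plugin
# mirror under terraform.local so that `terraform init` below picks it up.
provider_version="1.5.5"
plugin_dir="$HOME/.terraform.d/plugins/terraform.local/comrumino/prismacloud/$provider_version/darwin_arm64"
mkdir -p "$plugin_dir" || exit 1
# A failed pushd must stop the script, otherwise the build and the mv below
# would run against whatever the current directory happens to be.
pushd "$HOME/repo/terraform-provider-prismacloud" || exit 1
goreleaser build --clean --single-target --snapshot || exit 1
find dist -name "terraform-provider-prismacloud_v${provider_version}*" -execdir mv -f {} "$plugin_dir/terraform-provider-prismacloud_v$provider_version" \;
popd || exit 1
# Drop the cached providers and the lock file so init resolves the freshly built binary.
rm -rf "$PWD/.terraform/providers/terraform.local" "$PWD/.terraform.lock.hcl"
terraform init || exit 1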

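#######################################
# Write the tfvars for one test step, render the plan graph and run apply.
# Globals:   outpath (read) - directory that receives graphs and logs
# Arguments: $1 - saved search name
#            $2 - RQL query; callers pre-escape embedded double quotes
# Outputs:   $PWD/terraform.tfvars.json, $outpath/<name>-graph.png and
#            the apply log/stdout files under $outpath
# Returns:   1 if the tfvars JSON could not be produced, else terraform's status
#######################################
function apply_with_name() {
    local name="$1"
    local query="$2"
    local tfvars="$PWD/terraform.tfvars.json"
    # jq is the last stage of the pipeline, so its exit status is the pipeline's:
    # a query whose escaping breaks the JSON now fails here instead of leaving an
    # empty tfvars file for terraform to trip over.
    if ! printf '{"saved_search_name":"%s","query":"%s"}' "$name" "$query" | jq -r . > "$tfvars"; then
        printf 'apply_with_name: could not build valid tfvars JSON for %s\n' "$name" >&2
        return 1
    fi
    terraform graph -draw-cycles -type=plan | dot -Tpng > "$outpath/$name-graph.png"
    TF_LOG_PATH="$outpath/$name-apply-tf.log" terraform apply -var saved_search_name="$name" -auto-approve &>> "$outpath/stdout-$name-apply-tf.log"
}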
# Drive the state transitions under test, as described in the PR text above:
# same name with a new query, then a changed name, then a full destroy.
base_query="config from cloud.resource where api.name = 'aws-guardduty-detector' AND json.rule = status equals"
apply_with_name "prototype"  "$base_query \\\"ENABLED\\\""
apply_with_name "prototype"  "$base_query \\\"DISABLED\\\""
apply_with_name "prototype2" "$base_query \\\"DISABLED\\\""
TF_LOG_PATH="$outpath/destroy-tf.log" terraform destroy -auto-approve &> "$outpath/stdout-destroy-tf.log"
printf '\n\nLogged to %s\n' "$outpath"

# Inputs written by the test script into terraform.tfvars.json; the name is
# additionally passed on the command line with -var.
variable "saved_search_name" {
  type = string
}
variable "query" {
  type = string
}
locals { 
  search_query_name = "prototype"
}
# Prisma Cloud credentials are read from the "redlock" secret in AWS Secrets Manager.
data "aws_secretsmanager_secret" "redlock" {
  name = "redlock"
}
data "aws_secretsmanager_secret_version" "redlock" {
  secret_id = data.aws_secretsmanager_secret.redlock.id
}
locals {
  # nonsensitive() removes the sensitive marking from the decoded secret, so the
  # user and password values can appear in plan/apply output. Tolerable for a
  # local test harness; do not carry this into shared configuration.
  redlock = nonsensitive(jsondecode(data.aws_secretsmanager_secret_version.redlock.secret_string))
}

provider "prismacloud" {
  # rest_api_url is stored with its scheme; the first 8 characters ("https://")
  # are dropped because the scheme is supplied separately via protocol.
  url      = substr(local.redlock["rest_api_url"], 8, -1)
  username = local.redlock["user"]
  password = local.redlock["password"]
  protocol = "https"
  # Verbose API logging used while debugging this PR. NOTE(review): send/receive
  # presumably log request and response payloads, which may include the
  # authentication exchange — confirm before sharing TF_LOG output.
  logging = {
    action  = true
    path    = true
    send    = true
    receive = true
  }
  timeout = 300
}

# The RQL search whose query the saved search below wraps; the query text comes
# from var.query so the test script can swap it between runs.
resource "prismacloud_rql_search" "prototype" {
  search_type = "config"
  query       = var.query
  limit       = -1
  skip_result = true
  time_range {
    relative {
      unit   = "hour"
      amount = 24
    }
  }
}

# Saved search under test. The name is the attribute that, per this PR, now
# forces replacement; the query and time range are derived from the RQL search.
resource "prismacloud_saved_search" "prototype" {
  name        = var.saved_search_name
  description = "prototype"
  search_id   = prismacloud_rql_search.prototype.search_id
  query       = prismacloud_rql_search.prototype.query
  cloud_type  = "aws"
  time_range {
    relative {
      unit   = prismacloud_rql_search.prototype.time_range[0].relative[0].unit
      amount = prismacloud_rql_search.prototype.time_range[0].relative[0].amount
    }
  }
  # Required for query updates per the documentation change in this PR (#181):
  # the replacement is created before the old saved search is deleted.
  lifecycle {
    create_before_destroy = true
  }
}

# A disabled policy that references the saved search by id, so the test also
# exercises a dependent resource when the saved search is replaced.
resource "prismacloud_policy" "prototype" {
  count          = 1
  name           = local.search_query_name
  policy_type    = "config"
  description    = "prototype desc"
  severity       = "high"
  recommendation = "prototype recommendation"
  cloud_type     = "aws"
  enabled        = false
  rule {
    name = local.search_query_name
    parameters = {
      savedSearch = true
      withIac     = false
    }
    rule_type = "Config"
    # The saved search id is the policy criteria; a replaced saved search yields a new id.
    criteria  = prismacloud_saved_search.prototype.id
  }
}

Types of changes

  • Bug fix (non-breaking change which fixes an issue)

Checklist

  • [x] I have updated the documentation accordingly.
  • [x] I have read the CONTRIBUTING document.
  • [x] I have added tests to cover my changes if appropriate.
  • [x] All new and existing tests passed.

comrumino avatar Apr 01 '24 03:04 comrumino