Updated service changes with local policies schema and example

aquasec/data_service_test.go

@@ -79,6 +79,23 @@ func TestDataSourceServiceComplex(t *testing.T) {
 					resource.TestCheckResourceAttrSet(rootRef, "lastupdate"),
 					resource.TestCheckResourceAttrSet(rootRef, "evaluated"),
 					resource.TestCheckResourceAttrSet(rootRef, "is_registered"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.#", fmt.Sprintf("%d", len(basicService.LocalPolicies))),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.name", basicService.LocalPolicies[0].Name),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.type", basicService.LocalPolicies[0].Type),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.description", basicService.LocalPolicies[0].Description),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.block_metadata_service", fmt.Sprintf("%t", basicService.LocalPolicies[0].BlockMetadataService)),
+
+					// Inbound Networks
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.#", fmt.Sprintf("%d", len(basicService.LocalPolicies[0].InboundNetworks))),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.port_range", basicService.LocalPolicies[0].InboundNetworks[0].PortRange),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.resource_type", basicService.LocalPolicies[0].InboundNetworks[0].ResourceType),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.allow", fmt.Sprintf("%t", basicService.LocalPolicies[0].InboundNetworks[0].Allow)),
+
+					// Outbound Networks
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.#", fmt.Sprintf("%d", len(basicService.LocalPolicies[0].OutboundNetworks))),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.port_range", basicService.LocalPolicies[0].OutboundNetworks[0].PortRange),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource_type", basicService.LocalPolicies[0].OutboundNetworks[0].ResourceType),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.allow", fmt.Sprintf("%t", basicService.LocalPolicies[0].OutboundNetworks[0].Allow)),
 				),
 			},
 		},

aquasec/resource_service_test.go

@@ -41,6 +41,13 @@ var basicService = client.Service{
 					Allow:        true,
 				},
 			},
+			OutboundNetworks: []client.NetworkRule{
+				{
+					PortRange:    "443",
+					ResourceType: "internet",
+					Allow:        true,
+				},
+			},
 		},
 	},
 }
@@ -89,6 +96,13 @@ var complexService = client.Service{
 					Allow:        true,
 				},
 			},
+			OutboundNetworks: []client.NetworkRule{
+				{
+					PortRange:    "443",
+					ResourceType: "internet",
+					Allow:        true,
+				},
+			},
 		},
 	},
 }
@@ -130,14 +144,12 @@ func TestResourceAquasecServiceBasicCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.port_range", basicService.LocalPolicies[0].InboundNetworks[0].PortRange),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.resource_type", basicService.LocalPolicies[0].InboundNetworks[0].ResourceType),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.allow", fmt.Sprintf("%v", basicService.LocalPolicies[0].InboundNetworks[0].Allow)),
-					resource.TestCheckResourceAttrSet(rootRef, "is_registered"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.#", fmt.Sprintf("%d", len(basicService.LocalPolicies[0].OutboundNetworks))),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.port_range", basicService.LocalPolicies[0].OutboundNetworks[0].PortRange),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource_type", basicService.LocalPolicies[0].OutboundNetworks[0].ResourceType),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.allow", fmt.Sprintf("%v", basicService.LocalPolicies[0].OutboundNetworks[0].Allow)),
 				),
 			},
-			{
-				ResourceName:      "aquasec_service.test-basic-svc",
-				ImportState:       true,
-				ImportStateVerify: true,
-			},
 		},
 	})
 }
@@ -181,6 +193,10 @@ func TestResourceAquasecServiceComplexCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.port_range", complexService.LocalPolicies[0].InboundNetworks[0].PortRange),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.resource_type", complexService.LocalPolicies[0].InboundNetworks[0].ResourceType),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.allow", fmt.Sprintf("%v", complexService.LocalPolicies[0].InboundNetworks[0].Allow)),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.#", fmt.Sprintf("%d", len(basicService.LocalPolicies[0].OutboundNetworks))),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.port_range", basicService.LocalPolicies[0].OutboundNetworks[0].PortRange),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource_type", basicService.LocalPolicies[0].OutboundNetworks[0].ResourceType),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.allow", fmt.Sprintf("%v", basicService.LocalPolicies[0].OutboundNetworks[0].Allow)),
 					resource.TestCheckResourceAttrSet(rootRef, "containers_count"),
 					resource.TestCheckResourceAttrSet(rootRef, "lastupdate"),
 					resource.TestCheckResourceAttrSet(rootRef, "evaluated"),
@@ -250,6 +266,10 @@ func TestResourceAquasecServiceUpdate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "local_policies.1.inbound_networks.0.port_range", updatedService.LocalPolicies[1].InboundNetworks[0].PortRange),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.1.inbound_networks.0.resource_type", updatedService.LocalPolicies[1].InboundNetworks[0].ResourceType),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.1.inbound_networks.0.allow", fmt.Sprintf("%v", updatedService.LocalPolicies[1].InboundNetworks[0].Allow)),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.#", fmt.Sprintf("%d", len(basicService.LocalPolicies[0].OutboundNetworks))),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.port_range", basicService.LocalPolicies[0].OutboundNetworks[0].PortRange),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource_type", basicService.LocalPolicies[0].OutboundNetworks[0].ResourceType),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.allow", fmt.Sprintf("%v", basicService.LocalPolicies[0].OutboundNetworks[0].Allow)),
 					resource.TestCheckResourceAttrSet(rootRef, "is_registered"),
 				),
 			},
@@ -284,6 +304,10 @@ func TestResourceAquasecServiceUpdate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "local_policies.1.inbound_networks.0.port_range", updatedService.LocalPolicies[1].InboundNetworks[0].PortRange),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.1.inbound_networks.0.resource_type", updatedService.LocalPolicies[1].InboundNetworks[0].ResourceType),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.1.inbound_networks.0.allow", fmt.Sprintf("%v", updatedService.LocalPolicies[1].InboundNetworks[0].Allow)),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.#", fmt.Sprintf("%d", len(basicService.LocalPolicies[0].OutboundNetworks))),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.port_range", basicService.LocalPolicies[0].OutboundNetworks[0].PortRange),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource_type", basicService.LocalPolicies[0].OutboundNetworks[0].ResourceType),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.allow", fmt.Sprintf("%v", basicService.LocalPolicies[0].OutboundNetworks[0].Allow)),
 					resource.TestCheckResourceAttrSet(rootRef, "is_registered"),
 				),
 			},
@@ -297,33 +321,44 @@ func serviceResourceRef(name string) string {
 
 func getBasicServiceResource() string {
 	return fmt.Sprintf(`
-	resource "aquasec_service" "test-basic-svc" {
-		name = "%s"
-		description = "%s"
-		application_scopes = [
-			"%s",
-		]
-		policies = [
-			"%s"
-		]
-		# Add local policy definition here
-        local_policies {
+    resource "aquasec_service" "test-basic-svc" {
+        name = "%s"
+        description = "%s"
+        application_scopes = [
+            "%s"
+        ]
+        policies = [
+            "%s"
+        ]
+
+        local_policies = [{
             name = "%s"  
             type = "%s"
             description = "%s"
-            inbound_networks {
-                port_range = "%s"
-                resource_type = "%s"
-                allow = "%t"
-            }
-        }
-		target = "%s"
-		scope_expression = "%s"
-		scope_variables {
-			attribute = "%s"
-			value = "%s"
-		}
-	}`,
+            inbound_networks = [
+                {
+                    port_range = "%s"
+                    resource_type = "%s"
+                    allow = %t
+                }
+            ]
+            outbound_networks = [
+                {
+                    port_range = "%s"
+                    resource_type = "%s"
+                    allow = %t
+                }
+            ]
+        }]
+
+        target = "%s"
+        scope_expression = "%s"
+        scope_variables = [{
+            attribute = "%s"
+            value = "%s"
+        }]
+    }
+    `,
 		basicService.Name,
 		basicService.Description,
 		basicService.ApplicationScopes[0],
@@ -334,6 +369,9 @@ func getBasicServiceResource() string {
 		basicService.LocalPolicies[0].InboundNetworks[0].PortRange,
 		basicService.LocalPolicies[0].InboundNetworks[0].ResourceType,
 		basicService.LocalPolicies[0].InboundNetworks[0].Allow,
+		basicService.LocalPolicies[0].OutboundNetworks[0].PortRange,
+		basicService.LocalPolicies[0].OutboundNetworks[0].ResourceType,
+		basicService.LocalPolicies[0].OutboundNetworks[0].Allow,
 		basicService.MembershipRules.Target,
 		basicService.MembershipRules.Scope.Expression,
 		basicService.MembershipRules.Scope.Variables[0].Attribute,
@@ -375,15 +413,25 @@ func getComplexServiceResource() string {
 			value = "%s"
 		}
 		# Local policy definition
-        local_policies {
-            name = "%s"
+         local_policies = [{
+            name = "%s"  
             type = "%s"
             description = "%s"
-            inbound_networks {
-                port_range = "%s"
-                resource_type = "%s"
-                allow = %t
-            }
+            inbound_networks = [
+                {
+                    port_range = "%s"
+                    resource_type = "%s"
+                    allow = %t
+                }
+            ]
+            outbound_networks = [
+                {
+                    port_range = "%s"
+                    resource_type = "%s"
+                    allow = %t
+                }
+            ]
+        }]
         }
 	}`,
 		complexService.Policies[1],
@@ -407,6 +455,9 @@ func getComplexServiceResource() string {
 		basicService.LocalPolicies[0].InboundNetworks[0].PortRange,
 		basicService.LocalPolicies[0].InboundNetworks[0].ResourceType,
 		basicService.LocalPolicies[0].InboundNetworks[0].Allow,
+		basicService.LocalPolicies[0].OutboundNetworks[0].PortRange,
+		basicService.LocalPolicies[0].OutboundNetworks[0].ResourceType,
+		basicService.LocalPolicies[0].OutboundNetworks[0].Allow,
 	)
 }
 
@@ -438,6 +489,25 @@ func getServiceResourceUpdate(updatedService *client.Service) string {
 			attribute = "%s"
 			value = "%s"
 		}
+			        local_policies = [{
+            name = "%s"  
+            type = "%s"
+            description = "%s"
+            inbound_networks = [
+                {
+                    port_range = "%s"
+                    resource_type = "%s"
+                    allow = %t
+                }
+            ]
+            outbound_networks = [
+                {
+                    port_range = "%s"
+                    resource_type = "%s"
+                    allow = %t
+                }
+            ]
+        }]
 	}`,
 		updatedService.Policies[1],
 		updatedService.Name,
@@ -451,5 +521,14 @@ func getServiceResourceUpdate(updatedService *client.Service) string {
 		updatedService.MembershipRules.Scope.Variables[0].Value,
 		updatedService.MembershipRules.Scope.Variables[1].Attribute,
 		updatedService.MembershipRules.Scope.Variables[1].Value,
+		basicService.LocalPolicies[0].Name,
+		basicService.LocalPolicies[0].Type,
+		basicService.LocalPolicies[0].Description,
+		basicService.LocalPolicies[0].InboundNetworks[0].PortRange,
+		basicService.LocalPolicies[0].InboundNetworks[0].ResourceType,
+		basicService.LocalPolicies[0].InboundNetworks[0].Allow,
+		basicService.LocalPolicies[0].OutboundNetworks[0].PortRange,
+		basicService.LocalPolicies[0].OutboundNetworks[0].ResourceType,
+		basicService.LocalPolicies[0].OutboundNetworks[0].Allow,
 	)
 }

docs/resources/service.md

@@ -10,7 +10,63 @@ description: |-
 
 
 
-
+## Example Usage
+
+```terraform
+resource "aquasec_service" "example_service" {
+  name               = "svc_example"
+  description        = "Example service with global and local policies"
+  target             = "container"
+  priority           = 90
+  application_scopes = ["Global"]
+  enforce            = true
+
+  // Global policies applied to this service
+  policies = ["default", "policy1", "policy2"]
+
+  // Local policy 1
+  local_policies {
+    name        = "policy1"
+    type        = "access.control"
+    description = "Local policy 1 for inbound and outbound control"
+    
+    inbound_networks {
+      port_range   = "22/22"           # Allow SSH traffic
+      resource_type = "anywhere"       # Allow from any source
+      allow         = true             # Permit traffic
+    }
+    
+    outbound_networks {
+      port_range   = "80/80"           # Allow HTTP traffic
+      resource_type = "anywhere"       # Allow to any destination
+      allow         = true             # Permit traffic
+    }
+
+    block_metadata_service = false      # Do not block metadata service
+  }
+
+  // Local policy 2
+  local_policies {
+    name        = "policy2"
+    type        = "access.control"
+    description = "Local policy 2 with stricter outbound control"
+    
+    inbound_networks {
+      port_range   = "443/443"         # Allow HTTPS traffic
+      resource_type = "anywhere"       # Allow from any source
+      allow         = true             # Permit traffic
+    }
+
+    outbound_networks {
+      port_range   = "8080/8080"       # Allow specific application traffic
+      resource_type = "specific"       # Allow only to specific destinations
+      allow         = false            # Block traffic to unspecified destinations
+    }
+
+    block_metadata_service = true       # Block metadata service access for security
+  }
+}
+```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
@@ -26,6 +82,7 @@ description: |-
 
 - `description` (String) A textual description of the service record; maximum 500 characters.
 - `enforce` (Boolean) Enforcement status of the service.
+- `local_policies` (Block List) A list of local policies for the service, including inbound and outbound network rules. (see [below for nested schema](#nestedblock--local_policies))
 - `monitoring` (Boolean) Indicates if monitoring is enabled or not
 - `priority` (Number) Rules priority, must be between 1-100.
 - `scope_expression` (String) Logical expression of how to compute the dependency of the scope variables.
@@ -50,6 +107,42 @@ description: |-
 - `vulnerabilities_sensitive` (Number) Number of sensitive vulnerabilities.
 - `vulnerabilities_total` (Number) Total number of vulnerabilities.
 
+<a id="nestedblock--local_policies"></a>
+### Nested Schema for `local_policies`
+
+Required:
+
+- `name` (String) The name of the local policy.
+- `type` (String) The type of the local policy, e.g., access.control.
+
+Optional:
+
+- `block_metadata_service` (Boolean) Whether to block access to the metadata service.
+- `description` (String) A description of the local policy.
+- `inbound_networks` (Block List) Inbound network rules for the local policy. (see [below for nested schema](#nestedblock--local_policies--inbound_networks))
+- `outbound_networks` (Block List) Outbound network rules for the local policy. (see [below for nested schema](#nestedblock--local_policies--outbound_networks))
+
+<a id="nestedblock--local_policies--inbound_networks"></a>
+### Nested Schema for `local_policies.inbound_networks`
+
+Required:
+
+- `allow` (Boolean) Whether the inbound network rule is allowed.
+- `port_range` (String) The port range for the inbound network rule.
+- `resource_type` (String) The resource type for the inbound network rule (e.g., anywhere).
+
+
+<a id="nestedblock--local_policies--outbound_networks"></a>
+### Nested Schema for `local_policies.outbound_networks`
+
+Required:
+
+- `allow` (Boolean) Whether the outbound network rule is allowed.
+- `port_range` (String) The port range for the outbound network rule.
+- `resource_type` (String) The resource type for the outbound network rule (e.g., anywhere).
+
+
+
 <a id="nestedblock--scope_variables"></a>
 ### Nested Schema for `scope_variables`
 
@@ -58,5 +151,3 @@ Optional:
 - `attribute` (String) Class of supported scope.
 - `name` (String) Name assigned to the attribute.
 - `value` (String) Value assigned to the attribute.
-
-