diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 784b1f5..3bf1e97 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -32,7 +32,7 @@ git clone https://github.com/aquasecurity/terraform-provider-aquasec.git
cd terraform-provider-aquasec
-git checkout v0.8.20
+git checkout v0.8.32
```
**Build and install the provider**
@@ -55,7 +55,7 @@ In order to test the provider installed locally, the provider block will have to
terraform {
required_providers {
aquasec = {
- version = "0.8.31"
+ version = "0.8.32"
source = "terraform-provider-aquasec/aquasec/aquasec"
}
}
diff --git a/GNUmakefile b/GNUmakefile
index fa6b31b..1541642 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -6,7 +6,7 @@ HOSTNAME := github.com
NAMESPACE := aquasec
NAME := aquasec
BINARY := terraform-provider-${NAME}
-VERSION := 0.8.31
+VERSION := 0.8.32
OS_ARCH := $(shell go env GOOS)_$(shell go env GOARCH)
default: build
diff --git a/README.md b/README.md
index dbbe6aa..d9d9cf5 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ To quickly get started using the Aquasec provider for Terraform, configure the p
terraform {
required_providers {
aquasec = {
- version = "0.8.31"
+ version = "0.8.32"
source = "aquasecurity/aquasec"
}
}
diff --git a/docs/data-sources/application_scope.md b/docs/data-sources/application_scope.md
index d7a682c..030b4b9 100644
--- a/docs/data-sources/application_scope.md
+++ b/docs/data-sources/application_scope.md
@@ -73,6 +73,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -91,6 +92,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -109,6 +111,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -128,6 +131,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -154,6 +158,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -172,6 +177,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -200,6 +206,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -218,6 +225,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -236,6 +244,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
diff --git a/docs/data-sources/service.md b/docs/data-sources/service.md
index 2fdc7cc..b4fec87 100644
--- a/docs/data-sources/service.md
+++ b/docs/data-sources/service.md
@@ -95,3 +95,5 @@ Read-Only:
- `attribute` (String)
- `name` (String)
- `value` (String)
+
+
diff --git a/docs/index.md b/docs/index.md
index 7eabe21..2d3de65 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -21,19 +21,19 @@ Use the navigation to the left to read about the available resources and data so
terraform {
required_providers {
aquasec = {
- version = "0.8.31"
+ version = "0.8.32"
source = "aquasecurity/aquasec"
}
}
}
provider "aquasec" {
-username = "IaC" // Alternatively sourced from $AQUA_USER
- aqua_url = "https://aquaurl.com" // Alternatively sourced from $AQUA_URL
- password = "@password" // Alternatively sourced from $AQUA_PASSWORD
+ username = "IaC" // Alternatively sourced from $AQUA_USER
+ aqua_url = "https://aquaurl.com" // Alternatively sourced from $AQUA_URL
+ password = "@password" // Alternatively sourced from $AQUA_PASSWORD
// If you are using unverifiable certificates (e.g. self-signed) you may need to disable certificate verification
- verify_tls = false // Alternatively sourced from $AQUA_TLS_VERIFY
+ verify_tls = false // Alternatively sourced from $AQUA_TLS_VERIFY
// Alternatively, you can provide these configurations from a config file, and configure the provider as below
// config_path = '/path/to/tf.config' // defaults to '~/.aqua/tf.config' -- Alternatively sourced from $AQUA_CONFIG
diff --git a/docs/resources/acknowledge.md b/docs/resources/acknowledge.md
index 0439211..c1149b7 100644
--- a/docs/resources/acknowledge.md
+++ b/docs/resources/acknowledge.md
@@ -14,32 +14,32 @@ description: |-
```terraform
resource "aquasec_acknowledge" "acknowledge" {
- comment = "comment"
- issues {
- docker_id = ""
- image_name = "image:latest"
- issue_name = "CVE-2022-1271"
- issue_type = "vulnerability"
- registry_name = "registry"
- resource_cpe = "cpe:/a:gnu:gzip:1.10"
- resource_name = "gzip"
- resource_path = "/usr/bin/gzip"
- resource_type = "executable"
- resource_version = "1.10"
- }
-
- issues {
- docker_id = "docker-id"
- image_name = "image-name"
- issue_name = "ALAS2-2021-1722"
- issue_type = "vulnerability"
- registry_name = "registry-name"
- resource_cpe = "pkg:/amzn:2:nss-softokn:3.44.0-8.amzn2"
- resource_name = "nss-softokn"
- resource_path = ""
- resource_type = "package"
- resource_version = "3.44.0-8.amzn2"
- }
+ comment = "comment"
+ issues {
+ docker_id = ""
+ image_name = "image:latest"
+ issue_name = "CVE-2022-1271"
+ issue_type = "vulnerability"
+ registry_name = "registry"
+ resource_cpe = "cpe:/a:gnu:gzip:1.10"
+ resource_name = "gzip"
+ resource_path = "/usr/bin/gzip"
+ resource_type = "executable"
+ resource_version = "1.10"
+ }
+
+ issues {
+ docker_id = "docker-id"
+ image_name = "image-name"
+ issue_name = "ALAS2-2021-1722"
+ issue_type = "vulnerability"
+ registry_name = "registry-name"
+ resource_cpe = "pkg:/amzn:2:nss-softokn:3.44.0-8.amzn2"
+ resource_name = "nss-softokn"
+ resource_path = ""
+ resource_type = "package"
+ resource_version = "3.44.0-8.amzn2"
+ }
}
```
diff --git a/docs/resources/application_scope.md b/docs/resources/application_scope.md
index 8c03832..9d87559 100644
--- a/docs/resources/application_scope.md
+++ b/docs/resources/application_scope.md
@@ -14,52 +14,52 @@ description: |-
```terraform
resource "aquasec_application_scope" "terraformiap" {
- description = "test123"
- name = "test18"
- // Categories is a nested block of artifacts, workloads and infrastructure
- categories {
- // Artifacts is a nested block of Image, Function, CF
- artifacts {
- // Every object requires expression(logical combinations of variables v1, v2, v3...) and list of variables consists of attribute(pre-defined) and value
- image {
- expression = "v1 && v2"
- variables {
- attribute = "aqua.registry"
- value = "test-registry"
- }
- variables {
- attribute = "image.repo"
- value = "nginx"
- }
- }
+ description = "test123"
+ name = "test18"
+ // Categories is a nested block of artifacts, workloads and infrastructure
+ categories {
+ // Artifacts is a nested block of Image, Function, CF
+ artifacts {
+ // Every object requires expression(logical combinations of variables v1, v2, v3...) and list of variables consists of attribute(pre-defined) and value
+ image {
+ expression = "v1 && v2"
+ variables {
+ attribute = "aqua.registry"
+ value = "test-registry"
}
- // Workloads is a nested block of Kubernetes, OS, CF
- workloads {
- // Every object requires expression(logical combinations of variables v1, v2, v3...) and list of variables consists of attribute(pre-defined) and value
- kubernetes {
- expression = "v1 && v2"
- variables {
- attribute = "kubernetes.cluster"
- value = "aqua"
- }
- variables {
- attribute = "kubernetes.namespace"
- value = "aqua"
- }
- }
+ variables {
+ attribute = "image.repo"
+ value = "nginx"
}
- // Infrastructure is a nested block of Kubernetes, OS
- infrastructure {
- // Every object requires expression and list of variables consists of attribute(pre-defined) and value
- kubernetes {
- expression = "v1"
- variables {
- attribute = "kubernetes.cluster"
- value = "aqua"
- }
- }
+ }
+ }
+ // Workloads is a nested block of Kubernetes, OS, CF
+ workloads {
+ // Every object requires expression(logical combinations of variables v1, v2, v3...) and list of variables consists of attribute(pre-defined) and value
+ kubernetes {
+ expression = "v1 && v2"
+ variables {
+ attribute = "kubernetes.cluster"
+ value = "aqua"
+ }
+ variables {
+ attribute = "kubernetes.namespace"
+ value = "aqua"
+ }
+ }
+ }
+ // Infrastructure is a nested block of Kubernetes, OS
+ infrastructure {
+ // Every object requires expression and list of variables consists of attribute(pre-defined) and value
+ kubernetes {
+ expression = "v1"
+ variables {
+ attribute = "kubernetes.cluster"
+ value = "aqua"
}
+ }
}
+ }
}
```
@@ -117,6 +117,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -135,6 +136,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -153,6 +155,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -180,6 +183,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -198,6 +202,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -226,6 +231,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -244,6 +250,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -262,6 +269,7 @@ Optional:
Optional:
- `attribute` (String)
+- `name` (String)
- `value` (String)
@@ -281,6 +289,7 @@ Read-Only:
Read-Only:
- `attribute` (String)
+- `name` (String)
- `value` (String)
diff --git a/docs/resources/aqua_label.md b/docs/resources/aqua_label.md
index ca756ee..c60b305 100644
--- a/docs/resources/aqua_label.md
+++ b/docs/resources/aqua_label.md
@@ -10,7 +10,14 @@ description: |-
-
+## Example Usage
+
+```terraform
+resource "aquasec_aqua_label" "aqua_label" {
+ name = "example_label"
+ description = "example_description"
+}
+```
## Schema
diff --git a/docs/resources/container_runtime_policy.md b/docs/resources/container_runtime_policy.md
index 1180f6f..b3a61eb 100644
--- a/docs/resources/container_runtime_policy.md
+++ b/docs/resources/container_runtime_policy.md
@@ -14,33 +14,33 @@ description: |-
```terraform
resource "aquasec_container_runtime_policy" "container_runtime_policy" {
- name = "container_runtime_policy"
- description = "container_runtime_policy"
+ name = "container_runtime_policy"
+ description = "container_runtime_policy"
scope_expression = "v1 || v2"
scope_variables {
attribute = "kubernetes.cluster"
- value = "default"
+ value = "default"
}
scope_variables {
- attribute = "kubernetes.label"
- name = "app"
- value = "aqua"
+ attribute = "kubernetes.label"
+ name = "app"
+ value = "aqua"
}
application_scopes = [
"Global",
]
- enabled = true
- enforce = false
- block_container_exec = true
+ enabled = true
+ enforce = false
+ block_container_exec = true
container_exec_allowed_processes = [
"proc1",
"proc2"
]
- block_cryptocurrency_mining = true
- block_fileless_exec = true
+ block_cryptocurrency_mining = true
+ block_fileless_exec = true
block_non_compliant_workloads = true
- block_non_k8s_containers = true
+ block_non_k8s_containers = true
blocked_capabilities = [
"AUDIT_CONTROL",
"AUDIT_WRITE"
@@ -59,7 +59,7 @@ resource "aquasec_container_runtime_policy" "container_runtime_policy" {
]
malware_scan_options {
enabled = true
- action = "alert"
+ action = "alert"
#exclude_directories = [ "/var/run/" ]
}
file_integrity_monitoring {
@@ -75,21 +75,21 @@ resource "aquasec_container_runtime_policy" "container_runtime_policy" {
monitored_users = ["user"]
excluded_users = ["expuser"]
}
- audit_all_processes_activity = true
- audit_full_command_arguments = true
- audit_all_network_activity = true
- enable_fork_guard = true
- fork_guard_process_limit = 13
- block_access_host_network = true
- block_adding_capabilities = true
- block_root_user = true
- block_privileged_containers = true
- block_use_ipc_namespace = true
- block_use_pid_namespace = true
- block_use_user_namespace = true
- block_use_uts_namespace = true
- block_low_port_binding = true
- limit_new_privileges = true
+ audit_all_processes_activity = true
+ audit_full_command_arguments = true
+ audit_all_network_activity = true
+ enable_fork_guard = true
+ fork_guard_process_limit = 13
+ block_access_host_network = true
+ block_adding_capabilities = true
+ block_root_user = true
+ block_privileged_containers = true
+ block_use_ipc_namespace = true
+ block_use_pid_namespace = true
+ block_use_user_namespace = true
+ block_use_uts_namespace = true
+ block_low_port_binding = true
+ limit_new_privileges = true
blocked_packages = [
"pkg",
"pkg2"
@@ -510,6 +510,10 @@ Required:
- `attribute` (String) Variable attribute.
- `value` (String) Variable value.
+Optional:
+
+- `name` (String)
+
diff --git a/docs/resources/enforcer_groups.md b/docs/resources/enforcer_groups.md
index fbf4ac8..7e1efe2 100644
--- a/docs/resources/enforcer_groups.md
+++ b/docs/resources/enforcer_groups.md
@@ -14,63 +14,63 @@ description: |-
```terraform
resource "aquasec_enforcer_groups" "group" {
- group_id = "tf-test-enforcer"
- type = "agent"
- enforce = true
- # Host Assurance
- host_assurance = true
- # Network Firewall (Host Protection)
- host_network_protection = true
- # Runtime Controls
- host_protection = true
- # Network Firewall (Container Protection)
- network_protection = true
- # Advanced Malware Protection (Container Protection)
- container_antivirus_protection = true
- # Runtime Controls
- container_activity_protection = true
- # Image Assurance
- image_assurance = true
- # Advanced Malware Protection (Host Protection)
- antivirus_protection = true
- # Host Images
- sync_host_images = true
- # Risk Explorer
- risk_explorer_auto_discovery = true
- # host_forensics
- host_forensics = true
- # forensics
- forensics = true
-
- orchestrator {}
+ group_id = "tf-test-enforcer"
+ type = "agent"
+ enforce = true
+ # Host Assurance
+ host_assurance = true
+ # Network Firewall (Host Protection)
+ host_network_protection = true
+ # Runtime Controls
+ host_protection = true
+ # Network Firewall (Container Protection)
+ network_protection = true
+ # Advanced Malware Protection (Container Protection)
+ container_antivirus_protection = true
+ # Runtime Controls
+ container_activity_protection = true
+ # Image Assurance
+ image_assurance = true
+ # Advanced Malware Protection (Host Protection)
+ antivirus_protection = true
+ # Host Images
+ sync_host_images = true
+ # Risk Explorer
+ risk_explorer_auto_discovery = true
+ # host_forensics
+ host_forensics = true
+ # forensics
+ forensics = true
+
+ orchestrator {}
}
resource "aquasec_enforcer_groups" "group-kube_enforcer" {
- group_id = "tf-test-kube_enforcer"
- type = "kube_enforcer"
- enforce = true
-
- # Enable admission control
- admission_control = true
- # Perform admission control if not connected to a gateway
- block_admission_control = true
- # Enable workload discovery
- auto_discovery_enabled = true
- # Register discovered pod images
- auto_scan_discovered_images_running_containers = true
- # Add discovered registries
- auto_discover_configure_registries = true
- # Kube-bench image path
- kube_bench_image_name = "registry.aquasec.com/kube-bench:v0.6.5"
- # Secret that holds the registry credentials for the Pod Enforcer and kube-bench
- micro_enforcer_secrets_name = "aqua-registry"
- # Auto copy these secrets to the Pod Enforcer namespace and container
- auto_copy_secrets = true
-
- orchestrator {
- type = "kubernetes"
- namespace = "aqua"
- }
+ group_id = "tf-test-kube_enforcer"
+ type = "kube_enforcer"
+ enforce = true
+
+ # Enable admission control
+ admission_control = true
+ # Perform admission control if not connected to a gateway
+ block_admission_control = true
+ # Enable workload discovery
+ auto_discovery_enabled = true
+ # Register discovered pod images
+ auto_scan_discovered_images_running_containers = true
+ # Add discovered registries
+ auto_discover_configure_registries = true
+ # Kube-bench image path
+ kube_bench_image_name = "registry.aquasec.com/kube-bench:v0.6.5"
+ # Secret that holds the registry credentials for the Pod Enforcer and kube-bench
+ micro_enforcer_secrets_name = "aqua-registry"
+ # Auto copy these secrets to the Pod Enforcer namespace and container
+ auto_copy_secrets = true
+
+ orchestrator {
+ type = "kubernetes"
+ namespace = "aqua"
+ }
}
```
diff --git a/docs/resources/firewall_policy.md b/docs/resources/firewall_policy.md
index f91c17a..de7d34b 100644
--- a/docs/resources/firewall_policy.md
+++ b/docs/resources/firewall_policy.md
@@ -10,7 +10,29 @@ description: |-
-
+## Example Usage
+
+```terraform
+resource "aquasec_firewall_policy" "example_firewall_policy" {
+ // Required values
+ name = "example_firewall_policy"
+
+ // Block ICMP and one inbound/outbound block
+ block_icmp_ping = true
+ inbound_networks {
+ allow = false
+ resource_type = "anywhere"
+ port_range = "0-1000"
+ }
+
+ outbound_networks {
+ allow = false
+ resource_type = "custom"
+ port_range = "0-1000"
+ resource = "192.168.1.5/32"
+ }
+}
+```
## Schema
diff --git a/docs/resources/function_assurance_policy.md b/docs/resources/function_assurance_policy.md
index 492d8f1..d5bcdc6 100644
--- a/docs/resources/function_assurance_policy.md
+++ b/docs/resources/function_assurance_policy.md
@@ -20,7 +20,27 @@ Checking function compliance with these policies.
For AWS and Azure, implementing security actions, such as blocking execution of risky functions or failing the CI/CD pipeline.
Providing comprehensive audits of all security risks, viewable in Aqua Server or a SIEM system.
-
+## Example Usage
+
+```terraform
+resource "aquasec_function_assurance_policy" "example_function_assurance_policy" {
+ //Required values
+ application_scopes = ["Global"]
+ name = "example_function_assurance_policy"
+
+ //Values that default to true
+ audit_on_failure = true
+ block_failed = true
+ fail_cicd = true
+
+ function_integrity_enabled = true
+ enforce_excessive_permissions = true
+ scan_sensitive_data = true
+ cvss_severity = "critical"
+ cvss_severity_enabled = true
+
+}
+```
## Schema
diff --git a/docs/resources/function_runtime_policy.md b/docs/resources/function_runtime_policy.md
index 685bca1..701912a 100644
--- a/docs/resources/function_runtime_policy.md
+++ b/docs/resources/function_runtime_policy.md
@@ -14,24 +14,24 @@ description: |-
```terraform
resource "aquasec_function_runtime_policy" "function_runtime_policy" {
- name = "function_runtime_policys"
+ name = "function_runtime_policys"
description = "function_runtime_policy"
scope_variables {
attribute = "kubernetes.cluster"
- value = "default"
+ value = "default"
}
scope_variables {
- attribute = "kubernetes.label"
- name = "app"
- value = "aqua"
+ attribute = "kubernetes.label"
+ name = "app"
+ value = "aqua"
}
application_scopes = [
"Global",
]
- enabled = true
- enforce = false
- block_malicious_executables = true
+ enabled = true
+ enforce = false
+ block_malicious_executables = true
block_running_executables_in_tmp_folder = true
block_malicious_executables_allowed_processes = [
"proc1",
diff --git a/docs/resources/group.md b/docs/resources/group.md
index 06351a3..9725244 100644
--- a/docs/resources/group.md
+++ b/docs/resources/group.md
@@ -17,7 +17,7 @@ The Groups created must have at least one Role that is already present within Aq
```terraform
resource "aquasec_group" "group" {
- name = "IacGroup"
+ name = "IacGroup"
}
```
diff --git a/docs/resources/host_runtime_policy.md b/docs/resources/host_runtime_policy.md
index 67c83fc..5367682 100644
--- a/docs/resources/host_runtime_policy.md
+++ b/docs/resources/host_runtime_policy.md
@@ -14,25 +14,25 @@ description: |-
```terraform
resource "aquasec_host_runtime_policy" "host_runtime_policy" {
- name = "host_runtime_policy"
+ name = "host_runtime_policy"
description = "host_runtime_policy"
scope_variables {
attribute = "kubernetes.cluster"
- value = "default"
+ value = "default"
}
scope_variables {
- attribute = "kubernetes.label"
- name = "app"
- value = "aqua"
+ attribute = "kubernetes.label"
+ name = "app"
+ value = "aqua"
}
application_scopes = [
"Global",
]
- enabled = true
- enforce = false
+ enabled = true
+ enforce = false
block_cryptocurrency_mining = true
- audit_brute_force_login = true
+ audit_brute_force_login = true
blocked_files = [
"blocked",
]
@@ -49,11 +49,11 @@ resource "aquasec_host_runtime_policy" "host_runtime_policy" {
monitored_users = ["user"]
excluded_users = ["expuser"]
}
- audit_all_os_user_activity = true
- audit_full_command_arguments = true
+ audit_all_os_user_activity = true
+ audit_full_command_arguments = true
audit_host_successful_login_events = true
- audit_host_failed_login_events = true
- audit_user_account_management = true
+ audit_host_failed_login_events = true
+ audit_user_account_management = true
os_users_allowed = [
"user1",
]
@@ -69,8 +69,8 @@ resource "aquasec_host_runtime_policy" "host_runtime_policy" {
package_block = [
"package1"
]
- monitor_system_time_changes = true
- monitor_windows_services = true
+ monitor_system_time_changes = true
+ monitor_windows_services = true
monitor_system_log_integrity = true
}
```
diff --git a/docs/resources/image.md b/docs/resources/image.md
index 41a40bc..6a235a1 100644
--- a/docs/resources/image.md
+++ b/docs/resources/image.md
@@ -10,7 +10,17 @@ description: |-
+## Example Usage
+```terraform
+resource "aquasec_image" "example_aquasec_image" {
+ // Required values
+ registry = "ExampleRegistry"
+ repository = "ExampleRepository"
+ tag = "ExampleImageTag"
+
+}
+```
## Schema
diff --git a/docs/resources/image_assurance_policy.md b/docs/resources/image_assurance_policy.md
index 2aae99b..a31d25c 100644
--- a/docs/resources/image_assurance_policy.md
+++ b/docs/resources/image_assurance_policy.md
@@ -10,7 +10,28 @@ description: |-
Aqua Image Assurance covers the first part of the container lifecycle: image development. The Image Assurance subsystem detects, assesses, and reports security issues in your images.
+## Example Usage
+```terraform
+resource "aquasec_image_assurance_policy" "test_image_policy" {
+ // Required values
+ name = "test_image_assurance_policy"
+ application_scopes = ["Global"]
+
+ // Below options default to true:
+ block_failed = true
+ fail_cicd = true
+ audit_on_failure = true
+
+ // Simple policy looking for critical vulnerabilites,
+ // malware, and sensitive data
+ cvss_severity = "critical"
+ cvss_severity_enabled = true
+ disallow_malware = true
+ scan_sensitive_data = true
+
+}
+```
## Schema
@@ -44,7 +65,7 @@ Aqua Image Assurance covers the first part of the container lifecycle: image dev
- `cves_black_list_enabled` (Boolean) Indicates if CVEs blacklist is relevant.
- `cves_white_list` (List of String) List of cves whitelisted licenses
- `cves_white_list_enabled` (Boolean) Indicates if cves whitelist is relevant.
-- `cvss_severity` (String) Identifier of the cvss severity. Only applied if `cvss_severity_enabled` is set to `true`. Valid options: `critical`, `high`, `medium`, `low`.
+- `cvss_severity` (String) Identifier of the cvss severity.
- `cvss_severity_enabled` (Boolean) Indicates if the cvss severity is scanned.
- `cvss_severity_exclude_no_fix` (Boolean) Indicates that policy should ignore cvss cases that do not have a known fix.
- `description` (String)
diff --git a/docs/resources/integration_registry.md b/docs/resources/integration_registry.md
index cdbaa67..cdcc062 100644
--- a/docs/resources/integration_registry.md
+++ b/docs/resources/integration_registry.md
@@ -50,7 +50,7 @@ resource "aquasec_integration_registry" "integration_registry" {
pull_image_tag_pattern = [":Latest", ":latest"]
pull_repo_patterns_excluded = [":xyz", ":onlytest"]
- url = "us-east-1"
+ url = "us-east-1"
scanner_name = []
scanner_type = "any"
diff --git a/docs/resources/kubernetes_assurance_policy.md b/docs/resources/kubernetes_assurance_policy.md
index 7b00300..74c3c2e 100644
--- a/docs/resources/kubernetes_assurance_policy.md
+++ b/docs/resources/kubernetes_assurance_policy.md
@@ -10,7 +10,31 @@ description: |-
Kubernetes Assurance is responsible for checking the security of workload configurations at the pod level, with respect to your organization's security requirements.
-
+## Example Usage
+
+```terraform
+resource "aquasec_kubernetes_assurance_policy" "example_kubernetes_assurance_policy" {
+ // Values that are required
+ application_scopes = ["Global"]
+ name = "example_kubernetes_assurance_policy"
+
+ //Values that default to true
+ audit_on_failure = true
+ block_failed = true
+
+ kubernetes_controls {
+ avd_id = "AVD-KSV-0121"
+ description = "HostPath present many security risks and as a security practice it is better to avoid critical host paths mounts."
+ enabled = true
+ kind = "workload"
+ name = "Kubernetes resource with disallowed volumes mounted"
+ ootb = true
+ script_id = 104
+ severity = "high"
+ }
+
+}
+```
## Schema
diff --git a/docs/resources/notification.md b/docs/resources/notification.md
index 9d259be..d362d02 100644
--- a/docs/resources/notification.md
+++ b/docs/resources/notification.md
@@ -16,88 +16,88 @@ Provides a Aquasec Notification resource. This can be used to create and manage
# Please note that when importing an email\ jira notification, the password will not be imported. However, when running the apply command, the password will be updated and applied to the resource
resource "aquasec_notification" "teams" {
- name = "team-example"
- type = "teams"
- properties = {
- url = ""
- }
+ name = "team-example"
+ type = "teams"
+ properties = {
+ url = ""
+ }
}
resource "aquasec_notification" "slack" {
- name = "slack-example"
- type = "slack"
- properties = {
- url = ""
- }
+ name = "slack-example"
+ type = "slack"
+ properties = {
+ url = ""
+ }
}
resource "aquasec_notification" "webhook" {
- name = "webhook-example"
- type = "webhook"
- properties = {
- url = ""
- }
+ name = "webhook-example"
+ type = "webhook"
+ properties = {
+ url = ""
+ }
}
resource "aquasec_notification" "servicenow" {
- name = "servicenow-example"
- type = "serviceNow"
- properties = {
- user = ""
- password = ""
- url = ""
- instance_name = ""
- # board name (Table) - Optional
- board_name = ""
- }
+ name = "servicenow-example"
+ type = "serviceNow"
+ properties = {
+ user = ""
+ password = ""
+ url = ""
+ instance_name = ""
+ # board name (Table) - Optional
+ board_name = ""
+ }
}
resource "aquasec_notification" "jira_with_token" {
- name = "jira-example-with-token"
- type = "jira"
- properties = {
- url = ""
- token = ""
- project_key = ""
- summary = "SOME_TEXT"
- definition_of_done = "Done"
- }
+ name = "jira-example-with-token"
+ type = "jira"
+ properties = {
+ url = ""
+ token = ""
+ project_key = ""
+ summary = "SOME_TEXT"
+ definition_of_done = "Done"
+ }
}
resource "aquasec_notification" "jira_with_creds" {
- name = "jira-example-with-creds"
- type = "jira"
- properties = {
- url = ""
- user = ""
- password = ""
- project_key = ""
- summary = "SOME_TEXT"
- }
+ name = "jira-example-with-creds"
+ type = "jira"
+ properties = {
+ url = ""
+ user = ""
+ password = ""
+ project_key = ""
+ summary = "SOME_TEXT"
+ }
}
resource "aquasec_notification" "email_with_creds" {
- name = "email-example-with-creds"
- type = "email"
- properties = {
- user = ""
- password = ""
- host = ""
- port = "" # example 25
- sender = ""
- recipients = "" # "example1@example.com,example2@example.com"
- }
+ name = "email-example-with-creds"
+ type = "email"
+ properties = {
+ user = ""
+ password = ""
+ host = ""
+ port = "" # example 25
+ sender = ""
+ recipients = "" # "example1@example.com,example2@example.com"
+ }
}
resource "aquasec_notification" "email_with_mx" {
- name = "email-example-with-mx"
- type = "email"
- properties = {
- use_mx = true
- port = "" # example 25
- sender = ""
- recipients = "" # "example1@example.com,example2@example.com"
- }
+ name = "email-example-with-mx"
+ type = "email"
+ properties = {
+ use_mx = true
+ port = "" # example 25
+ sender = ""
+ recipients = "" # "example1@example.com,example2@example.com"
+ }
}
```
diff --git a/docs/resources/permissions_sets.md b/docs/resources/permissions_sets.md
index 8e768c4..148ea62 100644
--- a/docs/resources/permissions_sets.md
+++ b/docs/resources/permissions_sets.md
@@ -14,29 +14,29 @@ The `aquasec_permissions_sets` resource manages your Permission Set within Aqua.
```terraform
resource "aquasec_permissions_sets" "my_terraform_perm_set" {
- name = "my_terraform_perm_set"
- description = "Test Permissions Sets created by Terraform"
- ui_access = true
- is_super = false
- actions = [
- #################
+ name = "my_terraform_perm_set"
+ description = "Test Permissions Sets created by Terraform"
+ ui_access = true
+ is_super = false
+ actions = [
+ #################
# Policies
#################
# Assurance Policies
- "acl_policies.read", # Removed from version 2022.4
- "acl_policies.write", # Removed from version 2022.4
+ "acl_policies.read", # Removed from version 2022.4
+ "acl_policies.write", # Removed from version 2022.4
# Image Profiles
"image_profiles.read",
- "image_profiles.write", # Only for version 2022.4
+ "image_profiles.write", # Only for version 2022.4
# Firewall Policies
"network_policies.read",
- "network_policies.write", # Only for version 2022.4
+ "network_policies.write", # Only for version 2022.4
# Runtime Policies
"runtime_policies.read",
"runtime_policies.write",
# Response Policies # Only for version 2022.4
- "response_policies.read", # Only for version 2022.4
- "response_policies.write", # Only for version 2022.4
+ "response_policies.read", # Only for version 2022.4
+ "response_policies.write", # Only for version 2022.4
# User Access Control Policies
"image_assurance.read",
"image_assurance.write",
@@ -46,29 +46,29 @@ resource "aquasec_permissions_sets" "my_terraform_perm_set" {
#################
# Dashboard
"dashboard.read",
- "dashboard.write", # Only for version 2022.4
+ "dashboard.write", # Only for version 2022.4
# Risk Explorer
"risk_explorer.read",
# Images
"images.read",
- "images.write", # Only for version 2022.4
+ "images.write", # Only for version 2022.4
# Host Images
"risks.host_images.read",
- "risks.host_images.write", # Only for version 2022.4
+ "risks.host_images.write", # Only for version 2022.4
# Functions
"functions.read",
- "functions.write", # Only for version 2022.4
+ "functions.write", # Only for version 2022.4
# Enforcers
"enforcers.read",
- "enforcers.write", # Only for version 2022.4
+ "enforcers.write", # Only for version 2022.4
# Containers
"containers.read",
# Services
"services.read",
- "services.write", # Only for version 2022.4
+ "services.write", # Only for version 2022.4
# Infrastructure
"infrastructure.read",
- "infrastructure.write", # Only for version 2022.4
+ "infrastructure.write", # Only for version 2022.4
#################
# Compliance
@@ -78,7 +78,7 @@ resource "aquasec_permissions_sets" "my_terraform_perm_set" {
"risks.vulnerabilities.write",
# CIS Benchmarks
"risks.benchmark.read",
- "risks.benchmark.write", # Only for version 2022.4
+ "risks.benchmark.write", # Only for version 2022.4
#################
# System
@@ -87,28 +87,28 @@ resource "aquasec_permissions_sets" "my_terraform_perm_set" {
"audits.read",
# Secrets
"secrets.read",
- "secrets.write", # Only for version 2022.4
+ "secrets.write", # Only for version 2022.4
# Settings
"settings.read",
- "settings.write", # Only for version 2022.4
+ "settings.write", # Only for version 2022.4
# Integrations
"integrations.read",
- "integrations.write", # Only for version 2022.4
+ "integrations.write", # Only for version 2022.4
# Image Registry Integrations
"registries_integrations.read",
- "registries_integrations.write", # Only for version 2022.4
+ "registries_integrations.write", # Only for version 2022.4
# Scanner CLI # Only for version 2022.4
- "scan.read", # Only for version 2022.4
+ "scan.read", # Only for version 2022.4
# Gateways
"gateways.read",
- "gateways.write", # Only for version 2022.4
+ "gateways.write", # Only for version 2022.4
# Consoles
"consoles.read",
# Webhook authorization API
"web_hook.read",
# Incidents
"incidents.read"
- ]
+ ]
}
```
diff --git a/docs/resources/role.md b/docs/resources/role.md
index 6a423fc..ab0d21a 100644
--- a/docs/resources/role.md
+++ b/docs/resources/role.md
@@ -17,10 +17,10 @@ The roles created must have permission set and at least one Role Application Sco
```terraform
resource "aquasec_role" "IaC" {
- role_name = "RoleIaC"
- description = "RoleIaC"
- permission = "PermissionIaC"
- scopes = ["Global"]
+ role_name = "RoleIaC"
+ description = "RoleIaC"
+ permission = "PermissionIaC"
+ scopes = ["Global"]
}
```
diff --git a/docs/resources/role_mapping.md b/docs/resources/role_mapping.md
index 7bd5de6..82a365d 100644
--- a/docs/resources/role_mapping.md
+++ b/docs/resources/role_mapping.md
@@ -14,16 +14,16 @@ description: |-
```terraform
resource "aquasec_role_mapping" "role_mapping" {
- saml {
- role_mapping = {
- Administrator = "group1"
- Scanner = "group2|group3"
- }
+ saml {
+ role_mapping = {
+ Administrator = "group1"
+ Scanner = "group2|group3"
}
+ }
}
output "role_mapping" {
- value = aquasec_role_mapping.role_mapping
+ value = aquasec_role_mapping.role_mapping
}
```
diff --git a/docs/resources/role_mapping_saas.md b/docs/resources/role_mapping_saas.md
index eb0a0b4..1c64b13 100644
--- a/docs/resources/role_mapping_saas.md
+++ b/docs/resources/role_mapping_saas.md
@@ -15,7 +15,7 @@ description: |-
```terraform
resource "aquasec_role_mapping_saas" "roles_mapping_saas" {
saml_groups = ["group1", "group2"]
- csp_role = "Administrator"
+ csp_role = "Administrator"
}
output "roles_mapping_saas" {
diff --git a/docs/resources/service.md b/docs/resources/service.md
index 1233334..899d1aa 100644
--- a/docs/resources/service.md
+++ b/docs/resources/service.md
@@ -151,3 +151,5 @@ Optional:
- `attribute` (String) Class of supported scope.
- `name` (String) Name assigned to the attribute.
- `value` (String) Value assigned to the attribute.
+
+
diff --git a/docs/resources/user.md b/docs/resources/user.md
index 7e72804..b1e684b 100644
--- a/docs/resources/user.md
+++ b/docs/resources/user.md
@@ -17,16 +17,16 @@ The users created must have at least one Role that is already present within Aqu
```terraform
resource "aquasec_user" "IaC" {
- user_id = "IaC"
- password = var.password
- roles = [
- "infrastructure"
- ]
-
- //optional fields
- email = "infrastructure@example.com"
- first_time = true // Require password reset upon initial login
- name = "Infrastructure as Code" // Display name for this user
+ user_id = "IaC"
+ password = var.password
+ roles = [
+ "infrastructure"
+ ]
+
+ //optional fields
+ email = "infrastructure@example.com"
+ first_time = true // Require password reset upon initial login
+ name = "Infrastructure as Code" // Display name for this user
}
```
diff --git a/docs/resources/user_saas.md b/docs/resources/user_saas.md
index ca83965..6ead6ab 100644
--- a/docs/resources/user_saas.md
+++ b/docs/resources/user_saas.md
@@ -17,22 +17,22 @@ The users created must have at least one Csp Role that is already present within
```terraform
resource "aquasec_user_saas" "IaC1" {
- email = "infrastructure1@example.com"
- csp_roles = []
- account_admin = true
+ email = "infrastructure1@example.com"
+ csp_roles = []
+ account_admin = true
}
resource "aquasec_user_saas" "IaC2" {
- email = "infrastructure2@example.com"
- csp_roles = [
- "Default"
- ]
- account_admin = false
- //optional
- groups {
- name = "IacGroupName"
- group_admin = false
- }
+ email = "infrastructure2@example.com"
+ csp_roles = [
+ "Default"
+ ]
+ account_admin = false
+ //optional
+ groups {
+ name = "IacGroupName"
+ group_admin = false
+ }
}
```
diff --git a/docs/resources/vmware_assurance_policy.md b/docs/resources/vmware_assurance_policy.md
index 73a1ed9..e8847c8 100644
--- a/docs/resources/vmware_assurance_policy.md
+++ b/docs/resources/vmware_assurance_policy.md
@@ -10,7 +10,24 @@ description: |-
-
+## Example Usage
+
+```terraform
+resource "aquasec_vmware_assurance_policy" "example_vmware_assurance_policy" {
+ // Required values
+ application_scopes = ["Global"]
+ name = "example_vmware_assurance_policy"
+
+ // Values default to true
+ audit_on_failure = true
+ block_failed = true
+ fail_cicd = true
+
+ scan_sensitive_data = true
+ cvss_severity_enabled = true
+ cvss_severity = "critical"
+}
+```
## Schema
diff --git a/examples/data-sources/main.tf b/examples/data-sources/main.tf
index a2f730f..854620c 100644
--- a/examples/data-sources/main.tf
+++ b/examples/data-sources/main.tf
@@ -1,7 +1,7 @@
terraform {
required_providers {
aquasec = {
- // version = "0.8.31"
+ // version = "0.8.32"
source = "aquasecurity/aquasec"
}
}
diff --git a/examples/provider/provider.tf b/examples/provider/provider.tf
index 0e618ee..6dbae2e 100644
--- a/examples/provider/provider.tf
+++ b/examples/provider/provider.tf
@@ -1,7 +1,7 @@
terraform {
required_providers {
aquasec = {
- version = "0.8.31"
+ version = "0.8.32"
source = "aquasecurity/aquasec"
}
}
diff --git a/examples/resources/aquasec_service/resource.tf b/examples/resources/aquasec_service/resource.tf
index 7f72dfc..3b42fd3 100644
--- a/examples/resources/aquasec_service/resource.tf
+++ b/examples/resources/aquasec_service/resource.tf
@@ -14,20 +14,20 @@ resource "aquasec_service" "example_service" {
name = "policy1"
type = "access.control"
description = "Local policy 1 for inbound and outbound control"
-
+
inbound_networks {
- port_range = "22/22" # Allow SSH traffic
- resource_type = "anywhere" # Allow from any source
- allow = true # Permit traffic
+ port_range = "22/22" # Allow SSH traffic
+ resource_type = "anywhere" # Allow from any source
+ allow = true # Permit traffic
}
-
+
outbound_networks {
- port_range = "80/80" # Allow HTTP traffic
- resource_type = "anywhere" # Allow to any destination
- allow = true # Permit traffic
+ port_range = "80/80" # Allow HTTP traffic
+ resource_type = "anywhere" # Allow to any destination
+ allow = true # Permit traffic
}
- block_metadata_service = false # Do not block metadata service
+ block_metadata_service = false # Do not block metadata service
}
// Local policy 2
@@ -35,19 +35,19 @@ resource "aquasec_service" "example_service" {
name = "policy2"
type = "access.control"
description = "Local policy 2 with stricter outbound control"
-
+
inbound_networks {
- port_range = "443/443" # Allow HTTPS traffic
- resource_type = "anywhere" # Allow from any source
- allow = true # Permit traffic
+ port_range = "443/443" # Allow HTTPS traffic
+ resource_type = "anywhere" # Allow from any source
+ allow = true # Permit traffic
}
outbound_networks {
- port_range = "8080/8080" # Allow specific application traffic
- resource_type = "specific" # Allow only to specific destinations
- allow = false # Block traffic to unspecified destinations
+ port_range = "8080/8080" # Allow specific application traffic
+ resource_type = "specific" # Allow only to specific destinations
+ allow = false # Block traffic to unspecified destinations
}
- block_metadata_service = true # Block metadata service access for security
+ block_metadata_service = true # Block metadata service access for security
}
}
diff --git a/examples/resources/main.tf b/examples/resources/main.tf
index f1e50a4..6fa351d 100644
--- a/examples/resources/main.tf
+++ b/examples/resources/main.tf
@@ -1,7 +1,7 @@
terraform {
required_providers {
aquasec = {
- // version = "0.8.31"
+ //version = "0.8.32"
source = "aquasecurity/aquasec"
}
}
@@ -117,15 +117,15 @@ resource "aquasec_container_runtime_policy" "test" {
description = "This is a container runtime policy"
enforce = true
enforce_after_days = 9
- block_non_compliant_images = true
block_non_compliant_workloads = true
block_container_exec = true
- block_unregistered_images = true
- enable_drift_prevention = true
- allowed_executables = [
- "test",
- "exe",
- ]
+ allowed_executables {
+ enabled = true
+ allow_executables = [
+ "pkg",
+ "txt"
+ ]
+ }
blocked_executables = [
"test1",
"exe1",
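Review bot: The container runtime policy example drops `block_non_compliant_images`, `block_unregistered_images` and `enable_drift_prevention` without any comment, so a reader copying it now gets a visibly weaker policy than the previous example and cannot tell whether that is intentional. If these attributes were renamed or nested in the current schema the way `allowed_executables` was, the example should show the replacement form; if they were removed from the schema, a one-line comment such as `# drift prevention and unregistered/non-compliant image blocking are not shown here; see the resource schema for the current attribute names` keeps the example from reading as a deliberate opt-out. The same silent removal of security-relevant settings happens in the later hunks of this file: `enable_ip_reputation_security`, `enable_port_scan_detection` and the read-only directory lists in the container policy, `block_malicious_executables` and `blocked_executables` in the function policy, and `audit_all_os_user_activity` plus the `windows_registry_monitoring`/`windows_registry_protection` blocks in the host policy, each of which would benefit from the same note. The enclosing `aquasec_container_runtime_policy` resource block starts at the hunk header and continues past the end of the hunk.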
@@ -142,7 +142,6 @@ resource "aquasec_container_runtime_policy" "test" {
enable_fork_guard = true
fork_guard_process_limit = 12
- enable_ip_reputation_security = true
malware_scan_options {
enabled = true
@@ -160,19 +159,10 @@ resource "aquasec_container_runtime_policy" "test" {
"90",
"9090"
]
- enable_port_scan_detection = true
blocked_volumes = [
"blocked",
"vol"
]
- readonly_files_and_directories = [
- "readonly",
- "/dir/"
- ]
- exceptional_readonly_files_and_directories = [
- "readonly2",
- "/dir2/"
- ]
block_access_host_network = true
block_adding_capabilities = true
block_use_pid_namespace = true
@@ -189,15 +179,9 @@ resource "aquasec_container_runtime_policy" "test" {
}
resource "aquasec_function_runtime_policy" "test" {
- name = "test-function-terraform"
- description = "This is a test description."
- enforce = true
- block_malicious_executables = true
-
- blocked_executables = [
- "bin",
- "exe",
- ]
+ name = "test-function-terraform"
+ description = "This is a test description."
+ enforce = true
}
resource "aquasec_host_runtime_policy" "test" {
@@ -209,9 +193,7 @@ resource "aquasec_host_runtime_policy" "test" {
blocked_files = [
"blocked",
]
- audit_all_os_user_activity = true
- audit_full_command_arguments = true
- enable_ip_reputation_security = true
+ audit_full_command_arguments = true
os_users_allowed = [
"user1",
]
@@ -227,41 +209,18 @@ resource "aquasec_host_runtime_policy" "test" {
monitor_system_time_changes = true
monitor_windows_services = true
- windows_registry_monitoring {
- monitor_create = true
- monitor_read = true
- monitor_modify = true
- monitor_delete = true
- monitor_attributes = true
- monitored_paths = ["paths"]
- excluded_paths = ["expaths"]
- monitored_processes = ["process"]
- excluded_processes = ["exprocess"]
- monitored_users = ["user"]
- excluded_users = ["expuser"]
- }
-
- windows_registry_protection {
- protected_paths = ["paths"]
- excluded_paths = ["expaths"]
- protected_processes = ["process"]
- excluded_processes = ["exprocess"]
- protected_users = ["user"]
- excluded_users = ["expuser"]
- }
-
file_integrity_monitoring {
- monitor_create = true
- monitor_read = true
- monitor_modify = true
- monitor_delete = true
- monitor_attributes = true
- monitored_paths = ["paths"]
- excluded_paths = ["expaths"]
- monitored_processes = ["process"]
- excluded_processes = ["exprocess"]
- monitored_users = ["user"]
- excluded_users = ["expuser"]
+ monitored_files_create = true
+ monitored_files_read = true
+ monitored_files_modify = true
+ monitored_files_delete = true
+ monitored_files_attributes = true
+ monitored_files = ["paths"]
+ exceptional_monitored_files = ["expaths"]
+ monitored_files_processes = ["process"]
+ exceptional_monitored_files_processes = ["exprocess"]
+ monitored_files_users = ["user"]
+ exceptional_monitored_files_users = ["expuser"]
}
}