From 8a0538d3d03a3d9143f4f053d14aff31001ec763 Mon Sep 17 00:00:00 2001
From: rajcool
Date: Fri, 3 Jan 2025 16:57:24 +0530
Subject: [PATCH] 0.8.32 | Update release version | fix docs
---
 DEVELOPMENT.md | 4 +-
 GNUmakefile | 2 +-
 README.md | 2 +-
 docs/data-sources/application_scope.md | 9 ++
 docs/data-sources/service.md | 2 +
 docs/index.md | 10 +-
 docs/resources/acknowledge.md | 52 ++++----
 docs/resources/application_scope.md | 93 +++++++------
 docs/resources/aqua_label.md | 9 +-
 docs/resources/container_runtime_policy.md | 60 +++++----
 docs/resources/enforcer_groups.md | 108 ++++++++--------
 docs/resources/firewall_policy.md | 24 +++-
 docs/resources/function_assurance_policy.md | 22 +++-
 docs/resources/function_runtime_policy.md | 16 +--
 docs/resources/group.md | 2 +-
 docs/resources/host_runtime_policy.md | 28 ++--
 docs/resources/image.md | 10 ++
 docs/resources/image_assurance_policy.md | 23 +++-
 docs/resources/integration_registry.md | 2 +-
 docs/resources/kubernetes_assurance_policy.md | 26 +++-
 docs/resources/notification.md | 122 +++++++++---------
 docs/resources/permissions_sets.md | 54 ++++----
 docs/resources/role.md | 8 +-
 docs/resources/role_mapping.md | 12 +-
 docs/resources/role_mapping_saas.md | 2 +-
 docs/resources/service.md | 2 +
 docs/resources/user.md | 20 +--
 docs/resources/user_saas.md | 26 ++--
 docs/resources/vmware_assurance_policy.md | 19 ++-
 examples/data-sources/main.tf | 2 +-
 examples/provider/provider.tf | 2 +-
 .../resources/aquasec_service/resource.tf | 34 ++---
 examples/resources/main.tf | 87 ++++--------
 33 files changed, 500 insertions(+), 394 deletions(-)
diff --git a/DEVELOPMENT.md b/DEVELOPMENT.md
index 784b1f5..3bf1e97 100644
--- a/DEVELOPMENT.md
+++ b/DEVELOPMENT.md
@@ -32,7 +32,7 @@ git clone https://github.com/aquasecurity/terraform-provider-aquasec.git cd terraform-provider-aquasec -git checkout v0.8.20 +git checkout v0.8.32 ``` **Build and install the provider** 
@@ -55,7 +55,7 @@ In order to test the provider installed locally, the provider block will have to terraform { required_providers { aquasec = { - version = "0.8.31" + version = "0.8.32" source = "terraform-provider-aquasec/aquasec/aquasec" } }
diff --git a/GNUmakefile b/GNUmakefile
index fa6b31b..1541642 100644
--- a/GNUmakefile
+++ b/GNUmakefile
@@ -6,7 +6,7 @@ HOSTNAME := github.com NAMESPACE := aquasec NAME := aquasec BINARY := terraform-provider-${NAME} -VERSION := 0.8.31 +VERSION := 0.8.32 OS_ARCH := $(shell go env GOOS)_$(shell go env GOARCH) default: build
diff --git a/README.md b/README.md
index dbbe6aa..d9d9cf5 100644
--- a/README.md
+++ b/README.md
@@ -43,7 +43,7 @@ To quickly get started using the Aquasec provider for Terraform, configure the p terraform { required_providers { aquasec = { - version = "0.8.31" + version = "0.8.32" source = "aquasecurity/aquasec" } }
diff --git a/docs/data-sources/application_scope.md b/docs/data-sources/application_scope.md
index d7a682c..030b4b9 100644
--- a/docs/data-sources/application_scope.md
+++ b/docs/data-sources/application_scope.md
@@ -73,6 +73,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -91,6 +92,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -109,6 +111,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -128,6 +131,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -154,6 +158,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -172,6 +177,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -200,6 +206,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -218,6 +225,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String) 
@@ -236,6 +244,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
diff --git a/docs/data-sources/service.md b/docs/data-sources/service.md
index 2fdc7cc..b4fec87 100644
--- a/docs/data-sources/service.md
+++ b/docs/data-sources/service.md
@@ -95,3 +95,5 @@ Read-Only: - `attribute` (String) - `name` (String) - `value` (String) + +
diff --git a/docs/index.md b/docs/index.md
index 7eabe21..2d3de65 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -21,19 +21,19 @@ Use the navigation to the left to read about the available resources and data so terraform { required_providers { aquasec = { - version = "0.8.31" + version = "0.8.32" source = "aquasecurity/aquasec" } } } provider "aquasec" { -username = "IaC" // Alternatively sourced from $AQUA_USER - aqua_url = "https://aquaurl.com" // Alternatively sourced from $AQUA_URL - password = "@password" // Alternatively sourced from $AQUA_PASSWORD + username = "IaC" // Alternatively sourced from $AQUA_USER + aqua_url = "https://aquaurl.com" // Alternatively sourced from $AQUA_URL + password = "@password" // Alternatively sourced from $AQUA_PASSWORD // If you are using unverifiable certificates (e.g. self-signed) you may need to disable certificate verification - verify_tls = false // Alternatively sourced from $AQUA_TLS_VERIFY + verify_tls = false // Alternatively sourced from $AQUA_TLS_VERIFY // Alternatively, you can provide these configurations from a config file, and configure the provider as below // config_path = '/path/to/tf.config' // defaults to '~/.aqua/tf.config' -- Alternatively sourced from $AQUA_CONFIG
diff --git a/docs/resources/acknowledge.md b/docs/resources/acknowledge.md
index 0439211..c1149b7 100644
--- a/docs/resources/acknowledge.md
+++ b/docs/resources/acknowledge.md
@@ -14,32 +14,32 @@ description: |- ```terraform resource "aquasec_acknowledge" "acknowledge" { - comment = "comment" - issues { - docker_id = "" - image_name = "image:latest" - issue_name = "CVE-2022-1271" - issue_type = "vulnerability" - registry_name = "registry" - resource_cpe = "cpe:/a:gnu:gzip:1.10" - resource_name = "gzip" - resource_path = "/usr/bin/gzip" - resource_type = "executable" - resource_version = "1.10" - } - - issues { - docker_id = "docker-id" - image_name = "image-name" - issue_name = "ALAS2-2021-1722" - issue_type = "vulnerability" - registry_name = "registry-name" - resource_cpe = "pkg:/amzn:2:nss-softokn:3.44.0-8.amzn2" - resource_name = "nss-softokn" - resource_path = "" - resource_type = "package" - resource_version = "3.44.0-8.amzn2" - } + comment = "comment" + issues { + docker_id = "" + image_name = "image:latest" + issue_name = "CVE-2022-1271" + issue_type = "vulnerability" + registry_name = "registry" + resource_cpe = "cpe:/a:gnu:gzip:1.10" + resource_name = "gzip" + resource_path = "/usr/bin/gzip" + resource_type = "executable" + resource_version = "1.10" + } + + issues { + docker_id = "docker-id" + image_name = "image-name" + issue_name = "ALAS2-2021-1722" + issue_type = "vulnerability" + registry_name = "registry-name" + resource_cpe = "pkg:/amzn:2:nss-softokn:3.44.0-8.amzn2" + resource_name = "nss-softokn" + resource_path = "" + resource_type = "package" + resource_version = "3.44.0-8.amzn2" + } } ```
diff --git a/docs/resources/application_scope.md b/docs/resources/application_scope.md
index 8c03832..9d87559 100644
--- a/docs/resources/application_scope.md
+++ b/docs/resources/application_scope.md
@@ -14,52 +14,52 @@ description: |- ```terraform resource "aquasec_application_scope" "terraformiap" { - description = "test123" - name = "test18" - // Categories is a nested block of artifacts, workloads and infrastructure - categories { - // Artifacts is a nested block of Image, Function, CF - artifacts { - // Every object requires expression(logical combinations of variables v1, v2, v3...) and list of variables consists of attribute(pre-defined) and value - image { - expression = "v1 && v2" - variables { - attribute = "aqua.registry" - value = "test-registry" - } - variables { - attribute = "image.repo" - value = "nginx" - } - } + description = "test123" + name = "test18" + // Categories is a nested block of artifacts, workloads and infrastructure + categories { + // Artifacts is a nested block of Image, Function, CF + artifacts { + // Every object requires expression(logical combinations of variables v1, v2, v3...) and list of variables consists of attribute(pre-defined) and value + image { + expression = "v1 && v2" + variables { + attribute = "aqua.registry" + value = "test-registry" } - // Workloads is a nested block of Kubernetes, OS, CF - workloads { - // Every object requires expression(logical combinations of variables v1, v2, v3...) 
and list of variables consists of attribute(pre-defined) and value - kubernetes { - expression = "v1 && v2" - variables { - attribute = "kubernetes.cluster" - value = "aqua" - } - variables { - attribute = "kubernetes.namespace" - value = "aqua" - } - } + variables { + attribute = "image.repo" + value = "nginx" } - // Infrastructure is a nested block of Kubernetes, OS - infrastructure { - // Every object requires expression and list of variables consists of attribute(pre-defined) and value - kubernetes { - expression = "v1" - variables { - attribute = "kubernetes.cluster" - value = "aqua" - } - } + } + } + // Workloads is a nested block of Kubernetes, OS, CF + workloads { + // Every object requires expression(logical combinations of variables v1, v2, v3...) and list of variables consists of attribute(pre-defined) and value + kubernetes { + expression = "v1 && v2" + variables { + attribute = "kubernetes.cluster" + value = "aqua" + } + variables { + attribute = "kubernetes.namespace" + value = "aqua" + } + } + } + // Infrastructure is a nested block of Kubernetes, OS + infrastructure { + // Every object requires expression and list of variables consists of attribute(pre-defined) and value + kubernetes { + expression = "v1" + variables { + attribute = "kubernetes.cluster" + value = "aqua" } + } } + } } ```
@@ -117,6 +117,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -135,6 +136,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -153,6 +155,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -180,6 +183,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -198,6 +202,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -226,6 +231,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String) 
@@ -244,6 +250,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -262,6 +269,7 @@ Optional: Optional: - `attribute` (String) +- `name` (String) - `value` (String)
@@ -281,6 +289,7 @@ Read-Only: Read-Only: - `attribute` (String) +- `name` (String) - `value` (String)
diff --git a/docs/resources/aqua_label.md b/docs/resources/aqua_label.md
index ca756ee..c60b305 100644
--- a/docs/resources/aqua_label.md
+++ b/docs/resources/aqua_label.md
@@ -10,7 +10,14 @@ description: |- - +## Example Usage + +```terraform +resource "aquasec_aqua_label" "aqua_label" { + name = "example_label" + description = "example_description" +} +``` ## Schema
diff --git a/docs/resources/container_runtime_policy.md b/docs/resources/container_runtime_policy.md
index 1180f6f..b3a61eb 100644
--- a/docs/resources/container_runtime_policy.md
+++ b/docs/resources/container_runtime_policy.md
@@ -14,33 +14,33 @@ description: |- ```terraform resource "aquasec_container_runtime_policy" "container_runtime_policy" { - name = "container_runtime_policy" - description = "container_runtime_policy" + name = "container_runtime_policy" + description = "container_runtime_policy" scope_expression = "v1 || v2" scope_variables { attribute = "kubernetes.cluster" - value = "default" + value = "default" } scope_variables { - attribute = "kubernetes.label" - name = "app" - value = "aqua" + attribute = "kubernetes.label" + name = "app" + value = "aqua" } application_scopes = [ "Global", ] - enabled = true - enforce = false - block_container_exec = true + enabled = true + enforce = false + block_container_exec = true container_exec_allowed_processes = [ "proc1", "proc2" ] - block_cryptocurrency_mining = true - block_fileless_exec = true + block_cryptocurrency_mining = true + block_fileless_exec = true block_non_compliant_workloads = true - block_non_k8s_containers = true + block_non_k8s_containers = true blocked_capabilities = [ "AUDIT_CONTROL", "AUDIT_WRITE" 
@@ -59,7 +59,7 @@ resource "aquasec_container_runtime_policy" "container_runtime_policy" { ] malware_scan_options { enabled = true - action = "alert" + action = "alert" #exclude_directories = [ "/var/run/" ] } file_integrity_monitoring {
@@ -75,21 +75,21 @@ resource "aquasec_container_runtime_policy" "container_runtime_policy" { monitored_users = ["user"] excluded_users = ["expuser"] } - audit_all_processes_activity = true - audit_full_command_arguments = true - audit_all_network_activity = true - enable_fork_guard = true - fork_guard_process_limit = 13 - block_access_host_network = true - block_adding_capabilities = true - block_root_user = true - block_privileged_containers = true - block_use_ipc_namespace = true - block_use_pid_namespace = true - block_use_user_namespace = true - block_use_uts_namespace = true - block_low_port_binding = true - limit_new_privileges = true + audit_all_processes_activity = true + audit_full_command_arguments = true + audit_all_network_activity = true + enable_fork_guard = true + fork_guard_process_limit = 13 + block_access_host_network = true + block_adding_capabilities = true + block_root_user = true + block_privileged_containers = true + block_use_ipc_namespace = true + block_use_pid_namespace = true + block_use_user_namespace = true + block_use_uts_namespace = true + block_low_port_binding = true + limit_new_privileges = true blocked_packages = [ "pkg", "pkg2"
@@ -510,6 +510,10 @@ Required: - `attribute` (String) Variable attribute. - `value` (String) Variable value. +Optional: + +- `name` (String) +
diff --git a/docs/resources/enforcer_groups.md b/docs/resources/enforcer_groups.md
index fbf4ac8..7e1efe2 100644
--- a/docs/resources/enforcer_groups.md
+++ b/docs/resources/enforcer_groups.md
@@ -14,63 +14,63 @@ description: |- ```terraform resource "aquasec_enforcer_groups" "group" { - group_id = "tf-test-enforcer" - type = "agent" - enforce = true - # Host Assurance - host_assurance = true - # Network Firewall (Host Protection) - host_network_protection = true - # Runtime Controls - host_protection = true - # Network Firewall (Container Protection) - network_protection = true - # Advanced Malware Protection (Container Protection) - container_antivirus_protection = true - # Runtime Controls - container_activity_protection = true - # Image Assurance - image_assurance = true - # Advanced Malware Protection (Host Protection) - antivirus_protection = true - # Host Images - sync_host_images = true - # Risk Explorer - risk_explorer_auto_discovery = true - # host_forensics - host_forensics = true - # forensics - forensics = true - - orchestrator {} + group_id = "tf-test-enforcer" + type = "agent" + enforce = true + # Host Assurance + host_assurance = true + # Network Firewall (Host Protection) + host_network_protection = true + # Runtime Controls + host_protection = true + # Network Firewall (Container Protection) + network_protection = true + # Advanced Malware Protection (Container Protection) + container_antivirus_protection = true + # Runtime Controls + container_activity_protection = true + # Image Assurance + image_assurance = true + # Advanced Malware Protection (Host Protection) + antivirus_protection = true + # Host Images + sync_host_images = true + # Risk Explorer + risk_explorer_auto_discovery = true + # host_forensics + host_forensics = true + # forensics + forensics = true + + orchestrator {} } resource "aquasec_enforcer_groups" "group-kube_enforcer" { - group_id = "tf-test-kube_enforcer" - type = "kube_enforcer" - enforce = true - - # Enable admission control - admission_control = true - # Perform admission control if not connected to a gateway - block_admission_control = true - # Enable workload discovery - auto_discovery_enabled = true - # 
Register discovered pod images - auto_scan_discovered_images_running_containers = true - # Add discovered registries - auto_discover_configure_registries = true - # Kube-bench image path - kube_bench_image_name = "registry.aquasec.com/kube-bench:v0.6.5" - # Secret that holds the registry credentials for the Pod Enforcer and kube-bench - micro_enforcer_secrets_name = "aqua-registry" - # Auto copy these secrets to the Pod Enforcer namespace and container - auto_copy_secrets = true - - orchestrator { - type = "kubernetes" - namespace = "aqua" - } + group_id = "tf-test-kube_enforcer" + type = "kube_enforcer" + enforce = true + + # Enable admission control + admission_control = true + # Perform admission control if not connected to a gateway + block_admission_control = true + # Enable workload discovery + auto_discovery_enabled = true + # Register discovered pod images + auto_scan_discovered_images_running_containers = true + # Add discovered registries + auto_discover_configure_registries = true + # Kube-bench image path + kube_bench_image_name = "registry.aquasec.com/kube-bench:v0.6.5" + # Secret that holds the registry credentials for the Pod Enforcer and kube-bench + micro_enforcer_secrets_name = "aqua-registry" + # Auto copy these secrets to the Pod Enforcer namespace and container + auto_copy_secrets = true + + orchestrator { + type = "kubernetes" + namespace = "aqua" + } } ```
diff --git a/docs/resources/firewall_policy.md b/docs/resources/firewall_policy.md
index f91c17a..de7d34b 100644
--- a/docs/resources/firewall_policy.md
+++ b/docs/resources/firewall_policy.md
@@ -10,7 +10,29 @@ description: |- - +## Example Usage + +```terraform +resource "aquasec_firewall_policy" "example_firewall_policy" { + // Required values + name = "example_firewall_policy" + + // Block ICMP and one inbound/outbound block + block_icmp_ping = true + inbound_networks { + allow = false + resource_type = "anywhere" + port_range = "0-1000" + } + + outbound_networks { + allow = false + resource_type = "custom" + port_range = "0-1000" + resource = "192.168.1.5/32" + } +} +``` ## Schema
diff --git a/docs/resources/function_assurance_policy.md b/docs/resources/function_assurance_policy.md
index 492d8f1..d5bcdc6 100644
--- a/docs/resources/function_assurance_policy.md
+++ b/docs/resources/function_assurance_policy.md
@@ -20,7 +20,27 @@ Checking function compliance with these policies. For AWS and Azure, implementing security actions, such as blocking execution of risky functions or failing the CI/CD pipeline. Providing comprehensive audits of all security risks, viewable in Aqua Server or a SIEM system. - +## Example Usage + +```terraform +resource "aquasec_function_assurance_policy" "example_function_assurance_policy" { + //Required values + application_scopes = ["Global"] + name = "example_function_assurance_policy" + + //Values that default to true + audit_on_failure = true + block_failed = true + fail_cicd = true + + function_integrity_enabled = true + enforce_excessive_permissions = true + scan_sensitive_data = true + cvss_severity = "critical" + cvss_severity_enabled = true + +} +``` ## Schema
diff --git a/docs/resources/function_runtime_policy.md b/docs/resources/function_runtime_policy.md
index 685bca1..701912a 100644
--- a/docs/resources/function_runtime_policy.md
+++ b/docs/resources/function_runtime_policy.md
@@ -14,24 +14,24 @@ description: |- ```terraform resource "aquasec_function_runtime_policy" "function_runtime_policy" { - name = "function_runtime_policys" + name = "function_runtime_policys" description = "function_runtime_policy" scope_variables { attribute = "kubernetes.cluster" - value = "default" + value = "default" } scope_variables { - attribute = "kubernetes.label" - name = "app" - value = "aqua" + attribute = "kubernetes.label" + name = "app" + value = "aqua" } application_scopes = [ "Global", ] - enabled = true - enforce = false - block_malicious_executables = true + enabled = true + enforce = false + block_malicious_executables = true block_running_executables_in_tmp_folder = true block_malicious_executables_allowed_processes = [ "proc1",
diff --git a/docs/resources/group.md b/docs/resources/group.md
index 06351a3..9725244 100644
--- a/docs/resources/group.md
+++ b/docs/resources/group.md
@@ -17,7 +17,7 @@ The Groups created must have at least one Role that is already present within Aq ```terraform resource "aquasec_group" "group" { - name = "IacGroup" + name = "IacGroup" } ```
diff --git a/docs/resources/host_runtime_policy.md b/docs/resources/host_runtime_policy.md
index 67c83fc..5367682 100644
--- a/docs/resources/host_runtime_policy.md
+++ b/docs/resources/host_runtime_policy.md
@@ -14,25 +14,25 @@ description: |- ```terraform resource "aquasec_host_runtime_policy" "host_runtime_policy" { - name = "host_runtime_policy" + name = "host_runtime_policy" description = "host_runtime_policy" scope_variables { attribute = "kubernetes.cluster" - value = "default" + value = "default" } scope_variables { - attribute = "kubernetes.label" - name = "app" - value = "aqua" + attribute = "kubernetes.label" + name = "app" + value = "aqua" } application_scopes = [ "Global", ] - enabled = true - enforce = false + enabled = true + enforce = false block_cryptocurrency_mining = true - audit_brute_force_login = true + audit_brute_force_login = true blocked_files = [ "blocked", ]
@@ -49,11 +49,11 @@ resource "aquasec_host_runtime_policy" "host_runtime_policy" { monitored_users = ["user"] excluded_users = ["expuser"] } - audit_all_os_user_activity = true - audit_full_command_arguments = true + audit_all_os_user_activity = true + audit_full_command_arguments = true audit_host_successful_login_events = true - audit_host_failed_login_events = true - audit_user_account_management = true + audit_host_failed_login_events = true + audit_user_account_management = true os_users_allowed = [ "user1", ]
@@ -69,8 +69,8 @@ resource "aquasec_host_runtime_policy" "host_runtime_policy" { package_block = [ "package1" ] - monitor_system_time_changes = true - monitor_windows_services = true + monitor_system_time_changes = true + monitor_windows_services = true monitor_system_log_integrity = true } ```
diff --git a/docs/resources/image.md b/docs/resources/image.md
index 41a40bc..6a235a1 100644
--- a/docs/resources/image.md
+++ b/docs/resources/image.md
@@ -10,7 +10,17 @@ description: |- +## Example Usage +```terraform +resource "aquasec_image" "example_aquasec_image" { + // Required values + registry = "ExampleRegistry" + repository = "ExampleRepository" + tag = "ExampleImageTag" + +} +``` ## Schema 
diff --git a/docs/resources/image_assurance_policy.md b/docs/resources/image_assurance_policy.md
index 2aae99b..a31d25c 100644
--- a/docs/resources/image_assurance_policy.md
+++ b/docs/resources/image_assurance_policy.md
@@ -10,7 +10,28 @@ description: |- Aqua Image Assurance covers the first part of the container lifecycle: image development. The Image Assurance subsystem detects, assesses, and reports security issues in your images. +## Example Usage +```terraform +resource "aquasec_image_assurance_policy" "test_image_policy" { + // Required values + name = "test_image_assurance_policy" + application_scopes = ["Global"] + + // Below options default to true: + block_failed = true + fail_cicd = true + audit_on_failure = true + + // Simple policy looking for critical vulnerabilites, + // malware, and sensitive data + cvss_severity = "critical" + cvss_severity_enabled = true + disallow_malware = true + scan_sensitive_data = true + +} +``` ## Schema
@@ -44,7 +65,7 @@ Aqua Image Assurance covers the first part of the container lifecycle: image dev - `cves_black_list_enabled` (Boolean) Indicates if CVEs blacklist is relevant. - `cves_white_list` (List of String) List of cves whitelisted licenses - `cves_white_list_enabled` (Boolean) Indicates if cves whitelist is relevant. -- `cvss_severity` (String) Identifier of the cvss severity. Only applied if `cvss_severity_enabled` is set to `true`. Valid options: `critical`, `high`, `medium`, `low`. +- `cvss_severity` (String) Identifier of the cvss severity. - `cvss_severity_enabled` (Boolean) Indicates if the cvss severity is scanned. - `cvss_severity_exclude_no_fix` (Boolean) Indicates that policy should ignore cvss cases that do not have a known fix. - `description` (String)
diff --git a/docs/resources/integration_registry.md b/docs/resources/integration_registry.md
index cdbaa67..cdcc062 100644
--- a/docs/resources/integration_registry.md
+++ b/docs/resources/integration_registry.md
@@ -50,7 +50,7 @@ resource "aquasec_integration_registry" "integration_registry" { pull_image_tag_pattern = [":Latest", ":latest"] pull_repo_patterns_excluded = [":xyz", ":onlytest"] - url = "us-east-1" + url = "us-east-1" scanner_name = [] scanner_type = "any"
diff --git a/docs/resources/kubernetes_assurance_policy.md b/docs/resources/kubernetes_assurance_policy.md
index 7b00300..74c3c2e 100644
--- a/docs/resources/kubernetes_assurance_policy.md
+++ b/docs/resources/kubernetes_assurance_policy.md
@@ -10,7 +10,31 @@ description: |- Kubernetes Assurance is responsible for checking the security of workload configurations at the pod level, with respect to your organization's security requirements. - +## Example Usage + +```terraform +resource "aquasec_kubernetes_assurance_policy" "example_kubernetes_assurance_policy" { + // Values that are required + application_scopes = ["Global"] + name = "example_kubernetes_assurance_policy" + + //Values that default to true + audit_on_failure = true + block_failed = true + + kubernetes_controls { + avd_id = "AVD-KSV-0121" + description = "HostPath present many security risks and as a security practice it is better to avoid critical host paths mounts." + enabled = true + kind = "workload" + name = "Kubernetes resource with disallowed volumes mounted" + ootb = true + script_id = 104 + severity = "high" + } + +} +``` ## Schema
diff --git a/docs/resources/notification.md b/docs/resources/notification.md
index 9d259be..d362d02 100644
--- a/docs/resources/notification.md
+++ b/docs/resources/notification.md
@@ -16,88 +16,88 @@ Provides a Aquasec Notification resource. This can be used to create and manage # Please note that when importing an email\ jira notification, the password will not be imported. However, when running the apply command, the password will be updated and applied to the resource resource "aquasec_notification" "teams" { - name = "team-example" - type = "teams" - properties = { - url = "" - } + name = "team-example" + type = "teams" + properties = { + url = "" + } } resource "aquasec_notification" "slack" { - name = "slack-example" - type = "slack" - properties = { - url = "" - } + name = "slack-example" + type = "slack" + properties = { + url = "" + } } resource "aquasec_notification" "webhook" { - name = "webhook-example" - type = "webhook" - properties = { - url = "" - } + name = "webhook-example" + type = "webhook" + properties = { + url = "" + } } resource "aquasec_notification" "servicenow" { - name = "servicenow-example" - type = "serviceNow" - properties = { - user = "" - password = "" - url = "" - instance_name = "" - # board name (Table) - Optional - board_name = "" - } + name = "servicenow-example" + type = "serviceNow" + properties = { + user = "" + password = "" + url = "" + instance_name = "" + # board name (Table) - Optional + board_name = "" + } } resource "aquasec_notification" "jira_with_token" { - name = "jira-example-with-token" - type = "jira" - properties = { - url = "" - token = "" - project_key = "" - summary = "SOME_TEXT" - definition_of_done = "Done" - } + name = "jira-example-with-token" + type = "jira" + properties = { + url = "" + token = "" + project_key = "" + summary = "SOME_TEXT" + definition_of_done = "Done" + } } resource "aquasec_notification" "jira_with_creds" { - name = "jira-example-with-creds" - type = "jira" - properties = { - url = "" - user = "" - password = "" - project_key = "" - summary = "SOME_TEXT" - } + name = "jira-example-with-creds" + type = "jira" + properties = { + url = "" + user = "" + password 
= "" + project_key = "" + summary = "SOME_TEXT" + } } resource "aquasec_notification" "email_with_creds" { - name = "email-example-with-creds" - type = "email" - properties = { - user = "" - password = "" - host = "" - port = "" # example 25 - sender = "" - recipients = "" # "example1@example.com,example2@example.com" - } + name = "email-example-with-creds" + type = "email" + properties = { + user = "" + password = "" + host = "" + port = "" # example 25 + sender = "" + recipients = "" # "example1@example.com,example2@example.com" + } } resource "aquasec_notification" "email_with_mx" { - name = "email-example-with-mx" - type = "email" - properties = { - use_mx = true - port = "" # example 25 - sender = "" - recipients = "" # "example1@example.com,example2@example.com" - } + name = "email-example-with-mx" + type = "email" + properties = { + use_mx = true + port = "" # example 25 + sender = "" + recipients = "" # "example1@example.com,example2@example.com" + } } ```
diff --git a/docs/resources/permissions_sets.md b/docs/resources/permissions_sets.md
index 8e768c4..148ea62 100644
--- a/docs/resources/permissions_sets.md
+++ b/docs/resources/permissions_sets.md
@@ -14,29 +14,29 @@ The `aquasec_permissions_sets` resource manages your Permission Set within Aqua. ```terraform resource "aquasec_permissions_sets" "my_terraform_perm_set" { - name = "my_terraform_perm_set" - description = "Test Permissions Sets created by Terraform" - ui_access = true - is_super = false - actions = [ - ################# + name = "my_terraform_perm_set" + description = "Test Permissions Sets created by Terraform" + ui_access = true + is_super = false + actions = [ + ################# # Policies ################# # Assurance Policies - "acl_policies.read", # Removed from version 2022.4 - "acl_policies.write", # Removed from version 2022.4 + "acl_policies.read", # Removed from version 2022.4 + "acl_policies.write", # Removed from version 2022.4 # Image Profiles "image_profiles.read", - "image_profiles.write", # Only for version 2022.4 + "image_profiles.write", # Only for version 2022.4 # Firewall Policies "network_policies.read", - "network_policies.write", # Only for version 2022.4 + "network_policies.write", # Only for version 2022.4 # Runtime Policies "runtime_policies.read", "runtime_policies.write", # Response Policies # Only for version 2022.4 - "response_policies.read", # Only for version 2022.4 - "response_policies.write", # Only for version 2022.4 + "response_policies.read", # Only for version 2022.4 + "response_policies.write", # Only for version 2022.4 # User Access Control Policies "image_assurance.read", "image_assurance.write", 
@@ -46,29 +46,29 @@ resource "aquasec_permissions_sets" "my_terraform_perm_set" { ################# # Dashboard "dashboard.read", - "dashboard.write", # Only for version 2022.4 + "dashboard.write", # Only for version 2022.4 # Risk Explorer "risk_explorer.read", # Images "images.read", - "images.write", # Only for version 2022.4 + "images.write", # Only for version 2022.4 # Host Images "risks.host_images.read", - "risks.host_images.write", # Only for version 2022.4 + "risks.host_images.write", # Only for version 2022.4 # Functions "functions.read", - "functions.write", # Only for version 2022.4 + "functions.write", # Only for version 2022.4 # Enforcers "enforcers.read", - "enforcers.write", # Only for version 2022.4 + "enforcers.write", # Only for version 2022.4 # Containers "containers.read", # Services "services.read", - "services.write", # Only for version 2022.4 + "services.write", # Only for version 2022.4 # Infrastructure "infrastructure.read", - "infrastructure.write", # Only for version 2022.4 + "infrastructure.write", # Only for version 2022.4 ################# # Compliance
@@ -78,7 +78,7 @@ resource "aquasec_permissions_sets" "my_terraform_perm_set" { "risks.vulnerabilities.write", # CIS Benchmarks "risks.benchmark.read", - "risks.benchmark.write", # Only for version 2022.4 + "risks.benchmark.write", # Only for version 2022.4 ################# # System 
@@ -87,28 +87,28 @@ resource "aquasec_permissions_sets" "my_terraform_perm_set" { "audits.read", # Secrets "secrets.read", - "secrets.write", # Only for version 2022.4 + "secrets.write", # Only for version 2022.4 # Settings "settings.read", - "settings.write", # Only for version 2022.4 + "settings.write", # Only for version 2022.4 # Integrations "integrations.read", - "integrations.write", # Only for version 2022.4 + "integrations.write", # Only for version 2022.4 # Image Registry Integrations "registries_integrations.read", - "registries_integrations.write", # Only for version 2022.4 + "registries_integrations.write", # Only for version 2022.4 # Scanner CLI # Only for version 2022.4 - "scan.read", # Only for version 2022.4 + "scan.read", # Only for version 2022.4 # Gateways "gateways.read", - "gateways.write", # Only for version 2022.4 + "gateways.write", # Only for version 2022.4 # Consoles "consoles.read", # Webhook authorization API "web_hook.read", # Incidents "incidents.read" - ] + ] } ``` diff --git a/docs/resources/role.md b/docs/resources/role.md index 6a423fc..ab0d21a 100644 --- a/docs/resources/role.md +++ b/docs/resources/role.md @@ -17,10 +17,10 @@ The roles created must have permission set and at least one Role Application Sco ```terraform resource "aquasec_role" "IaC" { - role_name = "RoleIaC" - description = "RoleIaC" - permission = "PermissionIaC" - scopes = ["Global"] + role_name = "RoleIaC" + description = "RoleIaC" + permission = "PermissionIaC" + scopes = ["Global"] } ``` diff --git a/docs/resources/role_mapping.md b/docs/resources/role_mapping.md index 7bd5de6..82a365d 100644 --- a/docs/resources/role_mapping.md +++ b/docs/resources/role_mapping.md 
@@ -14,16 +14,16 @@ description: |- ```terraform resource "aquasec_role_mapping" "role_mapping" { - saml { - role_mapping = { - Administrator = "group1" - Scanner = "group2|group3" - } + saml { + role_mapping = { + Administrator = "group1" + Scanner = "group2|group3" } + } } output "role_mapping" { - value = aquasec_role_mapping.role_mapping + value = aquasec_role_mapping.role_mapping } ``` diff --git a/docs/resources/role_mapping_saas.md b/docs/resources/role_mapping_saas.md index eb0a0b4..1c64b13 100644 --- a/docs/resources/role_mapping_saas.md +++ b/docs/resources/role_mapping_saas.md @@ -15,7 +15,7 @@ description: |- ```terraform resource "aquasec_role_mapping_saas" "roles_mapping_saas" { saml_groups = ["group1", "group2"] - csp_role = "Administrator" + csp_role = "Administrator" } output "roles_mapping_saas" { diff --git a/docs/resources/service.md b/docs/resources/service.md index 1233334..899d1aa 100644 --- a/docs/resources/service.md +++ b/docs/resources/service.md @@ -151,3 +151,5 @@ Optional: - `attribute` (String) Class of supported scope. - `name` (String) Name assigned to the attribute. - `value` (String) Value assigned to the attribute. + + diff --git a/docs/resources/user.md b/docs/resources/user.md index 7e72804..b1e684b 100644 --- a/docs/resources/user.md +++ b/docs/resources/user.md 
@@ -17,16 +17,16 @@ The users created must have at least one Role that is already present within Aqu ```terraform resource "aquasec_user" "IaC" { - user_id = "IaC" - password = var.password - roles = [ - "infrastructure" - ] - - //optional fields - email = "infrastructure@example.com" - first_time = true // Require password reset upon initial login - name = "Infrastructure as Code" // Display name for this user + user_id = "IaC" + password = var.password + roles = [ + "infrastructure" + ] + + //optional fields + email = "infrastructure@example.com" + first_time = true // Require password reset upon initial login + name = "Infrastructure as Code" // Display name for this user } ``` diff --git a/docs/resources/user_saas.md b/docs/resources/user_saas.md index ca83965..6ead6ab 100644 --- a/docs/resources/user_saas.md +++ b/docs/resources/user_saas.md @@ -17,22 +17,22 @@ The users created must have at least one Csp Role that is already present within ```terraform resource "aquasec_user_saas" "IaC1" { - email = "infrastructure1@example.com" - csp_roles = [] - account_admin = true + email = "infrastructure1@example.com" + csp_roles = [] + account_admin = true } resource "aquasec_user_saas" "IaC2" { - email = "infrastructure2@example.com" - csp_roles = [ - "Default" - ] - account_admin = false - //optional - groups { - name = "IacGroupName" - group_admin = false - } + email = "infrastructure2@example.com" + csp_roles = [ + "Default" + ] + account_admin = false + //optional + groups { + name = "IacGroupName" + group_admin = false + } } ``` diff --git a/docs/resources/vmware_assurance_policy.md b/docs/resources/vmware_assurance_policy.md index 73a1ed9..e8847c8 100644 --- a/docs/resources/vmware_assurance_policy.md +++ b/docs/resources/vmware_assurance_policy.md 
@@ -10,7 +10,24 @@ description: |- - +## Example Usage + +```terraform +resource "aquasec_vmware_assurance_policy" "example_vmware_assurance_policy" { + // Required values + application_scopes = ["Global"] + name = "example_vmware_assurance_policy" + + // Values default to true + audit_on_failure = true + block_failed = true + fail_cicd = true + + scan_sensitive_data = true + cvss_severity_enabled = true + cvss_severity = "critical" +} +``` ## Schema diff --git a/examples/data-sources/main.tf b/examples/data-sources/main.tf index a2f730f..854620c 100644 --- a/examples/data-sources/main.tf +++ b/examples/data-sources/main.tf @@ -1,7 +1,7 @@ terraform { required_providers { aquasec = { - // version = "0.8.31" + // version = "0.8.32" source = "aquasecurity/aquasec" } } diff --git a/examples/provider/provider.tf b/examples/provider/provider.tf index 0e618ee..6dbae2e 100644 --- a/examples/provider/provider.tf +++ b/examples/provider/provider.tf @@ -1,7 +1,7 @@ terraform { required_providers { aquasec = { - version = "0.8.31" + version = "0.8.32" source = "aquasecurity/aquasec" } } diff --git a/examples/resources/aquasec_service/resource.tf b/examples/resources/aquasec_service/resource.tf index 7f72dfc..3b42fd3 100644 --- a/examples/resources/aquasec_service/resource.tf +++ b/examples/resources/aquasec_service/resource.tf 
@@ -14,20 +14,20 @@ resource "aquasec_service" "example_service" { name = "policy1" type = "access.control" description = "Local policy 1 for inbound and outbound control" - + inbound_networks { - port_range = "22/22" # Allow SSH traffic - resource_type = "anywhere" # Allow from any source - allow = true # Permit traffic + port_range = "22/22" # Allow SSH traffic + resource_type = "anywhere" # Allow from any source + allow = true # Permit traffic } - + outbound_networks { - port_range = "80/80" # Allow HTTP traffic - resource_type = "anywhere" # Allow to any destination - allow = true # Permit traffic + port_range = "80/80" # Allow HTTP traffic + resource_type = "anywhere" # Allow to any destination + allow = true # Permit traffic } - block_metadata_service = false # Do not block metadata service + block_metadata_service = false # Do not block metadata service } // Local policy 2 @@ -35,19 +35,19 @@ resource "aquasec_service" "example_service" { name = "policy2" type = "access.control" description = "Local policy 2 with stricter outbound control" - + inbound_networks { - port_range = "443/443" # Allow HTTPS traffic - resource_type = "anywhere" # Allow from any source - allow = true # Permit traffic + port_range = "443/443" # Allow HTTPS traffic + resource_type = "anywhere" # Allow from any source + allow = true # Permit traffic } outbound_networks { - port_range = "8080/8080" # Allow specific application traffic - resource_type = "specific" # Allow only to specific destinations - allow = false # Block traffic to unspecified destinations + port_range = "8080/8080" # Allow specific application traffic + resource_type = "specific" # Allow only to specific destinations + allow = false # Block traffic to unspecified destinations } - block_metadata_service = true # Block metadata service access for security + block_metadata_service = true # Block metadata service access for security } } 
diff --git a/examples/resources/main.tf b/examples/resources/main.tf index f1e50a4..6fa351d 100644 --- a/examples/resources/main.tf +++ b/examples/resources/main.tf @@ -1,7 +1,7 @@ terraform { required_providers { aquasec = { - // version = "0.8.31" + //version = "0.8.32" source = "aquasecurity/aquasec" } } @@ -117,15 +117,15 @@ resource "aquasec_container_runtime_policy" "test" { description = "This is a container runtime policy" enforce = true enforce_after_days = 9 - block_non_compliant_images = true block_non_compliant_workloads = true block_container_exec = true - block_unregistered_images = true - enable_drift_prevention = true - allowed_executables = [ - "test", - "exe", - ] + allowed_executables { + enabled = true + allow_executables = [ + "pkg", + "txt" + ] + } blocked_executables = [ "test1", "exe1", @@ -142,7 +142,6 @@ resource "aquasec_container_runtime_policy" "test" { enable_fork_guard = true fork_guard_process_limit = 12 - enable_ip_reputation_security = true malware_scan_options { enabled = true @@ -160,19 +159,10 @@ resource "aquasec_container_runtime_policy" "test" { "90", "9090" ] - enable_port_scan_detection = true blocked_volumes = [ "blocked", "vol" ] - readonly_files_and_directories = [ - "readonly", - "/dir/" - ] - exceptional_readonly_files_and_directories = [ - "readonly2", - "/dir2/" - ] block_access_host_network = true block_adding_capabilities = true block_use_pid_namespace = true @@ -189,15 +179,9 @@ resource "aquasec_container_runtime_policy" "test" { } resource "aquasec_function_runtime_policy" "test" { - name = "test-function-terraform" - description = "This is a test description." - enforce = true - block_malicious_executables = true - - blocked_executables = [ - "bin", - "exe", - ] + name = "test-function-terraform" + description = "This is a test description." + enforce = true } resource "aquasec_host_runtime_policy" "test" { 
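Review bot: The `aquasec_container_runtime_policy` example now drops `enable_drift_prevention`, `block_non_compliant_images` and `block_unregistered_images` and turns the list-form `allowed_executables` into an `allowed_executables { enabled = true ... }` block, with no comment telling a reader whether those attributes were removed from the provider schema or merely left out of the sample. If they are no longer accepted (presumably the reason, given the "fix docs" subject), a one-line comment above the block naming the release in which they stopped being valid would keep users from copying the old attributes over from earlier examples. The sample also pairs `allow_executables = ["pkg", "txt"]` with `blocked_executables = ["test1", "exe1"]` in the same policy; a short comment on how the provider treats an executable that matches neither (or both) lists would make the example instructive rather than a bare attribute dump. The resource block this hunk edits starts before the hunk and continues past it.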
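Review bot: After this change the `aquasec_function_runtime_policy` example keeps `enforce = true` but declares no rule at all — `block_malicious_executables` and the `blocked_executables` list are removed — so it shows an enforcing policy with nothing to enforce. If those attributes were dropped from the resource, a comment worded to match the actual schema, e.g. `# executable blocking is not configured here; see the resource schema for the controls enforce applies to`, would stop readers from treating the bare block as a template; if they still exist, keeping one of them gives the example a purpose. The whole resource block is visible in this hunk, so no further context is hidden.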
@@ -209,9 +193,7 @@ resource "aquasec_host_runtime_policy" "test" { blocked_files = [ "blocked", ] - audit_all_os_user_activity = true - audit_full_command_arguments = true - enable_ip_reputation_security = true + audit_full_command_arguments = true os_users_allowed = [ "user1", ] @@ -227,41 +209,18 @@ resource "aquasec_host_runtime_policy" "test" { monitor_system_time_changes = true monitor_windows_services = true - windows_registry_monitoring { - monitor_create = true - monitor_read = true - monitor_modify = true - monitor_delete = true - monitor_attributes = true - monitored_paths = ["paths"] - excluded_paths = ["expaths"] - monitored_processes = ["process"] - excluded_processes = ["exprocess"] - monitored_users = ["user"] - excluded_users = ["expuser"] - } - - windows_registry_protection { - protected_paths = ["paths"] - excluded_paths = ["expaths"] - protected_processes = ["process"] - excluded_processes = ["exprocess"] - protected_users = ["user"] - excluded_users = ["expuser"] - } - file_integrity_monitoring { - monitor_create = true - monitor_read = true - monitor_modify = true - monitor_delete = true - monitor_attributes = true - monitored_paths = ["paths"] - excluded_paths = ["expaths"] - monitored_processes = ["process"] - excluded_processes = ["exprocess"] - monitored_users = ["user"] - excluded_users = ["expuser"] + monitored_files_create = true + monitored_files_read = true + monitored_files_modify = true + monitored_files_delete = true + monitored_files_attributes = true + monitored_files = ["paths"] + exceptional_monitored_files = ["expaths"] + monitored_files_processes = ["process"] + exceptional_monitored_files_processes = ["exprocess"] + monitored_files_users = ["user"] + exceptional_monitored_files_users = ["expuser"] } }