feat(resource): add support for compliance policies (#492)
1 parent
b4bd948
commit 68b5cd8
Showing
6 changed files
with
542 additions
and
2 deletions.
@@ -0,0 +1,73 @@ | ||
terraform { | ||
required_providers { | ||
lacework = { | ||
source = "lacework/lacework" | ||
} | ||
} | ||
} | ||
|
||
resource "lacework_policy_compliance" "example" { | ||
title = var.title | ||
query_id = "LW_Global_AWS_Config_S3BucketLoggingNotEnabled" | ||
severity = var.severity | ||
description = var.description | ||
remediation = var.remediation | ||
enabled = true | ||
policy_id_suffix = var.policy_id_suffix | ||
tags = var.tags | ||
alerting_enabled = true | ||
} | ||
|
||
|
||
variable "title" { | ||
type = string | ||
default = "lql-terraform-policy" | ||
} | ||
|
||
variable "description" { | ||
type = string | ||
default = "Policy Created via Terraform" | ||
} | ||
|
||
variable "severity" { | ||
type = string | ||
default = "High" | ||
} | ||
|
||
variable "remediation" { | ||
type = string | ||
default = "Please Investigate" | ||
} | ||
|
||
variable "policy_id_suffix" { | ||
default = "" | ||
} | ||
|
||
variable "tags" { | ||
type = list(string) | ||
default = ["cloud_AWS", "custom"] | ||
} | ||
|
||
output "title" { | ||
value = lacework_policy_compliance.example.title | ||
} | ||
|
||
output "severity" { | ||
value = lacework_policy_compliance.example.severity | ||
} | ||
|
||
output "remediation" { | ||
value = lacework_policy_compliance.example.remediation | ||
} | ||
|
||
output "description" { | ||
value = lacework_policy_compliance.example.description | ||
} | ||
|
||
output "policy_id_suffix" { | ||
value = lacework_policy_compliance.example.policy_id_suffix | ||
} | ||
|
||
output "tags" { | ||
value = lacework_policy_compliance.example.tags | ||
} |
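--- a/integration/resource_lacework_policy_compliance_test.go
+++ b/integration/resource_lacework_policy_compliance_test.go
@@ -0,0 +1,140 @@
+package integration
+
+import (
+"fmt"
+"math/rand"
+"testing"
+"time"
+
+"github.com/gruntwork-io/terratest/modules/terraform"
+"github.com/stretchr/testify/assert"
+)
+
+// TestPolicyComplianceCreate applies integration terraform:
+// => '../examples/resource_lacework_policy_compliance'
+//
+// It uses the go-sdk to verify the created policy,
+// applies an update and destroys it
+// nolint
+func TestPolicyComplianceCreate(t *testing.T) {
+terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+TerraformDir: "../examples/resource_lacework_policy_compliance",
+EnvVars: tokenEnvVar,
+Vars: map[string]interface{}{
+"title": "lql-terraform-policy",
+"severity": "High",
+"description": "Policy Created via Terraform",
+"remediation": "Please Investigate",
+"tags": []string{"cloud_AWS", "resource_S3_Bucket"},
+},
+})
+defer terraform.Destroy(t, terraformOptions)
+
+// Create new Policy
+create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+createProps := GetPolicyProps(create)
+
+actualTitle := terraform.Output(t, terraformOptions, "title")
+actualSeverity := terraform.Output(t, terraformOptions, "severity")
+actualDescription := terraform.Output(t, terraformOptions, "description")
+actualRemediation := terraform.Output(t, terraformOptions, "remediation")
+actualTags := terraform.Output(t, terraformOptions, "tags")
+
+assert.Contains(t, "lql-terraform-policy", createProps.Data.Title)
+assert.Contains(t, "high", createProps.Data.Severity)
+assert.Contains(t, "Compliance", createProps.Data.PolicyType)
+assert.Contains(t, "Policy Created via Terraform", createProps.Data.Description)
+assert.Contains(t, "Please Investigate", createProps.Data.Remediation)
+assert.NotContains(t, createProps.Data.Tags, "custom")
+assert.Contains(t, createProps.Data.Tags, "cloud_AWS")
+assert.Contains(t, createProps.Data.Tags, "resource_S3_Bucket")
+
+assert.Equal(t, "lql-terraform-policy", actualTitle)
+assert.Equal(t, "high", actualSeverity)
+assert.Equal(t, "Policy Created via Terraform", actualDescription)
+assert.Equal(t, "Please Investigate", actualRemediation)
+assert.Equal(t, "[cloud_AWS resource_S3_Bucket]", actualTags)
+
+// Update Policy
+terraformOptions.Vars = map[string]interface{}{
+"title": "lql-terraform-policy-updated",
+"severity": "Low",
+"description": "Policy Created via Terraform Updated",
+"remediation": "Please Ignore",
+"tags": []string{"cloud_AWS", "resource_S3_Bucket", "custom"},
+}
+
+update := terraform.ApplyAndIdempotent(t, terraformOptions)
+updateProps := GetPolicyProps(update)
+
+actualTitle = terraform.Output(t, terraformOptions, "title")
+actualSeverity = terraform.Output(t, terraformOptions, "severity")
+actualDescription = terraform.Output(t, terraformOptions, "description")
+actualRemediation = terraform.Output(t, terraformOptions, "remediation")
+actualTags = terraform.Output(t, terraformOptions, "tags")
+
+assert.Contains(t, "lql-terraform-policy-updated", updateProps.Data.Title)
+assert.Contains(t, "low", updateProps.Data.Severity)
+assert.Contains(t, "Policy Created via Terraform Updated", updateProps.Data.Description)
+assert.Contains(t, "Please Ignore", updateProps.Data.Remediation)
+assert.Contains(t, updateProps.Data.Tags, "custom")
+assert.Contains(t, updateProps.Data.Tags, "cloud_AWS")
+assert.Contains(t, updateProps.Data.Tags, "resource_S3_Bucket")
+
+assert.Equal(t, "lql-terraform-policy-updated", actualTitle)
+assert.Equal(t, "low", actualSeverity)
+assert.Equal(t, "Policy Created via Terraform Updated", actualDescription)
+assert.Equal(t, "Please Ignore", actualRemediation)
+}
+
+func TestPolicyComplianceCreateWithPolicyIDSuffix(t *testing.T) {
+rand.Seed(time.Now().UnixNano())
+suffix := fmt.Sprintf("terraform-%d", rand.Intn(1000))
+terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+TerraformDir: "../examples/resource_lacework_policy_compliance",
+Vars: map[string]interface{}{
+"title": "lql-terraform-policy",
+"policy_id_suffix": suffix,
+"severity": "High",
+"description": "Policy Created via Terraform",
+"remediation": "Please Investigate",
+},
+})
+defer terraform.Destroy(t, terraformOptions)
+
+// Create new Policy
+create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+createProps := GetPolicyProps(create)
+
+actualTitle := terraform.Output(t, terraformOptions, "title")
+actualSeverity := terraform.Output(t, terraformOptions, "severity")
+actualDescription := terraform.Output(t, terraformOptions, "description")
+actualRemediation := terraform.Output(t, terraformOptions, "remediation")
+actualSuffix := terraform.Output(t, terraformOptions, "policy_id_suffix")
+
+assert.Contains(t, "lql-terraform-policy", createProps.Data.Title)
+assert.Contains(t, "high", createProps.Data.Severity)
+assert.Contains(t, "Compliance", createProps.Data.PolicyType)
+assert.Contains(t, "Policy Created via Terraform", createProps.Data.Description)
+assert.Contains(t, "Please Investigate", createProps.Data.Remediation)
+
+assert.Equal(t, "lql-terraform-policy", actualTitle)
+assert.Equal(t, "high", actualSeverity)
+assert.Equal(t, "Policy Created via Terraform", actualDescription)
+assert.Equal(t, "Please Investigate", actualRemediation)
+assert.Contains(t, suffix, actualSuffix)
+
+// Update Policy
+terraformOptions.Vars = map[string]interface{}{
+"title": "lql-terraform-policy-updated",
+"policy_id_suffix": "modified-id-suffix",
+"severity": "Low",
+"description": "Policy Created via Terraform Updated",
+"remediation": "Please Ignore",
+}
+
+msg, err := terraform.ApplyE(t, terraformOptions)
+
+assert.Error(t, err)
+assert.Contains(t, msg, "unable to change ID of an existing policy")
+}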
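Review bot: The `assert.Contains` checks that compare API properties against string literals have their arguments reversed, e.g. `assert.Contains(t, "high", createProps.Data.Severity)` in the first assertion group of TestPolicyComplianceCreate, the matching group after the update, the same group in TestPolicyComplianceCreateWithPolicyIDSuffix, and `assert.Contains(t, suffix, actualSuffix)`: testify checks that the first argument contains the second, so an empty Title, Severity, Description, Remediation or suffix returned by the API passes silently. Replace them with exact comparisons, `assert.Equal(t, "high", createProps.Data.Severity)` and `assert.Equal(t, suffix, actualSuffix)` (and likewise for the other field checks), so a regression that drops a field is caught. TestPolicyComplianceCreateWithPolicyIDSuffix also omits `EnvVars: tokenEnvVar` from its terraform.Options, unlike the first test, so it presumably only passes when the Lacework credentials already sit in the process environment; add `EnvVars: tokenEnvVar,` next to TerraformDir for consistency. Finally, `rand.Seed(time.Now().UnixNano())` is deprecated since Go 1.20 and `rand.Intn(1000)` leaves only a thousand possible suffixes, so two CI runs against the same account can collide on the policy ID; widening the range or folding a timestamp into the suffix would reduce that risk.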