feat(resource): add support for compliance policies (#492)
PengyuanZhao authored Jun 7, 2023
1 parent b4bd948 commit 68b5cd8
Showing 6 changed files with 542 additions and 2 deletions.
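--- a/examples/resource_lacework_policy_compliance/main.tf
+++ b/examples/resource_lacework_policy_compliance/main.tf
@@ -0,0 +1,73 @@
+terraform {
+required_providers {
+lacework = {
+source = "lacework/lacework"
+}
+}
+}
+
+resource "lacework_policy_compliance" "example" {
+title = var.title
+query_id = "LW_Global_AWS_Config_S3BucketLoggingNotEnabled"
+severity = var.severity
+description = var.description
+remediation = var.remediation
+enabled = true
+policy_id_suffix = var.policy_id_suffix
+tags = var.tags
+alerting_enabled = true
+}
+
+
+variable "title" {
+type = string
+default = "lql-terraform-policy"
+}
+
+variable "description" {
+type = string
+default = "Policy Created via Terraform"
+}
+
+variable "severity" {
+type = string
+default = "High"
+}
+
+variable "remediation" {
+type = string
+default = "Please Investigate"
+}
+
+variable "policy_id_suffix" {
+default = ""
+}
+
+variable "tags" {
+type = list(string)
+default = ["cloud_AWS", "custom"]
+}
+
+output "title" {
+value = lacework_policy_compliance.example.title
+}
+
+output "severity" {
+value = lacework_policy_compliance.example.severity
+}
+
+output "remediation" {
+value = lacework_policy_compliance.example.remediation
+}
+
+output "description" {
+value = lacework_policy_compliance.example.description
+}
+
+output "policy_id_suffix" {
+value = lacework_policy_compliance.example.policy_id_suffix
+}
+
+output "tags" {
+value = lacework_policy_compliance.example.tags
+}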
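Review bot: `variable "policy_id_suffix"` is the only input in this example without a `type` constraint, while `title`, `description`, `severity`, `remediation` and `tags` all declare one; adding `type = string` makes a mistyped value fail at plan time instead of being coerced, and keeps the example consistent for readers who copy it. The resource also pins `enabled = true` and `alerting_enabled = true` while exposing every other attribute as a variable — if that is deliberate for the example, a one-line comment such as `# alerting is on by default in this example; set to false to create a silent policy` would make the intent clear.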
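--- a/integration/resource_lacework_policy_compliance_test.go
+++ b/integration/resource_lacework_policy_compliance_test.go
@@ -0,0 +1,140 @@
+package integration
+
+import (
+"fmt"
+"math/rand"
+"testing"
+"time"
+
+"github.com/gruntwork-io/terratest/modules/terraform"
+"github.com/stretchr/testify/assert"
+)
+
+// TestPolicyComplianceCreate applies integration terraform:
+// => '../examples/resource_lacework_policy_compliance'
+//
+// It uses the go-sdk to verify the created policy,
+// applies an update and destroys it
+// nolint
+func TestPolicyComplianceCreate(t *testing.T) {
+terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+TerraformDir: "../examples/resource_lacework_policy_compliance",
+EnvVars: tokenEnvVar,
+Vars: map[string]interface{}{
+"title": "lql-terraform-policy",
+"severity": "High",
+"description": "Policy Created via Terraform",
+"remediation": "Please Investigate",
+"tags": []string{"cloud_AWS", "resource_S3_Bucket"},
+},
+})
+defer terraform.Destroy(t, terraformOptions)
+
+// Create new Policy
+create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+createProps := GetPolicyProps(create)
+
+actualTitle := terraform.Output(t, terraformOptions, "title")
+actualSeverity := terraform.Output(t, terraformOptions, "severity")
+actualDescription := terraform.Output(t, terraformOptions, "description")
+actualRemediation := terraform.Output(t, terraformOptions, "remediation")
+actualTags := terraform.Output(t, terraformOptions, "tags")
+
+assert.Contains(t, "lql-terraform-policy", createProps.Data.Title)
+assert.Contains(t, "high", createProps.Data.Severity)
+assert.Contains(t, "Compliance", createProps.Data.PolicyType)
+assert.Contains(t, "Policy Created via Terraform", createProps.Data.Description)
+assert.Contains(t, "Please Investigate", createProps.Data.Remediation)
+assert.NotContains(t, createProps.Data.Tags, "custom")
+assert.Contains(t, createProps.Data.Tags, "cloud_AWS")
+assert.Contains(t, createProps.Data.Tags, "resource_S3_Bucket")
+
+assert.Equal(t, "lql-terraform-policy", actualTitle)
+assert.Equal(t, "high", actualSeverity)
+assert.Equal(t, "Policy Created via Terraform", actualDescription)
+assert.Equal(t, "Please Investigate", actualRemediation)
+assert.Equal(t, "[cloud_AWS resource_S3_Bucket]", actualTags)
+
+// Update Policy
+terraformOptions.Vars = map[string]interface{}{
+"title": "lql-terraform-policy-updated",
+"severity": "Low",
+"description": "Policy Created via Terraform Updated",
+"remediation": "Please Ignore",
+"tags": []string{"cloud_AWS", "resource_S3_Bucket", "custom"},
+}
+
+update := terraform.ApplyAndIdempotent(t, terraformOptions)
+updateProps := GetPolicyProps(update)
+
+actualTitle = terraform.Output(t, terraformOptions, "title")
+actualSeverity = terraform.Output(t, terraformOptions, "severity")
+actualDescription = terraform.Output(t, terraformOptions, "description")
+actualRemediation = terraform.Output(t, terraformOptions, "remediation")
+actualTags = terraform.Output(t, terraformOptions, "tags")
+
+assert.Contains(t, "lql-terraform-policy-updated", updateProps.Data.Title)
+assert.Contains(t, "low", updateProps.Data.Severity)
+assert.Contains(t, "Policy Created via Terraform Updated", updateProps.Data.Description)
+assert.Contains(t, "Please Ignore", updateProps.Data.Remediation)
+assert.Contains(t, updateProps.Data.Tags, "custom")
+assert.Contains(t, updateProps.Data.Tags, "cloud_AWS")
+assert.Contains(t, updateProps.Data.Tags, "resource_S3_Bucket")
+
+assert.Equal(t, "lql-terraform-policy-updated", actualTitle)
+assert.Equal(t, "low", actualSeverity)
+assert.Equal(t, "Policy Created via Terraform Updated", actualDescription)
+assert.Equal(t, "Please Ignore", actualRemediation)
+}
+
+func TestPolicyComplianceCreateWithPolicyIDSuffix(t *testing.T) {
+rand.Seed(time.Now().UnixNano())
+suffix := fmt.Sprintf("terraform-%d", rand.Intn(1000))
+terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+TerraformDir: "../examples/resource_lacework_policy_compliance",
+Vars: map[string]interface{}{
+"title": "lql-terraform-policy",
+"policy_id_suffix": suffix,
+"severity": "High",
+"description": "Policy Created via Terraform",
+"remediation": "Please Investigate",
+},
+})
+defer terraform.Destroy(t, terraformOptions)
+
+// Create new Policy
+create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+createProps := GetPolicyProps(create)
+
+actualTitle := terraform.Output(t, terraformOptions, "title")
+actualSeverity := terraform.Output(t, terraformOptions, "severity")
+actualDescription := terraform.Output(t, terraformOptions, "description")
+actualRemediation := terraform.Output(t, terraformOptions, "remediation")
+actualSuffix := terraform.Output(t, terraformOptions, "policy_id_suffix")
+
+assert.Contains(t, "lql-terraform-policy", createProps.Data.Title)
+assert.Contains(t, "high", createProps.Data.Severity)
+assert.Contains(t, "Compliance", createProps.Data.PolicyType)
+assert.Contains(t, "Policy Created via Terraform", createProps.Data.Description)
+assert.Contains(t, "Please Investigate", createProps.Data.Remediation)
+
+assert.Equal(t, "lql-terraform-policy", actualTitle)
+assert.Equal(t, "high", actualSeverity)
+assert.Equal(t, "Policy Created via Terraform", actualDescription)
+assert.Equal(t, "Please Investigate", actualRemediation)
+assert.Contains(t, suffix, actualSuffix)
+
+// Update Policy
+terraformOptions.Vars = map[string]interface{}{
+"title": "lql-terraform-policy-updated",
+"policy_id_suffix": "modified-id-suffix",
+"severity": "Low",
+"description": "Policy Created via Terraform Updated",
+"remediation": "Please Ignore",
+}
+
+msg, err := terraform.ApplyE(t, terraformOptions)
+
+assert.Error(t, err)
+assert.Contains(t, msg, "unable to change ID of an existing policy")
+}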
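Review bot: The `assert.Contains` calls that check API-returned strings against literals — the title/severity/policy-type/description/remediation blocks after both creates and after the update, plus the `actualSuffix` check — have their operands reversed: testify's signature is `Contains(t, s, contains)`, so `assert.Contains(t, "lql-terraform-policy", createProps.Data.Title)` only asserts that the literal contains whatever the API returned, and passes trivially if the backend returns an empty title, severity or suffix. These are exact-match expectations, so they should read `assert.Equal(t, "lql-terraform-policy", createProps.Data.Title)` (and likewise `assert.Equal(t, suffix, actualSuffix)`); the `Data.Tags` checks pass the slice first and are correct as written. `TestPolicyComplianceCreateWithPolicyIDSuffix` also omits the `EnvVars: tokenEnvVar` that the first test sets, so it presumably depends on credentials already in the process environment — aligning both tests removes an order/environment dependency. Finally, `rand.Seed` is deprecated from Go 1.20 and `rand.Intn(1000)` yields only a thousand possible suffixes, so concurrent or repeated CI runs against the same tenant can collide on an existing policy ID; a suffix derived from `time.Now().UnixNano()` avoids that.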
1 change: 1 addition & 0 deletions lacework/provider.go
Expand Up @@ -111,6 +111,7 @@ func Provider() *schema.Provider {
"lacework_integration_proxy_scanner": resourceLaceworkIntegrationProxyScanner(),
"lacework_query": resourceLaceworkQuery(),
"lacework_policy": resourceLaceworkPolicy(),
"lacework_policy_compliance": resourceLaceworkPolicyCompliance(),
"lacework_policy_exception": resourceLaceworkPolicyException(),
"lacework_report_rule": resourceLaceworkReportRule(),
"lacework_resource_group_account": resourceLaceworkResourceGroupLwAccount(),
