lacework · afiune · Mar 2, 2022 · Mar 2, 2022 · afiune · Mar 2, 2022
@@ -19,7 +19,7 @@ variable "query_id" {
 variable "query" {
   type    = string
   default = <<EOT
-  Lql_Terraform_Query {
+  {
       source {
           CloudTrailRawEvents
       }

@@ -120,8 +120,63 @@ func TestQueryCreate(t *testing.T) {
 	assert.Equal(t, queryStringK8, actualQuery)
 }
 
+func TestQueryDeprecatedSytaxWithID(t *testing.T) {
+	terraformOptions := terraform.WithDefaultRetryableErrors(t, &terraform.Options{
+		TerraformDir: "../examples/resource_lacework_query",
+		Vars: map[string]interface{}{
+			"query_id": "Lql_Terraform_Query",
+			"query":    queryDeprecatedSyntaxWithID},
+	})
+	defer terraform.Destroy(t, terraformOptions)
+
+	// Create new Query
+	create := terraform.InitAndApplyAndIdempotent(t, terraformOptions)
+	createProps := GetQueryProps(create)
+
+	actualQueryID := terraform.Output(t, terraformOptions, "query_id")
+	actualQuery := terraform.Output(t, terraformOptions, "query")
+
+	assert.Equal(t, "Lql_Terraform_Query", createProps.Data.QueryID)
+	assert.Equal(t, queryDeprecatedSyntaxWithID, createProps.Data.QueryText)
+
+	assert.Equal(t, "Lql_Terraform_Query", actualQueryID)
+	assert.Equal(t, queryDeprecatedSyntaxWithID, actualQuery)
+
+	// Update Query
+	terraformOptions.Vars = map[string]interface{}{
+		"query_id": "Lql_Terraform_Query",
+		"query":    updateQueryDeprecatedSyntaxWithID,
+	}
+
+	update := terraform.ApplyAndIdempotent(t, terraformOptions)
+	updateProps := GetQueryProps(update)
+
+	actualQueryID = terraform.Output(t, terraformOptions, "query_id")
+	actualQuery = terraform.Output(t, terraformOptions, "query")
+
+	assert.Equal(t, "Lql_Terraform_Query", updateProps.Data.QueryID)
+	assert.Equal(t, updateQueryDeprecatedSyntaxWithID, updateProps.Data.QueryText)
+
+	assert.Equal(t, "Lql_Terraform_Query", actualQueryID)
+	assert.Equal(t, updateQueryDeprecatedSyntaxWithID, actualQuery)
+
+	// Run apply again
+	thirdApply := terraform.ApplyAndIdempotent(t, terraformOptions)
+
+	thirdApplyProps := GetQueryProps(thirdApply)
+
+	actualQueryID = terraform.Output(t, terraformOptions, "query_id")
+	actualQuery = terraform.Output(t, terraformOptions, "query")
+
+	assert.Equal(t, "Lql_Terraform_Query", thirdApplyProps.Data.QueryID)
+	assert.Equal(t, updateQueryDeprecatedSyntaxWithID, thirdApplyProps.Data.QueryText)
+
+	assert.Equal(t, "Lql_Terraform_Query", actualQueryID)
+	assert.Equal(t, updateQueryDeprecatedSyntaxWithID, actualQuery)
+}
+
 var (
-	queryString = `Lql_Terraform_Query {
+	queryString = `{
     source {
         CloudTrailRawEvents
     }
@@ -139,7 +194,7 @@ var (
         EVENT
     }
 }`
-	queryStringK8 = `Lql_Terraform_Query {
+	queryStringK8 = `{
       source {
           LW_ACT_K8S_AUDIT
       }
@@ -157,7 +212,7 @@ var (
       }
   }`
 
-	updatedQueryString = `Lql_Terraform_Query {
+	updatedQueryString = `{
     source {
         CloudTrailRawEvents
     }
@@ -176,4 +231,22 @@ var (
         EVENT
     }        
 }`
+
+	queryDeprecatedSyntaxWithID = `Lql_Terraform_Query {
+    source {
+        CloudTrailRawEvents
+    }
+    filter {
+        ERROR_CODE is null
+    }
+    return distinct {
+        EVENT
+    }
+}`
+
+	updateQueryDeprecatedSyntaxWithID = `Lql_Terraform_Query{
+    source { CloudTrailRawEvents }
+    filter { ERROR_CODE is null }
+    return distinct { EVENT }
+}`
 )
@@ -21,7 +21,7 @@ Create a Lacework Policy to check for a change of password from an RDS cluster.
 resource "lacework_query" "AWS_CTA_AuroraPasswordChange" {
   query_id = "TF_AWS_CTA_AuroraPasswordChange"
   query    = <<EOT
-  TF_AWS_CTA_AuroraPasswordChange {
+  {
       source {
           CloudTrailRawEvents
       }

@@ -22,7 +22,7 @@ Query all EC2 instances with public IP addresses.
 resource "lacework_query" "example" {
   query_id = "TF_AWS_Config_EC2InstanceWithPublicIPAddress"
   query    = <<EOT
-  TF_AWS_Config_EC2InstanceWithPublicIPAddress {
+  {
       source {
           LW_CFG_AWS_EC2_INSTANCES
       }
@@ -50,7 +50,7 @@ Query CloutTrail events and filter only S3 buckets with ACL 'public-read', 'publ
 resource "lacework_query" "example" {
   query_id       = "TF_AWS_CTA_S3PublicACLCreated"
   query          = <<EOT
-  TF_AWS_CTA_S3PublicACLCreated {
+  {
       source {
           CloudTrailRawEvents
       }