feat: add new lacework_managed_policies resource #516

Merged
merged 7 commits into from
Jul 25, 2023

Conversation

@PengyuanZhao PengyuanZhao commented Jul 17, 2023

Description:

Create a new resource lacework_managed_policies to manage the state (enable/disable) and the severity of Lacework-defined policies (policies that start with lacework-global).

Example Usage

resource "lacework_managed_policies" "example" {
  policy {
    id       = "lacework-global-1"
    enabled  = true
    severity = "High"
  }
  policy {
    id       = "lacework-global-2"
    enabled  = true
    severity = "Critical"
  }
  policy {
    id       = "lacework-global-10"
    enabled  = false
  }
}

Argument Reference

The following arguments are supported:

  • id - (Required) The Lacework defined policy id.
  • enabled - (Required) Whether the policy is enabled or disabled.
  • severity - (Optional) The list of the severities. Valid severities include:
    Critical, High, Medium, Low and Info.

Additional Info:

Run make integration-test regex=TestManagedPolicies to test.

Verify that the resource can update the data correctly via the following steps:

Screenshot 2023-07-19 at 2 00 30 PM

Screenshot 2023-07-19 at 2 18 17 PM

Screenshot 2023-07-19 at 2 02 20 PM

@PengyuanZhao PengyuanZhao requested a review from a team as a code owner July 17, 2023 12:06
@djmctavish djmctavish left a comment

Checked out the code, and ran the integration tests - all passed!!

@afiune afiune changed the title feat(GROW-1211): add the lacework_managed_policies resource feat: add the lacework_managed_policies resource Jul 17, 2023
@afiune afiune changed the title feat: add the lacework_managed_policies resource feat: add new lacework_managed_policies resource Jul 17, 2023
Co-authored-by: lacework-aaronscheiber <54645734+lacework-aaronscheiber@users.noreply.github.com>
Copy link
Contributor

@afiune afiune left a comment


The main use case is not fulfilled.

When changes happen outside of Terraform, this resource should detect them and apply the provider policy state and severity.

@PengyuanZhao PengyuanZhao requested a review from afiune July 19, 2023 21:55
lacework/resource_lacework_managed_policies.go:

bulkUpdatePolicies, err := getBulkUpdatePolicies(d, meta)

if err != nil {
	// Return nil so that `destroy` can succeed
Why is this necessary?


@PengyuanZhao PengyuanZhao Jul 24, 2023


`destroy` will call the read first, which could throw errors. This makes sure `destroy` can delete the resource regardless of the errors.


I do not follow how this function getBulkUpdatePolicies() could throw errors on destroy. The function is not even accessing APIs.

What is the error you are seeing?


For the integration tests, getBulkUpdatePolicies will throw errors when destroying the state of TestManagedPoliciesWithDuplicateIDs. Then the old state persists and will fail TestManagedPoliciesWithCustomIDs.

@PengyuanZhao PengyuanZhao requested a review from afiune July 24, 2023 13:45
for _, v := range list {
	val := v.(map[string]interface{})

	if val["id"] == nil || val["id"] == "" {
@afiune afiune Jul 24, 2023


Can ids be nil or empty? 🤔


When running the tests, entries with empty id are being added for some reason.

For example:
Screenshot 2023-07-24 at 3 12 25 PM

Could not figure out why this is happening. Any ideas?
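Added example, not code from the provider or from anyone in this thread: a Go sketch of the two behaviours discussed above, validating the policy blocks from the Argument Reference (empty or duplicate ids as raised in the review comments, ids outside the lacework-global namespace, severities outside the documented list) and computing which policies drifted when their state or severity was changed outside Terraform, the "main use case" the second review asks for. The Policy type and both functions are illustrative assumptions, not the resource's internals.

```go
package main

import (
	"fmt"
	"strings"
)

// Policy holds the fields lacework_managed_policies manages (illustrative type, not the provider's).
type Policy struct {
	ID       string
	Enabled  bool
	Severity string // empty means the severity is left unmanaged
}

var validSeverities = map[string]bool{"Critical": true, "High": true, "Medium": true, "Low": true, "Info": true}

// ValidatePolicies rejects empty, non-lacework-global and duplicate ids and unknown severities.
func ValidatePolicies(policies []Policy) error {
	seen := map[string]bool{}
	for i, p := range policies {
		switch {
		case p.ID == "":
			return fmt.Errorf("policy %d: id must not be empty", i)
		case !strings.HasPrefix(p.ID, "lacework-global-"):
			return fmt.Errorf("policy %q: only lacework-global-* policies are managed", p.ID)
		case seen[p.ID]:
			return fmt.Errorf("policy %q: duplicate id", p.ID)
		case p.Severity != "" && !validSeverities[p.Severity]:
			return fmt.Errorf("policy %q: invalid severity %q", p.ID, p.Severity)
		}
		seen[p.ID] = true
	}
	return nil
}

// Drift returns the desired policies whose state or severity was changed outside Terraform.
func Drift(desired, current []Policy) []Policy {
	byID := map[string]Policy{}
	for _, c := range current {
		byID[c.ID] = c
	}
	var out []Policy
	for _, d := range desired {
		c, ok := byID[d.ID]
		if !ok || c.Enabled != d.Enabled || (d.Severity != "" && c.Severity != d.Severity) {
			out = append(out, d)
		}
	}
	return out
}
```

Running ValidatePolicies before any API call keeps a bad configuration from reaching the bulk update, and the Drift result is what a Read would have to write back into state for the next apply to restore the Terraform-defined values.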

@afiune afiune left a comment


Talking with @PengyuanZhao we agreed that this is the best approach we can come up with.

@PengyuanZhao PengyuanZhao merged commit 5d4f495 into main Jul 25, 2023
@PengyuanZhao PengyuanZhao deleted the GROW-1211 branch July 25, 2023 00:20
@lacework-releng lacework-releng mentioned this pull request Jul 25, 2023