support multi target (#517)

* support multi target * change names * change name field * fix set version constraints * add multi targets to docs * fix name field * fix * fix --------- Co-authored-by: hila1608 <[email protected]>
sysdiglabs · Aug 28, 2024 · da5b4b7 · da5b4b7
1 parent 844cffc
commit da5b4b7
Show file tree

Hide file tree

Showing 4 changed files with 196 additions and 81 deletions.
diff --git a/sysdig/common.go b/sysdig/common.go
@@ -27,9 +27,12 @@ const (
 	SchemaCreatedDateKey                = "date_created"
 	SchemaMinKubeVersionKey             = "min_kube_version"
 	SchemaMaxKubeVersionKey             = "max_kube_version"
+	SchemaMinVersionKey                 = "min_version"
+	SchemaMaxVersionKey                 = "max_version"
 	SchemaIsCustomKey                   = "is_custom"
 	SchemaIsActiveKey                   = "is_active"
 	SchemaPlatformKey                   = "platform"
+	SchemaTargetKey                     = "target"
 	SchemaZonesKey                      = "zones"
 	SchemaZonesIDsKey                   = "zone_ids"
 	SchemaAllZones                      = "all_zones"

diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
@@ -952,21 +952,29 @@ type PosturePolicy struct {
 }
 
 type FullPosturePolicy struct {
-	ID                string              `json:"id,omitempty"`
-	Name              string              `json:"name,omitempty"`
-	Type              string              `json:"type,omitempty"`
-	Description       string              `json:"description,omitempty"`
-	Version           string              `json:"version,omitempty"`
-	Link              string              `json:"link,omitempty"`
-	Authors           string              `json:"authors,omitempty"`
-	PublishedData     string              `json:"publishedDate,omitempty"`
-	RequirementsGroup []RequirementsGroup `json:"requirementFolders,omitempty"`
-	MinKubeVersion    float64             `json:"minKubeVersion,omitempty"`
-	MaxKubeVersion    float64             `json:"maxKubeVersion,omitempty"`
-	IsCustom          bool                `json:"isCustom,omitempty"`
-	IsActive          bool                `json:"isActive,omitempty"`
-	Platform          string              `json:"platform,omitempty"`
+	ID                 string              `json:"id,omitempty"`
+	Name               string              `json:"name,omitempty"`
+	Type               string              `json:"type,omitempty"`
+	Description        string              `json:"description,omitempty"`
+	Version            string              `json:"version,omitempty"`
+	Link               string              `json:"link,omitempty"`
+	Authors            string              `json:"authors,omitempty"`
+	PublishedData      string              `json:"publishedDate,omitempty"`
+	RequirementsGroup  []RequirementsGroup `json:"requirementFolders,omitempty"`
+	MinKubeVersion     float64             `json:"minKubeVersion,omitempty"`
+	MaxKubeVersion     float64             `json:"maxKubeVersion,omitempty"`
+	IsCustom           bool                `json:"isCustom,omitempty"`
+	IsActive           bool                `json:"isActive,omitempty"`
+	Platform           string              `json:"platform,omitempty"`
+	VersionConstraints []VersionConstraint `json:"targets,omitempty"`
+}
+
+type VersionConstraint struct {
+	Platform   string  `json:"platform"`
+	MinVersion float64 `json:"minVersion,omitempty"`
+	MaxVersion float64 `json:"maxVersion,omitempty"`
 }
+
 type RequirementsGroup struct {
 	ID                        string              `json:"id,omitempty"`
 	Name                      string              `json:"name,omitempty"`
@@ -992,17 +1000,18 @@ type Control struct {
 }
 
 type CreatePosturePolicy struct {
-	ID                string                    `json:"id,omitempty"`
-	Name              string                    `json:"name,omitempty"`
-	Description       string                    `json:"description,omitempty"`
-	Type              string                    `json:"type,omitempty"`
-	Link              string                    `json:"link,omitempty"`
-	Version           string                    `json:"version,omitempty"`
-	RequirementGroups []CreateRequirementsGroup `json:"groups,omitempty"`
-	MinKubeVersion    float64                   `json:"minKubeVersion,omitempty"`
-	MaxKubeVersion    float64                   `json:"maxKubeVersion,omitempty"`
-	IsActive          bool                      `json:"isActive,omitempty"`
-	Platform          string                    `json:"platform,omitempty"`
+	ID                 string                    `json:"id,omitempty"`
+	Name               string                    `json:"name,omitempty"`
+	Description        string                    `json:"description,omitempty"`
+	Type               string                    `json:"type,omitempty"`
+	Link               string                    `json:"link,omitempty"`
+	Version            string                    `json:"version,omitempty"`
+	RequirementGroups  []CreateRequirementsGroup `json:"groups,omitempty"`
+	MinKubeVersion     float64                   `json:"minKubeVersion,omitempty"`
+	MaxKubeVersion     float64                   `json:"maxKubeVersion,omitempty"`
+	IsActive           bool                      `json:"isActive,omitempty"`
+	Platform           string                    `json:"platform,omitempty"`
+	VersionConstraints []VersionConstraint       `json:"targets,omitempty"`
 }
 
 type CreateRequirementsGroup struct {

diff --git a/sysdig/resource_sysdig_secure_posture_policy.go b/sysdig/resource_sysdig_secure_posture_policy.go
@@ -156,6 +156,7 @@ func resourceSysdigSecurePosturePolicy() *schema.Resource {
 			SchemaTypeKey: {
 				Type:     schema.TypeString,
 				Optional: true,
+				Default:  "Unknown",
 			},
 			SchemaLinkKey: {
 				Type:     schema.TypeString,
@@ -178,7 +179,26 @@ func resourceSysdigSecurePosturePolicy() *schema.Resource {
 			SchemaPlatformKey: {
 				Type:     schema.TypeString,
 				Optional: true,
-				Default:  "",
+			},
+			SchemaTargetKey: {
+				Type:     schema.TypeList,
+				Optional: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						SchemaMinVersionKey: {
+							Type:     schema.TypeFloat,
+							Optional: true,
+						},
+						SchemaMaxVersionKey: {
+							Type:     schema.TypeFloat,
+							Optional: true,
+						},
+						SchemaPlatformKey: {
+							Type:     schema.TypeString,
+							Optional: true,
+						},
+					},
+				},
 			},
 			SchemaGroupKey: {
 				Type:     schema.TypeList,
@@ -198,18 +218,21 @@ func resourceSysdigSecurePosturePolicyCreateOrUpdate(ctx context.Context, d *sch
 
 	groups := extractGroupsRecursive(d.Get(SchemaGroupKey))
 	req := &v2.CreatePosturePolicy{
-		ID:                getStringValue(d, SchemaIDKey),
-		Name:              getStringValue(d, SchemaNameKey),
-		Type:              getStringValue(d, SchemaTypeKey),
-		Description:       getStringValue(d, SchemaDescriptionKey),
-		MinKubeVersion:    getFloatValue(d, SchemaMinKubeVersionKey),
-		MaxKubeVersion:    getFloatValue(d, SchemaMaxKubeVersionKey),
-		IsActive:          getBoolValue(d, SchemaIsActiveKey),
-		Platform:          getStringValue(d, SchemaPlatformKey),
-		Link:              getStringValue(d, SchemaLinkKey),
-		RequirementGroups: groups,
+		ID:                 getStringValue(d, SchemaIDKey),
+		Name:               getStringValue(d, SchemaNameKey),
+		Type:               getStringValue(d, SchemaTypeKey),
+		Description:        getStringValue(d, SchemaDescriptionKey),
+		MinKubeVersion:     getFloatValue(d, SchemaMinKubeVersionKey),
+		MaxKubeVersion:     getFloatValue(d, SchemaMaxKubeVersionKey),
+		IsActive:           getBoolValue(d, SchemaIsActiveKey),
+		Platform:           getStringValue(d, SchemaPlatformKey),
+		VersionConstraints: getVersionConstraintsValue(d, SchemaTargetKey),
+		Link:               getStringValue(d, SchemaLinkKey),
+		RequirementGroups:  groups,
 	}
+
 	new, errStatus, err := client.CreateOrUpdatePosturePolicy(ctx, req)
+
 	if err != nil {
 		return diag.Errorf("Error creating new policy with groups. error status: %s err: %s", errStatus, err)
 	}
@@ -279,6 +302,11 @@ func resourceSysdigSecurePosturePolicyRead(ctx context.Context, d *schema.Resour
 		return diag.FromErr(err)
 	}
 
+	err = setVersionConstraints(d, SchemaTargetKey, policy.VersionConstraints)
+
+	if err != nil {
+		return diag.FromErr(err)
+	}
 	// Set groups
 	groupsData, err := setGroups(d, policy.RequirementsGroup)
 	if err != nil {
@@ -378,6 +406,33 @@ func getStringValue(d *schema.ResourceData, key string) string {
 	return ""
 }
 
+// Helper function to retrieve version constraints value from ResourceData and handle nil case
+func getVersionConstraintsValue(d *schema.ResourceData, key string) []v2.VersionConstraint {
+	pvc := []v2.VersionConstraint{}
+	versionContraintsMap, ok := d.Get(key).([]interface{})
+	if !ok {
+		return nil
+	}
+	for _, vc := range versionContraintsMap {
+		vcMap := vc.(map[string]interface{})
+		minVersion := 0.0
+		maxVersion := 0.0
+		if vcMap["min_version"] != nil {
+			minVersion = vcMap["min_version"].(float64)
+		}
+		if vcMap["max_version"] != nil {
+			maxVersion = vcMap["max_version"].(float64)
+		}
+		versionConstraint := v2.VersionConstraint{
+			MinVersion: minVersion,
+			MaxVersion: maxVersion,
+			Platform:   vcMap["platform"].(string),
+		}
+		pvc = append(pvc, versionConstraint)
+	}
+	return pvc
+}
+
 // Helper function to retrieve float64 value from ResourceData and handle nil case
 func getFloatValue(d *schema.ResourceData, key string) float64 {
 	if value, ok := d.GetOk(key); ok {
@@ -442,3 +497,20 @@ func extractGroupsRecursive(data interface{}) []v2.CreateRequirementsGroup {
 
 	return groups
 }
+
+// Helper function to set version constraints in the Terraform schema
+func setVersionConstraints(d *schema.ResourceData, key string, constraints []v2.VersionConstraint) error {
+	var constraintsData []interface{}
+	for _, vc := range constraints {
+		constraint := map[string]interface{}{
+			"min_version": vc.MinVersion,
+			"max_version": vc.MaxVersion,
+			"platform":    vc.Platform,
+		}
+		constraintsData = append(constraintsData, constraint)
+	}
+	if err := d.Set(key, constraintsData); err != nil {
+		return err
+	}
+	return nil
+}
diff --git a/website/docs/r/secure_posture_policy.md b/website/docs/r/secure_posture_policy.md
@@ -16,41 +16,59 @@ Creates a Sysdig Secure Posture Policy.
 
 ```terraform
 resource "sysdig_secure_posture_policy" "example" {
-    name = "demo policy"
-    type = "kubernetes"
-    platform = "vanilla"
-    max_kube_version = 2.0
-    description = "demo create policy from terraform"
-      group {
-        name = "Security"
-        description = "Security description"
-        requirement{
-          name = "Security Enforce access control"
-          description = "Enforce description"
-          control {
-              name = "Create Pods"
-              enabled = false
-          }
-          control {
-              name = "Kubelet - Disabled AlwaysAllowed Authorization"
-          }
-        }
+  name             = "demo policy"
+  type             = "kubernetes"
+  platform         = "Vanilla" // Currently supported, but will be deprecated in the future
+  min_kube_version = 1.5       // Currently supported, but will be deprecated in the future
+  max_kube_version = 2.0       // Currently supported, but will be deprecated in the future
+  description      = "demo create policy from terraform"
+
+  // New targets field to specify version constraints
+  target
+    {
+      platform   = "Vanilla"
+      minVersion = 1.5
+      maxVersion = 2.0
+    }
+
+  group {
+    name        = "Security"
+    description = "Security description"
+
+    requirement {
+      name        = "Security Enforce access control"
+      description = "Enforce description"
+
+      control {
+        name    = "Create Pods"
+        enabled = false
       }
-      group {
-          name = "Data protection"
-          description = "Data protection description"
-          requirement{
-            name = "Enforce access control"
-            description = "Enforce description"
-            control {
-                name = "Create Pods"
-            }
-            control {
-                name = "Kubelet - Disabled AlwaysAllowed Authorization"
-            }
-          }     
+
+      control {
+        name = "Kubelet - Disabled AlwaysAllowed Authorization"
+      }
+    }
+  }
+
+  group {
+    name        = "Data protection"
+    description = "Data protection description"
+
+    requirement {
+      name        = "Enforce access control"
+      description = "Enforce description"
+
+      control {
+        name = "Create Pods"
+      }
+
+      control {
+        name = "Kubelet - Disabled AlwaysAllowed Authorization"
       }
+    }
+  }
 }
+
 ```
 
 ## Argument Reference
@@ -66,19 +84,32 @@ resource "sysdig_secure_posture_policy" "example" {
   - Linux - `linux`
   - Docker - `docker`
   - OCI - `oci`
-* `min_kube_version` -  (Optional) Policy minimum Kubernetes version, eg. `1.24`
-* `max_kube_version` -  (Optional) Policy maximum Kubernetes version, eg. `1.26`
-* `is_active` -  (Optional) Policy is active flag (active means policy is published, not active means policy is draft). by default is true.
-* `platform` - (Optional) Policy platform: 
-    - IKS -     `iks`,
-    - GKE -     `gke`,
-    - Vanilla -  `vanilla`,
-    - AKS -     `aks`,
-    - RKE2 -     `rke2`,
-    - OCP4  -     `ocp4`,
-    - MKE  -      `mke`,
-    - EKS  -     `eks`,
-* `groups` - (Optional) Group block defines list of groups attached to Policy
+ * `platform`: (Optional) Platform for which the policy applies. This field will be deprecated in the future, and you should use the targets field instead to describe policy platform and version. Supported platforms include:
+
+    IKS - iks
+    GKE - gke
+    Vanilla - vanilla
+    AKS - aks
+    RKE2 - rke2
+    OCP4 - ocp4
+    MKE - mke
+    EKS - eks
+    OCI - oci
+
+* `minKubeVersion`: (Optional) Policy minimum Kubernetes version, e.g., 1.24. This field will be deprecated in the future, and you should use the targets field instead to describe policy platform and version.
+
+* `maxKubeVersion`: (Optional) Policy maximum Kubernetes version, e.g., 1.26. This field will be deprecated in the future, and you should use the targets field instead to describe policy platform and version.
+
+* `target`:(Optional) Specifies target platforms and version ranges. This field should replace Platform, MinKubeVersion, and MaxKubeVersion for more flexible and detailed policy descriptions.
+
+  Note: The fields Platform, MinKubeVersion, and MaxKubeVersion will be deprecated in the future. We recommend using the targets field now to describe policy platform and version constraints
+
+* `group` - (Optional) Group block defines list of groups attached to Policy
+
+### Targets block
+ - `platform` (Optional): Name of the target platform (e.g., IKS, AWS).
+ - `minVersion` (Optional): Minimum version of the platform.(e.g., 1.24)
+ - `maxVersion` (Optional): Maximum version of the platform. (e.g., 1.26)
 
 ### Groups block
 - `name` - (Required) The name of the Posture Policy Group.