feat(secure-policies): support new fields in drift policy (#656)

* Add support for additional secure drift policy fields

* Address review comments

* Fixed spacing issue

---------

Co-authored-by: Fede Barcelona <[email protected]>

Author: ombellare

sysdig/data_source_sysdig_secure_drift_policy.go

@@ -47,15 +47,18 @@ func createDriftPolicyDataSourceSchema() map[string]*schema.Schema {
 			Computed: true,
 			Elem: &schema.Resource{
 				Schema: map[string]*schema.Schema{
-					"id":                           ReadOnlyIntSchema(),
-					"name":                         ReadOnlyStringSchema(),
-					"description":                  DescriptionComputedSchema(),
-					"tags":                         TagsSchema(),
-					"version":                      VersionSchema(),
-					"enabled":                      BoolComputedSchema(),
-					"exceptions":                   ExceptionsComputedSchema(),
-					"prohibited_binaries":          ExceptionsComputedSchema(),
-					"mounted_volume_drift_enabled": BoolComputedSchema(),
+					"id":                                ReadOnlyIntSchema(),
+					"name":                              ReadOnlyStringSchema(),
+					"description":                       DescriptionComputedSchema(),
+					"tags":                              TagsSchema(),
+					"version":                           VersionSchema(),
+					"enabled":                           BoolComputedSchema(),
+					"exceptions":                        ExceptionsComputedSchema(),
+					"prohibited_binaries":               ExceptionsComputedSchema(),
+					"process_based_exceptions":          ExceptionsComputedSchema(),
+					"process_based_prohibited_binaries": ExceptionsComputedSchema(),
+					"mounted_volume_drift_enabled":      BoolComputedSchema(),
+					"use_regex":                         BoolComputedSchema(),
 				},
 			},
 		},

sysdig/data_source_sysdig_secure_drift_policy_test.go

@@ -32,6 +32,12 @@ func TestAccDriftPolicyDataSource(t *testing.T) {
 			{
 				Config: driftPolicyDataSource(rText),
 			},
+			{
+				Config: driftPolicyWithUseRegexDataSource(rText),
+			},
+			{
+				Config: driftPolicyWithProcessExceptionsDataSource(rText),
+			},
 		},
 	})
 }
@@ -68,3 +74,78 @@ data "sysdig_secure_drift_policy" "policy_2" {
 }
 `, name, name)
 }
+
+func driftPolicyWithUseRegexDataSource(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "policy_1" {
+  name        = "Test Drift Policy %s"
+  description = "Test Drift Policy Description %s"
+  enabled     = true
+  severity    = 4
+
+  rule {
+    description = "Test Drift Rule Description"
+    enabled = true
+    mounted_volume_drift_enabled = true
+    use_regex = true
+
+    exceptions {
+      items = ["/usr/bin/sh"]
+    }
+    prohibited_binaries {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_exceptions {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
+  }
+
+  actions {
+    prevent_drift = true
+  }
+
+}
+	
+data "sysdig_secure_drift_policy" "policy_2" {
+  name       = sysdig_secure_drift_policy.policy_1.name
+  depends_on = [sysdig_secure_drift_policy.policy_1]
+}
+`, name, name)
+}
+
+func driftPolicyWithProcessExceptionsDataSource(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "policy_1" {	
+  name        = "Test Drift Policy %s"
+  description = "Test Drift Policy Description %s"
+  enabled     = true
+  severity    = 4
+
+  rule {
+    description = "Test Drift Rule Description"
+    enabled = true
+	mounted_volume_drift_enabled = true
+
+    process_based_exceptions {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
+  }
+
+  actions {
+    prevent_drift = true
+  }
+
+}
+	
+data "sysdig_secure_drift_policy" "policy_2" {
+  name       = sysdig_secure_drift_policy.policy_1.name
+  depends_on = [sysdig_secure_drift_policy.policy_1]
+}
+`, name, name)
+}

sysdig/internal/client/v2/model.go

@@ -419,6 +419,7 @@ type DriftRuleDetails struct {
 	ProhibitedBinaries        *RuntimePolicyRuleList `json:"prohibitedBinaries"`
 	Mode                      string                 `json:"mode"`
 	MountedVolumeDriftEnabled bool                   `json:"mountedVolumeDriftEnabled"`
+	UseRegex                  bool                   `json:"useRegex"`
 	Details                   `json:"-"`
 }
 

sysdig/resource_sysdig_secure_drift_policy.go

@@ -67,6 +67,7 @@ func resourceSysdigSecureDriftPolicy() *schema.Resource {
 						"process_based_exceptions":          ExceptionsSchema(),
 						"process_based_prohibited_binaries": ExceptionsSchema(),
 						"mounted_volume_drift_enabled":      BoolSchema(),
+						"use_regex":                         BoolSchema(),
 					},
 				},
 			},

sysdig/resource_sysdig_secure_drift_policy_test.go

@@ -42,6 +42,9 @@ func TestAccDriftPolicy(t *testing.T) {
 			{
 				Config: driftPolicyWithMountedVolumeDriftEnabled(rText()),
 			},
+			{
+				Config: driftPolicyWithProcessBasedAndRegexEnabled(rText()),
+			},
 		},
 	})
 }
@@ -67,9 +70,9 @@ resource "sysdig_secure_drift_policy" "sample" {
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    }
   }
 
   actions {
@@ -103,9 +106,9 @@ resource "sysdig_secure_drift_policy" "sample" {
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    }
   }
 
   actions {
@@ -145,9 +148,9 @@ resource "sysdig_secure_drift_policy" "sample" {
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    } 
   }
 
   actions {}
@@ -177,9 +180,9 @@ resource "sysdig_secure_drift_policy" "sample" {
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
-	} 
+    }
   }
 
   actions {
@@ -228,18 +231,52 @@ resource "sysdig_secure_drift_policy" "sample" {
   rule {
     description = "Test Drift Rule Description"
     mounted_volume_drift_enabled = true
+
     enabled = true
+    
+    exceptions {
+      items = ["/usr/bin/sh"]
+    }
+    prohibited_binaries {
+      items = ["/usr/bin/curl"]
+    }
+    process_based_exceptions {
+      items = ["/usr/bin/curl"]
+    }
+  }
+}
+  `, name)
+}
+
+func driftPolicyWithProcessBasedAndRegexEnabled(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_drift_policy" "sample" {
+
+  name        = "Test Drift Policy %s"
+  description = "Test Drift Policy Description"
+  enabled     = true
+  severity    = 4
 
+  rule {
+    description = "Test Drift Rule Description"
+    mounted_volume_drift_enabled = true
+
+    enabled = true
+    use_regex = true
+    
     exceptions {
       items = ["/usr/bin/sh"]
     }
     prohibited_binaries {
       items = ["/usr/bin/curl"]
     }
-	  process_based_exceptions {
+    process_based_exceptions {
       items = ["/usr/bin/curl"]
     }
-	} 
+    process_based_prohibited_binaries {
+      items = ["/usr/bin/sh"]
+    }
+  }
 }
   `, name)
 }

sysdig/tfresource.go

@@ -216,6 +216,7 @@ func setTFResourcePolicyRulesDrift(d *schema.ResourceData, policy v2.PolicyRules
 			"tags":                         rule.Tags,
 			"enabled":                      enabled,
 			"mounted_volume_drift_enabled": driftDetails.MountedVolumeDriftEnabled,
+			"use_regex":                    driftDetails.UseRegex,
 		}
 
 		if exceptionsBlock != nil {
@@ -498,6 +499,7 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData
 		}
 
 		mountedVolumeDriftEnabled := d.Get("rule.0.mounted_volume_drift_enabled").(bool)
+		useRegex := d.Get("rule.0.use_regex").(bool)
 
 		rule := &v2.RuntimePolicyRule{
 			// TODO: Do not hardcode the indexes
@@ -512,6 +514,7 @@ func setPolicyRulesDrift(policy *v2.PolicyRulesComposite, d *schema.ResourceData
 				ProcessBasedExceptions:    &processBasedExceptions,
 				ProcessBasedDenylist:      &processBasedProhibitedBinaries,
 				MountedVolumeDriftEnabled: mountedVolumeDriftEnabled,
+				UseRegex:                  useRegex,
 			},
 		}
 

website/docs/d/secure_drift_policy.md

@@ -78,5 +78,9 @@ The rule block is required and supports:
     * `items` - (Required) Specify comma separated list of exceptions, e.g. `/usr/bin/rm, /usr/bin/curl`.
 * `prohibited_binaries` - (Optional) A prohibited binary can be a known harmful binary or one that facilitates discovery of your environment.
     * `items` - (Required) Specify comma separated list of prohibited binaries, e.g. `/usr/bin/rm, /usr/bin/curl`.
-
-
+* `process_based_exceptions` - (Optional) List of processes that will be able to execute a drifted file 
+    * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
+* `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file
+    * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
+* `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled.
+* `use_regex` - (Optional) Pass exceptions and prohibited binaries as regex strings. Requires agent version 13.2.0 and above

website/docs/r/secure_drift_policy.md

@@ -123,6 +123,4 @@ The rule block is required and supports:
 * `process_based_prohibited_binaries` - (Optional) List of processes that will be prohibited to execute a drifted file
     * `items` - (Required) Specify comma separated list of processes, e.g. `/usr/bin/rm, /usr/bin/curl`.
 * `mounted_volume_drift_enabled` - (Optional) Treat all binaries from mounted volumes as drifted. Default value is false/disabled.
-
-
-
+* `use_regex` - (Optional) Pass exceptions and prohibited binaries as regex strings. Requires agent version 13.2.0 and above