Merge pull request #12 from maxboynton/66-add-cloud-account

66 add cloud account

Author: maxboynton

internal/api/account/cloud_scan_rule.go

@@ -0,0 +1,88 @@
+package account
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/internal/api"
+	"github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/internal/api/auth"
+)
+
+const CloudScanRulesEndpoint = "api/v1/cloud-scan-rules"
+
+// Serverless scan specs struct
+type ServerLessScanSpec struct {
+	Enabled         bool `json:"enabled,omitempty"`
+	Cap             int  `json:"cap,omitempty"`
+	ScanAllVersions bool `json:"scanAllVersions,omitempty"`
+	ScanLayers      bool `json:"scanLayers,omitempty"`
+}
+
+type AgentlessScanSpec struct {
+	Enabled              bool     `json:"enabled,omitempty"`
+	HubAccount           bool     `json:"hubAccount,omitempty"`
+	ConsoleAddr          string   `json:"consoleAddr,omitempty"`
+	ScanNonRunning       bool     `json:"scanNonRunning,omitempty"`
+	ProxyAddress         string   `json:"proxyAddress,omitempty"`
+	ProxyCA              string   `json:"proxyCA,omitempty"`
+	SkipPermissionsCheck bool     `json:"skipPermissionsCheck,omitempty"`
+	AutoScale            bool     `json:"autoScale,omitempty"`
+	Scanners             int      `json:"scanners,omitempty"`
+	SecurityGroup        string   `json:"securityGroup,omitempty"`
+	SubNet               string   `json:"subnet,omitempty"`
+	Regions              []string `json:"regions,omitempty"`
+	CustomTags           []Tag    `json:"customTags,omitempty"`
+	IncludedTags         []Tag    `json:"includedTags,omitempty"`
+}
+
+type Tag struct {
+	Key   string `json:"key,omitempty"`
+	Value string `json:"value,omitempty"`
+}
+
+type CloudScanRule struct {
+	CredentialId                string             `json:"credentialId"`
+	Credential                  auth.Credential    `json:"credential,omitempty"`
+	DiscoveryEnabled            bool               `json:"discoveryEnabled,omitempty"`
+	ServerlessRadarEnabled      bool               `json:"serverlessRadarEnabled,omitempty"`
+	VmTagsEnabled               bool               `json:"vmTagsEnabled,omitempty"`
+	DiscoverAllFunctionVersions bool               `json:"discoverAllFunctionVersions,omitempty"`
+	ServerlessRadarCap          int                `json:"serverlessRadarCap,omitempty"`
+	AgentlessScanSpec           AgentlessScanSpec  `json:"agentlessScanSpec,omitempty"`
+	ServerlessScanSpec          ServerLessScanSpec `json:"serverlessScanSpec,omitempty"`
+	AwsRegionType               string             `json:"awsRegionType,omitempty"`
+}
+
+// Get all cloud can rules
+func ListCloudScanRules(c api.Client) ([]CloudScanRule, error) {
+	var ans []CloudScanRule
+	if err := c.Request(http.MethodGet, CloudScanRulesEndpoint, nil, nil, &ans); err != nil {
+		return nil, fmt.Errorf("error listing Cloud Scan Rules: %s", err)
+	}
+	return ans, nil
+}
+
+// Get a specific cloud scan rule
+func GetCloudScanRule(c api.Client, name string) (*CloudScanRule, error) {
+	var ans []CloudScanRule
+
+	if err := c.Request(http.MethodGet, CloudScanRulesEndpoint, map[string]string{"search": name}, nil, &ans); err != nil {
+		return nil, fmt.Errorf("error searching Cloud Scan Rules: %s", err)
+	}
+	for _, val := range ans {
+		if val.CredentialId == name {
+			return &val, nil
+		}
+	}
+	return nil, fmt.Errorf("Cloud Scan Rule '%s' not found", name)
+}
+
+// Create/Update cloud scan rules
+func UpdateCloudScanRule(c api.Client, rule []CloudScanRule) error {
+	return c.Request(http.MethodPut, CloudScanRulesEndpoint, nil, rule, nil)
+}
+
+// Delete an existing cloud scan rule
+func DeleteCloudScanRule(c api.Client, name string) error {
+	return c.Request(http.MethodDelete, fmt.Sprintf("%s/%s", CloudScanRulesEndpoint, name), nil, nil, nil)
+}

internal/api/auth/credential.go

@@ -9,38 +9,25 @@ import (
 
 const CredentialsEndpoint = "api/v1/credentials"
 
-// type Credential struct {
-// 	AccountGuid string           `json:"accountGUID,omitempty"`
-// 	AccountId   string           `json:"accountID,omitempty"`
-// 	Description string           `json:"description,omitempty"`
-// 	Name        string           `json:"_id,omitempty"`
-// 	Secret      CredentialSecret `json:"secret,omitempty"`
-// 	Type        string           `json:"type,omitempty"`
-// 	UseAwsRole  bool             `json:"useAWSRole,omitempty"`
-// }
-
-// type CredentialSecret struct {
-// 	Plain string `json:"plain,omitempty"`
-// }
-
 type Credential struct {
-	Id           string           `json:"_id,omitempty"`
-	AccountGUID  string           `json:"accountGUID,omitempty"`
-	AccountID    string           `json:"accountID,omitempty"`
-	ApiToken     Secret           `json:"apiToken,omitempty"`
-	CaCert       string           `json:"caCert,omitempty"`
-	Created      string           `json:"created,omitempty"`
-	Description  string           `json:"description,omitempty"`
-	External     bool             `json:"external,omitempty"`
-	LastModified string           `json:"lastModified,omitempty"`
-	Owner        string           `json:"owner,omitempty"`
-	RoleArn      string           `json:"roleArn,omitempty"`
-	Secret       Secret           `json:"secret,omitempty"`
-	SkipVerify   bool             `json:"skipVerify,omitempty"`
-	Tokens       []TemporaryToken `json:"tokens,omitempty"`
-	Type         string           `json:"type,omitempty"`
-	Url          string           `json:"url,omitempty"`
-	UseAWSRole   bool             `json:"useAWSRole,omitempty"`
+	Id                     string           `json:"_id,omitempty"`
+	AccountGUID            string           `json:"accountGUID,omitempty"`
+	AccountID              string           `json:"accountID,omitempty"`
+	ApiToken               Secret           `json:"apiToken,omitempty"`
+	CaCert                 string           `json:"caCert,omitempty"`
+	Created                string           `json:"created,omitempty"`
+	Description            string           `json:"description,omitempty"`
+	External               bool             `json:"external,omitempty"`
+	LastModified           string           `json:"lastModified,omitempty"`
+	Owner                  string           `json:"owner,omitempty"`
+	RoleArn                string           `json:"roleArn,omitempty"`
+	Secret                 Secret           `json:"secret,omitempty"`
+	SkipVerify             bool             `json:"skipVerify,omitempty"`
+	Tokens                 []TemporaryToken `json:"tokens,omitempty"`
+	Type                   string           `json:"type,omitempty"`
+	Url                    string           `json:"url,omitempty"`
+	UseAWSRole             bool             `json:"useAWSRole,omitempty"`
+	UseSTSRegionalEndpoint bool             `json:"useSTSRegionalEndpoint,omitempty"`
 }
 
 type Secret struct {

internal/api/client.go

@@ -100,9 +100,26 @@ func (c *Client) Request(method, endpoint string, query, data, response interfac
 	}
 	req.Header.Set("Authorization", "Bearer "+c.JWT)
 	req.Header.Set("Content-Type", "application/json")
+
+	// TODO: simplify logic
 	if c.Config.Project != "" {
 		queryParams := req.URL.Query()
 		queryParams.Set("project", c.Config.Project)
+		if query != nil {
+			if queryMap, ok := query.(map[string]string); ok {
+				for key, val := range queryMap {
+					queryParams.Add(key, val)
+				}
+			}
+		}
+		req.URL.RawQuery = queryParams.Encode()
+	} else if query != nil {
+		queryParams := req.URL.Query()
+		if queryMap, ok := query.(map[string]string); ok {
+			for key, val := range queryMap {
+				queryParams.Add(key, val)
+			}
+		}
 		req.URL.RawQuery = queryParams.Encode()
 	}
 

internal/convert/cloudaccount.go

@@ -0,0 +1,157 @@
+package convert
+
+import (
+	"github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/internal/api/account"
+	"github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/internal/api/auth"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func SchemaToCloudAccountCredential(d *schema.ResourceData) (auth.Credential, error) {
+	var parsedCredential auth.Credential
+
+	if val, ok := d.GetOk("credential"); ok {
+		for _, val := range val.([]interface{}) {
+			parsedCredential.Id = val.(map[string]interface{})["name"].(string)
+			parsedCredential.AccountID = val.(map[string]interface{})["account_id"].(string)
+			if len(val.(map[string]interface{})["api_token"].([]interface{})) > 0 {
+				parsedCredential.ApiToken = schemaToCredentialSecret(val.(map[string]interface{})["api_token"].([]interface{}))
+			}
+			parsedCredential.CaCert = val.(map[string]interface{})["ca_cert"].(string)
+			parsedCredential.Description = val.(map[string]interface{})["description"].(string)
+			parsedCredential.External = val.(map[string]interface{})["external"].(bool)
+			//parsedCredential.AccountGUID = val.(map[string]interface{})["ibm_account_guide"].(string)
+			parsedCredential.RoleArn = val.(map[string]interface{})["role_arn"].(string)
+			parsedCredential.Id = val.(map[string]interface{})["id"].(string)
+			if len(val.(map[string]interface{})["secret"].([]interface{})) > 0 {
+				parsedCredential.Secret = schemaToCredentialSecret(val.(map[string]interface{})["secret"].([]interface{}))
+			}
+			parsedCredential.SkipVerify = val.(map[string]interface{})["skip_cert_verification"].(bool)
+			parsedCredential.Type = val.(map[string]interface{})["type"].(string)
+			parsedCredential.Url = val.(map[string]interface{})["url"].(string)
+			parsedCredential.UseAWSRole = val.(map[string]interface{})["use_aws_role"].(bool)
+			parsedCredential.UseSTSRegionalEndpoint = val.(map[string]interface{})["use_sts_regional_endpoint"].(bool)
+		}
+	}
+
+	return parsedCredential, nil
+}
+
+func SchemaToCloudScanRule(d *schema.ResourceData) (account.CloudScanRule, error) {
+	var parsedCloudScanRule account.CloudScanRule
+
+	if val, ok := d.GetOk("credential"); ok {
+		parsedCloudScanRule.CredentialId = val.([]interface{})[0].(map[string]interface{})["name"].(string)
+	}
+
+	if val, ok := d.GetOk("aws_region_type"); ok {
+		parsedCloudScanRule.AwsRegionType = val.(string)
+	}
+
+	if val, ok := d.GetOk("discovery_enabled"); ok {
+		parsedCloudScanRule.DiscoveryEnabled = val.(bool)
+	}
+
+	if val, ok := d.GetOk("serverless_radar_enabled"); ok {
+		parsedCloudScanRule.ServerlessRadarEnabled = val.(bool)
+	}
+
+	if val, ok := d.GetOk("vm_tags_enabled"); ok {
+		parsedCloudScanRule.VmTagsEnabled = val.(bool)
+	}
+
+	if val, ok := d.GetOk("discover_all_function_versions"); ok {
+		parsedCloudScanRule.DiscoverAllFunctionVersions = val.(bool)
+	}
+
+	if val, ok := d.GetOk("serverless_radar_cap"); ok {
+		parsedCloudScanRule.ServerlessRadarCap = val.(int)
+	}
+
+	if val, ok := d.GetOk("agentless_scan_spec"); ok {
+		specs := val.(map[string]interface{})
+		parsedCloudScanRule.AgentlessScanSpec.Enabled = specs["enabled"].(bool)
+		parsedCloudScanRule.AgentlessScanSpec.HubAccount = specs["hub_account"].(bool)
+		parsedCloudScanRule.AgentlessScanSpec.ConsoleAddr = specs["console_addr"].(string)
+		parsedCloudScanRule.AgentlessScanSpec.ScanNonRunning = specs["scan_non_running"].(bool)
+		parsedCloudScanRule.AgentlessScanSpec.ProxyAddress = specs["proxy_address"].(string)
+		parsedCloudScanRule.AgentlessScanSpec.ProxyCA = specs["proxy_ca"].(string)
+		parsedCloudScanRule.AgentlessScanSpec.SkipPermissionsCheck = specs["skip_permissions_check"].(bool)
+		parsedCloudScanRule.AgentlessScanSpec.AutoScale = specs["auto_scale"].(bool)
+		parsedCloudScanRule.AgentlessScanSpec.Scanners = specs["scanners"].(int)
+		parsedCloudScanRule.AgentlessScanSpec.SecurityGroup = specs["security_group"].(string)
+		parsedCloudScanRule.AgentlessScanSpec.SubNet = specs["subnet"].(string)
+		parsedCloudScanRule.AgentlessScanSpec.Regions = SchemaToStringSlice(specs["regions"].([]interface{}))
+
+		presentCustomTags := specs["custom_tags"].([]interface{})
+		parsedCustomTags := make([]account.Tag, 0, len(presentCustomTags))
+		for _, val := range presentCustomTags {
+			presentCustomTag := val.(map[string]interface{})
+			parsedCustomTags = append(parsedCustomTags, account.Tag{
+				Key:   presentCustomTag["key"].(string),
+				Value: presentCustomTag["value"].(string),
+			})
+		}
+		parsedCloudScanRule.AgentlessScanSpec.CustomTags = parsedCustomTags
+
+		presentIncludedTags := specs["included_tags"].([]interface{})
+		parsedIncludedTags := make([]account.Tag, 0, len(presentIncludedTags))
+		for _, val := range presentIncludedTags {
+			presentIncludedTag := val.(map[string]interface{})
+			parsedIncludedTags = append(parsedIncludedTags, account.Tag{
+				Key:   presentIncludedTag["key"].(string),
+				Value: presentIncludedTag["value"].(string),
+			})
+		}
+		parsedCloudScanRule.AgentlessScanSpec.IncludedTags = parsedIncludedTags
+	}
+
+	if val, ok := d.GetOk("aws_region_type"); ok {
+		parsedCloudScanRule.AwsRegionType = val.(string)
+	}
+
+	return parsedCloudScanRule, nil
+}
+
+func ServerlessScanSpecToSchema(d *account.ServerLessScanSpec) []interface{} {
+	ans := make([]interface{}, 0, 1)
+	serverlessScanSpec := make(map[string]interface{})
+	serverlessScanSpec["enabled"] = d.Enabled
+	serverlessScanSpec["cap"] = d.Cap
+	serverlessScanSpec["scan_all_versions"] = d.ScanAllVersions
+	serverlessScanSpec["scan_layers"] = d.ScanLayers
+	ans = append(ans, serverlessScanSpec)
+	return ans
+}
+
+func AgentlessScanSpecToSchema(d *account.AgentlessScanSpec) []interface{} {
+	ans := make([]interface{}, 0, 1)
+	agentlessScanSpec := make(map[string]interface{})
+	agentlessScanSpec["enabled"] = d.Enabled
+	agentlessScanSpec["hub_account"] = d.HubAccount
+	agentlessScanSpec["console_addr"] = d.ConsoleAddr
+	agentlessScanSpec["scan_non_running"] = d.ScanNonRunning
+	agentlessScanSpec["proxy_address"] = d.ProxyAddress
+	agentlessScanSpec["proxy_ca"] = d.ProxyCA
+	agentlessScanSpec["skip_permissions_check"] = d.SkipPermissionsCheck
+	agentlessScanSpec["auto_scale"] = d.AutoScale
+	agentlessScanSpec["scanners"] = d.Scanners
+	agentlessScanSpec["security_group"] = d.SecurityGroup
+	agentlessScanSpec["subnet"] = d.SubNet
+	agentlessScanSpec["regions"] = d.Regions
+	ans = append(ans, agentlessScanSpec)
+	return ans
+}
+
+func CloudAccountCredentialToSchema(d auth.Credential) []interface{} {
+	ans := make([]interface{}, 0, 1)
+	credential := make(map[string]interface{})
+	credential["id"] = d.Id
+	credential["type"] = d.Type
+	credential["account_id"] = d.AccountID
+	credential["account_guid"] = d.AccountGUID
+	credential["secret"] = CredentialSecretToSchema(d.Secret)
+	credential["api_token"] = CredentialSecretToSchema(d.ApiToken)
+	credential["use_aws_role"] = d.UseAWSRole
+	ans = append(ans, credential)
+	return ans
+}

internal/convert/credential.go

@@ -47,6 +47,9 @@ func SchemaToCredential(d *schema.ResourceData) (auth.Credential, error) {
 	if val, ok := d.GetOk("use_aws_role"); ok {
 		parsedCredential.UseAWSRole = val.(bool)
 	}
+	if val, ok := d.GetOk("use_sts_regional_endpoint"); ok {
+		parsedCredential.UseSTSRegionalEndpoint = val.(bool)
+	}
 
 	return parsedCredential, nil
 }

internal/provider/provider.go

@@ -76,6 +76,7 @@ func Provider() *schema.Provider {
 			"prismacloudcompute_role":                             resourceRbacRoles(),
 			"prismacloudcompute_credential":                       resourceCredentials(),
 			"prismacloudcompute_custom_compliance":                resourceCustomCompliance(),
+			"prismacloudcompute_cloud_account":                    resourceCloudAccount(),
 		},
 
 		DataSourcesMap: map[string]*schema.Resource{

internal/provider/resource_alertprofile_test.go

@@ -90,13 +90,7 @@ func testAccCheckAlertProfileDestroy(s *terraform.State) error {
 }
 
 func testAccAlertProfileConfig(name string) string {
-	return fmt.Sprintf(`
-	provider "prismacloudcompute" {
-		console_url = "https://us-east1.cloud.twistlock.com/us-1-111573457"
-		username    = "17aa4ffa-417c-4c5f-95c7-4cbae38bab53"
-		password    = "PvloZv58MSlPebdCECZ1HI5crPo="
-	}
-	
+	return fmt.Sprintf(`	
 	resource "prismacloudcompute_alertprofile" "test" {
 		name               = "%s"
 		enable_immediate_vulnerabilities_alerts = false