Merge pull request #71 from maxboynton/main

Requested Bug Fixes & Enhancements, version 0.8.0

Author: PANW-aharrell

examples/resources/prismacloudcompute_container_runtime_policy/resource.tf

@@ -1,40 +1,125 @@
+# This resource will work with the following provider stored in the following directory path
+# mkdir -p ~/.terraform.d/plugins/paloaltonetworks.com/prismacloud/prismacloudcompute/0.7.1-release/darwin_amd64
+# mv terraform-provider-prismacloudcompute ~/.terraform.d/plugins/paloaltonetworks.com/prismacloud/prismacloudcompute/0.7.1-release/darwin_amd64
+
+terraform {
+  required_providers {
+    prismacloudcompute = {
+      source  = "paloaltonetworks.com/prismacloud/prismacloudcompute"
+      version = "0.7.1-release"
+    }
+  }
+}
+
+provider "prismacloudcompute" {
+  console_url = ""
+  username    = ""
+  password    = ""
+}
+
 resource "prismacloudcompute_container_runtime_policy" "ruleset" {
   learning_disabled = false
   rule {
-    name                       = "Default - alert on suspicious runtime behavior"
-    collections                = ["All"]
-    advanced_protection        = true
-    cloud_metadata_enforcement = false
+    name                              = "string"
+    collections                       = ["string"]
+    advanced_protection_effect        = true
+    cloud_metadata_enforcement_effect = false
+    previous_name                     = "string" # Required if Renaming the Rule
+    skip_exec_sessions                = false    # true | false
+    wildfire_analysis                 = "alert"  # "block" | "prevent" | "alert" | "disable"
+    custom_rule {
+      id     = 0
+      action = "string"
+      effect = "string" # "allow" | "ban" | "block" | "prevent" | "alert" | "disable"
+    }
+    custom_rule {
+      id     = 1
+      action = "string"
+      effect = "string" # "allow" | "ban" | "block" | "prevent" | "alert" | "disable"
+    }
     dns {
-      allowed     = []
-      denied      = []
-      deny_effect = "disable"
+      default_effect = "alert" # "block" | "prevent" | "alert" | "disable"
+      disabled       = true
+      domain_list {
+        allowed = ["0.0.0.0"]
+        denied  = ["1.1.1.1"]
+        effect  = "disable"
+      }
     }
     filesystem {
-      allowed                 = []
-      backdoor_files          = true
-      check_new_files         = true
-      denied                  = []
-      deny_effect             = "alert"
-      skip_encrypted_binaries = false
-      suspicious_elf_headers  = true
+      allowed_list          = ["string"]
+      backdoor_files_effect = "disable" # "block" | "prevent" | "alert" | "disable"
+      default_effect        = "alert"   # "block" | "prevent" | "alert" | "disable"
+      denied_list {
+        effect = "disable" # "block" | "prevent" | "alert" | "disable"
+        paths  = ["string"]
+      }
+      disabled                      = true
+      encrypted_binaries_effect     = "disable"
+      new_files_effect              = "disable"
+      suspicious_elf_headers_effect = "disable"
     }
     kubernetes_enforcement = false
     network {
-      allowed_outbound_ips    = []
-      denied_outbound_ips     = []
-      deny_effect             = "alert"
-      detect_port_scan        = true
-      skip_modified_processes = false
-      skip_raw_sockets        = false
+      allowed_ips       = ["0.0.0.0"]
+      default_effect    = "alert"
+      denied_ips        = ["1.1.1.1"]
+      denied_ips_effect = "disable"
+      disabled          = true
+      listening_ports {
+        allowed {
+          deny  = true
+          end   = 333
+          start = 222
+        }
+        denied {
+          deny  = true
+          end   = 5000
+          start = 4000
+        }
+        denied {
+          deny  = true
+          end   = 222
+          start = 111
+        }
+        effect = "disable" # "block" | "prevent" | "alert" | "disable"
+      }
+      modified_proc_effect = "disable" # "block" | "prevent" | "alert" | "disable"
+      outbound_ports {
+        allowed {
+          deny  = true
+          end   = 300
+          start = 200
+        }
+        denied {
+          deny  = true
+          end   = 6000
+          start = 5000
+        }
+        denied {
+          deny  = true
+          end   = 222
+          start = 111
+        }
+        effect = "disable" # "block" | "prevent" | "alert" | "disable"
+      }
+      port_scan_effect   = "disable" # "block" | "prevent" | "alert" | "disable"
+      raw_sockets_effect = "disable" # "block" | "prevent" | "alert" | "disable"
     }
     processes {
-      allowed                = []
-      check_crypto_miners    = true
-      check_lateral_movement = true
-      denied                 = []
-      deny_effect            = "alert"
+      modified_process_effect = "disable" # "block" | "prevent" | "alert" | "disable"
+      crypto_miners_effect    = "disable" # "block" | "prevent" | "alert" | "disable"
+      lateral_movement_effect = "disable" # "block" | "prevent" | "alert" | "disable"
+      reverse_shell_effect    = "disable" # "block" | "prevent" | "alert" | "disable"
+      suid_binaries_effect    = "disable" # "block" | "prevent" | "alert" | "disable"
+      default_effect          = "alert"   # "block" | "prevent" | "alert" | "disable"
+      check_parent_child      = false
+      allowed_list            = []
+      disabled                = false
+      denied_list {
+        effect = "disable" # "block" | "prevent" | "alert" | "disable"
+        paths  = ["test"]
+      }
     }
-    wildfire_analysis = "alert"
   }
-}
+}

internal/api/account/cloud_scan_rule.go

@@ -0,0 +1,88 @@
+package account
+
+import (
+	"fmt"
+	"net/http"
+
+	"github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/internal/api"
+	"github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/internal/api/auth"
+)
+
+const CloudScanRulesEndpoint = "api/v1/cloud-scan-rules"
+
+// Serverless scan specs struct
+type ServerLessScanSpec struct {
+	Enabled         bool `json:"enabled,omitempty"`
+	Cap             int  `json:"cap,omitempty"`
+	ScanAllVersions bool `json:"scanAllVersions,omitempty"`
+	ScanLayers      bool `json:"scanLayers,omitempty"`
+}
+
+type AgentlessScanSpec struct {
+	Enabled              bool     `json:"enabled,omitempty"`
+	HubAccount           bool     `json:"hubAccount,omitempty"`
+	ConsoleAddr          string   `json:"consoleAddr,omitempty"`
+	ScanNonRunning       bool     `json:"scanNonRunning,omitempty"`
+	ProxyAddress         string   `json:"proxyAddress,omitempty"`
+	ProxyCA              string   `json:"proxyCA,omitempty"`
+	SkipPermissionsCheck bool     `json:"skipPermissionsCheck,omitempty"`
+	AutoScale            bool     `json:"autoScale,omitempty"`
+	Scanners             int      `json:"scanners,omitempty"`
+	SecurityGroup        string   `json:"securityGroup,omitempty"`
+	SubNet               string   `json:"subnet,omitempty"`
+	Regions              []string `json:"regions,omitempty"`
+	CustomTags           []Tag    `json:"customTags,omitempty"`
+	IncludedTags         []Tag    `json:"includedTags,omitempty"`
+}
+
+type Tag struct {
+	Key   string `json:"key,omitempty"`
+	Value string `json:"value,omitempty"`
+}
+
+type CloudScanRule struct {
+	CredentialId                string             `json:"credentialId"`
+	Credential                  auth.Credential    `json:"credential,omitempty"`
+	DiscoveryEnabled            bool               `json:"discoveryEnabled,omitempty"`
+	ServerlessRadarEnabled      bool               `json:"serverlessRadarEnabled,omitempty"`
+	VmTagsEnabled               bool               `json:"vmTagsEnabled,omitempty"`
+	DiscoverAllFunctionVersions bool               `json:"discoverAllFunctionVersions,omitempty"`
+	ServerlessRadarCap          int                `json:"serverlessRadarCap,omitempty"`
+	AgentlessScanSpec           AgentlessScanSpec  `json:"agentlessScanSpec,omitempty"`
+	ServerlessScanSpec          ServerLessScanSpec `json:"serverlessScanSpec,omitempty"`
+	AwsRegionType               string             `json:"awsRegionType,omitempty"`
+}
+
+// Get all cloud can rules
+func ListCloudScanRules(c api.Client) ([]CloudScanRule, error) {
+	var ans []CloudScanRule
+	if err := c.Request(http.MethodGet, CloudScanRulesEndpoint, nil, nil, &ans); err != nil {
+		return nil, fmt.Errorf("error listing Cloud Scan Rules: %s", err)
+	}
+	return ans, nil
+}
+
+// Get a specific cloud scan rule
+func GetCloudScanRule(c api.Client, name string) (*CloudScanRule, error) {
+	var ans []CloudScanRule
+
+	if err := c.Request(http.MethodGet, CloudScanRulesEndpoint, map[string]string{"search": name}, nil, &ans); err != nil {
+		return nil, fmt.Errorf("error searching Cloud Scan Rules: %s", err)
+	}
+	for _, val := range ans {
+		if val.CredentialId == name {
+			return &val, nil
+		}
+	}
+	return nil, fmt.Errorf("Cloud Scan Rule '%s' not found", name)
+}
+
+// Create/Update cloud scan rules
+func UpdateCloudScanRule(c api.Client, rule []CloudScanRule) error {
+	return c.Request(http.MethodPut, CloudScanRulesEndpoint, nil, rule, nil)
+}
+
+// Delete an existing cloud scan rule
+func DeleteCloudScanRule(c api.Client, name string) error {
+	return c.Request(http.MethodDelete, fmt.Sprintf("%s/%s", CloudScanRulesEndpoint, name), nil, nil, nil)
+}