Merge pull request #377 from aquasecurity/katy-tf-prometheus-SLK-109399

SLK-109399: expose enforcer group Prometheus flag

Author: ErmanShani

aquasec/data_enforcer_group.go

@@ -97,6 +97,11 @@ func dataSourceEnforcerGroup() *schema.Resource {
 				Description: "When set to `True` applies User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUA_RUNC_INTERCEPTION environment variable set to 0 in order to use User Access Control Policies.",
 				Computed:    true,
 			},
+			"enable_enforcer_group_prometheus": {
+				Type:        schema.TypeBool,
+				Description: "Enable Prometheus metrics for the enforcer group.",
+				Computed:    true,
+			},
 			"image_assurance": {
 				Type:        schema.TypeBool,
 				Description: "When Set to `True` enables selected controls: Container Runtime Policy (`Block Non-Compliant Images`, `Block Unregistered Images`, and `Registries Allowed`) and Default Image Assurance Policy (`Images Blocked`).",
@@ -449,6 +454,7 @@ func dataEnforcerGroupRead(ctx context.Context, d *schema.ResourceData, m interf
 		d.Set("host_forensics_collection", group.HostForensicsCollection)
 		d.Set("host_network_protection", group.HostNetworkProtection)
 		d.Set("user_access_control", group.UserAccessControl)
+		d.Set("enable_enforcer_group_prometheus", group.EnableEnforcerGroupPrometheus)
 		d.Set("image_assurance", group.ImageAssurance)
 		d.Set("host_protection", group.HostProtection)
 		d.Set("audit_all", group.AuditAll)

aquasec/resource_enforcer_group.go

@@ -438,6 +438,11 @@ func resourceEnforcerGroup() *schema.Resource {
 				Description: "Set `True` to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUA_RUNC_INTERCEPTION environment variable set to 0 in order to use User Access Control Policies.",
 				Optional:    true,
 			},
+			"enable_enforcer_group_prometheus": {
+				Type:        schema.TypeBool,
+				Description: "Enable Prometheus metrics for the enforcer group.",
+				Optional:    true,
+			},
 			"unified_mode": {
 				Type:        schema.TypeBool,
 				Description: "",
@@ -503,6 +508,7 @@ func resourceEnforcerGroupRead(ctx context.Context, d *schema.ResourceData, m in
 	d.Set("host_forensics_collection", r.HostForensicsCollection)
 	d.Set("host_network_protection", r.HostNetworkProtection)
 	d.Set("user_access_control", r.UserAccessControl)
+	d.Set("enable_enforcer_group_prometheus", r.EnableEnforcerGroupPrometheus)
 	d.Set("image_assurance", r.ImageAssurance)
 	d.Set("host_protection", r.HostProtection)
 	d.Set("audit_all", r.AuditAll)
@@ -594,6 +600,7 @@ func resourceEnforcerGroupUpdate(ctx context.Context, d *schema.ResourceData, m
 		"syscall_enabled",
 		"type",
 		"user_access_control",
+		"enable_enforcer_group_prometheus",
 		"orchestrator",
 		"schedule_scan_settings",
 		"unified_mode",
@@ -848,6 +855,11 @@ func expandEnforcerGroup(d *schema.ResourceData) client.EnforcerGroup {
 		enforcerGroup.UserAccessControl = userAccessControl.(bool)
 	}
 
+	enableEnforcerGroupPrometheus, ok := d.GetOk("enable_enforcer_group_prometheus")
+	if ok {
+		enforcerGroup.EnableEnforcerGroupPrometheus = enableEnforcerGroupPrometheus.(bool)
+	}
+
 	unifiedMode, ok := d.GetOk("unified_mode")
 	if ok {
 		enforcerGroup.UnifiedMode = unifiedMode.(bool)

client/enforcers.go

@@ -97,6 +97,7 @@ type EnforcerGroup struct {
 	AllowedLabels                             []string                     `json:"allowed_labels"`
 	AllowedRegistries                         []string                     `json:"allowed_registries"`
 	ScheduleScanSettings                      EnforcerScheduleScanSettings `json:"schedule_scan_settings"`
+	EnableEnforcerGroupPrometheus             bool                         `json:"enable_enforcer_group_prometheus"`
 	UnifiedMode                               bool                         `json:"unified_mode"`
 }
 

docs/data-sources/enforcer_groups.md

@@ -61,6 +61,7 @@ output "group_details" {
 - `description` (String) A description for the Aqua Enforcer group.
 - `disconnected_count` (Number) Number of disconnected enforcers in the enforcer group.
 - `enforce` (Boolean) Whether the enforce mode is enabled on the Enforcers.
+- `enable_enforcer_group_prometheus` (Boolean) Enable Prometheus metrics for the enforcer group.
 - `enforcer_image_name` (String) The specific Aqua Enforcer product image (with image tag) to be deployed.
 - `gateway_address` (String) Gateway Address
 - `gateway_name` (String) Gateway Name

docs/resources/enforcer_groups.md

@@ -43,6 +43,7 @@ description: |-
 - `container_activity_protection` (Boolean) Set `True` to apply Container Runtime Policies, Image Profiles, and Firewall Policies to containers.
 - `container_antivirus_protection` (Boolean) This setting is available only when you have license for `Advanced Malware Protection`. Send true to make use of the license and enable the `Real-time Malware Protection` control in the Container Runtime policies.
 - `description` (String) A description of the Aqua Enforcer group.
+- `enable_enforcer_group_prometheus` (Boolean) Enable Prometheus metrics for the enforcer group.
 - `enforce` (Boolean) Whether to enable enforce mode on the Enforcers, defaults to False.
 - `forensics` (Boolean) Select Enabled to send activity logs in your containers to the Aqua Server for forensics purposes.
 - `gateways` (List of String) List of Aqua gateway IDs for the Enforcers.

examples/resources/aquasec_enforcer_group/resource.tf

@@ -22,6 +22,8 @@ resource "aquasec_enforcer_groups" "group" {
   sync_host_images = true
   # Risk Explorer
   risk_explorer_auto_discovery = true
+  # Prometheus metrics
+  enable_enforcer_group_prometheus = true
   # host_forensics
   host_forensics_collection = true
   # forensics

examples/resources/main.tf

@@ -93,6 +93,7 @@ resource "aquasec_enforcer_groups" "new" {
   description  = "Created1"
   logical_name = "terraform-eg"
   enforce      = true
+  enable_enforcer_group_prometheus = true
   gateways = [
     "local-cluster"
   ]