aquasecurity
diff --git a/‎.github/workflows/nightly.yml‎
Lines changed: 58 additions & 54 deletions b/‎.github/workflows/nightly.yml‎
Lines changed: 58 additions & 54 deletions
diff --git a/‎aquasec/data_container_runtime_policy_test.go‎
Lines changed: 6 additions & 31 deletions b/‎aquasec/data_container_runtime_policy_test.go‎
Lines changed: 6 additions & 31 deletions
diff --git a/‎aquasec/resource_container_runtime_policy_test.go‎
Lines changed: 8 additions & 50 deletions b/‎aquasec/resource_container_runtime_policy_test.go‎
Lines changed: 8 additions & 50 deletions
diff --git a/‎docs/data-sources/container_runtime_policy.md‎
Lines changed: 2 additions & 2 deletions b/‎docs/data-sources/container_runtime_policy.md‎
Lines changed: 2 additions & 2 deletions
diff --git a/‎docs/resources/container_runtime_policy.md‎
Lines changed: 2 additions & 3 deletions b/‎docs/resources/container_runtime_policy.md‎
Lines changed: 2 additions & 3 deletions
@@ -174,83 +174,87 @@ jobs:
           if-no-files-found: error
 
   notify:
-    name: "Notify via Power Automate Webhook"
+    name: "Notify via Teams Webhook"
     runs-on: ubuntu-latest
     needs:
       - drift
       - acceptance
     if: ${{ always() }}
     steps:
-      - name: Download all drift artifacts
-        uses: actions/download-artifact@v4
-        with:
-          path: drift-artifacts
-
       - name: Download all artifacts
         uses: actions/download-artifact@v4
         with:
           path: artifacts
 
-      - name: Build summary payload
-        id: build_payload
+      - name: Build and send Teams notification
+        env:
+          TEAMS_WEBHOOK_URL: ${{ secrets.TEAMS_WEBHOOK_URL }}
+          GITHUB_URL: ${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}
+          WORKFLOW_NAME: ${{ github.workflow }}
+          BRANCH_NAME: ${{ github.ref_name }}
         run: |
-          echo "PWD: $(pwd)"
-          ls -R artifacts
-
-          drift_summary="{"
-          acc_summary="{"
-          first=true
-
-          # Loop through drift artifacts
+          # Build drift summary
+          drift_text=""
           for file in artifacts/drift-results-*/result-drift-*.json; do
             version=$(jq -r .version < "$file")
             exitcode=$(jq -r .exitcode < "$file")
-            status="unknown"
             if [ "$exitcode" -eq 0 ]; then
-              status="no_drift"
+              drift_text+="✅ TF $version: No drift\n"
             elif [ "$exitcode" -eq 2 ]; then
-              status="drift_detected"
-            elif [ "$exitcode" -eq 1 ]; then
-              status="error"
+              drift_text+="⚠️ TF $version: Drift detected\n"
+            else
+              drift_text+="❌ TF $version: Error\n"
             fi
-
-            if [ "$first" = false ]; then
-              drift_summary+=", "
-            fi
-            drift_summary+="\"${version}\": \"${status}\""
-            first=false
           done
-          drift_summary+="}"
 
-          first=true
-          # Loop through acceptance artifacts
+          # Build acceptance summary
+          acc_text=""
+          all_passed=true
           for file in artifacts/acceptance-results-*/result-acceptance-*.json; do
             version=$(jq -r .version < "$file")
             result=$(jq -r .result < "$file")
-
-            if [ "$first" = false ]; then
-              acc_summary+=", "
+            if [ "$result" = "success" ]; then
+              acc_text+="✅ TF $version: Passed\n"
+            else
+              acc_text+="❌ TF $version: Failed\n"
+              all_passed=false
             fi
-            acc_summary+="\"${version}\": \"${result}\""
-            first=false
           done
-          acc_summary+="}"
 
-          echo "payload="$(jq -n \
-            --arg wf "${{ github.workflow }}" \
-            --arg branch "${{ github.ref_name }}" \
-            --arg runid "${{ github.run_id }}" \
-            --arg url "${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}" \
-            --argjson tested_versions '["0.15.5","0.14.11","1.1.2","1.5.3"]' \
-            --argjson drift_summary "$drift_summary" \
-            --argjson acceptance_summary "$acc_summary" \
-            '{workflow: $wf, branch: $branch, run_id: $runid, github_url: $url, tested_versions: $tested_versions, drift_summary: $drift_summary, acceptance_summary: $acceptance_summary }') \
-            >> $GITHUB_OUTPUT
-      - name: Trigger Power Automate Flow
-        uses: fjogeleit/http-request-action@v1.16.3
-        with:
-          url: ${{ secrets.POWER_AUTOMATE_HOOK_URL }}
-          method: 'POST'
-          contentType: 'application/json'
-          data: |
-            ${{ steps.build_payload.outputs.payload }}
+          # Set title color based on results
+          if [ "$all_passed" = true ]; then
+            theme_color="00FF00"
+            title="✅ Nightly Tests Passed"
+          else
+            theme_color="FF0000"
+            title="❌ Nightly Tests Failed"
+          fi
+
+          # Send to Teams
+          curl -H "Content-Type: application/json" -d "{
+            \"@type\": \"MessageCard\",
+            \"@context\": \"http://schema.org/extensions\",
+            \"themeColor\": \"${theme_color}\",
+            \"summary\": \"${title}\",
+            \"sections\": [{
+              \"activityTitle\": \"${title}\",
+              \"facts\": [
+                { \"name\": \"Workflow\", \"value\": \"${WORKFLOW_NAME}\" },
+                { \"name\": \"Branch\", \"value\": \"${BRANCH_NAME}\" }
+              ],
+              \"markdown\": true
+            },
+            {
+              \"activityTitle\": \"Drift Detection\",
+              \"text\": \"${drift_text}\"
+            },
+            {
+              \"activityTitle\": \"Acceptance Tests\",
+              \"text\": \"${acc_text}\"
+            }],
+            \"potentialAction\": [{
+              \"@type\": \"OpenUri\",
+              \"name\": \"View in GitHub\",
+              \"targets\": [{ \"os\": \"default\", \"uri\": \"${GITHUB_URL}\" }]
+            }]
+          }" "${TEAMS_WEBHOOK_URL}"
@@ -46,11 +46,10 @@ func TestDataAquasecBasicContainerRuntimePolicy(t *testing.T) {
 func TestDataAquasecComplexContainerRuntimePolicy(t *testing.T) {
 	t.Parallel()
 	var complexRuntimePolicy = client.RuntimePolicy{
-		Name:                  acctest.RandomWithPrefix("test-container-runtime-policy"),
-		Description:           "This is a test description of container runtime policy",
-		Enabled:               true,
-		Enforce:               true,
-		ForkGuardProcessLimit: 13,
+		Name:        acctest.RandomWithPrefix("test-container-runtime-policy"),
+		Description: "This is a test description of container runtime policy",
+		Enabled:     true,
+		Enforce:     true,
 	}
 
 	rootRef := dataContainerRuntimePolicyRef("test")
@@ -108,10 +107,6 @@ func TestDataAquasecComplexContainerRuntimePolicy(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "auditing.0.audit_process_cmdline", "true"),
 					resource.TestCheckResourceAttr(rootRef, "auditing.0.audit_all_network", "true"),
 
-					// Fork guard
-					resource.TestCheckResourceAttr(rootRef, "enable_fork_guard", "true"),
-					resource.TestCheckResourceAttr(rootRef, "fork_guard_process_limit", fmt.Sprintf("%v", complexRuntimePolicy.ForkGuardProcessLimit)),
-
 					// Container privileges
 					resource.TestCheckResourceAttr(rootRef, "limit_container_privileges.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "limit_container_privileges.0.block_add_capabilities", "true"),
@@ -130,15 +125,6 @@ func TestDataAquasecComplexContainerRuntimePolicy(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_inbound_ports.0", "1-11"),
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_outbound_ports.0", "1-11"),
 
-					// Readonly files
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.enabled", "true"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files.#", "2"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files.#", "2"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files_processes.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files_users.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files_processes.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files_users.#", "1"),
-
 					// Allowed registries
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.allowed_registries.#", "2"),
@@ -221,9 +207,6 @@ func getComplexContainerRuntimePolicyData(policy client.RuntimePolicy) string {
 			audit_all_network = true
 		}
 
-		enable_fork_guard = true
-		fork_guard_process_limit = %v
-
 		limit_container_privileges {
 			enabled = true
 			block_add_capabilities = true
@@ -242,15 +225,7 @@ func getComplexContainerRuntimePolicyData(policy client.RuntimePolicy) string {
 			block_outbound_ports = ["1-11"]
 		}
 
-		readonly_files {
-			enabled = true
-			readonly_files = ["readonly","/dir/"]
-			exceptional_readonly_files = ["readonly2","/dir2/"]
-			readonly_files_processes = ["test"]
-			exceptional_readonly_files_processes = ["test"]
-			readonly_files_users = ["test"]
-			exceptional_readonly_files_users = ["test"]
-		}
+		# Note: readonly_files is deprecated for container runtime policies
 
 		allowed_registries {
 			enabled = true
@@ -266,5 +241,5 @@ func getComplexContainerRuntimePolicyData(policy client.RuntimePolicy) string {
 	data "aquasec_container_runtime_policy" "test" {
 		name = aquasec_container_runtime_policy.test.id
 	}
-`, policy.Name, policy.Description, policy.Enabled, policy.Enforce, policy.EnforceAfterDays, policy.ForkGuardProcessLimit)
+`, policy.Name, policy.Description, policy.Enabled, policy.Enforce, policy.EnforceAfterDays)
 }
@@ -72,11 +72,10 @@ func TestResourceAquasecBasicContainerRuntimePolicyCreate(t *testing.T) {
 func TestResourceAquasecComplexContainerRuntimePolicyCreate(t *testing.T) {
 	t.Parallel()
 	var complexRuntimePolicy = client.RuntimePolicy{
-		Name:                  acctest.RandomWithPrefix("test-container-runtime-policy"),
-		Description:           "This is a test description of container runtime policy",
-		Enabled:               true,
-		Enforce:               true,
-		ForkGuardProcessLimit: 13,
+		Name:        acctest.RandomWithPrefix("test-container-runtime-policy"),
+		Description: "This is a test description of container runtime policy",
+		Enabled:     true,
+		Enforce:     true,
 	}
 
 	rootRef := containerRuntimePolicyRef("test")
@@ -134,9 +133,6 @@ func TestResourceAquasecComplexContainerRuntimePolicyCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "auditing.0.audit_all_network", "true"),
 					resource.TestCheckResourceAttr(rootRef, "auditing.0.enabled", "true"),
 
-					resource.TestCheckResourceAttr(rootRef, "enable_fork_guard", "true"),
-					resource.TestCheckResourceAttr(rootRef, "fork_guard_process_limit", fmt.Sprintf("%v", complexRuntimePolicy.ForkGuardProcessLimit)),
-
 					resource.TestCheckResourceAttr(rootRef, "limit_container_privileges.0.enabled", "true"),
 					resource.TestCheckResourceAttr(rootRef, "limit_container_privileges.0.block_add_capabilities", "true"),
 					resource.TestCheckResourceAttr(rootRef, "limit_container_privileges.0.prevent_root_user", "true"),
@@ -154,13 +150,6 @@ func TestResourceAquasecComplexContainerRuntimePolicyCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_outbound_ports.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_inbound_ports.0", "1-11"),
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_outbound_ports.0", "1-11"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.enabled", "true"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files.#", "2"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files.#", "2"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files_processes.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files_users.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files_processes.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files_users.#", "1"),
 
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.allowed_registries.#", "2"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.enabled", "true"),
@@ -190,9 +179,7 @@ func TestResourceAquasecFullContainerRuntimePolicyCreate(t *testing.T) {
 		BlockFilelessExec:          true,
 		BlockNonCompliantWorkloads: true,
 		BlockNonK8sContainers:      true,
-		EnableForkGuard:            true,
-		ForkGuardProcessLimit:      0,
-		EnableIPReputation:         true,
+		EnableIPReputation: true,
 		EnableCryptoMiningDns:      true,
 		EnablePortScanProtection:   true,
 		OnlyRegisteredImages:       true,
@@ -293,15 +280,6 @@ func TestResourceAquasecFullContainerRuntimePolicyCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_inbound_ports.0", "1-11"),
 					resource.TestCheckResourceAttr(rootRef, "port_block.0.block_outbound_ports.0", "1-11"),
 
-					// Readonly Files
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.enabled", "true"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files.#", "2"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files.#", "2"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files_processes.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.exceptional_readonly_files_users.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files_processes.#", "1"),
-					resource.TestCheckResourceAttr(rootRef, "readonly_files.0.readonly_files_users.#", "1"),
-
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.allowed_registries.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.allowed_registries.0", "Docker Hub"),
 					resource.TestCheckResourceAttr(rootRef, "allowed_registries.0.enabled", "true"),
@@ -402,8 +380,6 @@ func getComplexContainerRuntimePolicyResource(policy client.RuntimePolicy) strin
 			audit_process_cmdline = true
 			audit_all_network   = true
 	    }
-		enable_fork_guard        = true
-		fork_guard_process_limit = %v
 		limit_container_privileges{
 			enabled = true
 			block_add_capabilities   = true
@@ -421,15 +397,7 @@ func getComplexContainerRuntimePolicyResource(policy client.RuntimePolicy) strin
 			block_outbound_ports = ["1-11"]
 		}
 		# enable_port_scan_detection = true
-		readonly_files{
-			enabled = true
-			readonly_files = ["readonly","/dir/"]
-			exceptional_readonly_files = ["readonly2","/dir2/"]
-			readonly_files_processes = ["test"]
-			exceptional_readonly_files_processes = ["test"]
-			readonly_files_users = ["test"]
-			exceptional_readonly_files_users = ["test"]
-		}
+		# Note: readonly_files is deprecated for container runtime policies
 		allowed_registries{
 			enabled = true
 			allowed_registries = ["registry1","registry2"]
@@ -447,8 +415,7 @@ func getComplexContainerRuntimePolicyResource(policy client.RuntimePolicy) strin
 		policy.Description,
 		policy.Enabled,
 		policy.Enforce,
-		policy.EnforceAfterDays,
-		policy.ForkGuardProcessLimit)
+		policy.EnforceAfterDays)
 }
 
 func getFullContainerRuntimePolicyResource(policy client.RuntimePolicy) string {
@@ -592,15 +559,7 @@ func getFullContainerRuntimePolicyResource(policy client.RuntimePolicy) string {
 			block_outbound_ports = ["1-11"]
 		}
 		
-		readonly_files {
-			enabled = true
-			readonly_files = ["readonly","/dir/"]
-			exceptional_readonly_files = ["readonly2","/dir2/"]
-			readonly_files_processes = ["test"]
-			exceptional_readonly_files_processes = ["test"]
-			readonly_files_users = ["test"]
-			exceptional_readonly_files_users = ["test"]
-		}
+		# Note: readonly_files is deprecated for container runtime policies
 		
 		malware_scan_options {
 			enabled = true
@@ -623,7 +582,6 @@ func getFullContainerRuntimePolicyResource(policy client.RuntimePolicy) string {
 			failed_checks = ["CVE-2021-25741", "CVE-2022-0185"]
 		}
 		
-		enable_fork_guard = true
 		enable_ip_reputation = true
 		enable_crypto_mining_dns = true
 		enable_port_scan_protection = true
 
@@ -82,7 +82,7 @@ output "container_runtime_policy_details" {
 - `drift_prevention` (List of Object) Drift prevention configuration. (see [below for nested schema](#nestedatt--drift_prevention))
 - `enable_crypto_mining_dns` (Boolean)
 - `enable_drift_prevention` (Boolean) If true, executables that are not in the original image is prevented from running.
-- `enable_fork_guard` (Boolean) If true, fork bombs are prevented in the containers.
+- `enable_fork_guard` (Boolean, **Deprecated**) Fork Guard is no longer supported for container runtime policies. This attribute will be removed in a future version.
 - `enable_ip_reputation` (Boolean)
 - `enable_ip_reputation_security` (Boolean) If true, detect and prevent communication from containers to IP addresses known to have a bad reputation.
 - `enable_port_scan_detection` (Boolean) If true, detects port scanning behavior in the container.
@@ -95,7 +95,7 @@ output "container_runtime_policy_details" {
 - `exclude_application_scopes` (List of String) List of excluded application scopes.
 - `exec_lockdown_white_list` (List of String) Specify processes that will be allowed
 - `failed_kubernetes_checks` (List of Object) Failed Kubernetes checks configuration. (see [below for nested schema](#nestedatt--failed_kubernetes_checks))
-- `fork_guard_process_limit` (Number) Process limit for the fork guard.
+- `fork_guard_process_limit` (Number, **Deprecated**) Fork Guard is no longer supported for container runtime policies. This attribute will be removed in a future version.
 - `id` (String) The ID of this resource.
 - `image_name` (String)
 - `is_audit_checked` (Boolean)
 
@@ -250,7 +250,6 @@ resource "aquasec_container_runtime_policy" "container_runtime_policy" {
   }
 
   # Additional security features
-  enable_fork_guard           = true
   enable_ip_reputation        = true
   enable_crypto_mining_dns    = true
   enable_port_scan_protection = true
@@ -308,7 +307,7 @@ resource "aquasec_container_runtime_policy" "container_runtime_policy" {
 - `digest` (String)
 - `drift_prevention` (Block List) Drift prevention configuration. (see [below for nested schema](#nestedblock--drift_prevention))
 - `enable_crypto_mining_dns` (Boolean)
-- `enable_fork_guard` (Boolean) If true, fork bombs are prevented in the containers.
+- `enable_fork_guard` (Boolean, **Deprecated**) Fork Guard is no longer supported for container runtime policies. This attribute is ignored and will be removed in a future version.
 - `enable_ip_reputation` (Boolean)
 - `enable_port_scan_protection` (Boolean)
 - `enabled` (Boolean) Indicates if the runtime policy is enabled or not.
@@ -320,7 +319,7 @@ resource "aquasec_container_runtime_policy" "container_runtime_policy" {
 - `failed_kubernetes_checks` (Block List, Max: 1) (see [below for nested schema](#nestedblock--failed_kubernetes_checks))
 - `file_block` (Block List, Max: 1) (see [below for nested schema](#nestedblock--file_block))
 - `file_integrity_monitoring` (Block List) Configuration for file integrity monitoring. (see [below for nested schema](#nestedblock--file_integrity_monitoring))
-- `fork_guard_process_limit` (Number) Process limit for the fork guard.
+- `fork_guard_process_limit` (Number, **Deprecated**) Fork Guard is no longer supported for container runtime policies. This attribute is ignored and will be removed in a future version.
 - `image_name` (String)
 - `is_audit_checked` (Boolean)
 - `is_auto_generated` (Boolean)