Merge pull request #176 from dome9/CON-8179-AWP-Onboarding-AWS

This pull request introduces changes related to the AWP AWS onboarding process in the Dome9 Terraform provider. Implementing AWP Onboarding API (https://github.com/dome9/dome9-sdk-go/releases/tag/v1.18.4) * **resource** - dome9_awp_aws_onboarding * **data** - dome9_awp_aws_onboarding * **data** - dome9_awp_aws_onboarding_data
dome9 · Apr 4, 2024 · 65a3a6f · 65a3a6f
2 parents f2b809f + fee5408
commit 65a3a6f
Show file tree

Hide file tree

Showing 38 changed files with 1,565 additions and 53 deletions.
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -45,4 +45,5 @@ jobs:
           OCI_TENANCY_ID: ${{ secrets.OCI_TENANCY_ID }}
           OCI_HOME_REGION: ${{ secrets.OCI_HOME_REGION }}
           OCI_USER_OCID: ${{ secrets.OCI_USER_OCID }}
+          AWP_EXTERNAL_ID: ${{ secrets.AWP_EXTERNAL_ID }}
         run: go test -v -timeout 2400s ./...
diff --git a/dome9/common/providerconst/const.go b/dome9/common/providerconst/const.go
@@ -109,13 +109,13 @@ const (
 	AF_SOUTH_1          = "26"
 	EU_SOUTH_1          = "27"
 	AP_NORTHEAST_3      = "28"
-	ME_CENTRAL_1	    = "29"
-	AP_SOUTH_2	    = "30"
-	AP_SOUTHEAST_3	    = "31"
-	AP_SOUTHEAST_4	    = "32"
-	EU_CENTRAL_2	    = "33"
-	EU_SOUTH_2	    = "34"
-	IL_CENTRAL_1 	    = "35"
+	ME_CENTRAL_1        = "29"
+	AP_SOUTH_2          = "30"
+	AP_SOUTHEAST_3      = "31"
+	AP_SOUTHEAST_4      = "32"
+	EU_CENTRAL_2        = "33"
+	EU_SOUTH_2          = "34"
+	IL_CENTRAL_1        = "35"
 )
 
 // Azure consts
@@ -185,11 +185,11 @@ var AWSRegionsEnum = map[string]string{
 	"af_south_1":          AF_SOUTH_1,
 	"eu_south_1":          EU_SOUTH_1,
 	"ap_northeast_3":      AP_NORTHEAST_3,
-	"me_central_1":        ME_CENTRAL_1,	
-	"ap_south_2":          AP_SOUTH_2,		
-	"ap_southeast_3":      AP_SOUTHEAST_3,	
-	"ap_southeast_4":      AP_SOUTHEAST_4,	
-	"eu_central_2":        EU_CENTRAL_2,	
+	"me_central_1":        ME_CENTRAL_1,
+	"ap_south_2":          AP_SOUTH_2,
+	"ap_southeast_3":      AP_SOUTHEAST_3,
+	"ap_southeast_4":      AP_SOUTHEAST_4,
+	"eu_central_2":        EU_CENTRAL_2,
 	"eu_south_2":          EU_SOUTH_2,
 	"il_central_1":        IL_CENTRAL_1,
 }
@@ -201,3 +201,12 @@ var PermissionTrafficType = map[string]string{
 
 // All Assessments Cloud Accounts Types
 var AssessmentCloudAccountType = []string{"Aws", "Azure", "GCP", "Kubernetes", "Terraform", "Generic", "KubernetesRuntimeAssurance", "ShiftLeft", "SourceCodeAssurance", "ImageAssurance", "Alibaba", "Cft", "ContainerRegistry", "Ers"}
+
+// AWP AWS Constants
+const (
+	DefaultScanMachineIntervalInHoursSaas      = 24
+	DefaultScanMachineIntervalInHoursInAccount = 4
+	DefaultMaxConcurrentScansPerRegion         = 20
+	MinMaxConcurrentScansPerRegion             = 1
+	MaxScanMachineIntervalInHours              = 1000
+)
diff --git a/dome9/common/resourcetype/resource_type.go b/dome9/common/resourcetype/resource_type.go
@@ -27,4 +27,6 @@ const (
 	AdmissionControlPolicy                       = "dome9_admission_control_policy"
 	Assessment                                   = "dome9_assessment"
 	ImageAssurancePolicy                         = "dome9_image_assurance_policy"
+	AwpAwsOnboardingData                         = "dome9_awp_aws_onboarding_data"
+	AwpAwsOnboarding                             = "dome9_awp_aws_onboarding"
 )
diff --git a/dome9/common/testing/environmentvariable/environment_variable.go b/dome9/common/testing/environmentvariable/environment_variable.go
@@ -20,9 +20,10 @@ const (
 
 // AWS environment variable
 const (
-	CloudAccountAWSEnvVarArn        = "ARN"
-	CloudAccountUpdatedAWSEnvVarArn = "ARN_UPDATE"
-	CloudAccountAWSEnvVarSecret     = "SECRET"
+	CloudAccountAWSEnvVarArn               = "ARN"
+	CloudAccountUpdatedAWSEnvVarArn        = "ARN_UPDATE"
+	CloudAccountAWSEnvVarSecret            = "SECRET"
+	AwpAwsCrossAccountRoleExternalIdEnvVar = "AWP_EXTERNAL_ID"
 )
 
 // Azure environment variable

diff --git a/dome9/common/testing/variable/variable.go b/dome9/common/testing/variable/variable.go
@@ -211,3 +211,25 @@ const (
 	HasErrors               = "false"
 	HasDataSyncStatusIssues = "false"
 )
+
+// awp aws onboarding data resource/data source
+const (
+	OnboardedAwsCloudGuardAccountID   = "36f79243-5456-4aa7-88c1-6637cad1f426"
+	AwpAwsCrossAccountRoleName        = "CloudGuardAWPCrossAccountRole"
+	ScanMode                          = "inAccount"
+	DisabledRegions                   = `["us-east-1", "us-west-1"]`
+	DisabledRegionsUpdate             = `["us-east-1", "us-west-1", "ap-northeast-1", "ap-southeast-2"]`
+	ScanMachineIntervalInHours        = "6"
+	ScanMachineIntervalInHoursUpdate  = "10"
+	MaxConcurrentScansPerRegion       = "4"
+	MaxConcurrentScansPerRegionUpdate = "8"
+	CustomTags                        = `{
+			tag1 = "value1"
+			tag2 = "value2"
+		}`
+	CustomTagsUpdate = `{
+			tag1 = "value1"
+			tag2 = "value2"
+			tag3 = "value3"
+		}`
+)
diff --git a/dome9/config.go b/dome9/config.go
@@ -2,6 +2,7 @@ package dome9
 
 import (
 	"github.com/dome9/dome9-sdk-go/services/assessment"
+	"github.com/dome9/dome9-sdk-go/services/awp_aws_onboarding"
 	"log"
 
 	"github.com/dome9/dome9-sdk-go/dome9"
@@ -52,6 +53,7 @@ type Client struct {
 	admissionControlPolicy           admission_policy.Service
 	imageAssurancePolicy             imageassurance_policy.Service
 	assessment                       assessment.Service
+	awpAwsOnboarding                 awp_aws_onboarding.Service
 }
 
 type Config struct {
@@ -87,6 +89,7 @@ func (c *Config) Client() (*Client, error) {
 		admissionControlPolicy:           *admission_policy.New(config),
 		imageAssurancePolicy:             *imageassurance_policy.New(config),
 		assessment:                       *assessment.New(config),
+		awpAwsOnboarding:                 *awp_aws_onboarding.New(config),
 	}
 
 	log.Println("[INFO] initialized Dome9 client")

diff --git a/dome9/data_source_dome9_assessment.go b/dome9/data_source_dome9_assessment.go
@@ -8,7 +8,7 @@ import (
 
 func dataSourceAssessment() *schema.Resource {
 	return &schema.Resource{
-		Read:   dataSourceAssessmentRead,
+		Read: dataSourceAssessmentRead,
 		Importer: &schema.ResourceImporter{
 			State: schema.ImportStatePassthrough,
 		},
@@ -31,7 +31,7 @@ func dataSourceAssessment() *schema.Resource {
 				Computed: true,
 			},
 			"cloud_account_type": {
-				Type:         schema.TypeString,
+				Type:     schema.TypeString,
 				Computed: true,
 			},
 			"should_minimize_result": {
@@ -720,4 +720,3 @@ func dataSourceAssessmentRead(d *schema.ResourceData, meta interface{}) error {
 
 	return nil
 }
-
diff --git a/dome9/data_source_dome9_awp_aws_onboarding.go b/dome9/data_source_dome9_awp_aws_onboarding.go
@@ -0,0 +1,136 @@
+package dome9
+
+import (
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+	"log"
+)
+
+func dataSourceAwpAwsOnboarding() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceAwpAwsOnboardingRead,
+
+		Schema: map[string]*schema.Schema{
+			"id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"scan_mode": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"agentless_account_settings": {
+				Type:     schema.TypeSet,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"disabled_regions": {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Schema{
+								Type: schema.TypeString,
+							},
+						},
+						"scan_machine_interval_in_hours": {
+							Type:     schema.TypeInt,
+							Computed: true,
+						},
+						"max_concurrent_scans_per_region": {
+							Type:     schema.TypeInt,
+							Computed: true,
+						},
+						"custom_tags": {
+							Type:     schema.TypeMap,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{},
+							},
+						},
+					},
+				},
+			},
+			"missing_awp_private_network_regions": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem:     &schema.Schema{Type: schema.TypeString},
+			},
+			"account_issues": {
+				Type:     schema.TypeList,
+				Computed: true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"regions": {
+							Type:     schema.TypeMap,
+							Optional: true,
+						},
+						"account": {
+							Type:     schema.TypeMap,
+							Optional: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"issue_type": {
+										Type:     schema.TypeString,
+										Optional: true,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+			"cloud_account_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"agentless_protection_enabled": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"cloud_provider": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"should_update": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+			"is_org_onboarding": {
+				Type:     schema.TypeBool,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func dataSourceAwpAwsOnboardingRead(d *schema.ResourceData, meta interface{}) error {
+	d9Client := meta.(*Client)
+
+	cloudguardAccountId := d.Get("id").(string)
+	log.Printf("Getting data for AWP AWS Onboarding id: %s\n", cloudguardAccountId)
+
+	resp, _, err := d9Client.awpAwsOnboarding.GetAWPOnboarding("aws", cloudguardAccountId)
+	if err != nil {
+		return err
+	}
+
+	d.SetId(resp.CloudAccountId)
+	// Set other schema fields here
+	_ = d.Set("scan_mode", resp.ScanMode)
+	_ = d.Set("missing_awp_private_network_regions", resp.MissingAwpPrivateNetworkRegions)
+	_ = d.Set("cloud_account_id", resp.CloudAccountId)
+	_ = d.Set("agentless_protection_enabled", resp.AgentlessProtectionEnabled)
+	_ = d.Set("cloud_provider", resp.Provider)
+	_ = d.Set("should_update", resp.ShouldUpdate)
+	_ = d.Set("is_org_onboarding", resp.IsOrgOnboarding)
+
+	if resp.AgentlessAccountSettings != nil {
+		if err := d.Set("agentless_account_settings", flattenAgentlessAccountSettings(resp.AgentlessAccountSettings)); err != nil {
+			return err
+		}
+	}
+	if resp.AccountIssues != nil {
+		if err := d.Set("account_issues", flattenAccountIssues(resp.AccountIssues)); err != nil {
+			return err
+		}
+	}
+	return nil
+}
diff --git a/dome9/data_source_dome9_awp_aws_onboarding_data.go b/dome9/data_source_dome9_awp_aws_onboarding_data.go
@@ -0,0 +1,93 @@
+package dome9
+
+import (
+	"encoding/base64"
+	"github.com/hashicorp/terraform-plugin-sdk/helper/schema"
+)
+
+func dataSourceAwpAwsOnboardingData() *schema.Resource {
+	return &schema.Resource{
+		Read: dataSourceAwpAwsOnboardingDataRead,
+
+		Schema: map[string]*schema.Schema{
+			"cloud_account_id": {
+				Type:     schema.TypeString,
+				Required: true,
+			},
+			"stage": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"region": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"cloud_guard_backend_account_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"agentless_bucket_name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"remote_functions_prefix_key": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"remote_snapshots_utils_function_name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"remote_snapshots_utils_function_run_time": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"remote_snapshots_utils_function_time_out": {
+				Type:     schema.TypeInt,
+				Computed: true,
+			},
+			"awp_client_side_security_group_name": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"cross_account_role_external_id": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+			"remote_snapshots_utils_function_s3_pre_signed_url": {
+				Type:     schema.TypeString,
+				Computed: true,
+			},
+		},
+	}
+}
+
+func dataSourceAwpAwsOnboardingDataRead(d *schema.ResourceData, meta interface{}) error {
+	d9Client := meta.(*Client)
+
+	resp, _, err := d9Client.awpAwsOnboarding.Get()
+	if err != nil {
+		return err
+	}
+
+	d.SetId(resp.CloudGuardBackendAccountId)
+	_ = d.Set("stage", resp.Stage)
+	_ = d.Set("region", resp.Region)
+	_ = d.Set("cloud_guard_backend_account_id", resp.CloudGuardBackendAccountId)
+	_ = d.Set("agentless_bucket_name", resp.AgentlessBucketName)
+	_ = d.Set("remote_functions_prefix_key", resp.RemoteFunctionsPrefixKey)
+	_ = d.Set("remote_snapshots_utils_function_name", resp.RemoteSnapshotsUtilsFunctionName)
+	_ = d.Set("remote_snapshots_utils_function_run_time", resp.RemoteSnapshotsUtilsFunctionRunTime)
+	_ = d.Set("remote_snapshots_utils_function_time_out", resp.RemoteSnapshotsUtilsFunctionTimeOut)
+	_ = d.Set("awp_client_side_security_group_name", resp.AwpClientSideSecurityGroupName)
+	cloudAccountID, _, err := d9Client.awpAwsOnboarding.GetCloudAccountId(d.Get("cloud_account_id").(string))
+	if err != nil {
+		return err
+	}
+	combinedString := resp.CloudGuardBackendAccountId + "-" + cloudAccountID
+	encodedString := base64.StdEncoding.EncodeToString([]byte(combinedString))
+	_ = d.Set("cross_account_role_external_id", encodedString)
+	_ = d.Set("remote_snapshots_utils_function_s3_pre_signed_url", resp.RemoteSnapshotsUtilsFunctionS3PreSignedUrl)
+
+	return nil
+}