CNAPP-11967-RBAC-NewSRLSupport (#225)

Co-authored-by: Yogev Ktuvim <[email protected]>

dome9/common/providerconst/const.go

@@ -73,10 +73,16 @@ const (
 
 // Azure security group
 const (
-	AWS                = "1"
-	Azure              = "2"
-	GCP                = "3"
-	OrganizationalUnit = "12"
+	AWS                      = "1"
+	Azure                    = "2"
+	GCP                      = "3"
+	OrganizationalUnit       = "12"
+	CloudGuardResources      = "200"
+	CSPMResources            = "201"
+	NetworkSecurityResources = "202"
+	CIEMResources            = "203"
+	CDRResources             = "204"
+	CodeSecurityResources    = "210"
 )
 
 // AWS regions
@@ -140,7 +146,7 @@ var AllAWSRegions = append(AWSGOVRegions, append(AWSRegions, AWSChinaRegions...)
 var CloudVendors = []string{"aws", "azure", "google", "kubernetesruntimeassurance", "imageassurance"}
 var ProtocolTypes = []string{"ALL", "HOPOPT", "ICMP", "IGMP", "GGP", "IPV4", "ST", "TCP", "CBT", "EGP", "IGP", "BBN_RCC_MON", "NVP2", "PUP", "ARGUS", "EMCON", "XNET", "CHAOS", "UDP", "MUX", "DCN_MEAS", "HMP", "PRM", "XNS_IDP", "TRUNK1", "TRUNK2", "LEAF1", "LEAF2", "RDP", "IRTP", "ISO_TP4", "NETBLT", "MFE_NSP", "MERIT_INP", "DCCP", "ThreePC", "IDPR", "XTP", "DDP", "IDPR_CMTP", "TPplusplus", "IL", "IPV6", "SDRP", "IPV6_ROUTE", "IPV6_FRAG", "IDRP", "RSVP", "GRE", "DSR", "BNA", "ESP", "AH", "I_NLSP", "SWIPE", "NARP", "MOBILE", "TLSP", "SKIP", "ICMPV6", "IPV6_NONXT", "IPV6_OPTS", "CFTP", "SAT_EXPAK", "KRYPTOLAN", "RVD", "IPPC", "SAT_MON", "VISA", "IPCV", "CPNX", "CPHB", "WSN", "PVP", "BR_SAT_MON", "SUN_ND", "WB_MON", "WB_EXPAK", "ISO_IP", "VMTP", "SECURE_VMTP", "VINES", "TTP", "NSFNET_IGP", "DGP", "TCF", "EIGRP", "OSPFIGP", "SPRITE_RPC", "LARP", "MTP", "AX25", "IPIP", "MICP", "SCC_SP", "ETHERIP", "ENCAP", "GMTP", "IFMP", "PNNI", "PIM", "ARIS", "SCPS", "QNX", "AN", "IPCOMP", "SNP", "COMPAQ_PEER", "IPX_IN_IP", "VRRP", "PGM", "L2TP", "DDX", "IATP", "STP", "SRP", "UTI", "SMP", "SM", "PTP", "ISIS", "FIRE", "CRTP", "CRUDP", "SSCOPMCE", "IPLT", "SPS", "PIPE", "SCTP", "FC", "RSVP_E2E_IGNORE", "MOBILITY_HEADER", "UDPLITE", "MPLS_IN_IP", "MANET", "HIP", "SHIM6", "WESP", "ROHC"}
 var OperationMode = []string{"Read", "Manage"}
-var SRLTypes = []string{"AWS", "Azure", "GCP", "OrganizationalUnit"}
+var SRLTypes = []string{"AWS", "Azure", "GCP", "OrganizationalUnit", "CloudGuardResources", "CSPMResources", "NetworkSecurityResources", "CIEMResources", "CDRResources", "CodeSecurityResources"}
 
 var IAMEntityProtectType = []string{IAMSafeEntityTypeUser, IAMSafeEntityTypeRole}
 var IAMEntityProtectionMode = []string{IAMSafeEntityProtect, IAMSafeEntityProtectWithElevation}
@@ -151,10 +157,16 @@ var SRLStructure = []string{"type", "main_id", "rg", "region", "sg", "security_g
 
 // SRL construction variables
 var SRlType = map[string]string{
-	"AWS":                AWS,
-	"Azure":              Azure,
-	"GCP":                GCP,
-	"OrganizationalUnit": OrganizationalUnit,
+	"AWS":                      AWS,
+	"Azure":                    Azure,
+	"GCP":                      GCP,
+	"OrganizationalUnit":       OrganizationalUnit,
+	"CloudGuardResources":      CloudGuardResources,
+	"CSPMResources":            CSPMResources,
+	"NetworkSecurityResources": NetworkSecurityResources,
+	"CIEMResources":            CIEMResources,
+	"CDRResources":             CDRResources,
+	"CodeSecurityResources":    CodeSecurityResources,
 }
 
 var AWSRegionsEnum = map[string]string{

examples/role/main.tf

@@ -1,40 +1,49 @@
-resource "dome9_role" "role_rs" {
-  name        = "ROLE_NAME"
-  description = "ROLE_DESC"
-  access {
-    type              = "AWS"
-    main_id           = "MAIN_ID"
-    region            = "us_east_1"
-    security_group_id = "SECURITY_GROUP_ID"
-    traffic           = "All Traffic"
-  }
-  access {
-    type    = "OrganizationalUnit"
-    main_id = "00000000-0000-0000-0000-000000000000"
-  }
-
-  permit_notifications = false
-  permit_rulesets      = false
-  permit_policies      = false
-  permit_alert_actions = false
-  permit_on_boarding   = false
-  create               = []
-  cross_account_access = []
-}
-
-
-data "dome9_role" "data" {
-  id = "${dome9_role.role_rs.id}"
-}
-
-output "getId" {
-  value = "${data.dome9_role.data.id}"
-}
-
-output "getDescription" {
-  value = "${data.dome9_role.data.description}"
-}
-
-output "getItems" {
-  value = "${data.dome9_role.data.access}"
-}
+resource "dome9_role" "role_rs" {
+  name        = "ROLE_NAME"
+  description = "ROLE_DESC"
+  access {
+    type              = "AWS"
+    main_id           = "MAIN_ID"
+    region            = "us_east_1"
+    security_group_id = "SECURITY_GROUP_ID"
+    traffic           = "All Traffic"
+  }
+  access {
+    type    = "OrganizationalUnit"
+    main_id = "00000000-0000-0000-0000-000000000000"
+  }
+
+  manage {
+      type = "CodeSecurityResources"
+      main_id = "Member"
+    }
+
+  view {
+      type = "CloudGuardResources"
+  }
+
+  permit_notifications = false
+  permit_rulesets      = false
+  permit_policies      = false
+  permit_alert_actions = false
+  permit_on_boarding   = false
+  create               = []
+  cross_account_access = []
+}
+
+
+data "dome9_role" "data" {
+  id = "${dome9_role.role_rs.id}"
+}
+
+output "getId" {
+  value = "${data.dome9_role.data.id}"
+}
+
+output "getDescription" {
+  value = "${data.dome9_role.data.description}"
+}
+
+output "getItems" {
+  value = "${data.dome9_role.data.access}"
+}

website/docs/d/role.html.markdown

@@ -8,7 +8,7 @@ description: |-
 
 # Data Source: dome9_role
 
-Use this data source to get information about a role in Dome9.
+Use this data source to get information about a role in CloudGuard.
 
 ## Example Usage
 
@@ -29,22 +29,22 @@ The following arguments are supported:
 
 In addition to all arguments above, the following attributes are exported:
 
-* `name` - (Required) Dome9 role name.
-* `description` - (Required) Dome9 role description. 
+* `name` - (Required) CloudGuard role name.
+* `description` - (Required) CloudGuard role description. 
 * `permit_rulesets` - Is permitted permit rulesets (Optional) .
 * `permit_notifications` - Is permitted permit notifications (Optional) .
 * `permit_policies` - Is permitted permit policies (Optional) .
 * `permit_alert_actions` - Is permitted permit alert actions (Optional) .
-* `permit_on_boarding` - Is permitted permit on boarding (Optional)  .
+* `permit_on_boarding` - Is permitted permit onboarding (Optional)  .
 * `cross_account_access` - (Optional) Cross account access.
 * `create` - (Optional) Create permission list.
 * `access` - (Optional) Access permission list ([SRL](#SRL) Type).
 * `view` - (Optional) View permission list ([SRL](#SRL) Type).
 * `manage` - (Optional) Manage permission list ([SRL](#SRL) Type).
 
 ### SRL 
-* `type` - (Optional) Accepted values: AWS, Azure, GCP, OrganizationalUnit.
-* `main_id` - (Optional) Cloud Account or Organizational Unit ID.
+* `type` - (Optional) Accepted values: AWS, Azure, GCP, OrganizationalUnit, CloudGuardResources, CodeSecurityResources.
+* `main_id` - (Optional) Cloud Account, Organizational Unit ID or CodeSecurity Access Level (Admin, Member).
 * `region` - (Optional) Accepted values: "us_east_1", "us_west_1", "eu_west_1", "ap_southeast_1", "ap_northeast_1", "us_west_2", "sa_east_1", "ap_southeast_2", "eu_central_1", "ap_northeast_2", "ap_south_1", "us_east_2", "ca_central_1", "eu_west_2", "eu_west_3", "eu_north_1", "ap_east_1", "me_south_1", "af_south_1", "eu_south_1", "ap_northeast_3", "me_central_1", "ap_south_2", "ap_southeast_3", "ap_southeast_4", "eu_central_2", "eu_south_2", "il_central_1", "ca_west_1".
 * `security_group_id` - (Optional) AWS Security Group ID.
 * `traffic` - (Optional) Accepted values: "All Traffic", "All Services".

website/docs/r/role.html.markdown

@@ -8,7 +8,7 @@ description: |-
 
 # dome9_role
 
-The Role resource is used to create and manage Dome9 roles. Roles are used to manage access permissions for Dome9 users.
+The Role resource is used to create and manage CloudGuard roles. Roles are used to manage access permissions for CloudGuard users.
 
 ## Example Usage
 
@@ -45,22 +45,22 @@ resource "dome9_role" "role_rs" {
 
 The following arguments are supported:
 
-* `name` - (Required) Dome9 role name.
-* `description` - (Required) Dome9 role description. 
+* `name` - (Required) CloudGuard role name.
+* `description` - (Required) CloudGuard role description. 
 * `permit_rulesets` - Is permitted permit rulesets (Optional) .
 * `permit_notifications` - Is permitted permit notifications (Optional) .
 * `permit_policies` - Is permitted permit policies (Optional) .
 * `permit_alert_actions` - Is permitted permit alert actions (Optional) .
-* `permit_on_boarding` - Is permitted permit on boarding (Optional)  .
+* `permit_on_boarding` - Is permitted permit onboarding (Optional)  .
 * `cross_account_access` - (Optional) Cross account access.
 * `create` - (Optional) Create permission list.
 * `access` - (Optional) Access permission list ([SRL](#SRL) Type).
 * `view` - (Optional) View permission list ([SRL](#SRL) Type).
 * `manage` - (Optional) Manage permission list ([SRL](#SRL) Type).
 
 ### SRL 
-* `type` - (Optional) Accepted values: AWS, Azure, GCP, OrganizationalUnit.
-* `main_id` - (Optional) Cloud Account or Organizational Unit ID.
+* `type` - (Optional) Accepted values: AWS, Azure, GCP, OrganizationalUnit, CloudGuardResources, CodeSecurityResources.
+* `main_id` - (Optional) Cloud Account, Organizational Unit ID or CodeSecurity Access Level (Admin, Member).
 * `region` - (Optional) Accepted values: "us_east_1", "us_west_1", "eu_west_1", "ap_southeast_1", "ap_northeast_1", "us_west_2", "sa_east_1", "ap_southeast_2", "eu_central_1", "ap_northeast_2", "ap_south_1", "us_east_2", "ca_central_1", "eu_west_2", "eu_west_3", "eu_north_1", "il_central_1", "ca_west_1".
 * `security_group_id` - (Optional) AWS Security Group ID.
 * `traffic` - (Optional) Accepted values: "All Traffic", "All Services".