From f95089c955e85fd10af57fbd48d0e008a98272d9 Mon Sep 17 00:00:00 2001 From: DanamoCP Date: Tue, 3 Sep 2024 15:27:40 +0300 Subject: [PATCH] AL-2552 - Add support to custom VPC (#221) --- dome9/common/providerconst/const.go | 1 + dome9/common/testing/variable/variable.go | 2 + dome9/data_source_dome9_awp_aws_onboarding.go | 34 ++------ ...ta_source_dome9_awp_aws_onboarding_test.go | 1 + .../data_source_dome9_awp_azure_onboarding.go | 35 ++------ dome9/resource_dome9_awp_aws_onboarding.go | 57 ++++-------- .../resource_dome9_awp_aws_onboarding_test.go | 4 + dome9/resource_dome9_awp_azure_onboarding.go | 86 ++++++------------- ...esource_dome9_awp_azure_onboarding_test.go | 4 + examples/awp/aws_onboarding/main.tf | 1 + examples/awp/azure_onboarding/main.tf | 1 + go.mod | 2 +- go.sum | 4 +- .../awp/aws_onboarding/aws_onboarding.go | 11 ++- .../awp/azure_onboarding/azure_onboarding.go | 11 ++- .../services/awp/onboarding_common.go | 19 ++-- vendor/modules.txt | 2 +- .../docs/d/awp_aws_onboarding.html.markdown | 1 - .../docs/d/awp_azure_onboarding.html.markdown | 1 - .../docs/r/awp_aws_onboarding.html.markdown | 5 +- .../docs/r/awp_azure_onboarding.html.markdown | 5 +- 21 files changed, 103 insertions(+), 184 deletions(-) diff --git a/dome9/common/providerconst/const.go b/dome9/common/providerconst/const.go index 4d111705..d8ffda58 100644 --- a/dome9/common/providerconst/const.go +++ b/dome9/common/providerconst/const.go @@ -212,4 +212,5 @@ const ( DefaultMaxConcurrentScansPerRegion = 20 MinMaxConcurrentScansPerRegion = 1 MaxScanMachineIntervalInHours = 1000 + DefaultInAccountScannerVPCMode = "ManagedByAWP" ) diff --git a/dome9/common/testing/variable/variable.go b/dome9/common/testing/variable/variable.go index 2f534ca7..a143eaee 100644 --- a/dome9/common/testing/variable/variable.go +++ b/dome9/common/testing/variable/variable.go 
@@ -269,6 +269,8 @@ const ( ScanMachineIntervalInHoursUpdate = "11" MaxConcurrentScansPerRegion = "4" MaxConcurrentScansPerRegionUpdate = "8" + InAccountScannerVPC = "ManagedByAWP" + InAccountScannerVPCUpdate = "ManagedByCustomer" CustomTags = `{ tag1 = "value1" tag2 = "value2" diff --git a/dome9/data_source_dome9_awp_aws_onboarding.go b/dome9/data_source_dome9_awp_aws_onboarding.go index 2dd2bc0b..248c6864 100644 --- a/dome9/data_source_dome9_awp_aws_onboarding.go +++ b/dome9/data_source_dome9_awp_aws_onboarding.go @@ -39,6 +39,10 @@ func dataSourceAwpAwsOnboarding() *schema.Resource { Type: schema.TypeInt, Computed: true, }, + "in_account_scanner_vpc": { + Type: schema.TypeString, + Computed: true, + }, "custom_tags": { Type: schema.TypeMap, Computed: true, @@ -54,30 +58,6 @@ func dataSourceAwpAwsOnboarding() *schema.Resource { Computed: true, Elem: &schema.Schema{Type: schema.TypeString}, }, - "account_issues": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "regions": { - Type: schema.TypeMap, - Optional: true, - }, - "account": { - Type: schema.TypeMap, - Optional: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "issue_type": { - Type: schema.TypeString, - Optional: true, - }, - }, - }, - }, - }, - }, - }, "cloud_account_id": { Type: schema.TypeString, Computed: true, @@ -133,10 +113,6 @@ func dataSourceAwpAwsOnboardingRead(d *schema.ResourceData, meta interface{}) er return err } } - if resp.AccountIssues != nil { - if err := d.Set("account_issues", flattenAccountIssues(resp.AccountIssues)); err != nil { - return err - } - } + return nil } diff --git a/dome9/data_source_dome9_awp_aws_onboarding_test.go b/dome9/data_source_dome9_awp_aws_onboarding_test.go index d45fb76c..9487635f 100644 --- a/dome9/data_source_dome9_awp_aws_onboarding_test.go +++ b/dome9/data_source_dome9_awp_aws_onboarding_test.go 
@@ -37,6 +37,7 @@ func TestAccDataSourceAwpAwsOnboardingBasic(t *testing.T) { resource.TestCheckResourceAttrPair(awpAwsOnboardingDataSourceTypeAndName, "agentless_account_settings.0.disabled_regions.1", awpAwsOnboardingResourceTypeAndName, "agentless_account_settings.0.disabled_regions.1"), resource.TestCheckResourceAttrPair(awpAwsOnboardingDataSourceTypeAndName, "agentless_account_settings.0.scan_machine_interval_in_hours", awpAwsOnboardingResourceTypeAndName, "agentless_account_settings.0.scan_machine_interval_in_hours"), resource.TestCheckResourceAttrPair(awpAwsOnboardingDataSourceTypeAndName, "agentless_account_settings.0.max_concurrent_scans_per_region", awpAwsOnboardingResourceTypeAndName, "agentless_account_settings.0.max_concurrent_scans_per_region"), + resource.TestCheckResourceAttrPair(awpAwsOnboardingDataSourceTypeAndName, "agentless_account_settings.0.in_account_scanner_vpc", awpAwsOnboardingResourceTypeAndName, "agentless_account_settings.0.in_account_scanner_vpc"), resource.TestCheckResourceAttrPair(awpAwsOnboardingDataSourceTypeAndName, "agentless_account_settings.0.custom_tags.%", awpAwsOnboardingResourceTypeAndName, "agentless_account_settings.0.custom_tags.%"), resource.TestCheckResourceAttrPair(awpAwsOnboardingDataSourceTypeAndName, "missing_awp_private_network_regions", awpAwsOnboardingResourceTypeAndName, "missing_awp_private_network_regions"), resource.TestCheckResourceAttrPair(awpAwsOnboardingDataSourceTypeAndName, "agentless_protection_enabled", awpAwsOnboardingResourceTypeAndName, "agentless_protection_enabled"), diff --git a/dome9/data_source_dome9_awp_azure_onboarding.go b/dome9/data_source_dome9_awp_azure_onboarding.go index b8660af4..0843fc63 100644 --- a/dome9/data_source_dome9_awp_azure_onboarding.go +++ b/dome9/data_source_dome9_awp_azure_onboarding.go 
@@ -43,6 +43,11 @@ func dataSourceAwpAzureOnboarding() *schema.Resource { Type: schema.TypeInt, Computed: true, }, + "in_account_scanner_vpc": { + Type: schema.TypeString, + Optional: true, + Default: "ManagedByAWP", + }, "custom_tags": { Type: schema.TypeMap, Computed: true, @@ -58,30 +63,6 @@ func dataSourceAwpAzureOnboarding() *schema.Resource { Computed: true, Elem: &schema.Schema{Type: schema.TypeString}, }, - "account_issues": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "regions": { - Type: schema.TypeMap, - Optional: true, - }, - "account": { - Type: schema.TypeMap, - Optional: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "issue_type": { - Type: schema.TypeString, - Optional: true, - }, - }, - }, - }, - }, - }, - }, "cloud_account_id": { Type: schema.TypeString, Computed: true, @@ -132,10 +113,6 @@ func dataSourceAwpAzureOnboardingRead(d *schema.ResourceData, meta interface{}) return err } } - if resp.AccountIssues != nil { - if err := d.Set("account_issues", flattenAccountIssuesAzure(resp.AccountIssues)); err != nil { - return err - } - } + return nil } diff --git a/dome9/resource_dome9_awp_aws_onboarding.go b/dome9/resource_dome9_awp_aws_onboarding.go index ba22c960..d43887e7 100644 --- a/dome9/resource_dome9_awp_aws_onboarding.go +++ b/dome9/resource_dome9_awp_aws_onboarding.go @@ -81,6 +81,11 @@ func resourceAwpAwsOnboarding() *schema.Resource { Optional: true, Default: 20, }, + "in_account_scanner_vpc": { + Type: schema.TypeString, + Optional: true, + Default: "ManagedByAWP", + }, "custom_tags": { Type: schema.TypeMap, Optional: true, 
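Review bot: The `in_account_scanner_vpc` attribute added to the Azure data source schema (first hunk on this line) is declared `Optional: true, Default: "ManagedByAWP"`, while every sibling attribute in that block and the AWS data source's counterpart earlier in this patch are `Computed: true`. A data source only reports what the API returns, so a user-settable default here is inconsistent with the AWS data source and, as far as I can tell, would let a configured value mask the server-side setting. It should read `"in_account_scanner_vpc": { Type: schema.TypeString, Computed: true, },` as in data_source_dome9_awp_aws_onboarding.go.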
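Review bot: In the AWS resource schema hunk (`@@ -81,6 +81,11 @@`), `in_account_scanner_vpc` accepts any string, so a misspelled mode is only rejected by the API at apply time rather than at plan time; the values this patch exercises are `ManagedByAWP` and `ManagedByCustomer` (see the test variables in variable.go). Suggest `ValidateFunc: validation.StringInSlice([]string{"ManagedByAWP", "ManagedByCustomer"}, false),` alongside `Default: providerconst.DefaultInAccountScannerVPCMode,` instead of repeating the literal that const.go now defines. The same applies to the Azure resource schema hunk in resource_dome9_awp_azure_onboarding.go, whose import block in this patch already includes helper/validation; whether the AWS resource file imports it is outside the hunk. The resource docs in this patch describe the attribute only as "the scanner VPC mode" without naming the accepted values, so listing them there would help as well.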
@@ -96,30 +101,6 @@ func resourceAwpAwsOnboarding() *schema.Resource { Computed: true, Elem: &schema.Schema{Type: schema.TypeString}, }, - "account_issues": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "regions": { - Type: schema.TypeMap, - Optional: true, - }, - "account": { - Type: schema.TypeMap, - Optional: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "issue_type": { - Type: schema.TypeString, - Optional: true, - }, - }, - }, - }, - }, - }, - }, "cloud_account_id": { Type: schema.TypeString, Computed: true, @@ -193,7 +174,7 @@ func resourceAWPAWSOnboardingCreate(d *schema.ResourceData, meta interface{}) er func checkCentralized(d *schema.ResourceData, meta interface{}) (string, error) { scanMode := d.Get("scan_mode").(string) - if scanMode == "inAccountHub" || scanMode == "inAccountSub" { + if scanMode == "inAccountSub" { if _, ok := d.GetOk("agentless_account_settings"); ok { agentlessAccountSettingsList := d.Get("agentless_account_settings").([]interface{}) if len(agentlessAccountSettingsList) < 1 { @@ -248,12 +229,6 @@ func resourceAWPAWSOnboardingRead(d *schema.ResourceData, meta interface{}) erro return err } - if resp.AccountIssues != nil { - if err := d.Set("account_issues", flattenAccountIssues(resp.AccountIssues)); err != nil { - return err - } - } - return nil } @@ -295,6 +270,7 @@ func expandAgentlessAccountSettings(d *schema.ResourceData) (*awp_onboarding.Age DisabledRegions: make([]string, 0), CustomTags: make(map[string]string), ScanMachineIntervalInHours: scanMachineIntervalInHours, + InAccountScannerVPC: providerconst.DefaultInAccountScannerVPCMode, MaxConcurrenceScansPerRegion: providerconst.DefaultMaxConcurrentScansPerRegion, } 
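Review bot: In the `checkCentralized` hunk (`@@ -193,7 +174,7 @@`), narrowing the condition to `inAccountSub` does not change what the guard can catch: it only errors when `agentless_account_settings` passes `d.GetOk` and yet has fewer than one element, and as I read GetOk an empty list is a zero value that never reports ok, so the inner error is unreachable before and after this change. If the intent is still to reject settings for `inAccountSub`, the check should be `if len(agentlessAccountSettingsList) > 0 {`; if settings are now supported for both centralized modes (the Update hunk later in this file routes hub updates to a separate path), the block can be removed instead. The rest of checkCentralized and its error message lie outside the hunk.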
@@ -327,6 +303,10 @@ func expandAgentlessAccountSettings(d *schema.ResourceData) (*awp_onboarding.Age agentlessAccountSettings.MaxConcurrenceScansPerRegion = maxConcurrentScans } + if inAccountScannerVPC, ok := agentlessAccountSettingsMap["in_account_scanner_vpc"].(string); ok { + agentlessAccountSettings.InAccountScannerVPC = inAccountScannerVPC + } + if customTagsInterface, ok := agentlessAccountSettingsMap["custom_tags"].(map[string]interface{}); ok { customTags := make(map[string]string) for k, v := range customTagsInterface { @@ -359,20 +339,12 @@ func flattenAgentlessAccountSettings(settings *awp_onboarding.AgentlessAccountSe "disabled_regions": settings.DisabledRegions, "scan_machine_interval_in_hours": settings.ScanMachineIntervalInHours, "max_concurrent_scans_per_region": settings.MaxConcurrenceScansPerRegion, + "in_account_scanner_vpc": settings.InAccountScannerVPC, "custom_tags": settings.CustomTags, } return []interface{}{m} } -func flattenAccountIssues(accountIssues *awp_onboarding.AccountIssues) []interface{} { - m := map[string]interface{}{ - "regions": accountIssues.Regions, - "account": accountIssues.Account, - } - - return []interface{}{m} -} - func resourceAWPAWSOnboardingUpdate(d *schema.ResourceData, meta interface{}) error { d9Client := meta.(*Client) log.Println("An update occurred") @@ -405,8 +377,11 @@ func resourceAWPAWSOnboardingUpdate(d *schema.ResourceData, meta interface{}) er if err != nil { return err } + + scanMode := d.Get("scan_mode").(string) + // Send the update request - _, err = d9Client.awpAwsOnboarding.UpdateAWPSettings(d.Id(), *newAgentlessAccountSettings) + _, err = d9Client.awpAwsOnboarding.UpdateAWPSettings(d.Id(), scanMode, *newAgentlessAccountSettings) if err != nil { return err } diff --git a/dome9/resource_dome9_awp_aws_onboarding_test.go b/dome9/resource_dome9_awp_aws_onboarding_test.go index 9bb1ad9b..1260efd4 100644 --- a/dome9/resource_dome9_awp_aws_onboarding_test.go 
+++ b/dome9/resource_dome9_awp_aws_onboarding_test.go @@ -49,6 +49,7 @@ func TestAccResourceAWPAWSOnboardingBasic(t *testing.T) { resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.disabled_regions.1", disabledRegion2), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.scan_machine_interval_in_hours", variable.ScanMachineIntervalInHours), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.max_concurrent_scans_per_region", variable.MaxConcurrentScansPerRegion), + resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.in_account_scanner_vpc", variable.InAccountScannerVPC), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.custom_tags.%", "2"), resource.TestCheckResourceAttrSet(resourceTypeAndName, "id"), resource.TestCheckResourceAttr(resourceTypeAndName, "cloud_provider", "aws"), @@ -70,6 +71,7 @@ func TestAccResourceAWPAWSOnboardingBasic(t *testing.T) { resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.disabled_regions.3", disabledRegionUpdate4), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.scan_machine_interval_in_hours", variable.ScanMachineIntervalInHoursUpdate), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.max_concurrent_scans_per_region", variable.MaxConcurrentScansPerRegionUpdate), + resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.in_account_scanner_vpc", variable.InAccountScannerVPCUpdate), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.custom_tags.%", "3"), resource.TestCheckResourceAttrSet(resourceTypeAndName, "id"), resource.TestCheckResourceAttr(resourceTypeAndName, "cloud_provider", "aws"), 
@@ -154,6 +156,7 @@ resource "%s" "%s" { disabled_regions = %s scan_machine_interval_in_hours = "%s" max_concurrent_scans_per_region = "%s" + in_account_scanner_vpc = "%s" custom_tags = %s } } @@ -167,6 +170,7 @@ resource "%s" "%s" { IfThenElse(updateAction, variable.DisabledRegionsUpdate, variable.DisabledRegions), IfThenElse(updateAction, variable.ScanMachineIntervalInHoursUpdate, variable.ScanMachineIntervalInHours), IfThenElse(updateAction, variable.MaxConcurrentScansPerRegionUpdate, variable.MaxConcurrentScansPerRegion), + IfThenElse(updateAction, variable.InAccountScannerVPCUpdate, variable.InAccountScannerVPC), IfThenElse(updateAction, variable.CustomTagsUpdate, variable.CustomTags), ) } diff --git a/dome9/resource_dome9_awp_azure_onboarding.go b/dome9/resource_dome9_awp_azure_onboarding.go index 1d7663a1..9063c83c 100644 --- a/dome9/resource_dome9_awp_azure_onboarding.go +++ b/dome9/resource_dome9_awp_azure_onboarding.go @@ -8,12 +8,12 @@ import ( "strings" "github.com/dome9/dome9-sdk-go/dome9/client" - "github.com/dome9/dome9-sdk-go/services/awp/azure_onboarding" "github.com/dome9/dome9-sdk-go/services/awp" + "github.com/dome9/dome9-sdk-go/services/awp/azure_onboarding" + "github.com/dome9/dome9-sdk-go/services/cloudaccounts" "github.com/hashicorp/terraform-plugin-sdk/helper/schema" "github.com/hashicorp/terraform-plugin-sdk/helper/validation" "github.com/terraform-providers/terraform-provider-dome9/dome9/common/providerconst" - "github.com/dome9/dome9-sdk-go/services/cloudaccounts" ) func resourceAwpAzureOnboarding() *schema.Resource { @@ -45,12 +45,12 @@ func resourceAwpAzureOnboarding() *schema.Resource { "centralized_cloud_account_id": { Type: schema.TypeString, Optional: true, - Default: nil, + Default: nil, }, - "management_group_id":{ + "management_group_id": { Type: schema.TypeString, Optional: true, - Default: nil, + Default: nil, }, "agentless_account_settings": { Type: schema.TypeList, 
@@ -69,7 +69,6 @@ func resourceAwpAzureOnboarding() *schema.Resource { Type: schema.TypeBool, Optional: true, Default: false, - }, "scan_machine_interval_in_hours": { Type: schema.TypeInt, @@ -81,6 +80,11 @@ func resourceAwpAzureOnboarding() *schema.Resource { Optional: true, Default: 20, }, + "in_account_scanner_vpc": { + Type: schema.TypeString, + Optional: true, + Default: "ManagedByAWP", + }, "custom_tags": { Type: schema.TypeMap, Optional: true, @@ -96,30 +100,6 @@ func resourceAwpAzureOnboarding() *schema.Resource { Computed: true, Elem: &schema.Schema{Type: schema.TypeString}, }, - "account_issues": { - Type: schema.TypeList, - Computed: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "regions": { - Type: schema.TypeMap, - Optional: true, - }, - "account": { - Type: schema.TypeMap, - Optional: true, - Elem: &schema.Resource{ - Schema: map[string]*schema.Schema{ - "issue_type": { - Type: schema.TypeString, - Optional: true, - }, - }, - }, - }, - }, - }, - }, "cloud_account_id": { Type: schema.TypeString, Computed: true, 
@@ -177,25 +157,16 @@ func expandAWPOnboardingRequestAzure(d *schema.ResourceData, meta interface{}) ( return awp_azure_onboarding.CreateAWPOnboardingRequestAzure{}, err } return awp_azure_onboarding.CreateAWPOnboardingRequestAzure{ - ScanMode: d.Get("scan_mode").(string), - IsTerraform: true, - ManagementGroupId: d.Get("management_group_id").(string), - AgentlessAccountSettings: agentlessAccountSettings, - CentralizedCloudAccountId: cloudGuardHubAccountID, + ScanMode: d.Get("scan_mode").(string), + IsTerraform: true, + ManagementGroupId: d.Get("management_group_id").(string), + AgentlessAccountSettings: agentlessAccountSettings, + CentralizedCloudAccountId: cloudGuardHubAccountID, }, nil } func checkCentralizedAzure(d *schema.ResourceData, meta interface{}) (string, error) { scanMode := d.Get("scan_mode").(string) - if scanMode == "inAccountHub"{ - if _, ok := d.GetOk("agentless_account_settings"); ok { - agentlessAccountSettingsList := d.Get("agentless_account_settings").([]interface{}) - if len(agentlessAccountSettingsList) < 1 { - errorMsg := fmt.Sprintf("currently account settings not supported for centralized onboarding (%s)", scanMode) - return "", errors.New(errorMsg) - } - } - } if scanMode == "inAccountSub" { d9client := meta.(*Client) hubExternalAccountId, exist := d.Get("centralized_cloud_account_id").(string) @@ -203,7 +174,7 @@ func checkCentralizedAzure(d *schema.ResourceData, meta interface{}) (string, er errorMsg := fmt.Sprintf("centralized_cloud_account_id is required when scan_mode is inAccountSub, got '%s'", hubExternalAccountId) return "", errors.New(errorMsg) } - + getCloudAccountQueryParams := cloudaccounts.QueryParameters{ID: hubExternalAccountId} cloudAccountresp, _, err := d9client.cloudaccountAzure.Get(&getCloudAccountQueryParams) if err != nil { 
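Review bot: `checkCentralizedAzure` drops its settings guard entirely, whereas the AWS `checkCentralized` in this same patch keeps one for `inAccountSub`; after this change the two validators no longer mirror each other, which is worth either aligning or stating in a comment such as `// Centralized (hub) onboarding accepts agentless_account_settings; see the hub update path.` The remaining `inAccountSub` branch still requires `centralized_cloud_account_id`, so hub onboarding is now validated only by the API. The function continues past the hunk.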
@@ -242,12 +213,6 @@ func resourceAWPAzureOnboardingRead(d *schema.ResourceData, meta interface{}) er return err } - if resp.AccountIssues != nil { - if err := d.Set("account_issues", flattenAccountIssuesAzure(resp.AccountIssues)); err != nil { - return err - } - } - return nil } @@ -284,6 +249,7 @@ func expandAgentlessAccountSettingsAzure(d *schema.ResourceData) (*awp_onboardin SkipFunctionAppsScan: false, CustomTags: make(map[string]string), ScanMachineIntervalInHours: scanMachineIntervalInHours, + InAccountScannerVPC: providerconst.DefaultInAccountScannerVPCMode, MaxConcurrenceScansPerRegion: providerconst.DefaultMaxConcurrentScansPerRegion, } @@ -316,6 +282,10 @@ func expandAgentlessAccountSettingsAzure(d *schema.ResourceData) (*awp_onboardin agentlessAccountSettings.MaxConcurrenceScansPerRegion = maxConcurrentScans } + if inAccountScannerVPC, ok := agentlessAccountSettingsMap["in_account_scanner_vpc"].(string); ok { + agentlessAccountSettings.InAccountScannerVPC = inAccountScannerVPC + } + if customTagsInterface, ok := agentlessAccountSettingsMap["custom_tags"].(map[string]interface{}); ok { customTags := make(map[string]string) for k, v := range customTagsInterface { 
@@ -353,20 +323,12 @@ func flattenAgentlessAccountSettingsAzure(settings *awp_onboarding.AgentlessAcco "skip_function_apps_scan": settings.SkipFunctionAppsScan, "scan_machine_interval_in_hours": settings.ScanMachineIntervalInHours, "max_concurrent_scans_per_region": settings.MaxConcurrenceScansPerRegion, + "in_account_scanner_vpc": settings.InAccountScannerVPC, "custom_tags": settings.CustomTags, } return []interface{}{m} } -func flattenAccountIssuesAzure(accountIssues *awp_onboarding.AccountIssues) []interface{} { - m := map[string]interface{}{ - "regions": accountIssues.Regions, - "account": accountIssues.Account, - } - - return []interface{}{m} -} - func resourceAWPAzureOnboardingUpdate(d *schema.ResourceData, meta interface{}) error { d9Client := meta.(*Client) log.Println("An update occurred") @@ -386,7 +348,9 @@ func resourceAWPAzureOnboardingUpdate(d *schema.ResourceData, meta interface{}) return err } // Send the update request - _, err = d9Client.awpAzureOnboarding.UpdateAWPSettings(d.Id(), *newAgentlessAccountSettings) + scanMode := d.Get("scan_mode").(string) + + _, err = d9Client.awpAzureOnboarding.UpdateAWPSettings(d.Id(), scanMode, *newAgentlessAccountSettings) if err != nil { return err } diff --git a/dome9/resource_dome9_awp_azure_onboarding_test.go b/dome9/resource_dome9_awp_azure_onboarding_test.go index cd725ed2..6eb451cb 100644 --- a/dome9/resource_dome9_awp_azure_onboarding_test.go +++ b/dome9/resource_dome9_awp_azure_onboarding_test.go 
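Review bot: In the `resourceAWPAzureOnboardingUpdate` hunk the new `scanMode := d.Get("scan_mode").(string)` line is inserted after the `// Send the update request` comment, so the comment now describes a local read rather than the `UpdateAWPSettings` call below it. The AWS counterpart in this patch reads `scanMode` before the comment; matching that order (`scanMode := d.Get("scan_mode").(string)` followed by `// Send the update request`) keeps the two update functions parallel. The enclosing function starts and ends outside the hunk.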
@@ -41,6 +41,7 @@ func TestAccResourceAWPAzureOnboardingBasic(t *testing.T) { resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.disabled_regions.1", disabledRegion2), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.scan_machine_interval_in_hours", variable.ScanMachineIntervalInHours), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.max_concurrent_scans_per_region", variable.MaxConcurrentScansPerRegion), + resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.in_account_scanner_vpc", variable.InAccountScannerVPC), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.custom_tags.%", "2"), resource.TestCheckResourceAttrSet(resourceTypeAndName, "id"), resource.TestCheckResourceAttr(resourceTypeAndName, "cloud_provider", "azure"), @@ -59,6 +60,7 @@ func TestAccResourceAWPAzureOnboardingBasic(t *testing.T) { resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.disabled_regions.3", disabledRegionUpdate4), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.scan_machine_interval_in_hours", variable.ScanMachineIntervalInHoursUpdate), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.max_concurrent_scans_per_region", variable.MaxConcurrentScansPerRegionUpdate), + resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.in_account_scanner_vpc", variable.InAccountScannerVPCUpdate), resource.TestCheckResourceAttr(resourceTypeAndName, "agentless_account_settings.0.custom_tags.%", "3"), resource.TestCheckResourceAttrSet(resourceTypeAndName, "id"), resource.TestCheckResourceAttr(resourceTypeAndName, "cloud_provider", "azure"), 
@@ -119,6 +121,7 @@ resource "%s" "%s" { disabled_regions = %s scan_machine_interval_in_hours = "%s" max_concurrent_scans_per_region = "%s" + in_account_scanner_vpc = "%s" custom_tags = %s } } @@ -130,6 +133,7 @@ resource "%s" "%s" { IfThenElse(updateAction, variable.AzureDisabledRegionsUpdate, variable.AzureDisabledRegions), IfThenElse(updateAction, variable.ScanMachineIntervalInHoursUpdate, variable.ScanMachineIntervalInHours), IfThenElse(updateAction, variable.MaxConcurrentScansPerRegionUpdate, variable.MaxConcurrentScansPerRegion), + IfThenElse(updateAction, variable.InAccountScannerVPCUpdate, variable.InAccountScannerVPC), IfThenElse(updateAction, variable.CustomTagsUpdate, variable.CustomTags), ) } diff --git a/examples/awp/aws_onboarding/main.tf b/examples/awp/aws_onboarding/main.tf index 75e76685..9355ed73 100644 --- a/examples/awp/aws_onboarding/main.tf +++ b/examples/awp/aws_onboarding/main.tf @@ -65,6 +65,7 @@ module "terraform-dome9-awp-aws" { # scan_machine_interval_in_hours = 24 # disabled_regions = ["ap-northeast-1", "ap-northeast-2", ...] # List of regions to disable # max_concurrent_scans_per_region = 20 + # in_account_scanner_vpc = "ManagedByAWP" # custom_tags = { # tag1 = "value1" # tag2 = "value2" diff --git a/examples/awp/azure_onboarding/main.tf b/examples/awp/azure_onboarding/main.tf index 23d7d474..5beb91e2 100644 --- a/examples/awp/azure_onboarding/main.tf +++ b/examples/awp/azure_onboarding/main.tf @@ -45,6 +45,7 @@ module "terraform-dome9-awp-azure" { # skip_function_apps_scan = false # disabled_regions = ["eastus", "westus", ...] # List of regions to disable # max_concurrent_scans_per_region = 20 + # in_account_scanner_vpc = "ManagedByAWP" # custom_tags = { # tag1 = "value1" # tag2 = "value2" diff --git a/go.mod b/go.mod index de47bcca..f0c3fce7 100644 --- a/go.mod +++ b/go.mod 
@@ -3,7 +3,7 @@ module github.com/terraform-providers/terraform-provider-dome9
 go 1.19
 
 require (
-	github.com/dome9/dome9-sdk-go v1.23.6
+	github.com/dome9/dome9-sdk-go v1.23.7
 	github.com/google/uuid v1.1.2
 	github.com/hashicorp/terraform-plugin-sdk v1.17.2
 )
diff --git a/go.sum b/go.sum
index dbbc0a37..1f626e30 100644
--- a/go.sum
+++ b/go.sum
@@ -83,8 +83,8 @@ github.com/creack/pty v1.1.9/go.mod h1:oKZEueFk5CKHvIhNR5MUki03XCEU+Q6VDXinZuGJ3
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
-github.com/dome9/dome9-sdk-go v1.23.6 h1:DT8bCfvSeKs19a9hDfoeMdAxqOvLKReOux8fvIK2CfI=
-github.com/dome9/dome9-sdk-go v1.23.6/go.mod h1:mfA4+mIM0SmqGGBfbQSOhOi/KW0uV5WW7ozIHug4NKQ=
+github.com/dome9/dome9-sdk-go v1.23.7 h1:omD6vUmLGvuq41a9gtimKRQVjSw2jXhmhPVtl/nd4nE=
+github.com/dome9/dome9-sdk-go v1.23.7/go.mod h1:mfA4+mIM0SmqGGBfbQSOhOi/KW0uV5WW7ozIHug4NKQ=
 github.com/emirpasic/gods v1.12.0 h1:QAUIPSaCu4G+POclxeqb3F+WPpdKqFGlw36+yOzGlrg=
 github.com/emirpasic/gods v1.12.0/go.mod h1:YfzfFFoVP/catgzJb4IKIqXjX78Ha8FMSDh3ymbK86o=
 github.com/envoyproxy/go-control-plane v0.9.0/go.mod h1:YTl/9mNaCwkRvm6d1a2C3ymFceY/DCBVvsKhRF0iEA4=
diff --git a/vendor/github.com/dome9/dome9-sdk-go/services/awp/aws_onboarding/aws_onboarding.go b/vendor/github.com/dome9/dome9-sdk-go/services/awp/aws_onboarding/aws_onboarding.go
index b6e6d508..00ea46fd 100644
--- a/vendor/github.com/dome9/dome9-sdk-go/services/awp/aws_onboarding/aws_onboarding.go
+++ b/vendor/github.com/dome9/dome9-sdk-go/services/awp/aws_onboarding/aws_onboarding.go
@@ -55,8 +55,15 @@ func (service *Service) DeleteAWPOnboarding(id string, queryParams awp_onboardin
 	return awp_onboarding.DeleteAWPOnboarding(service.Client, awp_onboarding.ProviderAWS, id, queryParams)
 }
 
-func (service *Service) UpdateAWPSettings(id string, req awp_onboarding.AgentlessAccountSettings) (*http.Response, error) {
-	return awp_onboarding.UpdateAWPSettings(service.Client, awp_onboarding.ProviderAWS, id, req)
+func (service *Service) UpdateAWPSettings(id string, scan_mode string, req awp_onboarding.AgentlessAccountSettings) (*http.Response, error) {
+	pathPostfix := awp_onboarding.UpdatePostfix
+	if scan_mode == awp_onboarding.ScanModeInAccountHub {
+		pathPostfix = awp_onboarding.UpdateHubPostfix
+	}
+
+	path := fmt.Sprintf(awp_onboarding.OnboardingResourcePath, awp_onboarding.ProviderAWS, id)
+
+	return awp_onboarding.UpdateAWPSettings(service.Client, fmt.Sprintf("%s/%s", path, pathPostfix), req)
 }
 
 func (service *Service) GetOnboardingData() (*AgentlessTerraformOnboardingDataResponseAws, *http.Response, error) {
diff --git a/vendor/github.com/dome9/dome9-sdk-go/services/awp/azure_onboarding/azure_onboarding.go b/vendor/github.com/dome9/dome9-sdk-go/services/awp/azure_onboarding/azure_onboarding.go
index c21ac059..78a38332 100644
--- a/vendor/github.com/dome9/dome9-sdk-go/services/awp/azure_onboarding/azure_onboarding.go
+++ b/vendor/github.com/dome9/dome9-sdk-go/services/awp/azure_onboarding/azure_onboarding.go
@@ -50,8 +50,15 @@ func (service *Service) DeleteAWPOnboarding(id string) (*http.Response, error) {
 	return awp_onboarding.DeleteAWPOnboarding(service.Client, awp_onboarding.ProviderAzure, id, awp_onboarding.DeleteOptions{})
 }
 
-func (service *Service) UpdateAWPSettings(id string, req awp_onboarding.AgentlessAccountSettings) (*http.Response, error) {
-	return awp_onboarding.UpdateAWPSettings(service.Client, awp_onboarding.ProviderAzure, id, req)
+func (service *Service) UpdateAWPSettings(id string, scan_mode string, req awp_onboarding.AgentlessAccountSettings) (*http.Response, error) {
+	pathPostfix := awp_onboarding.UpdatePostfix
+	if scan_mode == awp_onboarding.ScanModeInAccountHub {
+		pathPostfix = awp_onboarding.UpdateHubPostfix
+	}
+
+	path := fmt.Sprintf(awp_onboarding.OnboardingResourcePath, awp_onboarding.ProviderAzure, id)
+
+	return awp_onboarding.UpdateAWPSettings(service.Client, fmt.Sprintf("%s/%s", path, pathPostfix), req)
 }
 
 func (service *Service) GetOnboardingData(id string, req GetAWPOnboardingDataRequestAzure) (*AgentlessTerraformOnboardingDataResponseAzure, *http.Response, error) {
diff --git a/vendor/github.com/dome9/dome9-sdk-go/services/awp/onboarding_common.go b/vendor/github.com/dome9/dome9-sdk-go/services/awp/onboarding_common.go
index 9053b0d6..4f5fe689 100644
--- a/vendor/github.com/dome9/dome9-sdk-go/services/awp/onboarding_common.go
+++ b/vendor/github.com/dome9/dome9-sdk-go/services/awp/onboarding_common.go
@@ -17,6 +17,8 @@ const (
 	EnablePostfix = "enable"
 	EnableSubPostfix = "enableSubAccount"
 	EnableHubPostfix = "enableCentralizedAccount"
+	UpdatePostfix = "settings"
+	UpdateHubPostfix = "centralizedAccountSettings"
 )
 
 const (
@@ -37,18 +39,13 @@ type AgentlessAccountSettings struct { ScanMachineIntervalInHours int `json:"scanMachineIntervalInHours"` MaxConcurrenceScansPerRegion int `json:"maxConcurrenceScansPerRegion"` SkipFunctionAppsScan bool `json:"skipFunctionAppsScan"` + InAccountScannerVPC string `json:"inAccountScannerVPC"` CustomTags map[string]string `json:"customTags"` } -type AccountIssues struct { - Regions map[string]interface{} `json:"regions"` - Account *map[string]interface{} `json:"account"` -} - type GetAWPOnboardingResponse struct { AgentlessAccountSettings *AgentlessAccountSettings `json:"agentlessAccountSettings"` MissingAwpPrivateNetworkRegions *[]string `json:"missingAwpPrivateNetworkRegions"` - AccountIssues *AccountIssues `json:"accountIssues"` CloudAccountId string `json:"cloudAccountId"` AgentlessProtectionEnabled bool `json:"agentlessProtectionEnabled"` ScanMode string `json:"scanMode"` @@ -88,11 +85,9 @@ func DeleteAWPOnboarding(client *client.Client, cloudProvider string, id string, return resp, nil } -func UpdateAWPSettings(client *client.Client, cloudProvider string, id string, req AgentlessAccountSettings) (*http.Response, error) { - // Construct the URL path - path := fmt.Sprintf(OnboardingResourcePath, cloudProvider, id) +func UpdateAWPSettings(client *client.Client, path string, req AgentlessAccountSettings) (*http.Response, error) { // Make a PATCH request with the JSON body - resp, err := client.NewRequestDoRetry("PATCH", fmt.Sprintf("%s/settings", path), nil, req, nil, shouldRetry) + resp, err := client.NewRequestDoRetry("PATCH", path, nil, req, nil, shouldRetry) if err != nil { return nil, err } @@ -100,5 +95,5 @@ func UpdateAWPSettings(client *client.Client, cloudProvider string, id string, r } func shouldRetry(resp *http.Response) bool { - return resp != nil && resp.StatusCode >= 400 && resp.StatusCode < 600 -} \ No newline at end of file + return resp != nil && resp.StatusCode >= 400 && resp.StatusCode < 600 +} 
diff --git a/vendor/modules.txt b/vendor/modules.txt
index af19afed..7f2f7ae0 100644
--- a/vendor/modules.txt
+++ b/vendor/modules.txt
@@ -94,7 +94,7 @@ github.com/bgentry/speakeasy
 # github.com/davecgh/go-spew v1.1.1
 ## explicit
 github.com/davecgh/go-spew/spew
-# github.com/dome9/dome9-sdk-go v1.23.6
+# github.com/dome9/dome9-sdk-go v1.23.7
 ## explicit; go 1.19
 github.com/dome9/dome9-sdk-go/dome9
 github.com/dome9/dome9-sdk-go/dome9/client
diff --git a/website/docs/d/awp_aws_onboarding.html.markdown b/website/docs/d/awp_aws_onboarding.html.markdown
index eb99329b..90c99db1 100644
--- a/website/docs/d/awp_aws_onboarding.html.markdown
+++ b/website/docs/d/awp_aws_onboarding.html.markdown
@@ -33,7 +33,6 @@ In addition to all arguments above, the following attributes exported:
 * `scan_mode` - The scan mode of the onboarding process
 * `agentless_account_settings` - The settings for the agentless account that the awp scanner will be configured with.
 * `missing_awp_private_network_regions` - The regions missing AWP private network.
-* `account_issues` - The issues related to the awp account.
 * `cloud_account_id` - The CloudGuard account ID.
 * `agentless_protection_enabled` - Whether agentless protection is enabled or not.
 * `cloud_provider` - The cloud provider for the onboarding process.
diff --git a/website/docs/d/awp_azure_onboarding.html.markdown b/website/docs/d/awp_azure_onboarding.html.markdown
index 08836e3a..5f549613 100644
--- a/website/docs/d/awp_azure_onboarding.html.markdown
+++ b/website/docs/d/awp_azure_onboarding.html.markdown
@@ -33,7 +33,6 @@ In addition to all arguments above, the following attributes exported:
 * `scan_mode` - The scan mode of the onboarding process
 * `agentless_account_settings` - The settings for the agentless account that the awp scanner will be configured with.
 * `missing_awp_private_network_regions` - The regions missing AWP private network.
-* `account_issues` - The issues related to the awp account.
 * `cloud_account_id` - The CloudGuard account ID.
 * `agentless_protection_enabled` - Whether agentless protection is enabled or not.
 * `cloud_provider` - The cloud provider for the onboarding process.
diff --git a/website/docs/r/awp_aws_onboarding.html.markdown b/website/docs/r/awp_aws_onboarding.html.markdown
index ef58436e..3601b5b4 100644
--- a/website/docs/r/awp_aws_onboarding.html.markdown
+++ b/website/docs/r/awp_aws_onboarding.html.markdown
@@ -50,6 +50,7 @@ module "terraform-dome9-awp-aws" {
 # scan_machine_interval_in_hours = 24
 # disabled_regions = ["ap-northeast-1", "ap-northeast-2", ...] # List of regions to disable
 # max_concurrent_scans_per_region = 20
+ # in_account_scanner_vpc = "ManagedByAWP"
 # custom_tags = {
 # tag1 = "value1"
 # tag2 = "value2"
@@ -69,6 +70,7 @@ module "terraform-dome9-awp-aws" {
 # The disabled_regions attribute is used to specify the disabled regions of the agentless account settings of the Dome9 AWP AWS Onboarding.
 # The scan_machine_interval_in_hours attribute is used to specify the scan machine interval in hours of the agentless account settings of the Dome9 AWP AWS Onboarding.
 # The max_concurrent_scans_per_region attribute is used to specify the max concurrent scans per region of the agentless account settings of the Dome9 AWP AWS Onboarding.
+# The in_account_scanner_vpc attribute is used to specify the scanner VPC mode of the agentless account settings of the Dome9 AWP AWS Onboarding.
 # The custom_tags attribute is used to specify the custom tags of the agentless account settings of the Dome9 AWP AWS Onboarding.
 resource "dome9_awp_aws_onboarding" "awp_aws_onboarding_test" {
 cloudguard_account_id = "dome9_cloudaccount_aws.aws_onboarding_account_test.id | | "
@@ -83,6 +85,7 @@ resource "dome9_awp_aws_onboarding" "awp_aws_onboarding_test" {
 disabled_regions = ["us-east-1", "us-west-1", "ap-northeast-1", "ap-southeast-2"]
 scan_machine_interval_in_hours = 24
 max_concurrent_scans_per_region = 20
+ in_account_scanner_vpc = "ManagedByAWP"
 custom_tags = {
 tag1 = "value1"
 tag2 = "value2"
@@ -110,13 +113,13 @@ The following arguments are supported:
 * `disabled_regions` - (Optional) The disabled regions. valid values are "af-south-1", "ap-south-1", "eu-north-1", "eu-west-3", "eu-south-1", "eu-west-2", "eu-west-1", "ap-northeast-3", "ap-northeast-2", "me-south-1", "ap-northeast-1", "me-central-1", "ca-central-1", "sa-east-1", "ap-east-1", "ap-southeast-1", "ap-southeast-2", "eu-central-1", "ap-southeast-3", "us-east-1", "us-east-2", "us-west-1", "us-west-2"
 * `scan_machine_interval_in_hours` - (Optional) The scan machine interval in hours
 * `max_concurrent_scans_per_region` - (Optional) The max concurrent scans per region
+ * `in_account_scanner_vpc` - (Optional) The VPC mode. Valid values are "ManagedByAWP" or "ManagedByCustomer".
 * `custom_tags` - (Optional) The custom tags.
 * `should_create_policy` - (Optional) Whether to create a policy. Default is true.
 
 ## Attributes Reference
 
 * `missing_awp_private_network_regions` - The missing AWP private network regions.
-* `account_issues` - The account issues.
 * `cloud_account_id` - The cloud guard account id.
 * `agentless_protection_enabled` - Whether agentless protection is enabled.
 * `cloud_provider` - The cloud provider.
diff --git a/website/docs/r/awp_azure_onboarding.html.markdown b/website/docs/r/awp_azure_onboarding.html.markdown
index 71623a21..0169fb1b 100644
--- a/website/docs/r/awp_azure_onboarding.html.markdown
+++ b/website/docs/r/awp_azure_onboarding.html.markdown
@@ -45,6 +45,7 @@ module "terraform-dome9-awp-azure" {
 # skip_function_apps_scan = false
 # disabled_regions = ["eastus", "westus", ...] # List of regions to disable
 # max_concurrent_scans_per_region = 20
+ # in_account_scanner_vpc = "ManagedByAWP"
 # custom_tags = {
 # tag1 = "value1"
 # tag2 = "value2"
@@ -64,6 +65,7 @@ module "terraform-dome9-awp-azure" {
 # The skip_function_apps_scan attribute is used to specify if skip Azure Function Apps scan in the agentless account settings of the Dome9 AWP Azure Onboarding.
 # The scan_machine_interval_in_hours attribute is used to specify the scan machine interval in hours of the agentless account settings of the Dome9 AWP Azure Onboarding.
 # The max_concurrent_scans_per_region attribute is used to specify the max concurrent scans per region of the agentless account settings of the Dome9 AWP Azure Onboarding.
+# The in_account_scanner_vpc attribute is used to specify the scanner VPC mode of the agentless account settings of the Dome9 AWP AWS Onboarding.
 # The custom_tags attribute is used to specify the custom tags of the agentless account settings of the Dome9 AWP Azure Onboarding.
 resource "dome9_awp_azure_onboarding" "awp_azure_onboarding_test" {
 cloudguard_account_id = "dome9_cloudaccount_azure.azure_onboarding_account_test.id | | "
@@ -77,6 +79,7 @@ resource "dome9_awp_azure_onboarding" "awp_azure_onboarding_test" {
 skip_function_apps_scan = false
 scan_machine_interval_in_hours = 24
 max_concurrent_scans_per_region = 20
+ in_account_scanner_vpc = "ManagedByAWP"
 custom_tags = {
 tag1 = "value1"
 tag2 = "value2"
@@ -104,13 +107,13 @@ The following arguments are supported:
 * `scan_machine_interval_in_hours` - (Optional) The scan machine interval in hours
 * `skip_function_apps_scan` - (Optional) Skip Azure Function Apps scan (supported for inAccount and inAccountSub scan modes)
 * `max_concurrent_scans_per_region` - (Optional) The max concurrent scans per region
+ * `in_account_scanner_vpc` = optional(string) # The VPC Mode. Valid values: "ManagedByAWP", "ManagedByCustomer" (supported for inAccount and inAccountHub scan modes)
 * `custom_tags` - (Optional) The custom tags.
 * `should_create_policy` - (Optional) Whether to create a policy. Default is true.
 
 ## Attributes Reference
 
 * `missing_awp_private_network_regions` - The missing AWP private network regions.
-* `account_issues` - The account issues.
 * `cloud_account_id` - The cloud guard account id.
 * `agentless_protection_enabled` - Whether agentless protection is enabled.
 * `cloud_provider` - The cloud provider.