feat:Service | added local policies (#279)

* SLK-88212:Updated service changes with local policies schema and example
aquasecurity · Jan 3, 2025 · 79e5518 · 79e5518
1 parent a96ea55
commit 79e5518
Show file tree

Hide file tree

Showing 8 changed files with 654 additions and 200 deletions.
diff --git a/aquasec/data_service.go b/aquasec/data_service.go
@@ -95,7 +95,84 @@ func dataSourceService() *schema.Resource {
 					Type: schema.TypeString,
 				},
 				Description: "The service's policies; an array of container firewall policy names.",
-				Computed:    true,
+				Required:    true,
+			},
+			"local_policies": {
+				Type:        schema.TypeList,
+				Description: "A list of local policies for the service, including inbound and outbound network rules.",
+				Optional:    true,
+				Elem: &schema.Resource{
+					Schema: map[string]*schema.Schema{
+						"name": {
+							Type:        schema.TypeString,
+							Description: "The name of the local policy.",
+							Required:    true,
+						},
+						"type": {
+							Type:        schema.TypeString,
+							Description: "The type of the local policy, e.g., access.control.",
+							Required:    true,
+						},
+						"description": {
+							Type:        schema.TypeString,
+							Description: "A description of the local policy.",
+							Optional:    true,
+						},
+						"inbound_networks": {
+							Type:        schema.TypeList,
+							Description: "Inbound network rules for the local policy.",
+							Optional:    true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"port_range": {
+										Type:        schema.TypeString,
+										Description: "The port range for the inbound network rule.",
+										Required:    true,
+									},
+									"resource_type": {
+										Type:        schema.TypeString,
+										Description: "The resource type for the inbound network rule (e.g., anywhere).",
+										Required:    true,
+									},
+									"allow": {
+										Type:        schema.TypeBool,
+										Description: "Whether the inbound network rule is allowed.",
+										Required:    true,
+									},
+								},
+							},
+						},
+						"outbound_networks": {
+							Type:        schema.TypeList,
+							Description: "Outbound network rules for the local policy.",
+							Optional:    true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									"port_range": {
+										Type:        schema.TypeString,
+										Description: "The port range for the outbound network rule.",
+										Required:    true,
+									},
+									"resource_type": {
+										Type:        schema.TypeString,
+										Description: "The resource type for the outbound network rule (e.g., anywhere).",
+										Required:    true,
+									},
+									"allow": {
+										Type:        schema.TypeBool,
+										Description: "Whether the outbound network rule is allowed.",
+										Required:    true,
+									},
+								},
+							},
+						},
+						"block_metadata_service": {
+							Type:        schema.TypeBool,
+							Description: "Whether to block access to the metadata service.",
+							Optional:    true,
+						},
+					},
+				},
 			},
 			"evaluated": {
 				Type:        schema.TypeBool,
@@ -196,11 +273,54 @@ func dataServiceRead(ctx context.Context, d *schema.ResourceData, m interface{})
 		d.Set("unregistered_count", service.UnregisteredCount)
 		d.Set("is_registered", service.IsRegistered)
 		d.Set("application_scopes", service.ApplicationScopes)
-
+		if err := d.Set("local_policies", flattenLocalPolicies(service.LocalPolicies)); err != nil {
+			return diag.FromErr(err)
+		}
 		d.SetId(name)
 	} else {
 		return diag.FromErr(err)
 	}
 
 	return nil
 }
+func flattenLocalPolicies(policies []client.LocalPolicy) []map[string]interface{} {
+	if policies == nil {
+		return []map[string]interface{}{}
+	}
+
+	var result []map[string]interface{}
+	for _, policy := range policies {
+		p := map[string]interface{}{
+			"name":                   policy.Name,
+			"type":                   policy.Type,
+			"description":            policy.Description,
+			"block_metadata_service": policy.BlockMetadataService,
+		}
+
+		// Flatten inbound_networks
+		var inboundNetworks []map[string]interface{}
+		for _, inbound := range policy.InboundNetworks {
+			inboundNetworks = append(inboundNetworks, map[string]interface{}{
+				"port_range":    inbound.PortRange,
+				"resource_type": inbound.ResourceType,
+				"allow":         inbound.Allow,
+			})
+		}
+		p["inbound_networks"] = inboundNetworks
+
+		// Flatten outbound_networks
+		var outboundNetworks []map[string]interface{}
+		for _, outbound := range policy.OutboundNetworks {
+			outboundNetworks = append(outboundNetworks, map[string]interface{}{
+				"port_range":    outbound.PortRange,
+				"resource_type": outbound.ResourceType,
+				"allow":         outbound.Allow,
+			})
+		}
+		p["outbound_networks"] = outboundNetworks
+
+		result = append(result, p)
+	}
+
+	return result
+}
diff --git a/aquasec/data_service_test.go b/aquasec/data_service_test.go
@@ -26,7 +26,7 @@ func TestDataSourceServiceBasic(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "policies.#", fmt.Sprintf("%d", len(basicService.Policies))),
 					resource.TestCheckResourceAttr(rootRef, "policies.0", basicService.Policies[0]),
 					resource.TestCheckResourceAttr(rootRef, "enforce", "false"),
-					resource.TestCheckResourceAttr(rootRef, "application_scopes.#", fmt.Sprintf("%v", len(basicService.ApplicationScopes))),
+					resource.TestCheckResourceAttr(rootRef, "application_scopes.#", fmt.Sprintf("%d", len(basicService.ApplicationScopes))),
 					resource.TestCheckResourceAttr(rootRef, "application_scopes.0", basicService.ApplicationScopes[0]),
 					resource.TestCheckResourceAttr(rootRef, "priority", "100"),
 					resource.TestCheckResourceAttr(rootRef, "target", basicService.MembershipRules.Target),
@@ -38,12 +38,23 @@ func TestDataSourceServiceBasic(t *testing.T) {
 					resource.TestCheckResourceAttrSet(rootRef, "lastupdate"),
 					resource.TestCheckResourceAttrSet(rootRef, "evaluated"),
 					resource.TestCheckResourceAttrSet(rootRef, "is_registered"),
+
+					// Assert no local policies
+					resource.TestCheckResourceAttr(rootRef, "local_policies.#", "0"),
 				),
 			},
 		},
 	})
 }
 
+func getBasicServiceData() string {
+	return getBasicServiceResource() + `
+	data "aquasec_service" "test-svc" {
+		name     = aquasec_service.test-basic-svc.id
+		policies = aquasec_service.test-basic-svc.policies
+	}
+	`
+}
 func TestDataSourceServiceComplex(t *testing.T) {
 	t.Parallel()
 	rootRef := "data.aquasec_service.test-svc"
@@ -56,24 +67,32 @@ func TestDataSourceServiceComplex(t *testing.T) {
 			{
 				Config: getComplexServiceData(),
 				Check: resource.ComposeAggregateTestCheckFunc(
-					resource.TestCheckResourceAttr(rootRef, "name", complexService.Name),
-					resource.TestCheckResourceAttr(rootRef, "description", complexService.Description),
+					resource.TestCheckResourceAttr(rootRef, "name", "test-complex-svc"),
+					resource.TestCheckResourceAttr(rootRef, "description", "Test complex service"),
 					resource.TestCheckResourceAttr(rootRef, "monitoring", "false"),
-					resource.TestCheckResourceAttr(rootRef, "policies.#", fmt.Sprintf("%d", len(complexService.Policies))),
-					resource.TestCheckResourceAttr(rootRef, "policies.0", complexService.Policies[0]),
-					resource.TestCheckResourceAttr(rootRef, "enforce", fmt.Sprintf("%v", complexService.Enforce)),
-					resource.TestCheckResourceAttr(rootRef, "application_scopes.#", fmt.Sprintf("%d", len(complexService.ApplicationScopes))),
-					resource.TestCheckResourceAttr(rootRef, "application_scopes.0", complexService.ApplicationScopes[0]),
-					resource.TestCheckResourceAttr(rootRef, "priority", fmt.Sprintf("%d", complexService.MembershipRules.Priority)),
-					resource.TestCheckResourceAttr(rootRef, "target", complexService.MembershipRules.Target),
-					resource.TestCheckResourceAttr(rootRef, "scope_expression", complexService.MembershipRules.Scope.Expression),
-					resource.TestCheckResourceAttr(rootRef, "scope_variables.#", fmt.Sprintf("%v", len(complexService.MembershipRules.Scope.Variables))),
-					resource.TestCheckResourceAttr(rootRef, "scope_variables.0.attribute", complexService.MembershipRules.Scope.Variables[0].Attribute),
-					resource.TestCheckResourceAttr(rootRef, "scope_variables.0.value", complexService.MembershipRules.Scope.Variables[0].Value),
-					resource.TestCheckResourceAttr(rootRef, "scope_variables.1.attribute", complexService.MembershipRules.Scope.Variables[1].Attribute),
-					resource.TestCheckResourceAttr(rootRef, "scope_variables.1.value", complexService.MembershipRules.Scope.Variables[1].Value),
-					resource.TestCheckResourceAttr(rootRef, "scope_variables.2.attribute", complexService.MembershipRules.Scope.Variables[2].Attribute),
-					resource.TestCheckResourceAttr(rootRef, "scope_variables.2.value", complexService.MembershipRules.Scope.Variables[2].Value),
+					resource.TestCheckResourceAttr(rootRef, "policies.#", "2"),
+					resource.TestCheckResourceAttr(rootRef, "policies.0", "local-policy-1"),
+					resource.TestCheckResourceAttr(rootRef, "policies.1", "default"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.#", "1"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.name", "local-policy-1"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.type", "access.control"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.description", "Local policy for testing"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.block_metadata_service", "true"),
+
+					// Inbound Networks
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.#", "1"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.port_range", "22-80"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.resource_type", "anywhere"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.allow", "true"),
+
+					// Outbound Networks
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.#", "1"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.port_range", "443"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource_type", "anywhere"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.allow", "false"),
+
+					resource.TestCheckResourceAttr(rootRef, "priority", "1"),
+					resource.TestCheckResourceAttr(rootRef, "target", "container"),
 					resource.TestCheckResourceAttr(rootRef, "author", os.Getenv("AQUA_USER")),
 					resource.TestCheckResourceAttrSet(rootRef, "containers_count"),
 					resource.TestCheckResourceAttrSet(rootRef, "lastupdate"),
@@ -85,20 +104,11 @@ func TestDataSourceServiceComplex(t *testing.T) {
 	})
 }
 
-func getBasicServiceData() string {
-	return getBasicServiceResource() + fmt.Sprintf(`
-	
-	data "aquasec_service" "test-svc" {
-		name = aquasec_service.test-basic-svc.id
-	}
-`)
-}
-
 func getComplexServiceData() string {
 	return getComplexServiceResource() + fmt.Sprintf(`
-	
 	data "aquasec_service" "test-svc" {
 		name = aquasec_service.test-complex-svc.id
+		policies = aquasec_service.test-complex-svc.policies
 	}
 `)
 }