Fix firewall settings for Aqua Services

added optional "resource" field for being able to add custom CIDR's Resolves: SLK-90014
aquasecurity · Jan 16, 2025 · 82a54da · 82a54da
1 parent cb400a0
commit 82a54da
Show file tree

Hide file tree

Showing 8 changed files with 64 additions and 24 deletions.
diff --git a/aquasec/data_service.go b/aquasec/data_service.go
@@ -134,6 +134,11 @@ func dataSourceService() *schema.Resource {
 										Description: "The resource type for the inbound network rule (e.g., anywhere).",
 										Required:    true,
 									},
+									"resource": {
+										Type:        schema.TypeString,
+										Description: "Custom ip for the inbound network rule (e.g., 190.1.2.3/12).",
+										Optional:    true,
+									},
 									"allow": {
 										Type:        schema.TypeBool,
 										Description: "Whether the inbound network rule is allowed.",
@@ -158,6 +163,11 @@ func dataSourceService() *schema.Resource {
 										Description: "The resource type for the outbound network rule (e.g., anywhere).",
 										Required:    true,
 									},
+									"resource": {
+										Type:        schema.TypeString,
+										Description: "Custom ip for the outbound network rule (e.g., 190.1.2.3/12).",
+										Optional:    true,
+									},
 									"allow": {
 										Type:        schema.TypeBool,
 										Description: "Whether the outbound network rule is allowed.",
@@ -303,6 +313,7 @@ func flattenLocalPolicies(policies []client.LocalPolicy) []map[string]interface{
 			inboundNetworks = append(inboundNetworks, map[string]interface{}{
 				"port_range":    inbound.PortRange,
 				"resource_type": inbound.ResourceType,
+				"resource":      inbound.Resource,
 				"allow":         inbound.Allow,
 			})
 		}
@@ -314,6 +325,7 @@ func flattenLocalPolicies(policies []client.LocalPolicy) []map[string]interface{
 			outboundNetworks = append(outboundNetworks, map[string]interface{}{
 				"port_range":    outbound.PortRange,
 				"resource_type": outbound.ResourceType,
+				"resource":      outbound.Resource,
 				"allow":         outbound.Allow,
 			})
 		}

diff --git a/aquasec/data_service_test.go b/aquasec/data_service_test.go
@@ -84,12 +84,14 @@ func TestDataSourceServiceComplex(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.port_range", "22-80"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.resource_type", "anywhere"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.allow", "true"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.resource", "192.168.1.0/24"),
 
 					// Outbound Networks
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.port_range", "443"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource_type", "anywhere"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.allow", "false"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource", "10.0.0.0/16"),
 
 					resource.TestCheckResourceAttr(rootRef, "priority", "1"),
 					resource.TestCheckResourceAttr(rootRef, "target", "container"),

diff --git a/aquasec/resource_service.go b/aquasec/resource_service.go
@@ -146,6 +146,11 @@ func resourceService() *schema.Resource {
 										Description: "The resource type for the inbound network rule (e.g., anywhere).",
 										Required:    true,
 									},
+									"resource": {
+										Type:        schema.TypeString,
+										Description: "Custom ip for the inbound network rule (e.g., 190.1.2.3/12).",
+										Optional:    true,
+									},
 									"allow": {
 										Type:        schema.TypeBool,
 										Description: "Whether the inbound network rule is allowed.",
@@ -170,6 +175,11 @@ func resourceService() *schema.Resource {
 										Description: "The resource type for the outbound network rule (e.g., anywhere).",
 										Required:    true,
 									},
+									"resource": {
+										Type:        schema.TypeString,
+										Description: "Custom ip for the outbound network rule (e.g., 190.1.2.3/12).",
+										Optional:    true,
+									},
 									"allow": {
 										Type:        schema.TypeBool,
 										Description: "Whether the outbound network rule is allowed.",
@@ -333,6 +343,7 @@ func convertNetworkRulesToNetworks(networkRules []client.NetworkRule) []map[stri
 			"allow":         networkRule.Allow,
 			"port_range":    networkRule.PortRange,
 			"resource_type": networkRule.ResourceType,
+			"resource":      networkRule.Resource,
 		})
 	}
 	return networkMaps
@@ -539,6 +550,7 @@ func expandNetworks(networks []interface{}) []client.NetworkRule {
 		networkRules = append(networkRules, client.NetworkRule{
 			PortRange:    rule["port_range"].(string),
 			ResourceType: rule["resource_type"].(string),
+			Resource:     rule["resource"].(string),
 			Allow:        rule["allow"].(bool),
 		})
 	}

diff --git a/aquasec/resource_service_test.go b/aquasec/resource_service_test.go
@@ -141,12 +141,14 @@ func TestResourceAquasecServiceComplexCreate(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.port_range", "22-80"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.resource_type", "anywhere"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.allow", "true"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.inbound_networks.0.resource", "190.1.2.3/12"),
 
 					// Outbound Networks
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.#", "1"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.port_range", "443"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource_type", "anywhere"),
 					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.allow", "false"),
+					resource.TestCheckResourceAttr(rootRef, "local_policies.0.outbound_networks.0.resource", "190.1.2.3/12"),
 				),
 			},
 		},

diff --git a/client/service.go b/client/service.go
@@ -42,6 +42,7 @@ type LocalPolicy struct {
 type NetworkRule struct {
 	PortRange    string `json:"port_range"`
 	ResourceType string `json:"resource_type"`
+	Resource     string `json:"resource"`
 	Allow        bool   `json:"allow"`
 }
 type VulnerabilitiesTypes struct {

diff --git a/docs/data-sources/service.md b/docs/data-sources/service.md
@@ -73,6 +73,7 @@ Required:
 
 - `allow` (Boolean) Whether the inbound network rule is allowed.
 - `port_range` (String) The port range for the inbound network rule.
+- `resource` (String) Custom ip for the inbound network rule (e.g., 190.1.2.3/12).
 - `resource_type` (String) The resource type for the inbound network rule (e.g., anywhere).
 
 
@@ -83,6 +84,7 @@ Required:
 
 - `allow` (Boolean) Whether the outbound network rule is allowed.
 - `port_range` (String) The port range for the outbound network rule.
+- `resource` (String) Custom ip for the outbound network rule (e.g., 190.1.2.3/12).
 - `resource_type` (String) The resource type for the outbound network rule (e.g., anywhere).
 
 

diff --git a/docs/resources/service.md b/docs/resources/service.md
@@ -29,41 +29,41 @@ resource "aquasec_service" "example_service" {
     name        = "policy1"
     type        = "access.control"
     description = "Local policy 1 for inbound and outbound control"
-    
+
     inbound_networks {
-      port_range   = "22/22"           # Allow SSH traffic
-      resource_type = "anywhere"       # Allow from any source
-      allow         = true             # Permit traffic
+      port_range    = "22/22"    # Allow SSH traffic
+      resource_type = "anywhere" # Allow from any source
+      allow         = true       # Permit traffic
     }
-    
+
     outbound_networks {
-      port_range   = "80/80"           # Allow HTTP traffic
-      resource_type = "anywhere"       # Allow to any destination
-      allow         = true             # Permit traffic
+      port_range    = "80/80"    # Allow HTTP traffic
+      resource_type = "anywhere" # Allow to any destination
+      allow         = true       # Permit traffic
     }
 
-    block_metadata_service = false      # Do not block metadata service
+    block_metadata_service = false # Do not block metadata service
   }
 
   // Local policy 2
   local_policies {
     name        = "policy2"
     type        = "access.control"
     description = "Local policy 2 with stricter outbound control"
-    
+
     inbound_networks {
-      port_range   = "443/443"         # Allow HTTPS traffic
-      resource_type = "anywhere"       # Allow from any source
-      allow         = true             # Permit traffic
+      port_range    = "443/443"  # Allow HTTPS traffic
+      resource_type = "anywhere" # Allow from any source
+      allow         = true       # Permit traffic
     }
 
     outbound_networks {
-      port_range   = "8080/8080"       # Allow specific application traffic
-      resource_type = "specific"       # Allow only to specific destinations
-      allow         = false            # Block traffic to unspecified destinations
+      port_range    = "8080/8080" # Allow specific application traffic
+      resource_type = "specific"  # Allow only to specific destinations
+      allow         = false       # Block traffic to unspecified destinations
     }
 
-    block_metadata_service = true       # Block metadata service access for security
+    block_metadata_service = true # Block metadata service access for security
   }
 }
 ```
@@ -129,8 +129,12 @@ Required:
 
 - `allow` (Boolean) Whether the inbound network rule is allowed.
 - `port_range` (String) The port range for the inbound network rule.
+- `resource` (String) Custom ip for the inbound network rule (e.g., 190.1.2.3/12).
 - `resource_type` (String) The resource type for the inbound network rule (e.g., anywhere).
-
+    * "anywhere" (equivalent to Anywhere in the UI)
+    * "custom" (equivalent to Custom IP in the UI)
+    * "application" (equivalent to Service in the UI)
+    * "domain" (equivalent to Domain in the UI)
 
 <a id="nestedblock--local_policies--outbound_networks"></a>
 ### Nested Schema for `local_policies.outbound_networks`
@@ -139,9 +143,12 @@ Required:
 
 - `allow` (Boolean) Whether the outbound network rule is allowed.
 - `port_range` (String) The port range for the outbound network rule.
+- `resource` (String) Custom ip for the outbound network rule (e.g., 190.1.2.3/12).
 - `resource_type` (String) The resource type for the outbound network rule (e.g., anywhere).
-
-
+    * "anywhere" (equivalent to Anywhere in the UI)
+    * "custom" (equivalent to Custom IP in the UI)
+    * "application" (equivalent to Service in the UI)
+    * "domain" (equivalent to Domain in the UI)
 
 <a id="nestedblock--scope_variables"></a>
 ### Nested Schema for `scope_variables`

diff --git a/examples/resources/aquasec_service/resource.tf b/examples/resources/aquasec_service/resource.tf
@@ -37,14 +37,16 @@ resource "aquasec_service" "example_service" {
     description = "Local policy 2 with stricter outbound control"
 
     inbound_networks {
-      port_range    = "443/443"  # Allow HTTPS traffic
-      resource_type = "anywhere" # Allow from any source
-      allow         = true       # Permit traffic
+      port_range    = "443/443"      # Allow HTTPS traffic
+      resource_type = "custom"      # Allow from specific source
+      resource      = "190.1.2.3/12" # Specific source
+      allow         = true           # Permit traffic
     }
 
     outbound_networks {
       port_range    = "8080/8080" # Allow specific application traffic
-      resource_type = "specific"  # Allow only to specific destinations
+      resource_type = "custom"      # Allow from specific source
+      resource      = "190.1.2.3/12" # Specific source
       allow         = false       # Block traffic to unspecified destinations
     }