
feat(application_scope_saas): SLK-88697-aquasec-application-scope-saas #285

Open: wants to merge 1 commit into main from SLK-88697-aquasec-application-scope-saas

Conversation

MosenzonTal (Collaborator) commented Jan 23, 2025

SLK-88697

CLAassistant

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

Tal Mosenzon seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you already have a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@semyonm0r semyonm0r changed the title Slk 88697 aquasec application scope saas feat(application_scope_saas): create resource, data for application scope saas Jan 23, 2025
@semyonm0r semyonm0r changed the title feat(application_scope_saas): create resource, data for application scope saas feat(application_scope_saas): create resource, datasource, example, docs Jan 23, 2025
@MosenzonTal MosenzonTal force-pushed the SLK-88697-aquasec-application-scope-saas branch 2 times, most recently from c5da21a to 54ec15d on January 27, 2025 13:27
@MosenzonTal MosenzonTal changed the title feat(application_scope_saas): create resource, datasource, example, docs feat(application_scope_saas): SLK-88697-aquasec-application-scope-saas Jan 27, 2025
@MosenzonTal MosenzonTal force-pushed the SLK-88697-aquasec-application-scope-saas branch 2 times, most recently from ce328c0 to 1eccba5 on January 29, 2025 13:44
Supports the new RBAC v3 feature set
Covers the entire SaaS platform and is not limited to CSP only

Resolves: SLK-88697
@MosenzonTal MosenzonTal force-pushed the SLK-88697-aquasec-application-scope-saas branch from 8622d94 to 7b6f94d on January 29, 2025 13:46

smorodin2024

@semyonm0r I tried this branch and did not find the fix for Additional Scope Criteria from a Runtime Policy. The Terraform provider can't update this field.
My Terraform script tried to update the additional scope from kubernetes.cluster.initial_cluster_name to kubernetes.cluster.new_cluster_name and was not able to do so. Terraform apply returns success, but the Aquasec Web UI shows the old value initial_cluster_name.

semyonm0r (Collaborator)

@smorodin2024 this branch is not supposed to solve the runtime policy. We did not manage to reproduce your issue; we will try to use the details from your comment and reproduce it today.
If you can share an example (tf code) with me, it will help us.
@MosenzonTal let's try to check it today

MosenzonTal (Collaborator, Author)

@semyonm0r I tried this branch and did not find the fix for Additional Scope Criteria from a Runtime Policy. Terraform provider can't update this field. My Terraform script tried to update the additional scope from kubernetes.cluster.initial_cluster_name to kubernetes.cluster.new_cluster_name and was not able to do so. Terraform apply returns success, but Aquasec Web UI shows old value initial_cluster_name.

You need to use “scope { }” instead of “scope_expression & scope_variables”.

As mentioned in the example of Create Runtime Policy POST /runtime_policies in the API Docs:
https://docs.aquasec.com/saas/api-reference/workload-protection-api/v2-api/runtime-policies/runtime-policy-create-new/#/Runtime Policies/Runtime_policy_create_new
Attaching a working code example:

resource "aquasec_container_runtime_policy" "container_runtime_policy_praveen" {
  name             = "container_runtime_policy_praveen2"
  description      = "container_runtime_policy"
  # Scope criteria go in the nested scope block: an expression over the
  # variables declared below, each variable being an attribute/value pair.
  scope {
    expression = "v1 && v2"

    variables {
      attribute = "kubernetes.cluster"
      value     = "default"
    }
    variables {
      attribute = "kubernetes.label"
      name      = "app"
      value     = "aqua"
    }
  }
  application_scopes = [
    "app_scope",
  ]
  enabled              = true
  enforce              = false
  block_container_exec = true
  container_exec_allowed_processes = [
    "proc1",
    "proc2"
  ]
  block_cryptocurrency_mining   = true
  block_fileless_exec           = true
  block_non_compliant_workloads = true
  block_non_k8s_containers      = true
  blocked_capabilities = [
    "AUDIT_CONTROL",
    "AUDIT_WRITE"
  ]

  blocked_executables = [
    "exe1",
    "exe2",
  ]
  blocked_files = [
    "test1",
    "test2"
  ]
  malware_scan_options {
    enabled = true
    action  = "alert"
    #exclude_directories = [ "/var/run/" ]
  }

  audit_all_processes_activity = true
  audit_full_command_arguments = true
  audit_all_network_activity   = true
  enable_fork_guard            = true
  fork_guard_process_limit     = 13
  block_access_host_network    = true
  block_adding_capabilities    = true
  block_root_user              = true
  block_privileged_containers  = true
  block_use_ipc_namespace      = true
  block_use_pid_namespace      = true
  block_use_user_namespace     = true
  block_use_uts_namespace      = true
  block_low_port_binding       = true
  limit_new_privileges         = true
  blocked_packages = [
    "pkg",
    "pkg2"
  ]
  blocked_inbound_ports = [
    "80",
    "8080"
  ]
  blocked_outbound_ports = [
    "90",
    "9090"
  ]

  monitor_system_time_changes = true
  blocked_volumes = [
    "blocked",
    "vol"
  ]
}
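The silent failure reported above (Terraform apply succeeds, the UI keeps the old scope) is the kind of drift worth catching before apply. Below is an added lint script, not part of this PR or the provider, that scans a Terraform file for aquasec_container_runtime_policy resources and flags the legacy scope_expression/scope_variables attributes, and additionally checks that a scope block's expression only references variables that are actually declared. The assumption that the expression refers to variables as v1, v2, ... in declaration order is inferred from the example above, not from provider documentation; the brace matching is a deliberately simple scanner rather than a full HCL parser, and the sample input is constructed for the demonstration.

```python
import re
from typing import Dict, List

# Constructed sample: one resource on the legacy flat attributes, one on the
# nested scope block from the PR comment, and one whose expression references
# a variable that was never declared.
SAMPLE_HCL = '''
resource "aquasec_container_runtime_policy" "legacy" {
  name             = "legacy_policy"
  scope_expression = "v1"
  scope_variables {
    attribute = "kubernetes.cluster"
    value     = "initial_cluster_name"
  }
}

resource "aquasec_container_runtime_policy" "current" {
  name = "current_policy"
  scope {
    expression = "v1 && v2"
    variables {
      attribute = "kubernetes.cluster"
      value     = "default"
    }
    variables {
      attribute = "kubernetes.label"
      name      = "app"
      value     = "aqua"
    }
  }
}

resource "aquasec_container_runtime_policy" "dangling" {
  name = "dangling_policy"
  scope {
    expression = "v1 && v3"
    variables {
      attribute = "kubernetes.cluster"
      value     = "default"
    }
  }
}
'''

RESOURCE_RE = re.compile(r'resource\s+"aquasec_container_runtime_policy"\s+"([^"]+)"\s*\{')
LEGACY_RE = re.compile(r'^\s*(scope_expression|scope_variables)\b', re.MULTILINE)
SCOPE_RE = re.compile(r'^\s*scope\s*\{', re.MULTILINE)
EXPR_RE = re.compile(r'^\s*expression\s*=\s*"([^"]*)"', re.MULTILINE)
VARS_RE = re.compile(r'^\s*variables\s*\{', re.MULTILINE)
VREF_RE = re.compile(r'\bv(\d+)\b')  # assumption: variables are addressed as v1, v2, ... in order


def _block_body(text: str, open_idx: int) -> str:
    """Return the text between the '{' at open_idx and its matching '}'.
    Braces inside quoted strings are not special-cased (fine for plain policy files)."""
    depth = 0
    for i in range(open_idx, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[open_idx + 1:i]
    raise ValueError("unbalanced braces in HCL input")


def split_resources(hcl: str) -> Dict[str, str]:
    """Map each aquasec_container_runtime_policy resource name to its body text."""
    return {m.group(1): _block_body(hcl, m.end() - 1) for m in RESOURCE_RE.finditer(hcl)}


def scope_issues(body: str) -> List[str]:
    """Return human-readable findings for one resource body; empty list means clean."""
    issues: List[str] = []
    if LEGACY_RE.search(body):
        issues.append("uses legacy scope_expression/scope_variables; use a scope { } block "
                      "(updates through the legacy attributes are not applied)")
    sm = SCOPE_RE.search(body)
    if sm is None:
        return issues
    scope = _block_body(body, sm.end() - 1)
    n_vars = len(VARS_RE.findall(scope))
    em = EXPR_RE.search(scope)
    if em is None:
        issues.append("scope block has no expression")
        return issues
    for ref in sorted({int(x) for x in VREF_RE.findall(em.group(1))}):
        if ref < 1 or ref > n_vars:
            issues.append(f"expression references v{ref} but only {n_vars} variables block(s) are declared")
    return issues


def audit(hcl: str) -> Dict[str, List[str]]:
    """Audit every runtime policy resource in an HCL document."""
    return {name: scope_issues(body) for name, body in split_resources(hcl).items()}


if __name__ == "__main__":
    for name, findings in audit(SAMPLE_HCL).items():
        print(name, "->", findings or "ok")
```

Run it against a real .tf file by reading the file into a string and passing it to audit(); a non-empty list for any resource is a reason to fix the configuration before trusting a green apply.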
