Merge pull request #71 from maxboynton/main
Requested Bug Fixes & Enhancements, version 0.8.0
PANW-aharrell committed Jul 5, 2023
2 parents fdb5eb5 + 4750ae6 commit dd54d0b
Showing 45 changed files with 3,668 additions and 1,693 deletions.
@@ -1,40 +1,125 @@
# This resource will work with the following provider stored in the following directory path
# mkdir -p ~/.terraform.d/plugins/paloaltonetworks.com/prismacloud/prismacloudcompute/0.7.1-release/darwin_amd64
# mv terraform-provider-prismacloudcompute ~/.terraform.d/plugins/paloaltonetworks.com/prismacloud/prismacloudcompute/0.7.1-release/darwin_amd64

terraform {
required_providers {
prismacloudcompute = {
source = "paloaltonetworks.com/prismacloud/prismacloudcompute"
version = "0.7.1-release"
}
}
}

provider "prismacloudcompute" {
console_url = ""
username = ""
password = ""
}

resource "prismacloudcompute_container_runtime_policy" "ruleset" {
learning_disabled = false
rule {
name = "Default - alert on suspicious runtime behavior"
collections = ["All"]
advanced_protection = true
cloud_metadata_enforcement = false
name = "string"
collections = ["string"]
advanced_protection_effect = true
cloud_metadata_enforcement_effect = false
previous_name = "string" # Required if Renaming the Rule
skip_exec_sessions = false # true | false
wildfire_analysis = "alert" # "block" | "prevent" | "alert" | "disable"
custom_rule {
id = 0
action = "string"
effect = "string" # "allow" | "ban" | "block" | "prevent" | "alert" | "disable"
}
custom_rule {
id = 1
action = "string"
effect = "string" # "allow" | "ban" | "block" | "prevent" | "alert" | "disable"
}
dns {
allowed = []
denied = []
deny_effect = "disable"
default_effect = "alert" # "block" | "prevent" | "alert" | "disable"
disabled = true
domain_list {
allowed = ["0.0.0.0"]
denied = ["1.1.1.1"]
effect = "disable"
}
}
filesystem {
allowed = []
backdoor_files = true
check_new_files = true
denied = []
deny_effect = "alert"
skip_encrypted_binaries = false
suspicious_elf_headers = true
allowed_list = ["string"]
backdoor_files_effect = "disable" # "block" | "prevent" | "alert" | "disable"
default_effect = "alert" # "block" | "prevent" | "alert" | "disable"
denied_list {
effect = "disable" # "block" | "prevent" | "alert" | "disable"
paths = ["string"]
}
disabled = true
encrypted_binaries_effect = "disable"
new_files_effect = "disable"
suspicious_elf_headers_effect = "disable"
}
kubernetes_enforcement = false
network {
allowed_outbound_ips = []
denied_outbound_ips = []
deny_effect = "alert"
detect_port_scan = true
skip_modified_processes = false
skip_raw_sockets = false
allowed_ips = ["0.0.0.0"]
default_effect = "alert"
denied_ips = ["1.1.1.1"]
denied_ips_effect = "disable"
disabled = true
listening_ports {
allowed {
deny = true
end = 333
start = 222
}
denied {
deny = true
end = 5000
start = 4000
}
denied {
deny = true
end = 222
start = 111
}
effect = "disable" # "block" | "prevent" | "alert" | "disable"
}
modified_proc_effect = "disable" # "block" | "prevent" | "alert" | "disable"
outbound_ports {
allowed {
deny = true
end = 300
start = 200
}
denied {
deny = true
end = 6000
start = 5000
}
denied {
deny = true
end = 222
start = 111
}
effect = "disable" # "block" | "prevent" | "alert" | "disable"
}
port_scan_effect = "disable" # "block" | "prevent" | "alert" | "disable"
raw_sockets_effect = "disable" # "block" | "prevent" | "alert" | "disable"
}
processes {
allowed = []
check_crypto_miners = true
check_lateral_movement = true
denied = []
deny_effect = "alert"
modified_process_effect = "disable" # "block" | "prevent" | "alert" | "disable"
crypto_miners_effect = "disable" # "block" | "prevent" | "alert" | "disable"
lateral_movement_effect = "disable" # "block" | "prevent" | "alert" | "disable"
reverse_shell_effect = "disable" # "block" | "prevent" | "alert" | "disable"
suid_binaries_effect = "disable" # "block" | "prevent" | "alert" | "disable"
default_effect = "alert" # "block" | "prevent" | "alert" | "disable"
check_parent_child = false
allowed_list = []
disabled = false
denied_list {
effect = "disable" # "block" | "prevent" | "alert" | "disable"
paths = ["test"]
}
}
wildfire_analysis = "alert"
}
}
}
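--- a/internal/api/account/cloud_scan_rule.go
+++ b/internal/api/account/cloud_scan_rule.go
@@ -0,0 +1,88 @@
+package account
+
+import (
+"fmt"
+"net/http"
+
+"github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/internal/api"
+"github.com/PaloAltoNetworks/terraform-provider-prismacloudcompute/internal/api/auth"
+)
+
+const CloudScanRulesEndpoint = "api/v1/cloud-scan-rules"
+
+// Serverless scan specs struct
+type ServerLessScanSpec struct {
+Enabled bool `json:"enabled,omitempty"`
+Cap int `json:"cap,omitempty"`
+ScanAllVersions bool `json:"scanAllVersions,omitempty"`
+ScanLayers bool `json:"scanLayers,omitempty"`
+}
+
+type AgentlessScanSpec struct {
+Enabled bool `json:"enabled,omitempty"`
+HubAccount bool `json:"hubAccount,omitempty"`
+ConsoleAddr string `json:"consoleAddr,omitempty"`
+ScanNonRunning bool `json:"scanNonRunning,omitempty"`
+ProxyAddress string `json:"proxyAddress,omitempty"`
+ProxyCA string `json:"proxyCA,omitempty"`
+SkipPermissionsCheck bool `json:"skipPermissionsCheck,omitempty"`
+AutoScale bool `json:"autoScale,omitempty"`
+Scanners int `json:"scanners,omitempty"`
+SecurityGroup string `json:"securityGroup,omitempty"`
+SubNet string `json:"subnet,omitempty"`
+Regions []string `json:"regions,omitempty"`
+CustomTags []Tag `json:"customTags,omitempty"`
+IncludedTags []Tag `json:"includedTags,omitempty"`
+}
+
+type Tag struct {
+Key string `json:"key,omitempty"`
+Value string `json:"value,omitempty"`
+}
+
+type CloudScanRule struct {
+CredentialId string `json:"credentialId"`
+Credential auth.Credential `json:"credential,omitempty"`
+DiscoveryEnabled bool `json:"discoveryEnabled,omitempty"`
+ServerlessRadarEnabled bool `json:"serverlessRadarEnabled,omitempty"`
+VmTagsEnabled bool `json:"vmTagsEnabled,omitempty"`
+DiscoverAllFunctionVersions bool `json:"discoverAllFunctionVersions,omitempty"`
+ServerlessRadarCap int `json:"serverlessRadarCap,omitempty"`
+AgentlessScanSpec AgentlessScanSpec `json:"agentlessScanSpec,omitempty"`
+ServerlessScanSpec ServerLessScanSpec `json:"serverlessScanSpec,omitempty"`
+AwsRegionType string `json:"awsRegionType,omitempty"`
+}
+
+// Get all cloud can rules
+func ListCloudScanRules(c api.Client) ([]CloudScanRule, error) {
+var ans []CloudScanRule
+if err := c.Request(http.MethodGet, CloudScanRulesEndpoint, nil, nil, &ans); err != nil {
+return nil, fmt.Errorf("error listing Cloud Scan Rules: %s", err)
+}
+return ans, nil
+}
+
+// Get a specific cloud scan rule
+func GetCloudScanRule(c api.Client, name string) (*CloudScanRule, error) {
+var ans []CloudScanRule
+
+if err := c.Request(http.MethodGet, CloudScanRulesEndpoint, map[string]string{"search": name}, nil, &ans); err != nil {
+return nil, fmt.Errorf("error searching Cloud Scan Rules: %s", err)
+}
+for _, val := range ans {
+if val.CredentialId == name {
+return &val, nil
+}
+}
+return nil, fmt.Errorf("Cloud Scan Rule '%s' not found", name)
+}
+
+// Create/Update cloud scan rules
+func UpdateCloudScanRule(c api.Client, rule []CloudScanRule) error {
+return c.Request(http.MethodPut, CloudScanRulesEndpoint, nil, rule, nil)
+}
+
+// Delete an existing cloud scan rule
+func DeleteCloudScanRule(c api.Client, name string) error {
+return c.Request(http.MethodDelete, fmt.Sprintf("%s/%s", CloudScanRulesEndpoint, name), nil, nil, nil)
+}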