From cf47e3dfa215b4a056b557fc419ac3fb727346cd Mon Sep 17 00:00:00 2001
From: hi-artem
Date: Thu, 10 Nov 2022 14:57:27 -0800
Subject: [PATCH] fixup

---
 docs/data-sources/custom_rule.md | 115 ++++++++++++++++++
 docs/index.md | 76 ++++++++++-
 docs/resources/admission_policy.md | 46 +++++++
 docs/resources/custom_malware.md | 16 ++-
 docs/resources/custom_rule.md | 26 +++-
 examples/README.md | 2 +-
 .../data-source.tf | 112 +++++++++++++++++
 examples/defaults/main.tf | 14 ++-
 examples/provider/provider.tf | 16 +-
 .../resource.tf | 43 +++++++
 .../resource.tf | 11 ++
 .../resource.tf | 21 ++++
 templates/index.md.tmpl | 60 ++++++++-
 13 files changed, 532 insertions(+), 26 deletions(-)
 create mode 100644 examples/data-sources/prismacloudcompute_custom_rule/data-source.tf
 create mode 100644 examples/resources/prismacloudcompute_admission_policy/resource.tf
 create mode 100644 examples/resources/prismacloudcompute_custom_malware/resource.tf
 create mode 100644 examples/resources/prismacloudcompute_custom_rule/resource.tf

diff --git a/docs/data-sources/custom_rule.md b/docs/data-sources/custom_rule.md
index dc58603..38f8490 100644
--- a/docs/data-sources/custom_rule.md
+++ b/docs/data-sources/custom_rule.md
@@ -10,7 +10,122 @@ description: |-
 Use this data source to retrieve ID of a custom rule.
+## Example Usage
+```terraform
+# Some default rules coming with the Console
+data "prismacloudcompute_custom_rule" "rule" {
+  name = "Twistlock Labs - Suspicious networking tool"
+}
+
+data "prismacloudcompute_custom_rule" "another_rule" {
+  name = "Twistlock Labs - Running privileged process within container"
+}
+
+data "prismacloudcompute_custom_rule" "yet_another_rule" {
+  name = "Twistlock Labs - Running cron app"
+}
+
+# Add container policy using these custom rules
+resource "prismacloudcompute_container_runtime_policy" "ruleset" {
+  learning_disabled = false
+
+  rule {
+    advanced_protection = true
+    cloud_metadata_enforcement = true
+    collections = [
+      "All",
+    ]
+    disabled = false
+    kubernetes_enforcement = true
+    name = "Demo runtime container policy"
+    wildfire_analysis = "block"
+
+    custom_rule {
+      action = "audit"
+      effect = "block"
+      id = data.prismacloudcompute_custom_rule.rule.prisma_id
+    }
+    custom_rule {
+      action = "audit"
+      effect = "block"
+      id = data.prismacloudcompute_custom_rule.another_rule.prisma_id
+    }
+
+    custom_rule {
+      action = "audit"
+      effect = "block"
+      id = data.prismacloudcompute_custom_rule.yet_another_rule.prisma_id
+    }
+
+    dns {
+      allowed = [
+        "amplitutude.com",
+      ]
+      denied = [
+        "ru.com",
+        "cn.com",
+        "ir.com",
+      ]
+      deny_effect = "block"
+    }
+
+    filesystem {
+      allowed = [
+        "/etc",
+        "/usr/bin/",
+        "/var/app",
+      ]
+      backdoor_files = true
+      check_new_files = true
+      denied = []
+      deny_effect = "prevent"
+      skip_encrypted_binaries = false
+      suspicious_elf_headers = true
+    }
+
+    network {
+      allowed_outbound_ips = []
+      denied_outbound_ips = []
+      deny_effect = "alert"
+      detect_port_scan = true
+      skip_modified_processes = false
+      skip_raw_sockets = false
+
+      allowed_listening_port {
+        deny = false
+        end = 443
+        start = 443
+      }
+
+      allowed_outbound_port {
+        deny = false
+        end = 80
+        start = 80
+      }
+      allowed_outbound_port {
+        deny = false
+        end = 443
+        start = 443
+      }
+    }
+
+    processes {
+      allowed = [
+        "aws-cni",
+      ]
+      check_crypto_miners = true
+      check_lateral_movement = true
+      check_parent_child = false
+      check_suid_binaries = false
+      denied = []
+      deny_effect = "block"
+      skip_modified = false
+      skip_reverse_shell = false
+    }
+  }
+}
+```
 ## Schema
diff --git a/docs/index.md b/docs/index.md
index 87f52ef..3a248d4 100644
--- a/docs/index.md
+++ b/docs/index.md
@@ -2,32 +2,88 @@
 # generated by https://github.com/hashicorp/terraform-plugin-docs
 page_title: "Prisma Cloud Compute Provider"
 description: |-
-  The Prisma Cloud Compute provider gives resources to interact with the Prisma Cloud Compute API.
+  This is a community-driven fork of the official Prisma Cloud Compute provider with some extra sauce.
 ---
 # Prisma Cloud Compute provider
-The Prisma Cloud Compute provider gives resources to interact with the Prisma Cloud Compute API.
+This is a community-driven fork of the official Prisma Cloud Compute provider with some extra sauce.
 ## Example Usage
 ```terraform
 terraform {
   required_providers {
     prismacloudcompute = {
-      source = "PaloAltoNetworks/prismacloudcompute"
-      version = "0.4.0"
+      source = "hi-artem/prismacloudcompute"
+      version = "0.8.1"
     }
   }
 }
 provider "prismacloudcompute" {
-  # Configure provider with file
+  # Configure provider inline
   #
-  config_file = "creds.json"
+  console_url = "https://foo.bar.com"
+  username = "myUsername"
+  password = "myPassword"
-  # Alternatively, you can use variables
+  # Or you can use file
   #
-  # console_url = "https://foo.bar.com"
-  # username = "myUsername"
-  # password = "myPassword"
+  # config_file = "creds.json"
+}
+```
+
+## Simplifying Policies
+Resources representing policies can become really long. It is often helpful to simplify their structure using HCL `dynamic` blocks.
+
+```hcl
+# First define your hosts variable
+variable "hosts" {
+  default = [
+    {
+      name: "ec2-develop,
+      compliance_check: [
+        { id: 16 }
+      ]
+    },
+    {
+      name: "ec2-staging,
+      compliance_check: [
+        { id: 16, block: true }
+      ]
+    },
+    {
+      name: "ec2-staging,
+      compliance_check: [
+        { id: 16, block: true },
+        { id: 18, block: false }
+      ]
+    }
+  ]
+}
+
+# And then use dynamic blocks to create a rule for each host
+resource "prismacloudcompute_host_compliance_policy" "ruleset" {
+  dynamic "rule" {
+
+    for_each = var.hosts
+    content {
+      name = "${rule.value.name}-compliance-policy"
+      notes = "Compliance policy for ${rule.value.name} host"
+      collections = rule.value.collection_name
+
+      disabled = false
+      effect = "alert"
+      show_passed_checks = true
+      verbose = true
+
+      dynamic "compliance_check" {
+        for_each = rule.value.compliance_checks
+        content {
+          id = compliance_check.value.id
+          block = try(compliance_check.value.block, false)
+        }
+      }
+    }
+  }
 }
 ```
diff --git a/docs/resources/admission_policy.md b/docs/resources/admission_policy.md
index 8e3089f..2a414c2 100644
--- a/docs/resources/admission_policy.md
+++ b/docs/resources/admission_policy.md
@@ -10,7 +10,53 @@ description: |-
+## Example Usage
+```terraform
+resource "prismacloudcompute_admission_policy" "ruleset" {
+  rule {
+    name = "Block host PID and IPC sharing"
+    disabled = true
+    effect = "block"
+    description = "This rule is important, but disabled"
+    script = <<-EOT
+      match[{"msg": msg}] {
+        input.request.operation == "CREATE"
+        input.request.kind.kind == "Pod"
+        input.request.resource.resource == "pods"
+        input_share_hostnamespace(input.request.object)
+        msg := sprintf("Sharing the host namespace is not allowed, pod: %v", [input.request.object.metadata.name])
+      }
+
+      input_share_hostnamespace(o) {
+        o.spec.hostPID
+      }
+
+      input_share_hostnamespace(o) {
+        o.spec.hostIPC
+      }
+    EOT
+  }
+  rule {
+    name = "Allow containers with non read only filesystem"
+    disabled = false
+    effect = "allow"
+    description = "This rule is important and enabled, but allowed"
+    script = <<-EOT
+      match[{"msg": msg}] {
+        operations := {"CREATE"}
+        operations[input.request.operation]
+        input.request.kind.kind == "Pod"
+
+        containers := input.request.object.spec.containers[_]
+
+        not containers.securityContext.readOnlyRootFilesystem
+        msg := sprintf("container '%v' does not have a read only root filesystem", [containers.name])
+      }
+    EOT
+  }
+}
+```
 ## Schema
diff --git a/docs/resources/custom_malware.md b/docs/resources/custom_malware.md
index 65c9c6a..68201b7 100644
--- a/docs/resources/custom_malware.md
+++ b/docs/resources/custom_malware.md
@@ -10,7 +10,21 @@ description: |-
-
+## Example Usage
+
+```terraform
+resource "prismacloudcompute_custom_malware" "custom" {
+  feed {
+    md5 = "044003f961de0e52bdd6e561460cb05a"
+    name = "allowed"
+  }
+  feed {
+    md5 = "1447a3f961de0e52b086e561460cb05a"
+    name = "denied"
+    allowed = false
+  }
+}
+```
 ## Schema
diff --git a/docs/resources/custom_rule.md b/docs/resources/custom_rule.md
index 4def52c..212cb61 100644
--- a/docs/resources/custom_rule.md
+++ b/docs/resources/custom_rule.md
@@ -10,7 +10,31 @@ description: |-
-
+## Example Usage
+
+```terraform
+resource "prismacloudcompute_custom_rule" "test" {
+  name = "basic-rule"
+  description = "this is basic rule"
+  message = "%proc.name doing stuff"
+  type = "processes"
+  script = "proc.name = \"cat\""
+}
+
+resource "prismacloudcompute_custom_rule" "test_heredoc" {
+  name = "less-basic-rule"
+  description = "this is less basic rule"
+  message = "%proc.name wrote to path"
+  type = "filesystem"
+  script = < ## Schema
diff --git a/examples/README.md b/examples/README.md
index 5380cc2..74b4443 100644
--- a/examples/README.md
+++ b/examples/README.md
@@ -8,4 +8,4 @@ The document generation tool looks for files in the following locations by defau
 * `data-sources/data_source_name/data-source.tf` example file for the named data source page
 * `resources/resource_name/resource.tf` example file for the named data source page
-The files in the `defaults/` directory are for Prisma Cloud Compute default configurations.
+The files in the `defaults/` directory are for Prisma Cloud Compute default configurations. This configuration is a subject to change, depending on the Compute version.
diff --git a/examples/data-sources/prismacloudcompute_custom_rule/data-source.tf b/examples/data-sources/prismacloudcompute_custom_rule/data-source.tf
new file mode 100644
index 0000000..c29dfde
--- /dev/null
+++ b/examples/data-sources/prismacloudcompute_custom_rule/data-source.tf
@@ -0,0 +1,112 @@
+# Some default rules coming with the Console
+data "prismacloudcompute_custom_rule" "rule" {
+  name = "Twistlock Labs - Suspicious networking tool"
+}
+
+data "prismacloudcompute_custom_rule" "another_rule" {
+  name = "Twistlock Labs - Running privileged process within container"
+}
+
+data "prismacloudcompute_custom_rule" "yet_another_rule" {
+  name = "Twistlock Labs - Running cron app"
+}
+
+# Add container policy using these custom rules
+resource "prismacloudcompute_container_runtime_policy" "ruleset" {
+  learning_disabled = false
+
+  rule {
+    advanced_protection = true
+    cloud_metadata_enforcement = true
+    collections = [
+      "All",
+    ]
+    disabled = false
+    kubernetes_enforcement = true
+    name = "Demo runtime container policy"
+    wildfire_analysis = "block"
+
+    custom_rule {
+      action = "audit"
+      effect = "block"
+      id = data.prismacloudcompute_custom_rule.rule.prisma_id
+    }
+    custom_rule {
+      action = "audit"
+      effect = "block"
+      id = data.prismacloudcompute_custom_rule.another_rule.prisma_id
+    }
+
+    custom_rule {
+      action = "audit"
+      effect = "block"
+      id = data.prismacloudcompute_custom_rule.yet_another_rule.prisma_id
+    }
+
+    dns {
+      allowed = [
+        "amplitutude.com",
+      ]
+      denied = [
+        "ru.com",
+        "cn.com",
+        "ir.com",
+      ]
+      deny_effect = "block"
+    }
+
+    filesystem {
+      allowed = [
+        "/etc",
+        "/usr/bin/",
+        "/var/app",
+      ]
+      backdoor_files = true
+      check_new_files = true
+      denied = []
+      deny_effect = "prevent"
+      skip_encrypted_binaries = false
+      suspicious_elf_headers = true
+    }
+
+    network {
+      allowed_outbound_ips = []
+      denied_outbound_ips = []
+      deny_effect = "alert"
+      detect_port_scan = true
+      skip_modified_processes = false
+      skip_raw_sockets = false
+
+      allowed_listening_port {
+        deny = false
+        end = 443
+        start = 443
+      }
+
+      allowed_outbound_port {
+        deny = false
+        end = 80
+        start = 80
+      }
+      allowed_outbound_port {
+        deny = false
+        end = 443
+        start = 443
+      }
+    }
+
+    processes {
+      allowed = [
+        "aws-cni",
+      ]
+      check_crypto_miners = true
+      check_lateral_movement = true
+      check_parent_child = false
+      check_suid_binaries = false
+      denied = []
+      deny_effect = "block"
+      skip_modified = false
+      skip_reverse_shell = false
+    }
+  }
+}
diff --git a/examples/defaults/main.tf b/examples/defaults/main.tf
index 7753db4..9913105 100644
--- a/examples/defaults/main.tf
+++ b/examples/defaults/main.tf
@@ -1,14 +1,22 @@
 terraform {
   required_providers {
     prismacloudcompute = {
-      source = "PaloAltoNetworks/prismacloudcompute"
-      version = "0.0.1"
+      source = "hi-artem/prismacloudcompute"
+      version = "0.8.1"
     }
   }
 }
+variable "pcc_console_url" {}
+
+variable "pcc_console_url" {}
+
+variable "pcc_console_url" {}
+
 provider "prismacloudcompute" {
-  config_file = "creds.json"
+  console_url = var.pcc_console_url
+  username = var.pcc_username
+  password = var.pcc_password
 }
 # These policy resources represent the default values for Prisma Cloud Compute.
diff --git a/examples/provider/provider.tf b/examples/provider/provider.tf
index f796b73..443caf2 100644
--- a/examples/provider/provider.tf
+++ b/examples/provider/provider.tf
@@ -1,20 +1,20 @@
 terraform {
   required_providers {
     prismacloudcompute = {
-      source = "PaloAltoNetworks/prismacloudcompute"
-      version = "0.4.0"
+      source = "hi-artem/prismacloudcompute"
+      version = "0.8.1"
     }
   }
 }
 provider "prismacloudcompute" {
-  # Configure provider with file
+  # Configure provider inline
   #
-  config_file = "creds.json"
+  console_url = "https://foo.bar.com"
+  username = "myUsername"
+  password = "myPassword"
-  # Alternatively, you can use variables
+  # Or you can use file
   #
-  # console_url = "https://foo.bar.com"
-  # username = "myUsername"
-  # password = "myPassword"
+  # config_file = "creds.json"
 }
diff --git a/examples/resources/prismacloudcompute_admission_policy/resource.tf b/examples/resources/prismacloudcompute_admission_policy/resource.tf
new file mode 100644
index 0000000..0e002cf
--- /dev/null
+++ b/examples/resources/prismacloudcompute_admission_policy/resource.tf
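Review bot: `dns.allowed` in the new data-source.tf example holds `"amplitutude.com"`, which reads as a typo for `amplitude.com`; in an allowlist a misspelled entry means the domain the author meant to permit still falls under `deny_effect = "block"`, so `"amplitude.com",` is the likely intended value. The same 112 lines are embedded verbatim in the docs/data-sources/custom_rule.md hunk at the top of this commit, so that copy needs the same fix or a regenerate. The example also attaches a policy with `deny_effect = "prevent"` on `filesystem` to `collections = ["All"]`; a comment such as `# Demo scope: narrow collections before using outside a test Console` would stop readers from applying a prevent-mode rule fleet-wide as-is.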
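Review bot: The three added `variable` declarations in examples/defaults/main.tf all repeat the name `pcc_console_url`, which Terraform rejects as a duplicate declaration, while the provider block right below reads `var.pcc_username` and `var.pcc_password`, which are never declared. The second and third declarations should be `variable "pcc_username" {}` and `variable "pcc_password" { sensitive = true }` (the `sensitive` argument needs Terraform 0.14 or later) so the example validates and the password is redacted from plan and apply output.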
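Review bot: The new provider.tf example promotes literal credentials (`username = "myUsername"`, `password = "myPassword"`) to the primary form and demotes `config_file` to a comment; example files are what users paste into version-controlled code, so the live block should read from variables, as examples/defaults/main.tf in this same commit already does. Suggested lines: `console_url = var.pcc_console_url`, `username = var.pcc_username`, `password = var.pcc_password`, keeping the literal form only in the comment. The identical block is reproduced in the docs/index.md hunk earlier in this commit (and presumably in templates/index.md.tmpl, which is outside this view), so that copy needs the same change. The `dynamic` example in that same docs/index.md hunk also has unclosed strings (`name: "ec2-develop,`) and references `rule.value.collection_name` and `rule.value.compliance_checks`, neither of which the `hosts` variable defines, so it will not parse as written.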
@@ -0,0 +1,43 @@
+resource "prismacloudcompute_admission_policy" "ruleset" {
+  rule {
+    name = "Block host PID and IPC sharing"
+    disabled = true
+    effect = "block"
+    description = "This rule is important, but disabled"
+    script = <<-EOT
+      match[{"msg": msg}] {
+        input.request.operation == "CREATE"
+        input.request.kind.kind == "Pod"
+        input.request.resource.resource == "pods"
+        input_share_hostnamespace(input.request.object)
+        msg := sprintf("Sharing the host namespace is not allowed, pod: %v", [input.request.object.metadata.name])
+      }
+
+      input_share_hostnamespace(o) {
+        o.spec.hostPID
+      }
+
+      input_share_hostnamespace(o) {
+        o.spec.hostIPC
+      }
+    EOT
+  }
+  rule {
+    name = "Allow containers with non read only filesystem"
+    disabled = false
+    effect = "allow"
+    description = "This rule is important and enabled, but allowed"
+    script = <<-EOT
+      match[{"msg": msg}] {
+        operations := {"CREATE"}
+        operations[input.request.operation]
+        input.request.kind.kind == "Pod"
+
+        containers := input.request.object.spec.containers[_]
+
+        not containers.securityContext.readOnlyRootFilesystem
+        msg := sprintf("container '%v' does not have a read only root filesystem", [containers.name])
+      }
+    EOT
+  }
+}
diff --git a/examples/resources/prismacloudcompute_custom_malware/resource.tf b/examples/resources/prismacloudcompute_custom_malware/resource.tf
new file mode 100644
index 0000000..bd3eaa0
--- /dev/null
+++ b/examples/resources/prismacloudcompute_custom_malware/resource.tf
@@ -0,0 +1,11 @@
+resource "prismacloudcompute_custom_malware" "custom" {
+  feed {
+    md5 = "044003f961de0e52bdd6e561460cb05a"
+    name = "allowed"
+  }
+  feed {
+    md5 = "1447a3f961de0e52b086e561460cb05a"
+    name = "denied"
+    allowed = false
+  }
+}
diff --git a/examples/resources/prismacloudcompute_custom_rule/resource.tf b/examples/resources/prismacloudcompute_custom_rule/resource.tf
new file mode 100644
index 0000000..adb2254
--- /dev/null
+++ b/examples/resources/prismacloudcompute_custom_rule/resource.tf
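Review bot: The second rule in the new admission_policy resource.tf example pairs `effect = "allow"` with a match that fires when `readOnlyRootFilesystem` is unset, so as written it explicitly allow-lists the weaker pod configuration while its message reads like a violation; if the goal is to show an enabled rule, `effect = "alert"` makes the example consistent with its name and message (how the Console orders an allow rule against the block rule above it is not visible here and is worth confirming). That script also only walks `spec.containers`, so `initContainers` and `ephemeralContainers` are never inspected; a comment such as `# Demo only: initContainers and ephemeralContainers are not inspected` would set expectations for anyone copying it. The same two scripts appear verbatim in the docs/resources/admission_policy.md hunk.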
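Review bot: The first `feed` block in the new custom_malware resource.tf example leaves `allowed` unset while the second sets `allowed = false`, so a reader cannot tell whether omitting it means permitted or merely a provider default; if the schema's default is true, writing `allowed = true` on the `"allowed"` feed makes the example self-describing (the schema is not visible from this hunk). If the two `md5` values are placeholders rather than real samples, a comment such as `# Sample digests for illustration only` would keep anyone from treating them as indicators.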
@@ -0,0 +1,21 @@ +resource "prismacloudcompute_custom_rule" "test" { + name = "basic-rule" + description = "this is basic rule" + message = "%proc.name doing stuff" + type = "processes" + script = "proc.name = \"cat\"" +} + +resource "prismacloudcompute_custom_rule" "test_heredoc" { + name = "less-basic-rule" + description = "this is less basic rule" + message = "%proc.name wrote to path" + type = "filesystem" + script = <