Add terraform support to Okta ML Policy #676
Conversation
…patel-sysdig/terraform-provider-sysdig into feature-oktaml-terraform
harshampatel-sysdig
requested review from
airadier,
daniel-almeida,
ivanlysiuk-sysdig,
jbainbridgesysdig,
mateobur,
ombellare,
rosenbloomb-sysdig and
tembleking
as code owners
Changed threshold value descriptions from 'High/Medium/Low' to 'Default/High/Higher' for ML policies
tembleking
left a comment
tembleking
left a comment
There was a problem hiding this comment.
Hello @harshampatel-sysdig, thank you for this implementation, it's really nice.
I left you some comments to address before merging it, with some small improvements we can benefit from.
sysdig/tfresource.go
Outdated
| "enabled": rule.Details.(*v2.OktaMLRuleDetails).AnomalousConsoleLogin.Enabled, | ||
| "threshold": rule.Details.(*v2.OktaMLRuleDetails).AnomalousConsoleLogin.Threshold, |
There was a problem hiding this comment.
What happens if at some point rule.Details is not a *v2.OktaMLRuleDetails or AnomalousConsoleLogin is nil? We should check this for robustness.
For example
if d, ok := rule.Details.(*v2.OktaMLRuleDetails); ok && d.AnomalousConsoleLogin != nil {
enabled := d.AnomalousConsoleLogin.Enabled
threshold := int(d.AnomalousConsoleLogin.Threshold)
// ...
}
sysdig/tfresource.go
Outdated
| "enabled": rule.Details.(*v2.OktaMLRuleDetails).AnomalousConsoleLogin.Enabled, | ||
| "threshold": rule.Details.(*v2.OktaMLRuleDetails).AnomalousConsoleLogin.Threshold, |
There was a problem hiding this comment.
Here we are passing from Threshold (float64) to int, because in MLRuleThresholdAndSeveritySchema we are defining it as TypeInt.
"threshold": {
Type: schema.TypeInt,
Required: true,
},Either we define the Threshold as int in the model, or we transform it:
| "enabled": rule.Details.(*v2.OktaMLRuleDetails).AnomalousConsoleLogin.Enabled, | |
| "threshold": rule.Details.(*v2.OktaMLRuleDetails).AnomalousConsoleLogin.Threshold, | |
| "enabled": rule.Details.(*v2.OktaMLRuleDetails).AnomalousConsoleLogin.Enabled, | |
| "threshold": int(rule.Details.(*v2.OktaMLRuleDetails).AnomalousConsoleLogin.Threshold), |
I prefer the first solution, to define the Threshold as int because in the documentation you also specify:
`threshold` - Confidence level threshold for triggering alerts. Valid values are: 1 (Default), 2 (High), 3 (Higher).|
|
||
| # Resource: sysdig_secure_okta_ml_policy | ||
|
|
||
| Retrieves the information of an existing Sysdig Secure Okta ML Policy. |
There was a problem hiding this comment.
Resources not only retrieve info, they also manage.
| Retrieves the information of an existing Sysdig Secure Okta ML Policy. | |
| Manages a Sysdig Secure Okta ML Policy. |
| ```terraform | ||
| resource "sysdig_secure_okta_ml_policy" "policy" { | ||
| name = "Test Okta ML Policy 1" | ||
| description = "Test Okta ML Policy Description" | ||
| enabled = true | ||
| severity = 4 | ||
| rule { | ||
| description = "Test Okta ML Rule Description" | ||
| anomalous_console_login { | ||
| enabled = true | ||
| threshold = 1 | ||
| } | ||
| } | ||
| ``` |
There was a problem hiding this comment.
You are missing a } in the example:
| ```terraform | |
| resource "sysdig_secure_okta_ml_policy" "policy" { | |
| name = "Test Okta ML Policy 1" | |
| description = "Test Okta ML Policy Description" | |
| enabled = true | |
| severity = 4 | |
| rule { | |
| description = "Test Okta ML Rule Description" | |
| anomalous_console_login { | |
| enabled = true | |
| threshold = 1 | |
| } | |
| } | |
| ``` | |
| ```terraform | |
| resource "sysdig_secure_okta_ml_policy" "policy" { | |
| name = "Test Okta ML Policy 1" | |
| description = "Test Okta ML Policy Description" | |
| enabled = true | |
| severity = 4 | |
| rule { | |
| description = "Test Okta ML Rule Description" | |
| anomalous_console_login { | |
| enabled = true | |
| threshold = 1 | |
| } | |
| } | |
| } |
| * `description` - (Required) Rule description. | ||
| * `anomalous_console_login` - (Required) This attribute allows you to activate anomaly detection for logins and adjust its settings. | ||
| * `enabled` - (Optional) Whether anomaly detection is enabled. Defaults to `true`. | ||
| * `threshold` - (Required) Trigger at or above confidence level. Valid values are: 1 (Default), 2 (High), 3 (Higher). |
There was a problem hiding this comment.
Since threshold can only be 3 values, we should validate it in the Terraform schema with something like:
validation.IntInSlice([]int{1,2,3})| if _, ok := d.GetOk("rule"); ok { | ||
|
|
||
| anomalousLogin := &v2.MLRuleThresholdAndSeverity{} | ||
| if _, ok := d.GetOk("rule.0.anomalous_console_login"); ok { // TODO: Do not hardcode the indexes |
There was a problem hiding this comment.
Only one rule can be created for this policy type? If so, then rule.0.* is fine here 👍 We can change it if we start supporting multiple rules.
Nevertheless, please add a MaxItems: 1 to the block:
"rule": {
Type: schema.TypeList,
Required: true,
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"id": ReadOnlyIntSchema(),
"name": ReadOnlyStringSchema(),
// Do not allow switching off individual rules
// "enabled": EnabledSchema(),
"description": DescriptionSchema(),
"tags": TagsSchema(),
"version": VersionSchema(),
"anomalous_console_login": MLRuleThresholdAndSeveritySchema(),
},
},
},| return diag.FromErr(err) | ||
| } | ||
|
|
||
| policy, err := oktaMLPolicyFromResourceData(d) |
There was a problem hiding this comment.
Do we need to construct a whole policy from the resource data just to grab the ID? Maybe we can just read d.Id().
| }) | ||
| } | ||
|
|
||
| func oktaOktaMLPolicyDataSource(name string) string { |
There was a problem hiding this comment.
Weird name here 😄 did you meant oktaMLPolicyDataSource?
| func oktaOktaMLPolicyDataSource(name string) string { | |
| func oktaMLPolicyDataSource(name string) string { |
| { | ||
| Config: oktaOktaMLPolicyDataSource(rText), | ||
| }, |
There was a problem hiding this comment.
This test is not checking that the parameters are correctly received and assigned to the data source.
| { | |
| Config: oktaOktaMLPolicyDataSource(rText), | |
| }, | |
| { | |
| Config: oktaOktaMLPolicyDataSource(rText), | |
| Check: resource.ComposeTestCheckFunc( | |
| resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "name", fmt.Sprintf("Test Okta ML Policy %s", rText)), | |
| resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "description", fmt.Sprintf("Test Okta ML Policy Description %s", rText)), | |
| resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "enabled", "true"), | |
| resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "severity", "4"), | |
| ), | |
| }, |
|
Thank you Fede for reviewing and providing valuable feedback. I have pushed changes to cover feedback points. Seems like my commits aren't taking secrets and failing same common test cases. Could you please push empty commit from your end? |
Key changes:
Similar open PR: #675 (I'll close this once new one merged)