ENG-14573: Add knowledge of mask_all_occurrences config field

cyral/internal/repository/confanalysis/model.go

@@ -20,6 +20,7 @@ type UserConfig struct {
 	DisableFilterAnalysis      bool     `json:"disableFilterAnalysis"`
 	DisablePreConfiguredAlerts bool     `json:"disablePreConfiguredAlerts"`
 	EnableDataMasking          bool     `json:"enableDataMasking"`
+	MaskAllOccurrences         bool     `json:"maskAllOccurrences"`
 	LogGroups                  []string `json:"logGroups,omitempty"`
 	Redact                     string   `json:"redact"`
 	EnableDatasetRewrites      bool     `json:"enableDatasetRewrites"`
@@ -49,6 +50,7 @@ func (r *UserConfig) WriteToSchema(d *schema.ResourceData) error {
 	d.Set("disable_filter_analysis", r.DisableFilterAnalysis)
 	d.Set("disable_pre_configured_alerts", r.DisablePreConfiguredAlerts)
 	d.Set("enable_data_masking", r.EnableDataMasking)
+	d.Set("mask_all_occurrences", r.MaskAllOccurrences)
 	d.Set("log_groups", logGroupsSet)
 	d.Set("redact", r.Redact)
 	d.Set("enable_dataset_rewrites", r.EnableDatasetRewrites)
@@ -80,6 +82,7 @@ func (r *UserConfig) ReadFromSchema(d *schema.ResourceData) error {
 	r.DisableFilterAnalysis = d.Get("disable_filter_analysis").(bool)
 	r.DisablePreConfiguredAlerts = d.Get("disable_pre_configured_alerts").(bool)
 	r.EnableDataMasking = d.Get("enable_data_masking").(bool)
+	r.MaskAllOccurrences = d.Get("mask_all_occurrences").(bool)
 	r.CommentAnnotationGroups = annotationGroups
 	r.LogGroups = logGroups
 	r.Redact = d.Get("redact").(string)

cyral/internal/repository/confanalysis/resource.go

@@ -121,6 +121,16 @@ func repositoryConfAnalysisResourceSchemaV0() *schema.Resource {
 				Type:     schema.TypeBool,
 				Optional: true,
 			},
+			"mask_all_occurrences": {
+				Description: "If disabled (default behavior), masking is applicable to all returned values, " +
+					"ensuring users do not get any unmasked data, as defined by policies. (assuming enable_data_masking=true)" +
+					"When enabled, this flag also instructs sidecars that masking should be applied to all " +
+					"occurrences of the sensitive elements covered by masking policies, e.g occurrences in " +
+					"WHERE, HAVING or ON clauses. Enabling this may cause some performance degradation " +
+					"on large tables.",
+				Type:     schema.TypeBool,
+				Optional: true,
+			},
 			"block_on_violation": {
 				Description: "If set to `true` it will enable query blocking in case of a " +
 					"policy violation.",

cyral/internal/repository/confanalysis/resource_test.go

@@ -136,6 +136,8 @@ func testAccRepoConfAnalysisCheck_DefaultValues() resource.TestCheckFunc {
 			"disable_pre_configured_alerts", "false"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"enable_data_masking", "false"),
+		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
+			"mask_all_occurrences", "false"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"log_groups.#", "0"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",

docs/resources/repository_conf_analysis.md

@@ -23,6 +23,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
   disable_filter_analysis = false
   enable_dataset_rewrites = true
   enable_data_masking = true
+  mask_all_occurrences = true
   comment_annotation_groups = [ "identity" ]
   log_groups = [ "everything" ]
 }
@@ -37,6 +38,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   disable_filter_analysis = true
   enable_dataset_rewrites = false
   enable_data_masking = false
+  mask_all_occurrences = false
   comment_annotation_groups = []
   log_groups = []
 }