Rollback operations supported by datasetprotection policy (#501)

* Rollback operations supported by datasetprotection policy * Remove dataset-protection reference * Actually delete the file
cyralinc · Jan 31, 2024 · 7f2ccec · 7f2ccec
1 parent c3e5bd7
commit 7f2ccec
Show file tree

Hide file tree

Showing 5 changed files with 0 additions and 111 deletions.
diff --git a/docs/guides/repo_level_policy.md b/docs/guides/repo_level_policy.md
@@ -110,42 +110,6 @@ resource "cyral_rego_policy_instance" "policy" {
 }
 ```
 
-## Example: dataset protection
-
--> **Note** The Dataset Protection policy template is only enabled by default in control planes
-`v4.13` and later. If you have a previous version, please reach out to our customer success
-team to enable it.
-
-Restrict access to specific tables or schemas in the data repositories:
-
-```terraform
-# Creates pg data repository
-resource "cyral_repository" "pg1" {
-  type = "postgresql"
-  name = "pg-1"
-
-  repo_node {
-    host = "pg.cyral.com"
-    port = 5432
-  }
-}
-
-# Creates a policy instance from template to raise a 'high' alert
-# and block updates and reads on schema 'finance' and dataset
-# 'cyral.customers'
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "dataset-protection"
-  category    = "SECURITY"
-  description = "Raise a 'high' alert and block updates and reads on schema 'finance' and dataset 'cyral.customers'"
-  template_id = "dataset-protection"
-  parameters  = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorReads\": true, \"datasets\": {\"disallowed\": [\"finance.*\", \"cyral.customers\"]}}"
-  enabled     = true
-  scope {
-    repo_ids = [cyral_repository.pg1.id]
-  }
-}
-```
-
 ## Example: rate limit
 
 Set up a threshold on sensitive data reads over time:

diff --git a/docs/resources/rego_policy_instance.md b/docs/resources/rego_policy_instance.md
@@ -151,22 +151,6 @@ All templates use parameters defined as JSON, below is a list of all the corresp
 - `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
 - `includedDbAccounts` (Array) Database accounts cannot see restricted records.
 
-### Dataset Protection (dataset-protection)
-
-- `block` (Boolean) Policy action to enforce.
-- `monitorReads` (Boolean) Monitor read operations.
-- `monitorUpdates` (Boolean) Monitor update operations.
-- `monitorDeletes` (Boolean) Monitor delete operations.
-- `monitorInserts` (Boolean) Monitor insert operations.
-- `monitorAlters` (Boolean) Monitor alters operations.
-- `monitorDrops` (Boolean) Monitor drops operations.
-- `monitorDumps` (Boolean) Monitor dump operations.
-- `tags` (Array) Tags.
-- `datasets` (Object) Datasets associated to the policy. See [datasets](#objects--datasets).
-- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
-- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
-- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-
 <a id="parameter-objects"></a>
 
 ### Objects
@@ -180,10 +164,6 @@ All templates use parameters defined as JSON, below is a list of all the corresp
 - `dbAccounts` (Object) Database Accounts. See properties below:
   - `included` (Array) Included Database Accounts.
   - `excluded` (Array) Excluded Database Accounts.
-    <a id="objects--datasets"></a>
-- `datasets` (Object) Datasets. See properties below:
-  - `allowed` (Array) Datasets allowed by the policy. Accepts wildcards such as `cyral.*`
-  - `disallowed` (Array) Datasets disallowed by the policy. Accepts wildcards such as `cyral.*`
     <a id="objects--identityList"></a>
 - `identityList` (Object) Identity List. See properties below:
   - `userNames` (Array) Identity Emails.

diff --git a/examples/guides/repo_level_policies/dataset_protection.tf b/examples/guides/repo_level_policies/dataset_protection.tf
diff --git a/templates/guides/repo_level_policy.md.tmpl b/templates/guides/repo_level_policy.md.tmpl
@@ -31,16 +31,6 @@ Protect against unauthorized updates:
 
 {{ tffile "examples/guides/repo_level_policies/data_protection.tf" }}
 
-## Example: dataset protection
-
--> **Note** The Dataset Protection policy template is only enabled by default in control planes
-`v4.13` and later. If you have a previous version, please reach out to our customer success
-team to enable it.
-
-Restrict access to specific tables or schemas in the data repositories:
-
-{{ tffile "examples/guides/repo_level_policies/dataset_protection.tf" }}
-
 ## Example: rate limit
 
 Set up a threshold on sensitive data reads over time:

diff --git a/templates/resources/rego_policy_instance.md.tmpl b/templates/resources/rego_policy_instance.md.tmpl
@@ -94,22 +94,6 @@ All templates use parameters defined as JSON, below is a list of all the corresp
 - `includedIdentities` (Object) Identities that cannot see restricted records. See [identityList](#objects--identityList).
 - `includedDbAccounts` (Array) Database accounts cannot see restricted records.
 
-### Dataset Protection (dataset-protection)
-
-- `block` (Boolean) Policy action to enforce.
-- `monitorReads` (Boolean) Monitor read operations.
-- `monitorUpdates` (Boolean) Monitor update operations.
-- `monitorDeletes` (Boolean) Monitor delete operations.
-- `monitorInserts` (Boolean) Monitor insert operations.
-- `monitorAlters` (Boolean) Monitor alters operations.
-- `monitorDrops` (Boolean) Monitor drops operations.
-- `monitorDumps` (Boolean) Monitor dump operations.
-- `tags` (Array) Tags.
-- `datasets` (Object) Datasets associated to the policy. See [datasets](#objects--datasets).
-- `identities` (Object) Identities associated to the policy. If empty, the policy will be associated to all identities. See [identities](#objects--identities).
-- `dbAccounts` (Object) Database Accounts associated to the policy. If empty, the policy will be associated to any database account. See [dbAccounts](#objects--dbAccounts).
-- `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
-
 <a id="parameter-objects"></a>
 ### Objects
 <a id="objects--identities"></a>
@@ -120,10 +104,6 @@ All templates use parameters defined as JSON, below is a list of all the corresp
 - `dbAccounts` (Object) Database Accounts. See properties below:
   - `included` (Array) Included Database Accounts.
   - `excluded` (Array) Excluded Database Accounts.
-<a id="objects--datasets"></a>
-- `datasets` (Object) Datasets. See properties below:
-  - `allowed` (Array) Datasets allowed by the policy. Accepts wildcards such as `cyral.*`
-  - `disallowed` (Array) Datasets disallowed by the policy. Accepts wildcards such as `cyral.*`
 <a id="objects--identityList"></a>
 - `identityList` (Object) Identity List. See properties below:
   - `userNames` (Array) Identity Emails.