From e65258f7f85eed641cc6a1be3258c8589a27da66 Mon Sep 17 00:00:00 2001
From: Wilson de Carvalho <796900+wcmjunior@users.noreply.github.com>
Date: Thu, 18 Jan 2024 15:17:21 -0800
Subject: [PATCH] Adjust writing and style

---
 docs/guides/repo_level_policy.md | 127 ++++++++++-----------
 templates/guides/repo_level_policy.md.tmpl | 43 ++++---
 2 files changed, 84 insertions(+), 86 deletions(-)

diff --git a/docs/guides/repo_level_policy.md b/docs/guides/repo_level_policy.md
index ef82163d..c2c0f03c 100644
--- a/docs/guides/repo_level_policy.md
+++ b/docs/guides/repo_level_policy.md
@@ -13,44 +13,40 @@ We recommend further reading for more details: resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters) and how to use the pre-built repo-level policies in Terraform. -## Dataset Protection policy - --> **Note** The Dataset Protection policy template is only enabled by default in control planes -`v4.13` and later. If you have a previous version, please reach out to our customer success -team to enable it. +## Data Firewall policy -Add a Dataset Protection policy to restrict access to -specific tables or schemas in the data repositories: +Limit which rows users can read from a table: ```terraform -# Creates pg data repository +# Creates MySQL data repository resource "cyral_repository" "repo" { - type = "postgresql" - name = "my_pg" + type = "mysql" + name = "my_mysql" repo_node { - host = "pg.cyral.com" - port = 5432 + host = "mysql.cyral.com" + port = 3306 } } # create policy instance from template resource "cyral_rego_policy_instance" "policy" { - name = "dataset-protection" + name = "data-firewall-policy" category = "SECURITY" - description = "Blocks reads and updates over schema 'finance' and dataset 'cyral.customers'." 
- template_id = "dataset-protection"
- parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorReads\": true, \"datasets\": {\"disallowed\": [\"finance.*\", \"cyral.customers\"]}}"
+ description = "Filter 'finance.cards' when someone (except 'Admin' group) reads it"
+ template_id = "data-firewall"
+ parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
 enabled = true
 scope {
 repo_ids = [cyral_repository.repo.id]
 }
+ tags = ["tag1", "tag2"]
 }
 ```
 ## Data Masking policy
-Implement a repo-level policy to mask fields for specific users:
+Mask fields for specific users:
 ```terraform
 # Creates MySQL data repository
@@ -81,7 +77,7 @@ resource "cyral_rego_policy_instance" "policy" {
 ## Data Protection policy
-Add a repo-level policy to guard against unauthorized updates:
+Protect against unauthorized updates:
 ```terraform
 # Creates MySQL data repository
@@ -110,71 +106,43 @@ resource "cyral_rego_policy_instance" "policy" {
 }
 ```
-## Data Firewall policy
-
-Set up a repo-level policy to limit which rows users can read from a table:
-
-```terraform
-# Creates MySQL data repository
-resource "cyral_repository" "repo" {
- type = "mysql"
- name = "my_mysql"
-
- repo_node {
- host = "mysql.cyral.com"
- port = 3306
- }
-}
-
-# create policy instance from template
-resource "cyral_rego_policy_instance" "policy" {
- name = "data-firewall-policy"
- category = "SECURITY"
- description = "Filter 'finance.cards' when someone (except 'Admin' group) reads it"
- template_id = "data-firewall"
- parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
- enabled = true
- scope {
- repo_ids = [cyral_repository.repo.id]
- }
- tags = ["tag1", "tag2"]
-}
-```
+## Dataset Protection policy
-## User Segmentation policy
+-> **Note** The Dataset Protection policy template is only enabled by default in control planes
+`v4.13` and later. If you have a previous version, please reach out to our customer success
+team to enable it.
-Implement a repo-level policy to limit which rows a set of users can read from your database:
+Restrict access to specific tables or schemas in the data repositories:
 ```terraform
-# Creates MySQL data repository
+# Creates pg data repository
 resource "cyral_repository" "repo" {
- type = "mysql"
- name = "my_mysql"
+ type = "postgresql"
+ name = "my_pg"
 repo_node {
- host = "mysql.cyral.com"
- port = 3306
+ host = "pg.cyral.com"
+ port = 5432
 }
 }
 # create policy instance from template
 resource "cyral_rego_policy_instance" "policy" {
- name = "user-segmentation-policy"
+ name = "dataset-protection"
 category = "SECURITY"
- description = "Applies a data filter in 'finance.cards' when someone from group 'Marketing' reads data labeled as 'CCN'"
- template_id = "user-segmentation"
- parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
+ description = "Blocks reads and updates over schema 'finance' and dataset 'cyral.customers'."
+ template_id = "dataset-protection"
+ parameters = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorReads\": true, \"datasets\": {\"disallowed\": [\"finance.*\", \"cyral.customers\"]}}"
 enabled = true
 scope {
 repo_ids = [cyral_repository.repo.id]
 }
- tags = ["tag1", "tag2"]
 }
 ```
 ## Rate Limit policy
-Add a repo-level policy to implement a threshold on sensitive data reads over time:
+Set up a threshold on sensitive data reads over time:
 ```terraform
 # Creates pg data repository
@@ -205,7 +173,7 @@ resource "cyral_rego_policy_instance" "policy" {
 ## Read Limit policy
-Implement a repo-level policy to prevent certain records from being read beyond a specified limit:
+Prevent certain records from being read beyond a specified limit:
 ```terraform
 # Creates pg data repository
@@ -235,7 +203,7 @@ resource "cyral_rego_policy_instance" "policy" {
 ## Repository Protection policy
-Set up a repo-level policy to alert when more than a specified number of records are updated or deleted:
+Alert when more than a specified number of records are updated or deleted:
 ```terraform
 # Creates MySQL data repository
@@ -265,7 +233,7 @@ resource "cyral_rego_policy_instance" "policy" {
 ## Service Account Abuse policy
-Implement a repo-level policy to ensure service accounts can only be used by intended applications:
+Ensure service accounts can only be used by intended applications:
 ```terraform
 # Creates pg data repository
@@ -292,3 +260,34 @@ resource "cyral_rego_policy_instance" "policy" {
 }
 }
 ```
+
+## User Segmentation policy
+
+Limit which rows a set of users can read from your database:
+
+```terraform
+# Creates MySQL data repository
+resource "cyral_repository" "repo" {
+ type = "mysql"
+ name = "my_mysql"
+
+ repo_node {
+ host = "mysql.cyral.com"
+ port = 3306
+ }
+}
+
+# create policy instance from template
+resource "cyral_rego_policy_instance" "policy" {
+ name = "user-segmentation-policy"
+ category = "SECURITY"
+ description = "Applies a data filter in 'finance.cards' when someone from group 'Marketing' reads data labeled as 'CCN'"
+ template_id = "user-segmentation"
+ parameters = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
+ enabled = true
+ scope {
+ repo_ids = [cyral_repository.repo.id]
+ }
+ tags = ["tag1", "tag2"]
+}
+```
diff --git a/templates/guides/repo_level_policy.md.tmpl b/templates/guides/repo_level_policy.md.tmpl
index 571ee3f1..073abebd 100644
--- a/templates/guides/repo_level_policy.md.tmpl
+++ b/templates/guides/repo_level_policy.md.tmpl
@@ -13,61 +13,60 @@ docs for a complete documentation about the Cyral policy framework. resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters) and how to use the pre-built repo-level policies in Terraform. -## Dataset Protection policy - --> **Note** The Dataset Protection policy template is only enabled by default in control planes -`v4.13` and later. If you have a previous version, please reach out to our customer success -team to enable it. +## Data Firewall policy -Add a Dataset Protection policy to restrict access to -specific tables or schemas in the data repositories: +Limit which rows users can read from a table: -{{ tffile "examples/guides/repo_level_policy_dataset_protection.tf" }} +{{ tffile "examples/guides/repo_level_policy_data_firewall.tf" }} ## Data Masking policy -Implement a repo-level policy to mask fields for specific users: +Mask fields for specific users: {{ tffile "examples/guides/repo_level_policy_data_masking.tf" }} ## Data Protection policy -Add a repo-level policy to guard against unauthorized updates: +Protect against unauthorized updates: {{ tffile "examples/guides/repo_level_policy_data_protection.tf" }} -## Data Firewall policy - -Set up a repo-level policy to limit which rows users can read from a table: - -{{ tffile "examples/guides/repo_level_policy_data_firewall.tf" }} +## Dataset Protection policy -## User Segmentation policy +-> **Note** The Dataset Protection policy template is only enabled by default in control planes +`v4.13` and later. If you have a previous version, please reach out to our customer success +team to enable it. 
-Implement a repo-level policy to limit which rows a set of users can read from your database:
+Restrict access to specific tables or schemas in the data repositories:
-{{ tffile "examples/guides/repo_level_policy_user_segmentation.tf" }}
+{{ tffile "examples/guides/repo_level_policy_dataset_protection.tf" }}
 ## Rate Limit policy
-Add a repo-level policy to implement a threshold on sensitive data reads over time:
+Set up a threshold on sensitive data reads over time:
 {{ tffile "examples/guides/repo_level_policy_rate_limit.tf" }}
 ## Read Limit policy
-Implement a repo-level policy to prevent certain records from being read beyond a specified limit:
+Prevent certain records from being read beyond a specified limit:
 {{ tffile "examples/guides/repo_level_policy_read_limit.tf" }}
 ## Repository Protection policy
-Set up a repo-level policy to alert when more than a specified number of records are updated or deleted:
+Alert when more than a specified number of records are updated or deleted:
 {{ tffile "examples/guides/repo_level_policy_repository_protection.tf" }}
 ## Service Account Abuse policy
-Implement a repo-level policy to ensure service accounts can only be used by intended applications:
+Ensure service accounts can only be used by intended applications:
 {{ tffile "examples/guides/repo_level_policy_service_account_abuse.tf" }}
+
+## User Segmentation policy
+
+Limit which rows a set of users can read from your database:
+
+{{ tffile "examples/guides/repo_level_policy_user_segmentation.tf" }}