ENG-14563: Policy Sets

[gengdahlCyral]

Description of the change

The pull request introduces a new Terraform resource and data source named cyral_policy_set to the Cyral Terraform provider.

This addition enables users to manage policy sets in the Cyral platform using the Policy Wizard V1 API through Terraform. The PR includes the implementation of the resource and data source, schema definitions, models, and accompanying tests. It also updates the provider's documentation and examples to reflect the new resource. Manual tests included in the PR confirm that users can successfully create, read, update, import, and delete policy sets using Terraform configurations with the new resource.

Type of change

• Bug fix (non-breaking change that fixes an issue)
• New feature (non-breaking change that adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)

Checklists

Development

• Lint rules pass locally
• The code changed/added as part of this pull request has been covered with tests
• All tests related to the changed code pass in development

Code review

• This pull request has a descriptive title and information useful to a reviewer. There may be a screenshot or screencast attached
• Jira issue referenced in commit message and/or PR title

Testing

Create a policy set and get it by curl

goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ cat main.tf 
terraform {
  required_providers {
    cyral = {
      source = "local/terraform/cyral"
    }
  }
}


provider "cyral" {
    client_id = ""
    client_secret = ""
    control_plane = ""
}

goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ cat create_policy_set.tf 
resource "cyral_policy_wizard_v1" "repo_lockdown_example" {
  wizard_id    = "repo-lockdown"
  name        = "no block"
  wizard_parameters    = jsonencode({
    denyByDefault = false
    failClosed = false
    })
}
goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ terraform init
Initializing the backend...
Initializing provider plugins...
- Finding latest version of local/terraform/cyral...
- Installing local/terraform/cyral v4.14.1...
- Installed local/terraform/cyral v4.14.1 (unauthenticated)
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.

╷
│ Warning: Incomplete lock file information for providers
│ 
│ Due to your customized provider installation methods, Terraform was forced to calculate lock file checksums locally for the following providers:
│   - local/terraform/cyral
│ 
│ The current .terraform.lock.hcl file only includes checksums for linux_amd64, so Terraform running on another platform will fail to install these providers.
│ 
│ To calculate additional checksums for another platform, run:
│   terraform providers lock -platform=linux_amd64
│ (where linux_amd64 is the platform to generate)
╵
Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # cyral_policy_wizard_v1.repo_lockdown_example will be created
  + resource "cyral_policy_wizard_v1" "repo_lockdown_example" {
      + created           = (known after apply)
      + id                = (known after apply)
      + last_updated      = (known after apply)
      + name              = "no block"
      + policies          = (known after apply)
      + wizard_id         = "repo-lockdown"
      + wizard_parameters = jsonencode(
            {
              + denyByDefault = false
              + failClosed    = false
            }
        )
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cyral_policy_wizard_v1.repo_lockdown_example: Creating...
cyral_policy_wizard_v1.repo_lockdown_example: Creation complete after 2s [id=9070b72b-88ba-4244-9c87-fb2d74e9026e]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ curl --location 'https://ge0805-main-a01.sandbox.owlsdev.net/v1/policyWizards/policySets/9070b72b-88ba-4244-9c87-fb2d74e9026e' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer xx'
{"id":"9070b72b-88ba-4244-9c87-fb2d74e9026e","wizardId":"repo-lockdown","name":"no block","description":"","tags":[],"scope":null,"wizardParameters":"{\"denyByDefault\":false,\"failClosed\":false}","enabled":false,"policies":[],"lastUpdated":{"actor":"###","actorType":"ACTOR_TYPE_API_CLIENT","timestamp":"2024-11-26T09:23:28.327218029Z"},"created":{"actor":"###","actorType":"ACTOR_TYPE_API_CLIENT","timestamp":"2024-11-26T09:23:28.327218029Z"}}goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ 

Update the policy set

goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ cat create_policy_set.tf 
resource "cyral_repository" "myrepo" {
    type = "mongodb"
    name = "myrepo"

    repo_node {
        name = "node-1"
        host = "mongodb.cyral.com"
        port = 27017
    }

    mongodb_settings {
      server_type = "standalone"
    }
}

resource "cyral_policy_wizard_v1" "repo_lockdown_example" {
  wizard_id    = "repo-lockdown"
  name        = "no block"
  description = "This default policy will block by default all queries for myrepo"
  enabled = true
  tags = ["default block", "fail closed"]
    scope {
    repo_ids = [cyral_repository.myrepo.id]
  }
  wizard_parameters    = jsonencode({
    denyByDefault = true
    failClosed = true
    })
}
goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ terraform apply
cyral_policy_wizard_v1.repo_lockdown_example: Refreshing state... [id=9070b72b-88ba-4244-9c87-fb2d74e9026e]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
  ~ update in-place

Terraform will perform the following actions:

  # cyral_policy_wizard_v1.repo_lockdown_example will be updated in-place
  ~ resource "cyral_policy_wizard_v1" "repo_lockdown_example" {
      + description       = "This default policy will block by default all queries for myrepo"
      ~ enabled           = false -> true
        id                = "9070b72b-88ba-4244-9c87-fb2d74e9026e"
        name              = "no block"
      ~ tags              = [
          + "default block",
          + "fail closed",
        ]
      ~ wizard_parameters = jsonencode(
          ~ {
              ~ denyByDefault = false -> true
              ~ failClosed    = false -> true
            }
        )
        # (4 unchanged attributes hidden)

      + scope {
          + repo_ids = (known after apply)
        }
    }

  # cyral_repository.myrepo will be created
  + resource "cyral_repository" "myrepo" {
      + id   = (known after apply)
      + name = "myrepo"
      + type = "mongodb"

      + mongodb_settings {
          + server_type      = "standalone"
            # (3 unchanged attributes hidden)
        }

      + repo_node {
          + host = "mongodb.cyral.com"
          + name = "node-1"
          + port = 27017
        }
    }

Plan: 1 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cyral_repository.myrepo: Creating...
cyral_repository.myrepo: Creation complete after 1s [id=2pNjdZrLumoRaDQWgxddxld3vmR]
cyral_policy_wizard_v1.repo_lockdown_example: Modifying... [id=9070b72b-88ba-4244-9c87-fb2d74e9026e]
cyral_policy_wizard_v1.repo_lockdown_example: Modifications complete after 1s [id=9070b72b-88ba-4244-9c87-fb2d74e9026e]

Apply complete! Resources: 1 added, 1 changed, 0 destroyed.
goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ curl --location 'https://ge0805-main-a01.sandbox.owlsdev.net/v1/policyWizards/policySets/9070b72b-88ba-4244-9c87-fb2d74e9026e' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer xxx'
{"id":"9070b72b-88ba-4244-9c87-fb2d74e9026e","wizardId":"repo-lockdown","name":"no block","description":"This default policy will block by default all queries for myrepo","tags":["default block","fail closed"],"scope":{"repoIds":["2pNjdZrLumoRaDQWgxddxld3vmR"]},"wizardParameters":"{\"denyByDefault\":true,\"failClosed\":true}","enabled":true,"policies":[{"type":"POLICY_TYPE_REGO","id":"2pNjdeuPj6MaNWTArPsvYf3nA5N"},{"type":"POLICY_TYPE_REGO","id":"2pNjdacqKt4hdgigTNC65Ippc7r"},{"type":"POLICY_TYPE_LOCAL","id":"17ddef3a-6f7e-434f-b31b-a2ec8702c423"},{"type":"POLICY_TYPE_GLOBAL","id":"9518a7d9-d89c-4183-9a55-1c74561b531e"}],"lastUpdated":{"actor":"###","actorType":"ACTOR_TYPE_API_CLIENT","timestamp":"2024-11-26T09:31:55.293777121Z"},"created":{"actor":"###","actorType":"ACTOR_TYPE_API_CLIENT","timestamp":"2024-11-26T09:23:28.327218029Z"}}goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$

Testing data source

data "cyral_policy_wizard_v1" "repo_lockdown_example" {
  id   = cyral_policy_wizard_v1.repo_lockdown_example.id
}

output "name" {
  value = data.cyral_policy_wizard_v1.repo_lockdown_example.name
}

output "description" {
  value = data.cyral_policy_wizard_v1.repo_lockdown_example.description
}

output "wizard_parameters" {
  value = data.cyral_policy_wizard_v1.repo_lockdown_example.wizard_parameters
}
terraform apply
cyral_repository.myrepo: Refreshing state... [id=2pNjdZrLumoRaDQWgxddxld3vmR]
cyral_policy_wizard_v1.repo_lockdown_example: Refreshing state... [id=9070b72b-88ba-4244-9c87-fb2d74e9026e]
data.cyral_policy_wizard_v1.repo_lockdown_example: Reading...
data.cyral_policy_wizard_v1.repo_lockdown_example: Read complete after 1s [id=9070b72b-88ba-4244-9c87-fb2d74e9026e]

Changes to Outputs:
  + description       = "This default policy will block by default all queries for myrepo"
  + name              = "no block"
  + wizard_parameters = jsonencode(
        {
          + denyByDefault = true
          + failClosed    = true
        }
    )

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

description = "This default policy will block by default all queries for myrepo"
name = "no block"
wizard_parameters = "{\"denyByDefault\":true,\"failClosed\":true}"

Delete policy set

terraform apply
cyral_policy_wizard_v1.repo_lockdown_example: Refreshing state... [id=9070b72b-88ba-4244-9c87-fb2d74e9026e]
cyral_repository.myrepo: Refreshing state... [id=2pNjdZrLumoRaDQWgxddxld3vmR]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # cyral_policy_wizard_v1.repo_lockdown_example will be destroyed
  # (because cyral_policy_wizard_v1.repo_lockdown_example is not in configuration)
  - resource "cyral_policy_wizard_v1" "repo_lockdown_example" {
      - created           = {
          - "actor"      = "###"
          - "actor_type" = "ACTOR_TYPE_API_CLIENT"
          - "timestamp"  = "2024-11-26T09:23:28.327218029Z"
        } -> null
      - description       = "This default policy will block by default all queries for myrepo" -> null
      - enabled           = true -> null
      - id                = "9070b72b-88ba-4244-9c87-fb2d74e9026e" -> null
      - last_updated      = {
          - "actor"      = "###"
          - "actor_type" = "ACTOR_TYPE_API_CLIENT"
          - "timestamp"  = "2024-11-26T09:31:55.293777121Z"
        } -> null
      - name              = "no block" -> null
      - policies          = [
          - {
              - id   = "2pNjdeuPj6MaNWTArPsvYf3nA5N"
              - type = "POLICY_TYPE_REGO"
            },
          - {
              - id   = "2pNjdacqKt4hdgigTNC65Ippc7r"
              - type = "POLICY_TYPE_REGO"
            },
          - {
              - id   = "17ddef3a-6f7e-434f-b31b-a2ec8702c423"
              - type = "POLICY_TYPE_LOCAL"
            },
          - {
              - id   = "9518a7d9-d89c-4183-9a55-1c74561b531e"
              - type = "POLICY_TYPE_GLOBAL"
            },
        ] -> null
      - tags              = [
          - "default block",
          - "fail closed",
        ] -> null
      - wizard_id         = "repo-lockdown" -> null
      - wizard_parameters = jsonencode(
            {
              - denyByDefault = true
              - failClosed    = true
            }
        ) -> null

      - scope {
          - repo_ids = [
              - "2pNjdZrLumoRaDQWgxddxld3vmR",
            ] -> null
        }
    }

  # cyral_repository.myrepo will be destroyed
  # (because cyral_repository.myrepo is not in configuration)
  - resource "cyral_repository" "myrepo" {
      - id     = "2pNjdZrLumoRaDQWgxddxld3vmR" -> null
      - labels = [] -> null
      - name   = "myrepo" -> null
      - type   = "mongodb" -> null

      - mongodb_settings {
          - server_type      = "standalone" -> null
            # (3 unchanged attributes hidden)
        }

      - repo_node {
          - dynamic = false -> null
          - host    = "mongodb.cyral.com" -> null
          - name    = "node-1" -> null
          - port    = 27017 -> null
        }
    }

Plan: 0 to add, 0 to change, 2 to destroy.

Changes to Outputs:
  - description       = "This default policy will block by default all queries for myrepo" -> null
  - name              = "no block" -> null
  - wizard_parameters = jsonencode(
        {
          - denyByDefault = true
          - failClosed    = true
        }
    ) -> null

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

cyral_policy_wizard_v1.repo_lockdown_example: Destroying... [id=9070b72b-88ba-4244-9c87-fb2d74e9026e]
cyral_policy_wizard_v1.repo_lockdown_example: Destruction complete after 1s
cyral_repository.myrepo: Destroying... [id=2pNjdZrLumoRaDQWgxddxld3vmR]
cyral_repository.myrepo: Destruction complete after 1s

Apply complete! Resources: 0 added, 0 changed, 2 destroyed.
goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ curl --location 'https://ge0805-main-a01.sandbox.owlsdev.net/v1/policyWizards/policySets/9070b72b-88ba-4244-9c87-fb2d74e9026e' \
--header 'Accept: application/json' \
--header 'Authorization: Bearer xxx'
{"code":5,"message":"policy set with ID 9070b72b-88ba-4244-9c87-fb2d74e9026e not found","details":[]}goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ 

Importing a policy set

goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ cat import.tf 
# Local Policy
#resource "cyral_policy_v2" "imported_local_policy" {}

# Global Policy
#resource "cyral_policy_v2" "imported_global_policy" {}

# Approval Policy
#resource "cyral_policy_v2" "imported_approval_policy" {}

# Policy set
resource "cyral_policy_wizard_v1" "imported_policy_set" {}


# terraform import cyral_policy_v2.imported_local_policy POLICY_TYPE_LOCAL/a296e3e5-cdb9-496c-a7bd-3088921be32f
# terraform import cyral_policy_v2.imported_global_policy POLICY_TYPE_GLOBAL/abc123
# terraform import cyral_policy_v2.imported_approval_policy POLICY_TYPE_APPROVAL/abc123
# terraform import cyral_policy_wizard_v1.imported_policy_set 6f0ed502-192d-4421-8b36-a47431a77e66


goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ terraform import cyral_policy_wizard_v1.imported_policy_set 000bd59a-0422-4467-b81e-837662fa1961
cyral_policy_wizard_v1.imported_policy_set: Importing from ID "000bd59a-0422-4467-b81e-837662fa1961"...
cyral_policy_wizard_v1.imported_policy_set: Import prepared!
  Prepared cyral_policy_wizard_v1 for import
cyral_policy_wizard_v1.imported_policy_set: Refreshing state... [id=000bd59a-0422-4467-b81e-837662fa1961]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ ls
disabled  import.tf  main.tf  terraform.tfstate  terraform.tfstate.backup
goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ cat terraform.tfstate
{
  "version": 4,
  "terraform_version": "1.9.8",
  "serial": 9,
  "lineage": "ea113b00-835c-9aa2-81e2-b50b535489d3",
  "outputs": {},
  "resources": [
    {
      "mode": "managed",
      "type": "cyral_policy_wizard_v1",
      "name": "imported_policy_set",
      "provider": "provider[\"local/terraform/cyral\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "created": {
              "actor": "###",
              "actor_type": "ACTOR_TYPE_API_CLIENT",
              "timestamp": "2024-11-25T12:55:49.513809108Z"
            },
            "description": "Test description",
            "enabled": true,
            "id": "000bd59a-0422-4467-b81e-837662fa1961",
            "last_updated": {
              "actor": "###",
              "actor_type": "ACTOR_TYPE_API_CLIENT",
              "timestamp": "2024-11-25T12:55:49.513809108Z"
            },
            "name": "Test name",
            "policies": [
              {
                "id": "2pLJJM2YrCt63sINlsujzrFVONw",
                "type": "POLICY_TYPE_REGO"
              },
              {
                "id": "2pLJJS46O2FqvarfGx3SN6sYcz6",
                "type": "POLICY_TYPE_REGO"
              },
              {
                "id": "d274de7a-188b-4200-9f1a-6d39b272e22b",
                "type": "POLICY_TYPE_LOCAL"
              },
              {
                "id": "06e58a45-b6c5-4293-8d71-927cc6708b10",
                "type": "POLICY_TYPE_GLOBAL"
              }
            ],
            "scope": [
              {
                "repo_ids": []
              }
            ],
            "tags": [
              "atag",
              "btag"
            ],
            "wizard_id": "repo-lockdown",
            "wizard_parameters": "{\"failClosed\":true,\"denyByDefault\":true}"
          },
          "sensitive_attributes": [],
          "private": "eyJzY2hlbWFfdmVyc2lvbiI6IjAifQ=="
        }
      ]
    }
  ],
  "check_results": null
}
goran@goran-engdahl-ThinkPad-P1-Gen-6:~/work/terraform$ 

[yoursnerdly]

URLs should usually be created using the URL type to avoid any (potential) escaping issues etc.

[gengdahlCyral]

Please see this change that introduce use of URL type b95bd0b

[yoursnerdly]

Question about type for the scope in the schema, otherwise looks fine to me.

I'm not too familiar with terraform, @wcmjunior is likely to have more feedback.

[yoursnerdly]

Should this not be TypeMap?

[yoursnerdly]

In line with my question on schema definition: I'm confused. Why should the scope be represented as a list of maps (the map containing a single key repo_ids for which the value is a list of strings)?

[gengdahlCyral]

Policy uses list, rego policies set, I think I had a discussion on this with Pedro but can't recall. Right now it's aligned with other resources we have, not sure we want to change this?
@wcmjunior any input here?

Here is a test I did.
Both the resource and the dataset use type list (as policy resource/datasource also does).
And it works as expected on create, eg you do:

resource "cyral_policy_set" "repo_lockdown_example" {
  wizard_id    = "repo-lockdown"
  name        = "no block"
  description = "This default policy will block by default all queries for myrepo"
  enabled = true
  tags = ["default block", "fail closed"]
    scope {
    repo_ids = [cyral_repository.myrepo.id,cyral_repository.myrepo.id]
  }
  wizard_parameters    = jsonencode({
    denyByDefault = true
    failClosed = true
    })
}

which will create a set with those two repos in scope. Reading it back gives you this.

terraform apply
cyral_repository.myrepo2: Refreshing state... [id=2pRnxNKLVIvEnn2t5ZRRRfTICwO]
cyral_repository.myrepo: Refreshing state... [id=2pRnxKQivus0V1W884De2Bb9shX]
cyral_policy_set.repo_lockdown_example: Refreshing state... [id=eba9157f-ff97-4abc-ae9e-9c48d4eedb03]
data.cyral_policy_set.repo_lockdown_example: Reading...
data.cyral_policy_set.repo_lockdown_example: Read complete after 0s [id=eba9157f-ff97-4abc-ae9e-9c48d4eedb03]

Changes to Outputs:
  + description       = "This default policy will block by default all queries for myrepo"
  + name              = "no block"
  + scope             = [
      + {
          + repo_ids = [
              + "2pRnxKQivus0V1W884De2Bb9shX",
              + "2pRnxKQivus0V1W884De2Bb9shX",
            ]
        },
    ]
  + wizard_parameters = jsonencode(
        {
          + denyByDefault = true
          + failClosed    = true
        }
    )

You can apply this plan to save these new output values to the Terraform state, without changing any real infrastructure.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes


Apply complete! Resources: 0 added, 0 changed, 0 destroyed.

Outputs:

description = "This default policy will block by default all queries for myrepo"
name = "no block"
scope = tolist([
  {
    "repo_ids" = tolist([
      "2pRnxKQivus0V1W884De2Bb9shX",
      "2pRnxKQivus0V1W884De2Bb9shX",
    ])
  },
])
wizard_parameters = "{\"denyByDefault\":true,\"failClosed\":true}"

[gengdahlCyral]

The SDK does not support defining a TypeMap with an Elem of *schema.Resource{}. Attempting to do so results in an error:
TypeMap with Elem *Resource not supported, use TypeList/TypeSet with Elem *Resource or TypeMap with Elem *Schema
The scope field represents a nested block that can contain multiple attributes and potentially be extended in the future. Using a TypeList with an Elem of *schema.Resource{} allows us to define a complex nested structure and is therefore what we need to do here (or possibly go with set).

[yoursnerdly]

Would TypeMap with Elem *Schema work? Sorry this may be a dumb question, I don't quite understand the difference between Resource and Schema in this context.

[wcmjunior]

There is no need for v1.

[gengdahlCyral]

eaaf902

[wcmjunior]

Same unnecessary v1.

[gengdahlCyral]

eaaf902

[yoursnerdly]

Ran acceptance and manual tests again, and everything appears to be working as expected.

[yoursnerdly]

LGTM

[yoursnerdly]

This is unused and was inadvertently left over in the previous PR.

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
26.5% Duplication on New Code

See analysis details on SonarQube Cloud

[gengdahlCyral]

LGTM