diff --git a/cyral/internal/repository/confanalysis/model.go b/cyral/internal/repository/confanalysis/model.go
index e304c76a..23fe6204 100644
--- a/cyral/internal/repository/confanalysis/model.go
+++ b/cyral/internal/repository/confanalysis/model.go
@@ -20,6 +20,7 @@ type UserConfig struct {
 DisableFilterAnalysis bool `json:"disableFilterAnalysis"`
 DisablePreConfiguredAlerts bool `json:"disablePreConfiguredAlerts"`
 EnableDataMasking bool `json:"enableDataMasking"`
+ MaskAllOccurrences bool `json:"maskAllOccurrences"`
 LogGroups []string `json:"logGroups,omitempty"`
 Redact string `json:"redact"`
 EnableDatasetRewrites bool `json:"enableDatasetRewrites"`
@@ -49,6 +50,7 @@ func (r *UserConfig) WriteToSchema(d *schema.ResourceData) error {
 d.Set("disable_filter_analysis", r.DisableFilterAnalysis)
 d.Set("disable_pre_configured_alerts", r.DisablePreConfiguredAlerts)
 d.Set("enable_data_masking", r.EnableDataMasking)
+ d.Set("mask_all_occurrences", r.MaskAllOccurrences)
 d.Set("log_groups", logGroupsSet)
 d.Set("redact", r.Redact)
 d.Set("enable_dataset_rewrites", r.EnableDatasetRewrites)
@@ -80,6 +82,7 @@ func (r *UserConfig) ReadFromSchema(d *schema.ResourceData) error {
 r.DisableFilterAnalysis = d.Get("disable_filter_analysis").(bool)
 r.DisablePreConfiguredAlerts = d.Get("disable_pre_configured_alerts").(bool)
 r.EnableDataMasking = d.Get("enable_data_masking").(bool)
+ r.MaskAllOccurrences = d.Get("mask_all_occurrences").(bool)
 r.CommentAnnotationGroups = annotationGroups
 r.LogGroups = logGroups
 r.Redact = d.Get("redact").(string)
diff --git a/cyral/internal/repository/confanalysis/resource.go b/cyral/internal/repository/confanalysis/resource.go
index 044497a3..9e7ffee0 100644
--- a/cyral/internal/repository/confanalysis/resource.go
+++ b/cyral/internal/repository/confanalysis/resource.go
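Review bot: The added `d.Set("mask_all_occurrences", r.MaskAllOccurrences)` in WriteToSchema discards the error that `d.Set` returns, as the neighbouring calls do. If the key or value ever stops matching the schema, the masking setting would silently be missing from state, and drift on a control that decides how much data is masked would go unreported. Consider `if err := d.Set("mask_all_occurrences", r.MaskAllOccurrences); err != nil { return err }`. WriteToSchema's body starts and ends outside the hunk.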
@@ -121,6 +121,16 @@ func repositoryConfAnalysisResourceSchemaV0() *schema.Resource {
 Type: schema.TypeBool,
 Optional: true,
 },
+ "mask_all_occurrences": {
+ Description: "If set to `true` it will also mask filtering conditions like in" +
+ " `WHERE`, `HAVING` or `ON` clauses. **Note**: Enabling this may cause some" +
+ " performance degradation on large tables. It is required to set" +
+ " `enable_data_masking=true` to use this feature.",
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: false,
+ RequiredWith: []string{"enable_data_masking"},
+ },
 "block_on_violation": {
 Description: "If set to `true` it will enable query blocking in case of a " +
 "policy violation.",
diff --git a/cyral/internal/repository/confanalysis/resource_test.go b/cyral/internal/repository/confanalysis/resource_test.go
index c1e4a668..53049de6 100644
--- a/cyral/internal/repository/confanalysis/resource_test.go
+++ b/cyral/internal/repository/confanalysis/resource_test.go
@@ -136,6 +136,8 @@ func testAccRepoConfAnalysisCheck_DefaultValues() resource.TestCheckFunc {
 "disable_pre_configured_alerts", "false"),
 resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 "enable_data_masking", "false"),
+ resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
+ "mask_all_occurrences", "false"),
 resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 "log_groups.#", "0"),
 resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
diff --git a/docs/resources/repository_conf_analysis.md b/docs/resources/repository_conf_analysis.md
old mode 100644
new mode 100755
index 44086546..31288005
--- a/docs/resources/repository_conf_analysis.md
+++ b/docs/resources/repository_conf_analysis.md
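Review bot: `RequiredWith: []string{"enable_data_masking"}` on `mask_all_occurrences` does not enforce what the description promises ("It is required to set `enable_data_masking=true`"). As far as I know, the SDK's RequiredWith only checks that the other attribute is present in the configuration, not that it is `true`, so `enable_data_masking = false` with `mask_all_occurrences = true` would pass validation. An operator could then believe filter-condition masking is active while masking is off altogether, unless the API rejects the pair, which this diff does not show. Consider rejecting the combination explicitly, for example in ReadFromSchema with `if r.MaskAllOccurrences && !r.EnableDataMasking { return fmt.Errorf("mask_all_occurrences requires enable_data_masking = true") }` (assuming `fmt` is imported in model.go), or with a CustomizeDiff check on the resource.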
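Review bot: Only the default value (`"false"`) of `mask_all_occurrences` is asserted here, and this is the only hunk touching resource_test.go, so the commit adds no coverage for the enabled path. Add a step that applies `mask_all_occurrences = true` together with `enable_data_masking = true` and checks the attribute reads back as `"true"`. If the flag is meant to be rejected without data masking, add a negative step using `ExpectError` for that combination. The check function's body starts and ends outside the hunk.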
@@ -23,6 +23,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
 disable_filter_analysis = false
 enable_dataset_rewrites = true
 enable_data_masking = true
+ mask_all_occurrences = true
 comment_annotation_groups = [ "identity" ]
 log_groups = [ "everything" ]
 }
@@ -37,6 +38,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
 disable_filter_analysis = true
 enable_dataset_rewrites = false
 enable_data_masking = false
+ mask_all_occurrences = false
 comment_annotation_groups = []
 log_groups = []
 }
@@ -79,6 +81,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
 - `error` - Log analysis errors.
 - `new-connections` - Log new connections.
 - `closed-connections` - Log closed connections.
+- `mask_all_occurrences` (Boolean) If set to `true` it will also mask filtering conditions like in `WHERE`, `HAVING` or `ON` clauses. **Note**: Enabling this may cause some performance degradation on large tables. It is required to set `enable_data_masking=true` to use this feature.
 - `redact` (String) Valid values are: `all`, `none` and `watched`. If set to `all` it will enable the redact of all literal values, `none` will disable it, and `watched` will only redact values from tracked fields set in the Datamap.

 ### Read-Only
diff --git a/examples/resources/cyral_repository_conf_analysis/resource.tf b/examples/resources/cyral_repository_conf_analysis/resource.tf
index a27248b3..7f10bbe4 100644
--- a/examples/resources/cyral_repository_conf_analysis/resource.tf
+++ b/examples/resources/cyral_repository_conf_analysis/resource.tf
@@ -9,6 +9,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
 disable_filter_analysis = false
 enable_dataset_rewrites = true
 enable_data_masking = true
+ mask_all_occurrences = true
 comment_annotation_groups = [ "identity" ]
 log_groups = [ "everything" ]
 }
@@ -23,6 +24,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
 disable_filter_analysis = true
 enable_dataset_rewrites = false
 enable_data_masking = false
+ mask_all_occurrences = false
 comment_annotation_groups = []
 log_groups = []
 }