From 06f41b7ad2eb39978bd007228c816be884f35fe9 Mon Sep 17 00:00:00 2001
From: Junio Cezar
Date: Mon, 25 Nov 2024 14:47:57 -0300
Subject: [PATCH 1/5] ENG-14573: Add knowledge of mask_all_occurrences config field

---
 cyral/internal/repository/confanalysis/model.go | 3 +++
 cyral/internal/repository/confanalysis/resource.go | 10 ++++++++++
 .../internal/repository/confanalysis/resource_test.go | 2 ++
 docs/resources/repository_conf_analysis.md | 2 ++
 4 files changed, 17 insertions(+)

diff --git a/cyral/internal/repository/confanalysis/model.go b/cyral/internal/repository/confanalysis/model.go
index e304c76a..23fe6204 100644
--- a/cyral/internal/repository/confanalysis/model.go
+++ b/cyral/internal/repository/confanalysis/model.go
@@ -20,6 +20,7 @@ type UserConfig struct {
 	DisableFilterAnalysis bool `json:"disableFilterAnalysis"`
 	DisablePreConfiguredAlerts bool `json:"disablePreConfiguredAlerts"`
 	EnableDataMasking bool `json:"enableDataMasking"`
+	MaskAllOccurrences bool `json:"maskAllOccurrences"`
 	LogGroups []string `json:"logGroups,omitempty"`
 	Redact string `json:"redact"`
 	EnableDatasetRewrites bool `json:"enableDatasetRewrites"`
@@ -49,6 +50,7 @@ func (r *UserConfig) WriteToSchema(d *schema.ResourceData) error {
 	d.Set("disable_filter_analysis", r.DisableFilterAnalysis)
 	d.Set("disable_pre_configured_alerts", r.DisablePreConfiguredAlerts)
 	d.Set("enable_data_masking", r.EnableDataMasking)
+	d.Set("mask_all_occurrences", r.MaskAllOccurrences)
 	d.Set("log_groups", logGroupsSet)
 	d.Set("redact", r.Redact)
 	d.Set("enable_dataset_rewrites", r.EnableDatasetRewrites)
@@ -80,6 +82,7 @@ func (r *UserConfig) ReadFromSchema(d *schema.ResourceData) error {
 	r.DisableFilterAnalysis = d.Get("disable_filter_analysis").(bool)
 	r.DisablePreConfiguredAlerts = d.Get("disable_pre_configured_alerts").(bool)
 	r.EnableDataMasking = d.Get("enable_data_masking").(bool)
+	r.MaskAllOccurrences = d.Get("mask_all_occurrences").(bool)
 	r.CommentAnnotationGroups = annotationGroups
 	r.LogGroups = logGroups
 	r.Redact = d.Get("redact").(string)
diff --git a/cyral/internal/repository/confanalysis/resource.go b/cyral/internal/repository/confanalysis/resource.go
index 044497a3..e1dc3c23 100644
--- a/cyral/internal/repository/confanalysis/resource.go
+++ b/cyral/internal/repository/confanalysis/resource.go
@@ -121,6 +121,16 @@ func repositoryConfAnalysisResourceSchemaV0() *schema.Resource {
 				Type: schema.TypeBool,
 				Optional: true,
 			},
+			"mask_all_occurrences": {
+				Description: "If disabled (default behavior), masking is applicable to all returned values, " +
+					"ensuring users do not get any unmasked data, as defined by policies. (assuming enable_data_masking=true)" +
+					"When enabled, this flag also instructs sidecars that masking should be applied to all " +
+					"occurrences of the sensitive elements covered by masking policies, e.g occurrences in " +
+					"WHERE, HAVING or ON clauses. Enabling this may cause some performance degradation " +
+					"on large tables.",
+				Type: schema.TypeBool,
+				Optional: true,
+			},
 			"block_on_violation": {
 				Description: "If set to `true` it will enable query blocking in case of a " +
 					"policy violation.",
diff --git a/cyral/internal/repository/confanalysis/resource_test.go b/cyral/internal/repository/confanalysis/resource_test.go
index c1e4a668..53049de6 100644
--- a/cyral/internal/repository/confanalysis/resource_test.go
+++ b/cyral/internal/repository/confanalysis/resource_test.go
@@ -136,6 +136,8 @@ func testAccRepoConfAnalysisCheck_DefaultValues() resource.TestCheckFunc {
 			"disable_pre_configured_alerts", "false"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"enable_data_masking", "false"),
+		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
+			"mask_all_occurrences", "false"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"log_groups.#", "0"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
diff --git a/docs/resources/repository_conf_analysis.md b/docs/resources/repository_conf_analysis.md
index 44086546..2dcf8385 100644
--- a/docs/resources/repository_conf_analysis.md
+++ b/docs/resources/repository_conf_analysis.md
@@ -23,6 +23,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
   disable_filter_analysis = false
   enable_dataset_rewrites = true
   enable_data_masking = true
+  mask_all_occurrences = true
   comment_annotation_groups = [ "identity" ]
   log_groups = [ "everything" ]
 }
@@ -37,6 +38,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   disable_filter_analysis = true
   enable_dataset_rewrites = false
   enable_data_masking = false
+  mask_all_occurrences = false
   comment_annotation_groups = []
   log_groups = []
 }

From 668a329ebd9485a04904e4e769dcf69493900fc4 Mon Sep 17 00:00:00 2001
From: Junio Cezar
Date: Tue, 26 Nov 2024 11:55:19 -0300
Subject: [PATCH 2/5] Update cyral/internal/repository/confanalysis/resource.go

Co-authored-by: Wilson de Carvalho <796900+wcmjunior@users.noreply.github.com>
---
 cyral/internal/repository/confanalysis/resource.go | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/cyral/internal/repository/confanalysis/resource.go b/cyral/internal/repository/confanalysis/resource.go
index e1dc3c23..ea117feb 100644
--- a/cyral/internal/repository/confanalysis/resource.go
+++ b/cyral/internal/repository/confanalysis/resource.go
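Review bot: The only assertion added for the new attribute is the default check `"mask_all_occurrences", "false"` in testAccRepoConfAnalysisCheck_DefaultValues; nothing in this patch or in the rest of the series exercises `mask_all_occurrences = true`, even though the docs example all_conf_analysis_enabled sets it. If the test file has a counterpart check for the enabled configuration (the function name suggests one), it should get `resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis", "mask_all_occurrences", "true")`, and the `RequiredWith` constraint that patch 2/5 adds to the schema also has no test showing that `mask_all_occurrences = true` without `enable_data_masking` is rejected. The body of testAccRepoConfAnalysisCheck_DefaultValues continues outside the hunk.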
@@ -130,6 +130,8 @@ func repositoryConfAnalysisResourceSchemaV0() *schema.Resource {
 					"on large tables.",
 				Type: schema.TypeBool,
 				Optional: true,
+				Default: false,
+				RequiredWith: []string{"enable_data_masking"}
 			},
 			"block_on_violation": {
 				Description: "If set to `true` it will enable query blocking in case of a " +

From dcf073287f880546729a72a1a3ba6f6c49347f2d Mon Sep 17 00:00:00 2001
From: Junio Cezar
Date: Tue, 26 Nov 2024 11:56:38 -0300
Subject: [PATCH 3/5] Update cyral/internal/repository/confanalysis/resource.go

Co-authored-by: Wilson de Carvalho <796900+wcmjunior@users.noreply.github.com>
---
 cyral/internal/repository/confanalysis/resource.go | 10 ++++------
 1 file changed, 4 insertions(+), 6 deletions(-)

diff --git a/cyral/internal/repository/confanalysis/resource.go b/cyral/internal/repository/confanalysis/resource.go
index ea117feb..5542818f 100644
--- a/cyral/internal/repository/confanalysis/resource.go
+++ b/cyral/internal/repository/confanalysis/resource.go
@@ -122,12 +122,10 @@ func repositoryConfAnalysisResourceSchemaV0() *schema.Resource {
 				Optional: true,
 			},
 			"mask_all_occurrences": {
-				Description: "If disabled (default behavior), masking is applicable to all returned values, " +
-					"ensuring users do not get any unmasked data, as defined by policies. (assuming enable_data_masking=true)" +
-					"When enabled, this flag also instructs sidecars that masking should be applied to all " +
-					"occurrences of the sensitive elements covered by masking policies, e.g occurrences in " +
-					"WHERE, HAVING or ON clauses. Enabling this may cause some performance degradation " +
-					"on large tables.",
+				Description: "If set to `true` it will also mask filtering conditions like in" +
+					" `WHERE`, `HAVING` or `ON` clauses. **Note**: Enabling this may cause some" +
+					" performance degradation on large tables. It is required to set" +
+					" `enable_data_masking=true` to use this feature."
 				Type: schema.TypeBool,
 				Optional: true,
 				Default: false,
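Review bot: `RequiredWith: []string{"enable_data_masking"}` does not enforce what the attribute description (as rewritten in patch 3/5) promises, because the SDK's RequiredWith only checks that the listed attribute is present in the configuration, not its value: `mask_all_occurrences = true` together with `enable_data_masking = false` passes schema validation and is read into UserConfig.MaskAllOccurrences by ReadFromSchema in model.go unchanged. Whether the API rejects that combination is not visible here; if it does not, the plan reports the masking extension as enabled while it has no effect, which is the wrong failure mode for a data-masking control. A CustomizeDiff on the resource that returns an error when `mask_all_occurrences` is true and `enable_data_masking` is false would enforce the documented requirement (the resource definition is outside the hunk). The missing trailing comma on the RequiredWith line is a compile error here that patch 4/5 already corrects, and the RequiredWith semantics point above applies equally to the final form of the block in that patch.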
From 5047ae446d45645f462c31803b5425664e27581d Mon Sep 17 00:00:00 2001
From: Junio Cezar
Date: Tue, 26 Nov 2024 12:12:30 -0300
Subject: [PATCH 4/5] Fix invalid code

---
 cyral/internal/repository/confanalysis/resource.go | 10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

diff --git a/cyral/internal/repository/confanalysis/resource.go b/cyral/internal/repository/confanalysis/resource.go
index 5542818f..9e7ffee0 100644
--- a/cyral/internal/repository/confanalysis/resource.go
+++ b/cyral/internal/repository/confanalysis/resource.go
@@ -125,11 +125,11 @@ func repositoryConfAnalysisResourceSchemaV0() *schema.Resource {
 				Description: "If set to `true` it will also mask filtering conditions like in" +
 					" `WHERE`, `HAVING` or `ON` clauses. **Note**: Enabling this may cause some" +
 					" performance degradation on large tables. It is required to set" +
-					" `enable_data_masking=true` to use this feature."
-				Type: schema.TypeBool,
-				Optional: true,
-				Default: false,
-				RequiredWith: []string{"enable_data_masking"}
+					" `enable_data_masking=true` to use this feature.",
+				Type: schema.TypeBool,
+				Optional: true,
+				Default: false,
+				RequiredWith: []string{"enable_data_masking"},
 			},
 			"block_on_violation": {
 				Description: "If set to `true` it will enable query blocking in case of a " +

From 8b75e8e62d8a88eb739057e822326c177e1ad801 Mon Sep 17 00:00:00 2001
From: Junio Cezar
Date: Tue, 26 Nov 2024 12:20:49 -0300
Subject: [PATCH 5/5] run make docker-compose/docs and pre-commit

---
 docs/resources/repository_conf_analysis.md | 1 +
 examples/resources/cyral_repository_conf_analysis/resource.tf | 2 ++
 2 files changed, 3 insertions(+)
 mode change 100644 => 100755 docs/resources/repository_conf_analysis.md

diff --git a/docs/resources/repository_conf_analysis.md b/docs/resources/repository_conf_analysis.md
old mode 100644
new mode 100755
index 2dcf8385..31288005
--- a/docs/resources/repository_conf_analysis.md
+++ b/docs/resources/repository_conf_analysis.md
@@ -81,6 +81,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   - `error` - Log analysis errors.
   - `new-connections` - Log new connections.
   - `closed-connections` - Log closed connections.
+- `mask_all_occurrences` (Boolean) If set to `true` it will also mask filtering conditions like in `WHERE`, `HAVING` or `ON` clauses. **Note**: Enabling this may cause some performance degradation on large tables. It is required to set `enable_data_masking=true` to use this feature.
 - `redact` (String) Valid values are: `all`, `none` and `watched`. If set to `all` it will enable the redact of all literal values, `none` will disable it, and `watched` will only redact values from tracked fields set in the Datamap.
 
 ### Read-Only
diff --git a/examples/resources/cyral_repository_conf_analysis/resource.tf b/examples/resources/cyral_repository_conf_analysis/resource.tf
index a27248b3..7f10bbe4 100644
--- a/examples/resources/cyral_repository_conf_analysis/resource.tf
+++ b/examples/resources/cyral_repository_conf_analysis/resource.tf
@@ -9,6 +9,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
   disable_filter_analysis = false
   enable_dataset_rewrites = true
   enable_data_masking = true
+  mask_all_occurrences = true
   comment_annotation_groups = [ "identity" ]
   log_groups = [ "everything" ]
 }
@@ -23,6 +24,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   disable_filter_analysis = true
   enable_dataset_rewrites = false
   enable_data_masking = false
+  mask_all_occurrences = false
   comment_annotation_groups = []
   log_groups = []
 }