terraform-provider-aquasec's Introduction

Aquasec Provider for Terraform

This is the Aquasec provider for Terraform.

The provider lets you declaratively define the configuration for your Aqua Enterprise platform.

Contents

Requirements

Using the Aquasec provider

To quickly get started using the Aquasec provider for Terraform, configure the provider as shown below. Full provider documentation with details on all options available is located on the Terraform Registry site.

terraform {
  required_providers {
    aquasec = {
      version = "0.8.27"
      source  = "aquasecurity/aquasec"
    }
  }
}

provider "aquasec" {
  username = "IaC"
  aqua_url = "https://aquaurl.com"
  password = "@password"
}

Using the Aquasec provider SaaS solution

To quickly get started using the Aquasec SaaS provider for Terraform, configure the provider as shown above. For Aqua customers the aqua_url should point to cloud.aquasec.com; Dev/QA teams need to provide their own URLs.

NOTE: SaaS authentication is supported from version 0.8.4+

Contributing

The Aqua Provider for Terraform is the work of many contributors. We appreciate your help!

To contribute, please read the contribution guidelines. You may also report an issue. Once you've filed an issue.


terraform-provider-aquasec's Issues

Terraform Stores Resources In State When Resource Creation Fails

The Problem

In the existing codebase, when a resource fails to create, the Terraform provider registers the resource in the terraform state.

Scenario Breakdown

The problem that occurs is as follows:

  • user incorrectly specifies options for a Terraform resource
  • Terraform executes provider logic, fails to create resource and stores resource ID in terraform state
  • user fixes terraform, re-runs it and it fails

The terraform fails on the second run because the state claims a resource exists with the given ID. The issue is, though, the resource never got created on the first run. So the AquaSec API is queried, the resource is not found, and an error is returned.

Fix Proposal

To fix this issue, in all resources created, extend the error handling. In addition to bubbling up the error, the provider should only add the resource to the terraform state when the resource is successfully created. At this point, it is easiest to assume the API provided by AquaSec is idempotent. That means we can treat all resources the same.

Go into each resource that the Terraform creates and add additional logic to only add resources that successfully create to the terraform state. This prevents the error from impacting terraform users.

Example

In resource_registry.go:

err := ac.CreateRegistry(registry)
if err != nil {
    return err
}

d.SetId(d.Get("name").(string))

This should be modified to something more like:
err := ac.CreateRegistry(registry)
if err != nil {
    return err
} else {
    d.SetId(d.Get("name").(string))
}

Based on our assumption about the API's idempotency, a similar change should be implemented for all resources this provider supports. We must revisit the assumption later on, assuring that any APIs that violate that assumption and could produce partial state have more sophisticated logic.

Change properties to optional / add missing properties

Please change the below attributes in code for the aquasec_group_creation resource:

  1. logical_name, gateways ==> make it optional instead of required values, should be able to pass as terraform vars.

  2. container_activity_protection, network_protection ==> make it as an optional value instead of mandatory value

  3. runtime_type, enforcer_image, syscall_enabled, sync_host_images, risk_explorer_auto_discovery ==> these values should be added and should be optional

  4. Add an attribute for forcefully removing the enforcers before deletion of the aqua group.

Support for Notification Feed

Support Create/Update/Delete of Notification Feed (Administration -> Integrations -> Notification Feed)

  • Slack
  • PagerDuty

API Version Hard-coded in Client

The API version used for the various calls in the client package is hard-coded. The version is inconsistent between some of the calls, such as between the firewall rules and enforcer orchestration calls.

Proposal: If the API version should be consistent for all issued calls, pass in a version parameter to the Client struct. If they differ per endpoint due to functionality of the product, pass in versions for each relevant product functionality to the Client struct.

This will decouple the API version from the provider logic, allowing good defaults and supporting customers in the future who may require calling different API versions.

Remove "unused" Parameters

Some of the providers have required fields that only accept one value.

i.e. in the Slack integration, "name" is a field but can only have the value "Slack".

Can we add that field to the provider logic to minimize confusion about which fields need configured values?

Terraform provider with SSO enabled

Hi there,

Is it possible to use this terraform provider having Google SSO? I can't provide user/password when SSO is enabled.

Could anyone help me, please?

Thanks!

Enforcer Group CRUD

Create provider for Enforcer Group:

a. Support CRUD for Enforcer Group.
b. Ability to attach Enforcer to Enforcer Group

Enforcer Group import functionality is broken

It is not currently possible to import existing aquasec_enforcer_groups resources. Attempting to use terraform import results in the attempted lookup of a <nil> enforcer group.

Terraform Version

v1.0.11

Affected Resource(s)

  • aquasec_enforcer_groups

Expected Behavior

The terraform import command should enable an existing aquasec_enforcer_groups resource to be imported to the state.

Actual Behavior

The provider passes a <nil> value to the API when calling ac.GetEnforcerGroup. As a result, no Enforcer Group is found and the import fails.

Steps to Reproduce

  1. Manually create an Enforcer Group via the Aqua Console UI
  2. Create a corresponding Terraform resource config
  3. Run terraform import aquasec_enforcer_groups.<resource_id> "<group_id>"
  4. Notice that the import fails

Root Cause

In the function resourceEnforcerGroupRead (in the file aquasec/resource_enforcer_group.go), the provider is attempting to fetch the name of the Enforcer Group via the following line of code:

name := d.Get("group_id").(string)

Although this works fine when the function resourceEnforcerGroupRead is used to look up the group_id when reading the resource configuration for an existing resource, or when creating a new resource, it results in <nil> when used in the context of a resource import. This is because the terraform-plugin-sdk package's Importer.State method does not access the local resource configuration; rather, it is provided an empty resource configuration containing only the specified id string (ref: https://github.com/hashicorp/terraform-plugin-sdk/blob/v2.14.0/helper/schema/provider.go#L374-L375).

Therefore, any attempt to execute the command terraform import aquasec_enforcer_groups.<resource_id> "<group_id>" results in the following error:

$ terraform import aquasec_enforcer_groups.demo1 demo1
[INFO]  Terraform version: 1.0.11
[INFO]  Go runtime version: go1.16.4
[INFO]  CLI args: []string{"/usr/local/bin/terraform", "import", "aquasec_enforcer_groups.demo1", "demo1"}
[INFO]  CLI command args: []string{"import", "aquasec_enforcer_groups.demo1", "demo1"}
...
[INFO]  provider.terraform-provider-aquasec_v0.8.9: 2022/04/22 10:54:46
[ERROR]  error calling ac.GetEnforcerGroup: <nil>: timestamp=2022-04-22T10:54:46.306+0300
╷
│ Error: enforcer group not found:

This error message is thrown by the following line of code (which immediately follows the line where name is set):

r, err := ac.GetEnforcerGroup(name)

Since the group_id key does not exist in the (mostly empty) resource configuration provided to the Importer.State method, the variable name gets set to <nil>; therefore, the call to GetEnforcerGroup returns no result, since an Enforcer Group with a <nil> name does not exist.

Proposed Solution

Retrieving the resource's ID value during a terraform import execution can be accomplished via the terraform-plugin-sdk package's method d.Id(). Unfortunately, this method call can't simply be used as a "drop in" replacement for d.Get("group_id").(string), because in the case of the creation of a new resource, the method d.Id() returns <nil> (since the method would be looking for the resource's ID in the state, which wouldn't exist yet). Therefore, it is necessary to set the value of name conditionally, depending on whether or not the key group_id exists in the resource configuration being processed:

var name string

groupId, ok := d.GetOk("group_id")

if ok {
    name = groupId.(string)
} else {
    name = d.Id()
}

The result is that:

  • In the context of a "standard" terraform apply execution on an existing resource, or during the creation of a new resource, the d.GetOk("group_id") method returns the resource ID from the local resource configuration.
  • In the context of a resource import, the d.Id() method returns the proper id string representing the Enforcer Group Name, which is provided via the terraform import aquasec_enforcer_groups.<resource_id> "<group_id>" command (via the passed group_id value).

Notification CRUD

Create provider for notification integration (Slack). Should include the following:

a. Channel Name
b. Token
c. User Name

login structure not suitable for USE env

Hi,
the login module structure is not aligned to the USE login; it still uses the CSP direct login:

provider "aquasec" {
  username = "[email protected]"
  aqua_url = "https://AQUA_SERVER"
  password = ""
}

For the new SaaS there is a different procedure, with a different structure (/v2/signin) which cannot be changed.

Error creating image assurance policy maximum_score

Hi there,

there seems to be a conversion error when using maximum_score?
https://github.com/aquasecurity/terraform-provider-aquasec/blob/main/aquasec/resource_image_assurance_policy.go#L869

terraform {
  required_version = ">= 0.13.7, < 2.0"
  required_providers {
    aquasec = {
      source  = "aquasecurity/aquasec"
      version = "0.8.5"
    }
  }
}

resource "aquasec_image_assurance_policy" "this" {
  application_scopes    = ["Global"]
  assurance_type        = "image"
  auto_scan_enabled     = true
  audit_on_failure      = true
  description           = "tf test image assurance CVE score greater then 8"
  name                  = "tf_test_image_assurance_CVE_score_greater_then_8"
  block_failed          = true
  fail_cicd             = true
  enabled               = true
  enforce               = true
  //maximum_score         = 8.0
  maximum_score         = 8
  maximum_score_enabled = true
  // custom_severity_enabled = true
  // cvss_severity           = "critical"
}
Error: rpc error: code = Unavailable desc = transport is closing


panic: interface conversion: interface {} is int, not float64
2022-02-14T14:07:40.935+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: 
2022-02-14T14:07:40.935+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: goroutine 27 [running]:
2022-02-14T14:07:40.935+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: github.com/aquasecurity/terraform-provider-aquasec/aquasec.expandImageAssurancePolicy(0xc0000f6e00, 0xc0006152d0)
2022-02-14T14:07:40.935+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  github.com/aquasecurity/terraform-provider-aquasec/aquasec/resource_image_assurance_policy.go:869 +0x4db3
2022-02-14T14:07:40.935+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: github.com/aquasecurity/terraform-provider-aquasec/aquasec.resourceImageAssurancePolicyUpdate(0xc0000f6e00, 0xc9b1a0, 0xc0006d0240, 0x0, 0xffffffffffffffff)
2022-02-14T14:07:40.935+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  github.com/aquasecurity/terraform-provider-aquasec/aquasec/resource_image_assurance_policy.go:610 +0x10f
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).update(0xc000333980, 0xda5358, 0xc0001a0340, 0xc0000f6e00, 0xc9b1a0, 0xc0006d0240, 0x0, 0x0, 0x0)
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:302 +0x88
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc000333980, 0xda5358, 0xc0001a0340, 0xc0001b6690, 0xc0007166c0, 0xc9b1a0, 0xc0006d0240, 0x0, 0x0, 0x0, ...)
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:404 +0x390
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc00030a0f0, 0xda5358, 0xc0001a0340, 0xc000318af0, 0xc0001a0340, 0xc6d9a0, 0xc00049e100)
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:955 +0x8ef
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: github.com/hashicorp/terraform-plugin-go/tfprotov5/server.(*server).ApplyResourceChange(0xc000568040, 0xda5400, 0xc0001a0340, 0xc0005f6070, 0xc000568040, 0xc00049e1b0, 0xc0004adba0)
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  github.com/hashicorp/[email protected]/tfprotov5/server/server.go:332 +0xb5
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler(0xc6d9a0, 0xc000568040, 0xda5400, 0xc00049e1b0, 0xc0002e8120, 0x0, 0xda5400, 0xc00049e1b0, 0xc00011b500, 0x13c9)
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:380 +0x214
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: google.golang.org/grpc.(*Server).processUnaryRPC(0xc0003301c0, 0xdac958, 0xc0004c2900, 0xc0004a4000, 0xc000171620, 0x11b2c60, 0x0, 0x0, 0x0)
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  google.golang.org/[email protected]/server.go:1194 +0x52b
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: google.golang.org/grpc.(*Server).handleStream(0xc0003301c0, 0xdac958, 0xc0004c2900, 0xc0004a4000, 0x0)
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  google.golang.org/[email protected]/server.go:1517 +0xd0c
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: google.golang.org/grpc.(*Server).serveStreams.func1.2(0xc00028a1e0, 0xc0003301c0, 0xdac958, 0xc0004c2900, 0xc0004a4000)
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  google.golang.org/[email protected]/server.go:859 +0xab
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5: created by google.golang.org/grpc.(*Server).serveStreams.func1
2022-02-14T14:07:40.936+0100 [DEBUG] plugin.terraform-provider-aquasec_v0.8.5:  google.golang.org/[email protected]/server.go:857 +0x1fd
2022-02-14T14:07:40.938+0100 [WARN]  plugin.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-02-14T14:07:40.938+0100 [DEBUG] plugin: plugin process exited: path=.terraform/plugins/registry.terraform.io/aquasecurity/aquasec/0.8.5/linux_amd64/terraform-provider-aquasec_v0.8.5 pid=2306 error="exit status 2"
2022/02/14 14:07:40 [DEBUG] aquasec_image_assurance_policy.this: apply errored, but we're indicating that via the Error pointer rather than returning it: rpc error: code = Unavailable desc = transport is closing

Thank you
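As an added illustration of the crash above (example code, not the provider's own): the provider unwraps maximum_score with a bare float64 type assertion, so an int handed over by the SDK becomes a Go panic that kills the plugin process, which is what Terraform then reports as "transport is closing". The helper below accepts whichever numeric kind arrives and returns a diagnostic error instead; the 0..10 range is an assumption (the CVSS scale), and the durable fix remains aligning the schema type with the assertion.

```go
package main

import "fmt"

// scoreFromState mirrors the failing call site. The provider did
// d.Get("maximum_score").(float64); when the SDK hands back an int that
// assertion panics and the plugin process exits. This version accepts the
// numeric kinds the SDK can deliver and reports an error instead.
func scoreFromState(v interface{}) (float64, error) {
	switch n := v.(type) {
	case nil:
		return 0, nil // attribute absent: keep the zero value
	case float64:
		return n, nil
	case float32:
		return float64(n), nil
	case int:
		return float64(n), nil
	case int64:
		return float64(n), nil
	default:
		return 0, fmt.Errorf("maximum_score: unsupported type %T", v)
	}
}

// validateScore adds the range check a schema ValidateFunc would perform
// (assumed range: the 0..10 CVSS scale).
func validateScore(v interface{}) (float64, error) {
	s, err := scoreFromState(v)
	if err != nil {
		return 0, err
	}
	if s < 0 || s > 10 {
		return 0, fmt.Errorf("maximum_score %v is outside the CVSS range 0..10", s)
	}
	return s, nil
}

func main() {
	// Constructed inputs: the int and float forms from the issue, plus two bad values.
	for _, in := range []interface{}{8, 8.0, "8", 11} {
		s, err := validateScore(in)
		fmt.Printf("%T %v -> %v, %v\n", in, in, s, err)
	}
}
```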

`InsecureTLSVerify` hard-coded to `true`, exposing MITM risk

The client is subject to man-in-the-middle certificate spoofing, as the TLS checking is hard-coded as disabled here.

Consider driving this option via environment variable such as AQUA_TLS_VERIFY=0, defaulting the option to true and enabling TLS verification by default.

Resource 'aquasec_enforcer_groups' is not setting parameter 'host_network_protection'

Hi there,

The resource aquasec_enforcer_groups is not setting all parameters properly.
If one sets the following parameters for an enforcer group of type 'agent':

  host_assurance = true
  host_protection = true
  host_network_protection = true
  host_user_protection = false
  antivirus_protection = false

and performs terraform apply, the command succeeds, but the host_network_protection parameter is not set correctly.

The GUI would show the following values:

(screenshot of the GUI values omitted)

Further evidence that something is wrong is that whenever one runs terraform plan, even without making any changes to the code, it will always show the following pending changes:

Terraform will perform the following actions:

  # aquasec_enforcer_groups.group-name will be updated in-place
  ~ resource "aquasec_enforcer_groups" "group-name" {
      ~ container_activity_protection                  = false -> true
      ~ host_network_protection                        = false -> true
      ~ host_protection                                = false -> true
        id                                             = "..."
      + logical_name                                   = "..."
        # (46 unchanged attributes hidden)

        # (1 unchanged block hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

terraform plan always shows pending changes because the provider is simply not able to update some of the fields according to the code, therefore there is always a discrepancy between the terraform code and what comes from the Aqua API.

Terraform Version

% terraform -v
Terraform v1.1.5
on darwin_arm64
+ provider registry.terraform.io/aquasecurity/aquasec v0.8.9

Affected Resource(s)

Please list the resources as a list, for example:

  • aquasec_enforcer_groups

Remove unused Enforcer Group fields causing potential confusion

The EnforcerGroup struct (in the file client/enforcers.go) defines the request and response format for an Enforcer Group (via the hostsbatch API call to the Aqua Server). Currently, this struct includes the following line of code:

NetworkActivityProtection                 bool                 `json:"network_activity_protection"` 

However, a call to the hostsbatch API does not actually return any JSON result for the key network_activity_protection. Since this unused field is very similar to network_protection and host_network_protection (both of which are used), this can lead to confusion.

To reduce the likelihood of misuse/confusion, all references to NetworkActivityProtection and network_activity_protection should be removed from Enforcer Group-related type definitions and functions.

Similarly, there is an unnecessary inclusion of hostname in the schema.Resource object returned by the function resourceEnforcerGroup (in the file aquasec/resource_enforcer_group.go), which should also be removed.

aquasec_enforcer_groups fails to create enforcer group of type 'kube-enforcer'

Hi all, I have tried to create an enforcer group of type kube-enforcer with the code below. However the provider fails with the following error:

Error: {"message":"Currently container runtime is not supported, supported container runtime is only docker for kube enforcer","code":400}

As can be seen in the code, I am not even trying to set the 'container runtime' parameter. Maybe this parameter is hardcoded somewhere?

resource "aquasec_enforcer_groups" "kube-enforcer-group" {
  group_id = "kube-enforcer-group"
  type = "kube_enforcer"
  orchestrator {
    type = "kubernetes"
    master = false
    namespace = "aqua"
  }
  logical_name = "kube-enforcer-group"
  gateways = [ "aqua-gateway-csp" ]

  micro_enforcer_image_name = "registry.aquasec.com/microenforcer:6.5.22093"
  kube_bench_image_name = "aquasec/kube-bench:0.6.3"
  auto_copy_secrets = false
  micro_enforcer_secrets_name = "aqua-registry"

  enforce = false
  admission_control = true
  block_admission_control = false
  micro_enforcer_injection = false
  auto_discovery_enabled = true
  auto_scan_discovered_images_running_containers = true
  auto_discover_configure_registries = true
}

Terraform Version

terraform -v
Terraform v1.1.5
on darwin_arm64
+ provider registry.terraform.io/aquasecurity/aquasec v0.8.10

Affected Resource(s)

  • aquasec_enforcer_groups

Mutual TLS issues - fails to fetch token

When declaring the provider "aquasec" with an aqua_url that resolves to an https URI whose server certificate is self-signed, the server certificate used does not have a SAN for the requested URI, as the error shows.

terraform plan goes like this

2021-07-16T15:37:18.809+0100 [INFO] Terraform version: 1.0.1
2021-07-16T15:37:18.809+0100 [INFO] Go runtime version: go1.16.5
2021-07-16T15:37:18.809+0100 [INFO] CLI args: []string{"/usr/local/bin/terraform", "plan"}
2021-07-16T15:37:18.810+0100 [WARN] local provider path "/Users/daniel/.terraform.d/plugins/0.8.1/darwin_amd64/terraform-provider-aquasec_v0.8.1" contains invalid namespace "darwin_amd64"; ignoring
2021-07-16T15:37:18.811+0100 [INFO] CLI command args: []string{"plan"}
2021-07-16T15:37:18.853+0100 [INFO] Failed to read plugin lock file .terraform/plugins/darwin_amd64/lock.json: open .terraform/plugins/darwin_amd64/lock.json: no such file or directory
2021-07-16T15:37:18.853+0100 [INFO] backend/local: starting Plan operation
2021-07-16T15:37:18.855+0100 [INFO] provider: configuring client automatic mTLS
2021-07-16T15:37:18.898+0100 [INFO] provider.terraform-provider-aquasec_v0.8.1: configuring server automatic mTLS: timestamp=2021-07-16T15:37:18.898+0100
2021-07-16T15:37:18.973+0100 [INFO] terraform: building graph: GraphTypeValidate
2021-07-16T15:37:18.977+0100 [INFO] provider: configuring client automatic mTLS
2021-07-16T15:37:19.020+0100 [INFO] provider.terraform-provider-aquasec_v0.8.1: configuring server automatic mTLS: timestamp=2021-07-16T15:37:19.019+0100
2021-07-16T15:37:19.095+0100 [INFO] provider.terraform-provider-aquasec_v0.8.1: 2021/07/16 15:37:19 [WARN] Truncating attribute path of 0 diagnostics for TypeSet: timestamp=2021-07-16T15:37:19.095+0100
2021-07-16T15:37:19.098+0100 [INFO] backend/local: plan calling Plan
2021-07-16T15:37:19.098+0100 [INFO] terraform: building graph: GraphTypePlan
2021-07-16T15:37:19.100+0100 [INFO] provider: configuring client automatic mTLS
2021-07-16T15:37:19.143+0100 [INFO] provider.terraform-provider-aquasec_v0.8.1: configuring server automatic mTLS: timestamp=2021-07-16T15:37:19.143+0100
2021-07-16T15:37:19.216+0100 [WARN] ValidateProviderConfig from "provider["registry.terraform.io/aquasecurity/aquasec"]" changed the config value, but that value is unused
2021-07-16T15:37:19.390+0100 [INFO] backend/local: plan operation completed

│ Error: Unable to fetch token

│ with provider["registry.terraform.io/aquasecurity/aquasec"],
│ on main.tf line 16, in provider "aquasec":
│ 16: provider "aquasec" {

│ Post "https://xx.105.240.174/api/v1/login?abilities=1": x509: certificate is valid for 172.18.0.3, not xx.105.240.174

Is there a way to bypass the mutual TLS auth between the provider module and the URL, similar to curl -k https://fqdn-selfsigned-cert?

Version of terraform:

 $ terraform version
Terraform v1.0.1
on darwin_amd64
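The two TLS issues on this page (the hard-coded InsecureTLSVerify above and this self-signed console) have the same defender-side answer: keep verification on by default, let an operator add the private CA to the trust store, and make disabling verification an explicit, visible opt-out. The Go below is an added example rather than the provider's code; it assumes the AQUA_TLS_VERIFY variable name proposed in the earlier issue and constructs a throw-away lab CA plus a leaf certificate whose only SAN is 172.18.0.3, so it reproduces the "certificate is valid for 172.18.0.3, not ..." failure offline.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"net"
	"os"
	"strings"
	"time"
)

// Opt-out variable suggested in the issue (assumed name; not implemented by the provider).
const tlsVerifyEnv = "AQUA_TLS_VERIFY"

// verifyEnabled: unset, or anything but an explicit opt-out, keeps verification on.
func verifyEnabled(raw string) bool {
	switch strings.ToLower(strings.TrimSpace(raw)) {
	case "0", "false", "no", "off":
		return false
	}
	return true
}

// BuildTLSConfig builds the client's TLS settings. caPEM, when non-empty, is an extra
// trusted root (the private CA behind a self-signed console), so verification can stay on.
func BuildTLSConfig(verifyRaw string, caPEM []byte) (*tls.Config, error) {
	cfg := &tls.Config{MinVersion: tls.VersionTLS12}
	if !verifyEnabled(verifyRaw) {
		cfg.InsecureSkipVerify = true // reached only via an explicit operator opt-out
		return cfg, nil
	}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, errors.New("no valid CA certificate in supplied PEM")
		}
		cfg.RootCAs = pool
	}
	return cfg, nil
}

// issueCert constructs a lab CA and a server leaf whose only SAN is leafIP (constructed data).
func issueCert(leafIP string) (caPEM []byte, leaf *x509.Certificate, err error) {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	leafKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	now := time.Now()
	caTpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "lab-ca"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTpl, caTpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	caCert, _ := x509.ParseCertificate(caDER) // just created, so parsing cannot fail
	leafTpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "aqua-console"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IPAddresses: []net.IP{net.ParseIP(leafIP)},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leafDER, err := x509.CreateCertificate(rand.Reader, leafTpl, caCert, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, nil, err
	}
	leaf, err = x509.ParseCertificate(leafDER)
	caPEM = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: caDER})
	return caPEM, leaf, err
}

// VerifyServerCert applies the chain and name check crypto/tls performs for host, using
// the roots in cfg; it returns the x509 failure (for example a SAN mismatch) or nil.
func VerifyServerCert(cfg *tls.Config, leaf *x509.Certificate, host string) error {
	if cfg.InsecureSkipVerify {
		return nil // the hard-coded setting accepts any certificate, a spoofed one included
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: cfg.RootCAs, DNSName: host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}})
	return err
}

func main() {
	caPEM, leaf, err := issueCert("172.18.0.3")
	if err != nil {
		panic(err)
	}
	cfg, _ := BuildTLSConfig(os.Getenv(tlsVerifyEnv), caPEM)
	fmt.Println("via 172.18.0.3:", VerifyServerCert(cfg, leaf, "172.18.0.3"))
	fmt.Println("via 203.0.113.7:", VerifyServerCert(cfg, leaf, "203.0.113.7"))
}
```

Trusting the private CA only cures an unknown-authority error; the SAN mismatch in the log is fixed by reissuing the console certificate for the address clients actually use, not by skipping verification. The "automatic mTLS" lines in the log belong to the Terraform-to-plugin channel, not to the provider's connection to the Aqua console, which is ordinary server-certificate verification.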

Support Image Resource and Data

Support CRUD of an image.

Creating an image means adding it / scanning it.
Deleting an image means removing it.
Updating an image will rescan the image.
Retrieving an image will retrieve image information, including its vulnerabilities.

Support Create Role Mapping

Support Create/Update/Delete of Role Mapping object (Administration -> Integrations -> SSO Authentication)

No description for the parameters of the aquasec_enforcer_groups resource

On the documentation for the aquasec_enforcer_groups resource, there are no description for the parameters.

Although some of the parameters are obvious, some of them are not. For example, what does group_id mean?

It would be helpful to describe each of the parameters and ideally provide some examples of use.

Setting the Enforcer Group type does not work

Setting the type parameter for an Enforcer Group (via an aquasec_enforcer_groups resource) does not create the expected Enforcer Group type. Instead, regardless of what value is set for the type parameter, the resulting Enforcer Group is an "Aqua Enforcer" Enforcer Group.

Terraform Version

v1.0.11

Affected Resource(s)

  • aquasec_enforcer_groups

Expected Behavior

  • Setting the type parameter to host_enforcer should create a "VM Enforcer" Enforcer Group.
  • Setting the type parameter to kube_enforcer should create a "Kube Enforcer" Enforcer Group.
  • Setting the type parameter to micro_enforcer should create a "Micro Enforcer" Enforcer Group.
  • Setting the type parameter to nano_enforcer should create a "Nano Enforcer" Enforcer Group.

Actual Behavior

An "Aqua Enforcer" Enforcer Group is always created.

Root Cause

Although the type parameter is defined in the associated schema (in the file aquasec/resource_enforcer_group.go) as a Required field, and therefore must be specified in the Terraform resource configuration, the provided value is not actually included in the JSON that gets passed to the hostsbatch API; instead, the passed value of type is an empty string:

{"id":"demo1", "logicalname":"demo1", "type":"", ...}

This is because there is no mechanism in the expandEnforcerGroup function to set enforcerGroup.Type. As a result, any new Enforcer Group that gets created, regardless of the provided value of the type parameter, will automatically be an "Aqua Enforcer" Enforcer Group (with type="agent"), since that is apparently the Aqua Server's default. This is not only unexpected, but in the case of trying to create a different Enforcer Group type, can result in a permanent "diff" in the Terraform state.

Unable to set an Enforcer Group's 'host_os' value

Limitation

Currently, the parameter host_os cannot be set when creating an Enforcer Group (via an aquasec_enforcer_groups resource), since it is defined as a Computed parameter rather than an Optional parameter. When an Enforcer Group is created without a "Host OS" value having been specified, it defaults to Linux (allowed values, when creating via the UI, are Linux and Windows). The inability to explicitly set the parameter host_os in the configuration means that only Linux Enforcer Groups can currently be created via the provider.

Suggestion

It is possible to enable the ability to explicitly set the parameter host_os, while also accounting for the fact that it may be omitted from the configuration (and therefore receive a default value from the Aqua Server; no default needs to be set within the provider code). Per the terraform-plugin-sdk package, it is possible to set both Computed and Optional at the same time (ref: https://github.com/hashicorp/terraform-plugin-sdk/blob/v2.14.0/helper/schema/schema.go#L41-L43). The result is that the Optional value will be used (if provided), and if not provided, then a default value will be Computed by the Aqua Server instead (which is currently Linux). This behavior prevents the enablement of host_os-specification from being a breaking change.

The function resourceEnforcerGroupUpdate is already using the HasChanges method to check whether the parameter host_os has been changed. Also, the expandEnforcerGroup function already includes a code block that updates enforcerGroup.HostOs by executing d.GetOk("host_os"), so most of the functionality needed for allowing the parameter host_os to be set is already in place.

An important consideration when updating the host_os specification in the resourceEnforcerGroup Schema is to also specify ForceNew: true. This is necessary because Linux and Windows Enforcer Groups require a slightly different collection of inputs and generate fundamentally different outputs, so converting an existing resource from one "Host OS" type to another isn't possible; in order to reuse the same group_id for a resource that is switching "Host OS" type, the resource must be replaced.

Finally, to ensure that only valid "Host OS" values are accepted by the provider, the ValidateFunc field can be specified in the resourceEnforcerGroup Schema, in which validation can be performed on the input value of host_os (accepting only Linux or Windows as valid input).

Resource fields which are not normally modifiable should ForceNew

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.

Affected Resource(s)

Please list the resources as a list, for example:

  • aquasec_image_assurance_policy
  • aquasec_container_runtime_policy
  • aquasec_user

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

Example provided for user resource only for brevity. Concept applies to all resources.

Before:

resource "aquasec_user" "IaC" {
    // Unmodifiable field
    user_id = "IaC"
  
    // Modifiable fields
    password = var.password
    roles = [
        "infrastructure"
    ]
    email = "[email protected]"
    first_time = true 
    name = "Infrastructure as Code" 
}

After:

resource "aquasec_user" "IaC" {
    // Unmodifiable field
    user_id = "infra"
  
    // Modifiable fields
    password = var.password
    roles = [
        "infrastructure"
    ]
    email = "[email protected]"
    first_time = true 
    name = "Infrastructure as Code" 
}

Debug Output

Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

Expected Behavior

What should have happened?

As Aqua doesn't support the modification of these fields, the only way to change them is to delete the resource and create a new one.

Actual Behavior

What actually happened?

State inconsistent with live data

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply the sample resource
  2. Modify the resource to change one of the non-editable fields
  3. terraform apply the change

Important Factoids

Is there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

References

Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here? For example:

https://www.terraform.io/plugin/sdkv2/schemas/schema-behaviors#forcenew

Certain Enforcer Group 'Set' parameters are mis-matched

There are several cases for Enforcer Group parameters where the key and value passed to the ResourceData struct's Set method are not aligned (likely via copy/paste errors when duplicating code snippets); that is, the wrong referenced value (obtained via a GetEnforcerGroup call to the hostsbatch API) is used to set the value associated with the specified ResourceData object's key.

For example, r.ContainerAntivirusProtection is used to set the value of the key container_activity_protection for the ResourceData object d (this key's source value should actually come from r.ContainerActivityProtection).

In this collection of Set calls, there is also a duplicate case of type being set, which should be removed.

Expected Behavior

Each ResourceData object's key should have its value set by its corresponding actual value, retrieved via a GetEnforcerGroup call to the hostsbatch API.

Actual Behavior

In those cases where parameters are mis-matched, the value of a ResourceData object can be incorrectly set via an update to an unrelated parameter. For example, the auto_discover_configure_registries key is currently being set by the value of r.AllowKubeEnforcerAudit, instead of by r.AutoDiscoverConfigureRegistries.

Identified Enforcer Group parameter mis-matches

The following entries in the resourceEnforcerGroupRead function (in the file aquasec/resource_enforcer_group.go) contain errors and should be corrected, as shown:

From: d.Set("container_activity_protection", r.ContainerAntivirusProtection)
To:   d.Set("container_activity_protection", r.ContainerActivityProtection)
From: d.Set("host_behavioral_engine", r.BehavioralEngine)
To:   d.Set("host_behavioral_engine", r.HostBehavioralEngine)
From: d.Set("host_protection", r.HostNetworkProtection)
To:   d.Set("host_protection", r.HostProtection)
From: d.Set("auto_discover_configure_registries", r.AllowKubeEnforcerAudit)
To:   d.Set("auto_discover_configure_registries", r.AutoDiscoverConfigureRegistries)
Duplicate to remove: d.Set("type", r.Type)

Similarly, the following entries in the dataEnforcerGroupRead function (in the file aquasec/data_enforcer_group.go) contain errors and should be corrected, as shown (these actually mirror the errors present in the resourceEnforcerGroupRead function):

From: d.Set("container_activity_protection", group.ContainerAntivirusProtection)
To:   d.Set("container_activity_protection", group.ContainerActivityProtection)
From: d.Set("host_behavioral_engine", group.BehavioralEngine)
To:   d.Set("host_behavioral_engine", group.HostBehavioralEngine)
From: d.Set("host_protection", group.HostNetworkProtection)
To:   d.Set("host_protection", group.HostProtection)
From: d.Set("auto_discover_configure_registries", group.AllowKubeEnforcerAudit)
To:   d.Set("auto_discover_configure_registries", group.AutoDiscoverConfigureRegistries)
Duplicate to remove: d.Set("type", group.Type)

Error creating assurance policy

Hi there,

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

Terraform Version

aquasec = {
  version = "0.8.4"

Affected Resource(s)

resource "aquasec_image_assurance_policy"

Terraform Configuration Files

    terraform {
      required_providers {
        aquasec = {
          version = "0.8.4"
          source  = "aquasecurity/aquasec"
        }
      }
    }

    provider "aquasec" {
      username = ""
      aqua_url = "https://*****.cloud.aquasec.com/"
      password = "PASSWORD_HERE"

      verify_tls = false
    }

    resource "aquasec_image_assurance_policy" "resource_name" {
      name               = "resource_name"
      assurance_type     = "image"  
      application_scopes = [
        "Global"
      ]

      auto_scan_enabled = true

      cves_white_list_enabled = true
      cves_white_list         = [
        "",
      ]

      ignored_risk_resources = [
        "",
      ]

      custom_severity_enabled = true
      cvss_severity           = "critical"

      scope {
        expression = "v1"

        variables {
          attribute = "image.name"
          name      = ""
          value     = "org/resource:*"
        }
      }
    }

Debug Output

Stack trace from the terraform-provider-aquasec_v0.8.4 plugin:

Panic Output

panic: interface conversion: interface {} is *schema.Set, not []interface {}

goroutine 120 [running]:
github.com/aquasecurity/terraform-provider-aquasec/aquasec.expandImageAssurancePolicy(0x140006e4280, 0x101079c2e)
	github.com/aquasecurity/terraform-provider-aquasec/aquasec/resource_image_assurance_policy.go:984 +0x3ce0
github.com/aquasecurity/terraform-provider-aquasec/aquasec.resourceImageAssurancePolicyCreate(0x140006e4280, 0x1012cb700, 0x1400042a240, 0xffffffffffffffff, 0x1400067f798)
	github.com/aquasecurity/terraform-provider-aquasec/aquasec/resource_image_assurance_policy.go:582 +0x84
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x140000bb980, 0x1012f6fb8, 0x14000045700, 0x140006e4280, 0x1012cb700, 0x1400042a240, 0x0, 0x0, 0x0)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:278 +0x5c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x140000bb980, 0x1012f6fb8, 0x14000045700, 0x140005b13b0, 0x140005b3c20, 0x1012cb700, 0x1400042a240, 0x0, 0x0, 0x0, ...)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:396 +0x4e4
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x140000900f0, 0x1012f6fb8, 0x14000045700, 0x14000423d10, 0x14000045700, 0x10129e280, 0x0)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:955 +0x6f8
github.com/hashicorp/terraform-plugin-go/tfprotov5/server.(*server).ApplyResourceChange(0x14000822040, 0x1012f7060, 0x14000045700, 0x140005b1180, 0x14000822040, 0x1010250c0, 0x101278be0)
	github.com/hashicorp/[email protected]/tfprotov5/server/server.go:332 +0x94
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler(0x10129e280, 0x14000822040, 0x1012f7060, 0x140006ba960, 0x140008385a0, 0x0, 0x1012f7060, 0x140006ba960, 0x140001ce880, 0xcb4)
	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:380 +0x1c8
google.golang.org/grpc.(*Server).processUnaryRPC(0x140000b8380, 0x1012fea78, 0x14000603080, 0x140005e4400, 0x1400037e450, 0x1016f5be0, 0x0, 0x0, 0x0)
	google.golang.org/[email protected]/server.go:1194 +0x3e8
google.golang.org/grpc.(*Server).handleStream(0x140000b8380, 0x1012fea78, 0x14000603080, 0x140005e4400, 0x0)
	google.golang.org/[email protected]/server.go:1517 +0xa50
google.golang.org/grpc.(*Server).serveStreams.func1.2(0x14000514150, 0x140000b8380, 0x1012fea78, 0x14000603080, 0x140005e4400)
	google.golang.org/[email protected]/server.go:859 +0x94
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:857 +0x1f8

Expected Behavior

Actually create assurance policy

Actual Behavior

Error thrown, shown above.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. $ terraform init
  2. $ terraform plan
  3. $ terraform apply --auto-approve

terraform.log

Provider authentication to Aqua SaaS not working

Hi!

Tested the new version of the Terraform provider today, but unfortunately, we are still having issues using the provider with our Aqua SaaS solution. The reason is the same as described in this comment in the PR: #93 (comment).

More details:

As you can see here https://github.com/aquasecurity/terraform-provider-aquasec/blob/main/client/client.go#L53-L60, client type for our login is set to SaaS, which makes sense. However, when getting the token for login here https://github.com/aquasecurity/terraform-provider-aquasec/blob/main/client/client.go#L68-L72, SaaS clients are using login with “email” and “password”, rather than “id” and “password” as shown here https://github.com/aquasecurity/terraform-provider-aquasec/blob/main/client/client.go#L108-L112. This makes the provider fail with the following message on initialization when we try to sign in with a user created in the Aqua SaaS Console:

{
  "status": 422,
  "code": 1,
  "message": "Invalid request",
  "errors": [
    {
      "field": "data.email",
      "message": "pattern mismatch",
      "value": "terraform",
      "type": "string",
      "schemaPath": [
        "properties",
        "email"
      ]
    }
  ]
}

Expected Behavior

Provider should be able to login to Aqua SaaS and create resources with Terraform.

Actual Behavior

Provider fails at login step.

Steps to Reproduce

  1. Create a user in Aqua SaaS Console with "Administrator" rights
  2. Use username and password for this user in the aquasec provider block

References

We had hoped that #93 would solve our issues, but this was not the case.

Aqua Services CRUD

We would like to implement a Terraform Provider Entity and Data from the Aqua Services objects.

Aqua Services are shown in the Aqua UI under Administration -> Services.

The REST API for services is: https://docs.aquasec.com/reference#services

Note that you should be able to assign a Firewall Policy to an Aqua Service.

Aqua provider crashed modifying image assurance policy

Terraform Version

terraform:1.0.3 in Gitlab CICD SaaS

Using Docker executor with image registry.gitlab.com/gitlab-org/terraform-images/releases/terraform:1.0.3 ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/gitlab-org/terraform-images/releases/terraform:1.0.3 ...

Affected Resource(s)

  • aquasec_image_assurance_policy

Terraform Configuration Files

terraform {
  required_providers {
    aquasec = {
      version = "0.8.3"
      source  = "aquasecurity/aquasec"
    }
  }
  backend "http" {}
}

provider "aquasec" {
}

#variable "username" {}
#variable "password" {}
resource "aquasec_user" "testandres" {
  user_id  = "testandres"
  password = "password"
  name     = "test"
  email    = "[email protected]"
  roles = [
    "Scanner"
  ]
}

resource "aquasec_image_assurance_policy" "testandres" {
  name           = "myapp"
  assurance_type = "image"
  description    = "Created using Terraform"
  application_scopes = [
    "Global"
  ]
  audit_on_failure             = true
  fail_cicd                    = false
  block_failed                 = true
  whitelisted_licenses_enabled = true
  whitelisted_licenses = [
    "AGPL-3.0",
    "Apache-2.0",
    "BSD-2-Clause"
  ]
}

resource "aquasec_container_runtime_policy" "testandres" {
  name                          = "testandres"
  description                   = "This is a container runtime policy"
  #enabled                       = false
  enforce                       = true
  block_non_compliant_images    = true
  block_non_compliant_workloads = true
  block_container_exec          = true
  block_unregistered_images     = true
  enable_drift_prevention       = true
  #application_scopes = [
  #  "Global"
  #]
  allowed_executables = [
    "test",
    "exe",
  ]
  blocked_executables = [
    "test1",
    "exe1",
  ]

  blocked_files = [
    "test",
    "files",
  ]
  audit_all_processes_activity = true
  audit_full_command_arguments = true
  audit_all_network_activity   = true

  enable_fork_guard        = true
  fork_guard_process_limit = 12

  enable_ip_reputation_security = true

  blocked_packages = [
    "pkg",
  ]
  blocked_inbound_ports = [
    "80",
    "8080"
  ]
  blocked_outbound_ports = [
    "90",
    "9090"
  ]
  enable_port_scan_detection = true
  blocked_volumes = [
    "blocked",
    "vol"
  ]
  readonly_files_and_directories = [
    "readonly",
    "/dir/"
  ]
  exceptional_readonly_files_and_directories = [
    "readonly2",
    "/dir2/"
  ]
  block_access_host_network   = true
  block_adding_capabilities   = true
  block_use_pid_namespace     = true
  block_use_ipc_namespace     = true
  block_use_user_namespace    = true
  block_use_uts_namespace     = true
  block_privileged_containers = true
  block_root_user             = true
  block_low_port_binding      = true
  limit_new_privileges        = true
  blocked_capabilities = [
    "ALL"
  ]
}

Debug Output

https://gist.github.com/andresguisado/c9c55902b420d9eab80c1a390584343d

Expected Behavior

Change Image assurance policy

Actual Behavior

Crashing TF provider

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
  2. change something in the assurance policy (personally I change fail_cicd to false)
  3. terraform apply

Enable additional Enforcer Group fields to be set/modified

Limitation

A handful of Enforcer Group parameters that should be supported by the provider are not currently manageable/modifiable:

  • allowed_applications
  • allowed_registries
  • host_network_protection
  • micro_enforcer_certs_secrets_name
  • micro_enforcer_image_name
  • micro_enforcer_secrets_name
  • permission

Suggestion

Two actions need to take place for support to be enabled:

  • In the function resourceEnforcerGroupUpdate (in the file aquasec/resource_enforcer_group.go), add each of the above items to the list of strings provided to the d.HasChanges method call.
  • In the function expandEnforcerGroup (in the file aquasec/resource_enforcer_group.go), for each of the above items, add a code block that calls d.GetOk(<parameter>) and uses the return value to set the corresponding enforcerGroup.<parameter> value.

Note

The existing allowed_labels code block (which is the model by which allowed_applications and allowed_registries should be added) that sets the value of enforcerGroup.AllowedLabels derives its value from allowedLabels.([]string). However, in practice, this throws the following error when attempting to set a non-empty allowed_labels value:

│ Error: Plugin did not respond
│
│   with aquasec_enforcer_groups.demo1,
│   on aquasec-provider.tf line 38, in resource "aquasec_enforcer_groups" "demo1":
│   38: resource "aquasec_enforcer_groups" "demo1" {
│
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-aquasec plugin:

panic: interface conversion: interface {} is *schema.Set, not []string

Instead, it is necessary to use enforcerGroup.AllowedLabels = convertStringArr(allowedLabels.(*schema.Set).List()), which uses the convertStringArr function used by gateways. Since that function expects the input to be []interface{}, it is necessary to call List() on the *schema.Set. This should also be done for allowed_applications and allowed_registries.
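The same class of defect underlies the "interface conversion: interface {} is *schema.Set, not []interface {}" panic in the assurance policy issue above and the allowed_labels note here: a bare type assertion on the value returned by d.GetOk crashes the plugin whenever the attribute is a TypeSet instead of a TypeList. The Go helper below is an added example written for this page, not code from the provider; the setLister interface and stringSet type are hypothetical stand-ins for the SDK's *schema.Set so that it compiles without terraform-plugin-sdk, and the attribute names in main are constructed samples.

```go
package main

import (
	"fmt"
	"sort"
)

// setLister captures the one *schema.Set method this helper needs. The real
// terraform-plugin-sdk type satisfies it; it is declared here as an interface so the
// example compiles without the SDK (hypothetical stand-in, not the SDK's type).
type setLister interface {
	List() []interface{}
}

// stringSet is a constructed stand-in for *schema.Set, used only to run this example.
type stringSet struct{ items []interface{} }

func (s *stringSet) List() []interface{} {
	if s == nil {
		return nil
	}
	return s.items
}

// expandStringList turns the value returned by d.GetOk for a list-of-strings attribute
// into []string. It accepts the shapes such a value can take (TypeList gives
// []interface{}, TypeSet gives *schema.Set, a pre-typed []string) and returns an error
// for anything else instead of the type-assertion panic quoted on this page.
func expandStringList(key string, raw interface{}) ([]string, error) {
	var (
		elems     []interface{}
		unordered bool
	)
	switch v := raw.(type) {
	case nil:
		return nil, nil // attribute not set in the configuration
	case []string:
		return append([]string(nil), v...), nil
	case []interface{}:
		elems = v
	case setLister:
		elems = v.List()
		unordered = true // set iteration order is not stable
	default:
		return nil, fmt.Errorf("attribute %q: unsupported type %T", key, raw)
	}
	out := make([]string, 0, len(elems))
	for i, e := range elems {
		s, ok := e.(string)
		if !ok {
			return nil, fmt.Errorf("attribute %q: element %d is %T, want string", key, i, e)
		}
		out = append(out, s)
	}
	if unordered {
		sort.Strings(out) // deterministic order for API payloads and plan diffs
	}
	return out, nil
}

func main() {
	// Constructed sample values: a TypeSet like allowed_labels, a TypeList like
	// whitelisted_licenses, and a wrong-typed value that must not crash the plugin.
	inputs := map[string]interface{}{
		"allowed_labels":       &stringSet{items: []interface{}{"prod", "edge"}},
		"whitelisted_licenses": []interface{}{"AGPL-3.0", "Apache-2.0"},
		"bad_attribute":        42,
	}
	for key, raw := range inputs {
		v, err := expandStringList(key, raw)
		fmt.Printf("%s -> %v (err: %v)\n", key, v, err)
	}
}
```

Returning an error from expand lets the SDK surface it as a normal diagnostic in the plan or apply output, whereas a panic in the provider process produces only the "Plugin did not respond" message shown above and leaves state untouched.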

Provider is not found using example

Hi there,

After pulling the provider source, installing it, and copying the v0.8 binary to the terraform-provider-aquasec/aquasec directory following the example instructions: https://github.com/aquasecurity/terraform-provider-aquasec/tree/v0.8.0#install-and-test-the-provider-locally

Version of terraform being used:

$ terraform version
Terraform v1.0.1
on darwin_amd64

I am not able to get the provider to work because terraform 'thinks' it should be connecting to a URL

Error:

$ terraform init

Initializing the backend...

Initializing provider plugins...
- Finding terraform-provider-aquasec/aquasec/aquasec versions matching "0.8.0"...

 Error: Failed to query available provider packages

 Could not retrieve the list of available versions for provider terraform-provider-aquasec/aquasec/aquasec: could not connect to terraform-provider-aquasec: Failed to request
 discovery document: Get "https://terraform-provider-aquasec/.well-known/terraform.json": dial tcp: lookup terraform-provider-aquasec: no such host

Current working directory.

$ pwd
~daniel/aqua/terraform/terraform-provider-aquasec/examples/resources

Location of provider binary.

$ find . -name terraform-provider-aquasec -type f
./.terraform/plugins/terraform-provider-aquasec/aquasec/aquasec/0.8/darwin_amd64/terraform-provider-aquasec

Code block used for provider

terraform {
  required_providers {
    aquasec = {
      version = "0.8"
      source  = "terraform-provider-aquasec/aquasec/aquasec"
    }
  }
}

It seems to throw the same error regardless of which path I use, or whether I incorporate the whole or part of the file path to the binary location.

Do I have to upload the provider binary to a separate GitHub repository to make this work?

Am I doing something wrong, or is the path wrong? Please can you provide a solution or guidance.
Many thanks

Contributing Guidelines

Hi,

First off it is great to see an Aquasec provider being created 👍

Would it be possible to have a CONTRIBUTING.md file or some notes in the README as to how I could get involved with this project?

Thanks!

aqua-user resource generation error

When using version 0.8.1 of the provider from HCL (tested on Aqua Cloud Native Security Platform 5.0.20274, built Sep 30 2020 06:40:00), generation of the resource aquasec_user from the code block below appears to execute but does not generate a valid ID.

resource "aquasec_user" "test-user" {
  user_id  = "terraform-user"
  password = "password"
  name     = "Terraform User"
  email    = "[email protected]"
  roles = [
    "Scanner",
    "Administrator"
  ]
}

When running terraform apply (after init and plan) with $TF_LOG=debug set,

the output appears as:

Plan: 2 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

aquasec_user.test-user: Creating... 
aquasec_enforcer_groups.new: Creating...
aquasec_container_runtime_policy.test: Modifying... [id=test]
aquasec_container_runtime_policy.test: Modifications complete after 1s [id=test]
╷
│ Error: user not found: terraform-user
│ 
│   with aquasec_user.test-user,
│   on main.tf line 23, in resource "aquasec_user" "test-user":
│   23: resource "aquasec_user" "test-user" {
│ 

No user is created and I cannot see the test user as stated in the User management part of Aqua.

End-to-end implementation user entity

"end-to-end" means code, unit tests, acceptance tests, documentation and submission to terraform registry.

Few notes:

  • The repo code is just for reference. Please make it right as you see fit.
  • The github.com/BryanKMorrow/aqua-sdk-go/client referenced from the code is also for reference and if used must be copied to project and refactored as needed.

Detecting Drift in Resources via Provider Logic

When trying to destroy an AWS ECR Repo that was deleted manually, we get this error:

aquasec_integration_registry.bp_ecr: Destroying... [id=AWS ECR]
Error: failed deleting user, status code: 404

And after removing an AWS ECR repo manually through the console and trying to re-apply terraform, we get an error instead of adding the AWS ECR repo again:

eks_dev-us-east-1 [default]➜ /Users/dennis/wrk/terraform-aqua git:(master) ✗ tfa
aquasec_integration_registry.bp_ecr: Refreshing state... [id=BigPanda AWS ECR]
aquasec_user.aqua_user["Tal Kimchi"]: Refreshing state... [id=talk]
aquasec_user.aqua_user["William White"]: Refreshing state... [id=wwhite]
aquasec_user.aqua_user["Yahel Agassi"]: Refreshing state... [id=yahela]
aquasec_user.aqua_user["Dennis Zheleznyak"]: Refreshing state... [id=dzheleznyak]
Error: registry not found: BigPanda AWS ECR

Can we detect drift like this in the provider logic at apply time and reflect it in the state file?
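The usual provider-side answer to the two errors quoted in this issue is for Read to treat a 404 as "gone" and clear the resource ID (so the next plan shows a create rather than failing), and for Delete to treat a 404 as already done. The Go code below is an added example written for this page, not the provider's own code: apiError, resourceState and the registryClient interface are hypothetical stand-ins for the client.go error type and the SDK's *schema.ResourceData, and fakeClient with its registry names is constructed sample data.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// apiError is a constructed stand-in for the error the provider's HTTP client returns;
// the shape of client.go's real error type is not reproduced here.
type apiError struct {
	StatusCode int
	Message    string
}

func (e *apiError) Error() string {
	return fmt.Sprintf("%s, status code: %d", e.Message, e.StatusCode)
}

// isNotFound reports whether err says the remote object no longer exists.
func isNotFound(err error) bool {
	var ae *apiError
	return errors.As(err, &ae) && ae.StatusCode == http.StatusNotFound
}

// resourceState stands in for the two *schema.ResourceData methods used below
// (Id and SetId); it is not the SDK type.
type resourceState struct{ id string }

func (r *resourceState) Id() string      { return r.id }
func (r *resourceState) SetId(id string) { r.id = id }

// registryClient is the subset of client operations the CRUD functions need, declared
// as an interface so the example runs against the constructed fake below.
type registryClient interface {
	GetRegistry(name string) (map[string]string, error)
	DeleteRegistry(name string) error
}

// readRegistry is a drift-aware Read: a 404 clears the ID so Terraform drops the
// resource from state and plans a re-create; any other error still fails the run.
func readRegistry(d *resourceState, c registryClient) error {
	reg, err := c.GetRegistry(d.Id())
	if err != nil {
		if isNotFound(err) {
			d.SetId("")
			return nil
		}
		return err
	}
	_ = reg // a real Read would copy reg's fields into state with d.Set here
	return nil
}

// deleteRegistry treats "already gone" as success so terraform destroy converges
// instead of failing with "status code: 404".
func deleteRegistry(d *resourceState, c registryClient) error {
	if err := c.DeleteRegistry(d.Id()); err != nil && !isNotFound(err) {
		return err
	}
	d.SetId("")
	return nil
}

// fakeClient is a constructed in-memory client; failWith injects a non-404 failure.
type fakeClient struct {
	registries map[string]map[string]string
	failWith   error
}

func (f *fakeClient) GetRegistry(name string) (map[string]string, error) {
	if f.failWith != nil {
		return nil, f.failWith
	}
	reg, ok := f.registries[name]
	if !ok {
		return nil, &apiError{StatusCode: http.StatusNotFound, Message: "registry not found: " + name}
	}
	return reg, nil
}

func (f *fakeClient) DeleteRegistry(name string) error {
	if _, ok := f.registries[name]; !ok {
		return &apiError{StatusCode: http.StatusNotFound, Message: "failed deleting registry"}
	}
	delete(f.registries, name)
	return nil
}

func main() {
	c := &fakeClient{registries: map[string]map[string]string{"Still There": {"type": "AWS"}}}
	d := &resourceState{id: "BigPanda AWS ECR"} // constructed: registry removed out-of-band
	fmt.Println(readRegistry(d, c), d.Id() == "")
}
```

Only the not-found case is swallowed; an authentication failure or a 5xx from the Aqua API still propagates, so a transient outage cannot silently empty the state.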

Terraform | Enforcer Group Creation | Some fields don't get populated

Terraform Aquasec Provider:

https://registry.terraform.io/providers/aquasecurity/aquasec/latest/docs/resources/enforcer_groups

Problem description:

Some variables used to create groups of Enforcers in Aqua using the "Terraform Provider" plugin (see the link above) are correctly declared, with the desired values, in the creation script for groups of Enforcers (see the example script below); however, after executing the "Terraform Provider" script, we can see that the group of Enforcers was created, but some of the fields declared through the variables present in the script are empty.

Reproduction Steps:

  • Create an EKS cluster
  • Install Aqua CSP 6.5
  • Install Terraform and use the Aqua Terraform Provider: https://registry.terraform.io/providers/aquasecurity/aquasec/latest/docs
  • Use the example script below in order to create an Enforcer group (review the values)
  • Go to the Aqua UI > Enforcer Group and check if all the fields were populated correctly according to all the variables declared.

Affected Resource(s)

Please list the resources as a list, for example:

  • aquasec_enforcer_groups

Terraform Configuration Files

terraform {
  required_providers {
    aquasec = {
      version = "0.8.4"
      source  = "aquasecurity/aquasec"
    }
  }
}

provider "aquasec" {
  username   = "administrator"
  aqua_url   = "https://10.0.101.194:30443"
  password   = "Lvl1supp!"
  verify_tls = false
}

resource "aquasec_enforcer_groups" "jasonTest" {
  gateways        = []
  group_id        = "tf_group"
  logical_name    = "some_logical"
  type            = "agent"
  enforce         = "true"
  image_assurance = "true"
  orchestrator {
    type            = "kubernetes"
    service_account = "aqua-sa"
    namespace       = "aqua"
  }
}

Actual result:

  1. Some variables are being passed and populated correctly.
  2. List of variables that have been tested and are not working correctly:

     service_account = "aqua-sa"
     namespace = "aqua"
     enforce = "true"

Expected results:

All variables are passed and correctly populate the Enforcer Group's fields.

Failed to install provider

When trying to install the provider from the terraform registry I get the following error:

Error: Failed to install provider

Error while installing aquasecurity/aquasec v0.6.0: could not query provider
registry for registry.terraform.io/aquasecurity/aquasec: failed to retrieve
authentication checksums for provider: 404 Not Found

I am using terraform version 0.13.7 following these instructions on the terraform registry page:

terraform {
  required_providers {
    aquasec = {
      source = "aquasecurity/aquasec"
      version = "0.6.0"
    }
  }
}

provider "aquasec" {
  username = "myusername"
  aqua_url = "https://myaquaurl.cloud.aquasec.com/"
  password = "mypassword"

}

and here are the relevant trace logs from the terraform init:

2021/07/06 19:25:53 [DEBUG] GET https://registry.terraform.io/v1/providers/aquasecurity/aquasec/versions
2021/07/06 19:25:53 [TRACE] HTTP client GET request to https://registry.terraform.io/v1/providers/aquasecurity/aquasec/versions
2021/07/06 19:25:53 [DEBUG] GET https://registry.terraform.io/v1/providers/aquasecurity/aquasec/0.6.0/download/darwin/amd64
2021/07/06 19:25:53 [TRACE] HTTP client GET request to https://registry.terraform.io/v1/providers/aquasecurity/aquasec/0.6.0/download/darwin/amd64
2021/07/06 19:25:53 [DEBUG] GET https://github.com/aquasecurity/terraform-provider-aquasec/releases/download/v0.6/terraform-provider-aquasec_0.6.0_SHA256SUMS
2021/07/06 19:25:53 [TRACE] HTTP client GET request to https://github.com/aquasecurity/terraform-provider-aquasec/releases/download/v0.6/terraform-provider-aquasec_0.6.0_SHA256SUMS

Add Outputs to all resources

We want to be able to make new resources from the output of other resources being created

ie. when creating an Enforcer Group, an "Aqua Token" gets generated so the enforcers we deploy can be added to that group.

Can that token be returned on the successful creation of the group so the enforcers can be deployed to the newly created group easily?
