trendmicro / terraform-provider-conformity

Conformity Terraform provider

Home Page: https://registry.terraform.io/providers/trendmicro/conformity/latest/docs

License: Mozilla Public License 2.0

Languages: Makefile 0.34%, Go 84.78%, HCL 12.07%, Shell 2.59%, Batchfile 0.23%
Topics: conformity, terraform

Contributors: achacttn, adamwang-trendmicro, amitchotaliya, jbrmg, johan1252, johannes-guardrail, kim-cloudconformity, saayamori, shunyeka, trend-yafang-qiu, vishal-shunyeka

terraform-provider-conformity's Issues

Resources do not handle unmanaged deletions correctly

Hi,

if I create a Conformity group with Terraform, then delete the group via the API or the Conformity UI and then re-run Terraform, an error is thrown as the HTTP client returns an error. I would expect that Terraform detects that the group no longer exists and plans to recreate the group instead.

│ Error: {"errors":[{"status":422,"detail":"Group ID entered is invalid"}]}
│ 
│   with conformity_group.this["mygroup"],
│   on groups.tf line 7, in resource "conformity_group" "this":
│    7: resource "conformity_group" "this" {
│ 

I did not test this with other resources, but from looking at the source code, the bug likely affects other resources like accounts as well.

From a technical perspective, the HTTP response code for the "Not Found" error on a GET request (422 in this example) should be processed in the Conformity provider. By calling d.SetId("") in a read method (e.g. resourceConformityGroupRead), you can tell Terraform that the remote resource has been deleted and needs to be recreated.

Regards
Jan
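
The read-path fix described above, as an added example that is not the provider's own code. The Conformity client is reduced to a function type and schema.ResourceData to the two methods the read path uses, so it runs stand-alone; the JSON:API error shape and the 422 detail string are the ones quoted in the report. Treating that particular 422 as "gone" is an assumption about the API, so the check is deliberately narrow (404, or that exact detail): clearing the ID on any 4xx would make Terraform plan a fresh create on a malformed ID or an expired API key and hide the real failure.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// apiErrorItem is one entry of the JSON:API error body the Conformity API
// returns, e.g. {"errors":[{"status":422,"detail":"Group ID entered is invalid"}]}.
type apiErrorItem struct {
	Status int    `json:"status"`
	Detail string `json:"detail"`
}

type apiError struct {
	Errors []apiErrorItem `json:"errors"`
}

func (e *apiError) Error() string {
	b, _ := json.Marshal(e)
	return string(b)
}

// parseAPIError decodes a raw error body; ok is false when the body is not in
// the JSON:API error shape (for example an HTML 502 page from a proxy).
func parseAPIError(body string) (*apiError, bool) {
	var e apiError
	if err := json.Unmarshal([]byte(body), &e); err != nil || len(e.Errors) == 0 {
		return nil, false
	}
	return &e, true
}

// isGone reports whether err means the remote object no longer exists.
// 404 is the conventional signal. The group endpoint in the issue above answers
// 422 "Group ID entered is invalid" for a deleted group, so that exact detail is
// accepted too (an assumption about the API, kept narrow on purpose: a generic
// "any 4xx" rule would turn auth or request errors into silent recreates).
func isGone(err error) bool {
	var e *apiError
	if !errors.As(err, &e) || e == nil {
		return false
	}
	for _, item := range e.Errors {
		if item.Status == http.StatusNotFound {
			return true
		}
		if item.Status == http.StatusUnprocessableEntity &&
			strings.EqualFold(item.Detail, "Group ID entered is invalid") {
			return true
		}
	}
	return false
}

// idState is the part of *schema.ResourceData the read path needs.
type idState interface {
	Id() string
	SetId(string)
}

// memState stands in for *schema.ResourceData in this example.
type memState struct{ id string }

func (m *memState) Id() string      { return m.id }
func (m *memState) SetId(id string) { m.id = id }

// groupGetter stands in for the Conformity client's group lookup.
type groupGetter func(id string) (name string, err error)

// readGroup is the shape resourceConformityGroupRead should take: a "gone"
// error clears the ID, which tells Terraform the object must be recreated;
// every other error is surfaced, never swallowed.
func readGroup(d idState, get groupGetter) error {
	if _, err := get(d.Id()); err != nil {
		if isGone(err) {
			d.SetId("") // deleted out of band: drop it from state, no error
			return nil
		}
		return fmt.Errorf("reading conformity group %q: %w", d.Id(), err)
	}
	return nil
}

func main() {
	// Constructed client: every lookup answers with the 422 body from the issue.
	stale := func(id string) (string, error) {
		e, _ := parseAPIError(`{"errors":[{"status":422,"detail":"Group ID entered is invalid"}]}`)
		return "", fmt.Errorf("GET /groups/%s: %w", id, e)
	}
	d := &memState{id: "grp-123"}
	fmt.Printf("err=%v id=%q\n", readGroup(d, stale), d.Id())
}
```

The same pattern applies to the account resources the report suspects are affected; the only thing that changes per resource is which status/detail pair the API uses to say "no such object", and that should be confirmed against the endpoint rather than generalised.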

Missing resource: conformity_azure_active_directory

With #14 , you will add the resource conformity_gcp_org. Are there any plans to add support for the corresponding Azure source conformity_azure_active_directory? This would complement the existing conformity_azure_account resource very well.

conformity_profile: Incomplete handling of IncludedExtraSettings.included.attributes.extraSettings.values

Hi,

we found some issues when working with profiles, as the conformity_profile resource does not handle all possibilities in the IncludedExtraSettings.included.attributes.extraSettings.values field. The field is currently defined as follows:

type ProfileValues struct {
	Label   string `json:"label,omitempty"`
	Value   string `json:"value,omitempty"`
	Enabled bool   `json:"enabled,omitempty"`
}

(source)

However, the values field may have different values.

Example 1: The value field within the ProfileValues struct may also be a number. This leads to an error Error: json: cannot unmarshal number into Go struct field ProfileValues.included.attributes.extraSettings.values.value of type string

    {
      "type": "rules",
      "id": "EC2-034",
      "attributes": {
        "enabled": false,
        "extraSettings": [
          {
            "name": "SecurityGroupsSafelistNamePattern",
            "type": "single-value-regex",
            "value": null
          },
          {
            "name": "commonlyUsedPorts",
            "type": "multiple-number-values",
            "values": [
              {
                "value": 80
              },
              {
                "value": 443
              },
[...]

This may be fixed by changing the value field (Value string `json:"value,omitempty"`) from string to interface{}.

Example 2: The values array itself may not consist only of []*ProfileValues entries, but we also encountered []string values, leading to an error Error: json: cannot unmarshal string into Go struct field IncludedExtraSettings.included.attributes.extraSettings.values of type cloudconformity.ProfileValues

    {
      "type": "rules",
      "id": "RTM-008",
      "attributes": {
        "enabled": false,
        "extraSettings": [
          {
            "name": "authorisedRegions",
            "regions": true,
            "type": "regions",
            "values": [
              "af-south-1",
              "ap-east-1",
              "ap-northeast-1",
              "ap-northeast-2",
[...]

Fixing the second issue may be more complex as it requires support for more generic structures, but it is required to fully support all profiles.

Regards
Jan
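
A decoder that accepts both shapes reported above, as an added example that is not the provider's own code. One custom UnmarshalJSON handles the object form (with value as string or number) and the bare-string form, and records which one arrived so MarshalJSON can send the same shape back on update; the same type switch is what keeps the flattenRuleValues "interface {} is string, not map[string]interface {}" panic reported further down this page, and the float64 import error, from happening. The ExtraSetting struct is a reduction for the example (the scalar "value" and "regions" fields are left out) and the sample payload is constructed from the two API excerpts in the report.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
)

// ProfileValue is one entry of extraSettings[].values. The API sends it either
// as an object {"label","value","enabled"} whose "value" may be a string or a
// number, or as a bare string (the "regions" setting type). Decoding into the
// provider's fixed struct fails on both shapes, as the issue above shows.
type ProfileValue struct {
	Label   string      `json:"label,omitempty"`
	Value   interface{} `json:"value,omitempty"`   // string or json.Number
	Enabled *bool       `json:"enabled,omitempty"` // pointer so an explicit false survives omitempty
	bare    bool        // set when the entry arrived as a bare string
}

// UnmarshalJSON accepts both shapes and remembers which one was seen so that
// MarshalJSON sends the same shape back on update.
func (p *ProfileValue) UnmarshalJSON(b []byte) error {
	b = bytes.TrimSpace(b)
	if len(b) == 0 {
		return errors.New("profile value: empty input")
	}
	switch b[0] {
	case '"': // bare string, e.g. "af-south-1"
		var s string
		if err := json.Unmarshal(b, &s); err != nil {
			return err
		}
		*p = ProfileValue{Value: s, bare: true}
		return nil
	case '{': // object; the alias type has no methods, so this does not recurse
		type plain ProfileValue
		var v plain
		dec := json.NewDecoder(bytes.NewReader(b))
		dec.UseNumber() // keep 80 as json.Number("80"), not float64(80)
		if err := dec.Decode(&v); err != nil {
			return err
		}
		*p = ProfileValue(v)
		return nil
	default:
		return fmt.Errorf("profile value: unexpected JSON %s", b)
	}
}

// MarshalJSON emits whichever shape was decoded.
func (p ProfileValue) MarshalJSON() ([]byte, error) {
	if p.bare {
		return json.Marshal(p.Value)
	}
	type plain ProfileValue
	return json.Marshal(plain(p))
}

// ExtraSetting is the subset of an extraSettings entry this example models;
// the scalar "value" and the "regions" flag are left out.
type ExtraSetting struct {
	Name   string         `json:"name"`
	Type   string         `json:"type"`
	Values []ProfileValue `json:"values,omitempty"`
}

// ParseExtraSettings decodes an extraSettings array.
func ParseExtraSettings(data []byte) ([]ExtraSetting, error) {
	var out []ExtraSetting
	if err := json.Unmarshal(data, &out); err != nil {
		return nil, err
	}
	return out, nil
}

// sampleExtraSettings is constructed from the two API excerpts in the issue
// above (numeric values, bare-string regions) plus a labelled-choice entry.
const sampleExtraSettings = `[
  {"name": "SecurityGroupsSafelistNamePattern", "type": "single-value-regex", "value": null},
  {"name": "commonlyUsedPorts", "type": "multiple-number-values",
   "values": [{"value": 80}, {"value": 443}]},
  {"name": "authorisedRegions", "regions": true, "type": "regions",
   "values": ["af-south-1", "ap-east-1"]},
  {"name": "complianceStandards", "type": "choice-multiple-value",
   "values": [{"label": "ISO 27001", "value": "ISO-27001", "enabled": false}]}
]`

func main() {
	settings, err := ParseExtraSettings([]byte(sampleExtraSettings))
	if err != nil {
		panic(err)
	}
	for _, s := range settings {
		out, _ := json.Marshal(s.Values) // round-trips in the shape the API sent
		fmt.Printf("%-34s %s\n", s.Name, out)
	}
}
```

The *bool for enabled is deliberate: with the plain bool in the original struct, an explicit "enabled": false is dropped by omitempty on the way back, which silently changes a profile setting.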

provider support for custom rules?

Hello,

We are seeking to configure conformity custom rules via terraform.

We have a working terraform/conformity environment. We can create other resource types (eg communication channels)

We're following the AWS example for a custom rule here:
https://github.com/trendmicro/terraform-provider-conformity/blob/5c1d891b19ff88f1f485f7dcfd46c6c096bbc2fb/example/custom_rule/main.tf

Running terraform plan results in the following error:

│ Error: Invalid resource type

│ on custom_rules.tf line 1, in resource "conformity_custom_rule" "example":
│ 1: resource "conformity_custom_rule" "example"{

│ The provider trendmicro/conformity does not support resource type "conformity_custom_rule".

Is this expected? What would you suggest we do to troubleshoot?

thanks.

conformity_profile always creates a change

Hi,

when using the conformity_profile resource, terraform plans a change on each run.

Example:

resource "conformity_profile" "test" {
  name = "test"
}

Steps to reproduce:

  1. run terraform apply to create the profile
  2. run terraform apply again

[image]

Even after running terraform apply again, the same change is planned for the next execution. I think the profile_id field should not be set and the id field should be used instead.

conformity_azure_account: Rule settings are not applied if no settings are defined

Hi,

we face the issue that rule settings are not updated when terraform apply is executed (provider version 0.3.9). Here is a description on how to reproduce the issue:

  1. Define a conformity_azure_account resource without rule settings

Example:

resource "conformity_azure_account" "test" {
  name                = "test"
  environment         = "env"
  active_directory_id = "ad-id"
  subscription_id     = "sub-id"
}

  2. Define a profile with manual rule configurations

Example:

[image]

  3. Apply the profile to the Azure account with strategy replace
  4. Run terraform apply

Terraform detects the manual rule configurations and wants to remove them:
[image]

After applying the changes and running terraform plan, Terraform will plan the same changes as the manual rule configurations are still present in the backend.

The logs indicate that no update request is sent to the backend:

2022-06-07T07:43:35.060Z [INFO]  Starting apply for conformity_azure_account.test
2022-06-07T07:43:35.063Z [DEBUG] conformity_azure_account.test: applying the planned Update change
2022-06-07T07:43:35.471Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Request URL: https://conformity.de-1.cloudone.trendmicro.com/api/accounts/<account-id> timestamp=2022-06-07T07:43:35.471Z
2022-06-07T07:43:35.473Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Method: GET: timestamp=2022-06-07T07:43:35.471Z
2022-06-07T07:43:35.474Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] -----RA+5YKL+m3qN54ho102L6AuoPfkw+XFmmkaFziGph6jbfrdiir3LktPuo+Y9cJ9jBqT2EuEwjhYqFWzgHWB2808DNM9spSO8oXvbicKqFZ2NjVZx4xQW0Khws311SaQHEyiCd8kD/7hYo1QBwO0bRCeaS8hXj8h74/Mz+cJjZ+8u8CSNKHcn8wMX+p5SONPSaeN5TqCBmE/pyxSN2REZinoiWXcSBGXigtFK4eU4d0WvtZRTs62VlU2fc+MK7h6Lm11x9F/Z5vJ+cyzv/RbE+JC4VzbsGz0ApUlYOpfjwTocmloRsU7xpUEBa1YEsjZki9/qB2EL7Zyhn7pp0mJdkg==-----: timestamp=2022-06-07T07:43:35.471Z
2022-06-07T07:43:35.971Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Response Body of accountDetails: timestamp=2022-06-07T07:43:35.971Z
2022-06-07T07:43:35.973Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 0x6b6340: timestamp=2022-06-07T07:43:35.971Z
2022-06-07T07:43:35.975Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] ----------: timestamp=2022-06-07T07:43:35.972Z
2022-06-07T07:43:35.977Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Request URL: https://conformity.de-1.cloudone.trendmicro.com/api/accounts/<account-id>/settings/rules: timestamp=2022-06-07T07:43:35.975Z
2022-06-07T07:43:35.979Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Method: GET: timestamp=2022-06-07T07:43:35.975Z
2022-06-07T07:43:35.980Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] -----PD/4vMjGx5WLvBiuIp+G02LJixds6i4QXZvWuHosHpcLRFD5XdN+t0Bq8qC2cqBjRbMVw/AOi6Iu2SKc7S9+RVjodQnFX9WkViXy13GQ8dScN5VZoyIfU9yaLvwG15VaV7H3F3wRnEDBNbC9hOrZ4vKzEsCu6rB5oK5qxirSAm0jAIvalVuPdyU8Mklt1l02w5DgIywgzyd+8Pan4f7Sc9ruQUS4fy7dGJA1eB7gdfRMZv3POyhaAd7v6jei7XcqsecbhLjxYVI4Qvi3WNtkM2c+QHa9t16Hwb0z5rEPze1stNuIpA/Nghyb9KEzJUbIFEW/VIxNSP08GvnkqrmfAQ==-----: timestamp=2022-06-07T07:43:35.976Z
2022-06-07T07:43:36.438Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:36 [DEBUG] Response Body of GetAccountRuleSettings: timestamp=2022-06-07T07:43:36.437Z
2022-06-07T07:43:36.440Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:36 0x6b6340: timestamp=2022-06-07T07:43:36.437Z
2022-06-07T07:43:36.443Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:36 [DEBUG] ----------: timestamp=2022-06-07T07:43:36.438Z

conformity_gcp_org: private_key exposed in logs.

Hi,

the private_key field of the new resource conformity_gcp_org is not marked as Sensitive: true. As a consequence, the private key is exposed in log files. Can you mark the field as Sensitive to protect its value?

Support nested conditions in custom rule

Problem

It's not possible to have a composite rule within a custom rule due to a Terraform SDK limitation (a nested data structure as a schema is not supported).
It is possible to create a nested custom rule with the API (in JSON):

// custom rule configuration json
"rules": [
        {
            "conditions": {
                "any": [
                    {
                        "all": [
                            // condition 1
                        ]
                    },
                    {
                        "all": [
                            // condition 2
                             ,
                           // condition 3
                        ]
                    }
                ]
            },
            // event 
        }
    ]

This rule cannot be translated directly into HCL conformity_custom_rule rules block.

Proposal

One way of solving this would be to:

  • remove the operation from the rules attributes
  • conditions type is string(validated as a json) that can be generated
  • passthrough the value of conditions to api request payload without extra processing

// conformity_custom_rule
rules {
  event_type = ""
  conditions = jsonencode({
    any = [
      {
        all = [
          { fact = "", operator = "", value = "" }
        ]
      },
      {
        all = [
          { fact = "", operator = "", value = "" },
          { fact = "", operator = "", value = "" }
        ]
      }
    ]
  })
}

I don't consider this the best solution, but I would still like to hear your opinion.

conformity_azure_account does not read tags from backend

Hi,

the conformity_azure_account resource does not read the account tags from the backend. As a consequence, tag changes in the backend cannot be taken into account by Terraform. In addition, existing tags are not added to the Terraform state when a resource is imported, and are overwritten on the first terraform apply.

The conformity_aws_account does behave correctly: https://github.com/trendmicro/terraform-provider-conformity/blob/main/conformity/resource_aws_account.go#L157

The terraform-provider-conformity_v0.5.0 plugin crashed!

Hello,

we are getting an error when using the conformity provider. It started happening today. Retrying doesn't help.

TERRAFORM_VERSION: '1.4.6'
AWS_CLI_VERSION: '2.11.13'

terraform plan \ # collapsed multi-line command
╷
│ Error: Plugin did not respond
│ 
│   with module.conformity[0].conformity_aws_account.aws,
│   on .terraform/modules/conformity/account.tf line 1, in resource "conformity_aws_account" "aws":
│    1: resource "conformity_aws_account" "aws" {
│ 
│ The plugin encountered an error, and failed to respond to the
│ plugin.(*GRPCProvider).ReadResource call. The plugin logs may contain more
│ details.
╵
Stack trace from the terraform-provider-conformity_v0.5.0 plugin:
panic: interface conversion: interface {} is string, not map[string]interface {}
goroutine 54 [running]:
github.com/trendmicro/terraform-provider-conformity/conformity.flattenRuleValues({0xc00054e400, 0x1b, 0xbd6778})
	github.com/trendmicro/terraform-provider-conformity/conformity/account_settings.go:155 +0x427
github.com/trendmicro/terraform-provider-conformity/conformity.flattenExtraSettings({0xc000313f80, 0x1, 0xbdaf82})
	github.com/trendmicro/terraform-provider-conformity/conformity/account_settings.go:131 +0x391
github.com/trendmicro/terraform-provider-conformity/conformity.flattenSettings({0x1, {0xc0004dc990, 0xa}, {0xc0004dc988, 0x4}, 0x0, {0xc000313f80, 0x1, 0x4}, 0xc0005f1d10})
	github.com/trendmicro/terraform-provider-conformity/conformity/account_settings.go:87 +0x395
github.com/trendmicro/terraform-provider-conformity/conformity.flattenRuleSettings({0xc0004d6f00, 0x2, 0xbd520d})
	github.com/trendmicro/terraform-provider-conformity/conformity/account_settings.go:32 +0x1b8
github.com/trendmicro/terraform-provider-conformity/conformity.flattenAccountSettings(0xc000[35]
	github.com/trendmicro/terraform-provider-conformity/conformity/account_settings.go:20 +0xd9
github.com/trendmicro/terraform-provider-conformity/conformity.resourceAwsAccountRead({0xcde960, 0xc00021ecf0}, 0xc00021c080, {0xbcca20, 0xc000402600})
	github.com/trendmicro/terraform-provider-conformity/conformity/resource_aws_account.go:165 +0x406
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc0000df260, {0xcde960, 0xc00021ecf0}, 0xd, {0xbcca20, 0xc000402600})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:724 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc0000df260, {0xcde960, 0xc00021ecf0}, 0xc00032de10, {0xbcca20, 0xc000402600})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:1015 +0x585
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc0002843a8, {0xcde8b8, 0xc000403100}, 0xc000403180)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:613 +0x574
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadResource(0xc0001b55e0, {0xcde960, 0xc00050bef0}, 0xc000[36]
	github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:746 +0x48c
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler({0xbac340, 0xc0001b55e0}, {0xcde960, 0xc00050bef0}, 0xc000361020, 0x0)
	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:349 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0001fe8c0, {0xceb8e8, 0xc000308820}, 0xc0000c6c60, 0xc000293ec0, 0x11b4dd0, 0x0)
	google.golang.org/[email protected]/server.go:1282 +0xccf
google.golang.org/grpc.(*Server).handleStream(0xc0001fe8c0, {0xceb8e8, 0xc000308820}, 0xc0000c6c60, 0x0)
	google.golang.org/[email protected]/server.go:1619 +0xa2a
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/[email protected]/server.go:921 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:919 +0x294
Error: The terraform-provider-conformity_v0.5.0 plugin crashed!
This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

our terraform code:

resource "conformity_aws_account" "aws" {
  name        = var.name
  environment = var.environment
  role_arn    = aws_cloudformation_stack.cloud-conformity.outputs["CloudConformityRoleArn"]
  external_id = data.conformity_external_id.external.external_id
  tags        = var.tags

  settings {

    rule {
      rule_id = "S3-021"
      settings {
        enabled     = false
        risk_level  = "HIGH"
        rule_exists = false
      }
    }
  }
}

resource "conformity_communication_setting" "email_setting" {

  email {
    users = ["urn:cloudone:identity:us-1:111111111111:user/*********-*****-*****-***-********"]
  }

  filter {
    risk_levels = ["HIGH", "VERY_HIGH", "EXTREME"]
  }

  relationships {
    account {
      id = resource.conformity_aws_account.aws.id
    }
    organisation {
      id = "11111111111"
    }
  }
}

resource "conformity_report_config" "report" {
  count = var.conformity_report_enabled ? 1 : 0 

  configuration {
    title                    = "Cloud Conformity Report for AWS Accounts"
    emails                   = ["[email protected]"]
    send_email               = true
    scheduled                = true
    frequency                = "* * 1" # every monday
    should_email_include_csv = true
    should_email_include_pdf = true
    include_account_names    = false
    tz                       = "US/Eastern"
  }

  filter {
    providers              = ["aws"]
    risk_levels            = ["HIGH", "VERY_HIGH", "EXTREME"]
    suppressed             = false
    suppressed_filter_mode = "v1"
    statuses               = ["FAILURE"]
  }
}

Communications settings SNS topic missing "Status"

The Configure Triggers option on the SNS topic is missing "Status". This leads to notifications for both successful and failed rules. Having the ability to switch off success notifications and only be notified for failed rules is a highly desirable option.

conformity_custom_rule: boolean values will be converted in a string value and the custom rule will fail

Resource: custom rule
Documentation: https://registry.terraform.io/providers/trendmicro/conformity/latest/docs/resources/conformity_custom_rule

Problem description

Reserved values such as "null", "true" and "false" are treated as strings by the provider. A null cannot be used as a value through the provider, although it can be used as a value on the dry-run endpoint; the provider converts the boolean into a string, which affects the rule behavior.

In the example below, when we define the value as true, the provider converts it into the string value "true" when creating the resource on the Conformity platform. The rule then behaves differently than intended, and buckets that do not have a policy defined to allow CloudFront access will fail, because the boolean operator "isNullOrUndefined" is not executed correctly on the backend.

Provider version tested: v0.5.4 and v0.5.6

Detailed description

Conditions defined in the dry-run endpoint (custom-rules/run):

"conditions": {
            "any": [
                {
                    "value": true,
                    "operator": "isNullOrUndefined",
                    "fact": "cloudFrontInPolicy"
                },
                {
                    "value": ".*\"Service\".?\\S\"cloudfront.amazonaws.com\".*",
                    "operator": "pattern",
                    "fact": "cloudFrontInPolicy"
                }
            ]
}

HCL Code:

resource "conformity_custom_rule" "custom_rule_s3_cf_001" {
  name              = "S3 bucket access restricted through CloudFront or without bucket policy configuration"
  description       = "This rule checks if CloudFront is restricting S3 bucket access configured by Cloud Security Team"
  remediation_notes = "If this is broken, please follow these steps:\n1. https://docs.aws.amazon.com/AmazonCloudFront/latest/DeveloperGuide/private-content-restricting-access-to-s3.html \n2. https://aws.amazon.com/blogs/networking-and-content-delivery/amazon-cloudfront-introduces-origin-access-control-oac/\n updated"
  service           = "S3"
  resource_type     = "s3-bucket"
  categories        = ["security"]
  severity          = "MEDIUM"
  cloud_provider    = "aws"
  enabled           = false

  attributes {
    name     = "cloudFrontInPolicy"
    path     = "data.Policy"
    required = true
  }

  rules {
    operation = "any"

    conditions {
      fact     = "cloudFrontInPolicy"
      operator = "equal"
      value    = null
    }

    conditions {
      fact     = "cloudFrontInPolicy"
      operator = "pattern"
      value    = ".*\"Service\".?\\S\"cloudfront.amazonaws.com\".*"
    }

    event_type = "Bucket is restricted by CloudFront or does not have access policy attached"
  }
}

Terraform shows that the boolean value will be transformed into a string value:

+ rules {
    + event_type = "Bucket is restricted by CloudFront or does not have access policy attached"
    + operation  = "any"

    + conditions {
        + fact     = "cloudFrontInPolicy"
        + operator = "isNullOrUndefined"
        + value    = "true"
    }
    + conditions {
        + fact     = "cloudFrontInPolicy"
        + operator = "pattern"
        + value    = ".*\"Service\".?\\S\"cloudfront.amazonaws.com\".*"
    }
}

And when we see the rule that is actually created by the terraform code:

"conditions": {
    "any": [
        {
            "value": "true",
            "operator": "isNullOrUndefined",
            "fact": "cloudFrontInPolicy"
        },
        {
            "value": ".*\"Service\".?\\S\"cloudfront.amazonaws.com\".*",
            "operator": "pattern",
            "fact": "cloudFrontInPolicy"
        }
    ]
}

Unlike the result we get with the dry-run endpoint, a bucket that does not have a policy defined will fail. This configuration is also not supported by the dry-run endpoint: if we try to define the boolean as a string, the dry-run endpoint returns this error:

{
    "errors": [
        {
            "status": 422,
            "source": {
                "pointer": "/data/attributes/configuration/rules"
            },
            "detail": "Value of isNullOrUndefined operator should be boolean"
        }
    ]
}
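
One way to keep boolean and null values intact, which also covers the jsonencode passthrough proposed in the "Support nested conditions in custom rule" issue above. This is an added example, not the provider's code: conditions arrive as a JSON string, are decoded into a recursive any/all tree whose value field is kept as raw JSON (so true, "true" and null reach the API exactly as written), validated at plan time with the boolean rule quoted from the dry-run 422 above, and re-encoded for the request body. The Condition field set, the structural checks and the DisallowUnknownFields choice are this example's assumptions; validateConditionsString only mirrors the signature of a terraform-plugin-sdk/v2 schema.SchemaValidateFunc and does not import the SDK. The samples are constructed from the CloudFront rule in this report.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"strings"
)

// Condition is one node of a custom-rule condition tree: a leaf carrying
// fact/operator/value, or a composite holding "any" or "all" children.
// Value is raw JSON so true, "true" and null are passed through unchanged;
// a string-typed schema attribute cannot tell them apart.
type Condition struct {
	Fact     string          `json:"fact,omitempty"`
	Operator string          `json:"operator,omitempty"`
	Value    json.RawMessage `json:"value,omitempty"`
	Any      []Condition     `json:"any,omitempty"`
	All      []Condition     `json:"all,omitempty"`
}

func (c *Condition) isLeaf() bool { return len(c.Any) == 0 && len(c.All) == 0 }

// Validate applies at plan time what the backend otherwise reports as 422 at
// apply time. The boolean rule for isNullOrUndefined is the one from the
// dry-run error above; the structural rules are this example's own.
func (c *Condition) Validate(path string) error {
	if len(c.Any) > 0 && len(c.All) > 0 {
		return fmt.Errorf("%s: use either any or all, not both", path)
	}
	if !c.isLeaf() {
		if c.Fact != "" || c.Operator != "" || len(c.Value) > 0 {
			return fmt.Errorf("%s: composite node must not carry fact/operator/value", path)
		}
		for i := range c.Any {
			if err := c.Any[i].Validate(fmt.Sprintf("%s.any[%d]", path, i)); err != nil {
				return err
			}
		}
		for i := range c.All {
			if err := c.All[i].Validate(fmt.Sprintf("%s.all[%d]", path, i)); err != nil {
				return err
			}
		}
		return nil
	}
	if c.Fact == "" || c.Operator == "" {
		return fmt.Errorf("%s: leaf needs fact and operator (or a non-empty any/all)", path)
	}
	if c.Operator == "isNullOrUndefined" {
		switch strings.TrimSpace(string(c.Value)) {
		case "true", "false": // a JSON boolean, not the string "true" and not null
		default:
			return fmt.Errorf("%s: value of isNullOrUndefined operator should be boolean, got %s", path, c.Value)
		}
	}
	return nil
}

// ParseConditions is the provider-side half of the passthrough proposal: the
// attribute is a JSON string (e.g. from jsonencode), checked and decoded here.
func ParseConditions(s string) (*Condition, error) {
	if !json.Valid([]byte(s)) { // Decoder alone would accept trailing garbage
		return nil, errors.New("conditions: not valid JSON")
	}
	dec := json.NewDecoder(strings.NewReader(s))
	dec.DisallowUnknownFields() // surfaces typos like "operatr"; relax if the API has fields not modelled here
	var c Condition
	if err := dec.Decode(&c); err != nil {
		return nil, fmt.Errorf("conditions: %w", err)
	}
	if err := c.Validate("conditions"); err != nil {
		return nil, err
	}
	return &c, nil
}

// Payload is the compact JSON placed in the API request body unchanged.
func (c *Condition) Payload() (string, error) {
	b, err := json.Marshal(c)
	return string(b), err
}

// validateConditionsString has the signature of a terraform-plugin-sdk/v2
// schema.SchemaValidateFunc, so it can be attached to the string attribute.
func validateConditionsString(v interface{}, k string) ([]string, []error) {
	s, ok := v.(string)
	if !ok {
		return nil, []error{fmt.Errorf("%s: expected a string", k)}
	}
	if _, err := ParseConditions(s); err != nil {
		return nil, []error{fmt.Errorf("%s: %w", k, err)}
	}
	return nil, nil
}

// Constructed samples: the nested any/all layout from the proposal, carrying
// the boolean, regex and null values from the CloudFront rule in this issue.
const nestedConditions = `{
  "any": [
    {"all": [{"fact": "cloudFrontInPolicy", "operator": "isNullOrUndefined", "value": true}]},
    {"all": [
      {"fact": "cloudFrontInPolicy", "operator": "pattern",
       "value": ".*\"Service\".?\\S\"cloudfront.amazonaws.com\".*"},
      {"fact": "cloudFrontInPolicy", "operator": "equal", "value": null}
    ]}
  ]
}`

// stringifiedBool is what a string-typed attribute produces today.
const stringifiedBool = `{"any": [{"fact": "cloudFrontInPolicy", "operator": "isNullOrUndefined", "value": "true"}]}`

func main() {
	c, err := ParseConditions(nestedConditions)
	if err != nil {
		panic(err)
	}
	p, _ := c.Payload()
	fmt.Println(p)
	_, err = ParseConditions(stringifiedBool)
	fmt.Println("stringified bool rejected:", err)
}
```

Rejecting the stringified form at plan time is the important half: the report shows the backend accepts "true" on create and only misbehaves at evaluation time, so without a provider-side check the broken rule lands in production silently.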

Support for region de-1

Hi,

our account is located in region de-1. However, I cannot configure the Terraform provider with that region as de-1 is not in the list of supported regions. Terraform returns the following error message:

Error: expected region to be one of [eu-west-1 us-west-2 ap-southeast-2], got de-1

Can you add support for the de-1 region?

Thanks
Jan

conformity_profile: Order of rule settings should be ignored

Hi,

when working with the conformity_profile resource, we noticed that it does not correctly calculate the diff for rule settings in the included blocks. For the diff calculation, the order of the included blocks is compared with the order of the rule settings returned by the backend API. However, the order in the backend API is often different from the order in the Terraform templates. The order in the backend cannot be changed by running terraform apply, so a change is detected in every plan. As a consequence, the order of the included blocks should be ignored (e.g. by sorting them by their ID first).

Steps to reproduce:

  1. Define a profile in which the backend and local order of settings does not match

resource "conformity_profile" "test" {
  name = "test"

  included {
    enabled  = true
    id       = "SecurityCenter-020"
    provider = "azure"

    extra_settings {
      countries = false
      multiple  = false
      name      = "complianceStandards"
      regions   = false
      type      = "choice-multiple-value"

      values {
        enabled = false
        label   = "ISO 27001"
        value   = "ISO-27001"
      }
      values {
        enabled = false
        label   = "PCI DSS 3.2.1"
        value   = "PCI-DSS-3.2.1"
      }
      values {
        enabled = false
        label   = "SOC TSP"
        value   = "SOC-TSP"
      }
      values {
        enabled = true
        label   = "Azure CIS 1.1.0"
        value   = "Azure-CIS-1.1.0"
      }
    }
  }

  included {
    enabled    = false
    id         = "Backup-001"
    provider   = "aws"
    risk_level = "LOW"
  }
}

  2. run terraform apply
  3. run terraform apply again to validate that a change is detected (the order of the includes should be changed)

  ~ resource "conformity_profile" "test" {
        id         = "3j7Mk0u2h"
        name       = "test"
      - profile_id = "3j7Mk0u2h" -> null

      ~ included {
          ~ enabled    = false -> true
          ~ id         = "Backup-001" -> "SecurityCenter-020"
          ~ provider   = "aws" -> "azure"
          - risk_level = "LOW" -> null

          + extra_settings {
              + countries = false
              + multiple  = false
              + name      = "complianceStandards"
              + regions   = false
              + type      = "choice-multiple-value"

              + values {
                  + enabled = false
                  + label   = "ISO 27001"
                  + value   = "ISO-27001"
                }
              + values {
                  + enabled = false
                  + label   = "PCI DSS 3.2.1"
                  + value   = "PCI-DSS-3.2.1"
                }
              + values {
                  + enabled = false
                  + label   = "SOC TSP"
                  + value   = "SOC-TSP"
                }
              + values {
                  + enabled = true
                  + label   = "Azure CIS 1.1.0"
                  + value   = "Azure-CIS-1.1.0"
                }
            }
        }
      ~ included {
          ~ enabled    = true -> false
          ~ id         = "SecurityCenter-020" -> "Backup-001"
          ~ provider   = "azure" -> "aws"
          + risk_level = "LOW"

          - extra_settings {
              - countries = false -> null
              - multiple  = false -> null
              - name      = "complianceStandards" -> null
              - regions   = false -> null
              - type      = "choice-multiple-value" -> null

              - values {
                  - enabled = false -> null
                  - label   = "ISO 27001" -> null
                  - value   = "ISO-27001" -> null
                }
              - values {
                  - enabled = false -> null
                  - label   = "PCI DSS 3.2.1" -> null
                  - value   = "PCI-DSS-3.2.1" -> null
                }
              - values {
                  - enabled = false -> null
                  - label   = "SOC TSP" -> null
                  - value   = "SOC-TSP" -> null
                }
              - values {
                  - enabled = true -> null
                  - label   = "Azure CIS 1.1.0" -> null
                  - value   = "Azure-CIS-1.1.0" -> null
                }
            }
        }
    }


conformity_report_config: Cannot set risk_levels filter

Hi,

the risk_levels filter on the conformity_report_config cannot be set successfully as the Terraform provider uses type string but the backend requires an array.

Example:

resource "conformity_report_config" "test" {
  account_id = conformity_azure_account.test.id

  configuration {
    emails     = ["[email protected]"]
    frequency  = "* * *"
    scheduled  = true
    send_email = true
    title      = "Security Report for ${conformity_azure_account.test.name}"
    tz         = "Europe/Berlin"
  }
  filter {
    categories  = ["security"]
    risk_levels = "EXTREME"
  }
}

Error response from backend:

{"errors":[{"source":{"pointer":"/data/attributes/configuration/filter/riskLevels"},"status":422,"detail":"Configuration filter riskLevels should be array"}]}

Ideally, the Terraform provider would support an array instead of a string so that multiple risk_levels can be provided for any given filter.

Error: extra_settings.0.value: '' expected type 'string', got unconvertible type 'float64' While Importing AWS Account

Terraform Version

Terraform v0.13.7
+ provider registry.terraform.io/hashicorp/aws v2.70.0
+ provider registry.terraform.io/trendmicro/conformity v0.3.6

Affected Resource(s)

  • conformity_aws_account

Terraform Configuration Files

resource "conformity_aws_account" "this" {
  name        = var.account_alias
  environment = var.environment
  role_arn    = aws_iam_role.cloud_conformity[0].arn
  external_id = var.cloud_conformity_external_id
}

Expected Behaviour

When I run terraform import conformity_aws_account.this ${CONFORMITY_ACCOUNT_ID}, the currently existing AWS account within Conformity with the specified ${CONFORMITY_ACCOUNT_ID} is imported into the state

Actual Behaviour

The following error is returned

conformity_aws_account.this: Importing from ID "${CONFORMITY_ACCOUNT_ID}"...
conformity_aws_account.this: Import prepared!
  Prepared conformity_aws_account for import
conformity_aws_account.this: Refreshing state... [id=${CONFORMITY_ACCOUNT_ID}]

Error: extra_settings.0.value: '' expected type 'string', got unconvertible type 'float64'

Steps To Reproduce

  1. Set terraform to v0.13.7
  2. Set trendmicro/conformity to 0.3.6
  3. Run terraform import conformity_aws_account.this ${CONFORMITY_ACCOUNT_ID}
