From 740b2d28abf8bcdbab7cf6c7a86d6f6bd9dc05b5 Mon Sep 17 00:00:00 2001 From: hila-krut-sysdig <115632909+hila-krut-sysdig@users.noreply.github.com> Date: Sun, 3 Nov 2024 13:46:06 +0200 Subject: [PATCH] feat(accept-risk) accept posture risk (#556) * accept posture risk * fix name * fix * fix * Refactor attribute section in secure posture accept risk documentation * fix test * fix * fix * open the option to put expires_at * ExpiresAt must be in the future * fix docs * fix * fix * fix * add fix --- sysdig/common.go | 13 + sysdig/internal/client/v2/client.go | 1 + .../client/v2/model_posture_control.go | 51 +++ .../internal/client/v2/posture_accept_risk.go | 106 ++++++ sysdig/provider.go | 1 + ...ource_sysdig_secure_accept_posture_risk.go | 305 ++++++++++++++++++ ..._sysdig_secure_accept_posture_risk_test.go | 52 +++ website/docs/r/secure_posture_accept_risk.md | 116 +++++++ 8 files changed, 645 insertions(+) create mode 100644 sysdig/internal/client/v2/posture_accept_risk.go create mode 100644 sysdig/resource_sysdig_secure_accept_posture_risk.go create mode 100644 sysdig/resource_sysdig_secure_accept_posture_risk_test.go create mode 100644 website/docs/r/secure_posture_accept_risk.md diff --git a/sysdig/common.go b/sysdig/common.go index 01d83aab..d569bb59 100644 --- a/sysdig/common.go +++ b/sysdig/common.go @@ -8,6 +8,9 @@ const ( SchemaAuthorsKey = "authors" SchemaAuthorKey = "author" SchemaNameKey = "name" + SchemaAcceptanceIDKey = "acceptance_id" + SchemaControlNameKey = "control_name" + SchemaZoneNameKey = "zone_name" SchemaEnabledKey = "enabled" SchemaStatusKey = "status" SchemaTypeKey = "type" @@ -17,6 +20,16 @@ const ( SchemaResourceRemediationDetailsKey = "remediation_details" SchemaKindKey = "kind" SchemaDescriptionKey = "description" + SchemaFilterKey = "filter" + SchemaExpiresInKey = "expires_in" + SchemaExpiresAtKey = "expires_at" + SchemaAcceptanceDateKey = "acceptance_date" + SchemaIsExpiredKey = "is_expired" + SchemaIsSystemKey = "is_system" + SchemaUsernameKey = "username" + SchemaAcceptPeriodKey = "accept_period" + SchemaEndTimeKey = "end_time" + SchemaReasonKey = "reason" SchemaVersionKey = "version" SchemaLinkKey = "link" SchemaGroupKey = "group" diff --git a/sysdig/internal/client/v2/client.go b/sysdig/internal/client/v2/client.go index c820e983..19a58af5 100644 --- a/sysdig/internal/client/v2/client.go +++ b/sysdig/internal/client/v2/client.go @@ -58,6 +58,7 @@ type SecureCommon interface { PosturePolicyInterface PostureZoneInterface PostureControlInterface + PostureAcceptRiskInterface } type Requester interface { diff --git a/sysdig/internal/client/v2/model_posture_control.go b/sysdig/internal/client/v2/model_posture_control.go index 13da3427..57481022 100644 --- a/sysdig/internal/client/v2/model_posture_control.go +++ b/sysdig/internal/client/v2/model_posture_control.go @@ -23,3 +23,54 @@ type PostureControl struct { Rego string `json:"rego"` RemediationDetails string `json:"remediationDetails"` } + +type AccepetPostureRiskRequest struct { + AcceptanceID string `json:"id"` + ControlName string `json:"controlName"` + ZoneName string `json:"zoneName"` + Description string `json:"description"` + Filter string `json:"filter"` + Reason string `json:"reason"` + ExpiresAt string `json:"expiresAt"` +} + +type UpdateAccepetPostureRiskRequest struct { + AcceptanceID string `json:"id"` + Acceptance UpdateAcceptPostureRiskFields `json:"riskAcceptance"` +} + +type UpdateAccepetPostureResponse struct { + Acceptance AcceptPostureRisk `json:"riskAcceptance"` +} + +type AcceptPostureRisk struct { + AcceptanceID string `json:"id"` + ControlName string `json:"controlName"` + ZoneName string `json:"zoneName"` + Description string `json:"description"` + Filter string `json:"filter"` + Reason string `json:"reason"` + ExpiresAt string `json:"expiresAt"` + AcceeptanceDate string `json:"acceptanceDate"` + UserName string `json:"username"` + Type string `json:"type"` + IsExpired bool `json:"isExpired"` + IsSystem bool `json:"isSystem"` + AcceptPeriod string `json:"acceptPeriod"` +} + +type UpdateAcceptPostureRiskFields struct { + Description string `json:"description"` + Reason string `json:"reason"` + ExpiresAt string `json:"expiresAt"` + AcceptPeriod string `json:"acceptPeriod"` +} + +type AcceptPostureRiskResponse struct { + Data AcceptPostureRisk `json:"data"` +} + +type DeleteAcceptPostureRisk struct { + AcceptanceID string `json:"id"` + Filter string `json:"filter"` +} diff --git a/sysdig/internal/client/v2/posture_accept_risk.go b/sysdig/internal/client/v2/posture_accept_risk.go new file mode 100644 index 00000000..20b25a26 --- /dev/null +++ b/sysdig/internal/client/v2/posture_accept_risk.go @@ -0,0 +1,106 @@ +package v2 + +import ( + "context" + "fmt" + "net/http" +) + +const ( + AcceptPostureRiskCreatePath = "%s/api/cspm/v1/compliance/risk-acceptances" + AcceptPostureRiskGetPath = "%s/api/cspm/v1/compliance/risk-acceptances/%s" + AcceptPostureRiskDelete = "%s/api/cspm/v1/compliance/violations/revoke" + AcceptPostureRiskUpdate = "%s/api/cspm/v1/compliance/risk-acceptances/%s" +) + +type PostureAcceptRiskInterface interface { + Base + SaveAcceptPostureRisk(ctx context.Context, p *AccepetPostureRiskRequest) (*AcceptPostureRiskResponse, string, error) + GetAcceptancePostureRisk(ctx context.Context, id string) (*AcceptPostureRiskResponse, string, error) + DeleteAcceptancePostureRisk(ctx context.Context, p *DeleteAcceptPostureRisk) error + UpdateAcceptancePostureRisk(ctx context.Context, p *UpdateAccepetPostureRiskRequest) (*AcceptPostureRisk, string, error) +} + +func (c *Client) SaveAcceptPostureRisk(ctx context.Context, p *AccepetPostureRiskRequest) (*AcceptPostureRiskResponse, string, error) { + payload, err := Marshal(p) + if err != nil { + return nil, "", err + } + response, err := c.requester.Request(ctx, http.MethodPost, c.getPostureControlURL(AcceptPostureRiskCreatePath), payload) + if err != nil { + return nil, "", err + } + + defer response.Body.Close() + if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusCreated { + errStatus, err := c.ErrorAndStatusFromResponse(response) + return nil, errStatus, err + } + resp, err := Unmarshal[AcceptPostureRiskResponse](response.Body) + + if err != nil { + return nil, "", err + } + + return &resp, "", nil +} + +func (c *Client) GetAcceptancePostureRisk(ctx context.Context, id string) (*AcceptPostureRiskResponse, string, error) { + response, err := c.requester.Request(ctx, http.MethodGet, fmt.Sprintf(AcceptPostureRiskGetPath, c.config.url, id), nil) + if err != nil { + return nil, "", err + } + defer response.Body.Close() + + if response.StatusCode != http.StatusOK { + errStatus, err := c.ErrorAndStatusFromResponse(response) + return nil, errStatus, err + } + + wrapper, err := Unmarshal[AcceptPostureRiskResponse](response.Body) + if err != nil { + return nil, "", err + } + return &wrapper, "", nil +} + +func (c *Client) DeleteAcceptancePostureRisk(ctx context.Context, p *DeleteAcceptPostureRisk) error { + payload, err := Marshal(p) + if err != nil { + return err + } + + response, err := c.requester.Request(ctx, http.MethodPost, fmt.Sprintf(AcceptPostureRiskDelete, c.config.url), payload) + if err != nil { + return err + } + defer response.Body.Close() + + if response.StatusCode != http.StatusNoContent && response.StatusCode != http.StatusOK && response.StatusCode != http.StatusNotFound { + return c.ErrorFromResponse(response) + } + + return nil +} + +func (c *Client) UpdateAcceptancePostureRisk(ctx context.Context, p *UpdateAccepetPostureRiskRequest) (*AcceptPostureRisk, string, error) { + payload, err := Marshal(p) + if err != nil { + return nil, "", err + } + response, err := c.requester.Request(ctx, http.MethodPatch, fmt.Sprintf(AcceptPostureRiskUpdate, c.config.url, p.AcceptanceID), payload) + if err != nil { + return nil, "", err + } + defer response.Body.Close() + if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusCreated { + errStatus, err := c.ErrorAndStatusFromResponse(response) + return nil, errStatus, err + } + resp, err := Unmarshal[AcceptPostureRiskResponse](response.Body) + if err != nil { + return nil, "", err + } + + return &resp.Data, "", nil +} diff --git a/sysdig/provider.go b/sysdig/provider.go index 3b2fa2a0..e538b7ef 100644 --- a/sysdig/provider.go +++ b/sysdig/provider.go @@ -196,6 +196,7 @@ func (p *SysdigProvider) Provider() *schema.Provider { "sysdig_secure_organization": resourceSysdigSecureOrganization(), "sysdig_secure_posture_policy": resourceSysdigSecurePosturePolicy(), "sysdig_secure_posture_control": resourceSysdigSecurePostureControl(), + "sysdig_secure_posture_accept_risk": resourceSysdigSecureAcceptPostureRisk(), }, DataSourcesMap: map[string]*schema.Resource{ "sysdig_secure_agentless_scanning_assets": dataSourceSysdigSecureAgentlessScanningAssets(), diff --git a/sysdig/resource_sysdig_secure_accept_posture_risk.go b/sysdig/resource_sysdig_secure_accept_posture_risk.go new file mode 100644 index 00000000..5089185a --- /dev/null +++ b/sysdig/resource_sysdig_secure_accept_posture_risk.go @@ -0,0 +1,305 @@ +package sysdig + +import ( + "context" + "fmt" + "strconv" + "time" + + v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation" +) + +func resourceSysdigSecureAcceptPostureRisk() *schema.Resource { + timeout := 5 * time.Minute + + return &schema.Resource{ + CreateContext: resourceSysdigSecureAcceptPostureControlCreate, + ReadContext: resourceSysdigSecureAcceptPostureControlRead, + DeleteContext: resourceSysdigSecureAcceptPostureControlDelete, + UpdateContext: resourceSysdigSecureAcceptPostureControlUpdate, + Importer: &schema.ResourceImporter{ + StateContext: schema.ImportStatePassthroughContext, + }, + Timeouts: &schema.ResourceTimeout{ + Create: schema.DefaultTimeout(timeout), + }, + Schema: map[string]*schema.Schema{ + SchemaIDKey: { + Type: schema.TypeString, + Computed: true, + }, + SchemaControlNameKey: { + Type: schema.TypeString, + Required: true, + }, + SchemaZoneNameKey: { + Type: schema.TypeString, + Optional: true, + Default: "", + }, + SchemaDescriptionKey: { + Type: schema.TypeString, + Required: true, + }, + SchemaFilterKey: { + Type: schema.TypeString, + Optional: true, + Default: "", + }, + SchemaReasonKey: { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice([]string{"Risk Owned", "Risk Transferred", "Risk Avoided", "Risk Mitigated", "Risk Not Relevant", "Custom"}, false), + }, + SchemaExpiresInKey: { + Type: schema.TypeString, + Required: true, + ValidateFunc: validation.StringInSlice([]string{"7 Days", "30 Days", "60 Days", "90 Days", "Custom", "Never"}, false), + }, + SchemaExpiresAtKey: { + Type: schema.TypeString, + Computed: true, + }, + SchemaIsExpiredKey: { + Type: schema.TypeBool, + Computed: true, + }, + SchemaAcceptanceDateKey: { + Type: schema.TypeInt, + Computed: true, + }, + SchemaUsernameKey: { + Type: schema.TypeString, + Computed: true, + }, + SchemaTypeKey: { + Type: schema.TypeString, + Computed: true, + }, + SchemaIsSystemKey: { + Type: schema.TypeBool, + Computed: true, + }, + SchemaAcceptPeriodKey: { + Type: schema.TypeString, + Computed: true, + }, + SchemaEndTimeKey: { + Type: schema.TypeString, + Optional: true, + Default: "", + }, + }, + } +} + +func resourceSysdigSecureAcceptPostureControlCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + // Extract 'group' field from Terraform configuration + client, err := getPostureAcceptRiskClient(meta.(SysdigClients)) + if err != nil { + return diag.FromErr(err) + } + + req := &v2.AccepetPostureRiskRequest{ + AcceptanceID: d.Id(), + ControlName: d.Get(SchemaControlNameKey).(string), + ZoneName: d.Get(SchemaZoneNameKey).(string), + Description: d.Get(SchemaDescriptionKey).(string), + Filter: d.Get(SchemaFilterKey).(string), + Reason: d.Get(SchemaReasonKey).(string), + } + var endTime int64 + expiresIn := d.Get(SchemaExpiresInKey).(string) + if expiresIn == "7 Days" { + endTime = time.Now().AddDate(0, 0, 7).UTC().UnixMilli() + } else if expiresIn == "30 Days" { + endTime = time.Now().AddDate(0, 0, 30).UTC().UnixMilli() + } else if expiresIn == "60 Days" { + endTime = time.Now().AddDate(0, 0, 60).UTC().UnixMilli() + } else if expiresIn == "90 Days" { + endTime = time.Now().AddDate(0, 0, 90).UTC().UnixMilli() + } else if expiresIn == "Never" { + endTime = 0 + } else { + t := d.Get(SchemaEndTimeKey).(string) + endTime, _ = strconv.ParseInt(t, 10, 64) + } + if endTime <= time.Now().UTC().UnixMilli() { + return diag.Errorf("Error creating accept risk. error status: %s err: %s", "ExpiresAt must be in the future", fmt.Errorf("ExpiresAt must be in the future")) + } + req.ExpiresAt = strconv.FormatInt(endTime, 10) + acceptance, errStatus, err := client.SaveAcceptPostureRisk(ctx, req) + if err != nil { + return diag.Errorf("Error creating accept risk. error status: %s err: %s", errStatus, err) + } + d.SetId(acceptance.Data.AcceptanceID) + resourceSysdigSecureAcceptPostureControlRead(ctx, d, meta) + return nil +} + +func resourceSysdigSecureAcceptPostureControlUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + // Extract 'group' field from Terraform configuration + client, err := getPostureAcceptRiskClient(meta.(SysdigClients)) + if err != nil { + return diag.FromErr(err) + } + + req := &v2.UpdateAccepetPostureRiskRequest{ + AcceptanceID: d.Id(), + Acceptance: v2.UpdateAcceptPostureRiskFields{}, + } + expiresIn := d.Get(SchemaExpiresInKey).(string) + var millis int64 + if expiresIn == "7 Days" { + req.Acceptance.AcceptPeriod = "7" + millis = time.Now().AddDate(0, 0, 7).UTC().UnixMilli() + } else if expiresIn == "30 Days" { + req.Acceptance.AcceptPeriod = "30" + millis = time.Now().AddDate(0, 0, 30).UTC().UnixMilli() + } else if expiresIn == "60 Days" { + req.Acceptance.AcceptPeriod = "60" + millis = time.Now().AddDate(0, 0, 60).UTC().UnixMilli() + } else if expiresIn == "90 Days" { + req.Acceptance.AcceptPeriod = "90" + millis = time.Now().AddDate(0, 0, 90).UTC().UnixMilli() + } else if expiresIn == "Never" { + req.Acceptance.AcceptPeriod = "Never" + millis = 0 + } else { + req.Acceptance.AcceptPeriod = "Custom" + t := d.Get(SchemaEndTimeKey).(string) + millis, err = strconv.ParseInt(t, 10, 64) + if millis <= time.Now().UTC().UnixMilli() { + return diag.Errorf("Error updating accept risk. ID: %s, error status: %s err: %s", req.AcceptanceID, "ExpiresAt must be in the future", err) + } + if err != nil { + millis = time.Now().AddDate(0, 0, 30).UTC().UnixMilli() + } + } + req.Acceptance.ExpiresAt = strconv.FormatInt(millis, 10) + req.Acceptance.Description = d.Get(SchemaDescriptionKey).(string) + req.Acceptance.Reason = d.Get(SchemaReasonKey).(string) + + acceptance, errStatus, err := client.UpdateAcceptancePostureRisk(ctx, req) + if err != nil { + return diag.Errorf("Error updating accept risk. ID: %s, error status: %s err: %s", req.AcceptanceID, errStatus, err) + } + d.SetId(acceptance.AcceptanceID) + resourceSysdigSecureAcceptPostureControlRead(ctx, d, meta) + return nil +} + +func resourceSysdigSecureAcceptPostureControlRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + client, err := getPostureAcceptRiskClient(meta.(SysdigClients)) + if err != nil { + return diag.FromErr(err) + } + + id := d.Id() + acceptance, errStatus, err := client.GetAcceptancePostureRisk(ctx, id) + if err != nil { + return diag.FromErr(err) + } + if errStatus != "" { + return diag.Errorf("Error reading accept risk. error status: %s", errStatus) + } + + err = d.Set(SchemaControlNameKey, acceptance.Data.ControlName) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaZoneNameKey, acceptance.Data.ZoneName) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaDescriptionKey, acceptance.Data.Description) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaFilterKey, acceptance.Data.Filter) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaReasonKey, acceptance.Data.Reason) + if err != nil { + return diag.FromErr(err) + } + + acceptanceDate, err := strconv.ParseInt(acceptance.Data.AcceeptanceDate, 10, 64) + if err != nil { + return diag.FromErr(err) + } + err = d.Set(SchemaAcceptanceDateKey, acceptanceDate) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaExpiresAtKey, acceptance.Data.ExpiresAt) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaUsernameKey, acceptance.Data.UserName) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaTypeKey, acceptance.Data.Type) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaIsSystemKey, acceptance.Data.IsSystem) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaAcceptPeriodKey, acceptance.Data.AcceptPeriod) + if err != nil { + return diag.FromErr(err) + } + + err = d.Set(SchemaIsExpiredKey, acceptance.Data.IsExpired) + if err != nil { + return diag.FromErr(err) + } + return nil +} + +func resourceSysdigSecureAcceptPostureControlDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics { + client, err := getPostureAcceptRiskClient(meta.(SysdigClients)) + if err != nil { + return diag.FromErr(err) + } + id := d.Id() + err = client.DeleteAcceptancePostureRisk(ctx, &v2.DeleteAcceptPostureRisk{AcceptanceID: id}) + if err != nil { + return diag.FromErr(err) + } + return nil +} + +func getPostureAcceptRiskClient(c SysdigClients) (v2.PostureAcceptRiskInterface, error) { + var client v2.PostureAcceptRiskInterface + var err error + switch c.GetClientType() { + case IBMSecure: + client, err = c.ibmSecureClient() + if err != nil { + return nil, err + } + default: + client, err = c.sysdigSecureClientV2() + if err != nil { + return nil, err + } + } + return client, nil +} diff --git a/sysdig/resource_sysdig_secure_accept_posture_risk_test.go b/sysdig/resource_sysdig_secure_accept_posture_risk_test.go new file mode 100644 index 00000000..a016bec7 --- /dev/null +++ b/sysdig/resource_sysdig_secure_accept_posture_risk_test.go @@ -0,0 +1,52 @@ +//go:build tf_acc_sysdig_secure + +package sysdig_test + +import ( + "testing" + + "github.com/draios/terraform-provider-sysdig/sysdig" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" +) + +func TestAcceptSecurePostureRisk(t *testing.T) { + resource.ParallelTest(t, resource.TestCase{ + PreCheck: preCheckAnyEnv(t, SysdigSecureApiTokenEnv), + ProviderFactories: map[string]func() (*schema.Provider, error){ + "sysdig": func() (*schema.Provider, error) { + return sysdig.Provider(), nil + }, + }, + Steps: []resource.TestStep{ + { + Config: acceptPostureRiskResource(), + }, + { + Config: acceptPostureRiskZone(), + }, + }, + }) +} + +func acceptPostureRiskResource() string { + return ` +resource "sysdig_secure_posture_accept_risk" "accept_resource" { + description = "test accept posture risk resource" + control_name = "ServiceAccounts with cluster access" + reason = "Risk Transferred" + expires_in = "30 Days" + filter = "name in ('system:controller:daemon-set-s') and kind in ('ClusterRole')" +}` +} + +func acceptPostureRiskZone() string { + return ` +resource "sysdig_secure_posture_accept_risk" "accept_resource" { + description = "test accept posture risk resource" + control_name = "ServiceAccounts with cluster access" + reason = "Risk Transferred" + expires_in = "30 Days" + filter = "name in ('system:controller:daemon-set-s') and kind in ('ClusterRole')" +}` +} diff --git a/website/docs/r/secure_posture_accept_risk.md b/website/docs/r/secure_posture_accept_risk.md new file mode 100644 index 00000000..4d729e59 --- /dev/null +++ b/website/docs/r/secure_posture_accept_risk.md @@ -0,0 +1,116 @@ +--- +subcategory: "Sysdig Secure" +layout: "sysdig" +page_title: "Sysdig: sysdig_secure_posture_accept_risk" +description: |- + Accepts Sysdig Secure Posture Risk. +--- + +# Resource: sysdig_secure_posture_accept_risk + +Creates a Sysdig Secure Posture Accept Risk. + +-> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository. + +## Example Usage + +```terraform +resource "sysdig_secure_posture_accept_risk" "accept_risk_global" { + description = "Accept risk for zone" + control_name = "Network - Enabled Endpoint Private Access in Existing Clusters (EKS)" + reason = "Risk Transferred" + expires_in = "30 Days" + zone_name = "Entire Infrastructure" +} + +resource "sysdig_secure_posture_accept_risk" "accept_risk_resource" { + description = "Accept risk for resource" + control_name = "Fargate - Untrusted Workloads" + reason = "Risk Transferred" + expires_in = "30 Days" + filter = "name in (\"aws-int-01-cicd-aws-eks-workloads-shield\") and providerType in (\"AWS\") and kind in (\"AWS_EKS_CLUSTER\") and location in (\"us-east-1\")" +} + + +resource "sysdig_secure_posture_accept_risk" "scheduler_set_to_loopback_bind_address" { + description = "This is custom risk acceptance for scheduler_set_to_loopback_bind_address" + control_name = "Scheduler - Set to Loopback bind-address" + reason = "Custom" + expires_in = "Custom" + end_time = "1730293523000" + zone_name = "Entire Infrastructure" +} +``` + +## Argument Reference + +- `id` - (Computed) The unique identifier for the risk acceptance. +- `control_name` - (Required) The name of the posture control being accepted. +- `zone_name` - (Optional) The zone associated with the risk acceptance. +- `description` - (Required) A description of the risk acceptance. +- `filter` - (Optional) A filter for identifying the resources affected by the acceptance. + + ##### List of supported fields: + - name + - Type: string + - Example: name in ("cf-templates-1s951ca3qbh1-us-west-2") + - Description: The name of the resource to accept risk for + + - namespace + - Type: string + - Example: namespace in ("my-namespace") + - Description: The namespace to accept risk for + + - kind + - Type: string + - Example: kind in ("AWS_S3_BUCKET") + - Description: The resource kind to accept risk for + + - location + - Type: string + - Example: location in ("ap-southeast-2") + - Description: The cloud location/region to accept risk for + + - providerType + - Type: string + - Example: providerType in ("AWS") + - Description: The cloud provider to accept risk for (AWS/GCP/Azure) + +- `reason` - (Required) The reason for accepting the risk. Possible values are: + - `Risk Owned` + - `Risk Transferred` + - `Risk Avoided` + - `Risk Mitigated` + - `Risk Not Relevant` + - `Custom` +- `expires_in` - (Required) The duration for which the risk acceptance is valid. Possible values are: + - `7 Days` + - `30 Days` + - `60 Days` + - `90 Days` + - `Custom` + - `Never` +- `expires_at` - (Computed) This timestamp indicates when the acceptance expires, formatted in UTC time (milliseconds since epoch). +- `end_time` - (Optional) This timestamp indicates the custom time, when the acceptance expires, formatted in UTC time (milliseconds since epoch). + If you choose expires_in=Custom, you should provide future end_time, which specifies the expiration date in milliseconds. +- `is_expired` - (Computed) Indicates whether the acceptance is expired. +- `acceptance_date` - (Computed) The date when the risk was accepted. +- `username` - (Computed) The username of the user who accepted the risk. +- `type` - (Computed) The type of risk acceptance. +- `is_system` - (Computed) Indicates whether the acceptance is sysdig-accepts. +- `accept_period` - (Computed) The period for which the risk is accepted. + + +## Attributes Reference + +In addition to all arguments above, the following attributes are exported: + +- `author` - (Computed) The custom control author. + +## Import + +Posture accept risk can be imported using the ID, e.g. + +``` +$ terraform import sysdig_secure_posture_accept_risk.example c 12345 +```