RMS: policy assignment&definition (#2701)

RMS: policy assignment&definition Summary of the Pull Request Policy assignment resource Policy definition data source PR Checklist Refers to: #2659 Tests added/passed. Documentation updated. Schema updated. Release notes added. Acceptance Steps Performed 2024/10/30 20:32:08 [INFO] Building Swift S3 auth structure 2024/10/30 20:32:08 [INFO] Setting AWS metadata API timeout to 100ms 2024/10/30 20:32:10 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id 2024/10/30 20:32:10 [INFO] Swift S3 Auth provider used: "StaticProvider" === RUN TestAccPolicyAssignment_custom === PAUSE TestAccPolicyAssignment_custom === CONT TestAccPolicyAssignment_custom --- PASS: TestAccPolicyAssignment_custom (439.98s) PASS Process finished with the exit code 0 2024/10/30 20:40:31 [INFO] Building Swift S3 auth structure 2024/10/30 20:40:31 [INFO] Setting AWS metadata API timeout to 100ms 2024/10/30 20:40:33 [INFO] Ignoring AWS metadata API endpoint at default location as it doesn't return any instance-id 2024/10/30 20:40:33 [INFO] Swift S3 Auth provider used: "StaticProvider" === RUN TestAccPolicyAssignment_basic === PAUSE TestAccPolicyAssignment_basic === CONT TestAccPolicyAssignment_basic --- PASS: TestAccPolicyAssignment_basic (491.21s) PASS Process finished with the exit code 0 Reviewed-by: Anton Sidelnikov
opentelekomcloud · Oct 31, 2024 · 78230d9 · 78230d9
1 parent 5ab7b8f
commit 78230d9
Show file tree

Hide file tree

Showing 10 changed files with 1,346 additions and 17 deletions.
diff --git a/docs/data-sources/rms_policy_definitions_v1.md b/docs/data-sources/rms_policy_definitions_v1.md
@@ -0,0 +1,72 @@
+---
+subcategory: "Config"
+layout: "opentelekomcloud"
+page_title: "OpenTelekomCloud: opentelekomcloud_rms_policy_definitions_v1"
+sidebar_current: "docs-opentelekomcloud-datasource-rms-policy-definitions-v1"
+description: |-
+  Manages an RMS Policy Definitions data source within OpenTelekomCloud.
+---
+
+Up-to-date reference of API arguments for RMS Policy Definitions you can get at
+[documentation portal](https://docs.otc.t-systems.com/config/api-ref/apis/compliance/querying_all_built-in_policies.html#rms-04-0501)
+
+
+# opentelekomcloud_rms_policy_definitions_v1
+
+Use this data source to query policy definition list.
+
+## Example Usage
+
+```hcl
+variable "trigger_type" {}
+
+data "opentelekomcloud_rms_policy_definitions_v1" "test" {
+  trigger_type = var.trigger_type
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Optional, String) Specifies the name of the policy definitions used to query definition list.
+
+* `policy_type` - (Optional, String) Specifies the policy type used to query definition list.
+  The valid value is **builtin**.
+
+* `policy_rule_type` - (Optional, String) Specifies the policy rule type used to query definition list.
+
+* `trigger_type` - (Optional, String) Specifies the trigger type used to query definition list.
+  The valid values are **resource** and **period**.
+
+* `keywords` - (Optional, List) Specifies the keyword list used to query definition list.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The data source ID.
+
+* `definitions` - The policy definition list.
+  The [object](#policy_definitions) structure is documented below.
+
+<a name="policy_definitions"></a>
+The `definitions` block supports:
+
+* `id` - The ID of the policy definition.
+
+* `name` - The name of the policy definition.
+
+* `policy_type` - The policy type of the policy definition.
+
+* `description` - The description of the policy definition.
+
+* `policy_rule_type` - The policy rule type of the policy definition.
+
+* `policy_rule` - The policy rule of the policy definition.
+
+* `trigger_type` - The trigger type of the policy definition.
+
+* `keywords` - The keyword list of the policy definition.
+
+* `parameters` - The parameter reference map of the policy definition.
diff --git a/docs/resources/rms_policy_assignment_v1.md b/docs/resources/rms_policy_assignment_v1.md
@@ -0,0 +1,173 @@
+---
+subcategory: "Config"
+layout: "opentelekomcloud"
+page_title: "OpenTelekomCloud: opentelekomcloud_rms_policy_assignment_v1"
+sidebar_current: "docs-opentelekomcloud-rms-policy-assignment-v1"
+description: |-
+  Manages an RMS Policy Assignment resource within OpenTelekomCloud.
+---
+
+Up-to-date reference of API arguments for RMS Policy Assignment you can get at
+[documentation portal](https://docs.otc.t-systems.com/config/api-ref/apis/compliance/index.html)
+
+# opentelekomcloud_rms_policy_assignment_v1
+
+Using this resource to assign the policy and evaluate OpenTelekomCloud resources.
+
+## Example Usage
+
+### Assign a built-in policy to check a specified instance by a flavor
+
+```hcl
+variable "policy_assignment_name" {}
+variable "region_name" {}
+variable "ecs_instance_id" {}
+variable "compliant_flavor" {}
+
+data "opentelekomcloud_rms_policy_definitions_v1" "test" {
+  name = "allowed-ecs-flavors"
+}
+
+resource "opentelekomcloud_rms_policy_assignment_v1" "test" {
+  name                 = var.policy_assignment_name
+  description          = "An ECS is noncompliant if its flavor is not in the specified flavor list (filter by resource ID)."
+  policy_definition_id = try(data.opentelekomcloud_rms_policy_definitions_v1.test.definitions[0].id, "")
+  status               = "Enabled"
+
+  policy_filter {
+    region            = var.region_name
+    resource_provider = "ecs"
+    resource_type     = "cloudservers"
+    resource_id       = var.ecs_instance_id
+  }
+
+  parameters = {
+    listOfAllowedFlavors = "[\"${var.compliant_flavor}\"]"
+  }
+}
+```
+
+### Assign a custom policy
+
+```hcl
+variable "policy_assignment_name" {}
+variable "function_urn" {}
+variable "function_version" {}
+variable "rms_admin_trust_agency" {}
+
+resource "opentelekomcloud_rms_policy_assignment_v1" "test" {
+  name        = var.policy_assignment_name
+  description = "The ECS instances that do not conform to the custom function logic are considered non-compliant."
+  status      = "Enabled"
+
+  custom_policy {
+    function_urn = "${var.function_urn}:${var.function_version}"
+    auth_type    = "agency"
+    auth_value = {
+      agency_name = "\"${var.rms_admin_trust_agency}\""
+    }
+  }
+
+  parameters = {
+    string_example = "\"string_value\""
+    array_example  = "[\"array_element\"]"
+    object_example = "{\"terraform_version\":\"1.xx.x\"}"
+  }
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `name` - (Required, String, ForceNew) Specifies the name of the policy assignment.
+  The valid length is limited from `1` to `64`.
+  Change this parameter will create a new resource.
+
+* `description` - (Optional, String) Specifies the description of the policy assignment, which contain maximum of
+  `512` characters.
+
+* `policy_definition_id` - (Optional, String) Specifies the ID of the built-in policy definition.
+  This parameter and `custom_policy` are alternative.
+
+* `period` - (Optional, String) Specifies the period of the policy assignment.
+  The valid values are as follows:
+  + **One_Hour**
+  + **Three_Hours**
+  + **Six_Hours**
+  + **Twelve_Hours**
+  + **TwentyFour_Hours**
+
+  Most one of `period` and `policy_filter` can be configured.
+
+* `policy_filter` - (Optional, List) Specifies the configuration used to filter resources.
+  The [object](#rms_policy_filter) structure is documented below.
+
+-> If the `period` is configured, it means that the evaluation is performed periodically.
+  If the `policy_filter` is configured, it means that the evaluation is performed on the specified resources through
+  the filter. If neither parameter is configured, it means that the evaluation is performed on all resources under the
+  account.
+
+* `custom_policy` - (Optional, List) Specifies the configuration of the custom policy.
+  The [object](#rms_custom_policy) structure is documented below.
+
+* `parameters` - (Optional, Map) Specifies the rule definition of the policy assignment.
+
+* `status` - (Optional, String) Specifies the expect status of the policy.
+  The valid values are **Enabled** and **Disabled**.
+
+<a name="rms_policy_filter"></a>
+The `policy_filter` block supports:
+
+* `region` - (Optional, String) Specifies the name of the region to which the filtered resources belong.
+
+* `resource_provider` - (Optional, String) Specifies the service name to which the filtered resources belong.
+
+* `resource_type` - (Optional, String) Specifies the resource type of the filtered resources.
+
+* `resource_id` - (Optional, String) Specifies the resource ID used to filter a specified resource.
+
+* `tag_key` - (Optional, String) Specifies the tag name used to filter resources.
+  This parameter and `resource_id` are alternative.
+
+* `tag_value` - (Optional, String) Specifies the tag value used to filter resources.
+  Required if `tag_key` is set.
+
+<a name="rms_custom_policy"></a>
+The `custom_policy` block supports:
+
+* `function_urn` - (Required, String) Specifies the function URN used to create the custom policy.
+
+* `auth_type` - (Required, String) Specifies the authorization type of the custom policy.
+
+* `auth_value` - (Optional, Map) Specifies the authorization value of the custom policy.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The ID of the policy assignment.
+
+* `type` - The type of the policy assignment.
+  The valid values are as follows:
+  + **builtin**
+  + **custom**
+
+* `created_at` - The creation time of the policy assignment.
+
+* `updated_at` - The latest update time of the policy assignment.
+
+## Timeouts
+
+This resource provides the following timeouts configuration options:
+
+* `create` - Default is 5 minutes.
+* `update` - Default is 5 minutes.
+
+## Import
+
+Policy assignments can be imported using their `id`, e.g.
+
+```bash
+$ terraform import opentelekomcloud_rms_policy_assignment_v1.test 63f48e3762ce955981ab7e25
+```