feat(cloud_security_kac_policy): add custom rules to KAC policy resource (#302)

Author: mr-jungchoi

docs/resources/cloud_security_kac_policy.md

@@ -64,6 +64,12 @@ resource "crowdstrike_cloud_security_kac_policy" "example" {
         privileged_container          = "Alert"
         sensitive_data_in_environment = "Disabled"
       }
+      custom_rules = [
+        {
+          id     = "123e4567-e89b-12d3-a456-426614174000"
+          action = "Alert"
+        }
+      ]
     }
   ]
   default_rule_group = {
@@ -75,6 +81,12 @@ resource "crowdstrike_cloud_security_kac_policy" "example" {
     default_rules = {
       container_run_as_root = "Prevent"
     }
+    custom_rules = [
+      {
+        id     = "123e4567-e89b-12d3-a456-426614174000"
+        action = "Disabled"
+      }
+    ]
   }
 }
 
@@ -108,10 +120,14 @@ output "cloud_security_kac_policy" {
 
 Optional:
 
-- `default_rules` (Attributes) Set the action Falcon KAC should take when assessing default rules. All default rules are set to "Alert" by default. Action must be one of:
- - "Disabled": Do nothing
- - "Alert": Send an alert
- - "Prevent": Prevent the object from running (see [below for nested schema](#nestedatt--default_rule_group--default_rules))
+- `custom_rules` (Attributes Set) Defines custom rules for the KAC policy. All custom rules attached to the policy must be included in every `rule_groups` block that defines `custom_rules`. Any `rule_groups` block that omits `custom_rules` will have all custom rules set to `"Disabled"` by default. Action must be one of:
+ - `"Disabled"`: Do nothing
+ - `"Alert"`: Send an alert
+ - `"Prevent"`: Prevent the object from running (see [below for nested schema](#nestedatt--default_rule_group--custom_rules))
+- `default_rules` (Attributes) Set the action Falcon KAC should take when assessing default rules. All default rules are set to `"Alert"` by default. Action must be one of:
+ - `"Disabled"`: Do nothing
+ - `"Alert"`: Send an alert
+ - `"Prevent"`: Prevent the object from running (see [below for nested schema](#nestedatt--default_rule_group--default_rules))
 - `deny_on_error` (Boolean) Defines how KAC will handle an unrecognized error or timeout when processing an admission request. If set to "false", the pod or workload will be allowed to run.
 - `image_assessment` (Attributes) When enabled, KAC applies image assessment policies to pods or workloads that are being created or updated on the Kubernetes cluster. (see [below for nested schema](#nestedatt--default_rule_group--image_assessment))
 
@@ -123,6 +139,15 @@ Read-Only:
 - `name` (String) Name of the default KAC policy rule group.
 - `namespaces` (Set of String) The default rule group namespace is `"*"`, which applies to all namespaces, and is not configurable.
 
+<a id="nestedatt--default_rule_group--custom_rules"></a>
+### Nested Schema for `default_rule_group.custom_rules`
+
+Required:
+
+- `action` (String) Determines what action Falcon KAC takes when assessing the custom rule.
+- `id` (String) Identifier for the KAC custom rule.
+
+
 <a id="nestedatt--default_rule_group--default_rules"></a>
 ### Nested Schema for `default_rule_group.default_rules`
 
@@ -188,10 +213,14 @@ Required:
 
 Optional:
 
-- `default_rules` (Attributes) Set the action Falcon KAC should take when assessing default rules. All default rules are set to "Alert" by default. Action must be one of:
- - "Disabled": Do nothing
- - "Alert": Send an alert
- - "Prevent": Prevent the object from running (see [below for nested schema](#nestedatt--rule_groups--default_rules))
+- `custom_rules` (Attributes Set) Defines custom rules for the KAC policy. All custom rules attached to the policy must be included in every `rule_groups` block that defines `custom_rules`. Any `rule_groups` block that omits `custom_rules` will have all custom rules set to `"Disabled"` by default. Action must be one of:
+ - `"Disabled"`: Do nothing
+ - `"Alert"`: Send an alert
+ - `"Prevent"`: Prevent the object from running (see [below for nested schema](#nestedatt--rule_groups--custom_rules))
+- `default_rules` (Attributes) Set the action Falcon KAC should take when assessing default rules. All default rules are set to `"Alert"` by default. Action must be one of:
+ - `"Disabled"`: Do nothing
+ - `"Alert"`: Send an alert
+ - `"Prevent"`: Prevent the object from running (see [below for nested schema](#nestedatt--rule_groups--default_rules))
 - `deny_on_error` (Boolean) Defines how KAC will handle an unrecognized error or timeout when processing an admission request. If set to "false", the pod or workload will be allowed to run.
 - `description` (String) Description of the KAC policy rule group.
 - `image_assessment` (Attributes) When enabled, KAC applies image assessment policies to pods or workloads that are being created or updated on the Kubernetes cluster. (see [below for nested schema](#nestedatt--rule_groups--image_assessment))
@@ -202,6 +231,15 @@ Read-Only:
 
 - `id` (String) Identifier for the KAC policy rule group.
 
+<a id="nestedatt--rule_groups--custom_rules"></a>
+### Nested Schema for `rule_groups.custom_rules`
+
+Required:
+
+- `action` (String) Determines what action Falcon KAC takes when assessing the custom rule.
+- `id` (String) Identifier for the KAC custom rule.
+
+
 <a id="nestedatt--rule_groups--default_rules"></a>
 ### Nested Schema for `rule_groups.default_rules`
 

examples/resources/crowdstrike_cloud_security_kac_policy/resource.tf

@@ -40,6 +40,12 @@ resource "crowdstrike_cloud_security_kac_policy" "example" {
         privileged_container          = "Alert"
         sensitive_data_in_environment = "Disabled"
       }
+      custom_rules = [
+        {
+          id     = "123e4567-e89b-12d3-a456-426614174000"
+          action = "Alert"
+        }
+      ]
     }
   ]
   default_rule_group = {
@@ -51,6 +57,12 @@ resource "crowdstrike_cloud_security_kac_policy" "example" {
     default_rules = {
       container_run_as_root = "Prevent"
     }
+    custom_rules = [
+      {
+        id     = "123e4567-e89b-12d3-a456-426614174000"
+        action = "Disabled"
+      }
+    ]
   }
 }
 

internal/cloud_security/kac_policy_resource.go

@@ -83,6 +83,7 @@ type ruleGroupTFModel struct {
 	Namespaces      types.Set    `tfsdk:"namespaces"`
 	Labels          types.Set    `tfsdk:"labels"`
 	DefaultRules    types.Object `tfsdk:"default_rules"`
+	CustomRules     types.Set    `tfsdk:"custom_rules"`
 }
 
 type imageAssessmentTFModel struct {
@@ -96,6 +97,11 @@ type labelTFModel struct {
 	Operator types.String `tfsdk:"operator"`
 }
 
+type customRuleTFModel struct {
+	ID     types.String `tfsdk:"id"`
+	Action types.String `tfsdk:"action"`
+}
+
 func (m *cloudSecurityKacPolicyResourceModel) wrap(
 	ctx context.Context,
 	policy *models.ModelsKACPolicy,
@@ -366,6 +372,7 @@ func (r *cloudSecurityKacPolicyResource) Schema(
 							},
 						},
 						"default_rules": defaultRulesSchema,
+						"custom_rules":  customRulesSchema,
 					},
 				},
 			},
@@ -390,6 +397,7 @@ func (r *cloudSecurityKacPolicyResource) Schema(
 							),
 							"namespaces":    types.SetUnknown(types.StringType),
 							"labels":        types.SetUnknown(types.ObjectType{AttrTypes: labelsAttrMap}),
+							"custom_rules":  types.SetNull(types.ObjectType{AttrTypes: customRulesAttrMap}),
 							"default_rules": defaultRulesDefaultValue,
 						},
 					),
@@ -482,6 +490,7 @@ func (r *cloudSecurityKacPolicyResource) Schema(
 						},
 					},
 					"default_rules": defaultRulesSchema,
+					"custom_rules":  customRulesSchema,
 				},
 			},
 			"last_updated": schema.StringAttribute{
@@ -788,56 +797,66 @@ func (r *cloudSecurityKacPolicyResource) ValidateConfig(
 ) {
 	var kacPolicyConfig cloudSecurityKacPolicyResourceModel
 	resp.Diagnostics.Append(req.Config.Get(ctx, &kacPolicyConfig)...)
+	if resp.Diagnostics.HasError() {
+		return
+	}
+
+	resp.Diagnostics.Append(r.validateCustomRulesPropagation(ctx, kacPolicyConfig)...)
 }
 
 func (r *cloudSecurityKacPolicyResource) ModifyPlan(
 	ctx context.Context,
 	req resource.ModifyPlanRequest,
 	resp *resource.ModifyPlanResponse,
 ) {
-	if req.State.Raw.IsNull() || req.Plan.Raw.IsNull() {
-		return
-	}
-
-	if req.Plan.Raw.Equal(req.State.Raw) {
+	if req.Plan.Raw.IsNull() || req.Plan.Raw.Equal(req.State.Raw) {
 		return
 	}
 
-	var originalPlan, plan, state cloudSecurityKacPolicyResourceModel
-
-	resp.Diagnostics.Append(req.Plan.Get(ctx, &originalPlan)...)
+	var plan, state cloudSecurityKacPolicyResourceModel
+	var diags diag.Diagnostics
 	resp.Diagnostics.Append(req.Plan.Get(ctx, &plan)...)
-	resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
+
+	plan, diags = r.propagateCustomRules(ctx, plan)
+	resp.Diagnostics.Append(diags...)
 	if resp.Diagnostics.HasError() {
 		return
 	}
 
-	// Computed+Optional object attributes (default_rule_group) cause constant plan diffs
-	// This causes computed values that need to be set on update (LastUpdated) to be marked
-	// as Unknown, resulting in constant plan diffs.
-	// When there are no plan changes and LastUpdated is Unknown revert it to prior state value.
-	if plan.LastUpdated.IsUnknown() {
-		plan.LastUpdated = state.LastUpdated
-
-		resp.Diagnostics.Append(resp.Plan.Set(ctx, &plan)...)
+	if !req.State.Raw.IsNull() {
+		resp.Diagnostics.Append(req.State.Get(ctx, &state)...)
 		if resp.Diagnostics.HasError() {
 			return
 		}
 
-		// Revert if LastUpdated is not the only change
-		if !resp.Plan.Raw.Equal(req.State.Raw) {
-			plan = originalPlan
-			resp.Diagnostics.Append(resp.Plan.Set(ctx, originalPlan)...)
+		// Computed+Optional object attributes (default_rule_group) cause constant plan diffs
+		// This causes computed values that need to be set on update (LastUpdated) to be marked
+		// as Unknown, resulting in constant plan diffs.
+		// When there are no plan changes and LastUpdated is Unknown revert it to prior state value.
+		if plan.LastUpdated.IsUnknown() {
+			planLastUpdated := plan.LastUpdated
+			plan.LastUpdated = state.LastUpdated
+
+			resp.Diagnostics.Append(resp.Plan.Set(ctx, &plan)...)
+			if resp.Diagnostics.HasError() {
+				return
+			}
+
+			// Revert if LastUpdated is not the only change
+			if !resp.Plan.Raw.Equal(req.State.Raw) {
+				plan.LastUpdated = planLastUpdated
+				resp.Diagnostics.Append(resp.Plan.Set(ctx, plan)...)
+			}
 		}
-	}
 
-	modifiedPlan, modifyDiags := r.matchRuleGroupIDsByName(ctx, plan, state)
-	resp.Diagnostics.Append(modifyDiags...)
-	if resp.Diagnostics.HasError() {
-		return
+		plan, diags = r.matchRuleGroupIDsByName(ctx, plan, state)
+		resp.Diagnostics.Append(diags...)
+		if resp.Diagnostics.HasError() {
+			return
+		}
 	}
 
-	resp.Diagnostics.Append(resp.Plan.Set(ctx, modifiedPlan)...)
+	resp.Diagnostics.Append(resp.Plan.Set(ctx, plan)...)
 }
 
 func (r *cloudSecurityKacPolicyResource) matchRuleGroupIDsByName(
@@ -1164,6 +1183,15 @@ func (r *cloudSecurityKacPolicyResource) reconcileRuleGroupUpdates(
 		apiKacPolicy = updatedApiKacPolicy
 	}
 
+	updatedApiKacPolicy, customRulesDiags := r.reconcileCustomRules(ctx, plan.ID.ValueString(), planTFRuleGroups, apiKacPolicy)
+	diags.Append(customRulesDiags...)
+	if diags.HasError() {
+		return nil, diags
+	}
+	if updatedApiKacPolicy != nil {
+		apiKacPolicy = updatedApiKacPolicy
+	}
+
 	return apiKacPolicy, diags
 }