New Resources: Control, Cloud Config Rule, and Host Config Rule to Se…

…curity Sub-Category Associations (#25)

Add a new set of resources to manage security sub-category associations to cloud configuration rules, host configuratio rules, and controls:
- wiz_host_config_rule_associations
- wiz_cloud_config_rule_associations
- wiz_control_associations

docs/resources/cloud_config_rule.md

@@ -78,7 +78,6 @@ EOT
 - `description` (String) Detailed description for this rule. There is a defect in the API that makes this required; the description field cannot be nullified after one is defined, so we make it required.
 - `name` (String) Name of this rule, as appeared in the UI in the portal.
 - `remediation_instructions` (String) Steps to mitigate the issue that match this rule. If possible, include sample commands to execute in your cloud provider's console. Markdown formatting is supported.
-- `security_sub_categories` (Set of String) Associate this rule with security sub-categories to easily monitor your compliance. New Configuration Findings created by this rule will be tagged with the selected sub-categories. There is a defect in the API that makes this required; the security_sub_categories field cannot be nullified after one is defined, so we make it required.
 - `target_native_types` (Set of String) The identifier types of the resources targeted by this rule, as seen on the cloud provider service. e.g. 'ec2'
 
 ### Optional
@@ -103,6 +102,7 @@ EOT
 ### Read-Only
 
 - `id` (String) Wiz internal identifier.
+- `security_sub_categories` (Set of String) Associate this rule with security sub-categories to easily monitor your compliance. New Configuration Findings created by this rule will be tagged with the selected sub-categories. There is a defect in the API that makes this required; the security_sub_categories field cannot be nullified after one is defined, so we make it required.
 
 <a id="nestedblock--iac_matchers"></a>
 ### Nested Schema for `iac_matchers`

docs/resources/cloud_config_rule_associations.md

@@ -0,0 +1,45 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "wiz_cloud_config_rule_associations Resource - terraform-provider-wiz"
+subcategory: ""
+description: |-
+  Manage associations between cloud configuration rules and security sub-categories. Associations defined outside this resouce will remain untouched through the lifecycle of this resource. Wiz managed cloud configuration rules cannot be associated to Wiz managed security sub-categories. This resource does not support imports; it can, however, overlay existing resources to bring them under management.
+---
+
+# wiz_cloud_config_rule_associations (Resource)
+
+Manage associations between cloud configuration rules and security sub-categories. Associations defined outside this resouce will remain untouched through the lifecycle of this resource. Wiz managed cloud configuration rules cannot be associated to Wiz managed security sub-categories. This resource does not support imports; it can, however, overlay existing resources to bring them under management.
+
+## Example Usage
+
+```terraform
+resource "wiz_cloud_config_rule_associations" "test" {
+  security_sub_category_ids = [
+    "2e5bc0d5-835b-4b4c-99cf-b1c6ace90a52",
+    "708ec4a1-1a5c-4cb3-9c52-511229c5bb35",
+  ]
+  cloud_config_rule_ids = [
+    "301e5fd0-6a1a-42a7-99f5-3b0436d55a7f",
+    "a5fbd955-ed78-445a-827a-06d6cbe5aab2",
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `cloud_config_rule_ids` (List of String) List of cloud configuration rule IDs.
+- `security_sub_category_ids` (List of String) List of security sub-category IDs.
+
+### Optional
+
+- `details` (String) Details of the association. This information is not used to manage resources but can serve as notes or documentation for the associations.
+    - Defaults to `undefined`.
+
+### Read-Only
+
+- `id` (String) Internal identifier for the association.
+
+

docs/resources/control.md

@@ -61,7 +61,6 @@ resource "wiz_control" "test" {
 - `name` (String) Name of the Control.
 - `query` (String) The query that the control runs.
 - `scope_query` (String) The query that represents the control's scope.
-- `security_sub_categories` (List of String) List of security sub-categories IDs. If unsure, use 'wsct-id-8', which is '1 Custom Controls'.
 - `severity` (String) Severity that will be set for this control.
     - Allowed values: 
         - INFORMATIONAL
@@ -73,7 +72,7 @@ resource "wiz_control" "test" {
 ### Optional
 
 - `description` (String) Description of the Control.
-- `enabled` (Boolean) Whether to enable the Control.
+- `enabled` (Boolean) Whether to enable the Control. This has a known defect where if set to false, it will be created as true because the API to create Controls does not accept this parameter.
     - Defaults to `true`.
 - `project_id` (String) Project scope of the control. Use '*' for all projects.
     - Defaults to `*`.
@@ -82,5 +81,6 @@ resource "wiz_control" "test" {
 ### Read-Only
 
 - `id` (String) Internal identifier for the Control
+- `security_sub_categories` (List of String) List of security sub-categories IDs.
 
 

docs/resources/control_associations.md

@@ -0,0 +1,45 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "wiz_control_associations Resource - terraform-provider-wiz"
+subcategory: ""
+description: |-
+  Manage associations between controls and security sub-categories. Associations defined outside this resouce will remain untouched through the lifecycle of this resource. Wiz managed controls cannot be associated to Wiz managed security sub-categories. This resource does not support imports; it can, however, overlay existing resources to bring them under management.
+---
+
+# wiz_control_associations (Resource)
+
+Manage associations between controls and security sub-categories. Associations defined outside this resouce will remain untouched through the lifecycle of this resource. Wiz managed controls cannot be associated to Wiz managed security sub-categories. This resource does not support imports; it can, however, overlay existing resources to bring them under management.
+
+## Example Usage
+
+```terraform
+resource "wiz_control_associations" "test" {
+  security_sub_category_ids = [
+    "2e5bc0d5-835b-4b4c-99cf-b1c6ace90a52",
+    "708ec4a1-1a5c-4cb3-9c52-511229c5bb35",
+  ]
+  control_ids = [
+    "301e5fd0-6a1a-42a7-99f5-3b0436d55a7f",
+    "a5fbd955-ed78-445a-827a-06d6cbe5aab2",
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `control_ids` (List of String) List of control IDs.
+- `security_sub_category_ids` (List of String) List of security sub-category IDs.
+
+### Optional
+
+- `details` (String) Details of the association. This information is not used to manage resources but can serve as notes or documentation for the associations.
+    - Defaults to `undefined`.
+
+### Read-Only
+
+- `id` (String) Internal identifier for the association.
+
+

docs/resources/host_config_rule_associations.md

@@ -0,0 +1,45 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "wiz_host_config_rule_associations Resource - terraform-provider-wiz"
+subcategory: ""
+description: |-
+  Manage associations between host configuration rules and security sub-categories. Associations defined outside this resouce will remain untouched through the lifecycle of this resource. Wiz managed host configuration rules cannot be associated to Wiz managed security sub-categories. This resource does not support imports; it can, however, overlay existing resources to bring them under management.
+---
+
+# wiz_host_config_rule_associations (Resource)
+
+Manage associations between host configuration rules and security sub-categories. Associations defined outside this resouce will remain untouched through the lifecycle of this resource. Wiz managed host configuration rules cannot be associated to Wiz managed security sub-categories. This resource does not support imports; it can, however, overlay existing resources to bring them under management.
+
+## Example Usage
+
+```terraform
+resource "wiz_host_config_rule_associations" "test" {
+  security_sub_category_ids = [
+    "2e5bc0d5-835b-4b4c-99cf-b1c6ace90a52",
+    "708ec4a1-1a5c-4cb3-9c52-511229c5bb35",
+  ]
+  cloud_config_rule_ids = [
+    "301e5fd0-6a1a-42a7-99f5-3b0436d55a7f",
+    "a5fbd955-ed78-445a-827a-06d6cbe5aab2",
+  ]
+}
+```
+
+<!-- schema generated by tfplugindocs -->
+## Schema
+
+### Required
+
+- `host_config_rule_ids` (List of String) List of host configuration rule IDs.
+- `security_sub_category_ids` (List of String) List of security sub-category IDs.
+
+### Optional
+
+- `details` (String) Details of the association. This information is not used to manage resources but can serve as notes or documentation for the associations.
+    - Defaults to `undefined`.
+
+### Read-Only
+
+- `id` (String) Internal identifier for the association.
+
+

examples/resources/wiz_cloud_config_rule_associations/resource.tf

@@ -0,0 +1,10 @@
+resource "wiz_cloud_config_rule_associations" "test" {
+  security_sub_category_ids = [
+    "2e5bc0d5-835b-4b4c-99cf-b1c6ace90a52",
+    "708ec4a1-1a5c-4cb3-9c52-511229c5bb35",
+  ]
+  cloud_config_rule_ids = [
+    "301e5fd0-6a1a-42a7-99f5-3b0436d55a7f",
+    "a5fbd955-ed78-445a-827a-06d6cbe5aab2",
+  ]
+}

examples/resources/wiz_control_associations/resource.tf

@@ -0,0 +1,10 @@
+resource "wiz_control_associations" "test" {
+  security_sub_category_ids = [
+    "2e5bc0d5-835b-4b4c-99cf-b1c6ace90a52",
+    "708ec4a1-1a5c-4cb3-9c52-511229c5bb35",
+  ]
+  control_ids = [
+    "301e5fd0-6a1a-42a7-99f5-3b0436d55a7f",
+    "a5fbd955-ed78-445a-827a-06d6cbe5aab2",
+  ]
+}

examples/resources/wiz_host_config_rule_associations/resource.tf

@@ -0,0 +1,10 @@
+resource "wiz_host_config_rule_associations" "test" {
+  security_sub_category_ids = [
+    "2e5bc0d5-835b-4b4c-99cf-b1c6ace90a52",
+    "708ec4a1-1a5c-4cb3-9c52-511229c5bb35",
+  ]
+  cloud_config_rule_ids = [
+    "301e5fd0-6a1a-42a7-99f5-3b0436d55a7f",
+    "a5fbd955-ed78-445a-827a-06d6cbe5aab2",
+  ]
+}

internal/provider/provider.go

@@ -252,16 +252,19 @@ yLyKQXhw2W2Xs0qLeC1etA+jTGDK4UfLeC0SF7FSi8o5LL21L8IzApar2pR/
 				"wiz_organizations": dataSourceWizOrganizations(),
 			},
 			ResourcesMap: map[string]*schema.Resource{
-				"wiz_automation_action":  resourceWizAutomationAction(),
-				"wiz_automation_rule":    resourceWizAutomationRule(),
-				"wiz_cicd_scan_policy":   resourceWizCICDScanPolicy(),
-				"wiz_cloud_config_rule":  resourceWizCloudConfigurationRule(),
-				"wiz_control":            resourceWizControl(),
-				"wiz_project":            resourceWizProject(),
-				"wiz_saml_idp":           resourceWizSAMLIdP(),
-				"wiz_security_framework": resourceWizSecurityFramework(),
-				"wiz_service_account":    resourceWizServiceAccount(),
-				"wiz_user":               resourceWizUser(),
+				"wiz_automation_action":              resourceWizAutomationAction(),
+				"wiz_automation_rule":                resourceWizAutomationRule(),
+				"wiz_cicd_scan_policy":               resourceWizCICDScanPolicy(),
+				"wiz_cloud_config_rule":              resourceWizCloudConfigurationRule(),
+				"wiz_cloud_config_rule_associations": resourceWizCloudConfigRuleAssociations(),
+				"wiz_control":                        resourceWizControl(),
+				"wiz_control_associations":           resourceWizControlAssociations(),
+				"wiz_host_config_rule_associations":  resourceWizHostConfigRuleAssociations(),
+				"wiz_project":                        resourceWizProject(),
+				"wiz_saml_idp":                       resourceWizSAMLIdP(),
+				"wiz_security_framework":             resourceWizSecurityFramework(),
+				"wiz_service_account":                resourceWizServiceAccount(),
+				"wiz_user":                           resourceWizUser(),
 			},
 		}
 		p.ConfigureContextFunc = configure(version, p)

internal/provider/resource_cloud_config_rule.go

@@ -91,7 +91,7 @@ func resourceWizCloudConfigurationRule() *schema.Resource {
 			},
 			"security_sub_categories": {
 				Type:        schema.TypeSet,
-				Required:    true,
+				Computed:    true,
 				Description: "Associate this rule with security sub-categories to easily monitor your compliance. New Configuration Findings created by this rule will be tagged with the selected sub-categories. There is a defect in the API that makes this required; the security_sub_categories field cannot be nullified after one is defined, so we make it required.",
 				Elem: &schema.Schema{
 					Type: schema.TypeString,
@@ -195,7 +195,6 @@ func resourceWizCloudConfigurationRuleCreate(ctx context.Context, d *schema.Reso
 	vars.IACMatchers = getIACMatchers(ctx, d)
 	vars.ScopeAccountIDs = utils.ConvertListToString(d.Get("scope_account_ids").(*schema.Set).List())
 	vars.FunctionAsControl = utils.ConvertBoolToPointer(d.Get("function_as_control").(bool))
-	vars.SecuritySubCategories = utils.ConvertListToString(d.Get("security_sub_categories").(*schema.Set).List())
 
 	// process the request
 	data := &CreateCloudConfigurationRule{}
@@ -408,13 +407,6 @@ func resourceWizCloudConfigurationRuleUpdate(ctx context.Context, d *schema.Reso
 		}
 		vars.Patch.TargetNativeTypes = targetNativeTypes
 	}
-	if d.HasChange("security_sub_categories") {
-		securitySubCategories := make([]string, 0)
-		for _, j := range d.Get("security_sub_categories").(*schema.Set).List() {
-			securitySubCategories = append(securitySubCategories, j.(string))
-		}
-		vars.Patch.SecuritySubCategories = securitySubCategories
-	}
 	// include all optional fields in the patch in the event they were nullified
 	vars.Patch.Enabled = utils.ConvertBoolToPointer(d.Get("enabled").(bool))
 	vars.Patch.OPAPolicy = d.Get("opa_policy").(string)