From bad8d837744d411a7c65774d4b8b55d6362add27 Mon Sep 17 00:00:00 2001 
From: Hod Alpert Date: Sun, 11 Dec 2022 11:20:53 +0200 Subject: [PATCH] NSOF-6989 ufr: introduce resource and data-source --- docs/data-sources/url_filtering_rule.md | 65 +++++ docs/resources/url_filtering_rule.md | 259 ++++++++++++++++++ .../data-source.tf | 7 + .../block_for_work_hours.tf | 36 +++ .../default_rule.tf | 33 +++ .../pfptmeta_url_filtering_rule/high_risk.tf | 20 ++ .../isolate_web_mail.tf | 16 ++ .../pfptmeta_url_filtering_rule/log_all.tf | 44 +++ .../warn_for_dropbox.tf | 19 ++ internal/client/url_filtering_rule.go | 123 +++++++++ .../acc_tests/url_filtering_rule_test.go | 256 +++++++++++++++++ internal/provider/common/validations.go | 12 + internal/provider/provider.go | 7 +- .../provider/url_filtering_rule/common.go | 143 ++++++++++ .../url_filtering_rule/data_source.go | 132 +++++++++ .../provider/url_filtering_rule/resource.go | 219 +++++++++++++++ .../data-sources/url_filtering_rule.md.tmpl | 17 ++ .../resources/url_filtering_rule.md.tmpl | 39 +++ 18 files changed, 1445 insertions(+), 2 deletions(-) create mode 100644 docs/data-sources/url_filtering_rule.md create mode 100644 docs/resources/url_filtering_rule.md create mode 100644 examples/data-sources/pfptmeta_url_filtering_rule/data-source.tf create mode 100644 examples/resources/pfptmeta_url_filtering_rule/block_for_work_hours.tf create mode 100644 examples/resources/pfptmeta_url_filtering_rule/default_rule.tf create mode 100644 examples/resources/pfptmeta_url_filtering_rule/high_risk.tf create mode 100644 examples/resources/pfptmeta_url_filtering_rule/isolate_web_mail.tf create mode 100644 examples/resources/pfptmeta_url_filtering_rule/log_all.tf create mode 100644 examples/resources/pfptmeta_url_filtering_rule/warn_for_dropbox.tf create mode 100644 internal/client/url_filtering_rule.go create mode 100644 internal/provider/acc_tests/url_filtering_rule_test.go create mode 100644 internal/provider/url_filtering_rule/common.go create mode 100644 
internal/provider/url_filtering_rule/data_source.go create mode 100644 internal/provider/url_filtering_rule/resource.go create mode 100644 templates/data-sources/url_filtering_rule.md.tmpl create mode 100644 templates/resources/url_filtering_rule.md.tmpl diff --git a/docs/data-sources/url_filtering_rule.md b/docs/data-sources/url_filtering_rule.md new file mode 100644 index 00000000..40978ccc --- /dev/null +++ b/docs/data-sources/url_filtering_rule.md 
@@ -0,0 +1,65 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "Data Source pfptmeta_url_filtering_rule - terraform-provider-pfptmeta" +subcategory: "Web Security Resources" +description: |- + The Proofpoint Web Security solution protects against web-based security threats by defining URL filtering rules + which include various content and threat categories, as well as cloud-based applications and tenant restrictions. + With these measures, you can enforce company security policies and filter malicious internet traffic in real time. +--- + +# Data Source (pfptmeta_url_filtering_rule) + +The Proofpoint Web Security solution protects against web-based security threats by defining URL filtering rules +which include various content and threat categories, as well as cloud-based applications and tenant restrictions. +With these measures, you can enforce company security policies and filter malicious internet traffic in real time. + +## Example Usage + +```terraform +data "pfptmeta_url_filtering_rule" "ufr" { + id = "ufr-123abc" +} + +output "catalog_app" { + value = data.pfptmeta_url_filtering_rule.ufr +} +``` + + +## Schema + +### Read-Only + +- `action` (String) Enum: `ISOLATION`, `BLOCK`, `LOG`, `RESTRICT`, `WARN`. +This action determines what must be done according to this URL filtering rule if a user tries to reach a restricted URL. +- `advanced_threat_protection` (Boolean) Enables the first-rate security engine based on up-to-date web threat intelligence gathered from two decades of protecting the world's largest organizations from email-borne attacks. +- `apply_to_org` (Boolean) indicates whether this URL filtering rule applies to the org. 
+- `catalog_app_categories` (List of String) ENUM: `Instant Messaging`, `eCommerce`, `Content Management`, `Software Development`, `Project Management`, `Marketing`, `CRM`, `Telecommunications`, `Social and Communication`, `Productivity`, `Collaboration`, `Business and Finance`, `Utilities`, `IT Service Management`, `Social Networking`, `Office Document and Productivity`, `Cloud File Sharing`, `Web Meetings`, `Identity and Access Management`, `IT Services and Hosting`, `Webmail`, `Website Builder`, `Human Capital Management`, `Sales and CRM`, `E-commerce and Accounting`, `Streaming Media`, `Cloud Storage`, `Operations Management`, `Online Meeting`, `Supply Chain`, `Security and Compliance`, `Entertainment and Lifestyle`, `System and Network`, `Retail and Consumer Services`, `Health and Benefits`, `Data and Analytics`, `Education and References`, `Personal instant messaging`, `Legal`, `Other`, `Hosting Services`, `News and Media`, `Sales`, `Enterprise Resource Planning`, `Advertising`, `Travel and Transportation`, `Property Management`, `Government Services`, `Games`, `Code Hosting`. +List of catalog app categories that the URL filtering rule must restrict. +- `catalog_app_risk` (Number) Risk threshold to be used to restrict all catalog apps which has that risk or higher. +- `cloud_apps` (List of String) List of [cloud app](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/cloud_app) IDs which the URL filtering rule should restrict. +- `countries` (List of String) A list of countries in which this rule should be applied. Each country should be represented by a Alpha-2 code (ISO-3166). 
Enum: `AD`,`AE`,`AF`,`AG`,`AI`,`AL`,`AM`,`AO`,`AQ`,`AR`,`AS`,`AT`,`AU`,`AW`,`AX`,`AZ`,`BA`,`BB`,`BD`,`BE`,`BF`,`BG`,`BH`,`BI`,`BJ`,`BL`,`BM`,`BN`,`BO`,`BQ`,`BR`,`BS`,`BT`,`BV`,`BW`,`BY`,`BZ`,`CA`,`CC`,`CD`,`CF`,`CG`,`CH`,`CI`,`CK`,`CL`,`CM`,`CN`,`CO`,`CR`,`CU`,`CV`,`CW`,`CX`,`CY`,`CZ`,`DE`,`DJ`,`DK`,`DM`,`DO`,`DZ`,`EC`,`EE`,`EG`,`EH`,`ER`,`ES`,`ET`,`FI`,`FJ`,`FK`,`FM`,`FO`,`FR`,`GA`,`GB`,`GD`,`GE`,`GF`,`GG`,`GH`,`GI`,`GL`,`GM`,`GN`,`GP`,`GQ`,`GR`,`GS`,`GT`,`GU`,`GW`,`GY`,`HK`,`HM`,`HN`,`HR`,`HT`,`HU`,`ID`,`IE`,`IL`,`IM`,`IN`,`IO`,`IQ`,`IR`,`IS`,`IT`,`JE`,`JM`,`JO`,`JP`,`KE`,`KG`,`KH`,`KI`,`KM`,`KN`,`KP`,`KR`,`KW`,`KY`,`KZ`,`LA`,`LB`,`LC`,`LI`,`LK`,`LR`,`LS`,`LT`,`LU`,`LV`,`LY`,`MA`,`MC`,`MD`,`ME`,`MF`,`MG`,`MH`,`MK`,`ML`,`MM`,`MN`,`MO`,`MP`,`MQ`,`MR`,`MS`,`MT`,`MU`,`MV`,`MW`,`MX`,`MY`,`MZ`,`NA`,`NC`,`NE`,`NF`,`NG`,`NI`,`NL`,`NO`,`NP`,`NR`,`NU`,`NZ`,`OM`,`PA`,`PE`,`PF`,`PG`,`PH`,`PK`,`PL`,`PM`,`PN`,`PR`,`PS`,`PT`,`PW`,`PY`,`QA`,`RE`,`RO`,`RS`,`RU`,`RW`,`SA`,`SB`,`SC`,`SD`,`SE`,`SG`,`SH`,`SI`,`SJ`,`SK`,`SL`,`SM`,`SN`,`SO`,`SR`,`SS`,`ST`,`SV`,`SX`,`SY`,`SZ`,`TC`,`TD`,`TF`,`TG`,`TH`,`TJ`,`TK`,`TL`,`TM`,`TN`,`TO`,`TR`,`TT`,`TV`,`TW`,`TZ`,`UA`,`UG`,`UM`,`US`,`UY`,`UZ`,`VA`,`VC`,`VE`,`VG`,`VI`,`VN`,`VU`,`WF`,`WS`,`YE`,`YT`,`ZA`,`ZM`,`ZW` +- `description` (String) +- `enabled` (Boolean) +- `exempt_sources` (List of String) Subgroup of 'sources' on which the URL filtering rule should not be applied. +- `expires_at` (String) Defines the rule expiration time. This can be useful when creating exceptions for users who need them for a limited period of time as an alternative for full disconnection from the proxy. When no value is given the URL filtering rule will never expire. Takes `RFC3339` (`2006-01-02T15:04:05Z`) date format. +- `filter_expression` (String) Defines filtering expressions to ensure granularity in URL filtering rule application. 
+These expressions consist of the **{Key:Value}** tags according to the internal and external risk factors obtained from the following sources: + +- Proofpoint’s Nexus People Risk Explorer (NPRE). +- Proofpoint’s Targeted Attack Protection (TAP). +- CrowdStrike’s Falcon Zero Trust Assessment (ZTA). +- Configured posture checks. +- User-defined tags. +- Auto-generated tags, such as platform type, device type, etc. +- `forbidden_content_categories` (List of String) List of [content category](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/content_category) IDs which the URL filtering rule should restrict. +- `id` (String) The ID of this resource. +- `name` (String) +- `networks` (List of String) List of source [IP network](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/ip_network) IDs the URL filtering rule applies on +- `priority` (Number) Determines the order in which the URL-filtering rules are evaluated. The order is significant since the first URL-filtering rule that finds a URL restricted is the one to determine which action to execute. Lower priority value means the URL-filtering rule will be evaluated earlier. +- `schedule` (List of String) List of [time frame](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/time_frame) IDs during which the URL filtering rule will be enforced +- `sources` (List of String) Users and groups on which the URL filtering rule should be applied. +- `tenant_restriction` (String) [Tenant restrictions](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/tenant_restriction) for this rule. Only the `RESTRICT` action is allowed when this option is set. 
+- `threat_categories` (List of String) List of [threat category](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/threat_category) IDs the URL filtering rule will protect against +- `warn_ttl` (Number) Time in minutes during which the warning page is not shown again after user proceeds to URL diff --git a/docs/resources/url_filtering_rule.md b/docs/resources/url_filtering_rule.md new file mode 100644 index 00000000..3ebb2768 --- /dev/null +++ b/docs/resources/url_filtering_rule.md 
@@ -0,0 +1,259 @@ +--- +# generated by https://github.com/hashicorp/terraform-plugin-docs +page_title: "Resource pfptmeta_url_filtering_rule - terraform-provider-pfptmeta" +subcategory: "Web Security Resources" +description: |- + The Proofpoint Web Security solution protects against web-based security threats by defining URL filtering rules + which include various content and threat categories, as well as cloud-based applications and tenant restrictions. + With these measures, you can enforce company security policies and filter malicious internet traffic in real time. +--- + +# Resource (pfptmeta_url_filtering_rule) + +The Proofpoint Web Security solution protects against web-based security threats by defining URL filtering rules +which include various content and threat categories, as well as cloud-based applications and tenant restrictions. +With these measures, you can enforce company security policies and filter malicious internet traffic in real time. + +## Example Usage + +### Default Rule: + +```terraform +resource "pfptmeta_threat_category" "malicious" { + name = "Malicious Threat" + confidence_level = "LOW" + risk_level = "LOW" + countries = ["IR", "KP"] + types = [ + "Bitcoin Related", "Blackhole", "Botnets", "Brute Forcer", "CnC", "Compromised", "Drop", "EXE Source", + "Fake AV", "Keyloggers and Monitoring", "Malware Sites", "Mobile CnC", "Mobile Spyware CnC", "P2P CnC", + "Phishing and Other Frauds", "Spyware and Adware", "Tor" + ] +} + +resource "pfptmeta_content_category" "strict" { + name = "Strict Category" + confidence_level = "LOW" + types = [ + "Sex Education", "Nudity", "Abused Drugs", "Marijuana", "Swimsuits and Intimate Apparel", "Violence", + "Gross", "Adult and Pornography", "Weapons", "Hate and Racism", "Gambling" + ] + urls = [".espn.com"] +} + +resource "pfptmeta_url_filtering_rule" "default_rule" { + name = "default rule" + description = "default rule" + apply_to_org = true + action = "BLOCK" + advanced_threat_protection = true + 
threat_categories = [pfptmeta_threat_category.malicious.id] + forbidden_content_categories = [pfptmeta_content_category.strict.id] + priority = 94 + warn_ttl = 15 +} +``` + +### High Risk: + +```terraform +data "pfptmeta_catalog_app" "salesforce" { + name = "Salesforce" + category = "Content Management" +} + +resource "pfptmeta_cloud_app" "salesforce" { + name = "salesforce" + app = data.pfptmeta_catalog_app.salesforce.id + urls = [".my.salesforce.com"] +} + +resource "pfptmeta_url_filtering_rule" "high_risk" { + name = "Block High Risk - Expression" + apply_to_org = true + action = "BLOCK" + cloud_apps = [pfptmeta_cloud_app.salesforce.id] + filter_expression = "crwd_agent:fail OR crwdzta:high OR npre-it" + priority = 90 + warn_ttl = 15 +} +``` + +### Log All: + +```terraform +resource "pfptmeta_threat_category" "log_all" { + name = "Threats To Log" + confidence_level = "LOW" + risk_level = "LOW" + types = [ + "Botnets", "Chat Server", "Phishing and Other Frauds", "Utility", "Self Signed SSL", "Brute Forcer", "DDoS Target", + "Parking", "Scanner", "Online Gaming", "Blackhole", "Compromised", "Fake AV", "Malware Sites", "P2P CnC", + "Remote Access Service", "Bitcoin Related", "SPAM URLs", "Mobile CnC", "Tor", "IP Check", "DynDNS", "CnC", + "Spyware and Adware", "Undesirable", "Mobile Spyware CnC", "Abused TLD", "EXE Source", "VPN", "Drop", + "Proxy Avoidance and Anonymizers", "Peer to Peer" + ] +} + +resource "pfptmeta_content_category" "log_all" { + name = "Category To Log" + confidence_level = "HIGH" + types = [ + "Abortion", "Sex Education", "Pay to Surf", "Web Advertisements", "Dynamically Generated Content", + "Parked Domains", "Alcohol and Tobacco", "Personal sites and Blogs", "Hacking", + "Abused Drugs", "Marijuana", "Training and Tools", "Reference and Research", "Educational Institutions", + "Web-based Email", "Financial Services", "Business and Economy", + "Individual Stock Advice and Tools", "Home and Garden", "Gambling", "Games", "Kids", "Legal", 
"Government", + "Health and Medicine", "Recreation and Hobbies", "Questionable", "Cheating", "Illegal", "Job Search", + "Swimsuits and Intimate Apparel", "Hate and Racism", "Local Information", "News and Media", "Nudity", + "Philosophy and Political Advocacy", "Adult and Pornography", "Internet Portals", "Real Estate", "Cult and Occult", + "Religion", "Search Engines", "Image and Video Search", "Auctions", "Shopping", "Online Greeting Cards", + "Fashion and Beauty", "Social Networking", "Dating", "Society", "Computer and Internet Security", + "Computer and Internet Info", "Shareware and Freeware", "Personal Storage", "Content Delivery Networks", + "Web Hosting", "Internet Communications", "Hunting and Fishing", "Sports", "Streaming Media", + "Entertainment and Arts", "Translation", "Travel", "Motor Vehicles", "Violence", "Gross", "Weapons" + ] + urls = [".clarivate.io"] +} + +resource "pfptmeta_url_filtering_rule" "log_all" { + name = "Log All" + apply_to_org = true + action = "LOG" + advanced_threat_protection = true + threat_categories = [pfptmeta_threat_category.log_all.id] + forbidden_content_categories = [pfptmeta_content_category.log_all.id] + priority = 95 + warn_ttl = 15 +} +``` + +### Isolate Web Mails: + +```terraform +resource "pfptmeta_content_category" "web_mail_category" { + name = "Webmail Category" + confidence_level = "LOW" + types = ["Web-based Email"] + urls = [".live.com", ".outlook.com"] +} + +resource "pfptmeta_url_filtering_rule" "isolate_web_mails" { + name = "Isolate Web Mails" + apply_to_org = true + action = "ISOLATION" + advanced_threat_protection = false + forbidden_content_categories = [pfptmeta_content_category.web_mail_category.id] + priority = 92 + warn_ttl = 15 +} +``` + +### Warn For Dropbox: + +```terraform +data "pfptmeta_catalog_app" "dropbox" { + name = "Dropbox" + category = "Collaboration" +} + +resource "pfptmeta_cloud_app" "dropbox_personal" { + name = "Dropbox Personal" + app = data.pfptmeta_catalog_app.dropbox.id + 
tenant_type = "Personal" +} + +resource "pfptmeta_url_filtering_rule" "warn_for_dropbox" { + name = "Warn For Dropbox" + apply_to_org = true + action = "WARN" + cloud_apps = [pfptmeta_cloud_app.dropbox_personal.id] + priority = 88 + warn_ttl = 15 +} +``` + +### Block Contents During Work Hours: + +```terraform +resource "pfptmeta_content_category" "news" { + name = "News" + confidence_level = "LOW" + types = ["News and Media"] +} + +resource "pfptmeta_content_category" "social_network" { + name = "Social Networking" + confidence_level = "LOW" + types = ["Social Networking"] +} + +resource "pfptmeta_time_frame" "work_hours" { + name = "Work Hours" + days = ["monday", "tuesday", "wednesday", "thursday", "friday"] + start_time { + hour = 8 + minute = 0 + } + end_time { + hour = 18 + minute = 0 + } +} + +resource "pfptmeta_url_filtering_rule" "work_time" { + name = "News And Social Networking" + description = "Blocks news and social networking during work hours" + apply_to_org = true + action = "BLOCK" + advanced_threat_protection = false + forbidden_content_categories = [pfptmeta_content_category.news.id, pfptmeta_content_category.social_network.id] + priority = 80 + warn_ttl = 15 + schedule = [pfptmeta_time_frame.work_hours.id] +} +``` + + +## Schema + +### Required + +- `action` (String) Enum: `ISOLATION`, `BLOCK`, `LOG`, `RESTRICT`, `WARN`. +This action determines what must be done according to this URL filtering rule if a user tries to reach a restricted URL. +- `name` (String) + +### Optional + +- `advanced_threat_protection` (Boolean) Enables the first-rate security engine based on up-to-date web threat intelligence gathered from two decades of protecting the world's largest organizations from email-borne attacks. +- `apply_to_org` (Boolean) indicates whether this URL filtering rule applies to the org. 
+- `catalog_app_categories` (List of String) ENUM: `Instant Messaging`, `eCommerce`, `Content Management`, `Software Development`, `Project Management`, `Marketing`, `CRM`, `Telecommunications`, `Social and Communication`, `Productivity`, `Collaboration`, `Business and Finance`, `Utilities`, `IT Service Management`, `Social Networking`, `Office Document and Productivity`, `Cloud File Sharing`, `Web Meetings`, `Identity and Access Management`, `IT Services and Hosting`, `Webmail`, `Website Builder`, `Human Capital Management`, `Sales and CRM`, `E-commerce and Accounting`, `Streaming Media`, `Cloud Storage`, `Operations Management`, `Online Meeting`, `Supply Chain`, `Security and Compliance`, `Entertainment and Lifestyle`, `System and Network`, `Retail and Consumer Services`, `Health and Benefits`, `Data and Analytics`, `Education and References`, `Personal instant messaging`, `Legal`, `Other`, `Hosting Services`, `News and Media`, `Sales`, `Enterprise Resource Planning`, `Advertising`, `Travel and Transportation`, `Property Management`, `Government Services`, `Games`, `Code Hosting`. +List of catalog app categories that the URL filtering rule must restrict. +- `catalog_app_risk` (Number) Risk threshold to be used to restrict all catalog apps which has that risk or higher. +- `cloud_apps` (List of String) List of [cloud app](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/cloud_app) IDs which the URL filtering rule should restrict. +- `countries` (List of String) A list of countries in which this rule should be applied. Each country should be represented by a Alpha-2 code (ISO-3166). 
Enum: `AD`,`AE`,`AF`,`AG`,`AI`,`AL`,`AM`,`AO`,`AQ`,`AR`,`AS`,`AT`,`AU`,`AW`,`AX`,`AZ`,`BA`,`BB`,`BD`,`BE`,`BF`,`BG`,`BH`,`BI`,`BJ`,`BL`,`BM`,`BN`,`BO`,`BQ`,`BR`,`BS`,`BT`,`BV`,`BW`,`BY`,`BZ`,`CA`,`CC`,`CD`,`CF`,`CG`,`CH`,`CI`,`CK`,`CL`,`CM`,`CN`,`CO`,`CR`,`CU`,`CV`,`CW`,`CX`,`CY`,`CZ`,`DE`,`DJ`,`DK`,`DM`,`DO`,`DZ`,`EC`,`EE`,`EG`,`EH`,`ER`,`ES`,`ET`,`FI`,`FJ`,`FK`,`FM`,`FO`,`FR`,`GA`,`GB`,`GD`,`GE`,`GF`,`GG`,`GH`,`GI`,`GL`,`GM`,`GN`,`GP`,`GQ`,`GR`,`GS`,`GT`,`GU`,`GW`,`GY`,`HK`,`HM`,`HN`,`HR`,`HT`,`HU`,`ID`,`IE`,`IL`,`IM`,`IN`,`IO`,`IQ`,`IR`,`IS`,`IT`,`JE`,`JM`,`JO`,`JP`,`KE`,`KG`,`KH`,`KI`,`KM`,`KN`,`KP`,`KR`,`KW`,`KY`,`KZ`,`LA`,`LB`,`LC`,`LI`,`LK`,`LR`,`LS`,`LT`,`LU`,`LV`,`LY`,`MA`,`MC`,`MD`,`ME`,`MF`,`MG`,`MH`,`MK`,`ML`,`MM`,`MN`,`MO`,`MP`,`MQ`,`MR`,`MS`,`MT`,`MU`,`MV`,`MW`,`MX`,`MY`,`MZ`,`NA`,`NC`,`NE`,`NF`,`NG`,`NI`,`NL`,`NO`,`NP`,`NR`,`NU`,`NZ`,`OM`,`PA`,`PE`,`PF`,`PG`,`PH`,`PK`,`PL`,`PM`,`PN`,`PR`,`PS`,`PT`,`PW`,`PY`,`QA`,`RE`,`RO`,`RS`,`RU`,`RW`,`SA`,`SB`,`SC`,`SD`,`SE`,`SG`,`SH`,`SI`,`SJ`,`SK`,`SL`,`SM`,`SN`,`SO`,`SR`,`SS`,`ST`,`SV`,`SX`,`SY`,`SZ`,`TC`,`TD`,`TF`,`TG`,`TH`,`TJ`,`TK`,`TL`,`TM`,`TN`,`TO`,`TR`,`TT`,`TV`,`TW`,`TZ`,`UA`,`UG`,`UM`,`US`,`UY`,`UZ`,`VA`,`VC`,`VE`,`VG`,`VI`,`VN`,`VU`,`WF`,`WS`,`YE`,`YT`,`ZA`,`ZM`,`ZW` +- `description` (String) +- `enabled` (Boolean) +- `exempt_sources` (List of String) Subgroup of 'sources' on which the URL filtering rule should not be applied. +- `expires_at` (String) Defines the rule expiration time. This can be useful when creating exceptions for users who need them for a limited period of time as an alternative for full disconnection from the proxy. When no value is given the URL filtering rule will never expire. Takes `RFC3339` (`2006-01-02T15:04:05Z`) date format. +- `filter_expression` (String) Defines filtering expressions to ensure granularity in URL filtering rule application. 
+These expressions consist of the **{Key:Value}** tags according to the internal and external risk factors obtained from the following sources: + +- Proofpoint’s Nexus People Risk Explorer (NPRE). +- Proofpoint’s Targeted Attack Protection (TAP). +- CrowdStrike’s Falcon Zero Trust Assessment (ZTA). +- Configured posture checks. +- User-defined tags. +- Auto-generated tags, such as platform type, device type, etc. +- `forbidden_content_categories` (List of String) List of [content category](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/content_category) IDs which the URL filtering rule should restrict. +- `networks` (List of String) List of source [IP network](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/ip_network) IDs the URL filtering rule applies on +- `priority` (Number) Determines the order in which the URL-filtering rules are evaluated. The order is significant since the first URL-filtering rule that finds a URL restricted is the one to determine which action to execute. Lower priority value means the URL-filtering rule will be evaluated earlier. +- `schedule` (List of String) List of [time frame](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/time_frame) IDs during which the URL filtering rule will be enforced +- `sources` (List of String) Users and groups on which the URL filtering rule should be applied. +- `tenant_restriction` (String) [Tenant restrictions](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/tenant_restriction) for this rule. Only the `RESTRICT` action is allowed when this option is set. 
+- `threat_categories` (List of String) List of [threat category](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/threat_category) IDs the URL filtering rule will protect against +- `warn_ttl` (Number) Time in minutes during which the warning page is not shown again after user proceeds to URL + +### Read-Only + +- `id` (String) The ID of this resource. diff --git a/examples/data-sources/pfptmeta_url_filtering_rule/data-source.tf b/examples/data-sources/pfptmeta_url_filtering_rule/data-source.tf new file mode 100644 index 00000000..2ecb7c62 --- /dev/null +++ b/examples/data-sources/pfptmeta_url_filtering_rule/data-source.tf @@ -0,0 +1,7 @@ +data "pfptmeta_url_filtering_rule" "ufr" { + id = "ufr-123abc" +} + +output "catalog_app" { + value = data.pfptmeta_url_filtering_rule.ufr +} \ No newline at end of file diff --git a/examples/resources/pfptmeta_url_filtering_rule/block_for_work_hours.tf b/examples/resources/pfptmeta_url_filtering_rule/block_for_work_hours.tf new file mode 100644 index 00000000..dcd9fb9c --- /dev/null +++ b/examples/resources/pfptmeta_url_filtering_rule/block_for_work_hours.tf 
@@ -0,0 +1,36 @@
+resource "pfptmeta_content_category" "news" {
+ name = "News"
+ confidence_level = "LOW"
+ types = ["News and Media"]
+}
+
+resource "pfptmeta_content_category" "social_network" {
+ name = "Social Networking"
+ confidence_level = "LOW"
+ types = ["Social Networking"]
+}
+
+resource "pfptmeta_time_frame" "work_hours" {
+ name = "Work Hours"
+ days = ["monday", "tuesday", "wednesday", "thursday", "friday"]
+ start_time {
+ hour = 8
+ minute = 0
+ }
+ end_time {
+ hour = 18
+ minute = 0
+ }
+}
+
+resource "pfptmeta_url_filtering_rule" "work_time" {
+ name = "News And Social Networking"
+ description = "Blocks news and social networking during work hours"
+ apply_to_org = true
+ action = "BLOCK"
+ advanced_threat_protection = false
+ forbidden_content_categories = [pfptmeta_content_category.news.id, pfptmeta_content_category.social_network.id]
+ priority = 80
+ warn_ttl = 15
+ schedule = [pfptmeta_time_frame.work_hours.id]
+}
\ No newline at end of file
diff --git a/examples/resources/pfptmeta_url_filtering_rule/default_rule.tf b/examples/resources/pfptmeta_url_filtering_rule/default_rule.tf
new file mode 100644
index 00000000..0f113aa0
--- /dev/null
+++ b/examples/resources/pfptmeta_url_filtering_rule/default_rule.tf
@@ -0,0 +1,33 @@
+resource "pfptmeta_threat_category" "malicious" {
+ name = "Malicious Threat"
+ confidence_level = "LOW"
+ risk_level = "LOW"
+ countries = ["IR", "KP"]
+ types = [
+ "Bitcoin Related", "Blackhole", "Botnets", "Brute Forcer", "CnC", "Compromised", "Drop", "EXE Source",
+ "Fake AV", "Keyloggers and Monitoring", "Malware Sites", "Mobile CnC", "Mobile Spyware CnC", "P2P CnC",
+ "Phishing and Other Frauds", "Spyware and Adware", "Tor"
+ ]
+}
+
+resource "pfptmeta_content_category" "strict" {
+ name = "Strict Category"
+ confidence_level = "LOW"
+ types = [
+ "Sex Education", "Nudity", "Abused Drugs", "Marijuana", "Swimsuits and Intimate Apparel", "Violence",
+ "Gross", "Adult and Pornography", "Weapons", "Hate and Racism", "Gambling"
+ ]
+ urls = [".espn.com"]
+}
+
+resource "pfptmeta_url_filtering_rule" "default_rule" {
+ name = "default rule"
+ description = "default rule"
+ apply_to_org = true
+ action = "BLOCK"
+ advanced_threat_protection = true
+ threat_categories = [pfptmeta_threat_category.malicious.id]
+ forbidden_content_categories = [pfptmeta_content_category.strict.id]
+ priority = 94
+ warn_ttl = 15
+}
\ No newline at end of file
diff --git a/examples/resources/pfptmeta_url_filtering_rule/high_risk.tf b/examples/resources/pfptmeta_url_filtering_rule/high_risk.tf
new file mode 100644
index 00000000..52f60d22
--- /dev/null
+++ b/examples/resources/pfptmeta_url_filtering_rule/high_risk.tf
@@ -0,0 +1,20 @@
+data "pfptmeta_catalog_app" "salesforce" {
+ name = "Salesforce"
+ category = "Content Management"
+}
+
+resource "pfptmeta_cloud_app" "salesforce" {
+ name = "salesforce"
+ app = data.pfptmeta_catalog_app.salesforce.id
+ urls = [".my.salesforce.com"]
+}
+
+resource "pfptmeta_url_filtering_rule" "high_risk" {
+ name = "Block High Risk - Expression"
+ apply_to_org = true
+ action = "BLOCK"
+ cloud_apps = [pfptmeta_cloud_app.salesforce.id]
+ filter_expression = "crwd_agent:fail OR crwdzta:high OR npre-it"
+ priority = 90
+ warn_ttl = 15
+}
\ No newline at end of file
diff --git a/examples/resources/pfptmeta_url_filtering_rule/isolate_web_mail.tf b/examples/resources/pfptmeta_url_filtering_rule/isolate_web_mail.tf
new file mode 100644
index 00000000..014d2f1b
--- /dev/null
+++ b/examples/resources/pfptmeta_url_filtering_rule/isolate_web_mail.tf
@@ -0,0 +1,16 @@
+resource "pfptmeta_content_category" "web_mail_category" {
+ name = "Webmail Category"
+ confidence_level = "LOW"
+ types = ["Web-based Email"]
+ urls = [".live.com", ".outlook.com"]
+}
+
+resource "pfptmeta_url_filtering_rule" "isolate_web_mails" {
+ name = "Isolate Web Mails"
+ apply_to_org = true
+ action = "ISOLATION"
+ advanced_threat_protection = false
+ forbidden_content_categories = [pfptmeta_content_category.web_mail_category.id]
+ priority = 92
+ warn_ttl = 15
+}
\ No newline at end of file
diff --git a/examples/resources/pfptmeta_url_filtering_rule/log_all.tf b/examples/resources/pfptmeta_url_filtering_rule/log_all.tf
new file mode 100644
index 00000000..970e8e27
--- /dev/null
+++ b/examples/resources/pfptmeta_url_filtering_rule/log_all.tf
@@ -0,0 +1,44 @@
+resource "pfptmeta_threat_category" "log_all" {
+ name = "Threats To Log"
+ confidence_level = "LOW"
+ risk_level = "LOW"
+ types = [
+ "Botnets", "Chat Server", "Phishing and Other Frauds", "Utility", "Self Signed SSL", "Brute Forcer", "DDoS Target",
+ "Parking", "Scanner", "Online Gaming", "Blackhole", "Compromised", "Fake AV", "Malware Sites", "P2P CnC",
+ "Remote Access Service", "Bitcoin Related", "SPAM URLs", "Mobile CnC", "Tor", "IP Check", "DynDNS", "CnC",
+ "Spyware and Adware", "Undesirable", "Mobile Spyware CnC", "Abused TLD", "EXE Source", "VPN", "Drop",
+ "Proxy Avoidance and Anonymizers", "Peer to Peer"
+ ]
+}
+
+resource "pfptmeta_content_category" "log_all" {
+ name = "Category To Log"
+ confidence_level = "HIGH"
+ types = [
+ "Abortion", "Sex Education", "Pay to Surf", "Web Advertisements", "Dynamically Generated Content",
+ "Parked Domains", "Alcohol and Tobacco", "Personal sites and Blogs", "Hacking",
+ "Abused Drugs", "Marijuana", "Training and Tools", "Reference and Research", "Educational Institutions",
+ "Web-based Email", "Financial Services", "Business and Economy",
+ "Individual Stock Advice and Tools", "Home and Garden", "Gambling", "Games", "Kids", "Legal", "Government",
+ "Health and Medicine", "Recreation and Hobbies", "Questionable", "Cheating", "Illegal", "Job Search",
+ "Swimsuits and Intimate Apparel", "Hate and Racism", "Local Information", "News and Media", "Nudity",
+ "Philosophy and Political Advocacy", "Adult and Pornography", "Internet Portals", "Real Estate", "Cult and Occult",
+ "Religion", "Search Engines", "Image and Video Search", "Auctions", "Shopping", "Online Greeting Cards",
+ "Fashion and Beauty", "Social Networking", "Dating", "Society", "Computer and Internet Security",
+ "Computer and Internet Info", "Shareware and Freeware", "Personal Storage", "Content Delivery Networks",
+ "Web Hosting", "Internet Communications", "Hunting and Fishing", "Sports", "Streaming Media",
+ "Entertainment and Arts", "Translation", "Travel", "Motor Vehicles", "Violence", "Gross", "Weapons"
+ ]
+ urls = [".clarivate.io"]
+}
+
+resource "pfptmeta_url_filtering_rule" "log_all" {
+ name = "Log All"
+ apply_to_org = true
+ action = "LOG"
+ advanced_threat_protection = true
+ threat_categories = [pfptmeta_threat_category.log_all.id]
+ forbidden_content_categories = [pfptmeta_content_category.log_all.id]
+ priority = 95
+ warn_ttl = 15
+}
\ No newline at end of file
diff --git a/examples/resources/pfptmeta_url_filtering_rule/warn_for_dropbox.tf b/examples/resources/pfptmeta_url_filtering_rule/warn_for_dropbox.tf
new file mode 100644
index 00000000..d08f7a65
--- /dev/null
+++ b/examples/resources/pfptmeta_url_filtering_rule/warn_for_dropbox.tf
@@ -0,0 +1,19 @@
+data "pfptmeta_catalog_app" "dropbox" {
+ name = "Dropbox"
+ category = "Collaboration"
+}
+
+resource "pfptmeta_cloud_app" "dropbox_personal" {
+ name = "Dropbox Personal"
+ app = data.pfptmeta_catalog_app.dropbox.id
+ tenant_type = "Personal"
+}
+
+resource "pfptmeta_url_filtering_rule" "warn_for_dropbox" {
+ name = "Warn For Dropbox"
+ apply_to_org = true
+ action = "WARN"
+ cloud_apps = [pfptmeta_cloud_app.dropbox_personal.id]
+ priority = 88
+ warn_ttl = 15
+}
\ No newline at end of file
diff --git a/internal/client/url_filtering_rule.go b/internal/client/url_filtering_rule.go
new file mode 100644
index 00000000..69800c7b
--- /dev/null
+++ b/internal/client/url_filtering_rule.go
@@ -0,0 +1,123 @@ +package client + +import ( + "bytes" + "context" + "encoding/json" + "fmt" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "io/ioutil" + "net/http" + u "net/url" +) + +const urlFilteringRulesEndpoint string = "v1/url_filtering_rules" + +type UrlFilteringRule struct { + ID string `json:"id,omitempty"` + Name string `json:"name,omitempty"` + Description string `json:"description"` + Action string `json:"action"` + ApplyToOrg bool `json:"apply_to_org"` + Enabled bool `json:"enabled"` + Sources []string `json:"sources,omitempty"` + ExemptSources []string `json:"exempt_sources,omitempty"` + AdvancedThreatProtection bool `json:"advanced_threat_protection"` + CatalogAppCategories []string `json:"catalog_app_categories"` + CatalogAppRisk int `json:"catalog_app_risk,omitempty"` + CloudApps []string `json:"cloud_apps"` + Countries []string `json:"countries,omitempty"` + ExpiresAt string `json:"expires_at,omitempty"` + FilterExpression string `json:"filter_expression,omitempty"` + ForbiddenContentCategories []string `json:"forbidden_content_categories"` + Networks []string `json:"networks,omitempty"` + Priority int `json:"priority"` + Schedule []string `json:"schedule"` + TenantRestriction string `json:"tenant_restriction,omitempty"` + ThreatCategories []string `json:"threat_categories"` + WarnTtl int `json:"warn_ttl"` +} + +func NewUrlFilteringRule(d *schema.ResourceData) *UrlFilteringRule { + res := &UrlFilteringRule{} + if d.HasChange("name") { + res.Name = d.Get("name").(string) + } + res.Description = d.Get("description").(string) + res.Action = d.Get("action").(string) + res.ApplyToOrg = d.Get("apply_to_org").(bool) + res.Enabled = d.Get("enabled").(bool) + res.Sources = ConfigToStringSlice("sources", d) + res.ExemptSources = ConfigToStringSlice("exempt_sources", d) + res.AdvancedThreatProtection = d.Get("advanced_threat_protection").(bool) + res.CatalogAppCategories = ConfigToStringSlice("catalog_app_categories", d) + 
res.CatalogAppRisk = d.Get("catalog_app_risk").(int) + res.CloudApps = ConfigToStringSlice("cloud_apps", d) + res.Countries = ConfigToStringSlice("countries", d) + res.ExpiresAt = d.Get("expires_at").(string) + res.FilterExpression = d.Get("filter_expression").(string) + res.ForbiddenContentCategories = ConfigToStringSlice("forbidden_content_categories", d) + res.Networks = ConfigToStringSlice("networks", d) + res.Priority = d.Get("priority").(int) + res.Schedule = ConfigToStringSlice("schedule", d) + res.TenantRestriction = d.Get("tenant_restriction").(string) + res.ThreatCategories = ConfigToStringSlice("threat_categories", d) + res.WarnTtl = d.Get("warn_ttl").(int) + + return res +} + +func parseUrlFilteringRule(resp *http.Response) (*UrlFilteringRule, error) { + defer resp.Body.Close() + body, err := ioutil.ReadAll(resp.Body) + pg := &UrlFilteringRule{} + err = json.Unmarshal(body, pg) + if err != nil { + return nil, fmt.Errorf("could not parse url filtering rule response: %v", err) + } + return pg, nil +} + +func CreateUrlFilteringRule(ctx context.Context, c *Client, rg *UrlFilteringRule) (*UrlFilteringRule, error) { + rgUrl := fmt.Sprintf("%s/%s", c.BaseURL, urlFilteringRulesEndpoint) + body, err := json.Marshal(rg) + if err != nil { + return nil, fmt.Errorf("could not convert url filtering rule to json: %v", err) + } + resp, err := c.Post(ctx, rgUrl, bytes.NewReader(body)) + if err != nil { + return nil, err + } + return parseUrlFilteringRule(resp) +} + +func UpdateUrlFilteringRule(ctx context.Context, c *Client, rgID string, rg *UrlFilteringRule) (*UrlFilteringRule, error) { + rgUrl := fmt.Sprintf("%s/%s/%s", c.BaseURL, urlFilteringRulesEndpoint, rgID) + body, err := json.Marshal(rg) + if err != nil { + return nil, fmt.Errorf("could not convert url filtering rule to json: %v", err) + } + resp, err := c.Patch(ctx, rgUrl, bytes.NewReader(body)) + if err != nil { + return nil, err + } + return parseUrlFilteringRule(resp) +} + +func GetUrlFilteringRule(ctx 
context.Context, c *Client, rgID string) (*UrlFilteringRule, error) { + url := fmt.Sprintf("%s/%s/%s", c.BaseURL, urlFilteringRulesEndpoint, rgID) + resp, err := c.Get(ctx, url, u.Values{"expand": {"true"}}) + if err != nil { + return nil, err + } + return parseUrlFilteringRule(resp) +} + +func DeleteUrlFilteringRule(ctx context.Context, c *Client, pgID string) (*UrlFilteringRule, error) { + url := fmt.Sprintf("%s/%s/%s", c.BaseURL, urlFilteringRulesEndpoint, pgID) + resp, err := c.Delete(ctx, url, nil) + if err != nil { + return nil, err + } + return parseUrlFilteringRule(resp) +} diff --git a/internal/provider/acc_tests/url_filtering_rule_test.go b/internal/provider/acc_tests/url_filtering_rule_test.go new file mode 100644 index 00000000..ef9b0064 --- /dev/null +++ b/internal/provider/acc_tests/url_filtering_rule_test.go 
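Review bot: In parseUrlFilteringRule the error from ioutil.ReadAll is discarded — `err` is overwritten by json.Unmarshal on the next line, so a failed or truncated body read surfaces only as a misleading JSON parse error. Check it before unmarshalling: `body, err := io.ReadAll(resp.Body)` / `if err != nil { return nil, fmt.Errorf("could not read url filtering rule response: %w", err) }`, which also retires the deprecated io/ioutil and, with `%w` instead of `%v`, lets callers use errors.Is/As on the wrapped error. The remaining functions carry over `rg`, `pg`, `pgID` and `rgUrl` from another resource's client file; `rule`/`ruleURL` would read as written for this type, and the local `url` in Get/Delete only avoids clashing with net/url because that package is aliased to `u`. Whether a non-2xx status is turned into an error before the body is parsed depends on c.Post/c.Patch/c.Get/c.Delete, which are outside this hunk.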
@@ -0,0 +1,256 @@ +package acc_tests + +import ( + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource" + "regexp" + "testing" +) + +const ( + urlFilteringRuleDependencies = ` +resource "pfptmeta_threat_category" "malicious" { + name = "Malicious Threat" + confidence_level = "LOW" + risk_level = "LOW" + countries = ["IR", "KP"] + types = [ + "Bitcoin Related", "Blackhole", "Botnets", "Brute Forcer", "CnC", "Compromised", "Drop", "EXE Source", + "Fake AV", "Keyloggers and Monitoring", "Malware Sites", "Mobile CnC", "Mobile Spyware CnC", "P2P CnC", + "Phishing and Other Frauds", "Spyware and Adware", "Tor" + ] +} + +resource "pfptmeta_content_category" "cc" { + name = "Strict category" + confidence_level = "LOW" + types = [ + "Sex Education", "Nudity", "Abused Drugs", "Marijuana", "Swimsuits and Intimate Apparel", "Violence", + "Gross", "Adult and Pornography", "Weapons", "Hate and Racism", "Gambling" + ] + urls = [".espn.com"] +} + +resource "pfptmeta_time_frame" "work_hours" { + name = "Work Hours" + days = ["monday", "tuesday", "wednesday", "thursday", "friday"] + start_time { + hour = 8 + minute = 0 + } + end_time { + hour = 18 + minute = 0 + } +} + +data "pfptmeta_catalog_app" "salesforce" { + name = "Salesforce" + category = "Content Management" +} + +resource "pfptmeta_cloud_app" "salesforce" { + name = "salesforce" + app = data.pfptmeta_catalog_app.salesforce.id + urls = [".my.salesforce.com"] +} + +resource "pfptmeta_user" "user" { + given_name = "ufr" + family_name = "user" + email = "ufr.user@example.com" +} +` + ufrResourceStep1 = ` +resource "pfptmeta_url_filtering_rule" "default_rule" { + name = "ufr" + description = "ufr desc" + apply_to_org = true + action = "BLOCK" + advanced_threat_protection = true + threat_categories = [pfptmeta_threat_category.malicious.id] + forbidden_content_categories = [pfptmeta_content_category.cc.id] + priority = 94 + warn_ttl = 15 + filter_expression = "crwd_agent:fail" + schedule = 
[pfptmeta_time_frame.work_hours.id] +} + +resource "pfptmeta_url_filtering_rule" "high_risk" { + name = "ufr 2" + apply_to_org = true + action = "BLOCK" + cloud_apps = [pfptmeta_cloud_app.salesforce.id] + priority = 90 + warn_ttl = 15 +} +` + ufrResourceStep2 = ` +resource "pfptmeta_url_filtering_rule" "default_rule" { + name = "ufr 1" + description = "ufr desc 1" + sources = [pfptmeta_user.user.id] + action = "ISOLATION" + advanced_threat_protection = false + forbidden_content_categories = [pfptmeta_content_category.cc.id] + priority = 50 + warn_ttl = 15 + filter_expression = "crwdzta:high" +} + +resource "pfptmeta_url_filtering_rule" "high_risk" { + name = "ufr 2 2" + sources = [pfptmeta_user.user.id] + action = "ISOLATION" + cloud_apps = [pfptmeta_cloud_app.salesforce.id] + priority = 51 + warn_ttl = 15 +} +` + datasourceUfrDependencies = ` +resource "pfptmeta_content_category" "cc" { + name = "for data-source test" + confidence_level = "LOW" + types = ["Sex Education"] +} + +resource "pfptmeta_url_filtering_rule" "default_rule" { + name = "data source ufr" + description = "data source ufr desc" + apply_to_org = true + action = "ISOLATION" + advanced_threat_protection = false + forbidden_content_categories = [pfptmeta_content_category.cc.id] + priority = 50 + warn_ttl = 15 + filter_expression = "crwdzta:high" +} +` + ufrForDataSource = ` +data "pfptmeta_url_filtering_rule" "ufr" { + id = pfptmeta_url_filtering_rule.default_rule.id +} +` +) + +func TestAccResourceURLFilteringRule(t *testing.T) { + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ProviderFactories: providerFactories, + CheckDestroy: validateResourceDestroyed("url_filtering_rule", "v1/url_filtering_rules"), + Steps: []resource.TestStep{ + { + Config: urlFilteringRuleDependencies + ufrResourceStep1, + Check: resource.ComposeTestCheckFunc( + resource.TestMatchResourceAttr("pfptmeta_url_filtering_rule.default_rule", "id", regexp.MustCompile("^ufr-.+$")), + 
resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "name", "ufr"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "description", "ufr desc"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "apply_to_org", "true"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "action", "BLOCK"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.default_rule", "threat_categories.0", + "pfptmeta_threat_category.malicious", "id"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.default_rule", "forbidden_content_categories.0", + "pfptmeta_content_category.cc", "id"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "priority", "94"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "warn_ttl", "15"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "filter_expression", "crwd_agent:fail"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.default_rule", "schedule.0", + "pfptmeta_time_frame.work_hours", "id"), + + resource.TestMatchResourceAttr("pfptmeta_url_filtering_rule.high_risk", "id", regexp.MustCompile("^ufr-.+$")), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "name", "ufr 2"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "apply_to_org", "true"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "action", "BLOCK"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.high_risk", "cloud_apps.0", + "pfptmeta_cloud_app.salesforce", "id"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "priority", "90"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "warn_ttl", "15"), + ), + }, + { + Config: urlFilteringRuleDependencies + ufrResourceStep2, + Check: resource.ComposeTestCheckFunc( + 
resource.TestMatchResourceAttr("pfptmeta_url_filtering_rule.default_rule", "id", regexp.MustCompile("^ufr-.+$")), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "name", "ufr 1"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "description", "ufr desc 1"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "apply_to_org", "false"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.default_rule", "sources.0", + "pfptmeta_user.user", "id"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "action", "ISOLATION"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "threat_categories.#", "0"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.default_rule", "forbidden_content_categories.0", + "pfptmeta_content_category.cc", "id"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "priority", "50"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "warn_ttl", "15"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "filter_expression", "crwdzta:high"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "schedule.#", "0"), + + resource.TestMatchResourceAttr("pfptmeta_url_filtering_rule.high_risk", "id", regexp.MustCompile("^ufr-.+$")), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "name", "ufr 2 2"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "apply_to_org", "false"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.high_risk", "sources.0", + "pfptmeta_user.user", "id"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "action", "ISOLATION"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.high_risk", "cloud_apps.0", + "pfptmeta_cloud_app.salesforce", "id"), + 
resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "priority", "51"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "warn_ttl", "15"), + ), + }, + }, + }) +} + +func TestAccDataSourceURLFilteringRule(t *testing.T) { + resource.ParallelTest(t, resource.TestCase{ + PreCheck: func() { testAccPreCheck(t) }, + ProviderFactories: providerFactories, + CheckDestroy: validateResourceDestroyed("url_filtering_rule", "v1/url_filtering_rules"), + Steps: []resource.TestStep{ + { + Config: urlFilteringRuleDependencies + ufrResourceStep1, + Check: resource.ComposeTestCheckFunc( + resource.TestMatchResourceAttr("pfptmeta_url_filtering_rule.default_rule", "id", regexp.MustCompile("^ufr-.+$")), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "name", "ufr"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "description", "ufr desc"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "apply_to_org", "true"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "action", "BLOCK"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.default_rule", "threat_categories.0", + "pfptmeta_threat_category.malicious", "id"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.default_rule", "forbidden_content_categories.0", + "pfptmeta_content_category.cc", "id"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "priority", "94"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "warn_ttl", "15"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "filter_expression", "crwd_agent:fail"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.default_rule", "schedule.0", + "pfptmeta_time_frame.work_hours", "id"), + + resource.TestMatchResourceAttr("pfptmeta_url_filtering_rule.high_risk", "id", 
regexp.MustCompile("^ufr-.+$")), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "name", "ufr 2"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "apply_to_org", "true"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "action", "BLOCK"), + resource.TestCheckResourceAttrPair("pfptmeta_url_filtering_rule.high_risk", "cloud_apps.0", + "pfptmeta_cloud_app.salesforce", "id"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "priority", "90"), + resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.high_risk", "warn_ttl", "15"), + ), + }, + { + Config: datasourceUfrDependencies + ufrForDataSource, + Check: resource.ComposeTestCheckFunc( + resource.TestMatchResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "id", regexp.MustCompile("^ufr-.+$")), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "name", "data source ufr"), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "description", "data source ufr desc"), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "apply_to_org", "true"), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "action", "ISOLATION"), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "advanced_threat_protection", "false"), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "threat_categories.#", "0"), + resource.TestCheckResourceAttrPair("data.pfptmeta_url_filtering_rule.ufr", "forbidden_content_categories.0", + "pfptmeta_content_category.cc", "id"), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "priority", "50"), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "warn_ttl", "15"), + resource.TestCheckResourceAttr("data.pfptmeta_url_filtering_rule.ufr", "filter_expression", "crwdzta:high"), + ), + }, + }, + }) +} 
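Review bot: The first step of TestAccDataSourceURLFilteringRule is a verbatim copy of step 1 of TestAccResourceURLFilteringRule — same config, same check list — and it neither exercises the data source nor feeds the second step, whose config (datasourceUfrDependencies + ufrForDataSource) is self-contained. Drop that step, or if the intent is to prove the resource exists before the data source reads it, keep a single `TestMatchResourceAttr` on the id. If the full check list is wanted in both tests, hoist it into a package-level `resource.TestCheckFunc` so the two copies cannot drift. Neither step of the resource test asserts advanced_threat_protection although step 1 sets it true and step 2 flips it to false; the data-source test does check it, so add `resource.TestCheckResourceAttr("pfptmeta_url_filtering_rule.default_rule", "advanced_threat_protection", "false"),` to step 2 (and the `"true"` counterpart to step 1).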
diff --git a/internal/provider/common/validations.go b/internal/provider/common/validations.go index f03264c3..713ed815 100644 --- a/internal/provider/common/validations.go +++ b/internal/provider/common/validations.go @@ -13,6 +13,7 @@ import ( "regexp" "strconv" "strings" + "time" ) var numericPattern = regexp.MustCompile("^[0-9]{1,30}$") @@ -339,3 +340,14 @@ func ValidatePEMCert() func(interface{}, cty.Path) diag.Diagnostics { return } } + +func ValidateIsoTimeFormat() func(interface{}, cty.Path) diag.Diagnostics { + return func(input interface{}, path cty.Path) (diags diag.Diagnostics) { + inputString := input.(string) + _, err := time.Parse(time.RFC3339, inputString) + if err != nil { + return diag.FromErr(err) + } + return + } +} diff --git a/internal/provider/provider.go b/internal/provider/provider.go index f47d6024..c7f03e58 100644 --- a/internal/provider/provider.go +++ b/internal/provider/provider.go @@ -44,6 +44,7 @@ import ( "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/threat_category" "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/time_frame" "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/trusted_network" + "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/url_filtering_rule" "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/user" "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/user_roles_attachment" "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/user_settings" 
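Review bot: ValidateIsoTimeFormat has no doc comment and its name promises more than the body delivers: time.Parse with time.RFC3339 accepts only the RFC 3339 profile, so ISO 8601 forms such as a date without a time or an offset written `+0200` are rejected. Add `// ValidateIsoTimeFormat accepts only RFC 3339 timestamps (e.g. 2006-01-02T15:04:05Z); other ISO 8601 layouts are rejected.` or rename it to ValidateRFC3339. The `path` argument is unused, so the diagnostic is not attached to the offending attribute; returning `diag.Diagnostics{{Severity: diag.Error, Summary: "invalid RFC 3339 timestamp", Detail: err.Error(), AttributePath: path}}` points the user at the field instead of a bare error. The unchecked `input.(string)` assertion presumably matches the other validators in this file and is safe only while the function is wired to TypeString attributes.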
@@ -117,7 +118,8 @@ func New(version string) func() *schema.Provider { "pfptmeta_time_frame": time_frame.DataSource(), "pfptmeta_catalog_app": catalog_app.DataSource(), "pfptmeta_tenant_restriction": tenant_restriction.DataSource(), - "pfptmeta_cloud_app": cloud_app.DataSource(), + "pfptmeta_cloud_app": cloud_app.DataSource(), + "pfptmeta_url_filtering_rule": url_filtering_rule.DataSource(), }, ResourcesMap: map[string]*schema.Resource{ "pfptmeta_network_element": network_element.Resource(), @@ -159,7 +161,8 @@ func New(version string) func() *schema.Provider { "pfptmeta_threat_category": threat_category.Resource(), "pfptmeta_time_frame": time_frame.Resource(), "pfptmeta_tenant_restriction": tenant_restriction.Resource(), - "pfptmeta_cloud_app": cloud_app.Resource(), + "pfptmeta_cloud_app": cloud_app.Resource(), + "pfptmeta_url_filtering_rule": url_filtering_rule.Resource(), }, } p.ConfigureContextFunc = configure(version, p) diff --git a/internal/provider/url_filtering_rule/common.go b/internal/provider/url_filtering_rule/common.go new file mode 100644 index 00000000..a2d05865 --- /dev/null +++ b/internal/provider/url_filtering_rule/common.go 
@@ -0,0 +1,143 @@ +package url_filtering_rule + +import ( + "context" + "github.com/hashicorp/terraform-plugin-sdk/v2/diag" + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/client" + "log" + "net/http" +) + +const ( + description = `The Proofpoint Web Security solution protects against web-based security threats by defining URL filtering rules +which include various content and threat categories, as well as cloud-based applications and tenant restrictions. +With these measures, you can enforce company security policies and filter malicious internet traffic in real time.` + actionDesc = "Enum: `ISOLATION`, `BLOCK`, `LOG`, `RESTRICT`, `WARN`.\n" + + "This action determines what must be done according to this URL filtering rule if a user tries to reach a restricted URL." + applyToOrgDesc = "indicates whether this URL filtering rule applies to the org." + sourcesDesc = "Users and groups on which the URL filtering rule should be applied." + exemptSources = "Subgroup of 'sources' on which the URL filtering rule should not be applied." + advancedThreatProtectionDesc = "Enables the first-rate security engine based on up-to-date web threat intelligence gathered from two decades of protecting the world's largest organizations from email-borne attacks." 
+ catalogAppCategories = "ENUM: `Instant Messaging`, `eCommerce`, `Content Management`, `Software Development`, `Project Management`, " + + "`Marketing`, `CRM`, `Telecommunications`, `Social and Communication`, `Productivity`, `Collaboration`, " + + "`Business and Finance`, `Utilities`, `IT Service Management`, `Social Networking`, `Office Document and Productivity`, " + + "`Cloud File Sharing`, `Web Meetings`, `Identity and Access Management`, `IT Services and Hosting`, `Webmail`, " + + "`Website Builder`, `Human Capital Management`, `Sales and CRM`, `E-commerce and Accounting`, `Streaming Media`, " + + "`Cloud Storage`, `Operations Management`, `Online Meeting`, `Supply Chain`, `Security and Compliance`, " + + "`Entertainment and Lifestyle`, `System and Network`, `Retail and Consumer Services`, `Health and Benefits`, " + + "`Data and Analytics`, `Education and References`, `Personal instant messaging`, `Legal`, `Other`, `Hosting Services`, " + + "`News and Media`, `Sales`, `Enterprise Resource Planning`, `Advertising`, `Travel and Transportation`, " + + "`Property Management`, `Government Services`, `Games`, `Code Hosting`.\n" + + "List of catalog app categories that the URL filtering rule must restrict." + catalogAppRiskDesc = "Risk threshold to be used to restrict all catalog apps which has that risk or higher." + cloudAppsDesc = "List of [cloud app](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/cloud_app) IDs which the URL filtering rule should restrict. " + countriesDesc = "A list of countries in which this rule should be applied. Each country should be represented by a Alpha-2 code (ISO-3166). 
" + + "Enum: `AD`,`AE`,`AF`,`AG`,`AI`,`AL`,`AM`,`AO`,`AQ`,`AR`,`AS`,`AT`,`AU`,`AW`,`AX`,`AZ`,`BA`,`BB`,`BD`,`BE`,`BF`," + + "`BG`,`BH`,`BI`,`BJ`,`BL`,`BM`,`BN`,`BO`,`BQ`,`BR`,`BS`,`BT`,`BV`,`BW`,`BY`,`BZ`,`CA`,`CC`,`CD`,`CF`,`CG`,`CH`," + + "`CI`,`CK`,`CL`,`CM`,`CN`,`CO`,`CR`,`CU`,`CV`,`CW`,`CX`,`CY`,`CZ`,`DE`,`DJ`,`DK`,`DM`,`DO`,`DZ`,`EC`,`EE`,`EG`," + + "`EH`,`ER`,`ES`,`ET`,`FI`,`FJ`,`FK`,`FM`,`FO`,`FR`,`GA`,`GB`,`GD`,`GE`,`GF`,`GG`,`GH`,`GI`,`GL`,`GM`,`GN`,`GP`," + + "`GQ`,`GR`,`GS`,`GT`,`GU`,`GW`,`GY`,`HK`,`HM`,`HN`,`HR`,`HT`,`HU`,`ID`,`IE`,`IL`,`IM`,`IN`,`IO`,`IQ`,`IR`,`IS`," + + "`IT`,`JE`,`JM`,`JO`,`JP`,`KE`,`KG`,`KH`,`KI`,`KM`,`KN`,`KP`,`KR`,`KW`,`KY`,`KZ`,`LA`,`LB`,`LC`,`LI`,`LK`,`LR`," + + "`LS`,`LT`,`LU`,`LV`,`LY`,`MA`,`MC`,`MD`,`ME`,`MF`,`MG`,`MH`,`MK`,`ML`,`MM`,`MN`,`MO`,`MP`,`MQ`,`MR`,`MS`,`MT`," + + "`MU`,`MV`,`MW`,`MX`,`MY`,`MZ`,`NA`,`NC`,`NE`,`NF`,`NG`,`NI`,`NL`,`NO`,`NP`,`NR`,`NU`,`NZ`,`OM`,`PA`,`PE`,`PF`," + + "`PG`,`PH`,`PK`,`PL`,`PM`,`PN`,`PR`,`PS`,`PT`,`PW`,`PY`,`QA`,`RE`,`RO`,`RS`,`RU`,`RW`,`SA`,`SB`,`SC`,`SD`,`SE`," + + "`SG`,`SH`,`SI`,`SJ`,`SK`,`SL`,`SM`,`SN`,`SO`,`SR`,`SS`,`ST`,`SV`,`SX`,`SY`,`SZ`,`TC`,`TD`,`TF`,`TG`,`TH`,`TJ`," + + "`TK`,`TL`,`TM`,`TN`,`TO`,`TR`,`TT`,`TV`,`TW`,`TZ`,`UA`,`UG`,`UM`,`US`,`UY`,`UZ`,`VA`,`VC`,`VE`,`VG`,`VI`,`VN`," + + "`VU`,`WF`,`WS`,`YE`,`YT`,`ZA`,`ZM`,`ZW`" + expiresAtDesc = "Defines the rule expiration time. " + + "This can be useful when creating exceptions for users who need them for a limited period of time as an alternative for full disconnection from the proxy. " + + "When no value is given the URL filtering rule will never expire. Takes `RFC3339` (`2006-01-02T15:04:05Z`) date format." + expressionDesc = `Defines filtering expressions to ensure granularity in URL filtering rule application. +These expressions consist of the **{Key:Value}** tags according to the internal and external risk factors obtained from the following sources: + +- Proofpoint’s Nexus People Risk Explorer (NPRE). 
+- Proofpoint’s Targeted Attack Protection (TAP). +- CrowdStrike’s Falcon Zero Trust Assessment (ZTA). +- Configured posture checks. +- User-defined tags. +- Auto-generated tags, such as platform type, device type, etc. +` + contentCategoriesDesc = "List of [content category](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/content_category) IDs which the URL filtering rule should restrict." + networkDesc = "List of source [IP network](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/ip_network) IDs the URL filtering rule applies on" + priorityDesc = "Determines the order in which the URL-filtering rules are evaluated. " + + "The order is significant since the first URL-filtering rule that finds a URL restricted is the one to determine which action to execute. " + + "Lower priority value means the URL-filtering rule will be evaluated earlier." + scheduleDesc = "List of [time frame](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/time_frame) IDs during which the URL filtering rule will be enforced" + tenantRestrictionDesc = "[Tenant restrictions](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/tenant_restriction) for this rule. " + + "Only the `RESTRICT` action is allowed when this option is set." 
+ threatCategoriesDesc = "List of [threat category](https://registry.terraform.io/providers/nsofnetworks/pfptmeta/latest/docs/resources/threat_category) IDs the URL filtering rule will protect against" + warnTtlDesc = "Time in minutes during which the warning page is not shown again after user proceeds to URL" +) + +var excludedKeys = []string{"id"} + +func urlFilteringRuleRead(ctx context.Context, d *schema.ResourceData, meta interface{}) (diags diag.Diagnostics) { + id := d.Get("id").(string) + c := meta.(*client.Client) + a, err := client.GetUrlFilteringRule(ctx, c, id) + if err != nil { + errResponse, ok := err.(*client.ErrorResponse) + if ok && errResponse.Status == http.StatusNotFound { + log.Printf("[WARN] Removing url filtering rule %s because it's gone", id) + d.SetId("") + return + } else { + return diag.FromErr(err) + } + } + d.SetId(a.ID) + err = client.MapResponseToResource(a, d, excludedKeys) + if err != nil { + return diag.FromErr(err) + } + return +} +func urlFilteringRuleCreate(ctx context.Context, d *schema.ResourceData, meta interface{}) (diags diag.Diagnostics) { + c := meta.(*client.Client) + + body := client.NewUrlFilteringRule(d) + a, err := client.CreateUrlFilteringRule(ctx, c, body) + if err != nil { + return diag.FromErr(err) + } + d.SetId(a.ID) + err = client.MapResponseToResource(a, d, excludedKeys) + if err != nil { + return diag.FromErr(err) + } + return +} + +func urlFilteringRuleUpdate(ctx context.Context, d *schema.ResourceData, meta interface{}) (diags diag.Diagnostics) { + c := meta.(*client.Client) + + id := d.Id() + body := client.NewUrlFilteringRule(d) + a, err := client.UpdateUrlFilteringRule(ctx, c, id, body) + if err != nil { + return diag.FromErr(err) + } + d.SetId(a.ID) + err = client.MapResponseToResource(a, d, excludedKeys) + if err != nil { + return diag.FromErr(err) + } + return +} + +func urlFilteringRuleDelete(ctx context.Context, d *schema.ResourceData, meta interface{}) (diags diag.Diagnostics) { + c := 
meta.(*client.Client) + id := d.Id() + _, err := client.DeleteUrlFilteringRule(ctx, c, id) + if err != nil { + errResponse, ok := err.(*client.ErrorResponse) + if ok && errResponse.Status == http.StatusNotFound { + d.SetId("") + } else { + return diag.FromErr(err) + } + } + d.SetId("") + return +} diff --git a/internal/provider/url_filtering_rule/data_source.go b/internal/provider/url_filtering_rule/data_source.go new file mode 100644 index 00000000..57710d08 --- /dev/null +++ b/internal/provider/url_filtering_rule/data_source.go 
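Review bot: In urlFilteringRuleDelete the not-found branch is redundant: it calls `d.SetId("")` and then falls through to the unconditional `d.SetId("")` two lines later, so the if/else exists only to return on other errors. Collapse it to `if !ok || errResponse.Status != http.StatusNotFound { return diag.FromErr(err) }` and keep the single SetId after the block. The same shape appears in urlFilteringRuleRead, where the `else` after a `return` should go; clearing the id on 404 there is the right call so Terraform plans a re-create instead of failing, but the direct `err.(*client.ErrorResponse)` assertion in both functions misses a wrapped error — `errors.As` (adding an `errors` import) is the durable form if client ever wraps its errors. A blank line is also missing between urlFilteringRuleRead and urlFilteringRuleCreate.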
@@ -0,0 +1,132 @@ +package url_filtering_rule + +import ( + "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema" + "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/common" +) + +func DataSource() *schema.Resource { + return &schema.Resource{ + // This description is used by the documentation generator and the language server. + Description: description, + ReadContext: urlFilteringRuleRead, + Schema: map[string]*schema.Schema{ + "id": { + Type: schema.TypeString, + Required: true, + ValidateDiagFunc: common.ValidateID(false, "ufr"), + }, + "name": { + Type: schema.TypeString, + Computed: true, + }, + "description": { + Type: schema.TypeString, + Computed: true, + }, + "enabled": { + Type: schema.TypeBool, + Computed: true, + }, + "action": { + Description: actionDesc, + Type: schema.TypeString, + Computed: true, + }, + "apply_to_org": { + Description: applyToOrgDesc, + Type: schema.TypeBool, + Computed: true, + }, + "sources": { + Description: sourcesDesc, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "exempt_sources": { + Description: exemptSources, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "advanced_threat_protection": { + Description: advancedThreatProtectionDesc, + Type: schema.TypeBool, + Computed: true, + }, + "catalog_app_categories": { + Description: catalogAppCategories, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "catalog_app_risk": { + Description: catalogAppRiskDesc, + Type: schema.TypeInt, + Computed: true, + }, + "cloud_apps": { + Description: cloudAppsDesc, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "countries": { + Description: countriesDesc, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "expires_at": { + Description: expiresAtDesc, + Type: 
schema.TypeString, + Computed: true, + }, + "filter_expression": { + Description: expressionDesc, + Type: schema.TypeString, + Computed: true, + }, + "forbidden_content_categories": { + Description: contentCategoriesDesc, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "networks": { + Description: networkDesc, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "priority": { + Description: priorityDesc, + Type: schema.TypeInt, + Computed: true, + }, + "schedule": { + Description: scheduleDesc, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "tenant_restriction": { + Description: tenantRestrictionDesc, + Type: schema.TypeString, + Computed: true, + }, + "threat_categories": { + Description: threatCategoriesDesc, + Type: schema.TypeList, + Elem: &schema.Schema{Type: schema.TypeString}, + Computed: true, + }, + "warn_ttl": { + Description: warnTtlDesc, + Type: schema.TypeInt, + Computed: true, + }, + }, + } +} diff --git a/internal/provider/url_filtering_rule/resource.go b/internal/provider/url_filtering_rule/resource.go new file mode 100644 index 00000000..45c4ddae --- /dev/null +++ b/internal/provider/url_filtering_rule/resource.go 
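Review bot: The `id`, `name`, `description` and `enabled` attributes carry no Description while every other attribute in the schema does, so the generated docs/data-sources/url_filtering_rule.md lists them with empty descriptions. Add one-liners such as `Description: "The URL filtering rule ID (ufr-...)."` for id, `Description: "Human-readable name of the URL filtering rule."` for name, and `Description: "Whether the rule is currently enforced."` for enabled, defined as constants in common.go next to the existing ones so Resource() can reuse them and the resource and data-source pages stay in sync.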
@@ -0,0 +1,219 @@
+package url_filtering_rule
+
+import (
+ "github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+ "github.com/nsofnetworks/terraform-provider-pfptmeta/internal/provider/common"
+)
+
+const maxInt = int(^uint(0) >> 1)
+
+func Resource() *schema.Resource {
+ return &schema.Resource{
+ // This description is used by the documentation generator and the language server.
+ Description: description,
+ CreateContext: urlFilteringRuleCreate,
+ ReadContext: urlFilteringRuleRead,
+ UpdateContext: urlFilteringRuleUpdate,
+ DeleteContext: urlFilteringRuleDelete,
+ Importer: &schema.ResourceImporter{
+ StateContext: schema.ImportStatePassthroughContext,
+ },
+ Schema: map[string]*schema.Schema{
+ "id": {
+ Type: schema.TypeString,
+ Computed: true,
+ },
+ "name": {
+ Type: schema.TypeString,
+ Required: true,
+ },
+ "description": {
+ Type: schema.TypeString,
+ Optional: true,
+ },
+ "enabled": {
+ Type: schema.TypeBool,
+ Optional: true,
+ Default: true,
+ },
+ "action": {
+ Description: actionDesc,
+ Type: schema.TypeString,
+ Required: true,
+ ValidateDiagFunc: common.ValidateStringENUM("ISOLATION", "BLOCK", "LOG", "RESTRICT", "WARN"),
+ },
+ "apply_to_org": {
+ Description: applyToOrgDesc,
+ Type: schema.TypeBool,
+ Optional: true,
+ ConflictsWith: []string{"sources", "exempt_sources"},
+ },
+ "sources": {
+ Description: sourcesDesc,
+ Type: schema.TypeList,
+ MaxItems: 200,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateID(false, "usr", "grp", "tun"),
+ },
+ Optional: true,
+ ConflictsWith: []string{"apply_to_org"},
+ },
+ "exempt_sources": {
+ Description: exemptSources,
+ Type: schema.TypeList,
+ MaxItems: 200,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateID(false, "usr", "grp", "tun"),
+ },
+ Optional: true,
+ ConflictsWith: []string{"apply_to_org"},
+ },
+ "advanced_threat_protection": {
+ Description: advancedThreatProtectionDesc,
+ Type: schema.TypeBool,
+ Optional: true,
+ },
+ "catalog_app_categories": {
+ Description: catalogAppCategories,
+ Type: schema.TypeList,
+ MaxItems: 20,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateStringENUM("Instant Messaging", "eCommerce",
+ "Content Management", "Software Development", "Project Management", "Marketing", "CRM",
+ "Telecommunications", "Social and Communication", "Productivity", "Collaboration",
+ "Business and Finance", "Utilities", "IT Service Management", "Social Networking",
+ "Office Document and Productivity", "Cloud File Sharing", "Web Meetings",
+ "Identity and Access Management", "IT Services and Hosting", "Webmail", "Website Builder",
+ "Human Capital Management", "Sales and CRM", "E-commerce and Accounting", "Streaming Media",
+ "Cloud Storage", "Operations Management", "Online Meeting", "Supply Chain",
+ "Security and Compliance", "Entertainment and Lifestyle", "System and Network",
+ "Retail and Consumer Services", "Health and Benefits", "Data and Analytics",
+ "Education and References", "Personal instant messaging", "Legal", "Other",
+ "Hosting Services", "News and Media", "Sales", "Enterprise Resource Planning", "Advertising",
+ "Travel and Transportation", "Property Management", "Government Services", "Games", "Code Hosting"),
+ },
+ Optional: true,
+ },
+ "catalog_app_risk": {
+ Description: catalogAppRiskDesc,
+ Type: schema.TypeInt,
+ ValidateDiagFunc: common.ValidateIntRange(1, 8),
+ Optional: true,
+ },
+ "cloud_apps": {
+ Description: cloudAppsDesc,
+ Type: schema.TypeList,
+ MaxItems: 50,
+ ConflictsWith: []string{"tenant_restriction", "tenant_restriction", "threat_categories"},
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateID(false, "ca"),
+ },
+ Optional: true,
+ },
+ "countries": {
+ Description: countriesDesc,
+ Type: schema.TypeList,
+ MaxItems: 10,
+ MinItems: 1,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateStringENUM("AD", "AE", "AF", "AG", "AI", "AL", "AM", "AO",
+ "AQ", "AR", "AS", "AT", "AU", "AW", "AX", "AZ", "BA", "BB", "BD", "BE", "BF", "BG", "BH", "BI",
+ "BJ", "BL", "BM", "BN", "BO", "BQ", "BR", "BS", "BT", "BV", "BW", "BY", "BZ", "CA", "CC", "CD",
+ "CF", "CG", "CH", "CI", "CK", "CL", "CM", "CN", "CO", "CR", "CU", "CV", "CW", "CX", "CY", "CZ",
+ "DE", "DJ", "DK", "DM", "DO", "DZ", "EC", "EE", "EG", "EH", "ER", "ES", "ET", "FI", "FJ", "FK",
+ "FM", "FO", "FR", "GA", "GB", "GD", "GE", "GF", "GG", "GH", "GI", "GL", "GM", "GN", "GP", "GQ",
+ "GR", "GS", "GT", "GU", "GW", "GY", "HK", "HM", "HN", "HR", "HT", "HU", "ID", "IE", "IL", "IM",
+ "IN", "IO", "IQ", "IR", "IS", "IT", "JE", "JM", "JO", "JP", "KE", "KG", "KH", "KI", "KM", "KN",
+ "KP", "KR", "KW", "KY", "KZ", "LA", "LB", "LC", "LI", "LK", "LR", "LS", "LT", "LU", "LV", "LY",
+ "MA", "MC", "MD", "ME", "MF", "MG", "MH", "MK", "ML", "MM", "MN", "MO", "MP", "MQ", "MR", "MS",
+ "MT", "MU", "MV", "MW", "MX", "MY", "MZ", "NA", "NC", "NE", "NF", "NG", "NI", "NL", "NO", "NP",
+ "NR", "NU", "NZ", "OM", "PA", "PE", "PF", "PG", "PH", "PK", "PL", "PM", "PN", "PR", "PS", "PT",
+ "PW", "PY", "QA", "RE", "RO", "RS", "RU", "RW", "SA", "SB", "SC", "SD", "SE", "SG", "SH", "SI",
+ "SJ", "SK", "SL", "SM", "SN", "SO", "SR", "SS", "ST", "SV", "SX", "SY", "SZ", "TC", "TD", "TF",
+ "TG", "TH", "TJ", "TK", "TL", "TM", "TN", "TO", "TR", "TT", "TV", "TW", "TZ", "UA", "UG", "UM",
+ "US", "UY", "UZ", "VA", "VC", "VE", "VG", "VI", "VN", "VU", "WF", "WS", "YE", "YT", "ZA", "ZM",
+ "ZW"),
+ },
+ Optional: true,
+ },
+ "expires_at": {
+ Description: expiresAtDesc,
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateDiagFunc: common.ValidateIsoTimeFormat(),
+ },
+ "filter_expression": {
+ Description: expressionDesc,
+ Type: schema.TypeString,
+ Optional: true,
+ },
+ "forbidden_content_categories": {
+ Description: contentCategoriesDesc,
+ Type: schema.TypeList,
+ MaxItems: 20,
+ ConflictsWith: []string{"tenant_restriction", "cloud_apps"},
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateID(false, "cc"),
+ },
+ Optional: true,
+ },
+ "networks": {
+ Description: networkDesc,
+ Type: schema.TypeList,
+ MaxItems: 20,
+ MinItems: 1,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateID(false, "ipn"),
+ },
+ Optional: true,
+ },
+ "priority": {
+ Description: priorityDesc,
+ Type: schema.TypeInt,
+ ValidateDiagFunc: common.ValidateIntRange(1, 5000),
+ Optional: true,
+ },
+ "schedule": {
+ Description: scheduleDesc,
+ Type: schema.TypeList,
+ MaxItems: 10,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateID(false, "tmf"),
+ },
+ Optional: true,
+ },
+ "tenant_restriction": {
+ Description: tenantRestrictionDesc,
+ Type: schema.TypeString,
+ Optional: true,
+ ValidateDiagFunc: common.ValidateID(false, "tr"),
+ ConflictsWith: []string{"forbidden_content_categories", "cloud_apps", "threat_categories"},
+ },
+ "threat_categories": {
+ Description: threatCategoriesDesc,
+ Type: schema.TypeList,
+ ConflictsWith: []string{"tenant_restriction", "cloud_apps"},
+ MaxItems: 5,
+ Elem: &schema.Schema{
+ Type: schema.TypeString,
+ ValidateDiagFunc: common.ValidateID(false, "tc"),
+ },
+ Optional: true,
+ },
+ "warn_ttl": {
+ Description: warnTtlDesc,
+ Type: schema.TypeInt,
+ ValidateDiagFunc: common.ValidateIntRange(1, 43800),
+ Optional: true,
+ },
+ },
+ }
+}
diff --git a/templates/data-sources/url_filtering_rule.md.tmpl b/templates/data-sources/url_filtering_rule.md.tmpl
new file mode 100644
index 00000000..bc51b8d9
--- /dev/null
+++ b/templates/data-sources/url_filtering_rule.md.tmpl
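Review bot: The `cloud_apps` attribute's `ConflictsWith` lists `"tenant_restriction"` twice and omits `"forbidden_content_categories"`, even though `forbidden_content_categories` declares a conflict with `cloud_apps` on its own side; the duplicate reads like a copy-paste slip standing in for that missing entry. Because the SDK evaluates each attribute's `ConflictsWith` independently, the one-sided declaration most likely still rejects a config that sets both, but the plan error will only ever be attributed to `forbidden_content_categories` and the generated docs for `cloud_apps` will not mention the restriction — and if the policy intent is that cloud-app rules and content-category rules are mutually exclusive, both sides should say so. Change the line to `ConflictsWith: []string{"forbidden_content_categories", "tenant_restriction", "threat_categories"},`. Separately, `const maxInt` is declared at the top of this file but referenced nowhere in the hunk; Go tolerates an unused constant, so if nothing else in the package uses it, it should be dropped rather than left as a dangling hint of an intended bound.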
@@ -0,0 +1,17 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "{{.Type}} {{.Name}} - {{.ProviderName}}"
+subcategory: "Web Security Resources"
+description: |-
+{{ .Description | plainmarkdown | trimspace | prefixlines " " }}
+---
+
+# {{.Type}} ({{.Name}})
+
+{{ .Description | trimspace }}
+
+## Example Usage
+
+{{tffile "examples/data-sources/pfptmeta_url_filtering_rule/data-source.tf"}}
+
+{{ .SchemaMarkdown | trimspace }}
diff --git a/templates/resources/url_filtering_rule.md.tmpl b/templates/resources/url_filtering_rule.md.tmpl
new file mode 100644
index 00000000..6bae2021
--- /dev/null
+++ b/templates/resources/url_filtering_rule.md.tmpl
@@ -0,0 +1,39 @@
+---
+# generated by https://github.com/hashicorp/terraform-plugin-docs
+page_title: "{{.Type}} {{.Name}} - {{.ProviderName}}"
+subcategory: "Web Security Resources"
+description: |-
+{{ .Description | plainmarkdown | trimspace | prefixlines " " }}
+---
+
+# {{.Type}} ({{.Name}})
+
+{{ .Description | trimspace }}
+
+## Example Usage
+
+### Default Rule:
+
+{{tffile "examples/resources/pfptmeta_url_filtering_rule/default_rule.tf"}}
+
+### High Risk:
+
+{{tffile "examples/resources/pfptmeta_url_filtering_rule/high_risk.tf"}}
+
+### Log All:
+
+{{tffile "examples/resources/pfptmeta_url_filtering_rule/log_all.tf"}}
+
+### Isolate Web Mails:
+
+{{tffile "examples/resources/pfptmeta_url_filtering_rule/isolate_web_mail.tf"}}
+
+### Warn For Dropbox:
+
+{{tffile "examples/resources/pfptmeta_url_filtering_rule/warn_for_dropbox.tf"}}
+
+### Block Contents During Work Hours:
+
+{{tffile "examples/resources/pfptmeta_url_filtering_rule/block_for_work_hours.tf"}}
+
+{{ .SchemaMarkdown | trimspace }}