
Comparing changes
base repository: AxtonGrams/terraform-provider-wiz
base: v1.1.5
head repository: AxtonGrams/terraform-provider-wiz
compare: main
Showing with 4,023 additions and 276 deletions.
  1. +43 −12 .github/workflows/pull.yml
  2. +5 −5 .github/workflows/release.yml
  3. +1 −0 CODEOWNERS
  4. +1 −0 docs/data-sources/cloud_config_rules.md
  5. +1 −0 docs/resources/cloud_config_rule.md
  6. +0 −3 docs/resources/connector_aws.md
  7. +106 −0 docs/resources/connector_gcp.md
  8. +37 −1 docs/resources/project.md
  9. +82 −0 docs/resources/project_cloud_account_link.md
  10. +78 −0 docs/resources/report_graph_query.md
  11. +124 −0 docs/resources/saml_group_mapping.md
  12. +1 −1 docs/resources/security_framework.md
  13. +2 −0 docs/resources/service_account.md
  14. +0 −2 examples/resources/wiz_connector_aws/resource.tf
  15. +18 −0 examples/resources/wiz_connector_gcp/import.sh
  16. +37 −0 examples/resources/wiz_connector_gcp/resource.tf
  17. +1 −0 examples/resources/wiz_project/import.sh
  18. +25 −0 examples/resources/wiz_project/resource.tf
  19. +2 −0 examples/resources/wiz_project_cloud_account_link/import.sh
  20. +21 −0 examples/resources/wiz_project_cloud_account_link/resource.tf
  21. +43 −0 examples/resources/wiz_report_graph_query/resource.tf
  22. +12 −0 examples/resources/wiz_saml_group_mapping/import.sh
  23. +65 −0 examples/resources/wiz_saml_group_mapping/resource.tf
  24. +51 −42 go.mod
  25. +158 −111 go.sum
  26. +10 −0 internal/acceptance/common.go
  27. +10 −0 internal/acceptance/provider_test.go
  28. +133 −0 internal/acceptance/resource_cloud_config_rule_test.go
  29. +1 −7 internal/acceptance/{resource_connector_test.go → resource_connector_aws_test.go}
  30. +77 −0 internal/acceptance/resource_connector_gcp_test.go
  31. +45 −0 internal/acceptance/resource_project_cloud_account_link_test.go
  32. +80 −0 internal/acceptance/resource_project_test.go
  33. +64 −0 internal/acceptance/resource_report_graph_query_test.go
  34. +56 −0 internal/acceptance/resource_saml_group_mapping_test.go
  35. +26 −1 internal/provider/provider.go
  36. +4 −0 internal/provider/resource_cloud_config_rule.go
  37. +12 −42 internal/provider/resource_connector_aws.go
  38. +470 −0 internal/provider/resource_connector_gcp.go
  39. +47 −0 internal/provider/resource_connector_gcp_test.go
  40. +13 −0 internal/provider/resource_control.go
  41. +25 −6 internal/provider/resource_control_associations.go
  42. +81 −15 internal/provider/resource_project.go
  43. +593 −0 internal/provider/resource_project_cloud_account_link.go
  44. +180 −0 internal/provider/resource_project_cloud_account_link_test.go
  45. +66 −0 internal/provider/resource_report.go
  46. +328 −0 internal/provider/resource_report_graph_query.go
  47. +438 −0 internal/provider/resource_saml_group_mapping.go
  48. +55 −0 internal/provider/resource_saml_group_mapping_test.go
  49. +1 −0 internal/provider/resource_saml_idp.go
  50. +7 −0 internal/wiz/enums.go
  51. +287 −28 internal/wiz/structs.go
55 changes: 43 additions & 12 deletions .github/workflows/pull.yml
@@ -10,9 +10,9 @@ jobs:
timeout-minutes: 5
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
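Review bot: the bumped actions are still referenced by floating major tags (`actions/checkout@v4`, `actions/setup-go@v5`), so a force-moved or compromised tag changes what runs in CI with no diff in this repository; pin each `uses:` to a full commit SHA with the version in a trailing comment and let Dependabot or Renovate bump it. The same applies to every other `uses:` line in this file, including the unchanged `danhunsaker/golang-github-actions@v1.3.1` in the lint, fmt and imports jobs, which is the third-party dependency most worth pinning.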
@@ -25,8 +25,8 @@ jobs:
name: go-lint
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- uses: danhunsaker/golang-github-actions@v1.3.1
@@ -36,8 +36,8 @@ jobs:
name: go-fmt
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- uses: danhunsaker/golang-github-actions@v1.3.1
@@ -47,8 +47,8 @@ jobs:
name: go-imports
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v3
- uses: actions/setup-go@v4
- uses: actions/checkout@v4
- uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
- name: check
@@ -61,12 +61,14 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
- name: Setup terraform
uses: hashicorp/setup-terraform@v3
- run: go generate ./...
- name: git diff
run: |
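Review bot: the newly added `hashicorp/setup-terraform@v3` step installs whatever Terraform release is current at run time, so the output of `go generate ./...` (and therefore the `git diff` gate that follows it) can start failing the day HashiCorp ships a new version even though nothing in this repository changed; set the action's `terraform_version` input explicitly so doc generation is reproducible.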
@@ -78,11 +80,40 @@ jobs:
runs-on: ubuntu-latest
steps:
- name: Check out code into the Go module directory
uses: actions/checkout@v3
uses: actions/checkout@v4
- name: Set up Go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
id: go
- run: go test -v -cover ./internal/provider/... ./internal/client/... ./internal/config/... ./internal/utils/...
codeowners:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
ref: ${{ github.event.pull_request.head.ref }}
repository: ${{ github.event.pull_request.head.repo.full_name }}
- name: Check for CODEOWNERS file
uses: andstor/file-existence-action@v3
id: check_codeowners_1
with:
files: CODEOWNERS
- name: Check for CODEOWNERS file
uses: andstor/file-existence-action@v3
id: check_codeowners_2
with:
files: docs/CODEOWNERS
- name: Check for CODEOWNERS file
uses: andstor/file-existence-action@v3
id: check_codeowners_3
with:
files: .github/CODEOWNERS
- name: Validate CODEOWNERS
uses: mszostok/codeowners-validator@v0.7.4
if: steps.check_codeowners_1.outputs.files_exists || steps.check_codeowners_2.outputs.files_exists ||steps.check_codeowners_3.outputs.files_exists
with:
checks: "files,owners,duppatterns,syntax"
github_access_token: ${{ secrets.CODEOWNERS_PAT}}
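Review bot: the `Validate CODEOWNERS` step's `if:` relies on truthiness of `steps.check_codeowners_N.outputs.files_exists`, but step outputs are strings and the string `"false"` is truthy in a workflow expression, so the validator runs even when none of the three files exist; compare explicitly, e.g. `steps.check_codeowners_1.outputs.files_exists == 'true' || steps.check_codeowners_2.outputs.files_exists == 'true' || steps.check_codeowners_3.outputs.files_exists == 'true'`, which also fixes the missing space after the second `||`. Separately, this job checks out `github.event.pull_request.head.ref` from `github.event.pull_request.head.repo.full_name` and then passes `secrets.CODEOWNERS_PAT` to a third-party action; that is safe only while the trigger stays `pull_request` (fork PRs receive no secrets, so the step will simply fail for them). If someone later switches the workflow to `pull_request_target` to make it work for forks, the PR author's tree would be checked out with the PAT available, so leave a comment on the checkout step explaining why that combination must not be introduced. Three steps share the name `Check for CODEOWNERS file`; name them by the path they test.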
10 changes: 5 additions & 5 deletions .github/workflows/release.yml
@@ -22,29 +22,29 @@ jobs:
steps:
-
name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
-
name: Unshallow
run: git fetch --prune --unshallow
-
name: Set up Go
uses: actions/setup-go@v4
uses: actions/setup-go@v5
with:
go-version-file: 'go.mod'
cache: true
-
name: Import GPG key
uses: crazy-max/ghaction-import-gpg@v5
uses: crazy-max/ghaction-import-gpg@v6
id: import_gpg
with:
gpg_private_key: ${{ secrets.GPG_PRIVATE_KEY }}
passphrase: ${{ secrets.PASSPHRASE }}
-
name: Run GoReleaser
uses: goreleaser/goreleaser-action@v4.3.0
uses: goreleaser/goreleaser-action@v6.1.0
with:
version: latest
args: release --rm-dist
args: release --clean
env:
GPG_FINGERPRINT: ${{ steps.import_gpg.outputs.fingerprint }}
# GitHub sets this automatically
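Review bot: `version: latest` on the GoReleaser step means the tool that builds and GPG-signs the published provider binaries is resolved at release time from whatever GoReleaser last shipped, so a bad or yanked upstream release silently changes the artifacts the signature attests to; pin `version:` to a specific GoReleaser tag. The `--rm-dist` to `--clean` swap in this same hunk shows the job already had to adapt once to a GoReleaser upgrade, so the dependency is not stable enough to float. As in pull.yml, `actions/checkout@v4`, `actions/setup-go@v5` and `crazy-max/ghaction-import-gpg@v6` should be pinned to commit SHAs, which matters most in this workflow because it holds `GPG_PRIVATE_KEY` and `PASSPHRASE`.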
1 change: 1 addition & 0 deletions CODEOWNERS
@@ -0,0 +1 @@
* @axtongrams/reviewers
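Review bot: the catch-all `* @axtongrams/reviewers` names an org team, so the `owners` check that pull.yml enables (`checks: "files,owners,duppatterns,syntax"`) can only pass when `CODEOWNERS_PAT` is allowed to read the organization's teams; document that required scope next to the secret. Also note that GitHub only honours a team as a code owner when that team has write access to the repository, so a missing team permission fails silently as "no required reviewer" rather than as a validation error.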
1 change: 1 addition & 0 deletions docs/data-sources/cloud_config_rules.md
@@ -67,6 +67,7 @@ data "wiz_cloud_config_rules" "aws_critical" {
- KUBERNETES
- AZURE_RESOURCE_MANAGER
- DOCKER_FILE
- ADMISSION_CONTROLLER
- `project` (List of String) Search by project.
- `risk_equals_all` (List of String)
- `risk_equals_any` (List of String)
1 change: 1 addition & 0 deletions docs/resources/cloud_config_rule.md
@@ -117,3 +117,4 @@ Required:
- KUBERNETES
- AZURE_RESOURCE_MANAGER
- DOCKER_FILE
- ADMISSION_CONTROLLER
3 changes: 0 additions & 3 deletions docs/resources/connector_aws.md
@@ -23,7 +23,6 @@ resource "wiz_connector_aws" "example" {
extra_config = jsonencode(
{
"skipOrganizationScan" : true,
"diskAnalyzerInFlightDisabled" : false,
"optedInRegions" : ["us-east-1"],
"excludedAccounts" : [],
"excludedOUs" : [],
@@ -51,7 +50,6 @@ resource "wiz_connector_aws" "example" {
"excludedAccounts" : ["100000000009", "100000000010", "100000000013"],
"excludedOUs" : ["EXCLUDE-ME"],
"auditLogMonitorEnabled" : false,
"diskAnalyzerInFlightDisabled" : false,
"skipOrganizationScan" : true,
"optedInRegions" : [],
"cloudTrailConfig" : {
@@ -83,7 +81,6 @@ resource "wiz_connector_aws" "example" {

- `audit_log_monitor_enabled` (Boolean) Whether audit log monitor is enabled. Note an advanced license is required.
- `customer_role_arn` (String) The AWS customer role arn for Wiz to assume.
- `disk_analyzer_inflight_disabled` (Boolean) If using Outpost, whether disk analyzer inflight scanning is disabled.
- `events_cloudtrail_bucket_name` (String) If using Wiz Cloud Events, the CloudTrail bucket name.
- `events_cloudtrail_bucket_sub_account` (String) If using Wiz Cloud Events and CloudTrail is organizational, the CloudTrail bucket sub account.
- `events_cloudtrail_organization` (String) If using Wiz Cloud Events and CloudTrail is deployed to AWS organizations, the organizational ID.
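Review bot: dropping `disk_analyzer_inflight_disabled` from the attribute list here (and `diskAnalyzerInFlightDisabled` from both `extra_config` examples in the two hunks above) is a breaking change for any configuration that references `wiz_connector_aws.*.disk_analyzer_inflight_disabled` or still sends the key in `extra_config`; nothing in the doc marks it deprecated first. Either keep the attribute for one release with a Deprecated note, or call the removal out in the changelog and say whether a leftover `diskAnalyzerInFlightDisabled` key in `extra_config` is now ignored or rejected by the API, so users know whether they must edit their JSON before upgrading.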
106 changes: 106 additions & 0 deletions docs/resources/connector_gcp.md
@@ -0,0 +1,106 @@
---
# generated by https://github.com/hashicorp/terraform-plugin-docs
page_title: "wiz_connector_gcp Resource - terraform-provider-wiz"
subcategory: ""
description: |-
Connectors are used to connect GCP resources to Wiz.
---

# wiz_connector_gcp (Resource)

Connectors are used to connect GCP resources to Wiz.

## Example Usage

```terraform
# Provision a simple GCP connector, organization-wide
resource "wiz_connector_gcp" "example" {
name = "example"
auth_params = jsonencode({
"isManagedIdentity" : true,
"organization_id" : "o-example"
})
extra_config = jsonencode(
{
"projects" : [],
"excludedProjects" : [],
"includedFolders" : [],
"excludedFolders" : [],
"auditLogMonitorEnabled" : false
}
)
}
# Provision a GCP connector targeting an individual Google project
resource "wiz_connector_gcp" "example" {
name = "example"
auth_params = jsonencode({
"isManagedIdentity" : true,
"project_id" : "exmaple-project-id"
})
extra_config = jsonencode(
{
"projects" : [],
"excludedProjects" : [],
"includedFolders" : [],
"excludedFolders" : [],
"auditLogMonitorEnabled" : false
}
)
}
```

<!-- schema generated by tfplugindocs -->
## Schema

### Required

- `auth_params` (String, Sensitive) The authentication parameters. Must be represented in `JSON` format.
- `name` (String) The connector name.

### Optional

- `enabled` (Boolean) Whether the connector is enabled.
- Defaults to `true`.
- `extra_config` (String) Extra configuration for the connector. Must be represented in `JSON` format.

### Read-Only

- `audit_log_monitor_enabled` (Boolean) Whether audit log monitor is enabled. Note an advanced license is required.
- `events_pub_sub_subscription_id` (String) If using Wiz Cloud Events, the Pub/Sub Subscription ID.
- `events_topic_name` (String) If using Wiz Cloud Events, the Topic Name in format `projects/<project_id>/topics/<topic_id>`.
- `excluded_folders` (List of String) The GCP folders excluded by the connector.
- `excluded_projects` (List of String) The GCP projects excluded by the connector.
- `folder_id` (String) The GCP folder ID.
- `id` (String) Wiz internal identifier for the connector.
- `included_folders` (List of String) The GCP folders included by the connector.
- `is_managed_identity` (String) Is managed identity?
- `organization_id` (String) The GCP organization ID.
- `projects` (List of String) The GCP projects to target with the connector.

## Import

Import is supported using the following syntax:

```shell
# Importing Considerations:
#
# Please note this is considered experimental, exercise caution and consider the following:
#
# - Make sure that the `auth_params` field is set to the same values as set when the resource was created outside of Terraform.
# This is due to the way we need to handle change as under normal diff conditions, `auth_params` requires a resource recreation.
#
# - For `auth_params` include `isManagedIdentity`. If using outposts, also include `outPostId` and `diskAnalyzer` structure.
#
# For more information, refer to the examples in the documentation.
#
terraform import wiz_connector_gcp.import_example "7be792ba-bfd1-46d0-9fba-5f6bc19df4a8"

# Optional - this is to set auth_params in state.
#
# If not run post-import, the next `terraform apply` will take care of it.
# Note any speculative changes to `auth_params` are for setting state for the one-time import only, any further changes would require a resource recreation as normal.
terraform apply --target=wiz_connector_gcp.import_example
```
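Review bot: the example at the top of this generated doc declares `resource "wiz_connector_gcp" "example"` twice in one file, so copying it verbatim fails `terraform validate` with a duplicate resource address; give the second block a distinct label (and fix `exmaple-project-id`) in `examples/resources/wiz_connector_gcp/resource.tf`, which is the source tfplugindocs renders here. Two schema points: `is_managed_identity` is typed `String` although the value sent in `auth_params` is the JSON boolean `"isManagedIdentity" : true`, and its description `Is managed identity?` does not say what it controls; and `auth_params` is marked `Sensitive` while the managed-identity examples show it carrying only an organization or project ID, so the description should list which keys (the import text mentions `outPostId` and `diskAnalyzer` for outposts but documents neither) actually hold secrets. The import section says `auth_params` normally forces recreation and that a post-import `apply --target` writes it to state; spell out what `terraform plan` shows between those two steps, since that is the part that will alarm users.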
38 changes: 37 additions & 1 deletion docs/resources/project.md
@@ -23,6 +23,31 @@ resource "wiz_project" "test" {
business_unit = "Technology"
}
# Folder projects example
resource "wiz_project" "root" {
name = "root"
description = "root"
is_folder = true
risk_profile {
business_impact = "MBI"
}
business_unit = "Technology"
}
resource "wiz_project" "child" {
name = "project_with_accounts"
parent_project_id = wiz_project.root.id
risk_profile {
business_impact = "MBI"
}
business_unit = "Technology"
cloud_account_link {
cloud_account_id = "477ea00a-4d4d-5bb4-9fa6-634691e68fff"
environment = "PRODUCTION"
}
}
# This resource contains multiple organization links, one with tags and another without
resource "wiz_project" "test" {
name = "Test App"
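Review bot: the new folder example links the child project to an account with the embedded `cloud_account_link` block, while the schema text added further down asks users to choose between that block and the new `wiz_project_cloud_account_link` resource; since this file is where people learn the difference, show the child once with the embedded block and once with the standalone resource, or state in a comment when each is the right choice. While touching this file, note that the pre-existing example above this hunk and the one starting at `# This resource contains multiple organization links` both use the address `wiz_project.test`, which has the same duplicate-address problem if pasted into one configuration.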
@@ -98,11 +123,14 @@ resource "wiz_project" "test" {
- `archived` (Boolean) Whether the project is archived/inactive
- Defaults to `false`.
- `business_unit` (String) The business unit to which the project belongs.
- `cloud_account_link` (Block Set) Associate the project directly with a cloud account by wiz identifier UID to organize all the subscription resources, issues, and findings within this project. (see [below for nested schema](#nestedblock--cloud_account_link))
- `cloud_account_link` (Block Set) Please either use this embedded set or the resource wiz_project_cloud_account_link. Associate the project directly with a cloud account by wiz identifier UID to organize all the subscription resources, issues, and findings within this project. (see [below for nested schema](#nestedblock--cloud_account_link))
- `cloud_organization_link` (Block Set) Associate the project with an organizational link to organize all the subscription resources, issues, and findings within this project. (see [below for nested schema](#nestedblock--cloud_organization_link))
- `description` (String) The project description.
- `identifiers` (List of String) Identifiers for the project.
- `is_folder` (Boolean) Whether the project is a folder.
- Defaults to `false`.
- `kubernetes_cluster_link` (Block Set) Associate the project with kubernetes clusters. (see [below for nested schema](#nestedblock--kubernetes_cluster_link))
- `parent_project_id` (String) The parent project ID.
- `project_owners` (List of String) A list of project owner IDs.
- `risk_profile` (Block List, Max: 1) Contains risk profile related properties for the project (see [below for nested schema](#nestedblock--risk_profile))
- `security_champions` (List of String) A list of security champions IDs.
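Review bot: the reworded `cloud_account_link` description says to use either the embedded set or `wiz_project_cloud_account_link` but not why, so users will read it as a preference; state the consequence of using both for the same project (the two resources reconciling the same link set) and, if possible, enforce it in the schema instead of in prose. The new `is_folder` and `parent_project_id` attributes also need a sentence each on behaviour: whether a folder project may itself carry `cloud_account_link`, `cloud_organization_link` or `kubernetes_cluster_link` blocks, and whether changing `parent_project_id` updates in place or forces replacement.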
@@ -287,3 +315,11 @@ Optional:
- UNKNOWN

- Defaults to `UNKNOWN`.

## Import

Import is supported using the following syntax:

```shell
terraform import wiz_project.example "848025a0-9c2d-5863-8c4d-b60799294fff"
```