Skip to main content

Provision Compliance Standard (and requirement/sections), with Saved Searches and Policies

note

This is a simplified example. Full example details and folder structure are in this GitHub repository: https://github.com/solalraveh/prismacloud_terraform

A more detailed example, using modules, is available in this GitHub repository: https://github.com/solalraveh/prismacloud_terraform_w_modules

README

# prismacloud_terraform

Working TF module to provision a compliance standard (with requirement and section), RQL search, saved search and policy from it that ties to the compliance standard.

The provider config file is/can be expected at the ".prismacloud_auth.json" file.
An example config structure can look like:
---
{
    "url": "api.eu.prismacloud.io",
    "username": "yada_access_key",
    "password": "yada_secret_key",
    "protocol": "https"
}
---
Another config parameter might be necessary if you do not opt for access/secret key but rather username/pass, that will be: "customer_name" and corresponding env variable "PRISMACLOUD_CUSTOMER_NAME".
If you use access/secret key, that would not be necessary.

Unless if you want to put the provider configs in a config file, then export your env var, similar to:

---
export PRISMACLOUD_USERNAME=yada_access_key
export PRISMACLOUD_PASSWORD=yada_secret_key
export PRISMACLOUD_URL=api.eu.prismacloud.io
export PRISMACLOUD_PROTOCOL=https
---

Full details at:
https://registry.terraform.io/providers/PaloAltoNetworks/prismacloud/latest/docs

Main .tf file:

terraform {
  required_providers {
    prismacloud = {
      source = "PaloAltoNetworks/prismacloud"
      version = ">=1.1.0"
    }
  }
}

# Configure the prismacloud provider
provider "prismacloud" {
    #json_config_file = ".prismacloud_auth.json"
}

resource "prismacloud_compliance_standard" "CS_PANW" {
    name = "PANW"
    description = "Compliance Standards PANW"
}

resource "prismacloud_compliance_standard_requirement" "CSR_PANW_TEAM1" {
    cs_id = prismacloud_compliance_standard.CS_PANW.cs_id
    name = "PANW - Building Blocks"
    description = "PANW Building Blocks"
    requirement_id = "PANW Building Blocks"
}

resource "prismacloud_compliance_standard_requirement_section" "CSRS_PANW_TEAM1_EC2" {
    csr_id = prismacloud_compliance_standard_requirement.CSR_PANW_TEAM1.csr_id
    section_id = "EC2"
    description = "Requirement Section for EC2"
}

resource "prismacloud_rql_search" "x" {
    search_type = "config"
    query = "config from cloud.resource where api.name = 'aws-ec2-key-pair' AND json.rule = keyName exists"
    time_range {
        relative {
            unit = "hour"
            amount = 24
        }
    }
}

resource "prismacloud_saved_search" "example" {
    name = var.policy_name
    description = var.description
    search_id = prismacloud_rql_search.x.search_id
    query = prismacloud_rql_search.x.query
    time_range {
        relative {
            unit = prismacloud_rql_search.x.time_range.0.relative.0.unit
            amount = prismacloud_rql_search.x.time_range.0.relative.0.amount
        }
    }
}

resource "prismacloud_policy" "this" {
    name                        = var.policy_name
    policy_type                 = var.policy_type
    description                 = var.description
    recommendation              = var.remediation
    restrict_alert_dismissal    = var.restrict_alert_dismissal
    enabled                     = var.enabled
    severity                    = var.policy_severity
    cloud_type                  = var.policy_cloud
    rule {
        name        = var.policy_name
        criteria    = prismacloud_saved_search.example.search_id
        rule_type   = var.rule_type
        parameters  = {
            "savedSearch": true,
            "withIac": false,
        }
    }
    compliance_metadata {
      compliance_id     = prismacloud_compliance_standard_requirement_section.CSRS_PANW_TEAM1_EC2.csrs_id
      custom_assigned = true
      requirement_id = prismacloud_compliance_standard_requirement.CSR_PANW_TEAM1.requirement_id
      requirement_name = prismacloud_compliance_standard_requirement.CSR_PANW_TEAM1.name
      section_id = prismacloud_compliance_standard_requirement_section.CSRS_PANW_TEAM1_EC2.section_id
      standard_name = prismacloud_compliance_standard.CS_PANW.name
      section_description = prismacloud_compliance_standard_requirement_section.CSRS_PANW_TEAM1_EC2.description
      standard_description = prismacloud_compliance_standard.CS_PANW.description
      #only mandatory parameter is compliance_id which corresponds to the section ID (not requirement and not compliance. section ID will identify those 2 automatically).
    }
}

terraform.tfvars

policy_name = "test aws EC2s"
policy_type = "config"
description = "yada"
remediation = "yada"
restrict_alert_dismissal = "false"
enabled = "true"
policy_severity = "medium"
policy_cloud = "aws"
rule_type = "Config"

variables.tf

variable "policy_name" {
  type = string
}

variable "policy_type" {
  type = string
}

variable "description" {
  type = string
}

variable "remediation" {
  type = string
}

variable "restrict_alert_dismissal" {
  type = bool
}

variable "enabled" {
  type = bool
}

variable "policy_severity" {
  type = string
}

variable "policy_cloud" {
  type = string
}

variable "rule_type" {
  type = string
}