From baad1167b68b6c55638b52a47878daf0567c0216 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Sun, 17 Nov 2024 09:33:10 +0200 Subject: [PATCH 1/5] Initial commit --- .../custom-build-policies/code-editor.adoc | 25 ++++++++++++++++--- 1 file changed, 22 insertions(+), 3 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 70ef6a0ea9..527f746d16 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc @@ -6,7 +6,9 @@ Prisma Cloud supports Code Editor capability where you can create a policy rule for custom Configuration policies during Build-time checks. Code Editor is the default view for Build policy rule and as an example a YAML policy template is always available on the Prisma Cloud console. The Code Editor is a suitable option when you want to create complex custom policies that include both Attribute and Connection-State with a support of AND/OR logic. However, for custom secrets Code Editor supports only an OR logic. -* *Attribute* +=== Key Features + +==== Attribute-Based Policies + Attribute when defined in a policy describes attribute configurations for resources. Each resource must contain values the attribute configuration has specified or display the presence or absence of the attribute configuration. The syntax and attribute configurations used in YAML templates is similar to Terraform. + @@ -146,7 +148,7 @@ cond_type: "secrets" - "my-super-secret-password-regex" ---- -* *Connection State* +==== Connection-Based Policies + Connection State when defined in a policy specifies a connect or disconnect between resources of different types. + 
@@ -206,7 +208,7 @@ The table below provides instructions on how to use Connection State Operators. |=== -* *AND/OR Logic* +=== Logical (AND/OR) Operators + A policy may include layers of defined Attributes and Connection State, or both. To define the connection between the two AND/OR logic is used. Using Code Editor you can customize the Attribute, Connection State or both at multiple layers. + @@ -403,3 +405,20 @@ If there are errors in your custom code during a test, the console displays a so //image::governance/code-editor-6.png + NOTE: You are in *Step 2* of Create Custom Policies for Build-Time Checks. You are required to complete the rest of the steps to see your new custom Build-time check policy on the Prisma Cloud console. + +=== Limitation + +Nesting``NOT` conditions within connection blocks is currently not supported. + +EXAMPLE + +---- +definition: + not: + cond_type: "connection" + resource_types: + - "aws_elb" + connected_resource_types: + - "aws_security_group" + operator: "exists" +---- From d42fd15a1f9193e2bde4adddca25a4ecd25eec62 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Sun, 17 Nov 2024 09:46:48 +0200 Subject: [PATCH 2/5] Resorted topic - moving the procedure to the top --- .../custom-build-policies/code-editor.adoc | 128 +++++++++--------- 1 file changed, 66 insertions(+), 62 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 527f746d16..5763e7533f 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc 
@@ -3,10 +3,74 @@ [.task] == Code Editor -Prisma Cloud supports Code Editor capability where you can create a policy rule for custom Configuration policies during Build-time checks. Code Editor is the default view for Build policy rule and as an example a YAML policy template is always available on the Prisma Cloud console. +Prisma Cloud supports Code Editor capability where you can create a policy rule for custom Configuration policies during Build-time checks. Code Editor is the default view for Build policy rule and as an example a YAML policy template is always available on the Prisma Cloud console. The Code Editor is a suitable option when you want to create complex custom policies that include both Attribute and Connection-State with a support of AND/OR logic. However, for custom secrets Code Editor supports only an OR logic. -=== Key Features +=== How to Create Custom Policies + +[.procedure] + +.. Select *Policies > Add Policy > Config > Add Policy Details* and then select *Next*. +//+ +//image::governance/code-editor.png ++ +The Code Editor is as a default view with an example of a YAML template. ++ +In this example, you see the YAML template with custom secrets where `secrets` is a `category`. +//+ +//image::governance/code-editor-7.png + +.. Select *More Options* and then select *Clear Editor* to remove the YAML template example. +//+ +//image::governance/code-editor-1.png + +.. Add your custom YAML code. + +.. Select *Test* to test your custom code. +//+ +//image::governance/code-editor-2.png ++ +For every test, the console displays up to 30 results. Each time you test your code, Prisma Cloud scans all integrated repositories to give you a list of up to 30 resources that match this custom code policy. +//+ +//image::governance/code-editor-3.png ++ +You can also review the results for more details on the impacted resource and misconfiguration. +//+ +//In this example you see the contextualized information about an impacted resource from your custom code. 
+//+ +//image::governance/code-editor-4.png ++ +If there are errors in your custom code during a test, the console displays a solution. +//+ +//In this example, you see solution for the errors from your code. +//+ +//image::governance/code-editor-5.png + +.. Select *Validate and Next* to access *Compliance Standards* to complete the custom Build-time check policy. +//+ +//image::governance/code-editor-6.png ++ +NOTE: You are in *Step 2* of Create Custom Policies for Build-Time Checks. You are required to complete the rest of the steps to see your new custom Build-time check policy on the Prisma Cloud console. + +=== Limitation + +Nesting `NOT` conditions within connection blocks is currently not supported. + +EXAMPLE + +---- +definition: + not: + cond_type: "connection" + resource_types: + - "aws_elb" + connected_resource_types: + - "aws_security_group" + operator: "exists" +---- + + +=== Key Capabilities of the Code Editor ==== Attribute-Based Policies + 
@@ -362,63 +426,3 @@ definition: - "my-super-secret-password-regex" -[.procedure] - -.. Select *Policies > Add Policy > Config > Add Policy Details* and then select *Next*. -//+ -//image::governance/code-editor.png -+ -The Code Editor is as a default view with an example of a YAML template. -+ -In this example, you see the YAML template with custom secrets where `secrets` is a `category`. -//+ -//image::governance/code-editor-7.png - -.. Select *More Options* and then select *Clear Editor* to remove the YAML template example. -//+ -//image::governance/code-editor-1.png - -.. Add your custom YAML code. - -.. Select *Test* to test your custom code. -//+ -//image::governance/code-editor-2.png -+ -For every test, the console displays up to 30 results. Each time you test your code, Prisma Cloud scans all integrated repositories to give you a list of up to 30 resources that match this custom code policy. -//+ -//image::governance/code-editor-3.png -+ -You can also review the results for more details on the impacted resource and misconfiguration. -//+ -//In this example you see the contextualized information about an impacted resource from your custom code. -//+ -//image::governance/code-editor-4.png -+ -If there are errors in your custom code during a test, the console displays a solution. -//+ -//In this example, you see solution for the errors from your code. -//+ -//image::governance/code-editor-5.png - -.. Select *Validate and Next* to access *Compliance Standards* to complete the custom Build-time check policy. -//+ -//image::governance/code-editor-6.png -+ -NOTE: You are in *Step 2* of Create Custom Policies for Build-Time Checks. You are required to complete the rest of the steps to see your new custom Build-time check policy on the Prisma Cloud console. - -=== Limitation - -Nesting``NOT` conditions within connection blocks is currently not supported. 
- -EXAMPLE - ----- -definition: - not: - cond_type: "connection" - resource_types: - - "aws_elb" - connected_resource_types: - - "aws_security_group" - operator: "exists" ----- From fc89e2babc1c164cf01cb3bc81c7995dc721f8f6 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Sun, 17 Nov 2024 09:59:11 +0200 Subject: [PATCH 3/5] Fix sytax --- .../custom-build-policies/code-editor.adoc | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 5763e7533f..6654dc08f8 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc @@ -73,11 +73,10 @@ definition: === Key Capabilities of the Code Editor ==== Attribute-Based Policies -+ Attribute when defined in a policy describes attribute configurations for resources. Each resource must contain values the attribute configuration has specified or display the presence or absence of the attribute configuration. The syntax and attribute configurations used in YAML templates is similar to Terraform. -+ + In this example, the attribute defines a back-up configuration for Redshift clusters. -+ + [source] definition: cond_type: "attribute" @@ -213,11 +212,11 @@ cond_type: "secrets" ---- ==== Connection-Based Policies -+ + Connection State when defined in a policy specifies a connect or disconnect between resources of different types. -+ + In this example, `aws_lb` and `aws_elb` must have connection with `aws_security_group` or `aws_default_secuirty_group` to be compliant. -+ + [source] definition: cond_type: "connection" 
@@ -273,11 +272,11 @@ The table below provides instructions on how to use Connection State Operators. |=== === Logical (AND/OR) Operators -+ + A policy may include layers of defined Attributes and Connection State, or both. To define the connection between the two AND/OR logic is used. Using Code Editor you can customize the Attribute, Connection State or both at multiple layers. -+ + In this example, you see the both AND/OR logic applied to Attribute. -+ + [source] metadata: name: "Ensure all AWS databases have Backup Policy" From 05ea9662a449ffed31481d074fe5785c70f3f499 Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Sun, 17 Nov 2024 19:31:00 +0200 Subject: [PATCH 4/5] After Taylor Smith's review --- .../governance/custom-build-policies/code-editor.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 6654dc08f8..10613eb1e8 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc @@ -54,7 +54,7 @@ NOTE: You are in *Step 2* of Create Custom Policies for Build-Time Checks. You a === Limitation -Nesting `NOT` conditions within connection blocks is currently not supported. +Nesting connection condition types within a NOT block is not currently supported. EXAMPLE From bc114a68e0211a389e75c153ca8a9b60dd0ba48e Mon Sep 17 00:00:00 2001 From: JBakstPaloAlto Date: Sun, 17 Nov 2024 19:35:53 +0200 Subject: [PATCH 5/5] Fix code phrase for NOT --- .../governance/custom-build-policies/code-editor.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc index 10613eb1e8..8ad9a199e7 100644 --- a/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc +++ b/docs/en/enterprise-edition/content-collections/governance/custom-build-policies/code-editor.adoc @@ -54,7 +54,7 @@ NOTE: You are in *Step 2* of Create Custom Policies for Build-Time Checks. You a === Limitation -Nesting connection condition types within a NOT block is not currently supported. +Nesting connection condition types within a 'NOT' block is not currently supported. EXAMPLE
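Review bot: in PATCH 1/5, hunk `@@ -6,7 +6,9 @@`, the `+` list-continuation lines that followed `* *Attribute*` are kept under the new `==== Attribute-Based Policies` heading, but a continuation marker only attaches to a list item, so once the bullet becomes a heading these lines render as literal `+` characters. The same applies to the `+` kept after `==== Connection-Based Policies` in hunk `@@ -146,7 +148,7 @@`. PATCH 3/5 removes them; squashing that fix into this commit keeps the intermediate revision from rendering broken.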
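Review bot: in PATCH 1/5, hunk `@@ -206,7 +208,7 @@`, `* *AND/OR Logic*` becomes a level-3 heading (`=== Logical (AND/OR) Operators`) while its two sibling bullets became level-4 headings (`==== Attribute-Based Policies`, `==== Connection-Based Policies`) under `=== Key Features`. That pulls AND/OR logic out of the Key Features group even though the intro paragraph lists it as the third capability of the editor; use `====` here as well.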
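Review bot: in PATCH 1/5, hunk `@@ -403,3 +405,20 @@`, the added line `Nesting``NOT` conditions` is missing a space after `Nesting` and has mismatched backticks (two opening, one closing), so `NOT` will not render as monospace; PATCH 2/5 corrects it, but it should not land broken in the first place. Two further points on the same hunk: the sample is introduced with a bare `EXAMPLE` paragraph and an unstyled `----` block, whereas the rest of this file introduces samples with an "In this example, ..." sentence and a `[source]` block; and because this sample shows the form that is not supported, the lead sentence should say so explicitly (for example, "The following definition is rejected:") so a reader does not copy it as a working pattern.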
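Review bot: in PATCH 2/5, hunk `@@ -3,10 +3,74 @@`, the new `=== Limitation` section is placed between the procedure and `=== Key Capabilities of the Code Editor`, so the reader meets `cond_type: "connection"` before the Connection-Based Policies section defines it; move Limitation after Key Capabilities, or have its sentence point to that section. While these procedure lines are being moved, the sentence `The Code Editor is as a default view with an example of a YAML template.` still carries the pre-existing grammar slip ("is as a"); drop "as".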
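Review bot: in PATCH 3/5, hunk `@@ -73,11 +73,10 @@` (and the same change in the two hunks that follow), replacing the orphaned `+` continuation markers after the headings with blank lines is the right fix for the rendering problem introduced in PATCH 1/5; the only thing to tidy is the commit subject, `Fix sytax` should read `Fix syntax`.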
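Review bot: in PATCH 3/5, hunk `@@ -213,11 +212,11 @@`, the context line `aws_lb` and `aws_elb` must have connection with `aws_security_group` or `aws_default_secuirty_group` carries a pre-existing typo in the resource name (`secuirty` for `security`); a reader who pastes that name into a policy gets a type that matches nothing, so it is worth fixing while this block is being touched.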
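Review bot: in PATCH 4/5, hunk `@@ -54,7 +54,7 @@`, the reworded limitation (`Nesting connection condition types within a NOT block`) reverses the nesting direction of the earlier sentence, and the new direction is the one the EXAMPLE block actually shows (a `not:` key wrapping `cond_type: "connection"`), so this is a correctness fix rather than a rewording; the commit subject `After Taylor Smith's review` does not tell `git log` readers that, so state the change itself in the subject.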
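Review bot: in PATCH 5/5, hunk `@@ -54,7 +54,7 @@`, `'NOT'` in straight single quotes is not AsciiDoc monospace, so the change does not do what the subject `Fix code phrase for NOT` describes; this file marks code terms with backticks (`secrets`, `category`, `aws_lb`), and PATCH 2/5 already had `NOT` in backticks. Since the YAML key in the example is the lowercase `not`, writing it as `not` in backticks would match the example exactly.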