ENG-14743: Fix repo level policy examples (#605)

* ENG-14743: Fix repo level policy examples

* bump dependencies

* update changelog

* fix release date

CHANGELOG.md

@@ -1,3 +1,13 @@
+## 4.16.1 (January 7, 2025)
+
+### Improvements:
+
+- ENG-14743: Bump all dependencies ([#605](https://github.com/cyralinc/terraform-provider-cyral/pull/605))
+
+### Documentation:
+
+- ENG-14743: Fix repo level policy examples ([#605](https://github.com/cyralinc/terraform-provider-cyral/pull/605))
+
 ## 4.16.0 (January 2, 2025)
 
 It is safe to use this version with all `v4` control planes as long
@@ -11,11 +21,11 @@ Data source incompatible with control planes previous to `v4.18`:
 
 - `cyral_policy_wizards`
 
-## Features:
+### Features:
 
 - ENG-14612: Implement cyral_policy_wizards datasource ([#593](https://github.com/cyralinc/terraform-provider-cyral/pull/593))
 
-## Improvements:
+### Improvements:
 
 - Bump golang.org/x/crypto from 0.30.0 to 0.31.0 ([#590](https://github.com/cyralinc/terraform-provider-cyral/pull/590))
 - Bump google.golang.org/grpc from 1.68.1 to 1.69.0 ([#592](https://github.com/cyralinc/terraform-provider-cyral/pull/592))

docs/guides/repo_level_policy.md

@@ -36,7 +36,7 @@ resource "cyral_policy_set" "data_firewall_policy" {
   name        = "data firewall policy"
   description = "Returns only data where finance.cards.country = 'US' in table 'finance.cards' for users not in 'Admin' group"
   wizard_id   = "data-firewall"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "dataset" = "finance.cards"
       "dataFilter" = " finance.cards.country = 'US' "
@@ -74,7 +74,7 @@ resource "cyral_policy_set" "data_masking_policy" {
   name        = "data masking policy"
   description = "Apply null masking to any data labeled as CCN for users in group 'Marketing'"
   wizard_id   = "data-masking"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "maskType" = "null"
       "labels" = ["CCN"]
@@ -111,7 +111,7 @@ resource "cyral_policy_set" "data_protection_policy" {
   name        = "data protection policy"
   description = "Raise an alert and block updates and deletes on label CCN"
   wizard_id   = "data-protection"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "block" = true
       "alertSeverity" = "high"
@@ -150,7 +150,7 @@ resource "cyral_policy_set" "rate_limit_policy" {
   name        = "rate limit policy"
   description = "Raise an alert and set a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"
   wizard_id   = "rate-limit"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "rateLimit" = 500
       "enforce" = true
@@ -189,7 +189,7 @@ resource "cyral_policy_set" "read_limit_policy" {
   name        = "read limit policy"
   description = "Limits to 100 the amount of rows that can be read per query on the entire repository for group 'Devs'"
   wizard_id   = "read-limit"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "rowLimit" = 100
       "enforce" = true
@@ -226,7 +226,7 @@ resource "cyral_policy_set" "repository_protection_policy" {
   name        = "repository protection policy"
   description = "Alert if more than 100 rows are updated or deleted per query on all repository data by anyone except group 'Admin'"
   wizard_id   = "repository-protection"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "rowLimit" = 100
       "datasets" = "*"
@@ -263,7 +263,7 @@ resource "cyral_policy_set" "service_account_abuse_policy" {
   name        = "service account abuse policy"
   description = "Alert and block whenever the service accounts john is used without end user attribution"
   wizard_id   = "service-account-abuse"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "block" = true
       "alertSeverity" = "high"
@@ -300,7 +300,7 @@ resource "cyral_policy_set" "user_segmentation_policy" {
   name        = "user segmentation policy"
   description = "Filter table 'finance.cards' when users in group 'Marketing' read label CCN, returning only data where finance.cards.country = 'US'"
   wizard_id   = "user-segmentation"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "dataset" = "finance.cards"
       "dataFilter" = " finance.cards.country = 'US' "

docs/resources/rego_policy_instance.md

@@ -11,11 +11,24 @@ Manages a Rego Policy instance.
 ```terraform
 ### Global rego policy instance
 resource "cyral_rego_policy_instance" "policy" {
-  name = "some-rate-limit-policy"
+  name = "User Management"
   category = "SECURITY"
-  description = "Some policy description."
-  template_id = "rate-limit"
-  parameters = "{\"rateLimit\":7,\"labels\":[\"EMAIL\"],\"alertSeverity\":\"high\",\"block\":false,\"identities\":{\"included\":{\"groups\":[\"analysts\"]}},\"dbAccounts\":{\"included\":[\"admin\"]}}"
+  description = "Policy to govern user management operations"
+  template_id = "object-protection"
+  parameters = jsonencode(
+    {
+      "objectType" = "role/user"
+      "block" = true
+      "monitorCreates" = true
+      "monitorAlters" = true
+      "monitorDrops" = true
+      "identities" = {
+        "excluded" = {
+          "groups" = ["dba"]
+        }
+      }
+    }
+  )
   enabled = true
   tags = ["tag1", "tag2"]
 }
@@ -40,11 +53,24 @@ resource "cyral_repository" "repo" {
 }
 
 resource "cyral_rego_policy_instance" "policy" {
-  name = "some-data-masking-policy"
+  name = "User Management"
   category = "SECURITY"
-  description = "Some policy description."
-  template_id = "data-masking"
-  parameters = "{\"labels\":[\"ADDRESS\"],\"maskType\":\"NULL_MASK\"}"
+  description = "Policy to govern user management operations"
+  template_id = "object-protection"
+  parameters = jsonencode(
+    {
+      "objectType" = "role/user"
+      "block" = true
+      "monitorCreates" = true
+      "monitorAlters" = true
+      "monitorDrops" = true
+      "identities" = {
+        "excluded" = {
+          "groups" = ["dba"]
+        }
+      }
+    }
+  )
   enabled = true
   scope {
     repo_ids = [cyral_repository.repo.id]
@@ -54,11 +80,24 @@ resource "cyral_rego_policy_instance" "policy" {
 
 ### Rego policy instance with duration
 resource "cyral_rego_policy_instance" "policy" {
-  name = "some-data-masking-policy"
+  name = "User Management"
   category = "SECURITY"
-  description = "Some policy description."
-  template_id = "data-masking"
-  parameters = "{\"labels\":[\"ADDRESS\"],\"maskType\":\"NULL_MASK\"}"
+  description = "Policy to govern user management operations"
+  template_id = "object-protection"
+  parameters = jsonencode(
+    {
+      "objectType" = "role/user"
+      "block" = true
+      "monitorCreates" = true
+      "monitorAlters" = true
+      "monitorDrops" = true
+      "identities" = {
+        "excluded" = {
+          "groups" = ["dba"]
+        }
+      }
+    }
+  )
   enabled = true
   tags = ["tag1", "tag2"]
   duration = "10s"

examples/guides/repo_level_policies/data_firewall.tf

@@ -16,7 +16,7 @@ resource "cyral_policy_set" "data_firewall_policy" {
   name        = "data firewall policy"
   description = "Returns only data where finance.cards.country = 'US' in table 'finance.cards' for users not in 'Admin' group"
   wizard_id   = "data-firewall"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "dataset" = "finance.cards"
       "dataFilter" = " finance.cards.country = 'US' "

examples/guides/repo_level_policies/data_masking.tf

@@ -15,7 +15,7 @@ resource "cyral_policy_set" "data_masking_policy" {
   name        = "data masking policy"
   description = "Apply null masking to any data labeled as CCN for users in group 'Marketing'"
   wizard_id   = "data-masking"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "maskType" = "null"
       "labels" = ["CCN"]

examples/guides/repo_level_policies/data_protection.tf

@@ -15,7 +15,7 @@ resource "cyral_policy_set" "data_protection_policy" {
   name        = "data protection policy"
   description = "Raise an alert and block updates and deletes on label CCN"
   wizard_id   = "data-protection"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "block" = true
       "alertSeverity" = "high"

examples/guides/repo_level_policies/rate_limit.tf

@@ -16,7 +16,7 @@ resource "cyral_policy_set" "rate_limit_policy" {
   name        = "rate limit policy"
   description = "Raise an alert and set a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"
   wizard_id   = "rate-limit"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "rateLimit" = 500
       "enforce" = true

examples/guides/repo_level_policies/read_limit.tf

@@ -16,7 +16,7 @@ resource "cyral_policy_set" "read_limit_policy" {
   name        = "read limit policy"
   description = "Limits to 100 the amount of rows that can be read per query on the entire repository for group 'Devs'"
   wizard_id   = "read-limit"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "rowLimit" = 100
       "enforce" = true

examples/guides/repo_level_policies/repository_protection.tf

@@ -15,7 +15,7 @@ resource "cyral_policy_set" "repository_protection_policy" {
   name        = "repository protection policy"
   description = "Alert if more than 100 rows are updated or deleted per query on all repository data by anyone except group 'Admin'"
   wizard_id   = "repository-protection"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "rowLimit" = 100
       "datasets" = "*"

examples/guides/repo_level_policies/service_account_abuse.tf

@@ -15,7 +15,7 @@ resource "cyral_policy_set" "service_account_abuse_policy" {
   name        = "service account abuse policy"
   description = "Alert and block whenever the service accounts john is used without end user attribution"
   wizard_id   = "service-account-abuse"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "block" = true
       "alertSeverity" = "high"

examples/guides/repo_level_policies/user_segmentation.tf

@@ -16,7 +16,7 @@ resource "cyral_policy_set" "user_segmentation_policy" {
   name        = "user segmentation policy"
   description = "Filter table 'finance.cards' when users in group 'Marketing' read label CCN, returning only data where finance.cards.country = 'US'"
   wizard_id   = "user-segmentation"
-  parameters  = jsonencode(
+  wizard_parameters  = jsonencode(
     {
       "dataset" = "finance.cards"
       "dataFilter" = " finance.cards.country = 'US' "

examples/resources/cyral_rego_policy_instance/resource.tf

@@ -1,10 +1,23 @@
 ### Global rego policy instance
 resource "cyral_rego_policy_instance" "policy" {
-  name = "some-rate-limit-policy"
+  name = "User Management"
   category = "SECURITY"
-  description = "Some policy description."
-  template_id = "rate-limit"
-  parameters = "{\"rateLimit\":7,\"labels\":[\"EMAIL\"],\"alertSeverity\":\"high\",\"block\":false,\"identities\":{\"included\":{\"groups\":[\"analysts\"]}},\"dbAccounts\":{\"included\":[\"admin\"]}}"
+  description = "Policy to govern user management operations"
+  template_id = "object-protection"
+  parameters = jsonencode(
+    {
+      "objectType" = "role/user"
+      "block" = true
+      "monitorCreates" = true
+      "monitorAlters" = true
+      "monitorDrops" = true
+      "identities" = {
+        "excluded" = {
+          "groups" = ["dba"]
+        }
+      }
+    }
+  )
   enabled = true
   tags = ["tag1", "tag2"]
 }
@@ -29,11 +42,24 @@ resource "cyral_repository" "repo" {
 }
 
 resource "cyral_rego_policy_instance" "policy" {
-  name = "some-data-masking-policy"
+  name = "User Management"
   category = "SECURITY"
-  description = "Some policy description."
-  template_id = "data-masking"
-  parameters = "{\"labels\":[\"ADDRESS\"],\"maskType\":\"NULL_MASK\"}"
+  description = "Policy to govern user management operations"
+  template_id = "object-protection"
+  parameters = jsonencode(
+    {
+      "objectType" = "role/user"
+      "block" = true
+      "monitorCreates" = true
+      "monitorAlters" = true
+      "monitorDrops" = true
+      "identities" = {
+        "excluded" = {
+          "groups" = ["dba"]
+        }
+      }
+    }
+  )
   enabled = true
   scope {
     repo_ids = [cyral_repository.repo.id]
@@ -43,11 +69,24 @@ resource "cyral_rego_policy_instance" "policy" {
 
 ### Rego policy instance with duration
 resource "cyral_rego_policy_instance" "policy" {
-  name = "some-data-masking-policy"
+  name = "User Management"
   category = "SECURITY"
-  description = "Some policy description."
-  template_id = "data-masking"
-  parameters = "{\"labels\":[\"ADDRESS\"],\"maskType\":\"NULL_MASK\"}"
+  description = "Policy to govern user management operations"
+  template_id = "object-protection"
+  parameters = jsonencode(
+    {
+      "objectType" = "role/user"
+      "block" = true
+      "monitorCreates" = true
+      "monitorAlters" = true
+      "monitorDrops" = true
+      "identities" = {
+        "excluded" = {
+          "groups" = ["dba"]
+        }
+      }
+    }
+  )
   enabled = true
   tags = ["tag1", "tag2"]
   duration = "10s"

go.mod

@@ -13,8 +13,8 @@ require (
 	github.com/hashicorp/terraform-plugin-log v0.9.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.35.0
 	github.com/stretchr/testify v1.10.0
-	golang.org/x/exp v0.0.0-20241217172543-b2144cdd0a67
-	golang.org/x/oauth2 v0.24.0
+	golang.org/x/exp v0.0.0-20250106191152-7588d65b2ba8
+	golang.org/x/oauth2 v0.25.0
 	google.golang.org/grpc v1.69.2
 	google.golang.org/protobuf v1.36.1
 )
@@ -51,7 +51,7 @@ require (
 	github.com/hashicorp/go-retryablehttp v0.7.7 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
-	github.com/hashicorp/hc-install v0.9.0 // indirect
+	github.com/hashicorp/hc-install v0.9.1 // indirect
 	github.com/hashicorp/hcl/v2 v2.23.0 // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect
 	github.com/hashicorp/terraform-exec v0.21.0 // indirect
@@ -80,18 +80,18 @@ require (
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
 	github.com/yuin/goldmark v1.7.1 // indirect
 	github.com/yuin/goldmark-meta v1.1.0 // indirect
-	github.com/zclconf/go-cty v1.15.1 // indirect
+	github.com/zclconf/go-cty v1.16.0 // indirect
 	go.abhg.dev/goldmark/frontmatter v0.2.0 // indirect
-	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/crypto v0.32.0 // indirect
 	golang.org/x/mod v0.22.0 // indirect
-	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/net v0.34.0 // indirect
 	golang.org/x/sync v0.10.0 // indirect
-	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/sys v0.29.0 // indirect
 	golang.org/x/text v0.21.0 // indirect
-	golang.org/x/tools v0.28.0 // indirect
+	golang.org/x/tools v0.29.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
-	google.golang.org/genproto/googleapis/api v0.0.0-20241223144023-3abc09e42ca8 // indirect
-	google.golang.org/genproto/googleapis/rpc v0.0.0-20241223144023-3abc09e42ca8 // indirect
+	google.golang.org/genproto/googleapis/api v0.0.0-20250106144421-5f5ef82da422 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20250106144421-5f5ef82da422 // indirect
 	gopkg.in/yaml.v2 v2.3.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )