ENG-14573: Add knowledge of mask_all_occurrences config field (#580)

* ENG-14573: Add knowledge of mask_all_occurrences config field * Update cyral/internal/repository/confanalysis/resource.go Co-authored-by: Wilson de Carvalho <[email protected]> * Update cyral/internal/repository/confanalysis/resource.go Co-authored-by: Wilson de Carvalho <[email protected]> * Fix invalid code * run make docker-compose/docs and pre-commit --------- Co-authored-by: Wilson de Carvalho <[email protected]>
cyralinc · Nov 27, 2024 · 39635f2 · 39635f2
1 parent 84614d4
commit 39635f2
Show file tree

Hide file tree

Showing 5 changed files with 20 additions and 0 deletions.
diff --git a/cyral/internal/repository/confanalysis/model.go b/cyral/internal/repository/confanalysis/model.go
@@ -20,6 +20,7 @@ type UserConfig struct {
 	DisableFilterAnalysis      bool     `json:"disableFilterAnalysis"`
 	DisablePreConfiguredAlerts bool     `json:"disablePreConfiguredAlerts"`
 	EnableDataMasking          bool     `json:"enableDataMasking"`
+	MaskAllOccurrences         bool     `json:"maskAllOccurrences"`
 	LogGroups                  []string `json:"logGroups,omitempty"`
 	Redact                     string   `json:"redact"`
 	EnableDatasetRewrites      bool     `json:"enableDatasetRewrites"`
@@ -49,6 +50,7 @@ func (r *UserConfig) WriteToSchema(d *schema.ResourceData) error {
 	d.Set("disable_filter_analysis", r.DisableFilterAnalysis)
 	d.Set("disable_pre_configured_alerts", r.DisablePreConfiguredAlerts)
 	d.Set("enable_data_masking", r.EnableDataMasking)
+	d.Set("mask_all_occurrences", r.MaskAllOccurrences)
 	d.Set("log_groups", logGroupsSet)
 	d.Set("redact", r.Redact)
 	d.Set("enable_dataset_rewrites", r.EnableDatasetRewrites)
@@ -80,6 +82,7 @@ func (r *UserConfig) ReadFromSchema(d *schema.ResourceData) error {
 	r.DisableFilterAnalysis = d.Get("disable_filter_analysis").(bool)
 	r.DisablePreConfiguredAlerts = d.Get("disable_pre_configured_alerts").(bool)
 	r.EnableDataMasking = d.Get("enable_data_masking").(bool)
+	r.MaskAllOccurrences = d.Get("mask_all_occurrences").(bool)
 	r.CommentAnnotationGroups = annotationGroups
 	r.LogGroups = logGroups
 	r.Redact = d.Get("redact").(string)

diff --git a/cyral/internal/repository/confanalysis/resource.go b/cyral/internal/repository/confanalysis/resource.go
@@ -121,6 +121,16 @@ func repositoryConfAnalysisResourceSchemaV0() *schema.Resource {
 				Type:     schema.TypeBool,
 				Optional: true,
 			},
+			"mask_all_occurrences": {
+				Description: "If set to `true` it will also mask filtering conditions like in" +
+					" `WHERE`, `HAVING` or `ON` clauses. **Note**: Enabling this may cause some" +
+					" performance degradation on large tables. It is required to set" +
+					" `enable_data_masking=true` to use this feature.",
+				Type:         schema.TypeBool,
+				Optional:     true,
+				Default:      false,
+				RequiredWith: []string{"enable_data_masking"},
+			},
 			"block_on_violation": {
 				Description: "If set to `true` it will enable query blocking in case of a " +
 					"policy violation.",

diff --git a/cyral/internal/repository/confanalysis/resource_test.go b/cyral/internal/repository/confanalysis/resource_test.go
@@ -136,6 +136,8 @@ func testAccRepoConfAnalysisCheck_DefaultValues() resource.TestCheckFunc {
 			"disable_pre_configured_alerts", "false"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"enable_data_masking", "false"),
+		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
+			"mask_all_occurrences", "false"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"log_groups.#", "0"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",

diff --git a/docs/resources/repository_conf_analysis.md b/docs/resources/repository_conf_analysis.md
@@ -23,6 +23,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
   disable_filter_analysis = false
   enable_dataset_rewrites = true
   enable_data_masking = true
+  mask_all_occurrences = true
   comment_annotation_groups = [ "identity" ]
   log_groups = [ "everything" ]
 }
@@ -37,6 +38,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   disable_filter_analysis = true
   enable_dataset_rewrites = false
   enable_data_masking = false
+  mask_all_occurrences = false
   comment_annotation_groups = []
   log_groups = []
 }
@@ -79,6 +81,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
     -   `error` - Log analysis errors.
     -   `new-connections` - Log new connections.
     -   `closed-connections` - Log closed connections.
+-   `mask_all_occurrences` (Boolean) If set to `true` it will also mask filtering conditions like in `WHERE`, `HAVING` or `ON` clauses. **Note**: Enabling this may cause some performance degradation on large tables. It is required to set `enable_data_masking=true` to use this feature.
 -   `redact` (String) Valid values are: `all`, `none` and `watched`. If set to `all` it will enable the redact of all literal values, `none` will disable it, and `watched` will only redact values from tracked fields set in the Datamap.
 
 ### Read-Only

diff --git a/examples/resources/cyral_repository_conf_analysis/resource.tf b/examples/resources/cyral_repository_conf_analysis/resource.tf
@@ -9,6 +9,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
   disable_filter_analysis = false
   enable_dataset_rewrites = true
   enable_data_masking = true
+  mask_all_occurrences = true
   comment_annotation_groups = [ "identity" ]
   log_groups = [ "everything" ]
 }
@@ -23,6 +24,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   disable_filter_analysis = true
   enable_dataset_rewrites = false
   enable_data_masking = false
+  mask_all_occurrences = false
   comment_annotation_groups = []
   log_groups = []
 }