ENG-14702: Update documentation for repo level policies

docs/guides/repo_level_policy.md

@@ -1,20 +1,17 @@
 ---
-page_title: "Setup repo-level policy"
+page_title: "Setup repo-level policies"
 ---
 
-Cyral offers several pre-built [repo-level policy types](https://cyral.com/docs/policy/repo-level/).
-In this guide, we provide different examples on how to use them.
+Cyral offers several [policy wizards](https://cyral.com/docs/policy/repo-level/).
+These wizards generate policies for common use cases based on the parameters you provide. The created policies are part of a _policy set_.
+This guide shows how to define policy sets that use these wizards to create policies in Terraform.
 
 Recommended further reading:
 
 -   Refer to the [Cyral policies](https://cyral.com/docs/policy/overview/) page in our public
     docs for a complete documentation about the Cyral policy framework.
 -   Refer to the [`cyral_policy_set`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/policy_set)
     resource for more details about how to create policy sets in Terraform.
-    and how to use the pre-built repo-level policies in Terraform.
--   Refer to the [`cyral_rego_policy_instance`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance)
-    resource for more details about the [template parameters](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/rego_policy_instance#template-parameters)
-    and how to use the pre-built repo-level policies in Terraform.
 
 ## Example: data firewall
 
@@ -32,15 +29,21 @@ resource "cyral_repository" "mysql1" {
   }
 }
 
-# Creates a policy instance from template to filter table
+# Creates a policy set using the data firewall wizard to filter table
 # 'finance.cards', returning only data where
 # finance.cards.country = 'US' for users not in 'Admin' group
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "data-firewall-policy"
-  category    = "SECURITY"
+resource "cyral_policy_set" "data_firewall_policy" {
+  name        = "data firewall policy"
   description = "Returns only data where finance.cards.country = 'US' in table 'finance.cards' for users not in 'Admin' group"
-  template_id = "data-firewall"
-  parameters  = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
+  wizard_id   = "data-firewall"
+  parameters  = jsonencode(
+    {
+      "dataSet" = "finance.cards"
+      "dataFilter" = " finance.cards.country = 'US' "
+      "labels" = ["CCN"]
+      "excludedIdentities" = { "groups" = ["Admin"] }
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.mysql1.id]
@@ -65,14 +68,19 @@ resource "cyral_repository" "mysql1" {
   }
 }
 
-# Creates a policy instance from template to apply null masking to
+# Creates a policy set using the data masking wizard to apply null masking to
 # any data labeled as CCN for users in group 'Marketing'
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "data-masking-policy"
-  category    = "SECURITY"
+resource "cyral_policy_set" "data_masking_policy" {
+  name        = "data masking policy"
   description = "Apply null masking to any data labeled as CCN for users in group 'Marketing'"
-  template_id = "data-masking"
-  parameters  = "{ \"maskType\": \"NULL_MASK\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+  wizard_id   = "data-masking"
+  parameters  = jsonencode(
+    {
+      "maskType" = "null"
+      "labels" = ["CCN"]
+      "identities" = { "included": { "groups" = ["Marketing"] } }
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.mysql1.id]
@@ -97,14 +105,20 @@ resource "cyral_repository" "mysql1" {
   }
 }
 
-# Creates a policy instance from template to raise a 'high' alert
-# and block updates and deletes on label CCN
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "data-protection-policy"
-  category    = "SECURITY"
-  description = "Raise a 'high' alert and block updates and deletes on label CCN"
-  template_id = "data-protection"
-  parameters  = "{ \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"labels\": [\"CCN\"]}"
+# Creates a policy set using the data protection wizard to raise
+# an alert and block updates and deletes on label CCN
+resource "cyral_policy_set" "data_protection_policy" {
+  name        = "data protection policy"
+  description = "Raise an alert and block updates and deletes on label CCN"
+  wizard_id   = "data-protection"
+  parameters  = jsonencode(
+    {
+      "block" = true
+      "alertSeverity" = "high"
+      "governedOperations" = ["update", "delete"]
+      "labels" = ["CCN"]
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.mysql1.id]
@@ -129,15 +143,21 @@ resource "cyral_repository" "pg1" {
   }
 }
 
-# Creates a policy instance from template to raise a 'high' alert
+# Creates a policy set using the rate limit wizard to raise an alert
 # and set a rate limit of 500 rows per hour for group 'Marketing'
 # and any data labeled as CCN
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "rate-limit-policy"
-  category    = "SECURITY"
-  description = "Raise a 'high' alert and set a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"
-  template_id = "rate-limit"
-  parameters  = "{ \"rateLimit\": 500, \"block\": true, \"alertSeverity\": \"high\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+resource "cyral_policy_set" "rate_limit_policy" {
+  name        = "rate limit policy"
+  description = "Raise an alert and set a rate limit of 500 rows per hour for group 'Marketing' and any data labeled as CCN"
+  wizard_id   = "rate-limit"
+  parameters  = jsonencode(
+    {
+      "rateLimit" = 500
+      "enforce" = true
+      "labels" = ["CCN"]
+      "identities" = { "included": { "groups" = ["Marketing"] } }
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.pg1.id]
@@ -162,15 +182,21 @@ resource "cyral_repository" "pg1" {
   }
 }
 
-# Creates a policy instance from template to limits to 100 the
+# Creates a policy set using the read limit wizard to limits to 100 the
 # amount of rows that can be read per query on the entire
 # repository for group 'Devs'
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "read-limit-policy"
-  category    = "SECURITY"
+resource "cyral_policy_set" "read_limit_policy" {
+  name        = "read limit policy"
   description = "Limits to 100 the amount of rows that can be read per query on the entire repository for group 'Devs'"
-  template_id = "read-limit"
-  parameters  = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"appliesToAllData\": true, \"identities\": { \"included\": { \"groups\": [\"Devs\"] } }}"
+  wizard_id   = "read-limit"
+  parameters  = jsonencode(
+    {
+      "rowLimit" = 100
+      "enforce" = true
+      "datasets" = "*"
+      "identities" = { "included": { "groups" = ["Devs"] } }
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.pg1.id]
@@ -194,15 +220,20 @@ resource "cyral_repository" "mysql1" {
   }
 }
 
-# Creates a policy instance from template to limits to 100 the
-# amount of rows that can be updated or deleted per query on
-# all repository data for anyone except group 'Admin'
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "repository-protection-policy"
-  category    = "SECURITY"
-  description = "Limits to 100 the amount of rows that can be updated or deleted per query on all repository data for anyone except group 'Admin'"
-  template_id = "repository-protection"
-  parameters  = "{ \"rowLimit\": 100, \"block\": true, \"alertSeverity\": \"high\", \"monitorUpdates\": true, \"monitorDeletes\": true, \"identities\": { \"excluded\": { \"groups\": [\"Admin\"] } }}"
+# Creates a policy set using the repository protection wizard to alert if more than
+# 100 rows are updated or deleted per query on all repository data by anyone except group 'Admin'
+resource "cyral_policy_set" "repository_protection_policy" {
+  name        = "repository protection policy"
+  description = "Alert if more than 100 rows are updated or deleted per query on all repository data by anyone except group 'Admin'"
+  wizard_id   = "repository-protection"
+  parameters  = jsonencode(
+    {
+      "rowLimit" = 100
+      "datasets" = "*"
+      "governedOperations" = ["update", "delete"]
+      "identities" = { "excluded": { "groups" = ["Admin"] } }
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.mysql1.id]
@@ -226,16 +257,19 @@ resource "cyral_repository" "pg1" {
   }
 }
 
-# Creates a policy instance from template to alert and block
-# whenever the following service accounts john try to read,
-# update, or delete data from the repository without end
-# user attribution.
-resource "cyral_rego_policy_instance" "policy" {
+# Creates a policy set using the service account abuse wizard to alert and block
+# whenever the service accounts john is used without end user attribution.
+resource "cyral_policy_set" "service_account_abuse_policy" {
   name        = "service account abuse policy"
-  category    = "SECURITY"
-  description = "Alert and block whenever the following service accounts john try to read, update, or delete data from the repository without end user attribution"
-  template_id = "service-account-abuse"
-  parameters  = "{ \"block\": true, \"alertSeverity\": \"high\", \"serviceAccounts\": [\"john\"]}"
+  description = "Alert and block whenever the service accounts john is used without end user attribution"
+  wizard_id   = "service-account-abuse"
+  parameters  = jsonencode(
+    {
+      "block" = true
+      "alertSeverity" = "high"
+      "serviceAccounts" = ["john"]
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.pg1.id]
@@ -259,15 +293,21 @@ resource "cyral_repository" "mysql1" {
   }
 }
 
-# Creates a policy instance from template to filter table
+# Creates a policy set using the user segmentation wizard to filter table
 # 'finance.cards' when users in group 'Marketing' read label
 # CCN, returning only data where finance.cards.country = 'US'
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "user-segmentation-policy"
-  category    = "SECURITY"
+resource "cyral_policy_set" "user_segmentation_policy" {
+  name        = "user segmentation policy"
   description = "Filter table 'finance.cards' when users in group 'Marketing' read label CCN, returning only data where finance.cards.country = 'US'"
-  template_id = "user-segmentation"
-  parameters  = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"includedIdentities\": { \"groups\": [\"Marketing\"] } }"
+  wizard_id   = "user-segmentation"
+  parameters  = jsonencode(
+    {
+      "dataSet" = "finance.cards"
+      "dataFilter" = " finance.cards.country = 'US' "
+      "labels" = ["CCN"]
+      "includedIdentities" = { "groups" = ["Marketing"] }
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.mysql1.id]

docs/resources/rego_policy_instance.md

@@ -71,26 +71,49 @@ All templates use parameters defined as JSON, below is a list of all the corresp
 
 -> You can also use the Cyral API `GET` `/v1/regopolicies/templates` to retrieve all existing templates and their corresponding parameters schema.
 
-### Object Protection (object-protection)
+### Fail Closed (fail-closed) - Protect against statements that are not understood by Cyral.
+
+-   `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+-   `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+-   `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+-   `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+### Object Protection (object-protection) - Guards against operations like create, drop, and alter for specified object types.
 
 -   `objectType` (String) The type of object to monitor or protect. Supported types include tables, views, roles/users, and schemas. Specific actions depend on the object type.
--   `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented..
+-   `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
 -   `monitorCreates` (Boolean) Specifies whether to monitor 'CREATE' operations for the defined object type. Applies only to relevant object types.
 -   `monitorDrops` (Boolean) Specifies whether to monitor 'DROP' operations for the defined object type. Applies only to relevant object types.
 -   `monitorAlters` (Boolean) Specifies whether to monitor 'ALTER' operations for the defined object type. Applies only to relevant object types.
 -   `objects` (Array) A list of specific objects (e.g., tables or views) to monitor or protect. Required for 'table' or 'view' object types. Not applicable to 'role/user' or 'schema'.
--   `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy.
--   `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it.
+-   `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+-   `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+-   `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
 
-### Service Account Abuse (service-account-abuse)
+### Service Account Abuse (service-account-abuse) - Ensure service accounts can only be used by intended applications.
 
 -   `block` (Boolean) Policy action to enforce.
 -   `serviceAccounts` (Array) Service accounts for which end user attribution is always required.
 -   `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
 
+### Stored Procedure Governance (stored-procedure-governance) - Restrict execution of stored procedures.
+
+-   `governedProcedures` (Array) List of stored procedures to be governed.
+-   `enforce` (Boolean) Whether to enforce the policy, if false, only alerts will be raised on policy violations.
+-   `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+-   `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+-   `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
+### Ungoverned Statements (ungoverned-statements) - Control execution of statements not governed by other policies.
+
+-   `block` (Boolean) Indicates whether unauthorized operations should be blocked. If true, operations violating the policy are prevented.
+-   `identities` (Object) Defines users, groups, or emails that are included or excluded from the policy. If included identities are defined, only those users are exempt from policy enforcement. Excluded identities are always subject to the policy. See [identities](#objects--identities).
+-   `dbAccounts` (Object) Defines database accounts to include or exclude from the policy. Excluded accounts are not subject to the policy, while included accounts must adhere to it. See [dbAccounts](#objects--dbAccounts).
+-   `alertSeverity` (String) Policy action to alert, using the respective severity. Allowed values are: `low`, `medium`, `high`.
+
 ### Deprecated policy templates
 
-The remaining list of policy templates are deprecated an can not be used for creating new policies.
+The remaining list of policy templates are deprecated and can not be used for creating new policies.
 Manage existing policy instances is still supported.
 Please visit [`cyral_policy_set`](https://registry.terraform.io/providers/cyralinc/cyral/latest/docs/resources/policy_set) resource to find replacements for the deprecated policy templates.
 

examples/guides/repo_level_policies/data_firewall.tf

@@ -9,15 +9,21 @@ resource "cyral_repository" "mysql1" {
   }
 }
 
-# Creates a policy instance from template to filter table
+# Creates a policy set using the data firewall wizard to filter table
 # 'finance.cards', returning only data where
 # finance.cards.country = 'US' for users not in 'Admin' group
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "data-firewall-policy"
-  category    = "SECURITY"
+resource "cyral_policy_set" "data_firewall_policy" {
+  name        = "data firewall policy"
   description = "Returns only data where finance.cards.country = 'US' in table 'finance.cards' for users not in 'Admin' group"
-  template_id = "data-firewall"
-  parameters  = "{ \"dataSet\": \"finance.cards\", \"dataFilter\": \" finance.cards.country = 'US' \", \"labels\": [\"CCN\"], \"excludedIdentities\": { \"groups\": [\"Admin\"] } }"
+  wizard_id   = "data-firewall"
+  parameters  = jsonencode(
+    {
+      "dataSet" = "finance.cards"
+      "dataFilter" = " finance.cards.country = 'US' "
+      "labels" = ["CCN"]
+      "excludedIdentities" = { "groups" = ["Admin"] }
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.mysql1.id]

examples/guides/repo_level_policies/data_masking.tf

@@ -9,14 +9,19 @@ resource "cyral_repository" "mysql1" {
   }
 }
 
-# Creates a policy instance from template to apply null masking to
+# Creates a policy set using the data masking wizard to apply null masking to
 # any data labeled as CCN for users in group 'Marketing'
-resource "cyral_rego_policy_instance" "policy" {
-  name        = "data-masking-policy"
-  category    = "SECURITY"
+resource "cyral_policy_set" "data_masking_policy" {
+  name        = "data masking policy"
   description = "Apply null masking to any data labeled as CCN for users in group 'Marketing'"
-  template_id = "data-masking"
-  parameters  = "{ \"maskType\": \"NULL_MASK\", \"labels\": [\"CCN\"], \"identities\": { \"included\": { \"groups\": [\"Marketing\"] } }}"
+  wizard_id   = "data-masking"
+  parameters  = jsonencode(
+    {
+      "maskType" = "null"
+      "labels" = ["CCN"]
+      "identities" = { "included": { "groups" = ["Marketing"] } }
+    }
+  )
   enabled     = true
   scope {
     repo_ids = [cyral_repository.mysql1.id]