DEV Community

Artem
Artem

Posted on • Updated on

Starting with Terraform Provider | Prisma Cloud Compute

Automating your security is crucial, especially for companies operating in the cloud! I have recently made a video tutorial on how to use Terraform provider for Prisma Cloud Compute.

It would help anyone using Palo Alto Network's security platform to start building automation around their security practices.

I will include code snippets from this tutorial below:

creds.json

{
  "username": "test",
  "password": "test",
  "console_url": "https://192.168.64.2:32677"
}
Enter fullscreen mode Exit fullscreen mode

main.tf

terraform {
  required_providers {
    prismacloudcompute = {
      source = "PaloAltoNetworks/prismacloudcompute"
      version = "0.1.0"
    }
  }
}

provider "prismacloudcompute" {
  config_file = "creds.json"
}

resource "prismacloudcompute_collection" "node_alpine" {
  name              = "node-alpine-collection"
  description       = "Collection for Node images based on Alpine"
  color             = "#68A063"
  application_ids   = ["*"]
  code_repositories = ["*"]
  images            = ["node:17-alpine3.12", "*/node:17-alpine3.12"]
  labels            = ["*"]
  namespaces        = ["*"]
}
resource "prismacloudcompute_ci_image_vulnerability_policy" "ruleset" {
  depends_on = [
    prismacloudcompute_collection.node_alpine,
  ]

  rule {
    collections = [
      prismacloudcompute_collection.node_alpine.name,
    ]
    disabled   = false
    effect     = "alert, block"
    grace_days = 30
    name       = "${prismacloudcompute_collection.node_alpine.name}-ci-policy"
    notes      = "CI policy for ${prismacloudcompute_collection.node_alpine.name}"
    only_fixed = true
    verbose    = false

    alert_threshold {
      disabled = false
      value    = 1
    }

    block_threshold {
      enabled = true
      value   = 2
    }

    cve_rule {
      description = "Ignore ansi-regex"
      effect      = "ignore"
      id          = "CVE-2021-3807"

      expiration {
        date    = "2022-01-06T06:00:00Z"
        enabled = true
      }
    }
    cve_rule {
      description = "Ignore busybox"
      effect      = "ignore"
      id          = "CVE-2021-28831"

      expiration {
        date    = "2022-01-06T06:00:00Z"
        enabled = true
      }
    }
  }

  rule {
    collections = [
      "All",
    ]
    disabled   = false
    effect     = "alert, block"
    grace_days = 30
    name       = "default"
    notes      = "Default policy for CI scans"
    only_fixed = true
    verbose    = false

    alert_threshold {
      disabled = false
      value    = 1
    }

    block_threshold {
      enabled = true
      value   = 2
    }
  }
}
Enter fullscreen mode Exit fullscreen mode

Top comments (0)