Closed pwlandoll closed 2 years ago
Example REST API call for creating a project policy below.
If the query parameter is not provided then a global policy is created.
Current behavior of the `xray_license_policy` and `xray_security_policy` resources is to create a global policy.
```bash
#!/bin/bash
host="https://artifactory.site.com"
user="username"
pass="password"
key="test"
post_data() {
  cat <<EOF
{
  "name": "test-policy",
  "type": "security",
  "rules": [
    {
      "name": "test-rule",
      "priority": 1,
      "actions": {
        "block_download": {
          "unscanned": true,
          "active": true
        }
      },
      "criteria": {
        "min_severity": "Low"
      }
    }
  ]
}
EOF
}
curl -i \
  -u "${user}:${pass}" \
  -H "Accept: application/json" \
  -H "Content-Type:application/json" \
  -X POST --data "$(post_data)" \
  "${host}/xray/api/v2/policies?projectKey=${key}"
```
Example REST API call for creating a project watch below.
If the query parameter is not provided then a global watch is created.
Current behavior of the `xray_watch` resource is to create a global watch.
```bash
#!/bin/bash
host="https://artifactory.site.com"
user="username"
pass="password"
key="test"
# Note: When creating a watch for a remote repository you have to use the remote repository cache name.
# i.e. test-remote-cache instead of test-remote.
# The REST API will return an error saying the test-remote repository does not exist.
# {"error":"Got invalid watch: repository test-remote doesn't exist"}
# This is undocumented or a bug in the REST API that needs to be fixed.
# If you get the list of watches using /api/v2/watches?projectKey=test the name of the remote repository will be test-remote instead of test-remote-cache.
post_data() {
  cat <<EOF
{
  "general_data": {
    "name": "test-watch",
    "active": true
  },
  "project_resources": {
    "resources": [
      {
        "type": "repository",
        "bin_mgr_id": "default",
        "name": "test-local"
      },
      {
        "type": "repository",
        "bin_mgr_id": "default",
        "name": "test-remote-cache"
      }
    ]
  },
  "assigned_policies": [
    {
      "name": "test-policy",
      "type": "security"
    }
  ],
  "watch_recipients":[]
}
EOF
}
curl -i \
  -u "${user}:${pass}" \
  -H "Accept: application/json" \
  -H "Content-Type:application/json" \
  -X POST --data "$(post_data)" \
  "${host}/xray/api/v2/watches?projectKey=${key}"
```
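As an added example (not part of the comment above and not JFrog's own code), a fail-closed wrapper for these two calls: it refuses to POST when the project key is empty, since per the comment that would create a global policy or watch, and it applies the `-cache` naming for remote repositories. The function names, the `XRAY_HOST`, `XRAY_USER` and `XRAY_PASS` environment variables, and the key character check are assumptions of this example.

```bash
#!/bin/bash
# Added example (not from the thread): fail closed instead of creating a global
# policy or watch when the project key is missing.

# Print the project-scoped endpoint, or fail for an empty or unsafe key.
scoped_url() {
  local host="$1" resource="$2" key="$3"
  local LC_ALL=C   # make the a-z range below match lowercase ASCII only
  case "$resource" in
    policies|watches) ;;
    *) echo "unsupported resource: $resource" >&2; return 2 ;;
  esac
  if [ -z "$key" ]; then
    echo "refusing: no projectKey, the $resource call would be global" >&2
    return 1
  fi
  # Assumption of this example: restrict the key to characters that cannot
  # add a second query parameter or need URL-encoding.
  case "$key" in
    *[!a-z0-9-]*) echo "refusing: unexpected character in projectKey" >&2; return 1 ;;
  esac
  printf '%s/xray/api/v2/%s?projectKey=%s\n' "${host%/}" "$resource" "$key"
}

# Per the comment above, a watch on a remote repository must name its cache
# (test-remote-cache, not test-remote).
watch_repo_name() {
  local name="$1" repo_type="$2"
  if [ "$repo_type" = "remote" ] && [ "${name%-cache}" = "$name" ]; then
    printf '%s-cache\n' "$name"
  else
    printf '%s\n' "$name"
  fi
}

# POST a JSON body file. XRAY_HOST, XRAY_USER and XRAY_PASS are hypothetical
# environment variables; the credentials go to curl on stdin, not in argv.
create_scoped() {
  local resource="$1" key="$2" body_file="$3" url
  url="$(scoped_url "${XRAY_HOST:?XRAY_HOST is not set}" "$resource" "$key")" || return 1
  curl -sS --fail -K - -X POST --data "@${body_file}" \
    -H "Accept: application/json" -H "Content-Type: application/json" \
    "$url" <<EOF
user = "${XRAY_USER}:${XRAY_PASS}"
EOF
}
```

Calling `create_scoped policies test policy.json` sends the request only after `scoped_url` has accepted the key, so an unset variable in a pipeline stops the run instead of widening the scope.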
Thanks @oallauddin I now see the additional query param for project key and understand what is required.
Our use case for Xray requires granting access to resources without the global "manage" permissions that would grant access to all Xray resources. To do this, we need to use the limited access granted with Projects to allow Xray resources to be created with the same limited access.
It appears that the Xray API provides the ability to create watches (see sample 5) and policies (see sample 4) in projects. From what I can tell, this is different than creating e.g. a watch that uses a watch resource of type `project`, since that would not grant users who have permissions in the project to manage the watch in the UI. So, we would like to be able to create Projects, grant users access to resources in that project, and create watches and policies in that project.
We would like to be able to do this all within Terraform. Right now, the `xray` provider does not support the `projectKey` query parameter that would allow this.
For example, using some sample code from the documentation:
See jfrog/terraform-provider-project#39 for previous discussion.