
Conversation

@vjeffrey (Contributor) commented Jul 12, 2025

fixed bug with creating exceptions

to test this, set jsonbase64 service account to your local dev and run:

terraform {
  required_providers {
    mondoo = {
      source  = "mondoohq/mondoo"
      version = ">= 0.21"
    }
  }
}
provider "mondoo" {
  endpoint = "http://localhost:8989"
  space    = "test-infallible-taussig-796596"
}

# Define the domains
resource "mondoo_integration_domain" "mondoo_com" {
  host  = "mondoo.com"
  http  = false
  https = true
}

resource "mondoo_integration_domain" "releases_mondoo_com" {
  host  = "releases.mondoo.com"
  http  = false
  https = true
}

resource "mondoo_integration_domain" "lunalectric_com" {
  host  = "lunalectric.com"
  http  = false
  https = true
}

resource "mondoo_integration_domain" "gitlab_lunalectric_com" {
  host  = "gitlab.lunalectric.com"
  http  = false
  https = true
}

# Define the policies and domains for assignment
resource "mondoo_policy_assignment" "domain_policies" {
  policies = [
    "//policy.api.mondoo.app/policies/mondoo-tls-security",
    "//policy.api.mondoo.app/policies/mondoo-dns-security",
    "//policy.api.mondoo.app/policies/mondoo-email-security",
    "//policy.api.mondoo.app/policies/mondoo-http-security"
  ]
}


resource "mondoo_policy_assignment" "cis_policy_assignment_enabled" {
  policies = [
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-10-l1-ce",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-10-l1-bl",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-11-l1-ce",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-11-l1-bl",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-server-2016-dc-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-server-2016-ms-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-server-2019-dc-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-server-2019-ms-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-server-2022-dc-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-windows-server-2022-ms-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-azure-windows-server-2019-dc-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-azure-windows-server-2019-ms-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-azure-windows-server-2022-dc-level-1",
    "//policy.api.mondoo.app/policies/cis-microsoft-azure-windows-server-2022-ms-level-1",
    "//policy.api.mondoo.app/policies/mondoo-edr-policy",
  ]

  state = "enabled"
}

# Set exceptions for Windows policies in the space
resource "mondoo_exception" "windows_defender_exception" {
  justification = "Windows Defender is disabled. Other EDR is used/configured instead."
  action        = "RISK_ACCEPTED"
  valid_until   = "2025-09-09"
  check_mrns = [
    "//policy.api.mondoo.app/queries/cis-microsoft-windows-10--18.10.42.5.1",
    "//policy.api.mondoo.app/queries/cis-microsoft-windows-11--18.10.42.5.1",
    "//policy.api.mondoo.app/queries/cis-microsoft-windows-server-2016--18.10.42.5.1",
    "//policy.api.mondoo.app/queries/cis-microsoft-windows-server-2019--18.10.42.5.1",
    "//policy.api.mondoo.app/queries/cis-microsoft-windows-server-2022--18.10.42.5.1",
  ]
  depends_on = [
    mondoo_policy_assignment.cis_policy_assignment_enabled
  ]
}

you'll see it fail. then check out this branch, run make install, make dev/enter, and remove any old tf state files and run this tf again, it'll work

added import

[Screenshot 2025-07-17 at 13 10 23]

more details

the update path is kinda wild. we didn't have exception ids exposed before, so it was search based. now that we have an id, that's much more ideal. but it means we have to ensure we account for that during the update path (which is why we check for exception id, then search for the exception and get the id if it's not present). the fallback there is that if we can't find the exception the user will need to import it.
since exception id is optional, the tf won't care about this as long as there are no changes to apply to the exception resource

i tested updating from older tf manually by installing version 0.23.0 locally, running the tf, and then getting on this branch version of the plugin and re-applying from there

@vjeffrey force-pushed the vj/exception-deletion branch 5 times, most recently from 7871358 to b6fcccb on July 12, 2025 22:15
@vjeffrey changed the title from "🧹 add createException api, add test" to "🧹 add createException api, deleteException api, add test" Jul 12, 2025
@vjeffrey vjeffrey marked this pull request as ready for review July 12, 2025 22:17
@vjeffrey vjeffrey requested a review from imilchev July 12, 2025 22:35
Action types.String `tfsdk:"action"`
CheckMrns types.List `tfsdk:"check_mrns"`
VulnerabilityMrns types.List `tfsdk:"vulnerability_mrns"`
ExceptionId types.String `tfsdk:"exception_id"`
Contributor:

what happens to existing state files where this doesn't exist

vjeffrey (author):

hmm. good question. i'll check

vjeffrey (author):

good call, i tested and that then would fail to delete the exception on update.
i'm implementing a change that will search for the exception if we don't have the exception id. if we search for it and find it, great.
if not, then my thought was we return an error to the user and then allow them to import the exception resource

vjeffrey (author):

ok. i tested this all out.

  • if a user has an exception in their state file and there are no changes between the rest of the data in the exception and the state file, the tf won't complain because the exception id is optional
  • if a user has an exception in their state file and there are changes between what exists and the state file, then the tf will trigger an update, which will now search for the exception, if found delete and recreate, if not found return error and instruct to import
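The update path described in the PR description above ("more details") and restated in the two bullets of this comment, as an added Go example that is not the provider's code: the `ExceptionAPI` interface, the in-memory `fakeAPI`, and matching a stateless exception on its action plus check MRNs are assumptions of this example (the PR does not say which fields the real search uses). It resolves the id from state when present, searches otherwise, returns an import error when nothing matches, and only then runs the delete-and-recreate update.

```go
package main

import (
	"errors"
	"fmt"
	"sort"
	"strings"
)

// ExceptionState is a constructed stand-in for the PR's resource model; the id is optional
// and empty in state files written before exception ids were exposed.
type ExceptionState struct {
	ExceptionID string
	Action      string // e.g. "RISK_ACCEPTED"
	CheckMrns   []string
}

// ExceptionAPI is a hypothetical client surface used only for this example.
type ExceptionAPI interface {
	ListExceptions(space string) ([]ExceptionState, error)
	DeleteException(space, id string) error
	CreateException(space string, st ExceptionState) (string, error)
}

// ErrNeedsImport is the PR's fallback: no id in state and no search hit means the user must import.
var ErrNeedsImport = errors.New("exception not found; import the mondoo_exception resource")

// mrnKey makes the check MRN list order-independent for comparison.
func mrnKey(mrns []string) string {
	c := append([]string(nil), mrns...)
	sort.Strings(c)
	return strings.Join(c, "\n")
}

// ResolveExceptionID returns the id from state when present and otherwise searches the space.
// Matching on action plus check MRNs is this example's assumption, not the provider's key.
func ResolveExceptionID(api ExceptionAPI, space string, st ExceptionState) (string, error) {
	if st.ExceptionID != "" {
		return st.ExceptionID, nil
	}
	list, err := api.ListExceptions(space)
	if err != nil {
		return "", fmt.Errorf("searching exceptions in %s: %w", space, err)
	}
	want := mrnKey(st.CheckMrns)
	for _, e := range list {
		if e.Action == st.Action && mrnKey(e.CheckMrns) == want {
			return e.ExceptionID, nil
		}
	}
	return "", ErrNeedsImport
}

// UpdateException is the delete-and-recreate path: resolve the old id, delete it,
// create the desired exception and return the new id to store in state.
func UpdateException(api ExceptionAPI, space string, prior, desired ExceptionState) (string, error) {
	id, err := ResolveExceptionID(api, space, prior)
	if err != nil {
		return "", err
	}
	if err := api.DeleteException(space, id); err != nil {
		return "", fmt.Errorf("deleting exception %s: %w", id, err)
	}
	return api.CreateException(space, desired)
}

// fakeAPI is an in-memory ExceptionAPI so the example runs offline.
type fakeAPI struct {
	exceptions map[string]ExceptionState
	nextID     int
}

func (f *fakeAPI) ListExceptions(string) ([]ExceptionState, error) {
	out := make([]ExceptionState, 0, len(f.exceptions))
	for _, e := range f.exceptions {
		out = append(out, e)
	}
	return out, nil
}

func (f *fakeAPI) DeleteException(_, id string) error {
	delete(f.exceptions, id)
	return nil
}

func (f *fakeAPI) CreateException(_ string, st ExceptionState) (string, error) {
	f.nextID++
	st.ExceptionID = fmt.Sprintf("exc-%d", f.nextID)
	f.exceptions[st.ExceptionID] = st
	return st.ExceptionID, nil
}

func main() {
	// Constructed sample: the exception exists server-side, but the state carries no id.
	mrn := "//policy.api.mondoo.app/queries/cis-microsoft-windows-10--18.10.42.5.1"
	api := &fakeAPI{exceptions: map[string]ExceptionState{"exc-old": {ExceptionID: "exc-old", Action: "RISK_ACCEPTED", CheckMrns: []string{mrn}}}}
	id, err := UpdateException(api, "test-space",
		ExceptionState{Action: "RISK_ACCEPTED", CheckMrns: []string{mrn}},  // prior state, no exception_id
		ExceptionState{Action: "FALSE_POSITIVE", CheckMrns: []string{mrn}}) // desired change
	fmt.Println(id, err) // exc-1 <nil>
}
```

The point of keeping `ErrNeedsImport` as a distinct error value is that the provider can surface an actionable message (import the resource) instead of silently creating a duplicate exception next to the one it could not find; a plain `terraform plan` with no diff never reaches this code, which is why the missing optional id is harmless until an update is attempted.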

vjeffrey (author):

working on import resource now

vjeffrey (author):

import resource should be working now as well

@vjeffrey force-pushed the vj/exception-deletion branch 2 times, most recently from f62c206 to 45b8110 on July 17, 2025 19:51
i tried debugging it but got nowhere. it fails when i include the id
in the query for the import test. but when i run import manually everything
works. and the import test works if i just query for space exceptions without the id.
@vjeffrey force-pushed the vj/exception-deletion branch from 45b8110 to 43e0434 on August 1, 2025 21:55
@imilchev imilchev requested review from kkereziev and removed request for imilchev August 4, 2025 07:56
resource.TestCheckResourceAttr("mondoo_exception.windows_defender_exception", "action", "FALSE_POSITIVE"),
),
},
// // import testing
Contributor:

Leftover?

vjeffrey (author):

it is, but i want to try to get it working in the future. we should have the imports tested. this one is being real tricky on me so i was hoping to address the test itself in a follow-up

@vjeffrey (author) commented Aug 4, 2025

oh nice thanks for the review @kkereziev i'll address your feedback this afternoon

@vjeffrey vjeffrey requested a review from kkereziev August 5, 2025 13:49
@vjeffrey vjeffrey merged commit 49a0b5b into main Aug 5, 2025
27 of 28 checks passed
@vjeffrey vjeffrey deleted the vj/exception-deletion branch August 5, 2025 16:46
@github-actions github-actions bot locked and limited conversation to collaborators Aug 5, 2025