feat(hss): add new resource to create a vulnerability scan task (#8410)

Author: ruwenqiang123

docs/resources/hss_vulnerability_scan_task.md

@@ -0,0 +1,117 @@
+---
+subcategory: "Host Security Service (HSS)"
+layout: "huaweicloud"
+page_title: "HuaweiCloud: huaweicloud_hss_vulnerability_scan_task"
+description: |-
+  Manages a vulnerability scan task resource within HuaweiCloud.
+---
+
+# huaweicloud_hss_vulnerability_scan_task
+
+Manages a vulnerability scan task resource within HuaweiCloud.
+
+-> This resource is a one-time action resource. Deleting this resource will not clear the corresponding request record,
+  but will only remove the resource information from the tf state file.
+
+## Example Usage
+
+```hcl
+variable "manual_scan_type" {
+  type = list(string)
+}
+
+resource "huaweicloud_hss_vulnerability_scan_task" "test" {
+  manual_scan_type = var.manual_scan_type
+  batch_flag       = true
+  range_type       = "all_host"
+}
+```
+
+## Argument Reference
+
+The following arguments are supported:
+
+* `region` - (Optional, String, ForceNew) Specifies the region in which to create the resource.
+  If omitted, the provider-level region will be used.
+  Changing this parameter will create a new resource.
+
+* `manual_scan_type` - (Required, List, NonUpdatable) Specifies the operation type.
+  The valid values are as follows:
+  + **linux_vul**: Linux vulnerability.
+  + **windows_vul**: Windows vulnerability.
+  + **web_cms**: Web-CMS vulnerability.
+  + **app_vul**: Application vulnerability.
+  + **urgent_vul**: Emergency vulnerability.
+
+* `batch_flag` - (Required, Bool, NonUpdatable) Specifies Whether the operation is performed in batches.
+  If the value is true, all supported servers are scanned.
+  The valid values are as follows:
+  + **true**
+  + **false**
+
+* `range_type` - (Required, String, NonUpdatable) Specifies the range of servers to be scanned.
+  The valid values are as follows:
+  + **all_host**
+  + **specific_host**
+
+* `agent_id_list` - (Optional, List, NonUpdatable) Specifies the ID list of the server agent.
+
+  -> This parameter is valid and required when the `range_type` is set to **specific_host**.
+
+* `urgent_vul_id_list` - (Optional, List, NonUpdatable) Specifies the scan all ID list of emergency vulnerabilities.
+  If this parameter is left blank, all emergency vulnerabilities are scanned.
+  The valid values are as follows:
+  + **URGENT-CVE-2023-46604**
+  + **URGENT-HSSVD-2020-1109**
+  + **URGENT-CVE-2022-26134**
+  + **URGENT-CVE-2023-22515**
+  + **URGENT-CVE-2023-22518**
+  + **URGENT-CVE-2023-28432**
+  + **URGENT-CVE-2023-37582**
+  + **URGENT-CVE-2023-33246**
+  + **URGENT-CNVD-2023-02709**
+  + **URGENT-CVE-2022-36804**
+  + **URGENT-CVE-2022-22965**
+  + **URGENT-CVE-2022-25845**
+  + **URGENT-CVE-2019-14439**
+  + **URGENT-CVE-2020-13933**
+  + **URGENT-CVE-2020-26217**
+  + **URGENT-CVE-2021-4034**
+  + **URGENT-CVE-2021-44228**
+  + **URGENT-CVE-2022-0847**
+
+  -> For more details, please refer to [document](https://support.huaweicloud.com/intl/en-us/api-hss2.0/CreateVulnerabilityScanTask_0.html).
+
+* `enterprise_project_id` - (Optional, String, NonUpdatable) Specifies the enterprise project ID.  
+  This parameter is valid only when the enterprise project is enabled.
+  The default value is **0**, indicating the default enterprise project.
+  If it is necessary to operate the hosts under all enterprise projects, the value is **all_granted_eps**.
+  If you only have permissions for a specific enterprise project, you need set the enterprise project ID. Otherwise,
+  the operation may fail due to insufficient permissions.
+
+## Attribute Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The resource ID.
+
+* `scan_type` - The scan task type.
+
+* `start_time` - The scan task start time.
+
+* `end_time` - The scan task end time.
+
+* `scan_vul_types` - The list of vulnerability types scanned by the task.
+
+* `status` - The scan task status.
+  The valid values are as follows:
+  + **running**
+  + **finished**
+
+* `scanning_host_num` - The number of hosts are being scanned.
+
+* `success_host_num` - The number of hosts have been successfully scanned.
+
+* `failed_host_num` - The number of hosts fail to be scanned.
+
+* `estimated_time` - The expected completion time.

huaweicloud/provider.go

@@ -3099,6 +3099,7 @@ func Provider() *schema.Provider {
 			"huaweicloud_hss_setting_two_factor_login_config":                hss.ResourceSettingTwoFactorLoginConfig(),
 			"huaweicloud_hss_switch_honeypot_port_policy":                    hss.ResourceSwitchHoneypotPortPolicy(),
 			"huaweicloud_hss_vulnerability_information_export":               hss.ResourceVulnerabilityInformationExport(),
+			"huaweicloud_hss_vulnerability_scan_task":                        hss.ResourceVulnerabilityScanTask(),
 			"huaweicloud_hss_vulnerability_task_user_trace":                  hss.ResourceVulnerabilityTaskUserTrace(),
 			"huaweicloud_hss_vulnerability_history_export_task":              hss.ResourceVulnerabilityHistoryExportTask(),
 			"huaweicloud_hss_file_download":                                  hss.ResourceFileDownload(),

huaweicloud/services/acceptance/acceptance.go

@@ -738,6 +738,7 @@ var (
 	HW_HSS_DOMAIN      = os.Getenv("HW_HSS_DOMAIN")
 	HW_HSS_IAC_FILE_ID = os.Getenv("HW_HSS_IAC_FILE_ID")
 	HW_HSS_TASK_ID     = os.Getenv("HW_HSS_TASK_ID")
+	HW_HSS_AGENT_ID    = os.Getenv("HW_HSS_AGENT_ID")
 
 	HW_DDM_INSTANCE_ID = os.Getenv("HW_DDM_INSTANCE_ID")
 	HW_DDM_PROCESS_ID  = os.Getenv("HW_DDM_PROCESS_ID")
@@ -3922,6 +3923,13 @@ func TestAccPreCheckHSSTaskId(t *testing.T) {
 	}
 }
 
+// lintignore:AT003
+func TestAccPreCheckHSSAgentId(t *testing.T) {
+	if HW_HSS_AGENT_ID == "" {
+		t.Skip("HW_HSS_AGENT_ID must be set for the acceptance test")
+	}
+}
+
 // lintignore:AT003
 func TestAccPreCheckDDMInstanceID(t *testing.T) {
 	if HW_DDM_INSTANCE_ID == "" {

huaweicloud/services/acceptance/hss/resource_huaweicloud_hss_vulnerability_scan_task_test.go

@@ -0,0 +1,73 @@
+package hss
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
+
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/config"
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/acceptance"
+	"github.com/huaweicloud/terraform-provider-huaweicloud/huaweicloud/services/hss"
+)
+
+func getResourceVulnerabilityScanTaskFunc(cfg *config.Config, state *terraform.ResourceState) (interface{}, error) {
+	client, err := cfg.NewServiceClient("hss", acceptance.HW_REGION_NAME)
+	if err != nil {
+		return nil, fmt.Errorf("error creating HSS client: %s", err)
+	}
+
+	return hss.GetVulnerabilityScanTask(client, state.Primary.ID, acceptance.HW_ENTERPRISE_PROJECT_ID_TEST)
+}
+
+func TestAccResourceVulnerabilityScanTask_basic(t *testing.T) {
+	var (
+		resourceName = "huaweicloud_hss_vulnerability_scan_task.test"
+
+		object interface{}
+		rc     = acceptance.InitResourceCheck(
+			resourceName,
+			&object,
+			getResourceVulnerabilityScanTaskFunc,
+		)
+	)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			acceptance.TestAccPreCheck(t)
+			acceptance.TestAccPreCheckEpsID(t)
+			acceptance.TestAccPreCheckHSSAgentId(t)
+		},
+		ProviderFactories: acceptance.TestAccProviderFactories,
+		CheckDestroy:      nil,
+		Steps: []resource.TestStep{
+			{
+				Config: testAccVulnerabilityScanTask_basic(),
+				Check: resource.ComposeTestCheckFunc(
+					rc.CheckResourceExists(),
+					resource.TestCheckResourceAttr(resourceName, "manual_scan_type.#", "2"),
+					resource.TestCheckResourceAttr(resourceName, "batch_flag", "false"),
+					resource.TestCheckResourceAttr(resourceName, "range_type", "specific_host"),
+					resource.TestCheckResourceAttr(resourceName, "agent_id_list.#", "1"),
+					resource.TestCheckResourceAttr(resourceName, "urgent_vul_id_list.#", "1"),
+					resource.TestCheckResourceAttrSet(resourceName, "scan_type"),
+					resource.TestCheckResourceAttrSet(resourceName, "status"),
+				),
+			},
+		},
+	})
+}
+
+func testAccVulnerabilityScanTask_basic() string {
+	return fmt.Sprintf(`
+resource "huaweicloud_hss_vulnerability_scan_task" "test" {
+  manual_scan_type      = ["linux_vul","app_vul"]
+  batch_flag            = false
+  range_type            = "specific_host" 
+  agent_id_list         = ["%[1]s"]
+  urgent_vul_id_list    = ["URGENT-HSSVD-2020-1109"]
+  enterprise_project_id = "%[2]s"
+}
+`, acceptance.HW_HSS_AGENT_ID, acceptance.HW_ENTERPRISE_PROJECT_ID_TEST)
+}