ENG-10012: (v2) Deprecate rewrite_on_violation, add enable_dataset_re…

…writes (#310)

* Rename rewrite_on_violation -> enable_dataset_rewrites

* Update docs

* Deprecate instead of removing

* Fix docs

cyral/resource_cyral_repository_conf_analysis.go

@@ -26,10 +26,16 @@ type UserFacingConfig struct {
 	EnableDataMasking          bool     `json:"enableDataMasking"`
 	LogGroups                  []string `json:"logGroups,omitempty"`
 	Redact                     string   `json:"redact"`
-	RewriteOnViolation         bool     `json:"rewriteOnViolation"`
+	RewriteOnViolation         bool     `json:"rewriteOnViolation,omitempty"`
+	EnableDatasetRewrites      bool     `json:"enableDatasetRewrites,omitempty"`
 }
 
 func resourceRepositoryConfAnalysis() *schema.Resource {
+	rewriteOnViolationDeprecationMessage := "This arguments only works for " +
+		"control plane versions up to `v2.34.x`. Please see " +
+		"`enable_dataset_rewrites` for a similar option for control " +
+		"plane versions greater or equal to `v2.35.x`."
+
 	return &schema.Resource{
 		Description: "Manages Repository Analysis Configuration. This resource allows configuring both " +
 			"[Log Settings](https://cyral.com/docs/manage-repositories/repo-log-volume) " +
@@ -88,9 +94,17 @@ func resourceRepositoryConfAnalysis() *schema.Resource {
 				Optional:    true,
 			},
 			"rewrite_on_violation": {
-				Description: "If set to `true` it will enable rewriting queries on violations.",
-				Type:        schema.TypeBool,
-				Optional:    true,
+				Description:   "If set to `true` it will enable rewriting queries on violations.",
+				Type:          schema.TypeBool,
+				Optional:      true,
+				Deprecated:    rewriteOnViolationDeprecationMessage,
+				ConflictsWith: []string{"enable_dataset_rewrites"},
+			},
+			"enable_dataset_rewrites": {
+				Description:   "If set to `true` it will enable rewriting queries.",
+				Type:          schema.TypeBool,
+				Optional:      true,
+				ConflictsWith: []string{"rewrite_on_violation"},
 			},
 			"comment_annotation_groups": {
 				Description: "Valid values are: `identity`, `client`, `repo`, `sidecar`. The " +
@@ -267,6 +281,7 @@ func getConfAnalysisDataFromResource(d *schema.ResourceData) (RepositoryConfAnal
 			LogGroups:                  logGroups,
 			Redact:                     d.Get("redact").(string),
 			RewriteOnViolation:         d.Get("rewrite_on_violation").(bool),
+			EnableDatasetRewrites:      d.Get("enable_dataset_rewrites").(bool),
 		},
 	}, nil
 }
@@ -293,4 +308,5 @@ func setConfAnalysisDataToResource(d *schema.ResourceData, resourceData Reposito
 	d.Set("log_groups", logGroupsSet)
 	d.Set("redact", resourceData.Config.Redact)
 	d.Set("rewrite_on_violation", resourceData.Config.RewriteOnViolation)
+	d.Set("enable_dataset_rewrites", resourceData.Config.EnableDatasetRewrites)
 }

cyral/resource_cyral_repository_conf_analysis_test.go

@@ -121,7 +121,7 @@ func testAccRepoConfAnalysisCheck_DefaultValues() resource.TestCheckFunc {
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"redact", "all"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
-			"rewrite_on_violation", "false"),
+			"enable_dataset_rewrites", "false"),
 	)
 }
 
@@ -136,7 +136,7 @@ func testAccRepoConfAnalysisConfig_Updated() string {
 		disable_pre_configured_alerts = false
 		block_on_violation = true
 		disable_filter_analysis = false
-		rewrite_on_violation = true
+		enable_dataset_rewrites = true
 		enable_data_masking = true
 		comment_annotation_groups = [
 			"identity"
@@ -166,7 +166,7 @@ func testAccRepoConfAnalysisCheck_Updated() resource.TestCheckFunc {
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"enable_data_masking", "true"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
-			"rewrite_on_violation", "true"),
+			"enable_dataset_rewrites", "true"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",
 			"comment_annotation_groups.#", "1"),
 		resource.TestCheckResourceAttr("cyral_repository_conf_analysis.test_conf_analysis",

docs/resources/repository_conf_analysis.md

@@ -21,7 +21,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
   disable_pre_configured_alerts = false
   block_on_violation = true
   disable_filter_analysis = false
-  rewrite_on_violation = true
+  enable_dataset_rewrites = true
   enable_data_masking = true
   comment_annotation_groups = [ "identity" ]
   log_groups = [ "everything" ]
@@ -35,7 +35,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   disable_pre_configured_alerts = true
   block_on_violation = false
   disable_filter_analysis = true
-  rewrite_on_violation = false
+  enable_dataset_rewrites = false
   enable_data_masking = false
   comment_annotation_groups = []
   log_groups = []
@@ -58,6 +58,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
 - `disable_filter_analysis` (Boolean) If set to `true` it will _disable_ filter analysis.
 - `disable_pre_configured_alerts` (Boolean) If set to `true` it will _disable_ preconfigured alerts.
 - `enable_data_masking` (Boolean) If set to `true` it will allow policies to force the masking of specified data fields in the results of queries. [Learn more](https://cyral.com/docs/using-cyral/masking/).
+- `enable_dataset_rewrites` (Boolean) If set to `true` it will enable rewriting queries.
 - `log_groups` (Set of String) Responsible for configuring the Log Settings. Valid values are documented below. The `log_groups` list support the following values:
   - `everything` - Enables all the Log Settings.
   - `dql` - Enables the `DQLs` setting for `all requests`.
@@ -79,7 +80,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   - `new-connections` - Log new connections.
   - `closed-connections` - Log closed connections.
 - `redact` (String) Valid values are: `all`, `none` and `watched`. If set to `all` it will enable the redact of all literal values, `none` will disable it, and `watched` will only redact values from tracked fields set in the Datamap.
-- `rewrite_on_violation` (Boolean) If set to `true` it will enable rewriting queries on violations.
+- `rewrite_on_violation` (Boolean, Deprecated) If set to `true` it will enable rewriting queries on violations.
 
 ### Read-Only
 

examples/resources/cyral_repository_conf_analysis/resource.tf

@@ -7,7 +7,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_enabled" {
   disable_pre_configured_alerts = false
   block_on_violation = true
   disable_filter_analysis = false
-  rewrite_on_violation = true
+  enable_dataset_rewrites = true
   enable_data_masking = true
   comment_annotation_groups = [ "identity" ]
   log_groups = [ "everything" ]
@@ -21,7 +21,7 @@ resource "cyral_repository_conf_analysis" "all_conf_analysis_disabled" {
   disable_pre_configured_alerts = true
   block_on_violation = false
   disable_filter_analysis = true
-  rewrite_on_violation = false
+  enable_dataset_rewrites = false
   enable_data_masking = false
   comment_annotation_groups = []
   log_groups = []