https://github.com/jfrog/terraform-provider-xray
Terraform provider to manage JFrog Xray
Terraform provider to manage JFrog Xray
- Host: GitHub
- URL: https://github.com/jfrog/terraform-provider-xray
- Owner: jfrog
- License: apache-2.0
- Created: 2021-10-19T19:16:54.000Z (over 4 years ago)
- Default Branch: main
- Last Pushed: 2026-02-04T06:26:22.000Z (3 months ago)
- Last Synced: 2026-02-04T17:36:27.277Z (3 months ago)
- Topics: artifactory, configuration-as-code, golang, infrastructure-as-code, jfrog, terraform, terraform-provider, xray
- Language: Go
- Homepage: https://jfrog.com/xray/
- Size: 34.8 MB
- Stars: 155
- Watchers: 9
- Forks: 16
- Open Issues: 11
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- License: LICENSE
- Code of conduct: .github/CODE_OF_CONDUCT.md
- Codeowners: CODEOWNERS
README
# Terraform Provider Xray
[Acceptance tests](https://github.com/jfrog/terraform-provider-xray/actions/workflows/acceptance-tests.yml)
[GitHub Actions](https://github.com/jfrog/terraform-provider-xray/actions)
[Go Report Card](https://goreportcard.com/report/github.com/jfrog/terraform-provider-xray)
To use this provider in your Terraform module, follow the documentation [here](https://registry.terraform.io/providers/jfrog/xray/latest/docs).
[Xray general information](https://jfrog.com/xray/)
[Xray API Documentation](https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API)
## Quick Start
Create a new Terraform file containing `xray` resources (together with the `artifactory` resources they refer to):
HCL Example
```terraform
# Provider pins. The required_providers block with a "source" address is the
# Terraform 0.13+ form (https://www.terraform.io/upgrade-guides/0-13.html).
# The random_id resource used below is served by hashicorp/random, which
# Terraform resolves implicitly because it is not pinned here.
terraform {
  required_providers {
    artifactory = {
      source  = "jfrog/artifactory"
      version = "10.1.2"
    }
    project = {
      source  = "jfrog/project"
      version = "1.3.4"
    }
    xray = {
      source  = "jfrog/xray"
      version = "2.2.0"
    }
  }
}
# No attributes are set here: the Artifactory provider is configured entirely
# from the ARTIFACTORY_USERNAME, ARTIFACTORY_PASSWORD and ARTIFACTORY_URL
# environment variables.
provider "artifactory" {}
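# Inputs for the project provider. The original example references these
# variables without declaring them, so `terraform validate` fails; declare them
# here and supply values via TF_VAR_project_url / TF_VAR_project_access_token
# or a tfvars file that is kept out of version control. The access token is
# marked sensitive so it is redacted from plan/apply output (Terraform 0.14+);
# it is still stored in state, so protect the state backend accordingly.
variable "project_url" {
  type = string
}

variable "project_access_token" {
  type      = string
  sensitive = true
}

provider "project" {
  # Per the original note the provider also reads PROJECT_URL and
  # PROJECT_ACCESS_TOKEN from the environment when these attributes are
  # omitted; with them set explicitly the variables take precedence.
  # Plain expressions replace the legacy "${var.x}" interpolation wrapper,
  # which newer Terraform versions warn about.
  url          = var.project_url
  access_token = var.project_access_token
}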
# The Xray provider is configured from the environment:
#   URL:   JFROG_URL or XRAY_URL
#   token: XRAY_ACCESS_TOKEN or JFROG_ACCESS_TOKEN
provider "xray" {}
# Two random bytes; the decimal form (random_id.randid.dec) is appended to
# policy and watch names below so repeated runs do not collide.
resource "random_id" "randid" {
  byte_length = 2
}
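# The user's password is read from a sensitive variable instead of being
# written into the configuration, where it would end up in version control.
# Supply it via TF_VAR_user1_password or a tfvars file that is not committed.
# `sensitive = true` (Terraform 0.14+) redacts the value from plan/apply
# output; Terraform still records it in state, so protect the state backend
# as you would the credential itself.
variable "user1_password" {
  type      = string
  sensitive = true
}

resource "artifactory_user" "user1" {
  name     = "user1"
  email    = "test-user1@artifactory-terraform.com"
  groups   = ["readers"]
  password = var.user1_password
}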
# Local Docker repository that the "repository" watch below refers to by key.
resource "artifactory_local_docker_v2_repository" "docker-local" {
  key         = "docker-local"
  description = "hello docker-local"

  # Xray indexing must be enabled before a watch can be assigned to the repo.
  xray_index = true

  tag_retention   = 3
  max_unique_tags = 5
}
# Local Gradle repository; also referenced by key from the "repository" watch.
resource "artifactory_local_gradle_repository" "local-gradle-repo" {
  key = "local-gradle-repo-basic"

  # Xray indexing must be enabled before a watch can be assigned to the repo.
  xray_index = true

  checksum_policy_type            = "client-checksums"
  handle_releases                 = true
  handle_snapshots                = true
  snapshot_version_behavior       = "unique"
  max_unique_snapshots            = 10
  suppress_pom_consistency_checks = true
}
# First of two projects watched by the "project" watch below.
resource "project" "myproject" {
  key          = "test"
  display_name = "My Project"
  description  = "My Project"

  admin_privileges {
    manage_members   = true
    manage_resources = true
    index_resources  = true
  }
}
# Second project; identical settings to myproject apart from the key.
resource "project" "myproject1" {
  key          = "test1"
  display_name = "My Project"
  description  = "My Project"

  admin_privileges {
    manage_members   = true
    manage_resources = true
    index_resources  = true
  }
}
# Security policy keyed on minimum severity; assigned by every watch below.
resource "xray_security_policy" "security1" {
  name        = "test-security-policy-severity-${random_id.randid.dec}"
  description = "Security policy description"
  type        = "security"

  rule {
    name     = "rule-name-severity"
    priority = 1

    criteria {
      min_severity = "High"
    }

    actions {
      block_download {
        unscanned = true
        active    = true
      }

      webhooks                           = []
      mails                              = ["test@email.com"]
      block_release_bundle_distribution  = true
      fail_build                         = true
      build_failure_grace_period_in_days = 5 # use only if fail_build is enabled
      notify_watch_recipients            = true
      notify_deployer                    = true
      create_ticket_enabled              = false # set to true only if Jira integration is enabled
    }
  }
}
# Security policy keyed on a CVSS score range instead of a severity label.
resource "xray_security_policy" "security2" {
  name        = "test-security-policy-cvss-${random_id.randid.dec}"
  description = "Security policy description"
  type        = "security"

  rule {
    name     = "rule-name-cvss"
    priority = 1

    criteria {
      cvss_range {
        from = 1.5
        to   = 5.3
      }
    }

    actions {
      block_download {
        unscanned = true
        active    = true
      }

      webhooks                           = []
      mails                              = ["test@email.com"]
      block_release_bundle_distribution  = true
      fail_build                         = true
      build_failure_grace_period_in_days = 5 # use only if fail_build is enabled
      notify_watch_recipients            = true
      notify_deployer                    = true
      create_ticket_enabled              = false # set to true only if Jira integration is enabled
    }
  }
}
# Allow-list license policy; assigned by every watch below.
resource "xray_license_policy" "license1" {
  name        = "test-license-policy-allowed-${random_id.randid.dec}"
  description = "License policy, allow certain licenses"
  type        = "license"

  rule {
    name     = "License_rule"
    priority = 1

    criteria {
      allowed_licenses         = ["Apache-1.0", "Apache-2.0"]
      allow_unknown            = false
      multi_license_permissive = true
    }

    actions {
      block_download {
        unscanned = true
        active    = true
      }

      custom_severity                    = "High"
      webhooks                           = []
      mails                              = ["test@email.com"]
      block_release_bundle_distribution  = false
      fail_build                         = true
      build_failure_grace_period_in_days = 5 # use only if fail_build is enabled
      notify_watch_recipients            = true
      notify_deployer                    = true
      create_ticket_enabled              = false # set to true only if Jira integration is enabled
    }
  }
}
# Deny-list license policy; defined but not assigned by any watch in this example.
resource "xray_license_policy" "license2" {
  name        = "test-license-policy-banned-${random_id.randid.dec}"
  description = "License policy, block certain licenses"
  type        = "license"

  rule {
    name     = "License_rule"
    priority = 1

    criteria {
      banned_licenses          = ["Apache-1.1", "APAFML"]
      allow_unknown            = false
      multi_license_permissive = false
    }

    actions {
      block_download {
        unscanned = true
        active    = true
      }

      custom_severity                    = "Medium"
      webhooks                           = []
      mails                              = ["test@email.com"]
      block_release_bundle_distribution  = false
      fail_build                         = true
      build_failure_grace_period_in_days = 5 # use only if fail_build is enabled
      notify_watch_recipients            = true
      notify_deployer                    = true
      create_ticket_enabled              = false # set to true only if Jira integration is enabled
    }
  }
}
# Watch covering every repository whose name matches the regex filter.
resource "xray_watch" "all-repos" {
  name        = "all-repos-watch-${random_id.randid.dec}"
  description = "Watch for all repositories, matching the filter"
  active      = true

  watch_resource {
    type = "all-repos"

    filter {
      type  = "regex"
      value = ".*"
    }
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }

  watch_recipients = ["test@email.com", "test1@email.com"]
}
# Watch on two named repositories, each with its own filter.
resource "xray_watch" "repository" {
  name        = "repository-watch-${random_id.randid.dec}"
  description = "Watch a single repo or a list of repositories"
  active      = true

  watch_resource {
    type       = "repository"
    bin_mgr_id = "default"
    name       = artifactory_local_docker_v2_repository.docker-local.key

    filter {
      type  = "regex"
      value = ".*"
    }
  }

  watch_resource {
    type       = "repository"
    bin_mgr_id = "default"
    name       = artifactory_local_gradle_repository.local-gradle-repo.key

    filter {
      type  = "package-type"
      value = "Docker"
    }
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }

  watch_recipients = ["test@email.com", "test1@email.com"]
}
# Watch on two builds; the build names are placeholders to be replaced.
resource "xray_watch" "build" {
  name        = "build-watch-${random_id.randid.dec}"
  description = "Watch a single build or a list of builds"
  active      = true

  watch_resource {
    type       = "build"
    bin_mgr_id = "default"
    name       = "your-build-name"
  }

  watch_resource {
    type       = "build"
    bin_mgr_id = "default"
    name       = "your-other-build-name"
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }

  watch_recipients = ["test@email.com", "test1@email.com"]
}
# Watch covering every project.
resource "xray_watch" "all-projects" {
  name        = "all-projects-watch-${random_id.randid.dec}"
  description = "Watch all the projects"
  active      = true

  watch_resource {
    type       = "all-projects"
    bin_mgr_id = "default"
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }

  watch_recipients = ["test@email.com", "test1@email.com"]
}
# Watch on the two projects declared above, referenced by key.
resource "xray_watch" "project" {
  name        = "project-watch-${random_id.randid.dec}"
  description = "Watch selected projects"
  active      = true

  watch_resource {
    type = "project"
    name = project.myproject.key
  }

  watch_resource {
    type = "project"
    name = project.myproject1.key
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }

  watch_recipients = ["test@email.com", "test1@email.com"]
}
```
## License requirements
This provider requires Xray to be added to your Artifactory installation.
Xray requires at minimum a Pro Team license (Public Marketplace version or SaaS) or a Pro X license (self-hosted).
See the details [here](https://jfrog.com/pricing/#sass).
You can determine which license you have by accessing the following Artifactory URL: `${host}/artifactory/api/system/licenses/`.
## Limitations of functionality
Currently, the Xray provider does not support JSON objects in the Watch filter value. We are working on adding this functionality.
## Versioning
In general, this project follows [semver](https://semver.org/) as closely as we
can for tagging releases of the package. We've adopted the following versioning policy:
* We increment the **major version** with any incompatible change to
functionality, including changes to the exported Go API surface
or behavior of the API.
* We increment the **minor version** with any backwards-compatible changes to
functionality.
* We increment the **patch version** with any backwards-compatible bug fixes.
## Contributors
See the [contribution guide](CONTRIBUTIONS.md).
## License
Copyright (c) 2024 JFrog.
Apache 2.0 licensed, see [LICENSE](LICENSE) file.