aquasecurity · semyonmor · Nov 25, 2025 · Nov 24, 2025
diff --git a/aquasec/data_enforcer_group.go b/aquasec/data_enforcer_group.go
@@ -419,6 +419,11 @@ func dataSourceEnforcerGroup() *schema.Resource {
 					},
 				},
 			},
+			"unified_mode": {
+				Type:        schema.TypeBool,
+				Description: "Indicates whether the Enforcer group is in unified mode.",
+				Computed:    true,
+			},
 		},
 	}
 }
@@ -490,6 +495,7 @@ func dataEnforcerGroupRead(ctx context.Context, d *schema.ResourceData, m interf
 		d.Set("allowed_applications", group.AllowedApplications)
 		d.Set("allowed_labels", group.AllowedLabels)
 		d.Set("allowed_registries", group.AllowedRegistries)
+		d.Set("unified_mode", group.UnifiedMode)
 
 		log.Println("[DEBUG]  setting id: ", name)
 		d.SetId(name)

diff --git a/aquasec/resource_enforcer_group.go b/aquasec/resource_enforcer_group.go
@@ -438,6 +438,11 @@ func resourceEnforcerGroup() *schema.Resource {
 				Description: "Set `True` to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUA_RUNC_INTERCEPTION environment variable set to 0 in order to use User Access Control Policies.",
 				Optional:    true,
 			},
+			"unified_mode": {
+				Type:        schema.TypeBool,
+				Description: "",
+				Optional:    true,
+			},
 		},
 	}
 }
@@ -543,6 +548,7 @@ func resourceEnforcerGroupRead(ctx context.Context, d *schema.ResourceData, m in
 	d.Set("allowed_applications", r.AllowedApplications)
 	d.Set("allowed_labels", r.AllowedLabels)
 	d.Set("allowed_registries", r.AllowedRegistries)
+	d.Set("unified_mode", r.UnifiedMode)
 
 	return nil
 }
@@ -590,6 +596,7 @@ func resourceEnforcerGroupUpdate(ctx context.Context, d *schema.ResourceData, m
 		"user_access_control",
 		"orchestrator",
 		"schedule_scan_settings",
+		"unified_mode",
 	) {
 
 		ac := m.(*client.Client)
@@ -841,6 +848,11 @@ func expandEnforcerGroup(d *schema.ResourceData) client.EnforcerGroup {
 		enforcerGroup.UserAccessControl = userAccessControl.(bool)
 	}
 
+	unifiedMode, ok := d.GetOk("unified_mode")
+	if ok {
+		enforcerGroup.UnifiedMode = unifiedMode.(bool)
+	}
+
 	token, ok := d.GetOk("token")
 	if ok {
 		enforcerGroup.Token = token.(string)

diff --git a/aquasec/resource_enforcer_group_test.go b/aquasec/resource_enforcer_group_test.go
@@ -24,6 +24,7 @@ func TestAquasecEnforcerGroupResource(t *testing.T) {
 		EnforcerImageName:    "registry.aquasec.com/enforcer:6.5.22034",
 		Orchestrator:         client.EnforcerOrchestrator{},
 		ScheduleScanSettings: client.EnforcerScheduleScanSettings{},
+		UnifiedMode:          false,
 	}
 
 	rootRef := enforcerGroupsRef(basicEnforcerGroup.ID)
@@ -44,6 +45,7 @@ func TestAquasecEnforcerGroupResource(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "enforce", fmt.Sprintf("%v", basicEnforcerGroup.Enforce)),
 					resource.TestCheckResourceAttr(rootRef, "gateways.0", basicEnforcerGroup.Gateways[0]),
 					resource.TestCheckResourceAttr(rootRef, "type", basicEnforcerGroup.Type),
+					resource.TestCheckResourceAttr(rootRef, "unified_mode", "false"),
 				),
 			},
 			{
@@ -55,6 +57,7 @@ func TestAquasecEnforcerGroupResource(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "enforce", fmt.Sprintf("%v", basicEnforcerGroup.Enforce)),
 					resource.TestCheckResourceAttr(rootRef, "gateways.0", basicEnforcerGroup.Gateways[0]),
 					resource.TestCheckResourceAttr(rootRef, "type", basicEnforcerGroup.Type),
+					resource.TestCheckResourceAttr(rootRef, "unified_mode", "false"),
 				),
 			},
 			{
@@ -66,6 +69,7 @@ func TestAquasecEnforcerGroupResource(t *testing.T) {
 					resource.TestCheckResourceAttr(rootRef, "enforce", fmt.Sprintf("%v", basicEnforcerGroup.Enforce)),
 					resource.TestCheckResourceAttr(rootRef, "gateways.0", basicEnforcerGroup.Gateways[0]),
 					resource.TestCheckResourceAttr(rootRef, "type", basicEnforcerGroup.Type),
+					resource.TestCheckResourceAttr(rootRef, "unified_mode", "false"),
 				),
 			},
 			{
@@ -92,6 +96,7 @@ func getBasicEnforcerGroupResource(enforcerGroup client.EnforcerGroup) string {
 			namespace = "%s"
 			master = "%v"
 		}
+		unified_mode = %v
 	}
 	`, enforcerGroup.ID,
 		enforcerGroup.ID,
@@ -104,6 +109,7 @@ func getBasicEnforcerGroupResource(enforcerGroup client.EnforcerGroup) string {
 		enforcerGroup.Orchestrator.ServiceAccount,
 		enforcerGroup.Orchestrator.Namespace,
 		enforcerGroup.Orchestrator.Master,
+		enforcerGroup.UnifiedMode,
 	)
 }
 
@@ -128,6 +134,7 @@ func getBasicEnforcerGroupResourceWithScheduleScanSettings(enforcerGroup client.
 			days      = [0,1,2,3,4,5,6]
 			time      = [4,0]
 		}
+		unified_mode = %v
 	}
 	`, enforcerGroup.ID,
 		enforcerGroup.ID,
@@ -140,6 +147,7 @@ func getBasicEnforcerGroupResourceWithScheduleScanSettings(enforcerGroup client.
 		enforcerGroup.Orchestrator.ServiceAccount,
 		enforcerGroup.Orchestrator.Namespace,
 		enforcerGroup.Orchestrator.Master,
+		enforcerGroup.UnifiedMode,
 	)
 }
 

diff --git a/client/enforcers.go b/client/enforcers.go
@@ -97,6 +97,7 @@ type EnforcerGroup struct {
 	AllowedLabels                             []string                     `json:"allowed_labels"`
 	AllowedRegistries                         []string                     `json:"allowed_registries"`
 	ScheduleScanSettings                      EnforcerScheduleScanSettings `json:"schedule_scan_settings"`
+	UnifiedMode                               bool                         `json:"unified_mode"`
 }
 
 // GetEnforcerGroup - returns single Enforcer group

diff --git a/docs/data-sources/enforcer_groups.md b/docs/data-sources/enforcer_groups.md
@@ -99,6 +99,7 @@ output "group_details" {
 - `syscall_enabled` (Boolean) When set to `True` allows profiling and monitoring system calls made by running containers.
 - `token` (String) The batch install token.
 - `type` (String) Enforcer Type.
+- `unified_mode` (Boolean) Indicates whether the Enforcer group is in unified mode.
 - `user_access_control` (Boolean) When set to `True` applies User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUA_RUNC_INTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
 
 <a id="nestedatt--command"></a>

diff --git a/docs/resources/enforcer_groups.md b/docs/resources/enforcer_groups.md
@@ -68,6 +68,7 @@ description: |-
 - `schedule_scan_settings` (Block List, Max: 1) Scheduling scan time for which you are creating the Enforcer group. (see [below for nested schema](#nestedblock--schedule_scan_settings))
 - `sync_host_images` (Boolean) Set `True` to configure Enforcers to discover local host images. Discovered images will be listed under Images > Host Images, as well as under Infrastructure (in the Images tab for applicable hosts).
 - `syscall_enabled` (Boolean) Set `True` will allow profiling and monitoring system calls made by running containers.
+- `unified_mode` (Boolean)
 - `user_access_control` (Boolean) Set `True` to apply User Access Control Policies to containers. Note that Aqua Enforcers must be deployed with the AQUA_RUNC_INTERCEPTION environment variable set to 0 in order to use User Access Control Policies.
 
 ### Read-Only