feat: Allow minimal configuration while appending to Falco rule (#55)

* feat: Allow minimal configuration while appending to Falco rule

* docs: Update documentation for rules

Author: tembleking

sysdig/resource_sysdig_secure_rule.go

@@ -16,7 +16,8 @@ func createRuleSchema(original map[string]*schema.Schema) map[string]*schema.Sch
 		},
 		"description": {
 			Type:     schema.TypeString,
-			Required: true,
+			Optional: true,
+			Default:  "",
 		},
 		"tags": {
 			Type:     schema.TypeList,

sysdig/resource_sysdig_secure_rule_falco.go

@@ -2,13 +2,14 @@ package sysdig
 
 import (
 	"context"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
-	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
+	"errors"
 	"strconv"
 	"strings"
 	"time"
 
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 
 	"github.com/draios/terraform-provider-sysdig/sysdig/secure"
 )
@@ -33,17 +34,20 @@ func resourceSysdigSecureRuleFalco() *schema.Resource {
 			},
 			"output": {
 				Type:     schema.TypeString,
-				Required: true,
+				Optional: true,
+				Default:  "",
 			},
 			"priority": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ValidateFunc: validation.StringInSlice([]string{"emergency", "alert", "critical", "error", "warning", "notice", "informational", "informational", "debug"}, false),
+				Type:             schema.TypeString,
+				Optional:         true,
+				Default:          "warning",
+				ValidateDiagFunc: validateDiagFunc(validation.StringInSlice([]string{"emergency", "alert", "critical", "error", "warning", "notice", "informational", "debug"}, false)),
 			},
 			"source": {
-				Type:         schema.TypeString,
-				Required:     true,
-				ValidateFunc: validation.StringInSlice([]string{"syscall", "k8s_audit"}, false),
+				Type:             schema.TypeString,
+				Optional:         true,
+				Default:          "",
+				ValidateDiagFunc: validateDiagFunc(validation.StringInSlice([]string{"syscall", "k8s_audit"}, false)),
 			},
 			"append": {
 				Type:     schema.TypeBool,
@@ -60,7 +64,10 @@ func resourceSysdigRuleFalcoCreate(ctx context.Context, d *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
-	rule := resourceSysdigRuleFalcoFromResourceData(d)
+	rule, err := resourceSysdigRuleFalcoFromResourceData(d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 
 	rule, err = client.CreateRule(ctx, rule)
 	if err != nil {
@@ -113,7 +120,10 @@ func resourceSysdigRuleFalcoUpdate(ctx context.Context, d *schema.ResourceData,
 		return diag.FromErr(err)
 	}
 
-	rule := resourceSysdigRuleFalcoFromResourceData(d)
+	rule, err := resourceSysdigRuleFalcoFromResourceData(d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
 
 	rule.Version = d.Get("version").(int)
 	rule.ID, _ = strconv.Atoi(d.Id())
@@ -144,22 +154,38 @@ func resourceSysdigRuleFalcoDelete(ctx context.Context, d *schema.ResourceData,
 	return nil
 }
 
-func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) secure.Rule {
+func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) (secure.Rule, error) {
 	rule := ruleFromResourceData(d)
 	rule.Details.RuleType = "FALCO"
 
-	rule.Details.Source = d.Get("source").(string)
-	rule.Details.Output = d.Get("output").(string)
-	rule.Details.Priority = d.Get("priority").(string)
+	appendMode, appendModeIsSet := d.GetOk("append")
+	if appendModeIsSet {
+		ptr := appendMode.(bool)
+		rule.Details.Append = &ptr
+	}
+
+	if source, ok := d.GetOk("source"); ok && source.(string) != "" {
+		rule.Details.Source = source.(string)
+	} else if !appendModeIsSet || !(appendMode.(bool)) {
+		return secure.Rule{}, errors.New("source must be set when append = false")
+	}
+
+	if output, ok := d.GetOk("output"); ok && output.(string) != "" {
+		rule.Details.Output = output.(string)
+	} else if !appendModeIsSet || !(appendMode.(bool)) {
+		return secure.Rule{}, errors.New("output must be set when append = false")
+	}
+
+	if priority, ok := d.GetOk("priority"); ok && priority.(string) != "" {
+		rule.Details.Priority = priority.(string)
+	} else if !appendModeIsSet || !(appendMode.(bool)) {
+		return secure.Rule{}, errors.New("priority must be set when append = false")
+	}
+
 	rule.Details.Condition = &secure.Condition{
 		Condition:  d.Get("condition").(string),
 		Components: []interface{}{},
 	}
 
-	if appendMode, ok := d.GetOk("append"); ok {
-		ptr := appendMode.(bool)
-		rule.Details.Append = &ptr
-	}
-
-	return rule
+	return rule, nil
 }

sysdig/resource_sysdig_secure_rule_falco_test.go

@@ -3,6 +3,7 @@ package sysdig_test
 import (
 	"fmt"
 	"os"
+	"regexp"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
@@ -41,6 +42,15 @@ func TestAccRuleFalco(t *testing.T) {
 			{
 				Config: ruleFalcoKubeAudit(rText()),
 			},
+			// Incorrect configurations
+			{
+				Config:      ruleFalcoTerminalShellWithMissingOuput(rText()),
+				ExpectError: regexp.MustCompile("output must be set when append = false"),
+			},
+			{
+				Config:      ruleFalcoTerminalShellWithMissingSource(rText()),
+				ExpectError: regexp.MustCompile("source must be set when append = false"),
+			},
 		},
 	})
 }
@@ -49,13 +59,39 @@ func ruleFalcoTerminalShell(name string) string {
 	return fmt.Sprintf(`
 resource "sysdig_secure_rule_falco" "terminal_shell" {
   name = "TERRAFORM TEST %s - Terminal Shell"
-  description = "TERRAFORM TEST %s"
   tags = ["container", "shell", "mitre_execution"]
 
   condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint"
   output = "A shell was spawned in a container with an attached terminal (user=%%user.name %%container.info shell=%%proc.name parent=%%proc.pname cmdline=%%proc.cmdline terminal=%%proc.tty container_id=%%container.id image=%%container.image.repository)"
   priority = "notice"
   source = "syscall" // syscall or k8s_audit
+}`, name)
+}
+
+func ruleFalcoTerminalShellWithMissingOuput(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "terminal_shell" {
+  name = "TERRAFORM TEST %s - Terminal Shell"
+  description = "TERRAFORM TEST %s"
+  tags = ["container", "shell", "mitre_execution"]
+
+  condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint"
+  priority = "notice"
+  source = "syscall" // syscall or k8s_audit
+}`, name, name)
+}
+
+func ruleFalcoTerminalShellWithMissingSource(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "terminal_shell" {
+  name = "TERRAFORM TEST %s - Terminal Shell"
+  description = "TERRAFORM TEST %s"
+  tags = ["container", "shell", "mitre_execution"]
+
+  condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint"
+  output = "A shell was spawned in a container with an attached terminal (user=%%user.name %%container.info shell=%%proc.name parent=%%proc.pname cmdline=%%proc.cmdline terminal=%%proc.tty container_id=%%container.id image=%%container.image.repository)"
+  priority = "notice"
+  append = false
 }`, name, name)
 }
 
@@ -91,13 +127,7 @@ func ruleFalcoTerminalShellWithAppend() string {
 	return fmt.Sprintf(`
 resource "sysdig_secure_rule_falco" "terminal_shell_append" {
   name = "Terminal shell in container" # Sysdig-provided
-  description = ""
-  tags = ["shell", "mitre_execution"]
-
   condition = "and spawned_process and shell_procs and proc.tty != 0 and container_entrypoint"
-  output = "A shell was spawned in a container with an attached terminal (user=%%user.name %%container.info shell=%%proc.name parent=%%proc.pname cmdline=%%proc.cmdline terminal=%%proc.tty container_id=%%container.id image=%%container.image.repository)"
-  priority = "notice"
-  source = "syscall" // syscall or k8s_audit
   append = true
 }`)
 }

sysdig/secure/models.go

@@ -150,7 +150,7 @@ type Details struct {
 	// Falco
 	Append    *bool      `json:"append,omitempty"`
 	Source    string     `json:"source,omitempty"`
-	Output    string     `json:"output,omitempty"`
+	Output    string     `json:"output"`
 	Condition *Condition `json:"condition,omitempty"`
 	Priority  string     `json:"priority,omitempty"`
 

website/docs/r/sysdig_secure_rule_container.md

@@ -28,7 +28,7 @@ resource "sysdig_secure_rule_container" "sample" {
 ## Argument Reference
 
 * `name` - (Required) The name of the Secure rule. It must be unique.
-* `description` - (Required) The description of Secure rule.
+* `description` - (Optional) The description of Secure rule. By default is empty.
 * `tags` - (Optional) A list of tags for this rule.
 
 ### Matching

website/docs/r/sysdig_secure_rule_falco.md

@@ -33,17 +33,17 @@ resource "sysdig_secure_rule_falco" "example" {
 The following arguments are supported:
 
 * `name` - (Required) The name of the Secure rule. It must be unique.
-* `description` - (Required) The description of Secure rule.
+* `description` - (Optional) The description of Secure rule. By default is empty.
 * `tags` - (Optional) A list of tags for this rule.
 
 - - -
 
 ### Conditions
 
 * `condition` - (Required) A [Falco condition](https://falco.org/docs/rules/) is simply a Boolean predicate on Sysdig events expressed using the Sysdig [filter syntax](http://www.sysdig.org/wiki/sysdig-user-guide/#filtering) and macro terms. 
-* `output` - (Required) Add additional information to each Falco notification's output.
-* `priority` - (Required) The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "informational", "informational" or "debug".
-* `source` - (Required) The source of the event. It can be either "syscall" or "k8s_audit".
+* `output` - (Optional) Add additional information to each Falco notification's output. Required if append is false.
+* `priority` - (Optional) The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "informational", "informational" or "debug". By default is "warning".
+* `source` - (Optional) The source of the event. It can be either "syscall" or "k8s_audit". Required if append is false.
 * `append` - (Optional) This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
 
 ## Attributes Reference

website/docs/r/sysdig_secure_rule_filesystem.md

@@ -38,7 +38,7 @@ resource "sysdig_secure_rule_filesystem"  "example" {
 The following arguments are supported:
 
 * `name` - (Required) The name of the Secure rule. It must be unique.
-* `description` - (Required) The description of Secure rule.
+* `description` - (Optional) The description of Secure rule. By default is empty.
 * `tags` - (Optional) A list of tags for this rule.
 
 ### Read Only

website/docs/r/sysdig_secure_rule_network.md

@@ -41,7 +41,7 @@ resource "sysdig_secure_rule_network" "example" {
 The following arguments are supported:
 
 * `name` - (Required) The name of the Secure rule. It must be unique.
-* `description` - (Required) The description of Secure rule.
+* `description` - (Optional) The description of Secure rule. By default is empty.
 * `tags` - (Optional) A list of tags for this rule.
 
 ### Disallow incoming or outgoing connections

website/docs/r/sysdig_secure_rule_process.md

@@ -28,7 +28,7 @@ resource "sysdig_secure_rule_process" "sample" {
 ## Argument Reference
 
 * `name` - (Required) The name of the Secure rule. It must be unique.
-* `description` - (Required) The description of Secure rule.
+* `description` - (Optional) The description of Secure rule. By default is empty.
 * `tags` - (Optional) A list of tags for this rule.
 
 ### Matching

website/docs/r/sysdig_secure_rule_syscall.md

@@ -27,7 +27,7 @@ resource "sysdig_secure_rule_syscall" "foo" {
 ## Argument Reference
 
 * `name` - (Required) The name of the Secure rule. It must be unique.
-* `description` - (Required) The description of Secure rule.
+* `description` - (Optional) The description of Secure rule. By default is empty.
 * `tags` - (Optional) A list of tags for this rule.
 
 ### Matching