feat: Add support for appending rules (#53)

Author: tembleking

sysdig/resource_sysdig_secure_rule_falco.go

@@ -45,6 +45,11 @@ func resourceSysdigSecureRuleFalco() *schema.Resource {
 				Required:     true,
 				ValidateFunc: validation.StringInSlice([]string{"syscall", "k8s_audit"}, false),
 			},
+			"append": {
+				Type:     schema.TypeBool,
+				Optional: true,
+				Default:  false,
+			},
 		}),
 	}
 }
@@ -95,6 +100,9 @@ func resourceSysdigRuleFalcoRead(ctx context.Context, d *schema.ResourceData, me
 	d.Set("output", rule.Details.Output)
 	d.Set("priority", strings.ToLower(rule.Details.Priority))
 	d.Set("source", rule.Details.Source)
+	if rule.Details.Append != nil {
+		d.Set("append", *rule.Details.Append)
+	}
 
 	return nil
 }
@@ -140,7 +148,6 @@ func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) secure.Rule
 	rule := ruleFromResourceData(d)
 	rule.Details.RuleType = "FALCO"
 
-	rule.Details.Append = false
 	rule.Details.Source = d.Get("source").(string)
 	rule.Details.Output = d.Get("output").(string)
 	rule.Details.Priority = d.Get("priority").(string)
@@ -149,5 +156,10 @@ func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) secure.Rule
 		Components: []interface{}{},
 	}
 
+	if appendMode, ok := d.GetOk("append"); ok {
+		ptr := appendMode.(bool)
+		rule.Details.Append = &ptr
+	}
+
 	return rule
 }

sysdig/resource_sysdig_secure_rule_falco_test.go

@@ -2,12 +2,14 @@ package sysdig_test
 
 import (
 	"fmt"
-	"github.com/draios/terraform-provider-sysdig/sysdig"
+	"os"
+	"testing"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
-	"os"
-	"testing"
+
+	"github.com/draios/terraform-provider-sysdig/sysdig"
 )
 
 func TestAccRuleFalco(t *testing.T) {
@@ -33,6 +35,9 @@ func TestAccRuleFalco(t *testing.T) {
 			{
 				Config: ruleFalcoUpdatedTerminalShell(ruleRandomImmutableText),
 			},
+			{
+				Config: ruleFalcoTerminalShellWithAppend(),
+			},
 			{
 				Config: ruleFalcoKubeAudit(rText()),
 			},
@@ -81,3 +86,18 @@ resource "sysdig_secure_rule_falco" "kube_audit" {
   source = "k8s_audit" // syscall or k8s_audit
 }`, name, name)
 }
+
+func ruleFalcoTerminalShellWithAppend() string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "terminal_shell_append" {
+  name = "Terminal shell in container" # Sysdig-provided
+  description = ""
+  tags = ["shell", "mitre_execution"]
+
+  condition = "and spawned_process and shell_procs and proc.tty != 0 and container_entrypoint"
+  output = "A shell was spawned in a container with an attached terminal (user=%%user.name %%container.info shell=%%proc.name parent=%%proc.pname cmdline=%%proc.cmdline terminal=%%proc.tty container_id=%%container.id image=%%container.image.repository)"
+  priority = "notice"
+  source = "syscall" // syscall or k8s_audit
+  append = true
+}`)
+}

sysdig/secure/models.go

@@ -148,7 +148,7 @@ type Details struct {
 	Syscalls *Syscalls `json:"syscalls,omitempty"`
 
 	// Falco
-	Append    bool       `json:"append,omitempty"`
+	Append    *bool      `json:"append,omitempty"`
 	Source    string     `json:"source,omitempty"`
 	Output    string     `json:"output,omitempty"`
 	Condition *Condition `json:"condition,omitempty"`

website/docs/r/sysdig_secure_rule_falco.md

@@ -44,6 +44,7 @@ The following arguments are supported:
 * `output` - (Required) Add additional information to each Falco notification's output.
 * `priority` - (Required) The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "informational", "informational" or "debug".
 * `source` - (Required) The source of the event. It can be either "syscall" or "k8s_audit".
+* `append` - (Optional) This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
 
 ## Attributes Reference