sysdiglabs · harshampatel-sysdig · Oct 30, 2025 · Oct 30, 2025 · Oct 30, 2025 · Oct 30, 2025
@@ -46,7 +46,7 @@ junit-report.xml
 # Binaries
 terraform-provider-sysdig
 oanc
-.vscode/settings.json
+.vscode/
 
 # goland .run
 .run/

@@ -0,0 +1,74 @@
+package sysdig
+
+import (
+	"context"
+	"time"
+
+	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceSysdigSecureOktaMLPolicy() *schema.Resource {
+	timeout := 5 * time.Minute
+
+	return &schema.Resource{
+		ReadContext: dataSourceSysdigSecureOktaMLPolicyRead,
+
+		Timeouts: &schema.ResourceTimeout{
+			Read: schema.DefaultTimeout(timeout),
+		},
+
+		Schema: createOktaMLPolicyDataSourceSchema(),
+	}
+}
+
+func dataSourceSysdigSecureOktaMLPolicyRead(ctx context.Context, d *schema.ResourceData, meta any) diag.Diagnostics {
+	return oktaMLPolicyDataSourceRead(ctx, d, meta, "custom Okta ML policy", isCustomCompositePolicy)
+}
+
+func createOktaMLPolicyDataSourceSchema() map[string]*schema.Schema {
+	return map[string]*schema.Schema{
+		// IMPORTANT: Type is implicit: It's automatically added upon conversion to JSON
+		"type": {
+			Type:     schema.TypeString,
+			Computed: true,
+		},
+		"name":                  NameSchema(),
+		"description":           DescriptionComputedSchema(),
+		"enabled":               EnabledComputedSchema(),
+		"severity":              SeverityComputedSchema(),
+		"scope":                 ScopeComputedSchema(),
+		"version":               VersionSchema(),
+		"notification_channels": NotificationChannelsComputedSchema(),
+		"runbook":               RunbookComputedSchema(),
+		"rule": {
+			Type:     schema.TypeList,
+			Computed: true,
+			Elem: &schema.Resource{
+				Schema: map[string]*schema.Schema{
+					"id":                      ReadOnlyIntSchema(),
+					"name":                    ReadOnlyStringSchema(),
+					"description":             DescriptionComputedSchema(),
+					"tags":                    TagsSchema(),
+					"version":                 VersionSchema(),
+					"anomalous_console_login": MLRuleThresholdAndSeverityComputedSchema(),
+				},
+			},
+		},
+	}
+}
+
+func oktaMLPolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta any, resourceName string, validationFunc func(v2.PolicyRulesComposite) bool) diag.Diagnostics {
+	policy, err := compositePolicyDataSourceRead(ctx, d, meta, resourceName, policyTypeOktaML, validationFunc)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	err = oktaMLPolicyToResourceData(policy, d)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	return nil
+}
@@ -0,0 +1,63 @@
+//go:build tf_acc_sysdig_secure || tf_acc_policies || tf_acc_policies_okta
+
+package sysdig_test
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/draios/terraform-provider-sysdig/sysdig"
+)
+
+func TestAccOktaMLPolicyDataSource(t *testing.T) {
+	rText := acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" {
+				t.Fatal("SYSDIG_SECURE_API_TOKEN must be set for acceptance tests")
+			}
+		},
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: oktaOktaMLPolicyDataSource(rText),
+			},
-			{
-				Config: oktaOktaMLPolicyDataSource(rText),
-			},
+			{
+				Config: oktaOktaMLPolicyDataSource(rText),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "name", fmt.Sprintf("Test Okta ML Policy %s", rText)),
+					resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "description", fmt.Sprintf("Test Okta ML Policy Description %s", rText)),
+					resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "enabled", "true"),
+					resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "severity", "4"),
+				),
+			},
-			{
-				Config: oktaOktaMLPolicyDataSource(rText),
-			},
+			{
+				Config: oktaOktaMLPolicyDataSource(rText),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "name", fmt.Sprintf("Test Okta ML Policy %s", rText)),
+					resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "description", fmt.Sprintf("Test Okta ML Policy Description %s", rText)),
+					resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "enabled", "true"),
+					resource.TestCheckResourceAttr("data.sysdig_secure_okta_ml_policy.policy_2", "severity", "4"),
+				),
+			},
+		},
+	})
+}
+
+func oktaOktaMLPolicyDataSource(name string) string {
-func oktaOktaMLPolicyDataSource(name string) string {
+func oktaMLPolicyDataSource(name string) string {
-func oktaOktaMLPolicyDataSource(name string) string {
+func oktaMLPolicyDataSource(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_okta_ml_policy" "policy_1" {
+  name        = "Test Okta ML Policy %s"
+  description = "Test Okta ML Policy Description %s"
+  enabled     = true
+  severity    = 4
+
+  rule {
+    description = "Test Okta ML Rule Description"
+
+    anomalous_console_login {
+      enabled   = true
+      threshold = 2
+    }
+  }
+
+}
+
+data "sysdig_secure_okta_ml_policy" "policy_2" {
+  name       = sysdig_secure_okta_ml_policy.policy_1.name
+  depends_on = [sysdig_secure_okta_ml_policy.policy_1]
+}
+`, name, name)
+}
@@ -338,6 +338,8 @@ func (r *RuntimePolicyRule) UnmarshalJSON(b []byte) error {
 		d = &MLRuleDetails{}
 	case "AWS_MACHINE_LEARNING":
 		d = &AWSMLRuleDetails{}
+	case "OKTA_MACHINE_LEARNING":
+		d = &OktaMLRuleDetails{}
 	case "MALWARE":
 		d = &MalwareRuleDetails{}
 	default:
@@ -441,6 +443,16 @@ func (p AWSMLRuleDetails) GetRuleType() ElementType {
 	return p.RuleType
 }
 
+type OktaMLRuleDetails struct {
+	RuleType              ElementType                 `json:"ruleType" yaml:"ruleType"`
+	AnomalousConsoleLogin *MLRuleThresholdAndSeverity `json:"anomalousConsoleLogin" yaml:"anomalousConsoleLogin"`
+	Details               `json:"-"`
+}
+
+func (p OktaMLRuleDetails) GetRuleType() ElementType {
+	return p.RuleType
+}
+
 type PolicyRule struct {
 	Name    string `json:"ruleName"`
 	Enabled bool   `json:"enabled"`

@@ -151,6 +151,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 			"sysdig_monitor_team":                                          resourceSysdigMonitorTeam(),
 
 			"sysdig_secure_aws_ml_policy":                                 resourceSysdigSecureAWSMLPolicy(),
+			"sysdig_secure_okta_ml_policy":                                resourceSysdigSecureOktaMLPolicy(),
 			"sysdig_secure_cloud_auth_account":                            resourceSysdigSecureCloudauthAccount(),
 			"sysdig_secure_cloud_auth_account_component":                  resourceSysdigSecureCloudauthAccountComponent(),
 			"sysdig_secure_cloud_auth_account_feature":                    resourceSysdigSecureCloudauthAccountFeature(),
@@ -216,6 +217,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 
 			"sysdig_secure_agentless_scanning_assets":                     dataSourceSysdigSecureAgentlessScanningAssets(),
 			"sysdig_secure_aws_ml_policy":                                 dataSourceSysdigSecureAWSMLPolicy(),
+			"sysdig_secure_okta_ml_policy":                                dataSourceSysdigSecureOktaMLPolicy(),
 			"sysdig_secure_cloud_ingestion_assets":                        dataSourceSysdigSecureCloudIngestionAssets(),
 			"sysdig_secure_connection":                                    dataSourceSysdigSecureConnection(),
 			"sysdig_secure_custom_policy":                                 dataSourceSysdigSecureCustomPolicy(),