Secure policies composite policy resources follow up changes (#485)

* address review comments

* add ml threshold description

* fix lint errors

* propagate errors in reading policy data

* fix additional lint errors

* remove severity from aws ml test

* remove severity

* remove more references to severity in ML rule

* fix ml test - remove severity field

* remove more severity references

* Update data_source_sysdig_secure_ml_policy_test.go

* remvoe severity reference in docs

* add policy level severity in tests

* fix lint errors in cloudauth

* address review comments

Author: kmvachhani

sysdig/data_source_sysdig_secure_aws_ml_policy.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
-	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -25,7 +24,7 @@ func dataSourceSysdigSecureAWSMLPolicy() *schema.Resource {
 }
 
 func dataSourceSysdigSecureAWSMLPolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	return awsMLPolicyDataSourceRead(ctx, d, meta, "custom policy", isCustomCompositePolicy)
+	return awsMLPolicyDataSourceRead(ctx, d, meta, "custom AWS ML policy", isCustomCompositePolicy)
 }
 
 func createAWSMLPolicyDataSourceSchema() map[string]*schema.Schema {
@@ -61,41 +60,12 @@ func createAWSMLPolicyDataSourceSchema() map[string]*schema.Schema {
 }
 
 func awsMLPolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta interface{}, resourceName string, validationFunc func(v2.PolicyRulesComposite) bool) diag.Diagnostics {
-	client, err := getSecureCompositePolicyClient(meta.(SysdigClients))
+	policy, err := compositePolicyDataSourceRead(ctx, d, meta, resourceName, policyTypeAWSML, validationFunc)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	policyName := d.Get("name").(string)
-	policyType := policyTypeAWSML
-
-	policies, _, err := client.FilterCompositePoliciesByNameAndType(ctx, policyType, policyName)
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	var policy v2.PolicyRulesComposite
-	for _, existingPolicy := range policies {
-		tflog.Debug(ctx, "Filtered policies", map[string]interface{}{"name": existingPolicy.Policy.Name})
-
-		if existingPolicy.Policy.Name == policyName && existingPolicy.Policy.Type == policyType {
-			if !validationFunc(existingPolicy) {
-				return diag.Errorf("policy is not a %s", resourceName)
-			}
-			policy = existingPolicy
-			break
-		}
-	}
-
-	if policy.Policy == nil {
-		return diag.Errorf("unable to find policy %s", resourceName)
-	}
-
-	if policy.Policy.ID == 0 {
-		return diag.Errorf("unable to find %s", resourceName)
-	}
-
-	err = awsMLPolicyToResourceData(&policy, d)
+	err = awsMLPolicyToResourceData(policy, d)
 	if err != nil {
 		return diag.FromErr(err)
 	}

sysdig/data_source_sysdig_secure_aws_ml_policy_test.go

@@ -50,7 +50,6 @@ resource "sysdig_secure_aws_ml_policy" "policy_1" {
     anomalous_console_login {
       enabled   = true
       threshold = 2
-      severity  = 1
     }
   }
 

sysdig/data_source_sysdig_secure_drift_policy.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
-	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -25,7 +24,7 @@ func dataSourceSysdigSecureDriftPolicy() *schema.Resource {
 }
 
 func dataSourceSysdigSecureDriftPolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	return driftPolicyDataSourceRead(ctx, d, meta, "custom policy", isCustomCompositePolicy)
+	return driftPolicyDataSourceRead(ctx, d, meta, "custom drift policy", isCustomCompositePolicy)
 }
 
 func createDriftPolicyDataSourceSchema() map[string]*schema.Schema {
@@ -74,41 +73,12 @@ func createDriftPolicyDataSourceSchema() map[string]*schema.Schema {
 }
 
 func driftPolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta interface{}, resourceName string, validationFunc func(v2.PolicyRulesComposite) bool) diag.Diagnostics {
-	client, err := getSecureCompositePolicyClient(meta.(SysdigClients))
+	policy, err := compositePolicyDataSourceRead(ctx, d, meta, resourceName, policyTypeDrift, validationFunc)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	policyName := d.Get("name").(string)
-	policyType := policyTypeDrift
-
-	policies, _, err := client.FilterCompositePoliciesByNameAndType(ctx, policyType, policyName)
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	var policy v2.PolicyRulesComposite
-	for _, existingPolicy := range policies {
-		tflog.Debug(ctx, "Filtered policies", map[string]interface{}{"name": existingPolicy.Policy.Name})
-
-		if existingPolicy.Policy.Name == policyName && existingPolicy.Policy.Type == policyType {
-			if !validationFunc(existingPolicy) {
-				return diag.Errorf("policy is not a %s", resourceName)
-			}
-			policy = existingPolicy
-			break
-		}
-	}
-
-	if policy.Policy == nil {
-		return diag.Errorf("unable to find policy %s", resourceName)
-	}
-
-	if policy.Policy.ID == 0 {
-		return diag.Errorf("unable to find %s", resourceName)
-	}
-
-	err = driftPolicyToResourceData(&policy, d)
+	err = driftPolicyToResourceData(policy, d)
 	if err != nil {
 		return diag.FromErr(err)
 	}

sysdig/data_source_sysdig_secure_malware_policy.go

@@ -5,7 +5,6 @@ import (
 	"time"
 
 	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
-	"github.com/hashicorp/terraform-plugin-log/tflog"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -25,7 +24,7 @@ func dataSourceSysdigSecureMalwarePolicy() *schema.Resource {
 }
 
 func dataSourceSysdigSecureMalwarePolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	return malwarePolicyDataSourceRead(ctx, d, meta, "custom policy", isCustomCompositePolicy)
+	return malwarePolicyDataSourceRead(ctx, d, meta, "custom malware policy", isCustomCompositePolicy)
 }
 
 func isCustomCompositePolicy(policy v2.PolicyRulesComposite) bool {
@@ -78,41 +77,12 @@ func createMalwarePolicyDataSourceSchema() map[string]*schema.Schema {
 }
 
 func malwarePolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta interface{}, resourceName string, validationFunc func(v2.PolicyRulesComposite) bool) diag.Diagnostics {
-	client, err := getSecureCompositePolicyClient(meta.(SysdigClients))
+	policy, err := compositePolicyDataSourceRead(ctx, d, meta, resourceName, policyTypeMalware, validationFunc)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
-	policyName := d.Get("name").(string)
-	policyType := policyTypeMalware
-
-	policies, _, err := client.FilterCompositePoliciesByNameAndType(ctx, policyType, policyName)
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	var policy v2.PolicyRulesComposite
-	for _, existingPolicy := range policies {
-		tflog.Debug(ctx, "Filtered policies", map[string]interface{}{"name": existingPolicy.Policy.Name})
-
-		if existingPolicy.Policy.Name == policyName && existingPolicy.Policy.Type == policyType {
-			if !validationFunc(existingPolicy) {
-				return diag.Errorf("policy is not a %s", resourceName)
-			}
-			policy = existingPolicy
-			break
-		}
-	}
-
-	if policy.Policy == nil {
-		return diag.Errorf("unable to find policy %s", resourceName)
-	}
-
-	if policy.Policy.ID == 0 {
-		return diag.Errorf("unable to find %s", resourceName)
-	}
-
-	err = malwarePolicyToResourceData(&policy, d)
+	err = malwarePolicyToResourceData(policy, d)
 	if err != nil {
 		return diag.FromErr(err)
 	}

sysdig/data_source_sysdig_secure_ml_policy.go

@@ -2,6 +2,7 @@ package sysdig
 
 import (
 	"context"
+	"fmt"
 	"time"
 
 	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
@@ -25,7 +26,7 @@ func dataSourceSysdigSecureMLPolicy() *schema.Resource {
 }
 
 func dataSourceSysdigSecureMLPolicyRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
-	return mlPolicyDataSourceRead(ctx, d, meta, "custom policy", isCustomCompositePolicy)
+	return mlPolicyDataSourceRead(ctx, d, meta, "custom ML policy", isCustomCompositePolicy)
 }
 
 func createMLPolicyDataSourceSchema() map[string]*schema.Schema {
@@ -61,17 +62,30 @@ func createMLPolicyDataSourceSchema() map[string]*schema.Schema {
 }
 
 func mlPolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta interface{}, resourceName string, validationFunc func(v2.PolicyRulesComposite) bool) diag.Diagnostics {
-	client, err := getSecureCompositePolicyClient(meta.(SysdigClients))
+
+	policy, err := compositePolicyDataSourceRead(ctx, d, meta, resourceName, policyTypeML, validationFunc)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+	err = mlPolicyToResourceData(policy, d)
 	if err != nil {
 		return diag.FromErr(err)
 	}
 
+	return nil
+}
+
+func compositePolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta interface{}, resourceName string, policyType string, validationFunc func(v2.PolicyRulesComposite) bool) (*v2.PolicyRulesComposite, error) {
+	client, err := getSecureCompositePolicyClient(meta.(SysdigClients))
+	if err != nil {
+		return nil, err
+	}
+
 	policyName := d.Get("name").(string)
-	policyType := policyTypeML
 
 	policies, _, err := client.FilterCompositePoliciesByNameAndType(ctx, policyType, policyName)
 	if err != nil {
-		return diag.FromErr(err)
+		return nil, err
 	}
 
 	var policy v2.PolicyRulesComposite
@@ -80,25 +94,20 @@ func mlPolicyDataSourceRead(ctx context.Context, d *schema.ResourceData, meta in
 
 		if existingPolicy.Policy.Name == policyName && existingPolicy.Policy.Type == policyType {
 			if !validationFunc(existingPolicy) {
-				return diag.Errorf("policy is not a %s", resourceName)
+				return nil, fmt.Errorf("policy is not a %s", resourceName)
 			}
 			policy = existingPolicy
 			break
 		}
 	}
 
 	if policy.Policy == nil {
-		return diag.Errorf("unable to find policy %s", resourceName)
+		return nil, fmt.Errorf("unable to find policy %s", resourceName)
 	}
 
 	if policy.Policy.ID == 0 {
-		return diag.Errorf("unable to find %s", resourceName)
+		return nil, fmt.Errorf("unable to find %s", resourceName)
 	}
 
-	err = mlPolicyToResourceData(&policy, d)
-	if err != nil {
-		return diag.FromErr(err)
-	}
-
-	return nil
+	return &policy, nil
 }

sysdig/data_source_sysdig_secure_ml_policy_test.go

@@ -50,8 +50,7 @@ resource "sysdig_secure_ml_policy" "policy_1" {
     cryptomining_trigger {
       enabled   = true
       threshold = 1
-      severity  = 1
-    }
+     }
   }
 
 }

sysdig/internal/client/v2/model.go

@@ -357,17 +357,6 @@ func (r *RuntimePolicyRule) UnmarshalJSON(b []byte) error {
 		return err
 	}
 
-	if findDetails.FindType.RuleType == "DRIFT" {
-		d1 := &DriftRuleDetails{}
-		err = json.Unmarshal(getRawDetails.RawDetails, d1)
-		if err != nil {
-			return err
-		}
-		if d1.Exceptions != nil && d1.ProhibitedBinaries != nil {
-			d = d1
-		}
-	}
-
 	var findDetailsIdPtr *FlexInt
 	if findDetails.Id != nil {
 		findDetailsId := FlexInt(*findDetails.Id)

sysdig/resource_sysdig_secure_aws_ml_policy_test.go

@@ -50,7 +50,6 @@ resource "sysdig_secure_aws_ml_policy" "sample" {
     anomalous_console_login {
       enabled   = true
       threshold = 2
-      severity  = 1
     }
   }
 
@@ -74,7 +73,6 @@ resource "sysdig_secure_aws_ml_policy" "sample" {
     anomalous_console_login {
       enabled   = true
       threshold = 2
-      severity  = 1
     }
   }
 

sysdig/resource_sysdig_secure_cloud_auth_account.go

@@ -523,7 +523,10 @@ func componentsToResourceData(components []*cloudauth.AccountComponent) []map[st
 						diag.FromErr(err)
 					}
 					var gcpKeyBytesBuffer bytes.Buffer
-					json.Indent(&gcpKeyBytesBuffer, gcpKeyBytes, "", "  ")
+					err = json.Indent(&gcpKeyBytesBuffer, gcpKeyBytes, "", "  ")
+					if err != nil {
+						diag.FromErr(err)
+					}
 					gcpKeyBytes = append(gcpKeyBytesBuffer.Bytes(), '\n')
 				}
 				spGcpBytes, err := json.Marshal(&internalServicePrincipalMetadata{
@@ -572,7 +575,10 @@ func getComponentMetadataString(message protoreflect.ProtoMessage) string {
 	}
 	// re-marshal through encoding/json to get consistent key ordering, avoiding diff errors with TF internals
 	metadataMap := make(map[string]interface{})
-	json.Unmarshal(protoJsonMessage, &metadataMap)
+	err = json.Unmarshal(protoJsonMessage, &metadataMap)
+	if err != nil {
+		diag.FromErr(err)
+	}
 	jsonMessage, err := json.Marshal(metadataMap)
 	if err != nil {
 		diag.FromErr(err)

sysdig/resource_sysdig_secure_ml_policy_test.go

@@ -50,7 +50,6 @@ resource "sysdig_secure_ml_policy" "sample" {
     cryptomining_trigger {
       enabled   = true
       threshold = 2
-      severity  = 1
     }
   }
 
@@ -74,7 +73,6 @@ resource "sysdig_secure_ml_policy" "sample" {
     cryptomining_trigger {
       enabled   = true
       threshold = 2
-      severity  = 1
     }
   }