fix(secure-policy): Add support for name/value exceptions (#239)

Ben Lucas · web-flow · commit 22ee2aa4bcc3 · 2023-01-09T07:10:30.000-08:00
* add support for exceptions without fields and comps

* update documentation

* switch fields to optional in documentation
diff --git a/sysdig/internal/client/secure/models.go b/sysdig/internal/client/secure/models.go
@@ -202,9 +202,10 @@ type Condition struct {
 
 type Exception struct {
 	Name   string      `json:"name"`
-	Fields interface{} `json:"fields"`
-	Comps  interface{} `json:"comps"`
+	Fields interface{} `json:"fields,omitempty"`
+	Comps  interface{} `json:"comps,omitempty"`
 	Values interface{} `json:"values,omitempty"`
+	Value  interface{} `json:"value,omitempty"`
 }
 
 func (r *Rule) ToJSON() io.Reader {
diff --git a/sysdig/resource_sysdig_secure_rule_falco.go b/sysdig/resource_sysdig_secure_rule_falco.go
@@ -79,11 +79,15 @@ func resourceSysdigSecureRuleFalco() *schema.Resource {
 						},
 						"values": {
 							Type:     schema.TypeString,
-							Required: true,
+							Optional: true,
+						},
+						"value": {
+							Type:     schema.TypeString,
+							Optional: true,
 						},
 						"fields": {
 							Type:     schema.TypeList,
-							Required: true,
+							Optional: true,
 							Elem:     &schema.Schema{Type: schema.TypeString},
 						},
 					},
@@ -283,20 +287,31 @@ func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) (secure.Rul
 				Name: exceptionMap["name"].(string),
 			}
 
+			fields := cast.ToStringSlice(exceptionMap["fields"])
+			if len(fields) >= 1 {
+				newFalcoException.Fields = fields
+			}
+
 			comps := cast.ToStringSlice(exceptionMap["comps"])
 			if len(comps) >= 1 {
 				newFalcoException.Comps = comps
 			}
 
 			values := cast.ToString(exceptionMap["values"])
-			err := json.Unmarshal([]byte(values), &newFalcoException.Values)
-			if err != nil {
-				return secure.Rule{}, err
+			if values != "" {
+				err := json.Unmarshal([]byte(values), &newFalcoException.Values)
+				if err != nil {
+					return secure.Rule{}, err
+				}
+			} else if newFalcoException.Fields != nil && newFalcoException.Comps != nil {
+				return secure.Rule{}, errors.New("values is required on an exception when fields and comps are set")
 			}
 
-			fields := cast.ToStringSlice(exceptionMap["fields"])
-			if len(fields) >= 1 {
-				newFalcoException.Fields = fields
+			value := cast.ToString(exceptionMap["value"])
+			newFalcoException.Value = value
+
+			if newFalcoException.Fields == nil && newFalcoException.Comps == nil && value == "" {
+				return secure.Rule{}, errors.New("value is required on an exception when fields and comps are not set")
 			}
 
 			falcoExceptions = append(falcoExceptions, newFalcoException)
diff --git a/website/docs/r/secure_rule_falco.md b/website/docs/r/secure_rule_falco.md
@@ -51,6 +51,11 @@ resource "sysdig_secure_rule_falco" "example" {
       [["java"], "sdjagent.jar"]
     ])
   }
+
+  exceptions {
+    name   = "image_suffix"
+    value = "secure-inline-scan" # Example of an exception with just a name/value pair
+  }
 }
 ```
 
@@ -76,9 +81,14 @@ For more information about the syntax of the exceptions, check the [official Fal
 Supported fields for exceptions:
 
 * `name` - (Required) The name of the exception. Only used to provide a handy name, and to potentially link together values in a later rule that has `append = true`.
-* `fields` - (Required) Contains one or more fields that will extract a value from the syscall/k8s_audit events.
+* `fields` - (Optional) Contains one or more fields that will extract a value from the syscall/k8s_audit events.
 * `comps` - (Optional) Contains comparison operators that align 1-1 with the items in the fields property.
-* `values` - (Required) Contains tuples of values. Each item in the tuple should align 1-1 with the corresponding field and comparison operator. Since the value can be a string, a list of strings or a list of a list of strings, the value of this field must be supplied in JSON format. You can use the default `jsonencode` function to provide this value. See the usage example on the top.
+* `values` - (Optional) Contains tuples of values. Each item in the tuple should align 1-1 with the corresponding field
+  and comparison operator. Since the value can be a string, a list of strings or a list of a list of strings, the value
+  of this field must be supplied in JSON format. You can use the default `jsonencode` function to provide this value.
+  See the usage example on the top. **Required** if `fields` and `comps` are set.
+* `value` - (Optional) Contains the single value used when exception is a name/value pair. **Required** if `fields` and
+  `comps` are not set
 
 ## Attributes Reference
 
