GCP and Azure Falco rule support (#261)

ukitazume · web-flow · commit 4deea589c2fc · 2023-03-14T16:07:54.000+09:00
* Add gcp_audiLog and azure_platformlogs as source

* fix the dup words

* fix test comment

* use %[1]s format to remove dup args and run the tests

* write working rule to pass the test
diff --git a/sysdig/resource_sysdig_secure_rule_falco.go b/sysdig/resource_sysdig_secure_rule_falco.go
@@ -56,7 +56,7 @@ func resourceSysdigSecureRuleFalco() *schema.Resource {
 				Type:             schema.TypeString,
 				Optional:         true,
 				Default:          "",
-				ValidateDiagFunc: validateDiagFunc(validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail"}, false)),
+				ValidateDiagFunc: validateDiagFunc(validation.StringInSlice([]string{"syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", "azure_platformlogs"}, false)),
 			},
 			"append": {
 				Type:     schema.TypeBool,
diff --git a/sysdig/resource_sysdig_secure_rule_falco_test.go b/sysdig/resource_sysdig_secure_rule_falco_test.go
@@ -50,6 +50,12 @@ func TestAccRuleFalco(t *testing.T) {
 				ImportState:       true,
 				ImportStateVerify: true,
 			},
+			{
+				Config: ruleFalcoGcpAuditlog(rText()),
+			},
+			{
+				Config: ruleFalcoAzureAuditlog(rText()),
+			},
 			{
 				Config: ruleFalcoKubeAudit(rText()),
 			},
@@ -155,6 +161,34 @@ resource "sysdig_secure_rule_falco" "kube_audit" {
 }`, name, name)
 }
 
+func ruleFalcoGcpAuditlog(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "gcp_audit" {
+  name = "TERRAFORM TEST %[1]s - GCP Audit"
+  description = "TERRAFORM TEST %[1]s"
+  tags = ["gcp"]
+
+  condition = "gcp.serviceName=\"compute.googleapis.com\" and gcp.methodName endswith \".compute.instances.setMetadata\""
+  output = "GCP Audit Event received (%%gcp.serviceName, %%gcp.methodName)"
+  priority = "debug"
+  source = "gcp_auditlog"
+}`, name)
+}
+
+func ruleFalcoAzureAuditlog(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "azure_audit" {
+  name = "TERRAFORM TEST %[1]s - Azure Audit"
+  description = "TERRAFORM TEST %[1]s"
+  tags = ["azure"]
+
+  condition = "jevt.value[/operationName] = \"DeleteBlob\""
+  output = "Azure Audit Event received (%%jevt.value[/operationName])"
+  priority = "debug"
+  source = "azure_platformlogs"
+}`, name)
+}
+
 func ruleFalcoTerminalShellWithAppend() string {
 	return `
 resource "sysdig_secure_rule_falco" "terminal_shell_append" {
diff --git a/website/docs/r/secure_rule_falco.md b/website/docs/r/secure_rule_falco.md
@@ -23,7 +23,7 @@ resource "sysdig_secure_rule_falco" "example" {
   condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint"
   output    = "A shell was spawned in a container with an attached terminal (user=%user.name %container.info shell=%proc.name parent=%proc.pname cmdline=%proc.cmdline terminal=%proc.tty container_id=%container.id image=%container.image.repository)"
   priority  = "notice"
-  source    = "syscall" // syscall or k8s_audit
+  source    = "syscall" // syscall, k8s_audit, aws_cloudtrail, gcp_auditlog or azure_platformlogs
 
 
   exceptions {
@@ -64,7 +64,7 @@ The following arguments are supported:
 * `condition` - (Required) A [Falco condition](https://falco.org/docs/rules/) is simply a Boolean predicate on Sysdig events expressed using the Sysdig [filter syntax](http://www.sysdig.org/wiki/sysdig-user-guide/#filtering) and macro terms. 
 * `output` - (Optional) Add additional information to each Falco notification's output. Required if append is false.
 * `priority` - (Optional) The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
-* `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit" or "aws_cloudtrail". Required if append is false.
+* `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", or "azure_platformlogs". Required if append is false.
 * `exceptions` - (Optional) The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
 * `append` - (Optional) This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
 
@@ -95,4 +95,4 @@ Secure Falco runtime rules can be imported using the ID, e.g.
 
 ```
 $ terraform import sysdig_secure_rule_falco.example 12345
-```
+```
