Negate block_inbound and block_outbound tags for network rules (#385)

* SSPROD-27032 Negate block_inboud and block_outbound tags

* SSPROD-27032 Forbid omissions of block_inbound and block_outbound

* Add unit test for network rule allowing all traffic

Author: miguelgordo

sysdig/data_source_sysdig_secure_rule_network.go

@@ -76,8 +76,8 @@ func dataSourceSysdigRuleNetworkRead(ctx context.Context, d *schema.ResourceData
 }
 
 func networkRuleDataSourceToResourceData(rule v2.Rule, d *schema.ResourceData) diag.Diagnostics {
-	_ = d.Set("block_inbound", rule.Details.AllInbound)
-	_ = d.Set("block_outbound", rule.Details.AllOutbound)
+	_ = d.Set("block_inbound", !rule.Details.AllInbound)
+	_ = d.Set("block_outbound", !rule.Details.AllOutbound)
 
 	if rule.Details.TCPListenPorts == nil {
 		return diag.Errorf("no tcpListenPorts for a network rule")

sysdig/internal/client/v2/model.go

@@ -296,8 +296,8 @@ type Details struct {
 	ReadPaths      *ReadPaths      `json:"readPaths,omitempty"`
 
 	// Network
-	AllOutbound    bool            `json:"allOutbound,omitempty"`
-	AllInbound     bool            `json:"allInbound,omitempty"`
+	AllOutbound    bool            `json:"allOutbound"`
+	AllInbound     bool            `json:"allInbound"`
 	TCPListenPorts *TCPListenPorts `json:"tcpListenPorts,omitempty"`
 	UDPListenPorts *UDPListenPorts `json:"udpListenPorts,omitempty"`
 

sysdig/resource_sysdig_secure_rule_network.go

@@ -125,8 +125,8 @@ func resourceSysdigRuleNetworkRead(ctx context.Context, d *schema.ResourceData,
 	}
 	updateResourceDataForRule(d, rule)
 
-	_ = d.Set("block_inbound", rule.Details.AllInbound)
-	_ = d.Set("block_outbound", rule.Details.AllOutbound)
+	_ = d.Set("block_inbound", !rule.Details.AllInbound)
+	_ = d.Set("block_outbound", !rule.Details.AllOutbound)
 
 	if rule.Details.TCPListenPorts == nil {
 		return diag.Errorf("no tcpListenPorts for a filesystem rule")
@@ -216,8 +216,8 @@ func resourceSysdigRuleNetworkFromResourceData(d *schema.ResourceData) (rule v2.
 	rule.Details.TCPListenPorts = &v2.TCPListenPorts{}
 	rule.Details.UDPListenPorts = &v2.UDPListenPorts{}
 
-	rule.Details.AllInbound = d.Get("block_inbound").(bool)
-	rule.Details.AllOutbound = d.Get("block_outbound").(bool)
+	rule.Details.AllInbound = !d.Get("block_inbound").(bool)
+	rule.Details.AllOutbound = !d.Get("block_outbound").(bool)
 
 	rule.Details.TCPListenPorts.Items = []string{}
 	if tcpRules := d.Get("tcp").([]interface{}); len(tcpRules) > 0 {

sysdig/resource_sysdig_secure_rule_network_test.go

@@ -41,6 +41,9 @@ func TestAccRuleNetwork(t *testing.T) {
 			{
 				Config: ruleNetworkWithUDP(rText()),
 			},
+			{
+				Config: ruleNetworkAllowingAllTraffic(rText()),
+			},
 			{
 				ResourceName:      "sysdig_secure_rule_network.foo",
 				ImportState:       true,
@@ -75,6 +78,28 @@ resource "sysdig_secure_rule_network" "foo" {
 }`, name, name)
 }
 
+func ruleNetworkAllowingAllTraffic(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_rule_network" "foo" {
+  name = "TERRAFORM TEST %s" // ID
+  description = "TERRAFORM TEST %s"
+  tags = ["network", "cis"]
+
+  block_inbound = false
+  block_outbound = false
+
+  tcp {
+    matching = true // default
+    ports = [80, 443]
+  }
+
+  udp {
+    matching = true // default
+    ports = [80, 443]
+  }
+}`, name, name)
+}
+
 func ruleNetworkWithoutTags(name string) string {
 	return fmt.Sprintf(`
 resource "sysdig_secure_rule_network" "foo" {