add stateful policy and rule support

kmvachhani · kmvachhani · commit a8a081d70ead · 2025-02-25T10:55:08.000-08:00
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
@@ -520,12 +520,15 @@ type Rule struct {
 }
 
 const (
-	RuleTypeContainer  = "CONTAINER"
-	RuleTypeFalco      = "FALCO"
-	RuleTypeFilesystem = "FILESYSTEM"
-	RuleTypeNetwork    = "NETWORK"
-	RuleTypeProcess    = "PROCESS"
-	RuleTypeSyscall    = "SYSCALL"
+	RuleTypeContainer           = "CONTAINER"
+	RuleTypeFalco               = "FALCO"
+	RuleTypeFilesystem          = "FILESYSTEM"
+	RuleTypeNetwork             = "NETWORK"
+	RuleTypeProcess             = "PROCESS"
+	RuleTypeSyscall             = "SYSCALL"
+	RuleTypeStatefulSequence    = "STATEFUL_SEQUENCE"
+	StatefulUniqPercentRuleType = "STATEFUL_UNIQ_PERCENT"
+	StatefulCountRuleType       = "STATEFUL_COUNT"
 )
 
 type Details struct {
diff --git a/sysdig/internal/client/v2/rules.go b/sysdig/internal/client/v2/rules.go
@@ -8,11 +8,15 @@ import (
 )
 
 const (
-	CreateRulePath   = "%s/api/secure/rules?skipPolicyV2Msg=%t"
-	GetRuleByIDPath  = "%s/api/secure/rules/%d"
-	UpdateRulePath   = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
-	DeleteURLPath    = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
-	GetRuleGroupPath = "%s/api/secure/rules/groups?name=%s&type=%s"
+	CreateRulePath           = "%s/api/secure/rules?skipPolicyV2Msg=%t"
+	GetRuleByIDPath          = "%s/api/secure/rules/%d"
+	UpdateRulePath           = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
+	DeleteURLPath            = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
+	GetRuleGroupPath         = "%s/api/secure/rules/groups?name=%s&type=%s"
+	CreateStatefulRulePath   = "%s/api/policies/v3/statefulRules"
+	UpdateStatefulRulePath   = "%s/api/policies/v3/statefulRules/%d"
+	DeleteStatefulRulePath   = "%s/api/policies/v3/statefulRules/%d"
+	GetStatefulRuleGroupPath = "%s/api/policies/v3/statefulRules/groups?name=%s&type=%s"
 )
 
 type RuleInterface interface {
@@ -22,6 +26,10 @@ type RuleInterface interface {
 	UpdateRule(ctx context.Context, rule Rule) (Rule, error)
 	DeleteRule(ctx context.Context, ruleID int) error
 	GetRuleGroup(ctx context.Context, ruleName string, ruleType string) ([]Rule, error)
+	CreateStatefulRule(ctx context.Context, rule Rule) (Rule, error)
+	UpdateStatefulRule(ctx context.Context, rule Rule) (Rule, error)
+	DeleteStatefulRule(ctx context.Context, ruleID int) error
+	GetStatefulRuleGroup(ctx context.Context, ruleName string, ruleType string) ([]Rule, error)
 }
 
 func (client *Client) CreateRule(ctx context.Context, rule Rule) (Rule, error) {
@@ -125,3 +133,86 @@ func (client *Client) DeleteRuleURL(ruleID int) string {
 func (client *Client) GetRuleGroupURL(ruleName string, ruleType string) string {
 	return fmt.Sprintf(GetRuleGroupPath, client.config.url, url.QueryEscape(ruleName), url.QueryEscape(ruleType))
 }
+
+func (client *Client) CreateStatefulRuleURL() string {
+	return fmt.Sprintf(CreateStatefulRulePath, client.config.url)
+}
+
+func (client *Client) UpdateStatefulRuleURL(ruleID int) string {
+	return fmt.Sprintf(UpdateStatefulRulePath, client.config.url, ruleID)
+}
+
+func (client *Client) DeleteStatefulRuleURL(ruleID int) string {
+	return fmt.Sprintf(DeleteStatefulRulePath, client.config.url, ruleID)
+}
+
+func (client *Client) GetStatefulRuleGroupURL(ruleName string, ruleType string) string {
+	return fmt.Sprintf(GetStatefulRuleGroupPath, client.config.url, url.QueryEscape(ruleName), url.QueryEscape(ruleType))
+}
+
+func (client *Client) CreateStatefulRule(ctx context.Context, rule Rule) (Rule, error) {
+	payload, err := Marshal(rule)
+	if err != nil {
+		return Rule{}, err
+	}
+	response, err := client.requester.Request(ctx, http.MethodPost, client.CreateStatefulRuleURL(), payload)
+	if err != nil {
+		return Rule{}, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return Rule{}, client.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[Rule](response.Body)
+}
+
+func (client *Client) UpdateStatefulRule(ctx context.Context, rule Rule) (Rule, error) {
+	payload, err := Marshal(rule)
+	if err != nil {
+		return Rule{}, err
+	}
+
+	response, err := client.requester.Request(ctx, http.MethodPut, client.UpdateStatefulRuleURL(rule.ID), payload)
+	if err != nil {
+		return Rule{}, err
+	}
+
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return Rule{}, client.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[Rule](response.Body)
+}
+
+func (client *Client) DeleteStatefulRule(ctx context.Context, ruleID int) error {
+	fmt.Println("deleting stateful rule")
+	response, err := client.requester.Request(ctx, http.MethodDelete, client.DeleteStatefulRuleURL(ruleID), nil)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusNoContent && response.StatusCode != http.StatusOK {
+		return client.ErrorFromResponse(response)
+	}
+
+	return err
+}
+
+func (client *Client) GetStatefulRuleGroup(ctx context.Context, ruleName string, ruleType string) ([]Rule, error) {
+	response, err := client.requester.Request(ctx, http.MethodGet, client.GetStatefulRuleGroupURL(ruleName, ruleType), nil)
+	if err != nil {
+		return []Rule{}, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return []Rule{}, client.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[[]Rule](response.Body)
+}
diff --git a/sysdig/provider.go b/sysdig/provider.go
@@ -148,6 +148,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 			"sysdig_secure_rule_process":                                  resourceSysdigSecureRuleProcess(),
 			"sysdig_secure_rule_syscall":                                  resourceSysdigSecureRuleSyscall(),
 			"sysdig_secure_rule_falco":                                    resourceSysdigSecureRuleFalco(),
+			"sysdig_secure_rule_stateful":                                 resourceSysdigSecureStatefulRule(),
 			"sysdig_secure_team":                                          resourceSysdigSecureTeam(),
 			"sysdig_secure_list":                                          resourceSysdigSecureList(),
 			"sysdig_secure_macro":                                         resourceSysdigSecureMacro(),
diff --git a/sysdig/resource_sysdig_secure_policy.go b/sysdig/resource_sysdig_secure_policy.go
@@ -33,6 +33,7 @@ var validatePolicyType = validation.StringInSlice([]string{
 	"aws_machine_learning",
 	"machine_learning",
 	"guardduty",
+	"awscloudtrail_stateful",
 }, false)
 
 func resourceSysdigSecurePolicy() *schema.Resource {
diff --git a/sysdig/resource_sysdig_secure_rule_stateful.go b/sysdig/resource_sysdig_secure_rule_stateful.go
diff --git a/sysdig/resource_sysdig_secure_rule_stateful_test.go b/sysdig/resource_sysdig_secure_rule_stateful_test.go
