feat(policies): add minimum_engine_version argument to macro and falco rule resources (#366)

Ben Lucas · web-flow · commit b757a316da0a · 2023-06-13T16:37:56.000-07:00
* initial changes to introduce argument for  to falco_rule and macro resources

* add minimum_engine_version output to data source for falco rule

* update documentation for new argument
diff --git a/sysdig/data_source_sysdig_secure_rule_falco.go b/sysdig/data_source_sysdig_secure_rule_falco.go
@@ -42,6 +42,11 @@ func dataSourceSysdigSecureRuleFalco() *schema.Resource {
 				Type:     schema.TypeString,
 				Computed: true,
 			},
+			"minimum_engine_version": {
+				Type:     schema.TypeInt,
+				Computed: true,
+				Optional: true,
+			},
 			"append": {
 
 				Type:     schema.TypeBool,
@@ -108,6 +113,9 @@ func dataSourceSysdigRuleFalcoRead(ctx context.Context, d *schema.ResourceData,
 	_ = d.Set("output", rule.Details.Output)
 	_ = d.Set("priority", rule.Details.Priority)
 	_ = d.Set("source", rule.Details.Source)
+	if rule.Details.MinimumEngineVersion != nil {
+		_ = d.Set("minimum_engine_version", *rule.Details.MinimumEngineVersion)
+	}
 	if rule.Details.Append != nil {
 		_ = d.Set("append", *rule.Details.Append)
 	}
diff --git a/sysdig/internal/client/v2/model.go b/sysdig/internal/client/v2/model.go
@@ -228,11 +228,12 @@ type Items struct {
 }
 
 type Macro struct {
-	ID        int            `json:"id,omitempty"`
-	Version   int            `json:"version,omitempty"`
-	Name      string         `json:"name"`
-	Condition MacroCondition `json:"condition"`
-	Append    bool           `json:"append"`
+	ID                   int            `json:"id,omitempty"`
+	Version              int            `json:"version,omitempty"`
+	Name                 string         `json:"name"`
+	Condition            MacroCondition `json:"condition"`
+	Append               bool           `json:"append"`
+	MinimumEngineVersion *int           `json:"minimumEngineVersion,omitempty"`
 }
 
 type MacroCondition struct {
@@ -294,12 +295,13 @@ type Details struct {
 	Syscalls *Syscalls `json:"syscalls,omitempty"`
 
 	// Falco
-	Append     *bool        `json:"append,omitempty"`
-	Source     string       `json:"source,omitempty"`
-	Output     string       `json:"output,omitempty"`
-	Condition  *Condition   `json:"condition,omitempty"`
-	Priority   string       `json:"priority,omitempty"`
-	Exceptions []*Exception `json:"exceptions,omitempty"`
+	Append               *bool        `json:"append,omitempty"`
+	Source               string       `json:"source,omitempty"`
+	Output               string       `json:"output,omitempty"`
+	Condition            *Condition   `json:"condition,omitempty"`
+	Priority             string       `json:"priority,omitempty"`
+	Exceptions           []*Exception `json:"exceptions,omitempty"`
+	MinimumEngineVersion *int         `json:"minimumEngineVersion,omitempty"`
 
 	RuleType string `json:"ruleType"`
 }
diff --git a/sysdig/resource_sysdig_secure_macro.go b/sysdig/resource_sysdig_secure_macro.go
@@ -2,10 +2,11 @@ package sysdig
 
 import (
 	"context"
-	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
 	"strconv"
 	"time"
 
+	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
+
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 )
@@ -44,6 +45,10 @@ func resourceSysdigSecureMacro() *schema.Resource {
 				Type:     schema.TypeString,
 				Required: true,
 			},
+			"minimum_engine_version": {
+				Type:     schema.TypeInt,
+				Optional: true,
+			},
 			"version": {
 				Type:     schema.TypeInt,
 				Computed: true,
@@ -110,6 +115,9 @@ func resourceSysdigMacroRead(ctx context.Context, d *schema.ResourceData, meta i
 	_ = d.Set("version", macro.Version)
 	_ = d.Set("condition", macro.Condition.Condition)
 	_ = d.Set("append", macro.Append)
+	if macro.MinimumEngineVersion != nil {
+		_ = d.Set("minimum_engine_version", *macro.MinimumEngineVersion)
+	}
 
 	return nil
 }
@@ -130,9 +138,15 @@ func resourceSysdigMacroDelete(ctx context.Context, d *schema.ResourceData, meta
 }
 
 func macroFromResourceData(d *schema.ResourceData) v2.Macro {
-	return v2.Macro{
+	macro := v2.Macro{
 		Name:      d.Get("name").(string),
 		Append:    d.Get("append").(bool),
 		Condition: v2.MacroCondition{Condition: d.Get("condition").(string)},
 	}
+	minimumEngineVersionInterface, ok := d.GetOk("minimum_engine_version")
+	if ok {
+		minimumEngineVersion := minimumEngineVersionInterface.(int)
+		macro.MinimumEngineVersion = &minimumEngineVersion
+	}
+	return macro
 }
diff --git a/sysdig/resource_sysdig_secure_macro_test.go b/sysdig/resource_sysdig_secure_macro_test.go
@@ -48,6 +48,9 @@ func TestAccMacro(t *testing.T) {
 			{
 				Config: macroWithMacroAndList(rText(), rText(), rText()),
 			},
+			{
+				Config: macroWithMinimumEngineVersion(rText()),
+			},
 		},
 	})
 }
@@ -109,3 +112,13 @@ resource "sysdig_secure_macro" "sample6" {
 }
 `, listWithName(name3), name1, name2)
 }
+
+func macroWithMinimumEngineVersion(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_macro" "sample" {
+	minimum_engine_version = 13
+	name = "terraform_test_%s"
+	condition = "always_true"
+  }
+`, name)
+}
diff --git a/sysdig/resource_sysdig_secure_rule_falco.go b/sysdig/resource_sysdig_secure_rule_falco.go
@@ -60,6 +60,10 @@ func resourceSysdigSecureRuleFalco() *schema.Resource {
 				Default:          "",
 				ValidateDiagFunc: validateDiagFunc(validateFalcoRuleSource),
 			},
+			"minimum_engine_version": {
+				Type:     schema.TypeInt,
+				Optional: true,
+			},
 			"append": {
 				Type:     schema.TypeBool,
 				Optional: true,
@@ -147,6 +151,9 @@ func resourceSysdigRuleFalcoRead(ctx context.Context, d *schema.ResourceData, me
 	_ = d.Set("output", rule.Details.Output)
 	_ = d.Set("priority", strings.ToLower(rule.Details.Priority))
 	_ = d.Set("source", rule.Details.Source)
+	if rule.Details.MinimumEngineVersion != nil {
+		_ = d.Set("minimum_engine_version", *rule.Details.MinimumEngineVersion)
+	}
 	if rule.Details.Append != nil {
 		_ = d.Set("append", *rule.Details.Append)
 	}
@@ -272,6 +279,12 @@ func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) (v2.Rule, e
 		return v2.Rule{}, errors.New("priority must be set when append = false")
 	}
 
+	minimumEngineVersionInterface, ok := d.GetOk("minimum_engine_version")
+	if ok {
+		minimumEngineVersion := minimumEngineVersionInterface.(int)
+		rule.Details.MinimumEngineVersion = &minimumEngineVersion
+	}
+
 	rule.Details.Condition = &v2.Condition{
 		Condition:  d.Get("condition").(string),
 		Components: []interface{}{},
diff --git a/sysdig/resource_sysdig_secure_rule_falco_test.go b/sysdig/resource_sysdig_secure_rule_falco_test.go
@@ -39,6 +39,9 @@ func TestAccRuleFalco(t *testing.T) {
 			{
 				Config: ruleFalcoUpdatedTerminalShell(ruleRandomImmutableText),
 			},
+			{
+				Config: ruleFalcoTerminalShellWithMinimumEngineVersion(rText()),
+			},
 			{
 				ResourceName:      "sysdig_secure_rule_falco.terminal_shell",
 				ImportState:       true,
@@ -254,3 +257,18 @@ resource "sysdig_secure_rule_falco" "attach_to_cluster_admin_role_exceptions" {
    }
 }`
 }
+
+func ruleFalcoTerminalShellWithMinimumEngineVersion(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_rule_falco" "terminal_shell" {
+  name = "TERRAFORM TEST %s - Terminal Shell"
+  minimum_engine_version = 13
+  description = "TERRAFORM TEST %s"
+  tags = ["container", "shell", "mitre_execution"]
+
+  condition = "spawned_process and container and shell_procs and proc.tty != 0 and container_entrypoint"
+  output = "A shell was spawned in a container with an attached terminal (user=%%user.name %%container.info shell=%%proc.name parent=%%proc.pname cmdline=%%proc.cmdline terminal=%%proc.tty container_id=%%container.id image=%%container.image.repository)"
+  priority = "notice"
+  source = "syscall" // syscall or k8s_audit
+}`, name, name)
+}
diff --git a/website/docs/d/secure_rule_falco.md b/website/docs/d/secure_rule_falco.md
@@ -40,6 +40,7 @@ In addition to the argument above, the following attributes are exported:
 * `priority` - The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
 * `exceptions` - The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
 * `append` - This indicates that the rule being created appends the condition to an existing Sysdig-provided rule
+* `minimum_engine_version` - This is used to indicate that the rule requires a minimum engine version.
 * `version` - Current version of the resource in Sysdig Secure.
 
 ### Exceptions
diff --git a/website/docs/r/secure_macro.md b/website/docs/r/secure_macro.md
@@ -37,6 +37,11 @@ resource "sysdig_secure_macro" "https_port" {
     The macros can only be extended once, for example if there is an existing macro called "foo", one can have another 
     append macro called "foo" but not a second one. By default this is false.
 
+* `minimum_engine_version` - (Optional) This is used to indicate that the macro requires a minimum engine version. This
+    can allow you to add macros that would not normally pass validation with older agents in your environment. The macro
+    will only be processed by agents that support the minimum_engine_version specified.
+
+
 ## Attributes Reference
 
 No additional attributes are exported.
diff --git a/website/docs/r/secure_rule_falco.md b/website/docs/r/secure_rule_falco.md
@@ -66,7 +66,11 @@ The following arguments are supported:
 * `priority` - (Optional) The priority of the Falco rule. It can be: "emergency", "alert", "critical", "error", "warning", "notice", "info" or "debug". By default is "warning".
 * `source` - (Optional) The source of the event. It can be either "syscall", "k8s_audit", "aws_cloudtrail", "gcp_auditlog", or "azure_platformlogs". Required if append is false.
 * `exceptions` - (Optional) The exceptions key is a list of identifier plus list of tuples of filtercheck fields. See below for details.
-* `append` - (Optional) This indicates that the rule being created appends the condition to an existing Sysdig-provided rule. By default this is false. Appending to user-created rules is not supported by the API.
+* `append` - (Optional) This indicates that the rule being created appends the condition to an existing Sysdig-provided
+  rule. By default this is false. Appending to user-created rules is not supported by the API.
+* `minimum_engine_version` - (Optional) This is used to indicate that the rule requires a minimum engine version. This
+    can allow you to add rules that would not normally pass validation with older agents in your environment. The rule
+    will only be processed by agents that support the minimum_engine_version specified.
 
 ### Exceptions
 

Original file line number	Diff line number	Diff line change
`@@ -48,6 +48,9 @@ func TestAccMacro(t *testing.T) {`
`48`	`48`	`{`
`49`	`49`	`Config: macroWithMacroAndList(rText(), rText(), rText()),`
`50`	`50`	`},`
	`51`	`+ {`
	`52`	`+ Config: macroWithMinimumEngineVersion(rText()),`
	`53`	`+ },`
`51`	`54`	`},`
`52`	`55`	`})`
`53`	`56`	`}`
`@@ -109,3 +112,13 @@ resource "sysdig_secure_macro" "sample6" {`
`109`	`112`	`}`
`110`	`113`	`, listWithName(name3), name1, name2)
`111`	`114`	`}`
	`115`	`+`
	`116`	`+func macroWithMinimumEngineVersion(name string) string {`
	`117`	+ return fmt.Sprintf(`
	`118`	`+resource "sysdig_secure_macro" "sample" {`
	`119`	`+ minimum_engine_version = 13`
	`120`	`+ name = "terraform_test_%s"`
	`121`	`+ condition = "always_true"`
	`122`	`+ }`
	`123`	+`, name)
	`124`	`+}`