docs: update documentation

Author: tembleking

sysdig/resource_sysdig_secure_vulnerability_rule_bundle.go

@@ -11,6 +11,7 @@ import (
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/validation"
 )
 
 func vulnerabilityRuleSchemaImageConfigLabel() *schema.Schema {
@@ -126,14 +127,16 @@ func vulnerabilityRuleSchemaSeveritiesAndThreats() *schema.Schema {
 					Description: "Internal identifier for the severities and threats rule block.",
 				},
 				"severity_at_least": {
-					Type:        schema.TypeString,
-					Optional:    true,
-					Description: "Vulnerability severity must be at least this level (critical, high, medium, low, negligible).",
+					Type:         schema.TypeString,
+					Optional:     true,
+					Description:  "Vulnerability severity must be at least this level (critical, high, medium, low, negligible).",
+					ValidateFunc: validation.StringInSlice([]string{"critical", "high", "medium", "low", "negligible"}, false),
 				},
 				"severity_equals": {
-					Type:        schema.TypeString,
-					Optional:    true,
-					Description: "Vulnerability severity must be exactly this level.",
+					Type:         schema.TypeString,
+					Optional:     true,
+					Description:  "Vulnerability severity must be exactly this level.",
+					ValidateFunc: validation.StringInSlice([]string{"critical", "high", "medium", "low", "negligible"}, false),
 				},
 				"cvss_at_least": {
 					Type:        schema.TypeFloat,
@@ -166,9 +169,10 @@ func vulnerabilityRuleSchemaSeveritiesAndThreats() *schema.Schema {
 					},
 				},
 				"package_type": {
-					Type:        schema.TypeString,
-					Optional:    true,
-					Description: "Type of the package (e.g., 'os', 'npm', 'maven').",
+					Type:         schema.TypeString,
+					Optional:     true,
+					Description:  "Type of the package.",
+					ValidateFunc: validation.StringInSlice([]string{"os", "nonOs"}, false),
 				},
 				"in_use": {
 					Type:        schema.TypeBool,

website/docs/r/secure_vulnerability_rule_bundle.md

@@ -3,33 +3,42 @@ subcategory: "Sysdig Secure"
 layout: "sysdig"
 page_title: "Sysdig: sysdig_secure_vulnerability_rule_bundle"
 description: |-
-  Creates a Sysdig Secure Vulnerability Rule Bundle.
+  Creates a Sysdig Secure Vulnerability Rule Bundle for defining custom vulnerability management rules.
 ---
 
 # Resource: sysdig_secure_vulnerability_rule_bundle
 
-Creates a Sysdig Secure Vulnerability Rule Bundle to define custom rules for vulnerability management, supporting various types of rules.
+Creates a Sysdig Secure Vulnerability Rule Bundle.
+
+A **Rule Bundle** is a collection of rules that can be reused across multiple [Vulnerability Policies](https://docs.sysdig.com/en/docs/sysdig-secure/policies/vulnerability_policies/). Rule bundles allow you to define a standardized set of conditions for evaluating vulnerabilities, which can then be applied consistently to different policies. For more details, see the official documentation on [Rule Bundles](https://docs.sysdig.com/en/sysdig-secure/vm_policies/rule_bundles/).
 
 -> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
 
 ## Example Usage
 
+### Image Label Example
+
+This example defines a rule bundle that checks for the presence or absence of specific image labels.
+
 ```terraform
-resource "sysdig_secure_vulnerability_rule_bundle" "example" {
-  name = "Example Rule Bundle"
+resource "sysdig_secure_vulnerability_rule_bundle" "example_image_label" {
+  name = "Example Rule Bundle - Image Label"
 
+  # Rule to ensure a specific label exists
   rule {
     image_label {
       label_must_exist = "required-label"
     }
   }
 
+  # Rule to ensure a specific label does not exist
   rule {
     image_label {
       label_must_not_exist = "forbidden-label"
     }
   }
 
+  # Rule to ensure a label exists and has a specific value
   rule {
     image_label {
       label_must_exist_and_contain_value {
@@ -41,38 +50,114 @@ resource "sysdig_secure_vulnerability_rule_bundle" "example" {
 }
 ```
 
-## Argument Reference
+### Severities and Threats Example
 
-* `name` - (Required) The name of the vulnerability rule bundle.
+This example creates a comprehensive rule bundle that evaluates vulnerabilities based on severity, threat intelligence, and other risk factors.
 
-* `description` - (Optional) A description for the rule bundle.
+```terraform
+resource "sysdig_secure_vulnerability_rule_bundle" "example_severities" {
+  name        = "Example Rule Bundle - Severities & Threats"
+  description = "Bundle with rules for high-priority vulnerabilities"
+
+  rule {
+    severities_and_threats {
+      # Severity and disclosure criteria
+      severity_at_least          = "high"
+      disclosure_older_than_days = 90
+
+      # Package and runtime context
+      package_type = "os"
+      in_use       = true # Only trigger if the package is loaded in memory
+
+      # Fix and exploitability status
+      fix_available_since_days            = 30
+      public_exploit_available_since_days = 15
+
+      # Exploit characteristics (CVSS vector)
+      exploit_no_admin_privileges = true
+      exploit_no_user_interaction = true
+      exploit_network_attack_vector = true
+
+      # CISA KEV (Known Exploited Vulnerabilities) intelligence
+      cisa_kev_in_ransomware_campaign = true
+      cisa_kev_available_since_days   = 10
+      cisa_kev_due_date_in_days       = 21
+
+      # EPSS (Exploit Prediction Scoring System) scores
+      epss_score_at_least_percentage      = 80
+      epss_percentile_at_least_percentage = 90
+    }
+  }
+}
+```
 
-* `rule` - (Required) List of rule definitions. Each rule supports multiple types (e.g., `image_label`). Each type may have different required attributes:
+## Argument Reference
 
-### Rule Types
+* `name` - (Required) The name of the vulnerability rule bundle.
 
-#### image_label
+* `description` - (Optional) A description for the rule bundle.
 
-Defines label-based matching rules for image configuration. Only one of the following attributes must be specified:
+* `rule` - (Required) A list of rule definitions. Each `rule` block must define exactly one of the available rule types. For more details on rule types, see the [Rules documentation](https://docs.sysdig.com/en/sysdig-secure/policies/vulnerability_policies/rules).
 
-* `label_must_exist` - (Optional) Label key that must exist in the image configuration.
-* `label_must_not_exist` - (Optional) Label key that must not exist in the image configuration.
-* `label_must_exist_and_contain_value` - (Optional) List of required label-value pairs, each containing:
+---
 
-  * `required_label` - (Required) Label key required in the image configuration.
-  * `required_value` - (Required) Value that the label must contain.
+### `rule` block
+
+Each `rule` block defines a single condition. A bundle can contain multiple rules.
+
+#### `image_label`
+
+Defines rules based on image labels to evaluate image configuration. Only one of the following attributes can be specified within a single `image_label` block.
+
+* `label_must_exist` - (Optional) The rule matches if an image contains a label with this key.
+* `label_must_not_exist` - (Optional) The rule matches if an image does not contain a label with this key.
+* `label_must_exist_and_contain_value` - (Optional) A block specifying a label key and value that must exist in the image configuration.
+  * `required_label` - (Required) The label key that must exist.
+  * `required_value` - (Required) The expected value for the given label key.
+
+#### `severities_and_threats`
+
+Defines rules based on vulnerability severity, threat intelligence, and other risk factors.
+
+* `severity_at_least` - (Optional) Matches if the vulnerability severity is at least this level. Valid values: `critical`, `high`, `medium`, `low`, `negligible`.
+* `severity_equals` - (Optional) Matches if the vulnerability severity is exactly this level. Valid values: `critical`, `high`, `medium`, `low`, `negligible`.
+* `cvss_at_least` - (Optional) Matches if the vulnerability's CVSS score is at least this value (e.g., `7.5`).
+* `disclosure_older_than_days` - (Optional) Matches if the vulnerability was publicly disclosed more than this number of days ago.
+* `disclosure_date` - (Optional) A block specifying that the vulnerability was disclosed within a specific date range.
+  * `from` - (Required) Start of the date range in `YYYY-MM-DD` format.
+  * `to` - (Required) End of the date range in `YYYY-MM-DD` format.
+* `package_type` - (Optional) Matches if the vulnerability is in a package of this type. Valid values: `os`, `nonOs`.
+* `in_use` - (Optional) If `true`, the rule matches only if the vulnerable package is loaded in memory at runtime.
+* `fix_available` - (Optional) If `true`, a fix is available for the vulnerability.
+* `fix_available_since_days` - (Optional) Matches if a fix has been available for at least this number of days.
+* `public_exploit_available` - (Optional) If `true`, a public exploit is known to exist for the vulnerability.
+* `public_exploit_available_since_days` - (Optional) Matches if a public exploit has been available for at least this number of days.
+* `exploit_no_admin_privileges` - (Optional) If `true`, the exploit does not require administrator privileges.
+* `exploit_no_user_interaction` - (Optional) If `true`, the exploit does not require user interaction.
+* `exploit_network_attack_vector` - (Optional) If `true`, the exploit has a network attack vector.
+* `cisa_kev_in_ransomware_campaign` - (Optional) If `true`, the vulnerability is part of a CISA KEV (Known Exploited Vulnerabilities) ransomware campaign.
+* `cisa_kev_available_since_days` - (Optional) Matches if the vulnerability has been in the CISA KEV catalog for at least this number of days.
+* `cisa_kev_due_date_in_days` - (Optional) Matches if the CISA KEV remediation due date is within this number of days.
+* `epss_score_at_least_percentage` - (Optional) Matches if the EPSS (Exploit Prediction Scoring System) score is at least this percentage (0-100).
+* `epss_percentile_at_least_percentage` - (Optional) Matches if the EPSS percentile is at least this percentage (0-100).
+
+-> **Note on mutually exclusive fields:**
+> - Within a `severities_and_threats` block, only one of `severity_at_least`, `severity_equals`, or `cvss_at_least` can be set.
+> - `disclosure_older_than_days` and `disclosure_date` are mutually exclusive.
+> - `public_exploit_available` and `public_exploit_available_since_days` are mutually exclusive.
+> - `fix_available` and `fix_available_since_days` are mutually exclusive.
 
 ## Attributes Reference
 
 In addition to all arguments above, the following attributes are exported:
 
-* `identifier` - External identifier computed after creation. Not to be used with the `secure_vulnerability_policy.bundles` field, use `id` for that.
+* `id` - The internal identifier of the vulnerability rule bundle. This is the ID to be used in the `sysdig_secure_vulnerability_policy.bundles` field.
+* `identifier` - The external identifier of the vulnerability rule bundle.
 
 ## Import
 
 Vulnerability rule bundles can be imported using their bundle ID, for example:
 
 ```shell
-$ terraform import sysdig_secure_vulnerability_rule_bundle.example bundle_123456
+$ terraform import sysdig_secure_vulnerability_rule_bundle.example 12345
 ```
-