fix(secure-policy): Update falco rule exceptions type to match falco expectations (#233)

Ben Lucas · web-flow · commit d0b440aad9c3 · 2022-12-23T10:17:19.000-08:00
* updates types for falco rule exceptions to more closely match how falco structures the exception values.

* switch back to using string so we can jsonencode the value.  update documentation to provide working example

* fix spelling in readme. fix tests.

* fix additional unit test
diff --git a/README.md b/README.md
@@ -63,7 +63,7 @@ $ make test
 If you want to execute the **acceptance tests**, you can run `make testacc`.
 - Follow [Terraform acceptance test guideliness](https://www.terraform.io/plugin/sdkv2/testing/acceptance-tests)
 - Please note that you need a token for Sysdig Monitor and another one for Sysdig Secure, and since the **acceptance tests create real infrastructure**
-you should execute them in an environment where you can remove the resorces easily.
+you should execute them in an environment where you can remove the resources easily.
 - Acceptance tests are launched in Sysdig production environment
 
 ```sh
diff --git a/sysdig/resource_sysdig_secure_rule_falco.go b/sysdig/resource_sysdig_secure_rule_falco.go
@@ -284,10 +284,7 @@ func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) (secure.Rul
 			}
 
 			comps := cast.ToStringSlice(exceptionMap["comps"])
-			if len(comps) == 1 {
-				newFalcoException.Comps = comps[0]
-			}
-			if len(comps) > 1 {
+			if len(comps) >= 1 {
 				newFalcoException.Comps = comps
 			}
 
@@ -298,10 +295,7 @@ func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) (secure.Rul
 			}
 
 			fields := cast.ToStringSlice(exceptionMap["fields"])
-			if len(fields) == 1 {
-				newFalcoException.Fields = fields[0]
-			}
-			if len(fields) > 1 {
+			if len(fields) >= 1 {
 				newFalcoException.Fields = fields
 			}
 
diff --git a/sysdig/resource_sysdig_secure_rule_falco_test.go b/sysdig/resource_sysdig_secure_rule_falco_test.go
@@ -191,12 +191,12 @@ resource "sysdig_secure_rule_falco" "falco_rule_with_exceptions" {
    name = "only_one_field"
    fields = ["ka.req.binding.subjects"]
    comps = ["in"]
-   values = jsonencode(["foo"])
+   values = jsonencode([["foo"]])
   }
   exceptions {
    name = "only_one_field_without_comps"
    fields = ["ka.req.binding.subjects"]
-   values = jsonencode(["foo"])
+   values = jsonencode([["foo"]])
   }
 }
 `, name)
@@ -213,7 +213,7 @@ resource "sysdig_secure_rule_falco" "attach_to_cluster_admin_role_exceptions" {
         name = "proc_name"
         fields = ["proc.name"]
         comps = ["in"]
-        values = jsonencode(["sh"])
+        values = jsonencode([["sh"]])
    }
 }`
 }
diff --git a/website/docs/r/secure_rule_falco.md b/website/docs/r/secure_rule_falco.md
@@ -30,7 +30,7 @@ resource "sysdig_secure_rule_falco" "example" {
     name   = "proc_names"
     fields = ["proc.name"]
     comps  = ["in"]
-    values = jsonencode(["python", "python2", "python3"]) # If only one element is provided, do not specify it a list of lists.
+    values = jsonencode([[["python", "python2", "python3"]]]) # If only one element is provided, it should still needs to be specified as a list of lists.
   }
 
   exceptions {

Original file line number	Diff line number	Diff line change
`@@ -284,10 +284,7 @@ func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) (secure.Rul`
`284`	`284`	`}`
`285`	`285`
`286`	`286`	`comps := cast.ToStringSlice(exceptionMap["comps"])`
`287`		`- if len(comps) == 1 {`
`288`		`- newFalcoException.Comps = comps[0]`
`289`		`- }`
`290`		`- if len(comps) > 1 {`
	`287`	`+ if len(comps) >= 1 {`
`291`	`288`	`newFalcoException.Comps = comps`
`292`	`289`	`}`
`293`	`290`
`@@ -298,10 +295,7 @@ func resourceSysdigRuleFalcoFromResourceData(d *schema.ResourceData) (secure.Rul`
`298`	`295`	`}`
`299`	`296`
`300`	`297`	`fields := cast.ToStringSlice(exceptionMap["fields"])`
`301`		`- if len(fields) == 1 {`
`302`		`- newFalcoException.Fields = fields[0]`
`303`		`- }`
`304`		`- if len(fields) > 1 {`
	`298`	`+ if len(fields) >= 1 {`
`305`	`299`	`newFalcoException.Fields = fields`
`306`	`300`	`}`
`307`	`301`
Original file line number	Diff line number	Diff line change
`@@ -191,12 +191,12 @@ resource "sysdig_secure_rule_falco" "falco_rule_with_exceptions" {`
`191`	`191`	`name = "only_one_field"`
`192`	`192`	`fields = ["ka.req.binding.subjects"]`
`193`	`193`	`comps = ["in"]`
`194`		`- values = jsonencode(["foo"])`
	`194`	`+ values = jsonencode([["foo"]])`
`195`	`195`	`}`
`196`	`196`	`exceptions {`
`197`	`197`	`name = "only_one_field_without_comps"`
`198`	`198`	`fields = ["ka.req.binding.subjects"]`
`199`		`- values = jsonencode(["foo"])`
	`199`	`+ values = jsonencode([["foo"]])`
`200`	`200`	`}`
`201`	`201`	`}`
`202`	`202`	`, name)
`@@ -213,7 +213,7 @@ resource "sysdig_secure_rule_falco" "attach_to_cluster_admin_role_exceptions" {`
`213`	`213`	`name = "proc_name"`
`214`	`214`	`fields = ["proc.name"]`
`215`	`215`	`comps = ["in"]`
`216`		`- values = jsonencode(["sh"])`
	`216`	`+ values = jsonencode([["sh"]])`
`217`	`217`	`}`
`218`	`218`	}`
`219`	`219`	`}`
Original file line number	Diff line number	Diff line change
`@@ -30,7 +30,7 @@ resource "sysdig_secure_rule_falco" "example" {`
`30`	`30`	`name = "proc_names"`
`31`	`31`	`fields = ["proc.name"]`
`32`	`32`	`comps = ["in"]`
`33`		`- values = jsonencode(["python", "python2", "python3"]) # If only one element is provided, do not specify it a list of lists.`
	`33`	`+ values = jsonencode([[["python", "python2", "python3"]]]) # If only one element is provided, it should still needs to be specified as a list of lists.`
`34`	`34`	`}`
`35`	`35`
`36`	`36`	`exceptions {`