feat: sysdig_secure_policy now supports killing the container (#57)

Author: tembleking

sysdig/resource_sysdig_secure_policy.go

@@ -92,7 +92,7 @@ func resourceSysdigSecurePolicy() *schema.Resource {
 						"container": {
 							Type:         schema.TypeString,
 							Optional:     true,
-							ValidateFunc: validation.StringInSlice([]string{"stop", "pause"}, false),
+							ValidateFunc: validation.StringInSlice([]string{"stop", "pause", "kill"}, false),
 						},
 						"capture": {
 							Type:     schema.TypeList,

sysdig/resource_sysdig_secure_policy_test.go

@@ -40,6 +40,9 @@ func TestAccPolicy(t *testing.T) {
 			{
 				Config: policiesWithDifferentSeverities(rText()),
 			},
+			{
+				Config: policiesWithKillAction(rText()),
+			},
 		},
 	})
 }
@@ -132,3 +135,20 @@ resource "sysdig_secure_policy" "sample_%d" {
 	}
 	return
 }
+
+func policiesWithKillAction(name string) (res string) {
+	return fmt.Sprintf(`
+resource "sysdig_secure_policy" "sample" {
+  name = "TERRAFORM TEST 1 %s"
+  description = "TERRAFORM TEST %s"
+  enabled = true
+  severity = 4
+  scope = "container.id != \"\""
+  rule_names = ["Terminal shell in container"]
+
+  actions {
+    container = "kill"
+  }
+}
+`, name, name)
+}

website/docs/r/sysdig_secure_policy.md

@@ -66,7 +66,8 @@ resource "sysdig_secure_policy" "write_apt_database" {
 The actions block is optional and supports:
 
 * `container` - (Optional) The action applied to container when this Policy is
-    triggered. Can be *stop* or *pause*.
+    triggered. Can be *stop*, *pause* or *kill*. If this is not specified,
+    no action will be applied at the container level.
 
 * `capture` - (Optional) Captures with Sysdig the stream of system calls:
     * `seconds_before_event` - (Required) Captures the system calls during the