feat(policies): data source for managed ruleset (#334)

* implement data source for managed ruleset

* add documentation for managed rulesets. ensure tests run with policy tests. fix documentation for managed policy.

sysdig/data_source_sysdig_secure_managed_policy_test.go

@@ -1,4 +1,4 @@
-//go:build tf_acc_sysdig || tf_acc_sysdig_secure
+//go:build tf_acc_sysdig || tf_acc_sysdig_secure || tf_acc_policies
 
 package sysdig_test
 

sysdig/data_source_sysdig_secure_managed_ruleset.go

@@ -0,0 +1,63 @@
+package sysdig
+
+import (
+	"context"
+	"time"
+
+	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/diag"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+)
+
+func dataSourceSysdigSecureManagedRuleset() *schema.Resource {
+	timeout := 5 * time.Minute
+
+	return &schema.Resource{
+		ReadContext: dataSourceSysdigManagedRulesetRead,
+
+		Timeouts: &schema.ResourceTimeout{
+			Read: schema.DefaultTimeout(timeout),
+		},
+
+		Schema: createPolicyDataSourceSchema(),
+	}
+}
+
+func dataSourceSysdigManagedRulesetRead(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
+	client, err := getSecurePolicyClient(meta.(SysdigClients))
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	policyName := d.Get("name").(string)
+	policyType := d.Get("type").(string)
+
+	policies, _, err := client.GetPolicies(ctx)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	var policy v2.Policy
+	for _, existingPolicy := range policies {
+		if existingPolicy.Name == policyName && existingPolicy.Type == policyType {
+			if existingPolicy.IsDefault || existingPolicy.TemplateId == 0 {
+				return diag.Errorf("policy is not a managed ruleset")
+			}
+			policy = existingPolicy
+			break
+		}
+	}
+
+	if policy.ID == 0 {
+		return diag.Errorf("unable to find managed ruleset")
+	}
+
+	loadedPolicy, _, err := client.GetPolicyByID(ctx, policy.ID)
+	if err != nil {
+		return diag.FromErr(err)
+	}
+
+	policyDataSourceToResourceData(loadedPolicy, d)
+
+	return nil
+}

sysdig/data_source_sysdig_secure_managed_ruleset_test.go

@@ -0,0 +1,57 @@
+//go:build tf_acc_sysdig || tf_acc_sysdig_secure || tf_acc_policies
+
+package sysdig_test
+
+import (
+	"fmt"
+	"os"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+
+	"github.com/draios/terraform-provider-sysdig/sysdig"
+)
+
+func TestAccManagedRulesetDataSource(t *testing.T) {
+	rText := acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: func() {
+			if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" {
+				t.Fatal("SYSDIG_SECURE_API_TOKEN must be set for acceptance tests")
+			}
+		},
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: managedRulesetDataSource(rText),
+			},
+		},
+	})
+}
+
+func managedRulesetDataSource(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_managed_ruleset" "sample" {
+	name = "%s"
+	description = "Test Description"
+	inherited_from {
+		name = "Sysdig Runtime Threat Detection"
+		type = "falco"
+	}
+	enabled = true
+}
+
+data "sysdig_secure_managed_ruleset" "example" {
+	depends_on = [sysdig_secure_managed_ruleset.sample]
+	name = "%s"
+	type = "falco"
+}
+`, name, name)
+}

sysdig/data_source_sysdig_secure_policy.go

@@ -127,7 +127,6 @@ func policyDataSourceToResourceData(policy v2.Policy, d *schema.ResourceData) {
 		if action.Type != "POLICY_ACTION_CAPTURE" {
 			action := strings.Replace(action.Type, "POLICY_ACTION_", "", 1)
 			actions[0]["container"] = strings.ToLower(action)
-			//d.Set("actions.0.container", strings.ToLower(action))
 		} else {
 			actions[0]["capture"] = []map[string]interface{}{{
 				"seconds_after_event":  action.AfterEventNs / 1000000000,

sysdig/provider.go

@@ -127,6 +127,7 @@ func Provider() *schema.Provider {
 			"sysdig_secure_trusted_cloud_identity": dataSourceSysdigSecureTrustedCloudIdentity(),
 			"sysdig_secure_notification_channel":   dataSourceSysdigSecureNotificationChannel(),
 			"sysdig_secure_managed_policy":         dataSourceSysdigSecureManagedPolicy(),
+			"sysdig_secure_managed_ruleset":        dataSourceSysdigSecureManagedRuleset(),
 
 			"sysdig_current_user":      dataSourceSysdigCurrentUser(),
 			"sysdig_user":              dataSourceSysdigUser(),

website/docs/d/secure_managed_policy.md

@@ -15,7 +15,7 @@ Retrieves the information of an existing Sysdig Secure Managed Policy.
 ## Example Usage
 
 ```terraform
-data "sysdig_secure_notification_channel" "sample-email" {
+data "sysdig_secure_managed_policy" "example" {
   name                 = "Sysdig Runtime Threat Detection"
   type                 = "falco"
 }

website/docs/d/secure_managed_ruleset.md

@@ -0,0 +1,66 @@
+---
+subcategory: "Sysdig Secure"
+layout: "sysdig"
+page_title: "Sysdig: sysdig_secure_managed_ruleset"
+description: |-
+  Retrieves a Sysdig Secure Managed Ruleset.
+---
+
+# sysdig_secure_managed_ruleset
+
+Retrieves the information of an existing Sysdig Secure Managed Ruleset.
+
+-> **Note:** Sysdig Terraform Provider is under rapid development at this point. If you experience any issue or discrepancy while using it, please make sure you have the latest version. If the issue persists, or you have a Feature Request to support an additional set of resources, please open a [new issue](https://github.com/sysdiglabs/terraform-provider-sysdig/issues/new) in the GitHub repository.
+
+## Example Usage
+
+```terraform
+data "sysdig_secure_managed_ruleset" "example" {
+  name                 = "Sysdig Runtime Threat Detection - Managed Ruleset"
+  type                 = "falco"
+}
+```
+
+## Argument Reference
+
+* `name` - (Required) The name of the Secure managed ruleset.
+
+* `type` - (Optional) Specifies the type of the runtime policy. Must be one of: `falco`, `list_matching`, `k8s_audit`,
+  `aws_cloudtrail`, `gcp_auditlog`, `azure_platformlogs`. By default it is `falco`.
+
+## Attributes Reference
+
+In addition to all arguments above, the following attributes are exported:
+
+* `id` - The id for the managed policy.
+
+* `description` - The description for the managed policy.
+
+* `severity` -  The severity of Secure policy. The accepted values
+    are: 0, 1, 2, 3 (High), 4, 5 (Medium), 6 (Low) and 7 (Info).
+
+* `enabled` - Whether the policy is enabled or not.
+
+* `runbook` - Customer provided url that provides a runbook for a given policy.
+
+* `scope` - The application scope for the policy.
+
+* `rules` - An array of rules with the properties `name` and `enabled` to identify the rule name and whether it is enabled.
+
+* `notification_channels` - IDs of the notification channels to send alerts to
+    when the policy is fired.
+
+### Actions block
+
+The actions block is optional and supports:
+
+* `container` - (Optional) The action applied to container when this Policy is
+    triggered. Can be *stop*, *pause* or *kill*. If this is not specified,
+    no action will be applied at the container level.
+
+* `capture` - (Optional) Captures with Sysdig the stream of system calls:
+    * `seconds_before_event` - (Required) Captures the system calls during the
+    amount of seconds before the policy was triggered.
+    * `seconds_after_event` - (Required) Captures the system calls for the amount
+    of seconds after the policy was triggered.
+    * `name` - (Optional) The name of the capture file