feat(policies) add stateful policy and rule support (#604)

* add stateful policy and rule support

* fix tests

* Update resource_sysdig_secure_rule_stateful_test.go

* add tests for stateful policy, skip in ibm

* only run tests on secure

* use existing exception name

* add docs

* only allow name/values in exceptions

* address review comments part 1

* address review comments part 2

* address review comments part 3

* add version to resource

* add docs

* address lint errors

* Small fix to test

* Fix test failure

* Remove computed enabled flag for managed policy data source

---------

Co-authored-by: ombellare <omkar.bellare@sysdig.com>

Author: kmvachhani

sysdig/data_source_sysdig_secure_managed_policy_test.go

@@ -4,6 +4,7 @@ package sysdig_test
 
 import (
 	"os"
+	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -13,6 +14,18 @@ import (
 )
 
 func TestAccManagedPolicyDataSource(t *testing.T) {
+	steps := []resource.TestStep{
+		{
+			Config: managedPolicyDataSource(),
+		},
+	}
+
+	if !strings.HasSuffix(os.Getenv("SYSDIG_SECURE_URL"), "ibm.com") {
+		steps = append(steps, resource.TestStep{
+			Config: managedStatefulPolicyDataSource(),
+		},
+		)
+	}
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck: func() {
 			if v := os.Getenv("SYSDIG_SECURE_API_TOKEN"); v == "" {
@@ -24,11 +37,7 @@ func TestAccManagedPolicyDataSource(t *testing.T) {
 				return sysdig.Provider(), nil
 			},
 		},
-		Steps: []resource.TestStep{
-			{
-				Config: managedPolicyDataSource(),
-			},
-		},
+		Steps: steps,
 	})
 }
 
@@ -40,3 +49,12 @@ data "sysdig_secure_managed_policy" "example" {
 }
 `
 }
+
+func managedStatefulPolicyDataSource() string {
+	return `
+data "sysdig_secure_managed_policy" "stateful_example" {
+	name = "Sysdig AWS Behavioral Analytics Threat Detection"
+	type = "awscloudtrail_stateful"
+}
+`
+}

sysdig/internal/client/v2/model.go

@@ -520,12 +520,15 @@ type Rule struct {
 }
 
 const (
-	RuleTypeContainer  = "CONTAINER"
-	RuleTypeFalco      = "FALCO"
-	RuleTypeFilesystem = "FILESYSTEM"
-	RuleTypeNetwork    = "NETWORK"
-	RuleTypeProcess    = "PROCESS"
-	RuleTypeSyscall    = "SYSCALL"
+	RuleTypeContainer           = "CONTAINER"
+	RuleTypeFalco               = "FALCO"
+	RuleTypeFilesystem          = "FILESYSTEM"
+	RuleTypeNetwork             = "NETWORK"
+	RuleTypeProcess             = "PROCESS"
+	RuleTypeSyscall             = "SYSCALL"
+	RuleTypeStatefulSequence    = "STATEFUL_SEQUENCE"
+	RuleTypeStatefulUniqPercent = "STATEFUL_UNIQ_PERCENT"
+	RuleTypeStatefulCount       = "STATEFUL_COUNT"
 )
 
 type Details struct {

sysdig/internal/client/v2/rules.go

@@ -8,11 +8,15 @@ import (
 )
 
 const (
-	CreateRulePath   = "%s/api/secure/rules?skipPolicyV2Msg=%t"
-	GetRuleByIDPath  = "%s/api/secure/rules/%d"
-	UpdateRulePath   = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
-	DeleteURLPath    = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
-	GetRuleGroupPath = "%s/api/secure/rules/groups?name=%s&type=%s"
+	CreateRulePath           = "%s/api/secure/rules?skipPolicyV2Msg=%t"
+	GetRuleByIDPath          = "%s/api/secure/rules/%d"
+	UpdateRulePath           = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
+	DeleteURLPath            = "%s/api/secure/rules/%d?skipPolicyV2Msg=%t"
+	GetRuleGroupPath         = "%s/api/secure/rules/groups?name=%s&type=%s"
+	CreateStatefulRulePath   = "%s/api/policies/v3/statefulRules"
+	UpdateStatefulRulePath   = "%s/api/policies/v3/statefulRules/%d"
+	DeleteStatefulRulePath   = "%s/api/policies/v3/statefulRules/%d"
+	GetStatefulRuleGroupPath = "%s/api/policies/v3/statefulRules/groups?name=%s&type=%s"
 )
 
 type RuleInterface interface {
@@ -22,6 +26,10 @@ type RuleInterface interface {
 	UpdateRule(ctx context.Context, rule Rule) (Rule, error)
 	DeleteRule(ctx context.Context, ruleID int) error
 	GetRuleGroup(ctx context.Context, ruleName string, ruleType string) ([]Rule, error)
+	CreateStatefulRule(ctx context.Context, rule Rule) (Rule, error)
+	UpdateStatefulRule(ctx context.Context, rule Rule) (Rule, error)
+	DeleteStatefulRule(ctx context.Context, ruleID int) error
+	GetStatefulRuleGroup(ctx context.Context, ruleName string, ruleType string) ([]Rule, error)
 }
 
 func (client *Client) CreateRule(ctx context.Context, rule Rule) (Rule, error) {
@@ -125,3 +133,85 @@ func (client *Client) DeleteRuleURL(ruleID int) string {
 func (client *Client) GetRuleGroupURL(ruleName string, ruleType string) string {
 	return fmt.Sprintf(GetRuleGroupPath, client.config.url, url.QueryEscape(ruleName), url.QueryEscape(ruleType))
 }
+
+func (client *Client) CreateStatefulRuleURL() string {
+	return fmt.Sprintf(CreateStatefulRulePath, client.config.url)
+}
+
+func (client *Client) UpdateStatefulRuleURL(ruleID int) string {
+	return fmt.Sprintf(UpdateStatefulRulePath, client.config.url, ruleID)
+}
+
+func (client *Client) DeleteStatefulRuleURL(ruleID int) string {
+	return fmt.Sprintf(DeleteStatefulRulePath, client.config.url, ruleID)
+}
+
+func (client *Client) GetStatefulRuleGroupURL(ruleName string, ruleType string) string {
+	return fmt.Sprintf(GetStatefulRuleGroupPath, client.config.url, url.QueryEscape(ruleName), url.QueryEscape(ruleType))
+}
+
+func (client *Client) CreateStatefulRule(ctx context.Context, rule Rule) (Rule, error) {
+	payload, err := Marshal(rule)
+	if err != nil {
+		return Rule{}, err
+	}
+	response, err := client.requester.Request(ctx, http.MethodPost, client.CreateStatefulRuleURL(), payload)
+	if err != nil {
+		return Rule{}, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return Rule{}, client.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[Rule](response.Body)
+}
+
+func (client *Client) UpdateStatefulRule(ctx context.Context, rule Rule) (Rule, error) {
+	payload, err := Marshal(rule)
+	if err != nil {
+		return Rule{}, err
+	}
+
+	response, err := client.requester.Request(ctx, http.MethodPut, client.UpdateStatefulRuleURL(rule.ID), payload)
+	if err != nil {
+		return Rule{}, err
+	}
+
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return Rule{}, client.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[Rule](response.Body)
+}
+
+func (client *Client) DeleteStatefulRule(ctx context.Context, ruleID int) error {
+	response, err := client.requester.Request(ctx, http.MethodDelete, client.DeleteStatefulRuleURL(ruleID), nil)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusNoContent && response.StatusCode != http.StatusOK {
+		return client.ErrorFromResponse(response)
+	}
+
+	return err
+}
+
+func (client *Client) GetStatefulRuleGroup(ctx context.Context, ruleName string, ruleType string) ([]Rule, error) {
+	response, err := client.requester.Request(ctx, http.MethodGet, client.GetStatefulRuleGroupURL(ruleName, ruleType), nil)
+	if err != nil {
+		return []Rule{}, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return []Rule{}, client.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[[]Rule](response.Body)
+}

sysdig/provider.go

@@ -148,6 +148,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 			"sysdig_secure_rule_process":                                  resourceSysdigSecureRuleProcess(),
 			"sysdig_secure_rule_syscall":                                  resourceSysdigSecureRuleSyscall(),
 			"sysdig_secure_rule_falco":                                    resourceSysdigSecureRuleFalco(),
+			"sysdig_secure_rule_stateful":                                 resourceSysdigSecureStatefulRule(),
 			"sysdig_secure_team":                                          resourceSysdigSecureTeam(),
 			"sysdig_secure_list":                                          resourceSysdigSecureList(),
 			"sysdig_secure_macro":                                         resourceSysdigSecureMacro(),

sysdig/resource_sysdig_secure_policy.go

@@ -33,6 +33,7 @@ var validatePolicyType = validation.StringInSlice([]string{
 	"aws_machine_learning",
 	"machine_learning",
 	"guardduty",
+	"awscloudtrail_stateful",
 }, false)
 
 func resourceSysdigSecurePolicy() *schema.Resource {