feat: add vulnerability policy resource (#662)

Author: tembleking

sysdig/internal/client/v2/sysdig.go

@@ -18,39 +18,43 @@ type SysdigRequest struct {
 
 type SysdigCommon interface {
 	Common
-	GroupMappingInterface
-	GroupMappingConfigInterface
+
 	CustomRoleInterface
 	CustomRolePermissionInterface
-	TeamServiceAccountInterface
-	IPFiltersInterface
+	GroupMappingConfigInterface
+	GroupMappingInterface
 	IPFilteringSettingsInterface
+	IPFiltersInterface
+	TeamServiceAccountInterface
 }
 
 type SysdigMonitor interface {
 	SysdigCommon
 	MonitorCommon
+
 	CloudAccountMonitorInterface
 }
 
 type SysdigSecure interface {
 	SysdigCommon
 	SecureCommon
-	PolicyInterface
-	CompositePolicyInterface
-	RuleInterface
-	ListInterface
-	MacroInterface
-	DeprecatedScanningPolicyInterface
-	DeprecatedScanningPolicyAssignmentInterface
-	DeprecatedVulnerabilityExceptionListInterface
-	DeprecatedVulnerabilityExceptionInterface
+
 	CloudAccountSecureInterface
-	CloudauthAccountSecureInterface
-	OrganizationSecureInterface
 	CloudauthAccountComponentSecureInterface
 	CloudauthAccountFeatureSecureInterface
+	CloudauthAccountSecureInterface
+	CompositePolicyInterface
+	DeprecatedScanningPolicyAssignmentInterface
+	DeprecatedScanningPolicyInterface
+	DeprecatedVulnerabilityExceptionInterface
+	DeprecatedVulnerabilityExceptionListInterface
+	ListInterface
+	MacroInterface
 	OnboardingSecureInterface
+	OrganizationSecureInterface
+	PolicyInterface
+	RuleInterface
+	VulnerabilityPolicyClient
 }
 
 func (sr *SysdigRequest) Request(ctx context.Context, method string, url string, payload io.Reader) (*http.Response, error) {

sysdig/internal/client/v2/vulnerability_policy.go

@@ -0,0 +1,116 @@
+package v2
+
+import (
+	"context"
+	"errors"
+	"fmt"
+	"net/http"
+	"strconv"
+)
+
+const (
+	vulnerabilityPoliciesPath = "%s/secure/vulnerability/v1/policies"
+	vulnerabilityPolicyPath   = "%s/secure/vulnerability/v1/policies/%s"
+)
+
+type VulnerabilityPolicyClient interface {
+	CreateVulnerabilityPolicy(ctx context.Context, vulnerabilityPolicy VulnerabilityPolicy) (VulnerabilityPolicy, error)
+	GetVulnerabilityPolicyByID(ctx context.Context, vulnerabilityPolicyID string) (VulnerabilityPolicy, error)
+	UpdateVulnerabilityPolicy(ctx context.Context, vulnerabilityPolicy VulnerabilityPolicy) (VulnerabilityPolicy, error)
+	DeleteVulnerabilityPolicyByID(ctx context.Context, vulnerabilityPolicyID string) error
+}
+
+func (c *Client) CreateVulnerabilityPolicy(ctx context.Context, vulnerabilityPolicy VulnerabilityPolicy) (policy VulnerabilityPolicy, err error) {
+	payload, err := Marshal(vulnerabilityPolicy)
+	if err != nil {
+		return VulnerabilityPolicy{}, err
+	}
+
+	response, err := c.requester.Request(ctx, http.MethodPost, c.vulnerabilityPoliciesURL(), payload)
+	if err != nil {
+		return VulnerabilityPolicy{}, err
+	}
+	defer func() {
+		if dErr := response.Body.Close(); dErr != nil {
+			err = fmt.Errorf("unable to close response body: %w", dErr)
+		}
+	}()
+
+	if response.StatusCode != http.StatusOK && response.StatusCode != http.StatusCreated {
+		return VulnerabilityPolicy{}, c.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[VulnerabilityPolicy](response.Body)
+}
+
+func (c *Client) GetVulnerabilityPolicyByID(ctx context.Context, vulnerabilityPolicyID string) (policy VulnerabilityPolicy, err error) {
+	response, err := c.requester.Request(ctx, http.MethodGet, c.vulnerabilityPolicyURL(vulnerabilityPolicyID), nil)
+	if err != nil {
+		return VulnerabilityPolicy{}, err
+	}
+	defer func() {
+		if dErr := response.Body.Close(); dErr != nil {
+			err = fmt.Errorf("unable to close response body: %w", dErr)
+		}
+	}()
+
+	if response.StatusCode != http.StatusOK {
+		return VulnerabilityPolicy{}, c.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[VulnerabilityPolicy](response.Body)
+}
+
+func (c *Client) UpdateVulnerabilityPolicy(ctx context.Context, vulnerabilityPolicy VulnerabilityPolicy) (policy VulnerabilityPolicy, err error) {
+	if vulnerabilityPolicy.ID == nil {
+		return VulnerabilityPolicy{}, errors.New("policy id was null")
+	}
+
+	payload, err := Marshal(vulnerabilityPolicy)
+	if err != nil {
+		return VulnerabilityPolicy{}, err
+	}
+
+	idAsStr := strconv.Itoa(int(*vulnerabilityPolicy.ID))
+	response, err := c.requester.Request(ctx, http.MethodPut, c.vulnerabilityPolicyURL(idAsStr), payload)
+	if err != nil {
+		return VulnerabilityPolicy{}, err
+	}
+	defer func() {
+		if dErr := response.Body.Close(); dErr != nil {
+			err = fmt.Errorf("unable to close response body: %w", dErr)
+		}
+	}()
+
+	if response.StatusCode != http.StatusOK {
+		return VulnerabilityPolicy{}, c.ErrorFromResponse(response)
+	}
+
+	return Unmarshal[VulnerabilityPolicy](response.Body)
+}
+
+func (c *Client) DeleteVulnerabilityPolicyByID(ctx context.Context, vulnerabilityPolicyID string) (err error) {
+	response, err := c.requester.Request(ctx, http.MethodDelete, c.vulnerabilityPolicyURL(vulnerabilityPolicyID), nil)
+	if err != nil {
+		return err
+	}
+	defer func() {
+		if dErr := response.Body.Close(); dErr != nil {
+			err = fmt.Errorf("unable to close response body: %w", dErr)
+		}
+	}()
+
+	if response.StatusCode != http.StatusNoContent && response.StatusCode != http.StatusOK {
+		return c.ErrorFromResponse(response)
+	}
+
+	return err
+}
+
+func (c *Client) vulnerabilityPoliciesURL() string {
+	return fmt.Sprintf(vulnerabilityPoliciesPath, c.config.url)
+}
+
+func (c *Client) vulnerabilityPolicyURL(vulnerabilityPolicyID string) string {
+	return fmt.Sprintf(vulnerabilityPolicyPath, c.config.url, vulnerabilityPolicyID)
+}

sysdig/internal/client/v2/vulnerability_policy_model.go

@@ -0,0 +1,23 @@
+package v2
+
+type VulnerabilityPolicy struct {
+	Bundles     []Bundle `json:"bundles"`
+	Description string   `json:"description"`
+	Name        string   `json:"name"`
+	Stages      []Stage  `json:"stages,omitempty"`
+	ID          *int32   `json:"id,omitempty"`
+	Identifier  *string  `json:"identifier,omitempty"`
+}
+
+type Bundle struct {
+	ID int64 `json:"id"`
+}
+
+type Stage struct {
+	Name          string          `json:"name"`
+	Configuration []Configuration `json:"configuration,omitempty"`
+}
+
+type Configuration struct {
+	Scope string `json:"scope"`
+}

sysdig/provider.go

@@ -199,6 +199,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 			"sysdig_secure_rule_syscall":                                  resourceSysdigSecureRuleSyscall(),
 			"sysdig_secure_team":                                          resourceSysdigSecureTeam(),
 			"sysdig_secure_vulnerability_accept_risk":                     resourceSysdigSecureVulnerabilityAcceptRisk(),
+			"sysdig_secure_vulnerability_policy":                          resourceSysdigSecureVulnerabilityPolicy(),
 			"sysdig_secure_zone":                                          resourceSysdigSecureZone(),
 		},
 		DataSourcesMap: map[string]*schema.Resource{