From b6c902e4effb609033a0019764959c02c05c0ff2 Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Wed, 5 Nov 2025 12:29:49 +0100
Subject: [PATCH 1/2] feat(vulnerability-policy): add admission control stage

---
 .../client/v2/vulnerability_policy_model.go   |  4 ++-
 ...urce_sysdig_secure_vulnerability_policy.go | 27 ++++++++++++++++++-
 ...sysdig_secure_vulnerability_policy_test.go | 10 ++++++-
 3 files changed, 38 insertions(+), 3 deletions(-)

diff --git a/sysdig/internal/client/v2/vulnerability_policy_model.go b/sysdig/internal/client/v2/vulnerability_policy_model.go
index dffbaa38..20b30ad6 100644
--- a/sysdig/internal/client/v2/vulnerability_policy_model.go
+++ b/sysdig/internal/client/v2/vulnerability_policy_model.go
@@ -19,5 +19,7 @@ type Stage struct {
 }
 
 type Configuration struct {
-	Scope string `json:"scope"`
+	Scope              string `json:"scope"`
+	Behaviour          string `json:"behaviour,omitempty"`
+	UnknownImageAction string `json:"unknownImageAction,omitempty"`
 }
diff --git a/sysdig/resource_sysdig_secure_vulnerability_policy.go b/sysdig/resource_sysdig_secure_vulnerability_policy.go
index af2d7f4d..0916fce7 100644
--- a/sysdig/resource_sysdig_secure_vulnerability_policy.go
+++ b/sysdig/resource_sysdig_secure_vulnerability_policy.go
@@ -67,6 +67,7 @@ func resourceSysdigSecureVulnerabilityPolicy() *schema.Resource {
 					"pipeline",
 					"registry",
 					"runtime",
+					"admission_control",
 				}, false)),
 			},
 			"configuration": {
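Review bot: The two new `Configuration` fields carry no comment, and their JSON names do not match the Terraform attributes they back (`behaviour` is exposed as `failure_action`), so the mapping is only discoverable by reading the resource file. I would add `// Behaviour is the admission-control policy failure action ("reject" or "warn"); exposed in Terraform as failure_action.` above `Behaviour` and `// UnknownImageAction is the admission-control action taken when the image is unknown ("reject", "rejectAndScan" or "warn"); exposed as unknown_image_action.` above `UnknownImageAction`, each noting that the field is only meaningful on an `admission_control` stage. It is also worth stating in those comments that the `omitempty` tags are what keep request bodies for existing pipeline/registry/runtime stages byte-identical, since that is the backward-compatibility guarantee this change relies on.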
@@ -79,6 +80,18 @@ func resourceSysdigSecureVulnerabilityPolicy() *schema.Resource {
 							Required:    true,
 							Description: "Scope expression for this stage",
 						},
+						"failure_action": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Description:  "Required for `admission_control` stage only. Policy Failure Action. What should happen if the policy fails (aka: there's a rule vioation)",
+							ValidateFunc: validation.StringInSlice([]string{"reject", "warn"}, false),
+						},
+						"unknown_image_action": {
+							Type:         schema.TypeString,
+							Optional:     true,
+							Description:  "Required for `admission_control` stage only. Unknown Image Action. What should happen if the image is unknown.",
+							ValidateFunc: validation.StringInSlice([]string{"reject", "rejectAndScan", "warn"}, false),
+						},
 					},
 				},
 			},
@@ -193,6 +206,14 @@ func vulnerabilityPolicyStagesToMap(policyStages []v2.Stage) []map[string]any {
 			newConfig := map[string]any{
 				"scope": stageconfig.Scope,
 			}
+
+			if stageconfig.Behaviour != "" {
+				newConfig["failure_action"] = stageconfig.Behaviour
+			}
+
+			if stageconfig.UnknownImageAction != "" {
+				newConfig["unknown_image_action"] = stageconfig.UnknownImageAction
+			}
 			configsMap = append(configsMap, newConfig)
 		}
 
@@ -297,7 +318,11 @@ func vulnerabilityPolicyConfigsFromSet(set *schema.Set) []v2.Configuration {
 
 	for _, raw := range set.List() {
 		rawMap := raw.(map[string]any)
-		out = append(out, v2.Configuration{Scope: rawMap["scope"].(string)})
+		out = append(out, v2.Configuration{
+			Scope:              rawMap["scope"].(string),
+			Behaviour:          rawMap["failure_action"].(string),
+			UnknownImageAction: rawMap["unknown_image_action"].(string),
+		})
 	}
 
 	return out
diff --git a/sysdig/resource_sysdig_secure_vulnerability_policy_test.go b/sysdig/resource_sysdig_secure_vulnerability_policy_test.go
index 2fbad888..817f1c87 100644
--- a/sysdig/resource_sysdig_secure_vulnerability_policy_test.go
+++ b/sysdig/resource_sysdig_secure_vulnerability_policy_test.go
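Review bot: Nothing enforces the "Required for `admission_control` stage only" contract that the two new Descriptions state: both attributes are `Optional` with no cross-field check, so an `admission_control` stage can be applied with neither action set and the enforcement behaviour then falls to whatever default the backend applies (presumably not `reject`, which would make the admission controller silently fail open), while a pipeline/registry/runtime stage can carry actions the backend may ignore or reject. A `CustomizeDiff` on the resource can reject both cases at plan time; a sketch follows, written on the assumption that `stages` is a set like `configuration` is (if it is a `TypeList`, the `.(*schema.Set).List()` on it becomes `.([]any)`). Separately, "vioation" in the `failure_action` Description should read "violation". The enclosing `resourceSysdigSecureVulnerabilityPolicy` schema starts before and ends after this hunk.

```go
// in resourceSysdigSecureVulnerabilityPolicy():
//   CustomizeDiff: validateAdmissionControlActions,

// validateAdmissionControlActions enforces the per-stage contract the schema
// Descriptions only state: admission_control stages must set both actions,
// every other stage must set neither.
func validateAdmissionControlActions(_ context.Context, d *schema.ResourceDiff, _ any) error {
	for _, rawStage := range d.Get("stages").(*schema.Set).List() {
		stage := rawStage.(map[string]any)
		name, _ := stage["name"].(string)
		isAdmission := name == "admission_control"
		for _, rawCfg := range stage["configuration"].(*schema.Set).List() {
			cfg := rawCfg.(map[string]any)
			failureAction, _ := cfg["failure_action"].(string)
			unknownImageAction, _ := cfg["unknown_image_action"].(string)
			if isAdmission && (failureAction == "" || unknownImageAction == "") {
				return fmt.Errorf("stage %q: failure_action and unknown_image_action are required", name)
			}
			if !isAdmission && (failureAction != "" || unknownImageAction != "") {
				return fmt.Errorf("stage %q: failure_action and unknown_image_action are only valid for admission_control", name)
			}
		}
	}
	return nil
}
```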
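Review bot: `rawMap["failure_action"].(string)` and `rawMap["unknown_image_action"].(string)` in `vulnerabilityPolicyConfigsFromSet` are unchecked type assertions on keys that are new to the schema; the SDK normally fills nested set elements with zero values so they should hold today, but if either key is ever absent the provider panics instead of returning an error. The comma-ok form costs nothing and makes "absent is the same as empty" explicit: `failureAction, _ := rawMap["failure_action"].(string)` and `unknownImageAction, _ := rawMap["unknown_image_action"].(string)`, then use those in the literal. Because the model tags both fields `omitempty`, an empty string is dropped from the request, so this keeps non-admission stages' payloads unchanged. The start of `vulnerabilityPolicyConfigsFromSet`, where `out` is declared, lies before this hunk.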
@@ -34,7 +34,7 @@ func TestAccVulnerabilityPolicy(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "bundles.#", "2"),
 					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "bundles.0", "1"),
-					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "stages.#", "3"),
+					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "stages.#", "4"),
 				),
 			},
 			{
@@ -90,6 +90,14 @@ resource "sysdig_secure_vulnerability_policy" "sample" {
       scope = "agent.tag.cluster = \"my-cluster\""
     }
   }
+  stages {
+    name = "admission_control"
+    configuration {
+      scope                = "agent.tag.cluster = \"my-cluster\""
+      failure_action       = "reject"
+      unknown_image_action = "rejectAndScan"
+    }
+  }
 }
 `, suffix, suffix, suffix)
 }

From b397eabe4832cccd4e770e4a76f5464014984206 Mon Sep 17 00:00:00 2001
From: Fede Barcelona
Date: Wed, 5 Nov 2025 12:35:46 +0100
Subject: [PATCH 2/2] docs(vulnerability-policy): add admission control stage documentation

---
 website/docs/r/secure_vulnerability_policy.md | 13 ++++++++++++-
 1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/website/docs/r/secure_vulnerability_policy.md b/website/docs/r/secure_vulnerability_policy.md
index 52c7a27f..4b096e3e 100644
--- a/website/docs/r/secure_vulnerability_policy.md
+++ b/website/docs/r/secure_vulnerability_policy.md
@@ -26,6 +26,15 @@ resource "sysdig_secure_vulnerability_policy" "vulnerability_policy_example" {
       scope = "container.image != ''"
     }
   }
+
+  stages {
+    name = "admission_control"
+    configuration {
+      scope                = "kubernetes.cluster.name = 'my-cluster'"
+      failure_action       = "reject"
+      unknown_image_action = "rejectAndScan"
+    }
+  }
 }
 ```
 
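Review bot: The new `admission_control` stage in the test config is only covered by the `stages.#` count bumped in the earlier hunk; nothing asserts that `failure_action = "reject"` and `unknown_image_action = "rejectAndScan"` survive the create/read round-trip, which is exactly the path this PR adds (the `Behaviour` ↔ `failure_action` renaming on the way in and out). I would add a check such as `resource.TestCheckTypeSetElemNestedAttrs("sysdig_secure_vulnerability_policy.sample", "stages.*", map[string]string{"name": "admission_control"})` plus an attribute check on the configuration's `failure_action` and `unknown_image_action` (the exact state path depends on whether `stages` and `configuration` are sets or lists, which these hunks do not show). A further step that applies an `admission_control` stage without `failure_action` would also pin down what the provider does when the "required for admission_control" rule in the schema description is not met. Both `TestAccVulnerabilityPolicy` and the config helper extend beyond these hunks.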
@@ -38,12 +47,14 @@ resource "sysdig_secure_vulnerability_policy" "vulnerability_policy_example" {
 
 ### Stages block
 
-* `name` - (Required) Must be one of `pipeline`, `registry`, or `runtime`.
+* `name` - (Required) Must be one of `pipeline`, `registry`, `runtime`, or `admission_control`.
 * `configuration` - (Optional) Configuration block for the stage. If no configuration is provided, it will apply to any workload in this stage.
 
 ### Configuration block
 
 * `scope` - (Required) Scope expression defining the stage applicability.
+* `failure_action` - (Optional) Required for `admission_control` stage only. Policy Failure Action. What should happen if the policy fails (aka: there's a rule vioation). Must be one of `reject` or `warn`.
+* `unknown_image_action` - (Optional) Required for `admission_control` stage only. Unknown Image Action. What should happen if the image is unknown. Must be one of `reject`, `rejectAndScan`, or `warn`.
 
 ## Attributes Reference
 