feat(vulnerability-policy): add admission control stage

Author: tembleking

sysdig/internal/client/v2/vulnerability_policy_model.go

@@ -19,5 +19,7 @@ type Stage struct {
 }
 
 type Configuration struct {
-	Scope string `json:"scope"`
+	Scope              string `json:"scope"`
+	Behaviour          string `json:"behaviour,omitempty"`
+	UnknownImageAction string `json:"unknownImageAction,omitempty"`
 }

sysdig/resource_sysdig_secure_vulnerability_policy.go

@@ -67,6 +67,7 @@ func resourceSysdigSecureVulnerabilityPolicy() *schema.Resource {
 									"pipeline",
 									"registry",
 									"runtime",
+									"admission_control",
 								}, false)),
 						},
 						"configuration": {
@@ -79,6 +80,18 @@ func resourceSysdigSecureVulnerabilityPolicy() *schema.Resource {
 										Required:    true,
 										Description: "Scope expression for this stage",
 									},
+									"failure_action": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										Description:  "Required for `admission_control` stage only. Policy Failure Action. What should happen if the policy fails (aka: there's a rule vioation)",
+										ValidateFunc: validation.StringInSlice([]string{"reject", "warn"}, false),
+									},
+									"unknown_image_action": {
+										Type:         schema.TypeString,
+										Optional:     true,
+										Description:  "Required for `admission_control` stage only. Unknown Image Action. What should happen if the image is unknown.",
+										ValidateFunc: validation.StringInSlice([]string{"reject", "rejectAndScan", "warn"}, false),
+									},
 								},
 							},
 						},
@@ -193,6 +206,14 @@ func vulnerabilityPolicyStagesToMap(policyStages []v2.Stage) []map[string]any {
 			newConfig := map[string]any{
 				"scope": stageconfig.Scope,
 			}
+
+			if stageconfig.Behaviour != "" {
+				newConfig["failure_action"] = stageconfig.Behaviour
+			}
+
+			if stageconfig.UnknownImageAction != "" {
+				newConfig["unknown_image_action"] = stageconfig.UnknownImageAction
+			}
 			configsMap = append(configsMap, newConfig)
 		}
 
@@ -297,7 +318,11 @@ func vulnerabilityPolicyConfigsFromSet(set *schema.Set) []v2.Configuration {
 	for _, raw := range set.List() {
 		rawMap := raw.(map[string]any)
 
-		out = append(out, v2.Configuration{Scope: rawMap["scope"].(string)})
+		out = append(out, v2.Configuration{
+			Scope:              rawMap["scope"].(string),
+			Behaviour:          rawMap["failure_action"].(string),
+			UnknownImageAction: rawMap["unknown_image_action"].(string),
+		})
 	}
 
 	return out

sysdig/resource_sysdig_secure_vulnerability_policy_test.go

@@ -34,7 +34,7 @@ func TestAccVulnerabilityPolicy(t *testing.T) {
 				Check: resource.ComposeTestCheckFunc(
 					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "bundles.#", "2"),
 					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "bundles.0", "1"),
-					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "stages.#", "3"),
+					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_policy.sample", "stages.#", "4"),
 				),
 			},
 			{
@@ -90,6 +90,14 @@ resource "sysdig_secure_vulnerability_policy" "sample" {
       scope = "agent.tag.cluster = \"my-cluster\""
     }
   }
+  stages {
+  	name = "admission_control"
+  	configuration {
+      scope = "agent.tag.cluster = \"my-cluster\""
+      failure_action = "reject"
+      unknown_image_action = "rejectAndScan"
+    }
+  }
 }
 `, suffix, suffix, suffix)
 }