feat(secure-vm): implement sysdig_secure_accept_vulnerability_risk resource (#579)

* chore(nix): add flake for reproducible development environment

* build: update project to go 1.23

* fix: solve vulnerabilities by upgrading deps

Solved the following vulnerabilities:
- GO-2024-2947
- GO-2024-2687
- GO-2024-2611
- GO-2023-2153

* feat: implement sysdig_secure_accept_vulnerability_risk resource

* build(nix): add package and app to bundle terraform with the provider

* build(nix): add devshell to be able to launch a local dev shell from remote/local code

* build(nix): use 1.0.0-local version in the nix package

* fix: use correct format for expiration_date

* fix(lint): solve linter problems

* chore(build): downgrade dependencies from sysdig that break the tests

* fix(lint): adjust drift in lint options from makefile to gh actions

* ci: reenable go:build flag for tf_acc_sysdig_secure

* fix(ci): use the api.us1.sysdig.com url in case of secure.sysdig.com

* docs: add doc for sysdig_secure_vulnerability_accept_risk

* fix(ci): restore or remove env var from tests

* ci: add more dependencies to check target

* chore: update flake dependencies to update terraform to 1.10

* fix(docs): correct example of hostname_contains

* docs: clarify that image wildcard can only be used at the beginning or the end

* docs: rename opt args to context args and clarify they are not fully optional

* Update website/docs/r/secure_vulnerability_accept_risk.md

Co-authored-by: Alvaro Iradier <[email protected]>

* Update website/docs/r/secure_vulnerability_accept_risk.md

Co-authored-by: Alvaro Iradier <[email protected]>

* fix(docs): add again the rule risk acceptance

* ci: remove hacky way to make tests pass in us1

---------

Co-authored-by: Alvaro Iradier <[email protected]>

Author: tembleking

go.mod

@@ -1,12 +1,14 @@
 module github.com/draios/terraform-provider-sysdig
 
-go 1.19
+go 1.23
+
+toolchain go1.23.3
 
 require (
 	github.com/Jeffail/gabs/v2 v2.7.0
 	github.com/aws/aws-sdk-go v1.44.284
 	github.com/hashicorp/go-cty v1.4.1-0.20200414143053-d3edf31b6320
-	github.com/hashicorp/go-retryablehttp v0.7.4
+	github.com/hashicorp/go-retryablehttp v0.7.7
 	github.com/hashicorp/terraform-plugin-log v0.8.0
 	github.com/hashicorp/terraform-plugin-sdk/v2 v2.26.1
 	github.com/jmespath/go-jmespath v0.4.0
@@ -15,7 +17,7 @@ require (
 	github.com/spf13/cast v1.5.1
 	github.com/stretchr/testify v1.8.4
 	github.com/sysdiglabs/agent-kilt/runtimes/cloudformation v0.0.0-20240201123620-2272de6dee9f
-	google.golang.org/protobuf v1.30.0
+	google.golang.org/protobuf v1.36.0
 )
 
 require (
@@ -27,15 +29,15 @@ require (
 	github.com/docker/distribution v2.8.2+incompatible // indirect
 	github.com/docker/docker v24.0.2+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.7.0 // indirect
-	github.com/fatih/color v1.13.0 // indirect
+	github.com/fatih/color v1.16.0 // indirect
 	github.com/go-akka/configuration v0.0.0-20200606091224-a002c0330665 // indirect
-	github.com/golang/protobuf v1.5.3 // indirect
-	github.com/google/go-cmp v0.5.9 // indirect
+	github.com/golang/protobuf v1.5.4 // indirect
+	github.com/google/go-cmp v0.6.0 // indirect
 	github.com/google/go-containerregistry v0.15.2 // indirect
 	github.com/hashicorp/errwrap v1.0.0 // indirect
 	github.com/hashicorp/go-checkpoint v0.5.0 // indirect
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
-	github.com/hashicorp/go-hclog v1.4.0 // indirect
+	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
 	github.com/hashicorp/go-plugin v1.4.8 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
@@ -51,7 +53,7 @@ require (
 	github.com/hashicorp/yamux v0.0.0-20181012175058-2f1d1f20f75d // indirect
 	github.com/klauspost/compress v1.16.6 // indirect
 	github.com/mattn/go-colorable v0.1.13 // indirect
-	github.com/mattn/go-isatty v0.0.19 // indirect
+	github.com/mattn/go-isatty v0.0.20 // indirect
 	github.com/mitchellh/copystructure v1.2.0 // indirect
 	github.com/mitchellh/go-homedir v1.1.0 // indirect
 	github.com/mitchellh/go-testing-interface v1.14.1 // indirect
@@ -69,14 +71,14 @@ require (
 	github.com/vmihailenco/msgpack/v4 v4.3.12 // indirect
 	github.com/vmihailenco/tagparser v0.1.1 // indirect
 	github.com/zclconf/go-cty v1.13.2 // indirect
-	golang.org/x/crypto v0.7.0 // indirect
-	golang.org/x/mod v0.10.0 // indirect
-	golang.org/x/net v0.9.0 // indirect
-	golang.org/x/sync v0.3.0 // indirect
-	golang.org/x/sys v0.14.0 // indirect
-	golang.org/x/text v0.9.0 // indirect
+	golang.org/x/crypto v0.31.0 // indirect
+	golang.org/x/mod v0.17.0 // indirect
+	golang.org/x/net v0.33.0 // indirect
+	golang.org/x/sync v0.10.0 // indirect
+	golang.org/x/sys v0.28.0 // indirect
+	golang.org/x/text v0.21.0 // indirect
 	google.golang.org/appengine v1.6.7 // indirect
-	google.golang.org/genproto v0.0.0-20221207170731-23e4bf6bdc37 // indirect
-	google.golang.org/grpc v1.51.0 // indirect
+	google.golang.org/genproto/googleapis/rpc v0.0.0-20241216192217-9240e9c98484 // indirect
+	google.golang.org/grpc v1.69.2 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -59,6 +59,7 @@ type SecureCommon interface {
 	PostureZoneInterface
 	PostureControlInterface
 	PostureAcceptRiskInterface
+	PostureVulnerabilityAcceptRiskInterface
 }
 
 type Requester interface {

sysdig/internal/client/v2/client.go

@@ -0,0 +1,98 @@
+package v2
+
+import (
+	"fmt"
+	"time"
+)
+
+type (
+	EntityType  string
+	ReasonType  string
+	StatusType  string
+	StageType   string
+	ContextType string
+)
+
+const (
+	EntityTypeImageName         EntityType = "imageName"
+	EntityTypeImagePrefix       EntityType = "imagePrefix"
+	EntityTypeImageSuffix       EntityType = "imageSuffix"
+	EntityTypeImageNameContains EntityType = "imageNameContains"
+	EntityTypeVulnerability     EntityType = "vulnerability"
+	EntityTypeHostName          EntityType = "hostName"
+	EntityTypeHostNameContains  EntityType = "hostNameContains"
+	EntityTypePolicyRule        EntityType = "policyRule"
+)
+
+const (
+	ReasonRiskTransferred ReasonType = "RiskTransferred"
+	ReasonRiskAvoided     ReasonType = "RiskAvoided"
+	ReasonRiskMitigated   ReasonType = "RiskMitigated"
+	ReasonRiskOwned       ReasonType = "RiskOwned"
+	ReasonRiskNotRelevant ReasonType = "RiskNotRelevant"
+	ReasonCustom          ReasonType = "Custom"
+)
+
+func ReasonTypeFromString(value string) (ReasonType, error) {
+	t := ReasonType(value)
+	switch t {
+	case ReasonRiskTransferred, ReasonRiskAvoided, ReasonRiskMitigated, ReasonRiskOwned, ReasonRiskNotRelevant, ReasonCustom:
+		return t, nil
+	default:
+		return "", fmt.Errorf("unsupported reason type: %s", value)
+	}
+}
+
+const (
+	StatusActive  StatusType = "active"
+	StatusExpired StatusType = "expired"
+)
+
+const (
+	ContextTypeImageName         ContextType = "imageName"
+	ContextTypeImagePrefix       ContextType = "imagePrefix"
+	ContextTypeImageSuffix       ContextType = "imageSuffix"
+	ContextTypeImageNameContains ContextType = "imageNameContains"
+	ContextTypeHostName          ContextType = "hostName"
+	ContextTypeHostNameContains  ContextType = "hostNameContains"
+	ContextTypePackageName       ContextType = "packageName"
+	ContextTypePackageVersion    ContextType = "packageVersion"
+)
+
+type AcceptVulnerabilityRiskRequest struct {
+	EntityType     EntityType                       `json:"entityType"`
+	EntityValue    string                           `json:"entityValue"`
+	Reason         ReasonType                       `json:"reason"`
+	Description    string                           `json:"description"`
+	ExpirationDate string                           `json:"expirationDate,omitempty"`
+	Context        []AcceptVulnerabilityRiskContext `json:"context"`
+	Stages         []StageType                      `json:"stages,omitempty"`
+}
+
+type UpdateAcceptVulnerabilityRiskRequest struct {
+	ID             string     `json:"id"`
+	ExpirationDate string     `json:"expirationDate,omitempty"`
+	Reason         ReasonType `json:"reason"`
+	Description    string     `json:"description"`
+}
+
+type AcceptVulnerabilityRisk struct {
+	ID             string                           `json:"id"`
+	EntityType     EntityType                       `json:"entityType"`
+	EntityValue    string                           `json:"entityValue"`
+	Reason         ReasonType                       `json:"reason"`
+	Description    string                           `json:"description"`
+	ExpirationDate string                           `json:"expirationDate,omitempty"`
+	Status         StatusType                       `json:"status"`
+	CreatedAt      time.Time                        `json:"createdAt,omitempty"`
+	UpdatedAt      time.Time                        `json:"updatedAt,omitempty"`
+	CreatedBy      string                           `json:"createdBy,omitempty"`
+	UpdatedBy      string                           `json:"updatedBy,omitempty"`
+	Context        []AcceptVulnerabilityRiskContext `json:"context"`
+	Stages         []StageType                      `json:"stages,omitempty"`
+}
+
+type AcceptVulnerabilityRiskContext struct {
+	ContextType  ContextType `json:"contextType"`
+	ContextValue string      `json:"contextValue"`
+}

sysdig/internal/client/v2/model_vulnerability_control.go

@@ -0,0 +1,104 @@
+package v2
+
+import (
+	"context"
+	"fmt"
+	"net/http"
+)
+
+type PostureVulnerabilityAcceptRiskInterface interface {
+	Base
+
+	SaveAcceptVulnerabilityRisk(ctx context.Context, p *AcceptVulnerabilityRiskRequest) (*AcceptVulnerabilityRisk, int, error)
+	GetAcceptanceVulnerabilityRisk(ctx context.Context, id string) (*AcceptVulnerabilityRisk, int, error)
+	DeleteAcceptanceVulnerabilityRisk(ctx context.Context, id string) error
+	UpdateAcceptanceVulnerabilityRisk(ctx context.Context, p *UpdateAcceptVulnerabilityRiskRequest) (*AcceptVulnerabilityRisk, int, error)
+}
+
+const (
+	AcceptVulnerabilityRiskCreatePath = "%s/secure/vulnerability/v1beta1/accepted-risks"
+	AcceptVulnerabilityRiskGetPath    = "%s/secure/vulnerability/v1beta1/accepted-risks/%s"
+	AcceptVulnerabilityRiskDeletePath = "%s/secure/vulnerability/v1beta1/accepted-risks/%s"
+	AcceptVulnerabilityRiskUpdatePath = "%s/secure/vulnerability/v1beta1/accepted-risks/%s"
+)
+
+func (c *Client) SaveAcceptVulnerabilityRisk(ctx context.Context, p *AcceptVulnerabilityRiskRequest) (*AcceptVulnerabilityRisk, int, error) {
+	payload, err := Marshal(p)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	response, err := c.requester.Request(ctx, http.MethodPost, fmt.Sprintf(AcceptVulnerabilityRiskCreatePath, c.config.url), payload)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusCreated {
+		return nil, response.StatusCode, c.ErrorFromResponse(response)
+	}
+
+	resp, err := Unmarshal[AcceptVulnerabilityRisk](response.Body)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return &resp, 0, nil
+}
+
+func (c *Client) GetAcceptanceVulnerabilityRisk(ctx context.Context, id string) (*AcceptVulnerabilityRisk, int, error) {
+	response, err := c.requester.Request(ctx, http.MethodGet, fmt.Sprintf(AcceptVulnerabilityRiskGetPath, c.config.url, id), nil)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return nil, response.StatusCode, c.ErrorFromResponse(response)
+	}
+
+	resp, err := Unmarshal[AcceptVulnerabilityRisk](response.Body)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return &resp, 0, nil
+}
+
+func (c *Client) DeleteAcceptanceVulnerabilityRisk(ctx context.Context, id string) error {
+	response, err := c.requester.Request(ctx, http.MethodDelete, fmt.Sprintf(AcceptVulnerabilityRiskDeletePath, c.config.url, id), nil)
+	if err != nil {
+		return err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusNoContent {
+		return c.ErrorFromResponse(response)
+	}
+
+	return nil
+}
+
+func (c *Client) UpdateAcceptanceVulnerabilityRisk(ctx context.Context, p *UpdateAcceptVulnerabilityRiskRequest) (*AcceptVulnerabilityRisk, int, error) {
+	payload, err := Marshal(p)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	response, err := c.requester.Request(ctx, http.MethodPut, fmt.Sprintf(AcceptVulnerabilityRiskUpdatePath, c.config.url, p.ID), payload)
+	if err != nil {
+		return nil, 0, err
+	}
+	defer response.Body.Close()
+
+	if response.StatusCode != http.StatusOK {
+		return nil, response.StatusCode, c.ErrorFromResponse(response)
+	}
+
+	resp, err := Unmarshal[AcceptVulnerabilityRisk](response.Body)
+	if err != nil {
+		return nil, 0, err
+	}
+
+	return &resp, 0, nil
+}

sysdig/internal/client/v2/vulnerability_accept_risk.go

@@ -197,6 +197,7 @@ func (p *SysdigProvider) Provider() *schema.Provider {
 			"sysdig_secure_posture_policy":                                 resourceSysdigSecurePosturePolicy(),
 			"sysdig_secure_posture_control":                                resourceSysdigSecurePostureControl(),
 			"sysdig_secure_posture_accept_risk":                            resourceSysdigSecureAcceptPostureRisk(),
+			"sysdig_secure_vulnerability_accept_risk":                      resourceSysdigSecureVulnerabilityAcceptRisk(),
 		},
 		DataSourcesMap: map[string]*schema.Resource{
 			"sysdig_secure_agentless_scanning_assets":                     dataSourceSysdigSecureAgentlessScanningAssets(),