You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
It’s unclear how to add an exception to an existing Falco rule using the Sysdig Terraform provider. Currently, it seems that to add an exception to an existing Falco rule (e.g., "Delete DB Snapshot"), I need to create a new copy of the rule from scratch and then add the exception.
This process requires copying every field from the existing rule, which can lead to redundancy and makes it difficult to maintain parity with the rule updates provided by Sysdig. To simplify this, I attempted to use the sysdig_secure_rule_falcodata source to extract the values from the existing rule and avoid hard-coding them.
Here's an example:
resource"sysdig_secure_rule_falco""aws_db_snapshot_deleted" {
name="AWS Delete DB Snapshot"description=data.sysdig_secure_rule_falco.delete_db_snapshot.descriptiontags=data.sysdig_secure_rule_falco.delete_db_snapshot.tags# Using the condition and output from the existing rulecondition=data.sysdig_secure_rule_falco.delete_db_snapshot.conditionoutput=data.sysdig_secure_rule_falco.delete_db_snapshot.output# The priority field needs conversion to lowercase as Terraform fails with uppercasepriority=lower(data.sysdig_secure_rule_falco.delete_db_snapshot.priority)
source=data.sysdig_secure_rule_falco.delete_db_snapshot.source# Attempting to copy the exceptions block dynamically# it doesn't work, values return `null`dynamic"exceptions" {
for_each=data.sysdig_secure_rule_falco.delete_db_snapshot.exceptionscontent {
name=exceptions.value.namefields=exceptions.value.fieldscomps=exceptions.value.compsvalues=exceptions.value.values
}
}
}
data"sysdig_secure_rule_falco""delete_db_snapshot" {
name="Delete DB Snapshot"
}
While this works for copying most of the rule's fields, I could not find a way to properly copy and reuse the exceptions block. This means I need to recreate the rule entirely, which feels cumbersome and counterintuitive.
Proposed Improvement
I suggest allowing exceptions to be managed as individual resources within the Terraform provider. This would enable referencing existing rules directly and appending or modifying their exceptions without duplicating the rule itself.
Advantages of This Approach
Avoid redundancy: No need to recreate an entire Falco rule just to add exceptions.
Seamless updates: Rules remain managed by the Sysdig team, so updates to rules propagate automatically without additional effort on our part.
Cleaner code: Terraform code becomes simpler and easier to maintain, focusing only on the customizations (like exceptions) instead of duplicating and managing entire rules.
Example Usage
Here's how I envision managing exceptions as separate resources:
I don't know how feasible is to add single rule exceptions as resources in the terraform provider. The main reason is that the API does not support single exception creation throw API calls, they are added to existing rules. Terraform expects that each managed resource has CRUD endpoints to manage its lifetime.
Description
It’s unclear how to add an exception to an existing Falco rule using the Sysdig Terraform provider. Currently, it seems that to add an exception to an existing Falco rule (e.g., "Delete DB Snapshot"), I need to create a new copy of the rule from scratch and then add the exception.
This process requires copying every field from the existing rule, which can lead to redundancy and makes it difficult to maintain parity with the rule updates provided by Sysdig. To simplify this, I attempted to use the sysdig_secure_rule_falco data source to extract the values from the existing rule and avoid hard-coding them.
Here's an example:
While this works for copying most of the rule's fields, I could not find a way to properly copy and reuse the exceptions block. This means I need to recreate the rule entirely, which feels cumbersome and counterintuitive.
Proposed Improvement
I suggest allowing exceptions to be managed as individual resources within the Terraform provider. This would enable referencing existing rules directly and appending or modifying their exceptions without duplicating the rule itself.
Advantages of This Approach
Example Usage
Here's how I envision managing exceptions as separate resources:
This would:
Questions
Let me know if additional details or clarifications are needed! Thank you!
The text was updated successfully, but these errors were encountered: