feat(secure): surface Falco static-analyzer warnings as Terraform Diagnostics

[ivanlysiuk-sysdig]

Summary

Adds Terraform Diagnostics for Falco static-analyzer warnings (today LOAD_NO_EVTTYPE) emitted by the Sysdig backend on sysdig_secure_rule_falco create/update. The backend has been shipping these under warnings[] on the v2 rule response for a few weeks — the provider's internal SDK just wasn't deserializing the field.

This wires it end-to-end so TF users see warnings inline in terraform apply output.

Opening as draft until the deprecation cleanup in #734 lands.

What it looks like

When applying a rule whose condition causes the backend's Falco validator to emit a perf warning:

│ Warning: Falco performance warning (LOAD_NO_EVTTYPE) on rule "my_test_rule"
│
│   with sysdig_secure_rule_falco.my_test_rule,
│   on main.tf line 12, in resource "sysdig_secure_rule_falco" "my_test_rule":
│   12: resource "sysdig_secure_rule_falco" "my_test_rule" {
│
│ Rule matches too many evt.type values. This has a significant
│ performance penalty.
│
│ Enabled in policies: my-runtime-policy
│ Agent versions: linux-14.5.2

The apply still succeeds — these are advisory, not gates. (The backend supports an opt-in performanceWarningPackGate=true query parameter for "save anyway" semantics; not wired in this PR — leaving it as a follow-up unless there's interest. The TF UX for a gate isn't obvious.)

Changes

File	Change
sysdig/internal/client/v2/model.go	Add FalcoWarning type and Warnings []FalcoWarning field on Rule. JSON shape mirrors the backend response.
sysdig/falco_warnings.go	New shared helper falcoWarningsToDiagnostics(warnings) mapping each warning to a diag.Warning with the Falco code in Summary and message + enabled-in-policies + agent-versions in Detail.
sysdig/resource_sysdig_secure_rule_falco.go	Capture rule.Warnings on Create and updatedRule.Warnings on Update; surface via the helper.

Net: +55, -9.

Backwards compatibility

Zero new required fields. Rules whose backend response carries no warnings emit zero diagnostics (helper returns nil on empty input). Existing acceptance tests are unaffected since they don't inspect Diagnostics beyond the error count.

Out of scope (deliberately)

• sysdig_secure_rule_macro and sysdig_secure_rule_list: macros + lists were de-scoped from the Falco perf warnings v1 effort on the backend side. The backend doesn't surface warnings on those endpoints, so wiring them on the TF side would be no-ops.
• Performance-warning gate (performanceWarningPackGate=true): mentioned above; defer.
• V4 endpoints: long-term follow-up.
• Acceptance test that asserts the new Diagnostics: needs a backend with a deliberately-broken rule; better landed alongside the e2e validation since the warning shape depends on the validator's emission timing.

End-to-end validation

Ran the matrix on a fresh Sysdig stack deployed with a backend image that includes the full warnings stack.

Matrix

Resource	Condition	Expected	Result
sysdig_secure_rule_falco.positive_no_evttype	proc.name=ssprod_68089_tf_test (no evt.type)	LOAD_NO_EVTTYPE Diagnostic on Create	20 LOAD_NO_EVTTYPE Warnings attached, incl. one named ssprod_68089_tf_no_evttype
sysdig_secure_rule_falco.negative_clean	spawned_process and proc.name=… (evt.type filtered via macro)	No new Diagnostics from this rule	Pass — apply clean for this resource
sysdig_secure_macro.negative_macro	trivial macro	No Diagnostics (backend descoped)	Pass — apply clean
sysdig_secure_list.negative_list	trivial list	No Diagnostics (backend descoped)	Pass — apply clean

Apply complete! Resources: 4 added, 0 changed, 0 destroyed. — apply succeeded; warnings are advisory.

Sample Diagnostic

│ Warning: Falco performance warning (LOAD_NO_EVTTYPE) on rule "ssprod_68089_tf_no_evttype"
│
│   with sysdig_secure_rule_falco.positive_no_evttype,
│   on main.tf line 33, in resource "sysdig_secure_rule_falco" "positive_no_evttype":
│   33: resource "sysdig_secure_rule_falco" "positive_no_evttype" {
│
│ Rule matches too many evt.type values. This has a significant performance
│ penalty.
│ Agent versions: linux-14.6.0

(Enabled in policies: is omitted here because the test rules aren't referenced by any policy; the enrichment populates that line whenever the rule is part of an active policy — exercised via direct backend POST against the same stack.)

Notes

• All Warnings attach to a single resource in the Diagnostics summary block — Terraform's plugin-sdk de-duplicates identical Diagnostic content emitted from multiple resource Create calls in the same apply. The validator returns the same pack-wide warning set on each rule write, so dedup attributes them to the last resource to finish creating in this graph.
• sysdig_secure_rule_{container,filesystem,network,process,syscall} weren't exercised here — they're broken end-to-end against current backends, addressed separately in fix(secure): deprecate dead rule resources (container/filesystem/network/process/syscall) #734. This PR will rebase on top of that.
• sysdig_secure_rule_stateful is intentionally not wired (stateful rules don't go through the Falco static-analyzer path; backend doesn't emit warnings for them).

Test plan

• go build ./... — clean
• go vet ./sysdig/... — clean
• End-to-end on a current Sysdig backend (see matrix above)
• Negative rule (spawned_process filter) → no Diagnostics on that resource
• Update path on the positive rule → same Diagnostic shape echoed back (via direct backend curl)

🤖 Generated with Claude Code