fix(secure): deprecate dead rule resources (container/filesystem/network/process/syscall)#734

Open
ivanlysiuk-sysdig wants to merge 2 commits into master from ivanlysiuk/SSPROD-68481-deprecate-dead-rule-resources

Conversation

@ivanlysiuk-sysdig ivanlysiuk-sysdig commented May 21, 2026

Summary

Five sub-type rule resources and their matching data sources — sysdig_secure_rule_container, _filesystem, _network, _process, _syscall — are broken end-to-end against current Sysdig backends. Their Create/Update calls hit POST /api/secure/rules with ruleType values (CONTAINER, FILESYSTEM, NETWORK, PROCESS, SYSCALL) that the backend stopped accepting when list-matching policy code was removed. The endpoint returns HTTP 400 "unknown ruleType: <type>".

This adds Schema.DeprecationMessage on the resource and data source definitions so users see a clear terraform plan/apply-time warning pointing them at sysdig_secure_rule_falco.

Repro

Against a fresh Sysdig stack:

    $ curl -X POST .../api/secure/rules \
        -d '{"details":{"ruleType":"CONTAINER",...}}'
    HTTP 400: "The field details has an unknown ruleType: CONTAINER"

Same for FILESYSTEM / NETWORK / PROCESS / SYSCALL.

The modern backend rule unmarshaller only accepts: FALCO, DRIFT, MACHINE_LEARNING, AWS_MACHINE_LEARNING, MALWARE, OKTA_MACHINE_LEARNING, FIM.

Changes

| File | Change |
| --- | --- |
| sysdig/resource_sysdig_secure_rule_{container,filesystem,network,process,syscall}.go | Add DeprecationMessage on the returned schema.Resource. |
| sysdig/data_source_sysdig_secure_rule_{container,filesystem,network,process,syscall}.go | Same on the data source. |

Net: +35, -25. Pure metadata change — no behavior change beyond Terraform surfacing the deprecation banner.

What users see

When sysdig_secure_rule_container (etc.) appears in a config:

Warning: Argument is deprecated
  with sysdig_secure_rule_container.foo,
  on main.tf line 12, in resource "sysdig_secure_rule_container" "foo":

sysdig_secure_rule_container is deprecated and no longer functional
against current Sysdig backends — the backend rejects ruleType CONTAINER.
Migrate to sysdig_secure_rule_falco with an equivalent Falco condition.

Why not remove

Outright removal would be a breaking change for anyone with these resources in state (terraform plan would error out before they can migrate). Deprecation now warns users; a follow-up at a major-version bump can remove them.

Why not restore backend support

The structured ruleTypes were tied to the (now-removed) list-matching code path. Re-introducing them would resurrect that surface. Out of scope.

Test plan

  • go build ./... — clean
  • go vet ./sysdig/... — clean
  • gofmt -l sysdig/... — clean
  • Confirmed the 400 reproduction against a current Sysdig backend

🤖 Generated with Claude Code
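A pre-upgrade check for the five deprecated resource types described above, added here as an example; it is not part of this PR or of the provider's own code. It assumes a line-oriented regex pass over .tf text is enough to find block headers (no HCL parser), and the sample config is constructed.

```go
package main

import "fmt"
import "regexp"
import "strings"

// Deprecated sub-type resources and the ruleType each one sends to /api/secure/rules.
var deprecatedRuleTypes = map[string]string{
	"sysdig_secure_rule_container": "CONTAINER", "sysdig_secure_rule_filesystem": "FILESYSTEM",
	"sysdig_secure_rule_network": "NETWORK", "sysdig_secure_rule_process": "PROCESS",
	"sysdig_secure_rule_syscall": "SYSCALL",
}

type Finding struct {
	File, Block, Type, Name, RuleType string
	Line                              int // 1-based, as in Terraform's banner
}

// blockHeader matches `resource "type" "name" {` and `data "type" "name" {`.
var blockHeader = regexp.MustCompile(`^\s*(resource|data)\s+"([a-z0-9_]+)"\s+"([A-Za-z0-9_-]+)"\s*\{`)

// ScanTF is a regex pass (assumption: no full HCL parser) reporting block headers the backend no longer accepts.
func ScanTF(filename, src string) []Finding {
	var out []Finding
	for n, line := range strings.Split(src, "\n") {
		if m := blockHeader.FindStringSubmatch(line); m != nil {
			if rt, ok := deprecatedRuleTypes[m[2]]; ok {
				out = append(out, Finding{filename, m[1], m[2], m[3], rt, n + 1})
			}
		}
	}
	return out
}

// Warning renders the finding in the shape of the plan-time deprecation banner.
func (f Finding) Warning() string {
	return fmt.Sprintf("%s line %d: %s %q %q is deprecated (backend rejects ruleType %s); migrate to sysdig_secure_rule_falco",
		f.File, f.Line, f.Block, f.Type, f.Name, f.RuleType)
}

// SampleTF is a constructed config (not from the PR): one valid block, two dead ones.
const SampleTF = "resource \"sysdig_secure_rule_falco\" \"ok\" {\n  name = \"fine\"\n}\n\n" +
	"resource \"sysdig_secure_rule_container\" \"foo\" {\n  name = \"dead\"\n}\n\n" +
	"data \"sysdig_secure_rule_process\" \"bar\" {\n  name = \"dead too\"\n}\n"

func main() {
	for _, f := range ScanTF("main.tf", SampleTF) {
		fmt.Println(f.Warning())
	}
}
```

Run against each .tf file before upgrading the provider; the falco block in the sample is left alone while the container resource and the process data source are reported with their line numbers.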

…work/process/syscall)

These resources + data sources translate to ruleType values (CONTAINER /
FILESYSTEM / NETWORK / PROCESS / SYSCALL) that the Sysdig backend stopped
accepting when list-matching policy code was removed in SSPROD-66298 (see
draios/secure-backend#55421). The backend's RuntimePolicyRule.UnmarshalJSON
now rejects them with HTTP 400 "unknown ruleType: <type>".

Repro on a fresh OnPrem stack with secure/policies main HEAD:

    $ curl -X POST .../api/secure/rules \
        -d '{"details":{"ruleType":"CONTAINER",...}}'
    HTTP 400: "The field details has an unknown ruleType: CONTAINER"

Same for FILESYSTEM / NETWORK / PROCESS / SYSCALL.

Mark them deprecated via Schema.DeprecationMessage so users see a clear
plan/apply-time warning pointing at sysdig_secure_rule_falco. Existing
state plans aren't broken; new Create calls would still 400 (no way to
prevent that without removing the resources entirely, which is a bigger
breaking change that should land with a major version bump).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 21, 2026 20:45
@ivanlysiuk-sysdig ivanlysiuk-sysdig requested a review from a team as a code owner May 21, 2026 20:45
Copilot AI left a comment


Pull request overview

This PR deprecates five legacy “sub-type” Secure rule resources and their matching data sources (container, filesystem, network, process, syscall) that no longer work with current Sysdig backends (backend rejects those ruleType values). Deprecation is implemented via schema.Resource.DeprecationMessage so Terraform surfaces an explicit warning and points users to sysdig_secure_rule_falco.

Changes:

  • Added DeprecationMessage to sysdig_secure_rule_{container,filesystem,network,process,syscall} resources.
  • Added DeprecationMessage to sysdig_secure_rule_{container,filesystem,network,process,syscall} data sources.
  • Deprecation messages include migration guidance and tracking reference (SSPROD-68481).

Reviewed changes

Copilot reviewed 10 out of 10 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| sysdig/resource_sysdig_secure_rule_container.go | Deprecates the container rule resource with migration guidance to Falco rules. |
| sysdig/resource_sysdig_secure_rule_filesystem.go | Deprecates the filesystem rule resource with migration guidance to Falco rules. |
| sysdig/resource_sysdig_secure_rule_network.go | Deprecates the network rule resource with migration guidance to Falco rules. |
| sysdig/resource_sysdig_secure_rule_process.go | Deprecates the process rule resource with migration guidance to Falco rules. |
| sysdig/resource_sysdig_secure_rule_syscall.go | Deprecates the syscall rule resource with migration guidance to Falco rules. |
| sysdig/data_source_sysdig_secure_rule_container.go | Deprecates the container rule data source and points to the Falco data source. |
| sysdig/data_source_sysdig_secure_rule_filesystem.go | Deprecates the filesystem rule data source and points to the Falco data source. |
| sysdig/data_source_sysdig_secure_rule_network.go | Deprecates the network rule data source and points to the Falco data source. |
| sysdig/data_source_sysdig_secure_rule_process.go | Deprecates the process rule data source and points to the Falco data source. |
| sysdig/data_source_sysdig_secure_rule_syscall.go | Deprecates the syscall rule data source and points to the Falco data source. |

Open-source repo convention — keep the user-visible warning focused on
what to migrate to, not on the internal ticket that motivated the change.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
@ivanlysiuk-sysdig ivanlysiuk-sysdig changed the title SSPROD-68481: deprecate dead rule resources (container/filesystem/network/process/syscall) fix(secure): deprecate dead rule resources (container/filesystem/network/process/syscall) May 21, 2026