ci(test): parallelize acceptance tests using dynamic matrix (#692)

## Summary

Parallelize Sysdig acceptance tests by running each test file in its own
GitHub Actions job using dynamic matrix strategy. **IBM tests remain
sequential due to API rate limiting issues.**

## Changes

| Suite | Before | After |
|-------|--------|-------|
| Sysdig Secure | 1 sequential job | Dynamic matrix (max 20 concurrent),
fail-fast |
| Sysdig Monitor | 1 sequential job | Dynamic matrix (max 20
concurrent), fail-fast |
| IBM Monitor | 1 sequential job | No change (sequential) |
| IBM Secure | 1 sequential job | No change (sequential) |

## How it works

1. `list-*-tests` jobs discover test files by searching for build tags
(`tf_acc_sysdig_secure`, `tf_acc_sysdig_monitor`)
2. Each file's tests run in parallel using `-run` flag to filter by test
name
3. `fail-fast: true` stops the matrix early if any test fails
4. Aggregator jobs (`sysdig-secure-result`, `sysdig-monitor-result`)
collect results for required status checks
5. IBM tests remain sequential to avoid API rate limiting (500/504
errors with parallelization)

## Additional changes

- Add `merge_group` trigger to `ci.yml` for merge queue support
- Handle empty grep results gracefully in list jobs
- Fix `data_source_sysdig_user_test` to use random email suffix (avoid
collisions in parallel runs)
- Fix `data_source_sysdig_secure_rule_stateful_count_test` to check
`rule_count >= 2` instead of exact match (avoid flaky failures)

Author: tembleking

.github/workflows/ci.yml

@@ -7,6 +7,9 @@ on:
   pull_request:
     branches:
       - master
+  merge_group:
+    branches:
+      - master
 
 jobs:
   build-multiarch:

.github/workflows/test.yml

@@ -7,11 +7,9 @@ jobs:
   lint:
     name: Lint
     runs-on: ubuntu-latest
-
     steps:
       - name: Check out code
         uses: actions/checkout@v4
-
       - name: Lint
         uses: golangci/golangci-lint-action@v8
         with:
@@ -20,75 +18,158 @@ jobs:
   test:
     name: Unit Tests
     runs-on: ubuntu-latest
-
     steps:
       - name: Check out code
         uses: actions/checkout@v4
-
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
       - name: Test
         run: make test
 
-  test-sysdig-monitor:
-    name: Sysdig Monitor Acceptance Tests
+  # ============================================
+  # Sysdig Secure - Dynamic Matrix
+  # ============================================
+  list-sysdig-secure-tests:
+    name: List Secure Tests
     runs-on: ubuntu-latest
     needs: test
-
+    outputs:
+      matrix: ${{ steps.list.outputs.matrix }}
     steps:
-      - name: Check out code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+      - id: list
+        run: |
+          files=$(grep -l "tf_acc_sysdig_secure" sysdig/*_test.go | xargs -I{} basename {} .go || echo "")
+          if [ -z "$files" ]; then
+            echo "matrix=[]" >> $GITHUB_OUTPUT
+          else
+            matrix=$(echo "$files" | jq -R -s -c 'split("\n") | map(select(length > 0))')
+            echo "matrix=$matrix" >> $GITHUB_OUTPUT
+          fi
 
-      - name: Set up Go
-        uses: actions/setup-go@v5
+  test-sysdig-secure:
+    name: "Secure: ${{ matrix.file }}"
+    runs-on: ubuntu-latest
+    needs: list-sysdig-secure-tests
+    strategy:
+      fail-fast: true
+      max-parallel: 20
+      matrix:
+        file: ${{ fromJson(needs.list-sysdig-secure-tests.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
-      - name: Test
-        run: make testacc
+      - name: Run tests from ${{ matrix.file }}
+        run: |
+          tests=$(grep -oh "func Test[A-Za-z0-9_]*" sysdig/${{ matrix.file }}.go | sed 's/func //' | tr '\n' '|' | sed 's/|$//')
+          if [ -n "$tests" ]; then
+            echo "Running tests: $tests"
+            CGO_ENABLED=1 TF_ACC=1 go test ./sysdig -v -tags=tf_acc_sysdig_secure -timeout 30m -race -run "^($tests)$"
+          else
+            echo "No tests found in file"
+          fi
         env:
-          TEST_SUITE: tf_acc_sysdig_monitor
           SYSDIG_MONITOR_API_TOKEN: ${{ secrets.KUBELAB_MONITOR_API_TOKEN }}
           SYSDIG_SECURE_API_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
 
-  test-sysdig-secure:
-    name: Sysdig Secure Acceptance Tests
+  sysdig-secure-result:
+    name: Sysdig Secure Tests Result
+    runs-on: ubuntu-latest
+    needs: [list-sysdig-secure-tests, test-sysdig-secure]
+    if: always()
+    steps:
+      - name: Check test results
+        run: |
+          if [ "${{ needs.test-sysdig-secure.result }}" == "success" ] || [ "${{ needs.test-sysdig-secure.result }}" == "skipped" ]; then
+            echo "All Sysdig Secure tests passed"
+            exit 0
+          else
+            echo "Some Sysdig Secure tests failed"
+            exit 1
+          fi
+
+  # ============================================
+  # Sysdig Monitor - Dynamic Matrix
+  # ============================================
+  list-sysdig-monitor-tests:
+    name: List Monitor Tests
     runs-on: ubuntu-latest
     needs: test
-
+    outputs:
+      matrix: ${{ steps.list.outputs.matrix }}
     steps:
-      - name: Check out code
-        uses: actions/checkout@v4
+      - uses: actions/checkout@v4
+      - id: list
+        run: |
+          files=$(grep -l "tf_acc_sysdig_monitor" sysdig/*_test.go | xargs -I{} basename {} .go || echo "")
+          if [ -z "$files" ]; then
+            echo "matrix=[]" >> $GITHUB_OUTPUT
+          else
+            matrix=$(echo "$files" | jq -R -s -c 'split("\n") | map(select(length > 0))')
+            echo "matrix=$matrix" >> $GITHUB_OUTPUT
+          fi
 
-      - name: Set up Go
-        uses: actions/setup-go@v5
+  test-sysdig-monitor:
+    name: "Monitor: ${{ matrix.file }}"
+    runs-on: ubuntu-latest
+    needs: list-sysdig-monitor-tests
+    strategy:
+      fail-fast: true
+      max-parallel: 20
+      matrix:
+        file: ${{ fromJson(needs.list-sysdig-monitor-tests.outputs.matrix) }}
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
-      - name: Test
-        run: make testacc
+      - name: Run tests from ${{ matrix.file }}
+        run: |
+          tests=$(grep -oh "func Test[A-Za-z0-9_]*" sysdig/${{ matrix.file }}.go | sed 's/func //' | tr '\n' '|' | sed 's/|$//')
+          if [ -n "$tests" ]; then
+            echo "Running tests: $tests"
+            CGO_ENABLED=1 TF_ACC=1 go test ./sysdig -v -tags=tf_acc_sysdig_monitor -timeout 30m -race -run "^($tests)$"
+          else
+            echo "No tests found in file"
+          fi
         env:
-          TEST_SUITE: tf_acc_sysdig_secure
           SYSDIG_MONITOR_API_TOKEN: ${{ secrets.KUBELAB_MONITOR_API_TOKEN }}
           SYSDIG_SECURE_API_TOKEN: ${{ secrets.KUBELAB_SECURE_API_TOKEN }}
 
+  sysdig-monitor-result:
+    name: Sysdig Monitor Tests Result
+    runs-on: ubuntu-latest
+    needs: [list-sysdig-monitor-tests, test-sysdig-monitor]
+    if: always()
+    steps:
+      - name: Check test results
+        run: |
+          if [ "${{ needs.test-sysdig-monitor.result }}" == "success" ] || [ "${{ needs.test-sysdig-monitor.result }}" == "skipped" ]; then
+            echo "All Sysdig Monitor tests passed"
+            exit 0
+          else
+            echo "Some Sysdig Monitor tests failed"
+            exit 1
+          fi
+
+  # ============================================
+  # IBM Monitor - Sequential (no parallelization)
+  # ============================================
   test-ibm-monitor:
     name: IBM Monitor Acceptance Tests
     runs-on: ubuntu-latest
     needs: test
-
     steps:
       - name: Check out code
         uses: actions/checkout@v4
-
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
       - name: Test
         run: make testacc
         env:
@@ -99,20 +180,20 @@ jobs:
           SYSDIG_MONITOR_URL: "https://eu-gb.monitoring.cloud.ibm.com"
           IBM_EVENT_NOTIFICATION_INSTANCE_ID: ${{ secrets.IBM_EVENT_NOTIFICATION_INSTANCE_ID }}
 
+  # ============================================
+  # IBM Secure - Sequential (no parallelization)
+  # ============================================
   test-ibm-secure:
     name: IBM Secure Acceptance Tests
     runs-on: ubuntu-latest
     needs: test
-
     steps:
       - name: Check out code
         uses: actions/checkout@v4
-
       - name: Set up Go
         uses: actions/setup-go@v5
         with:
           go-version-file: go.mod
-
       - name: Test
         run: make testacc
         env:

sysdig/data_source_sysdig_secure_rule_stateful_count_test.go

@@ -5,11 +5,13 @@ package sysdig_test
 import (
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
+	"github.com/hashicorp/terraform-plugin-sdk/v2/terraform"
 
 	"github.com/draios/terraform-provider-sysdig/sysdig"
 )
@@ -35,13 +37,31 @@ func TestAccRuleStatefulCountDataSource(t *testing.T) {
 			{
 				Config: ruleStatefulCountDataSource(),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("data.sysdig_secure_rule_stateful_count.data_stateful_rule_append", "rule_count", "2"),
+					testCheckRuleCountAtLeast("data.sysdig_secure_rule_stateful_count.data_stateful_rule_append", 2),
 				),
 			},
 		},
 	})
 }
 
+func testCheckRuleCountAtLeast(resourceName string, minCount int) resource.TestCheckFunc {
+	return func(s *terraform.State) error {
+		rs, ok := s.RootModule().Resources[resourceName]
+		if !ok {
+			return fmt.Errorf("resource not found: %s", resourceName)
+		}
+		countStr := rs.Primary.Attributes["rule_count"]
+		count, err := strconv.Atoi(countStr)
+		if err != nil {
+			return fmt.Errorf("rule_count is not a valid integer: %s", countStr)
+		}
+		if count < minCount {
+			return fmt.Errorf("rule_count expected >= %d, got %d", minCount, count)
+		}
+		return nil
+	}
+}
+
 func ruleStatefulCountDataSource() string {
 	return fmt.Sprintf(`
 %s

sysdig/data_source_sysdig_user_test.go

@@ -3,15 +3,18 @@
 package sysdig_test
 
 import (
+	"fmt"
 	"testing"
 
+	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/acctest"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema"
 
 	"github.com/draios/terraform-provider-sysdig/sysdig"
 )
 
 func TestAccDataUser(t *testing.T) {
+	randomSuffix := acctest.RandStringFromCharSet(10, acctest.CharSetAlphaNum)
 	resource.ParallelTest(t, resource.TestCase{
 		PreCheck: preCheckAnyEnv(t, SysdigMonitorApiTokenEnv, SysdigSecureApiTokenEnv),
 		ProviderFactories: map[string]func() (*schema.Provider, error){
@@ -21,21 +24,21 @@ func TestAccDataUser(t *testing.T) {
 		},
 		Steps: []resource.TestStep{
 			{
-				Config: getUser(),
+				Config: getUser(randomSuffix),
 			},
 		},
 	})
 }
 
-func getUser() string {
-	return `
+func getUser(suffix string) string {
+	return fmt.Sprintf(`
 resource "sysdig_user" "sample" {
-  email = "terraform-test+user@sysdig.com"
+  email = "terraform-test+user-%s@sysdig.com"
 }
 
 data "sysdig_user" "me" {
 	depends_on = ["sysdig_user.sample"]
 	email = sysdig_user.sample.email
 }
-`
+`, suffix)
 }