feat(zones): support v2 expression syntax for sysdig_secure_zone (#712)

<!--
Thank you for your contribution!

For a cleaner PR make sure you follow these recommendations:
- Add the **scope** of the affected area in the PR name, following
[Conventional Commit](https://www.conventionalcommits.
org/en/v1.0.0/) format
ex.: feat(secure-policy): Add runbook to policy resources
- If not there yet, add yourself and/or your team as the **Codeowners**
of the affected area
- Make sure to modify the respective **tests**
- Make sure to modify the respective **documentation**
-->
This pull request significantly enhances the `sysdig_secure_zone` data
source to support v2-compatible scope expressions, improves test
coverage, and updates dependency versions. The main focus is on allowing
richer scope filtering via expressions, ensuring backward compatibility,
and providing robust validation with new unit and acceptance tests.

Enhancements to scope expression support:

* Added support for v2-compatible scope expressions in the
`sysdig_secure_zone` data source by introducing new schema fields
(`expression`, `field`, `operator`, `value`, `values`) and merging
legacy rules with v2 expressions based on scope ID. This enables richer
and more flexible filtering in resource definitions.
[[1]](diffhunk://#diff-61c5dc355aa136849ccbeda35f10a0f35ecdd1a1964951638e4f674891f21f93R55-R60)
[[2]](diffhunk://#diff-a0229110cc4b1cae2cbc580b78c4dc26bad0bb035b9d7dcd578e40227fa2ac3dR53-R80)
[[3]](diffhunk://#diff-a0229110cc4b1cae2cbc580b78c4dc26bad0bb035b9d7dcd578e40227fa2ac3dL81-R107)
[[4]](diffhunk://#diff-a0229110cc4b1cae2cbc580b78c4dc26bad0bb035b9d7dcd578e40227fa2ac3dR118-R121)
[[5]](diffhunk://#diff-a0229110cc4b1cae2cbc580b78c4dc26bad0bb035b9d7dcd578e40227fa2ac3dR137-R140)
[[6]](diffhunk://#diff-a0229110cc4b1cae2cbc580b78c4dc26bad0bb035b9d7dcd578e40227fa2ac3dL120-R193)

Testing improvements:

* Added new acceptance tests
(`TestAccDataSourceSysdigSecureZone_ByName`,
`TestAccDataSourceSysdigSecureZone_ByID`) to verify expression support
and correct retrieval by name and ID, as well as helper methods for test
configurations.
* Introduced unit tests for the scope merging logic to ensure correct
handling of partial matches, missing IDs, and graceful degradation when
v2 data is unavailable.

Dependency and API updates:

* Updated multiple dependencies in `go.mod` to newer versions, including
`terraform-plugin-sdk`, `terraform-plugin-log`, and several indirect
dependencies for improved compatibility and security.
[[1]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L10-R18)
[[2]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L26-R27)
[[3]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L40-R50)
[[4]](diffhunk://#diff-33ef32bf6c23acb95f5902d7097b7a1d5128ca061167ec0716715b0b9eeaa5f6L65-R82)
* Added a new `ZoneV2Interface` to the client and implemented a robust
`APIError` type with improved error extraction from API responses.
[[1]](diffhunk://#diff-3e543bee017248841b3c762241b5460f71986a4dac8ffcb87af8324adf237626R65)
[[2]](diffhunk://#diff-3e543bee017248841b3c762241b5460f71986a4dac8ffcb87af8324adf237626R78-R93)
[[3]](diffhunk://#diff-3e543bee017248841b3c762241b5460f71986a4dac8ffcb87af8324adf237626R118-R146)
* Introduced new model types for v2 zones in the client
(`ZonesV2Wrapper`, `ZoneV2`).

These changes collectively modernize the provider's handling of secure
zones, improve error reporting, and ensure comprehensive validation
through testing.

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: Shadow649

go.mod

@@ -19,6 +19,7 @@ require (
 )
 
 require (
+	dario.cat/mergo v1.0.1 // indirect
 	github.com/ProtonMail/go-crypto v1.4.0 // indirect
 	github.com/agext/levenshtein v1.2.3 // indirect
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
@@ -31,6 +32,7 @@ require (
 	github.com/docker/docker-credential-helpers v0.9.5 // indirect
 	github.com/fatih/color v1.18.0 // indirect
 	github.com/go-akka/configuration v0.0.0-20200606091224-a002c0330665 // indirect
+	github.com/go-test/deep v1.0.8 // indirect
 	github.com/golang/protobuf v1.5.4 // indirect
 	github.com/google/go-cmp v0.7.0 // indirect
 	github.com/google/go-containerregistry v0.21.2 // indirect
@@ -80,5 +82,6 @@ require (
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20260226221140-a57be14db171 // indirect
 	google.golang.org/grpc v1.79.2 // indirect
+	gopkg.in/yaml.v2 v2.4.0 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -1,5 +1,5 @@
-dario.cat/mergo v1.0.0 h1:AGCNq9Evsj31mOgNPcLyXc+4PNABt905YmuqPYYpBWk=
-dario.cat/mergo v1.0.0/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
+dario.cat/mergo v1.0.1 h1:Ra4+bf83h2ztPIQYNP99R6m+Y7KfnARDfID+a+vLl4s=
+dario.cat/mergo v1.0.1/go.mod h1:uNxQE+84aUszobStD9th8a29P2fMDhsBdgRYvZOxGmk=
 github.com/Jeffail/gabs/v2 v2.7.0 h1:Y2edYaTcE8ZpRsR2AtmPu5xQdFDIthFG0jYhu5PY8kg=
 github.com/Jeffail/gabs/v2 v2.7.0/go.mod h1:dp5ocw1FvBBQYssgHsG7I1WYsiLRtkUaB1FEtSwvNUw=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
@@ -57,8 +57,8 @@ github.com/go-logr/logr v1.4.3 h1:CjnDlHq8ikf6E492q6eKboGOC0T8CDaOvkHCIg8idEI=
 github.com/go-logr/logr v1.4.3/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
-github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
-github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
+github.com/go-test/deep v1.0.8 h1:TDsG77qcSprGbC6vTN8OuXp5g+J+b5Pcguhf7Zt61VM=
+github.com/go-test/deep v1.0.8/go.mod h1:5C2ZWiW0ErCdrYzpqxLbTX7MG14M9iiw8DgHncVwcsE=
 github.com/godbus/dbus/v5 v5.0.4/go.mod h1:xhWf0FNVPg57R7Z0UbKHbJfkEywrmjJnf7w5xrFpKfA=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8 h1:f+oWsMOmNPc8JmEHVZIycC7hBoQxHH9pNKQORJNozsQ=
 github.com/golang/groupcache v0.0.0-20241129210726-2c02b8208cf8/go.mod h1:wcDNUvekVysuuOpQKo3191zZyTpiI6se1N1ULghS0sw=
@@ -295,8 +295,9 @@ gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c h1:Hei/4ADfdWqJk1ZMxUNpqntN
 gopkg.in/check.v1 v1.0.0-20201130134442-10cb98267c6c/go.mod h1:JHkPIbrfpd72SG/EVd6muEfDQjcINNoR0C8j2r3qZ4Q=
 gopkg.in/warnings.v0 v0.1.2 h1:wFXVbFY8DY5/xOe1ECiWdKCzZlxgshcYVNkBHstARME=
 gopkg.in/warnings.v0 v0.1.2/go.mod h1:jksf8JmL6Qr/oQM2OXTHunEvvTAsrWBLb6OOjuVWRNI=
-gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.4.0 h1:D8xgwECY7CYvx+Y2n4sBz93Jn9JRvxdiyyo8CTfuKaY=
+gopkg.in/yaml.v2 v2.4.0/go.mod h1:RDklbk79AGWmwhnvt/jBztapEOGDOx6ZbXqjP6csGnQ=
 gopkg.in/yaml.v3 v3.0.1 h1:fxVm/GzAzEWqLHuvctI91KS9hhNmmWOoWu0XTYJS7CA=
 gopkg.in/yaml.v3 v3.0.1/go.mod h1:K4uyk7z7BCEPqu6E+C64Yfv1cQ7kz7rIZviUmN+EgEM=
 gotest.tools/v3 v3.0.3 h1:4AuOwCGf4lLR9u3YOe2awrHygurzhO/HeQ6laiA6Sx0=

sysdig/common.go

@@ -52,6 +52,11 @@ const (
 	SchemaScopeKey                      = "scope"
 	SchemaScopesKey                     = "scopes"
 	SchemaTargetTypeKey                 = "target_type"
+	SchemaExpressionKey                 = "expression"
+	SchemaFieldKey                      = "field"
+	SchemaOperatorKey                   = "operator"
+	SchemaValueKey                      = "value"
+	SchemaValuesKey                     = "values"
 	SchemaRoleKey                       = "role"
 	SchemaSystemRoleKey                 = "system_role"
 	SchemaRulesKey                      = "rules"

sysdig/data_source_sysdig_secure_zone.go

@@ -50,13 +50,34 @@ func dataSourceSysdigSecureZone() *schema.Resource {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						// Not marked Deprecated: rules with v2-compatible syntax are fully supported.
+						// Only v1 syntax (labels, labelValues, agentTags) is deprecated, but since
+						// this is a Computed field, SDK v2 has no mechanism for conditional deprecation.
+						// The resource-side ValidateDiagFunc handles the v1-only warning.
 						SchemaRulesKey: {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						SchemaExpressionKey: {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									SchemaFieldKey:    {Type: schema.TypeString, Computed: true},
+									SchemaOperatorKey: {Type: schema.TypeString, Computed: true},
+									SchemaValueKey:    {Type: schema.TypeString, Computed: true},
+									SchemaValuesKey: {
+										Type:     schema.TypeList,
+										Computed: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
 					},
 				},
 			},
+
 			"id": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -74,52 +95,80 @@ func dataSourceSysdigSecureZone() *schema.Resource {
 }
 
 func dataSourceSysdigSecureZoneRead(ctx context.Context, d *schema.ResourceData, m any) diag.Diagnostics {
-	client, err := getZoneClient(m.(SysdigClients))
+	clientV2, err := getZoneV2Client(m.(SysdigClients))
 	if err != nil {
 		return diag.FromErr(err)
 	}
-
-	var zone *v2.Zone
+	var zoneV2 *v2.ZoneV2
 	zoneIDRaw, hasZoneID := d.GetOk("id")
 	if hasZoneID {
 		zoneID, err := strconv.Atoi(zoneIDRaw.(string))
 		if err != nil {
 			return diag.FromErr(fmt.Errorf("invalid zone id: %s", err))
 		}
-		zone, err = client.GetZoneByID(ctx, zoneID)
+		zoneV2, err = clientV2.GetZoneV2(ctx, zoneID)
 		if err != nil {
-			return diag.FromErr(fmt.Errorf("error fetching zone by ID: %s", err))
+			return diag.FromErr(fmt.Errorf("error fetching zone v2 by ID: %s", err))
 		}
 	} else if nameRaw, hasName := d.GetOk("name"); hasName {
 		name := nameRaw.(string)
-		zones, err := client.GetZones(ctx, name)
+		zones, err := clientV2.GetZonesV2(ctx, name)
 		if err != nil {
 			return diag.FromErr(fmt.Errorf("error fetching zones: %s", err))
 		}
 		for _, z := range zones {
 			if z.Name == name {
-				zone = &z
+				zoneV2 = &z
 				break
 			}
 		}
-		if zone == nil {
+		if zoneV2 == nil {
 			return diag.FromErr(fmt.Errorf("zone with name '%s' not found", name))
 		}
+		zoneV2, err = clientV2.GetZoneV2(ctx, zoneV2.ID)
+		if err != nil {
+			return diag.FromErr(fmt.Errorf("error fetching zone by name: %s", err))
+		}
 	} else {
 		return diag.FromErr(fmt.Errorf("either id or name must be specified"))
 	}
 
-	d.SetId(fmt.Sprintf("%d", zone.ID))
-	_ = d.Set(SchemaNameKey, zone.Name)
-	_ = d.Set(SchemaDescriptionKey, zone.Description)
-	_ = d.Set(SchemaIsSystemKey, zone.IsSystem)
-	_ = d.Set(SchemaAuthorKey, zone.Author)
-	_ = d.Set(SchemaLastModifiedBy, zone.LastModifiedBy)
-	_ = d.Set(SchemaLastUpdated, time.UnixMilli(zone.LastUpdated).Format(time.RFC3339))
+	d.SetId(fmt.Sprintf("%d", zoneV2.ID))
+	_ = d.Set(SchemaNameKey, zoneV2.Name)
+	_ = d.Set(SchemaDescriptionKey, zoneV2.Description)
+	_ = d.Set(SchemaIsSystemKey, zoneV2.IsSystem)
+	_ = d.Set(SchemaAuthorKey, zoneV2.Author)
+	_ = d.Set(SchemaLastModifiedBy, zoneV2.LastModifiedBy)
+	_ = d.Set(SchemaLastUpdated, time.UnixMilli(zoneV2.LastUpdated).Format(time.RFC3339))
 
-	if err := d.Set(SchemaScopeKey, fromZoneScopesResponse(zone.Scopes)); err != nil {
+	if err := d.Set(SchemaScopeKey, getZoneScopes(zoneV2)); err != nil {
 		return diag.FromErr(fmt.Errorf("error setting scope: %s", err))
 	}
 
 	return nil
 }
+
+func getZoneScopes(zoneV2 *v2.ZoneV2) []any {
+	// Build expression lookup by filter ID from the v2 response.
+	out := make([]any, 0)
+	if zoneV2 != nil {
+		for _, s := range zoneV2.Scopes {
+			for _, f := range s.Filters {
+				if f.ID != 0 && (len(f.Expressions) > 0 || f.Rules != "") {
+					var exprs []any
+					for _, e := range f.Expressions {
+						exprs = append(exprs, flattenExpressionV2(e))
+					}
+					m := map[string]any{
+						SchemaIDKey:         f.ID,
+						SchemaTargetTypeKey: f.ResourceType,
+						SchemaRulesKey:      f.Rules,
+					}
+					m[SchemaExpressionKey] = exprs
+					out = append(out, m)
+				}
+			}
+		}
+	}
+	return out
+}

sysdig/data_source_sysdig_secure_zone_test.go

@@ -3,6 +3,7 @@
 package sysdig_test
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -43,6 +44,125 @@ func TestAccDataSourceSysdigSecureZone(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceSysdigSecureZone_ByName(t *testing.T) {
+	zoneName := "Zone_DS_" + randomText(5)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: preCheckAnyEnv(t, SysdigSecureApiTokenEnv, SysdigIBMSecureAPIKeyEnv),
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceSecureZoneByName(zoneName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"name",
+						zoneName,
+					),
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"scope.0.target_type",
+						"aws",
+					),
+
+					// v2 expressions
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"scope.0.expression.#",
+						"1",
+					),
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"scope.0.expression.0.field",
+						"organization",
+					),
+				),
+			},
+		},
+	})
+}
+
+func TestAccDataSourceSysdigSecureZone_ByID(t *testing.T) {
+	zoneName := "Zone_DS_ID_" + randomText(5)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: preCheckAnyEnv(t, SysdigSecureApiTokenEnv, SysdigIBMSecureAPIKeyEnv),
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceSecureZoneByID(zoneName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(
+						"data.sysdig_secure_zone.test",
+						"id",
+					),
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"scope.0.expression.#",
+						"1",
+					),
+				),
+			},
+		},
+	})
+}
+
+func testAccDataSourceSecureZoneByName(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_zone" "test" {
+  name        = "%s"
+  description = "ds acceptance test"
+
+  scope {
+    target_type = "aws"
+
+    expression {
+      field    = "organization"
+      operator = "in"
+      values   = ["o1", "o2"]
+    }
+  }
+}
+
+data "sysdig_secure_zone" "test" {
+  depends_on = [sysdig_secure_zone.test]
+  name = "%s"
+}
+`, name, name)
+}
+
+func testAccDataSourceSecureZoneByID(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_zone" "test" {
+  name        = "%s"
+  description = "ds acceptance test"
+
+  scope {
+    target_type = "aws"
+
+    expression {
+      field    = "organization"
+      operator = "in"
+      values   = ["o1", "o2"]
+    }
+  }
+}
+
+data "sysdig_secure_zone" "test" {
+  depends_on = [sysdig_secure_zone.test]
+  id = sysdig_secure_zone.test.id
+}
+`, name)
+}
+
 func testAccDataSourceSysdigSecureZoneConfig() string {
 	return `
 resource "sysdig_secure_zone" "sample" {

sysdig/data_source_sysdig_secure_zone_unit_test.go

@@ -0,0 +1,55 @@
+package sysdig
+
+import (
+	"testing"
+
+	v2 "github.com/draios/terraform-provider-sysdig/sysdig/internal/client/v2"
+)
+
+func TestGetZoneScopes_MatchByID(t *testing.T) {
+	zoneV2 := &v2.ZoneV2{
+		Scopes: []v2.ScopeV2{
+			{
+				Filters: []v2.FilterV2{
+					{
+						ID:           10,
+						ResourceType: "kubernetes",
+						Expressions: []v2.ExpressionV2{
+							{Field: "cluster", Operator: "in", Values: []string{"a"}},
+						},
+					},
+					{
+						ID:           20,
+						ResourceType: "kubernetes",
+						Expressions: []v2.ExpressionV2{
+							{Field: "cluster", Operator: "in", Values: []string{"b"}},
+						},
+					},
+				},
+			},
+		},
+	}
+
+	result := getZoneScopes(zoneV2)
+	if len(result) != 2 {
+		t.Fatalf("expected 2 scopes, got %d", len(result))
+	}
+
+	// Verify each scope got its own expressions by checking the ID-expression pairing.
+	for _, raw := range result {
+		scope := raw.(map[string]any)
+		id := scope[SchemaIDKey].(int)
+		exprs, ok := scope[SchemaExpressionKey].([]any)
+		if !ok || len(exprs) != 1 {
+			t.Fatalf("scope ID=%d: expected 1 expression, got %v", id, scope[SchemaExpressionKey])
+		}
+		expr := exprs[0].(map[string]any)
+		vals := expr["values"].([]string)
+		if id == 10 && vals[0] != "a" {
+			t.Errorf("scope ID=10: expected values [a], got %v", vals)
+		}
+		if id == 20 && vals[0] != "b" {
+			t.Errorf("scope ID=20: expected values [b], got %v", vals)
+		}
+	}
+}