fix(secure): validate mutual exclusivity of image_label sub-blocks

tembleking · tembleking · commit 8755d309ef95 · 2026-03-23T11:23:25.000+01:00
Combining multiple sub-blocks in a single image_label block caused
silent state drift because the read path only reads Predicates[0].
This converts the silent data-loss bug into a clear validation error.
diff --git a/sysdig/resource_sysdig_secure_vulnerability_rule_bundle.go b/sysdig/resource_sysdig_secure_vulnerability_rule_bundle.go
@@ -766,7 +766,31 @@ func validateSeveritiesAndThreatsRule(ruleBody map[string]any) error {
 	return nil
 }
 
+func validateImageLabelRule(ruleBody map[string]any) error {
+	count := 0
+	if val, ok := ruleBody["label_must_exist"]; ok && val.(string) != "" {
+		count++
+	}
+	if val, ok := ruleBody["label_must_not_exist"]; ok && val.(string) != "" {
+		count++
+	}
+	if val, ok := ruleBody["label_must_exist_and_contain_value"]; ok && len(val.([]any)) > 0 {
+		count++
+	}
+	if val, ok := ruleBody["label_with_value_and_required_labels"]; ok && len(val.([]any)) > 0 {
+		count++
+	}
+	if count > 1 {
+		return errors.New("only one image label predicate can be set per image_label block")
+	}
+	return nil
+}
+
 func vulnerabilityRuleImageConfigLabelFromMap(ruleBody map[string]any) (v2.VulnerabilityRule, error) {
+	if err := validateImageLabelRule(ruleBody); err != nil {
+		return v2.VulnerabilityRule{}, err
+	}
+
 	rule := v2.VulnerabilityRule{
 		ID:         new(ruleBody["id"].(string)),
 		Type:       v2.VulnerabilityRuleTypeImageConfigLabel,
diff --git a/sysdig/resource_sysdig_secure_vulnerability_rule_bundle_test.go b/sysdig/resource_sysdig_secure_vulnerability_rule_bundle_test.go
@@ -63,6 +63,10 @@ func TestAccVulnerabilityRuleBundle(t *testing.T) {
 				Config:      errorVulnerabilityRuleBundleConfig_ExploitConflict(random()),
 				ExpectError: regexp.MustCompile("`public_exploit_available` and `public_exploit_available_since_days` are mutually exclusive"),
 			},
+			{
+				Config:      errorVulnerabilityRuleBundleConfig_ImageLabelConflict(random()),
+				ExpectError: regexp.MustCompile("only one image label predicate can be set"),
+			},
 			{
 				Config: minimalVulnerabilityRuleBundleConfig_ImageLabel(random()),
 				Check: resource.ComposeTestCheckFunc(
@@ -428,6 +432,24 @@ resource "sysdig_secure_vulnerability_rule_bundle" "sample" {
 `, suffix)
 }
 
+func errorVulnerabilityRuleBundleConfig_ImageLabelConflict(suffix string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_vulnerability_rule_bundle" "sample" {
+  name    = "TERRAFORM TEST %s"
+  rule {
+    image_label {
+      label_must_exist = "required-label"
+      label_with_value_and_required_labels {
+        target_label    = "Vendor"
+        target_value    = "BNPP"
+        required_labels = ["Team", "Org"]
+      }
+    }
+  }
+}
+`, suffix)
+}
+
 func variantVulnerabilityRuleBundleConfig_DisclosureDate(suffix string) string {
 	return fmt.Sprintf(`
 resource "sysdig_secure_vulnerability_rule_bundle" "sample" {
