feat(zones): support v2 expression syntax for sysdig_secure_zone

Author: Shadow649

go.mod

@@ -7,14 +7,15 @@ require (
 	github.com/aws/aws-sdk-go v1.55.7
 	github.com/hashicorp/go-cty v1.5.0
 	github.com/hashicorp/go-retryablehttp v0.7.8
-	github.com/hashicorp/terraform-plugin-log v0.9.0
-	github.com/hashicorp/terraform-plugin-sdk/v2 v2.37.0
+	github.com/hashicorp/terraform-plugin-log v0.10.0
+	github.com/hashicorp/terraform-plugin-sdk/v2 v2.38.1
+	github.com/hashicorp/terraform-plugin-testing v1.14.0
 	github.com/jmespath/go-jmespath v0.4.0
 	github.com/rs/zerolog v1.34.0
 	github.com/spf13/cast v1.9.2
 	github.com/stretchr/testify v1.10.0
 	github.com/sysdiglabs/agent-kilt v1.0.0
-	google.golang.org/protobuf v1.36.6
+	google.golang.org/protobuf v1.36.9
 )
 
 require (
@@ -23,7 +24,7 @@ require (
 	github.com/apparentlymart/go-textseg/v15 v15.0.0 // indirect
 	github.com/cloudflare/circl v1.6.1 // indirect
 	github.com/containerd/stargz-snapshotter/estargz v0.16.3 // indirect
-	github.com/davecgh/go-spew v1.1.1 // indirect
+	github.com/davecgh/go-spew v1.1.2-0.20180830191138-d8f796af33cc // indirect
 	github.com/docker/cli v28.3.2+incompatible // indirect
 	github.com/docker/distribution v2.8.3+incompatible // indirect
 	github.com/docker/docker-credential-helpers v0.9.3 // indirect
@@ -37,16 +38,16 @@ require (
 	github.com/hashicorp/go-cleanhttp v0.5.2 // indirect
 	github.com/hashicorp/go-hclog v1.6.3 // indirect
 	github.com/hashicorp/go-multierror v1.1.1 // indirect
-	github.com/hashicorp/go-plugin v1.6.3 // indirect
+	github.com/hashicorp/go-plugin v1.7.0 // indirect
 	github.com/hashicorp/go-uuid v1.0.3 // indirect
 	github.com/hashicorp/go-version v1.7.0 // indirect
 	github.com/hashicorp/hc-install v0.9.2 // indirect
 	github.com/hashicorp/hcl/v2 v2.24.0 // indirect
 	github.com/hashicorp/logutils v1.0.0 // indirect
-	github.com/hashicorp/terraform-exec v0.23.0 // indirect
-	github.com/hashicorp/terraform-json v0.25.0 // indirect
-	github.com/hashicorp/terraform-plugin-go v0.28.0 // indirect
-	github.com/hashicorp/terraform-registry-address v0.3.0 // indirect
+	github.com/hashicorp/terraform-exec v0.24.0 // indirect
+	github.com/hashicorp/terraform-json v0.27.2 // indirect
+	github.com/hashicorp/terraform-plugin-go v0.29.0 // indirect
+	github.com/hashicorp/terraform-registry-address v0.4.0 // indirect
 	github.com/hashicorp/terraform-svchost v0.1.1 // indirect
 	github.com/hashicorp/yamux v0.1.2 // indirect
 	github.com/klauspost/compress v1.18.0 // indirect
@@ -62,22 +63,22 @@ require (
 	github.com/opencontainers/go-digest v1.0.0 // indirect
 	github.com/opencontainers/image-spec v1.1.1 // indirect
 	github.com/pkg/errors v0.9.1 // indirect
-	github.com/pmezard/go-difflib v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.1-0.20181226105442-5d4384ee4fb2 // indirect
 	github.com/sirupsen/logrus v1.9.3 // indirect
 	github.com/vbatts/tar-split v0.12.1 // indirect
 	github.com/vmihailenco/msgpack v4.0.4+incompatible // indirect
 	github.com/vmihailenco/msgpack/v5 v5.4.1 // indirect
 	github.com/vmihailenco/tagparser/v2 v2.0.0 // indirect
-	github.com/zclconf/go-cty v1.16.3 // indirect
-	golang.org/x/crypto v0.39.0 // indirect
-	golang.org/x/mod v0.25.0 // indirect
-	golang.org/x/net v0.41.0 // indirect
-	golang.org/x/sync v0.16.0 // indirect
-	golang.org/x/sys v0.34.0 // indirect
-	golang.org/x/text v0.26.0 // indirect
-	golang.org/x/tools v0.34.0 // indirect
+	github.com/zclconf/go-cty v1.17.0 // indirect
+	golang.org/x/crypto v0.45.0 // indirect
+	golang.org/x/mod v0.29.0 // indirect
+	golang.org/x/net v0.47.0 // indirect
+	golang.org/x/sync v0.18.0 // indirect
+	golang.org/x/sys v0.38.0 // indirect
+	golang.org/x/text v0.31.0 // indirect
+	golang.org/x/tools v0.38.0 // indirect
 	google.golang.org/appengine v1.6.8 // indirect
 	google.golang.org/genproto/googleapis/rpc v0.0.0-20250707201910-8d1bb00bc6a7 // indirect
-	google.golang.org/grpc v1.73.0 // indirect
+	google.golang.org/grpc v1.75.1 // indirect
 	gopkg.in/yaml.v3 v3.0.1 // indirect
 )

go.sum

@@ -52,6 +52,12 @@ const (
 	SchemaScopeKey                      = "scope"
 	SchemaScopesKey                     = "scopes"
 	SchemaTargetTypeKey                 = "target_type"
+	SchemaResourceTypeKey               = "resource_type"
+	SchemaExpressionKey                 = "expression"
+	SchemaFieldKey                      = "field"
+	SchemaOperatorKey                   = "operator"
+	SchemaValueKey                      = "value"
+	SchemaValuesKey                     = "values"
 	SchemaRoleKey                       = "role"
 	SchemaSystemRoleKey                 = "system_role"
 	SchemaRulesKey                      = "rules"

sysdig/common.go

@@ -50,13 +50,34 @@ func dataSourceSysdigSecureZone() *schema.Resource {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						// Not marked Deprecated: rules with v2-compatible syntax are fully supported.
+						// Only v1 syntax (labels, labelValues, agentTags) is deprecated, but since
+						// this is a Computed field, SDK v2 has no mechanism for conditional deprecation.
+						// The resource-side ValidateDiagFunc handles the v1-only warning.
 						SchemaRulesKey: {
 							Type:     schema.TypeString,
 							Computed: true,
 						},
+						SchemaExpressionKey: {
+							Type:     schema.TypeList,
+							Computed: true,
+							Elem: &schema.Resource{
+								Schema: map[string]*schema.Schema{
+									SchemaFieldKey:    {Type: schema.TypeString, Computed: true},
+									SchemaOperatorKey: {Type: schema.TypeString, Computed: true},
+									SchemaValueKey:    {Type: schema.TypeString, Computed: true},
+									SchemaValuesKey: {
+										Type:     schema.TypeList,
+										Computed: true,
+										Elem:     &schema.Schema{Type: schema.TypeString},
+									},
+								},
+							},
+						},
 					},
 				},
 			},
+
 			"id": {
 				Type:         schema.TypeString,
 				Optional:     true,
@@ -78,8 +99,12 @@ func dataSourceSysdigSecureZoneRead(ctx context.Context, d *schema.ResourceData,
 	if err != nil {
 		return diag.FromErr(err)
 	}
-
+	clientv2, err := getZoneV2Client(m.(SysdigClients))
+	if err != nil {
+		return diag.FromErr(err)
+	}
 	var zone *v2.Zone
+	var zoneV2 *v2.ZoneV2
 	zoneIDRaw, hasZoneID := d.GetOk("id")
 	if hasZoneID {
 		zoneID, err := strconv.Atoi(zoneIDRaw.(string))
@@ -90,6 +115,10 @@ func dataSourceSysdigSecureZoneRead(ctx context.Context, d *schema.ResourceData,
 		if err != nil {
 			return diag.FromErr(fmt.Errorf("error fetching zone by ID: %s", err))
 		}
+		zoneV2, err = clientv2.GetZoneV2(ctx, zoneID)
+		if err != nil {
+			return diag.FromErr(fmt.Errorf("error fetching zone v2 by ID: %s", err))
+		}
 	} else if nameRaw, hasName := d.GetOk("name"); hasName {
 		name := nameRaw.(string)
 		zones, err := client.GetZones(ctx, name)
@@ -105,6 +134,10 @@ func dataSourceSysdigSecureZoneRead(ctx context.Context, d *schema.ResourceData,
 		if zone == nil {
 			return diag.FromErr(fmt.Errorf("zone with name '%s' not found", name))
 		}
+		zoneV2, err = clientv2.GetZoneV2(ctx, zone.ID)
+		if err != nil {
+			return diag.FromErr(fmt.Errorf("error fetching zones: %s", err))
+		}
 	} else {
 		return diag.FromErr(fmt.Errorf("either id or name must be specified"))
 	}
@@ -117,9 +150,44 @@ func dataSourceSysdigSecureZoneRead(ctx context.Context, d *schema.ResourceData,
 	_ = d.Set(SchemaLastModifiedBy, zone.LastModifiedBy)
 	_ = d.Set(SchemaLastUpdated, time.UnixMilli(zone.LastUpdated).Format(time.RFC3339))
 
-	if err := d.Set(SchemaScopeKey, fromZoneScopesResponse(zone.Scopes)); err != nil {
+	if err := d.Set(SchemaScopeKey, getZoneScopes(zone.Scopes, zoneV2)); err != nil {
 		return diag.FromErr(fmt.Errorf("error setting scope: %s", err))
 	}
 
 	return nil
 }
+
+func getZoneScopes(legacyScopes []v2.ZoneScope, zoneV2 *v2.ZoneV2) []any {
+	// Build expression lookup by filter ID from the v2 response.
+	exprByID := make(map[int][]any)
+	if zoneV2 != nil {
+		for _, s := range zoneV2.Scopes {
+			for _, f := range s.Filters {
+				if f.ID != 0 && len(f.Expressions) > 0 {
+					var exprs []any
+					for _, e := range f.Expressions {
+						exprs = append(exprs, flattenExpressionV21(e))
+					}
+					exprByID[f.ID] = exprs
+				}
+			}
+		}
+	}
+
+	// Merge: v1 scope ← v2 expressions by ID.
+	// If a scope's ID has no v2 match (rollout not complete, or filter has no
+	// expressions), the scope gets rules only — graceful degradation.
+	out := make([]any, 0, len(legacyScopes))
+	for _, scope := range legacyScopes {
+		m := map[string]any{
+			SchemaIDKey:         scope.ID,
+			SchemaTargetTypeKey: scope.TargetType,
+			SchemaRulesKey:      scope.Rules,
+		}
+		if exprs, ok := exprByID[scope.ID]; ok {
+			m[SchemaExpressionKey] = exprs
+		}
+		out = append(out, m)
+	}
+	return out
+}

sysdig/data_source_sysdig_secure_zone.go

@@ -3,6 +3,7 @@
 package sysdig_test
 
 import (
+	"fmt"
 	"testing"
 
 	"github.com/hashicorp/terraform-plugin-sdk/v2/helper/resource"
@@ -43,6 +44,144 @@ func TestAccDataSourceSysdigSecureZone(t *testing.T) {
 	})
 }
 
+func TestAccDataSourceSysdigSecureZone_ByName(t *testing.T) {
+	zoneName := "Zone_DS_" + randomText(5)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: preCheckAnyEnv(t, SysdigSecureApiTokenEnv, SysdigIBMSecureAPIKeyEnv),
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceSecureZoneByName(zoneName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"name",
+						zoneName,
+					),
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"scope.0.target_type",
+						"aws",
+					),
+
+					// v2 expressions
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"scope.0.expression.#",
+						"1",
+					),
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"scope.0.expression.0.field",
+						"organization",
+					),
+				),
+			},
+		},
+	})
+}
+
+func TestAccDataSourceSysdigSecureZone_ByID(t *testing.T) {
+	zoneName := "Zone_DS_ID_" + randomText(5)
+
+	resource.ParallelTest(t, resource.TestCase{
+		PreCheck: preCheckAnyEnv(t, SysdigSecureApiTokenEnv, SysdigIBMSecureAPIKeyEnv),
+		ProviderFactories: map[string]func() (*schema.Provider, error){
+			"sysdig": func() (*schema.Provider, error) {
+				return sysdig.Provider(), nil
+			},
+		},
+		Steps: []resource.TestStep{
+			{
+				Config: testAccDataSourceSecureZoneByID(zoneName),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttrSet(
+						"data.sysdig_secure_zone.test",
+						"id",
+					),
+					resource.TestCheckResourceAttr(
+						"data.sysdig_secure_zone.test",
+						"scope.0.expression.#",
+						"1",
+					),
+				),
+			},
+		},
+	})
+}
+
+func testAccSecureZoneWithExpression(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_zone" "test" {
+  name        = "%s"
+  description = "ds acceptance test"
+
+  scope {
+    target_type = "aws"
+
+    expression {
+      field    = "organization"
+      operator = "in"
+      values   = ["o1", "o2"]
+    }
+  }
+}
+`, name)
+}
+
+func testAccDataSourceSecureZoneByName(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_zone" "test" {
+  name        = "%s"
+  description = "ds acceptance test"
+
+  scope {
+    target_type = "aws"
+
+    expression {
+      field    = "organization"
+      operator = "in"
+      values   = ["o1", "o2"]
+    }
+  }
+}
+
+data "sysdig_secure_zone" "test" {
+  depends_on = [sysdig_secure_zone.test]
+  name = "%s"
+}
+`, name, name)
+}
+
+func testAccDataSourceSecureZoneByID(name string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_zone" "test" {
+  name        = "%s"
+  description = "ds acceptance test"
+
+  scope {
+    target_type = "aws"
+
+    expression {
+      field    = "organization"
+      operator = "in"
+      values   = ["o1", "o2"]
+    }
+  }
+}
+
+data "sysdig_secure_zone" "test" {
+  depends_on = [sysdig_secure_zone.test]
+  id = sysdig_secure_zone.test.id
+}
+`, name)
+}
+
 func testAccDataSourceSysdigSecureZoneConfig() string {
 	return `
 resource "sysdig_secure_zone" "sample" {