feat(secure): add imageConfigLabelWithValueAndLabelsExist predicate to vulnerability rule bundles

tembleking · tembleking · commit c0a2f8e26093 · 2026-03-23T11:00:10.000+01:00
diff --git a/sysdig/internal/client/v2/vulnerability_rule_bundle_model.go b/sysdig/internal/client/v2/vulnerability_rule_bundle_model.go
@@ -21,15 +21,16 @@ type VulnerabilityRulePredicate struct {
 
 type VulnerabilityRulePredicateExtra struct {
 	// Common fields for different predicate types
-	Level    *Level    `json:"level,omitempty"`
-	Age      *int      `json:"age,omitempty"`
-	Days     *int      `json:"days,omitempty"`
-	PkgType  *string   `json:"pkgType,omitempty"`
-	VulnIDS  []string  `json:"vulnIds,omitempty"`
-	Packages []Package `json:"packages,omitempty"`
-	Key      *string   `json:"key,omitempty"`
-	User     *string   `json:"user,omitempty"`
-	Value    any       `json:"value,omitempty"` // For image labels or CVSS score
+	Level          *Level    `json:"level,omitempty"`
+	Age            *int      `json:"age,omitempty"`
+	Days           *int      `json:"days,omitempty"`
+	PkgType        *string   `json:"pkgType,omitempty"`
+	VulnIDS        []string  `json:"vulnIds,omitempty"`
+	Packages       []Package `json:"packages,omitempty"`
+	Key            *string   `json:"key,omitempty"`
+	User           *string   `json:"user,omitempty"`
+	Value          any       `json:"value,omitempty"` // For image labels or CVSS score
+	RequiredLabels []string  `json:"requiredLabels,omitempty"`
 
 	// Disclosure Date Range
 	StartDate *string `json:"startDate,omitempty"`
diff --git a/sysdig/resource_sysdig_secure_vulnerability_rule_bundle.go b/sysdig/resource_sysdig_secure_vulnerability_rule_bundle.go
@@ -56,6 +56,32 @@ func vulnerabilityRuleSchemaImageConfigLabel() *schema.Schema {
 						},
 					},
 				},
+				"label_with_value_and_required_labels": {
+					Type:        schema.TypeList,
+					Optional:    true,
+					MaxItems:    1,
+					Description: "A label key-value pair that must exist along with additional required labels.",
+					Elem: &schema.Resource{
+						Schema: map[string]*schema.Schema{
+							"target_label": {
+								Type:        schema.TypeString,
+								Required:    true,
+								Description: "Label key that must exist with the specified value.",
+							},
+							"target_value": {
+								Type:        schema.TypeString,
+								Required:    true,
+								Description: "Expected value for the target label. Can be empty.",
+							},
+							"required_labels": {
+								Type:        schema.TypeList,
+								Required:    true,
+								Description: "Additional label keys that must also exist.",
+								Elem:        &schema.Schema{Type: schema.TypeString},
+							},
+						},
+					},
+				},
 			},
 		},
 	}
@@ -574,6 +600,17 @@ func vulnerabilityRuleImageConfigLabelToData(ruleBundle v2.VulnerabilityRule) (m
 				}},
 			}},
 		}, nil
+	case "imageConfigLabelWithValueAndLabelsExist":
+		return map[string]any{
+			"image_label": []map[string]any{{
+				"id": ruleBundle.ID,
+				"label_with_value_and_required_labels": []map[string]any{{
+					"target_label":    ruleBundle.Predicates[0].Extra.Key,
+					"target_value":    ruleBundle.Predicates[0].Extra.Value,
+					"required_labels": ruleBundle.Predicates[0].Extra.RequiredLabels,
+				}},
+			}},
+		}, nil
 	}
 
 	return nil, fmt.Errorf("unsupported image config label rule for predicate: %s", ruleBundle.Predicates[0].Type)
@@ -765,6 +802,23 @@ func vulnerabilityRuleImageConfigLabelFromMap(ruleBody map[string]any) (v2.Vulne
 		})
 	}
 
+	if label, ok := ruleBody["label_with_value_and_required_labels"]; ok && len(label.([]any)) > 0 {
+		contents := label.([]any)[0].(map[string]any)
+		rawLabels := contents["required_labels"].([]any)
+		requiredLabels := make([]string, len(rawLabels))
+		for i, v := range rawLabels {
+			requiredLabels[i] = v.(string)
+		}
+		rule.Predicates = append(rule.Predicates, v2.VulnerabilityRulePredicate{
+			Type: "imageConfigLabelWithValueAndLabelsExist",
+			Extra: &v2.VulnerabilityRulePredicateExtra{
+				Key:            new(contents["target_label"].(string)),
+				Value:          new(contents["target_value"].(string)),
+				RequiredLabels: requiredLabels,
+			},
+		})
+	}
+
 	if len(rule.Predicates) == 0 {
 		return v2.VulnerabilityRule{}, errors.New("no predicate has been specified for image label rule")
 	}
diff --git a/sysdig/resource_sysdig_secure_vulnerability_rule_bundle_test.go b/sysdig/resource_sysdig_secure_vulnerability_rule_bundle_test.go
@@ -94,6 +94,16 @@ func TestAccVulnerabilityRuleBundle(t *testing.T) {
 					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_rule_bundle.sample", "rule.0.image_label.0.label_must_exist_and_contain_value.0.required_value", "required-value"),
 				),
 			},
+			{
+				Config: singleRuleConfig_label_with_value_and_required_labels(random()),
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_rule_bundle.sample", "rule.0.image_label.0.label_with_value_and_required_labels.0.target_label", "Vendor"),
+					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_rule_bundle.sample", "rule.0.image_label.0.label_with_value_and_required_labels.0.target_value", "BNPP"),
+					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_rule_bundle.sample", "rule.0.image_label.0.label_with_value_and_required_labels.0.required_labels.#", "2"),
+					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_rule_bundle.sample", "rule.0.image_label.0.label_with_value_and_required_labels.0.required_labels.0", "Team"),
+					resource.TestCheckResourceAttr("sysdig_secure_vulnerability_rule_bundle.sample", "rule.0.image_label.0.label_with_value_and_required_labels.0.required_labels.1", "Org"),
+				),
+			},
 			{
 				Config: fullVulnerabilityRuleBundleConfig_Severities(random()),
 				Check: resource.ComposeTestCheckFunc(
@@ -259,6 +269,24 @@ resource "sysdig_secure_vulnerability_rule_bundle" "sample" {
 `, suffix)
 }
 
+func singleRuleConfig_label_with_value_and_required_labels(suffix string) string {
+	return fmt.Sprintf(`
+resource "sysdig_secure_vulnerability_rule_bundle" "sample" {
+  name        = "TERRAFORM TEST %s"
+  description = "rule with label_with_value_and_required_labels"
+  rule {
+    image_label {
+      label_with_value_and_required_labels {
+        target_label    = "Vendor"
+        target_value    = "BNPP"
+        required_labels = ["Team", "Org"]
+      }
+    }
+  }
+}
+`, suffix)
+}
+
 func fullVulnerabilityRuleBundleConfig_Severities(suffix string) string {
 	return fmt.Sprintf(`
 resource "sysdig_secure_vulnerability_rule_bundle" "sample" {
@@ -469,6 +497,16 @@ resource "sysdig_secure_vulnerability_rule_bundle" "sample" {
     }
   }
 
+  rule {
+    image_label {
+      label_with_value_and_required_labels {
+        target_label    = "Vendor"
+        target_value    = "BNPP"
+        required_labels = ["Team", "Org"]
+      }
+    }
+  }
+
   rule {
     severities_and_threats {
       severity_at_least                   = "high"
diff --git a/website/docs/r/secure_vulnerability_rule_bundle.md b/website/docs/r/secure_vulnerability_rule_bundle.md
@@ -47,6 +47,17 @@ resource "sysdig_secure_vulnerability_rule_bundle" "example_image_label" {
       }
     }
   }
+
+  # Rule to ensure a label exists with a value AND other labels also exist
+  rule {
+    image_label {
+      label_with_value_and_required_labels {
+        target_label    = "Vendor"
+        target_value    = "BNPP"
+        required_labels = ["Team", "Org"]
+      }
+    }
+  }
 }
 ```
 
@@ -114,6 +125,10 @@ Defines rules based on image labels to evaluate image configuration. Only one of
 * `label_must_exist_and_contain_value` - (Optional) A block specifying a label key and value that must exist in the image configuration.
   * `required_label` - (Required) The label key that must exist.
   * `required_value` - (Required) The expected value for the given label key.
+* `label_with_value_and_required_labels` - (Optional) A block specifying a label key-value pair that must exist along with additional required labels.
+  * `target_label` - (Required) The label key that must exist with the specified value.
+  * `target_value` - (Required) The expected value for the target label. Can be empty.
+  * `required_labels` - (Required) A list of additional label keys that must also exist.
 
 #### `severities_and_threats`
 
