
feat(response actions) Onboarding full validation [SSPROD-64190]#716

Closed
fcracker79 wants to merge 25 commits intomasterfrom
feat/mirko/cloudauth-ra-full-validation

Conversation

@fcracker79 (Contributor)

No description provided.

fcracker79 and others added 25 commits January 13, 2026 11:19
These tests are running as part of the Monitor backend deployments to
integration environments, and they should not. They are failing and
causing noise, so let's remove them from this suite.
#690)

## Summary

- Change `components` field from `TypeList` to `TypeSet` in cloud auth
account feature schema
- Update code that reads components to handle `*schema.Set` instead of
`[]any`

## Problem

The `components` field in `sysdig_secure_cloud_auth_account` features
was defined as `TypeList`. However, the API returns components in
arbitrary order. This caused Terraform to detect spurious changes on
every plan:

```
# sysdig_secure_cloud_auth_account.example will be updated in-place
~ resource "sysdig_secure_cloud_auth_account" "example" {
    - feature {
        - secure_threat_detection {
            - components = [
                - "COMPONENT_WEBHOOK_DATASOURCE/secure-runtime",
                - "COMPONENT_SERVICE_PRINCIPAL/secure-runtime",
              ] -> null
          }
      }
    + feature {
        + secure_threat_detection {
            + components = [
                + "COMPONENT_SERVICE_PRINCIPAL/secure-runtime",
                + "COMPONENT_WEBHOOK_DATASOURCE/secure-runtime",
              ]
          }
      }
  }
```

## Solution

Change the schema type from `TypeList` to `TypeSet`. Sets compare
elements regardless of order, which matches the API's behavior.

## Files Changed

- `sysdig/resource_sysdig_secure_cloud_auth_account.go`
- `sysdig/resource_sysdig_secure_cloud_auth_account_feature.go`
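The drift described in this commit comes down to how the two schema types compare values. The following added example (not code from the provider or from this PR, and independent of the Terraform SDK) runs both comparisons over the two component strings shown in the plan output above, and then over a constructed extra component (`COMPONENT_EXAMPLE/secure-runtime`, a placeholder name) to show that set semantics still catch a real change:

```go
package main

import (
	"fmt"
	"sort"
)

// componentDiff is the result of comparing the components held in Terraform
// state with the components returned by the API.
type componentDiff struct {
	ListChanged bool     // a TypeList-style comparison (order-sensitive) reports a change
	SetChanged  bool     // a TypeSet-style comparison (order-insensitive) reports a change
	Added       []string // returned by the API but absent from state
	Removed     []string // in state but no longer returned by the API
}

// diffComponents compares the two slices with both semantics so the
// spurious-diff case described in the commit can be seen side by side.
func diffComponents(state, api []string) componentDiff {
	d := componentDiff{}

	// Order-sensitive comparison: what TypeList does.
	d.ListChanged = len(state) != len(api)
	for i := 0; !d.ListChanged && i < len(state); i++ {
		if state[i] != api[i] {
			d.ListChanged = true
		}
	}

	// Order-insensitive comparison: what TypeSet does (membership only,
	// duplicates collapse as they do in a set).
	inState := make(map[string]bool, len(state))
	for _, c := range state {
		inState[c] = true
	}
	inAPI := make(map[string]bool, len(api))
	for _, c := range api {
		inAPI[c] = true
		if !inState[c] {
			d.Added = append(d.Added, c)
		}
	}
	for c := range inState {
		if !inAPI[c] {
			d.Removed = append(d.Removed, c)
		}
	}
	sort.Strings(d.Added)
	sort.Strings(d.Removed)
	d.SetChanged = len(d.Added) > 0 || len(d.Removed) > 0
	return d
}

func main() {
	// Constructed sample: the API returns the same two components as the
	// state, only in a different order (the case from the plan output).
	state := []string{
		"COMPONENT_WEBHOOK_DATASOURCE/secure-runtime",
		"COMPONENT_SERVICE_PRINCIPAL/secure-runtime",
	}
	api := []string{
		"COMPONENT_SERVICE_PRINCIPAL/secure-runtime",
		"COMPONENT_WEBHOOK_DATASOURCE/secure-runtime",
	}
	fmt.Printf("reordered: %+v\n", diffComponents(state, api))

	// A genuine change is still detected with set semantics.
	api = append(api, "COMPONENT_EXAMPLE/secure-runtime") // constructed placeholder name
	fmt.Printf("extra component: %+v\n", diffComponents(state, api))
}
```

The first call reports `ListChanged: true, SetChanged: false`, which is exactly the spurious in-place update Terraform showed before the schema change; the second reports `SetChanged: true` with the placeholder in `Added`.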
…ch resources (#689)

## Summary

- Fix provider crash when `sysdig_secure_team.zone_ids` references IDs
from `sysdig_secure_zone` resources created with `for_each`
- Add `IsKnown()` checks before calling `AsValueSlice()` and `True()` on
cty values in `CustomizeDiff`

## Problem

When using dynamic zone wiring like this:

```hcl
resource "sysdig_secure_zone" "zones" {
  for_each = local.teams
  name     = "Zone-${each.key}"
  # ...
}

resource "sysdig_secure_team" "teams" {
  for_each = local.teams
  name     = "Team-${each.key}"
  zone_ids = [sysdig_secure_zone.zones[each.key].id]
}
```

The provider panics during `terraform plan`:

```
panic: value is not known
github.com/hashicorp/go-cty/cty.Value.AsValueSlice(...)
github.com/draios/terraform-provider-sysdig/sysdig/resource_sysdig_secure_team.go:34
```

## Root Cause

In `CustomizeDiff`, the code calls `AsValueSlice()` and `True()` on cty
values without checking if they are known first. When `zone_ids` depends
on resources being created in the same plan (via `for_each`), the value
is `cty.UnknownVal(cty.List(cty.Number))`. Calling `AsValueSlice()` on
an unknown value causes a panic.

## Solution

Add `IsKnown()` checks before accessing cty values:

```go
// Before
if !zoneIDsPlan.IsNull() && len(zoneIDsPlan.AsValueSlice()) > 0 {

// After  
if !zoneIDsPlan.IsNull() && zoneIDsPlan.IsKnown() && len(zoneIDsPlan.AsValueSlice()) > 0 {
```

When values are unknown during plan, the validation is safely skipped
and will execute during apply when values become known.
…#693)

## Summary

Replace individual user mentions (@airadier, @tembleking, @mateobur)
with the @sysdiglabs/sysdig-training team for easier maintenance and
team-based code ownership.

## Changes

All occurrences of `@airadier @tembleking @mateobur` have been replaced
with `@sysdiglabs/sysdig-training`.
## Summary

Parallelize Sysdig acceptance tests by running each test file in its own
GitHub Actions job using dynamic matrix strategy. **IBM tests remain
sequential due to API rate limiting issues.**

## Changes

| Suite | Before | After |
|-------|--------|-------|
| Sysdig Secure | 1 sequential job | Dynamic matrix (max 20 concurrent), fail-fast |
| Sysdig Monitor | 1 sequential job | Dynamic matrix (max 20 concurrent), fail-fast |
| IBM Monitor | 1 sequential job | No change (sequential) |
| IBM Secure | 1 sequential job | No change (sequential) |

## How it works

1. `list-*-tests` jobs discover test files by searching for build tags
(`tf_acc_sysdig_secure`, `tf_acc_sysdig_monitor`)
2. Each file's tests run in parallel using `-run` flag to filter by test
name
3. `fail-fast: true` stops the matrix early if any test fails
4. Aggregator jobs (`sysdig-secure-result`, `sysdig-monitor-result`)
collect results for required status checks
5. IBM tests remain sequential to avoid API rate limiting (500/504
errors with parallelization)

## Additional changes

- Add `merge_group` trigger to `ci.yml` for merge queue support
- Handle empty grep results gracefully in list jobs
- Fix `data_source_sysdig_user_test` to use random email suffix (avoid
collisions in parallel runs)
- Fix `data_source_sysdig_secure_rule_stateful_count_test` to check
`rule_count >= 2` instead of exact match (avoid flaky failures)
## Summary

- Add `sysdig_sso_openid` resource for OpenID Connect SSO configuration
- Add `sysdig_sso_saml` resource for SAML SSO configuration

Both resources use the `/platform/v1/sso-settings/` endpoint with
different `type` discriminators.

### sysdig_sso_openid features:
- Issuer URL with optional metadata discovery
- Client ID/Secret authentication
- Manual metadata configuration when discovery is disabled
- Additional OAuth scopes support

### sysdig_sso_saml features:
- Metadata via URL or inline XML (mutually exclusive)
- Email parameter mapping
- Security settings (signature validation, signed assertions,
destination verification, encryption)

### Common SSO features (both resources):
- Product selection (monitor/secure)
- Group mapping configuration
- Single logout support
- Auto user creation on login
- Optimistic locking via version field

## Test plan

- [ ] Run acceptance tests for OpenID: `go test ./sysdig -v -run TestAccSSOOpenID -tags=tf_acc_sysdig_secure -timeout 120m`
- [ ] Run acceptance tests for SAML: `go test ./sysdig -v -run TestAccSSOSaml -tags=tf_acc_sysdig_secure -timeout 120m`
- [ ] Verify import functionality for both resources
- [ ] Test update operations with version-based optimistic locking
…Es (#696)

## Summary

Update Go version from 1.24.4 to 1.25.7 to fix **17+ security
vulnerabilities** in the standard library, including **3 critical
RCE/code injection** vulnerabilities.

## Vulnerabilities Fixed

### Go 1.24.5 (July 2025)
| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-4674 | `cmd/go` | High | Unexpected command execution in untrusted VCS repositories |

### Go 1.24.6 (August 2025)
| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-47906 | `os/exec` | Medium | `LookPath` returns unexpected paths when PATH contains executables |
| CVE-2025-47907 | `database/sql` | Medium | Race condition in `Rows.Scan()` can overwrite parallel query results |

### Go 1.24.8 / 1.25.2 (October 2025)
| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-58186 | `net/http` | High | Memory exhaustion: no limit on number of cookies parsed |
| CVE-2025-58187 | `crypto/x509` | High | DoS: name constraint checking scales non-linearly with cert size |
| CVE-2025-61724 | `net/textproto` | Medium | CPU exhaustion in `Reader.ReadResponse` with many short lines |

### Go 1.24.11 / 1.25.5 (December 2025)
| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61727 | `crypto/x509` | High | Excluded subdomain constraints don't restrict wildcard SANs |
| CVE-2025-61729 | `crypto/x509` | Medium | DoS: `HostnameError.Error()` O(n²) string concatenation |

### Go 1.24.12 / 1.25.6 (January 2026)
| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61726 | `net/url` | High | Memory exhaustion: no limit on query parameters |
| CVE-2025-61728 | `archive/zip` | Medium | DoS: super-linear filename indexing with malicious ZIPs |
| CVE-2025-61730 | `crypto/tls` | Medium | TLS 1.3 messages processed at incorrect encryption level |
| CVE-2025-61731 | `cmd/go` | **Critical** | Arbitrary file write via `#cgo pkg-config:` directive |
| CVE-2025-68119 | `cmd/go` | **Critical** | RCE via malicious version strings in Mercurial/Git |
| CVE-2025-68121 | `crypto/tls` | High | Session hijacking: ticket keys copied in `Config.Clone()` |

### Go 1.24.13 / 1.25.7 (February 2026)
| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61732 | `cmd/cgo` | **Critical** | Code smuggling via Go/C++ comment parsing discrepancy |

## Verification

```
$ govulncheck ./...
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
```

## Test plan

- [x] `govulncheck ./...` reports 0 vulnerabilities
- [ ] CI build passes
- [ ] Unit tests pass
- [ ] Acceptance tests pass
- Add Nix flake configuration for reproducible development environment
- Include all required tools: go, terraform, goreleaser, golangci-lint,
gofumpt, pre-commit, etc.
- Update `.envrc` to automatically use the flake when nix is available
- Remove `testacc` from pre-commit hooks (too slow for local commits)
## Summary

- Use random suffixes to generate unique names in tests that create
resources with unique name constraints
- Prevents name collisions when tests run in parallel or when previous
test runs don't clean up properly

### Fixed tests:
- `resource_sysdig_secure_managed_ruleset_test.go`: Use `randomText(10)`
for managed ruleset names
- `data_source_sysdig_secure_custom_policy_test.go`: Add missing
`fmt.Sprintf` call to properly interpolate random suffix

### Root cause
Tests were using hardcoded names or format placeholders without
`fmt.Sprintf`, causing:
- `"The field 'name' must be unique per policy type"` errors
- Test failures in CI when running in parallel

Fixes:
https://github.com/sysdiglabs/terraform-provider-sysdig/actions/runs/21728344935/job/62676378457
…source (#699)

- Adds customer_id, customer_name, and customer_external_id computed
attributes to sysdig_current_user
- Clarifies sysdig_secure_tenant_external_id docs to distinguish cloud
onboarding external ID from customer-level external ID

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## Summary
- Add `hashicorp/setup-terraform@v3` step to all 4 acceptance test jobs
(`test-sysdig-secure`, `test-sysdig-monitor`, `test-ibm-monitor`,
`test-ibm-secure`)
- Uses `terraform_wrapper: false` to avoid interference with
programmatic CLI usage from Go tests
- Fixes flaky CI failures caused by `terraform-plugin-testing` trying to
dynamically download Terraform CLI from `checkpoint-api.hashicorp.com`,
which returns timeouts and 502 errors

## Context
All 3 test failures in [this CI
run](https://github.com/sysdiglabs/terraform-provider-sysdig/actions/runs/21869038206)
share the same root cause:
```
failed to find or install Terraform CLI: Get "https://checkpoint-api.hashicorp.com/v1/check/terraform?...": context deadline exceeded
```

## Test plan
- [ ] CI acceptance tests pass without checkpoint-api.hashicorp.com
availability issues
…#698)

## Summary

- Add `sysdig_sso_group_mapping` resource for managing SSO group-to-team
mappings via Platform API (`/platform/v1/group-mappings`)
- Add `sysdig_sso_group_mapping_settings` singleton resource for
no-mapping and role-conflict strategies
(`/platform/v1/group-mappings-settings`)
- Add `sysdig_sso_global_settings` per-product singleton for password
login configuration (`/platform/v1/global-sso-settings/{product}`)
- Deprecate legacy `sysdig_group_mapping` and
`sysdig_group_mapping_config` resources in favor of the new Platform API
resources
- Include acceptance tests and documentation for all three resources

Closes #694
…resources (#702)

The Sysdig Monitor API returns `type = "dashboardTemplate"` for alert
links referencing dashboard templates, but the provider only validates
`dashboard` and `runbook` as accepted values. This causes permanent
drift on every `terraform plan` for any alert with dashboard template
links, forcing users to add `lifecycle { ignore_changes }` workarounds.

This PR adds `dashboardTemplate` as an accepted link type alongside the
existing `dashboard` and `runbook` types, eliminating the state drift.

Closes #700
…#703)

`TestAccSecurePostureZone` fails intermittently in CI (IBM Secure
Acceptance Tests) at Step 3/4 with "plan was not empty" on `policy_ids`.

The test used `data.sysdig_secure_posture_policies.all.policies[0].id`
to get a policy ID, but the data source returns policies in
non-deterministic order from the API. Between apply and refresh, the
data source is re-read and `policies[0]` can resolve to a different
policy, causing drift.

This replaces the data source lookup with a test-owned
`sysdig_secure_posture_policy` resource so the ID is stable across
reads.
## Summary

The `resource_kind` field in `sysdig_secure_posture_control` only showed
a single example (`AWS_S3_BUCKET`) with no guidance on valid values for
other platforms. This left users — especially on IBM Cloud, GCP, or
Azure — guessing what to pass.

This adds per-platform examples, the CSPM API endpoint to discover all
valid kinds, and links to relevant Sysdig docs. Also fixes a stray `c`
in the import example that made it invalid.

Closes #684

---------

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
… resources (#709)

## Summary

Investigated #707 and found the reported behavior is **not
reproducible**. The Sysdig API (`us2.app.sysdig.com`) accepts
`conditionOperator: "="` and returns it unchanged — there is no
normalization to `"=="`.

Curl testing confirmed:
- `conditionOperator: "="` → **200 OK**, stored and returned as `=`
- `conditionOperator: "=="` → **422 "Wrong grammar for condition"**
(only valid for PromQL/form_based_prometheus alerts)

This PR adds acceptance test coverage for the `=` and `!=` operators
across all three affected alert types (metric, change, event) to prevent
regressions and document the expected behavior.

Closes #707
)

Fixed `TestRuleFalcoWithExceptions` to comply with stricter validator
enforcement of list field operators.

The test was failing with validation error:
```
filter error: '=' operator not supported list filters.
Location: rule: TERRAFORM TEST ... - Attach to cluster-admin Role
```

This was caused by recent deployment of stricter validators that enforce
the use of compatible operators for list fields. List fields (like
`ka.req.binding.subjects`) must use compatible operators (`in`,
`exists`, `intersects`) rather than the `=` operator.
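A plan-time check of the kind this validator enforces can be run locally before a rule is submitted, so the failure surfaces in a unit test rather than in CI. The following added example (not code from Falco, from the provider, or from this PR) tokenizes a Falco condition and flags any list field that is followed by an operator other than `in`, `exists` or `intersects`. Only `ka.req.binding.subjects` is named on the page as a list field; the set of list fields is passed in by the caller, and the operator set is taken from the commit text, so both are assumptions to extend from the Falco field reference. The two conditions below are constructed samples modelled on a cluster-admin binding rule, not the test's real condition.

```go
package main

import (
	"fmt"
	"strings"
)

// listOperators are the operators the commit names as compatible with list
// fields. Assumption: the real validator may accept more; extend as needed.
var listOperators = map[string]bool{
	"in":         true,
	"exists":     true,
	"intersects": true,
}

// operatorViolation records a list field used with an incompatible operator.
type operatorViolation struct {
	Field    string
	Operator string // empty when the field is the last token of the condition
}

func (v operatorViolation) Error() string {
	return fmt.Sprintf("filter error: '%s' operator not supported for list field %s", v.Operator, v.Field)
}

// checkListOperators scans a Falco condition and reports every list field
// that is not followed by one of listOperators. listFields is the caller's
// set of fields known to hold lists.
func checkListOperators(condition string, listFields map[string]bool) []operatorViolation {
	// Make parentheses stand-alone tokens so "(a, b)" never glues to the
	// preceding operator, then split on whitespace.
	tokens := strings.Fields(strings.NewReplacer("(", " ( ", ")", " ) ").Replace(condition))
	var violations []operatorViolation
	for i, tok := range tokens {
		if !listFields[tok] {
			continue
		}
		op := ""
		if i+1 < len(tokens) {
			op = strings.ToLower(tokens[i+1])
		}
		if !listOperators[op] {
			violations = append(violations, operatorViolation{Field: tok, Operator: op})
		}
	}
	return violations
}

func main() {
	listFields := map[string]bool{"ka.req.binding.subjects": true}

	// Constructed conditions: the first uses '=' on the list field (what the
	// stricter validator rejects), the second uses 'intersects'.
	rejected := "kevt and kcreate and ka.target.resource = clusterrolebindings and ka.req.binding.role = cluster-admin and ka.req.binding.subjects = system:anonymous"
	accepted := "kevt and kcreate and ka.target.resource = clusterrolebindings and ka.req.binding.role = cluster-admin and ka.req.binding.subjects intersects (system:anonymous, system:unauthenticated)"

	for _, c := range []string{rejected, accepted} {
		vs := checkListOperators(c, listFields)
		if len(vs) == 0 {
			fmt.Println("ok:", c)
			continue
		}
		for _, v := range vs {
			fmt.Println(v.Error())
		}
	}
}
```

The checker only looks at the token immediately after a list field, so it handles `not`, nested parentheses and the unary `exists` without needing a full Falco grammar; a field with no following operator at all is reported with an empty operator.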
- Updates the serverless agent example.
- Deletes obsolete examples related to the orchestrator.

---------

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
…tric (#710)

## Summary

Legacy metric alerts (pre-2024 API schema) store the metric identifier
in a flat `metricId` JSON field instead of the nested `metric: {id:
"..."}` object used by the current schema. When these alerts are
imported, the provider read `metric.id` as empty, making them
unmanageable — any subsequent `terraform apply` sent `metric.id = ""` to
the API, which rejected it with a cryptic `422 "Wrong grammar for
condition"`.

This PR:
- Adds a `MetricID` field to the model to capture the legacy `metricId`
JSON field
- Falls back to `metricId` in the Read path when `metric.id` is empty
- Adds `StringIsNotEmpty` validation on the `metric` schema field for a
clear plan-time error

Closes #708
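The read-path fallback and the "never send an empty metric id" rule described in this commit are easy to demonstrate with plain `encoding/json`. The following added example (not the provider's model or its Read code, and independent of the Terraform SDK) decodes a legacy payload carrying the flat `metricId`, a current payload carrying the nested `metric.id`, and a broken payload with an empty id, resolves the identifier with the fallback, and re-encodes accepted alerts in the current schema so a later update carries a populated `metric.id`. The struct and the three payloads are constructed samples; `example_metric` is a placeholder, not a real metric id.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// alertMetric is the nested object used by the current API schema.
type alertMetric struct {
	ID string `json:"id"`
}

// metricAlert is a constructed, minimal model (not the provider's own struct)
// carrying both the current nested field and the legacy flat field.
type metricAlert struct {
	Name     string       `json:"name"`
	Metric   *alertMetric `json:"metric,omitempty"`
	MetricID string       `json:"metricId,omitempty"` // legacy, pre-2024 schema
}

// effectiveMetricID prefers metric.id and falls back to the legacy metricId,
// mirroring the Read-path fallback the commit describes.
func (a metricAlert) effectiveMetricID() string {
	if a.Metric != nil && a.Metric.ID != "" {
		return a.Metric.ID
	}
	return a.MetricID
}

// normalized returns a copy expressed only in the current schema, so an
// update never sends metric.id = "" (the request the API rejects with 422).
func (a metricAlert) normalized() metricAlert {
	a.Metric = &alertMetric{ID: a.effectiveMetricID()}
	a.MetricID = ""
	return a
}

// parseAlert decodes a payload and resolves its metric id, failing when
// neither field carries a value; this is the plan-time error the commit
// adds instead of a cryptic API rejection later.
func parseAlert(raw []byte) (metricAlert, string, error) {
	var a metricAlert
	if err := json.Unmarshal(raw, &a); err != nil {
		return a, "", err
	}
	id := a.effectiveMetricID()
	if id == "" {
		return a, "", fmt.Errorf("alert %q: metric id is empty in both metric.id and metricId", a.Name)
	}
	return a, id, nil
}

// toCurrentSchema re-encodes any accepted payload in the current schema.
func toCurrentSchema(raw []byte) ([]byte, error) {
	a, _, err := parseAlert(raw)
	if err != nil {
		return nil, err
	}
	return json.Marshal(a.normalized())
}

// Constructed sample payloads; "example_metric" is a placeholder id.
const (
	legacyPayload  = `{"name":"cpu-legacy","metricId":"example_metric"}`
	currentPayload = `{"name":"cpu-current","metric":{"id":"example_metric"}}`
	brokenPayload  = `{"name":"cpu-broken","metric":{"id":""}}`
)

func main() {
	for _, p := range []string{legacyPayload, currentPayload, brokenPayload} {
		out, err := toCurrentSchema([]byte(p))
		if err != nil {
			fmt.Println("rejected:", err)
			continue
		}
		fmt.Println("normalized:", string(out))
	}
}
```

Both the legacy and the current payload normalize to `{"name":...,"metric":{"id":"example_metric"}}`; the broken one is rejected before anything is sent to the API.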
…` resources (#714)

In onprem installations, regular sso settings are not usable, but users
should use system sso settings for the same purpose.

System sso settings are identical to regular sso settings but they work
at a different permission level.

For this reason, we introduce a new attribute, `is_system`, to let
onprem users create system sso settings.
Copilot AI review requested due to automatic review settings March 5, 2026 09:24
@fcracker79 (Contributor, Author)

Messed up something.

Copilot AI (Contributor) left a comment


Pull request overview

Adds new Platform API-backed SSO resources (SAML/OpenID, group mappings, and global/group-mapping settings) and rounds out onboarding/response-actions validation work with accompanying docs, tests, and CI/dev tooling updates.

Changes:

- Introduces new SSO Terraform resources (SAML, OpenID Connect, group mapping, group mapping settings, global settings) with v2 client support and acceptance tests.
- Extends alerting + onboarding related behavior (dashboardTemplate alert links, additional alert operators, metric field validation, current_user customer fields) and updates docs accordingly.
- Updates repo tooling/ops (dynamic acceptance test matrix in GitHub Actions, Nix flake dev shell, CODEOWNERS, examples cleanup/refresh).

Reviewed changes

Copilot reviewed 81 out of 85 changed files in this pull request and generated 2 comments.

Summary per file

| File | Description |
|------|-------------|
| website/docs/r/sso_saml.md | New registry docs for sysdig_sso_saml. |
| website/docs/r/sso_openid.md | New registry docs for sysdig_sso_openid. |
| website/docs/r/sso_group_mapping_settings.md | New registry docs for singleton group-mapping settings. |
| website/docs/r/sso_group_mapping.md | New registry docs for SSO group mappings. |
| website/docs/r/sso_global_settings.md | New registry docs for per-product global SSO settings singleton. |
| website/docs/r/secure_posture_control.md | Expands resource_kind documentation and fixes import example. |
| website/docs/r/monitor_alert_v2_prometheus.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_metric.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_group_outlier.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_form_based_prometheus.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_event.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_downtime.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_change.md | Documents dashboardTemplate link type. |
| website/docs/d/secure_tenant_external_id.md | Clarifies "cloud onboarding external ID" vs customer external ID. |
| website/docs/d/current_user.md | Documents new customer fields on sysdig_current_user. |
| sysdig/resource_sysdig_sso_saml_test.go | New acceptance tests for SAML SSO (SaaS). |
| sysdig/resource_sysdig_sso_saml_onprem_test.go | New acceptance tests for SAML SSO (on-prem). |
| sysdig/resource_sysdig_sso_saml.go | New sysdig_sso_saml resource implementation. |
| sysdig/resource_sysdig_sso_openid_test.go | New acceptance tests for OpenID SSO (SaaS). |
| sysdig/resource_sysdig_sso_openid_onprem_test.go | New acceptance tests for OpenID SSO (on-prem). |
| sysdig/resource_sysdig_sso_openid.go | New sysdig_sso_openid resource implementation. |
| sysdig/resource_sysdig_sso_group_mapping_test.go | New acceptance tests for sysdig_sso_group_mapping. |
| sysdig/resource_sysdig_sso_group_mapping_settings_test.go | New acceptance tests for sysdig_sso_group_mapping_settings. |
| sysdig/resource_sysdig_sso_group_mapping_settings.go | New singleton settings resource implementation. |
| sysdig/resource_sysdig_sso_group_mapping.go | New SSO group mapping resource implementation. |
| sysdig/resource_sysdig_sso_global_settings_test.go | New acceptance tests for sysdig_sso_global_settings. |
| sysdig/resource_sysdig_sso_global_settings.go | New global SSO settings resource implementation. |
| sysdig/resource_sysdig_secure_team.go | Tightens plan-value checks (IsKnown) for zones/all_zones validation. |
| sysdig/resource_sysdig_secure_rule_falco_test.go | Removes some exceptions blocks from an acceptance test fixture. |
| sysdig/resource_sysdig_secure_posture_zone_test.go | Updates posture zone test to create a policy resource instead of relying on a data source. |
| sysdig/resource_sysdig_secure_managed_ruleset_test.go | Stabilizes/randomizes managed ruleset names via shared helper. |
| sysdig/resource_sysdig_secure_cloud_auth_account_test.go | Adjusts build tags/formatting for acceptance test file. |
| sysdig/resource_sysdig_secure_cloud_auth_account_feature.go | Changes components field to TypeSet and adapts read/write logic. |
| sysdig/resource_sysdig_secure_cloud_auth_account.go | Changes account components field to TypeSet and adapts update logic. |
| sysdig/resource_sysdig_monitor_alert_v2_metric_test.go | Adds acceptance coverage for =/!= operators and empty metric validation. |
| sysdig/resource_sysdig_monitor_alert_v2_metric.go | Validates non-empty metric and adds metric ID fallback when API omits Metric.ID. |
| sysdig/resource_sysdig_monitor_alert_v2_event_test.go | Adds acceptance coverage for =/!= operators. |
| sysdig/resource_sysdig_monitor_alert_v2_common.go | Allows dashboardTemplate as an alert link type. |
| sysdig/resource_sysdig_monitor_alert_v2_change_test.go | Adds acceptance coverage for =/!= operators. |
| sysdig/resource_sysdig_group_mapping_config.go | Deprecates legacy group mapping config resource in favor of SSO settings resource. |
| sysdig/resource_sysdig_group_mapping.go | Deprecates legacy group mapping resource in favor of SSO group mapping. |
| sysdig/provider.go | Registers new SSO resources. |
| sysdig/internal/client/v2/sysdig.go | Extends common client interface with new SSO interfaces. |
| sysdig/internal/client/v2/sso_saml.go | Adds v2 client endpoints for SAML SSO settings. |
| sysdig/internal/client/v2/sso_openid.go | Adds v2 client endpoints for OpenID SSO settings. |
| sysdig/internal/client/v2/sso_group_mapping_settings.go | Adds v2 client endpoints for group mapping settings. |
| sysdig/internal/client/v2/sso_group_mapping.go | Adds v2 client endpoints for group mappings. |
| sysdig/internal/client/v2/sso_global_settings.go | Adds v2 client endpoints for global SSO settings. |
| sysdig/internal/client/v2/model.go | Adds models for SSO resources, customer info on user, and metricId fallback field. |
| sysdig/internal/client/v2/alerts_v2.go | Adds dashboardTemplate link type constant. |
| sysdig/data_source_sysdig_user_test.go | Makes user test email unique to reduce collisions. |
| sysdig/data_source_sysdig_secure_rule_stateful_count_test.go | Makes rule-count assertion resilient (>=) instead of exact match. |
| sysdig/data_source_sysdig_secure_custom_policy_test.go | Fixes formatting + uses stable policy naming for data source test. |
| sysdig/data_source_sysdig_current_user_test.go | Adds acceptance assertion for new customer_id field. |
| sysdig/data_source_sysdig_current_user.go | Exposes customer fields on sysdig_current_user. |
| go.mod | Updates Go version directive. |
| flake.nix | Adds Nix flake dev shell for Go/Terraform tooling + pre-commit. |
| flake.lock | Locks flake inputs. |
| examples/serverless-agent/fargate/workload/versions.tf | Removes old example file (deleted). |
| examples/serverless-agent/fargate/workload/providers.tf | Removes old example file (deleted). |
| examples/serverless-agent/fargate/workload/output.tf | Removes old example file (deleted). |
| examples/serverless-agent/fargate/workload/README.md | Removes old example file (deleted). |
| examples/serverless-agent/fargate/workload-legacy/versions.tf | Removes legacy example file (deleted). |
| examples/serverless-agent/fargate/workload-legacy/variables.tf | Removes legacy example file (deleted). |
| examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf | Removes legacy example file (deleted). |
| examples/serverless-agent/fargate/workload-legacy/README.md | Removes legacy example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/variables.tf | Removes orchestrator example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/providers.tf | Removes orchestrator example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/output.tf | Removes orchestrator example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/orchestrator.tf | Removes orchestrator example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/README.md | Removes orchestrator example file (deleted). |
| examples/serverless-agent/ecs-fargate/versions.tf | Updates example provider constraints. |
| examples/serverless-agent/ecs-fargate/variables.tf | Simplifies/updates example variables (subnet handling, defaults). |
| examples/serverless-agent/ecs-fargate/resources.tf | Updates example resources (log group naming, sizing, subnet list). |
| examples/serverless-agent/ecs-fargate/providers.tf | Adds explicit AWS provider config back to example. |
| examples/serverless-agent/ecs-fargate/output.tf | Adds outputs to example. |
| examples/serverless-agent/ecs-fargate/README.md | Adds refreshed example documentation. |
| CODEOWNERS | Updates ownership mappings. |
| CLAUDE.md | Adds agent entrypoint referencing AGENTS.md. |
| AGENTS.md | Adds detailed agent/developer guidance for this repo. |
| .pre-commit-config.yaml | Removes pre-commit acceptance-test hook. |
| .github/workflows/test.yml | Refactors CI to dynamically shard Sysdig acceptance tests by file. |
| .github/workflows/ci.yml | Adds merge_group trigger. |
| .envrc | Enables Nix flake usage and reorders TF_ACC/TF_LOG exports. |


Comment on lines +74 to +80
```go
		_ = d.Set("customer_id", user.Customer.ID)
		_ = d.Set("customer_name", user.Customer.Name)
		_ = d.Set("customer_external_id", user.Customer.ExternalID)
	} else {
		_ = d.Set("customer_id", nil)
		_ = d.Set("customer_name", nil)
		_ = d.Set("customer_external_id", nil)
```
Copilot AI, Mar 5, 2026

In the else branch, d.Set is called with nil for customer_id/customer_name/customer_external_id. For SDK v2 schemas like TypeInt/TypeString, setting nil typically returns an error (and here it is ignored), which can leave stale values in state. Prefer either omitting the Set calls when user.Customer is nil, or setting explicit zero/empty values and handling any returned errors.

Suggested change (replacing lines 74 to 80 quoted above):

```go
		if err := d.Set("customer_id", user.Customer.ID); err != nil {
			return diag.FromErr(err)
		}
		if err := d.Set("customer_name", user.Customer.Name); err != nil {
			return diag.FromErr(err)
		}
		if err := d.Set("customer_external_id", user.Customer.ExternalID); err != nil {
			return diag.FromErr(err)
		}
	} else {
		if err := d.Set("customer_id", 0); err != nil {
			return diag.FromErr(err)
		}
		if err := d.Set("customer_name", ""); err != nil {
			return diag.FromErr(err)
		}
		if err := d.Set("customer_external_id", ""); err != nil {
			return diag.FromErr(err)
		}
```

Comment on lines +34 to +45
```go
		"metadata_url": {
			Type:         schema.TypeString,
			Optional:     true,
			Description:  "The URL to fetch SAML metadata from the IdP",
			ExactlyOneOf: []string{"metadata_url", "metadata_xml"},
		},
		"metadata_xml": {
			Type:         schema.TypeString,
			Optional:     true,
			Description:  "The raw SAML metadata XML from the IdP",
			ExactlyOneOf: []string{"metadata_url", "metadata_xml"},
		},
```
Copilot AI, Mar 5, 2026

metadata_url/metadata_xml are mutually exclusive via ExactlyOneOf, but empty strings can still satisfy the constraint (e.g., metadata_url = ""), leading to an API request with invalid metadata. Add a non-empty validation (e.g., validation.StringIsNotEmpty) to both fields so the provider fails fast with a clear error before calling the API.
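The gap the reviewer points at is that `ExactlyOneOf` counts an attribute as set even when its value is `""`. The following added example (not the provider's code and independent of the Terraform SDK) shows the stricter rule in plain Go: an empty or whitespace-only string is treated as unset, exactly one of the two inputs must carry a value, and, as an extra defensive assumption not stated on the page, the URL must be absolute HTTPS and inline metadata must be well-formed XML so a malformed IdP configuration is rejected before any API call. The host `idp.example.com` in the sample calls is a placeholder.

```go
package main

import (
	"encoding/xml"
	"errors"
	"fmt"
	"io"
	"net/url"
	"strings"
)

// validateSAMLMetadata enforces "exactly one non-empty source of metadata".
// Unlike a schema-level ExactlyOneOf, an empty string does not satisfy it.
func validateSAMLMetadata(metadataURL, metadataXML string) error {
	hasURL := strings.TrimSpace(metadataURL) != ""
	hasXML := strings.TrimSpace(metadataXML) != ""
	switch {
	case hasURL && hasXML:
		return errors.New("metadata_url and metadata_xml are mutually exclusive")
	case !hasURL && !hasXML:
		return errors.New("one of metadata_url or metadata_xml must be set to a non-empty value")
	}

	if hasURL {
		// Assumption: IdP metadata should only be fetched over HTTPS.
		u, err := url.Parse(metadataURL)
		if err != nil {
			return fmt.Errorf("metadata_url: %w", err)
		}
		if u.Scheme != "https" || u.Host == "" {
			return fmt.Errorf("metadata_url must be an absolute https URL, got %q", metadataURL)
		}
		return nil
	}

	// Well-formedness check for inline XML: walk every token; the strict
	// decoder reports unclosed elements and similar damage as an error.
	dec := xml.NewDecoder(strings.NewReader(metadataXML))
	for {
		_, err := dec.Token()
		if err == io.EOF {
			return nil
		}
		if err != nil {
			return fmt.Errorf("metadata_xml is not well-formed XML: %w", err)
		}
	}
}

func main() {
	// Constructed inputs; idp.example.com is a placeholder host.
	cases := []struct{ url, xml string }{
		{"", ""},                                                   // both empty: passes ExactlyOneOf, fails here
		{"https://idp.example.com/metadata", "<EntityDescriptor/>"}, // both set
		{"https://idp.example.com/metadata", ""},                   // valid URL
		{"http://idp.example.com/metadata", ""},                    // plain http
		{"", "<EntityDescriptor/>"},                                // valid inline XML
		{"", "<EntityDescriptor>"},                                 // unclosed element
	}
	for _, c := range cases {
		fmt.Printf("url=%q xml=%q -> %v\n", c.url, c.xml, validateSAMLMetadata(c.url, c.xml))
	}
}
```

The XML check only proves well-formedness, not that the document is an `EntityDescriptor` with a usable signing certificate; that remains the API's job, but catching empty or truncated input locally gives the user a clear plan-time error instead of an opaque API failure.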
