feat(response actions) Onboarding full validation [SSPROD-64190] #716
fcracker79 wants to merge 25 commits into master from
Conversation
These tests are running as part of the Monitor backend deployments to integration environments, and they should not. They are failing and causing noise, so let's remove them from this suite.
… (#690)

## Summary

- Change `components` field from `TypeList` to `TypeSet` in cloud auth account feature schema
- Update code that reads components to handle `*schema.Set` instead of `[]any`

## Problem

The `components` field in `sysdig_secure_cloud_auth_account` features was defined as `TypeList`. However, the API returns components in arbitrary order. This caused Terraform to detect spurious changes on every plan:

```
# sysdig_secure_cloud_auth_account.example will be updated in-place
~ resource "sysdig_secure_cloud_auth_account" "example" {
    - feature {
        - secure_threat_detection {
            - components = [
                - "COMPONENT_WEBHOOK_DATASOURCE/secure-runtime",
                - "COMPONENT_SERVICE_PRINCIPAL/secure-runtime",
              ] -> null
          }
      }
    + feature {
        + secure_threat_detection {
            + components = [
                + "COMPONENT_SERVICE_PRINCIPAL/secure-runtime",
                + "COMPONENT_WEBHOOK_DATASOURCE/secure-runtime",
              ]
          }
      }
  }
```

## Solution

Change the schema type from `TypeList` to `TypeSet`. Sets compare elements regardless of order, which matches the API's behavior.

## Files Changed

- `sysdig/resource_sysdig_secure_cloud_auth_account.go`
- `sysdig/resource_sysdig_secure_cloud_auth_account_feature.go`
…ch resources (#689)

## Summary

- Fix provider crash when `sysdig_secure_team.zone_ids` references IDs from `sysdig_secure_zone` resources created with `for_each`
- Add `IsKnown()` checks before calling `AsValueSlice()` and `True()` on cty values in `CustomizeDiff`

## Problem

When using dynamic zone wiring like this:

```hcl
resource "sysdig_secure_zone" "zones" {
  for_each = local.teams
  name     = "Zone-${each.key}"
  # ...
}

resource "sysdig_secure_team" "teams" {
  for_each = local.teams
  name     = "Team-${each.key}"
  zone_ids = [sysdig_secure_zone.zones[each.key].id]
}
```

The provider panics during `terraform plan`:

```
panic: value is not known
github.com/hashicorp/go-cty/cty.Value.AsValueSlice(...)
github.com/draios/terraform-provider-sysdig/sysdig/resource_sysdig_secure_team.go:34
```

## Root Cause

In `CustomizeDiff`, the code calls `AsValueSlice()` and `True()` on cty values without checking if they are known first. When `zone_ids` depends on resources being created in the same plan (via `for_each`), the value is `cty.UnknownVal(cty.List(cty.Number))`. Calling `AsValueSlice()` on an unknown value causes a panic.

## Solution

Add `IsKnown()` checks before accessing cty values:

```go
// Before
if !zoneIDsPlan.IsNull() && len(zoneIDsPlan.AsValueSlice()) > 0 {

// After
if !zoneIDsPlan.IsNull() && zoneIDsPlan.IsKnown() && len(zoneIDsPlan.AsValueSlice()) > 0 {
```

When values are unknown during plan, the validation is safely skipped and will execute during apply when values become known.
…#693)

## Summary

Replace individual user mentions (@airadier, @tembleking, @mateobur) with the @sysdiglabs/sysdig-training team for easier maintenance and team-based code ownership.

## Changes

All occurrences of `@airadier @tembleking @mateobur` have been replaced with `@sysdiglabs/sysdig-training`.
## Summary

Parallelize Sysdig acceptance tests by running each test file in its own GitHub Actions job using dynamic matrix strategy. **IBM tests remain sequential due to API rate limiting issues.**

## Changes

| Suite | Before | After |
|-------|--------|-------|
| Sysdig Secure | 1 sequential job | Dynamic matrix (max 20 concurrent), fail-fast |
| Sysdig Monitor | 1 sequential job | Dynamic matrix (max 20 concurrent), fail-fast |
| IBM Monitor | 1 sequential job | No change (sequential) |
| IBM Secure | 1 sequential job | No change (sequential) |

## How it works

1. `list-*-tests` jobs discover test files by searching for build tags (`tf_acc_sysdig_secure`, `tf_acc_sysdig_monitor`)
2. Each file's tests run in parallel using `-run` flag to filter by test name
3. `fail-fast: true` stops the matrix early if any test fails
4. Aggregator jobs (`sysdig-secure-result`, `sysdig-monitor-result`) collect results for required status checks
5. IBM tests remain sequential to avoid API rate limiting (500/504 errors with parallelization)

## Additional changes

- Add `merge_group` trigger to `ci.yml` for merge queue support
- Handle empty grep results gracefully in list jobs
- Fix `data_source_sysdig_user_test` to use random email suffix (avoid collisions in parallel runs)
- Fix `data_source_sysdig_secure_rule_stateful_count_test` to check `rule_count >= 2` instead of exact match (avoid flaky failures)
## Summary

- Add `sysdig_sso_openid` resource for OpenID Connect SSO configuration
- Add `sysdig_sso_saml` resource for SAML SSO configuration

Both resources use the `/platform/v1/sso-settings/` endpoint with different `type` discriminators.

### sysdig_sso_openid features:

- Issuer URL with optional metadata discovery
- Client ID/Secret authentication
- Manual metadata configuration when discovery is disabled
- Additional OAuth scopes support

### sysdig_sso_saml features:

- Metadata via URL or inline XML (mutually exclusive)
- Email parameter mapping
- Security settings (signature validation, signed assertions, destination verification, encryption)

### Common SSO features (both resources):

- Product selection (monitor/secure)
- Group mapping configuration
- Single logout support
- Auto user creation on login
- Optimistic locking via version field

## Test plan

- [ ] Run acceptance tests for OpenID: `go test ./sysdig -v -run TestAccSSOOpenID -tags=tf_acc_sysdig_secure -timeout 120m`
- [ ] Run acceptance tests for SAML: `go test ./sysdig -v -run TestAccSSOSaml -tags=tf_acc_sysdig_secure -timeout 120m`
- [ ] Verify import functionality for both resources
- [ ] Test update operations with version-based optimistic locking
…Es (#696)

## Summary

Update Go version from 1.24.4 to 1.25.7 to fix **17+ security vulnerabilities** in the standard library, including **3 critical RCE/code injection** vulnerabilities.

## Vulnerabilities Fixed

### Go 1.24.5 (July 2025)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-4674 | `cmd/go` | High | Unexpected command execution in untrusted VCS repositories |

### Go 1.24.6 (August 2025)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-47906 | `os/exec` | Medium | `LookPath` returns unexpected paths when PATH contains executables |
| CVE-2025-47907 | `database/sql` | Medium | Race condition in `Rows.Scan()` can overwrite parallel query results |

### Go 1.24.8 / 1.25.2 (October 2025)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-58186 | `net/http` | High | Memory exhaustion: no limit on number of cookies parsed |
| CVE-2025-58187 | `crypto/x509` | High | DoS: name constraint checking scales non-linearly with cert size |
| CVE-2025-61724 | `net/textproto` | Medium | CPU exhaustion in `Reader.ReadResponse` with many short lines |

### Go 1.24.11 / 1.25.5 (December 2025)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61727 | `crypto/x509` | High | Excluded subdomain constraints don't restrict wildcard SANs |
| CVE-2025-61729 | `crypto/x509` | Medium | DoS: `HostnameError.Error()` O(n²) string concatenation |

### Go 1.24.12 / 1.25.6 (January 2026)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61726 | `net/url` | High | Memory exhaustion: no limit on query parameters |
| CVE-2025-61728 | `archive/zip` | Medium | DoS: super-linear filename indexing with malicious ZIPs |
| CVE-2025-61730 | `crypto/tls` | Medium | TLS 1.3 messages processed at incorrect encryption level |
| CVE-2025-61731 | `cmd/go` | **Critical** | Arbitrary file write via `#cgo pkg-config:` directive |
| CVE-2025-68119 | `cmd/go` | **Critical** | RCE via malicious version strings in Mercurial/Git |
| CVE-2025-68121 | `crypto/tls` | High | Session hijacking: ticket keys copied in `Config.Clone()` |

### Go 1.24.13 / 1.25.7 (February 2026)

| CVE | Component | Severity | Description |
|-----|-----------|----------|-------------|
| CVE-2025-61732 | `cmd/cgo` | **Critical** | Code smuggling via Go/C++ comment parsing discrepancy |

## Verification

```
$ govulncheck ./...
=== Symbol Results ===
No vulnerabilities found.
Your code is affected by 0 vulnerabilities.
```

## Test plan

- [x] `govulncheck ./...` reports 0 vulnerabilities
- [ ] CI build passes
- [ ] Unit tests pass
- [ ] Acceptance tests pass
- Add Nix flake configuration for reproducible development environment
- Include all required tools: go, terraform, goreleaser, golangci-lint, gofumpt, pre-commit, etc.
- Update `.envrc` to automatically use the flake when nix is available
- Remove `testacc` from pre-commit hooks (too slow for local commits)
## Summary

- Use random suffixes to generate unique names in tests that create resources with unique name constraints
- Prevents name collisions when tests run in parallel or when previous test runs don't clean up properly

### Fixed tests:

- `resource_sysdig_secure_managed_ruleset_test.go`: Use `randomText(10)` for managed ruleset names
- `data_source_sysdig_secure_custom_policy_test.go`: Add missing `fmt.Sprintf` call to properly interpolate random suffix

### Root cause

Tests were using hardcoded names or format placeholders without `fmt.Sprintf`, causing:

- `"The field 'name' must be unique per policy type"` errors
- Test failures in CI when running in parallel

Fixes: https://github.com/sysdiglabs/terraform-provider-sysdig/actions/runs/21728344935/job/62676378457
…source (#699)

- Adds customer_id, customer_name, and customer_external_id computed attributes to sysdig_current_user
- Clarifies sysdig_secure_tenant_external_id docs to distinguish cloud onboarding external ID from customer-level external ID

---------

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
## Summary

- Add `hashicorp/setup-terraform@v3` step to all 4 acceptance test jobs (`test-sysdig-secure`, `test-sysdig-monitor`, `test-ibm-monitor`, `test-ibm-secure`)
- Uses `terraform_wrapper: false` to avoid interference with programmatic CLI usage from Go tests
- Fixes flaky CI failures caused by `terraform-plugin-testing` trying to dynamically download Terraform CLI from `checkpoint-api.hashicorp.com`, which returns timeouts and 502 errors

## Context

All 3 test failures in [this CI run](https://github.com/sysdiglabs/terraform-provider-sysdig/actions/runs/21869038206) share the same root cause:

```
failed to find or install Terraform CLI: Get "https://checkpoint-api.hashicorp.com/v1/check/terraform?...": context deadline exceeded
```

## Test plan

- [ ] CI acceptance tests pass without checkpoint-api.hashicorp.com availability issues
…#698)

## Summary

- Add `sysdig_sso_group_mapping` resource for managing SSO group-to-team mappings via Platform API (`/platform/v1/group-mappings`)
- Add `sysdig_sso_group_mapping_settings` singleton resource for no-mapping and role-conflict strategies (`/platform/v1/group-mappings-settings`)
- Add `sysdig_sso_global_settings` per-product singleton for password login configuration (`/platform/v1/global-sso-settings/{product}`)
- Deprecate legacy `sysdig_group_mapping` and `sysdig_group_mapping_config` resources in favor of the new Platform API resources
- Include acceptance tests and documentation for all three resources

Closes #694
…resources (#702) The Sysdig Monitor API returns `type = "dashboardTemplate"` for alert links referencing dashboard templates, but the provider only validates `dashboard` and `runbook` as accepted values. This causes permanent drift on every `terraform plan` for any alert with dashboard template links, forcing users to add `lifecycle { ignore_changes }` workarounds. This PR adds `dashboardTemplate` as an accepted link type alongside the existing `dashboard` and `runbook` types, eliminating the state drift. Closes #700
…#703) `TestAccSecurePostureZone` fails intermittently in CI (IBM Secure Acceptance Tests) at Step 3/4 with "plan was not empty" on `policy_ids`. The test used `data.sysdig_secure_posture_policies.all.policies[0].id` to get a policy ID, but the data source returns policies in non-deterministic order from the API. Between apply and refresh, the data source is re-read and `policies[0]` can resolve to a different policy, causing drift. This replaces the data source lookup with a test-owned `sysdig_secure_posture_policy` resource so the ID is stable across reads.
## Summary The `resource_kind` field in `sysdig_secure_posture_control` only showed a single example (`AWS_S3_BUCKET`) with no guidance on valid values for other platforms. This left users — especially on IBM Cloud, GCP, or Azure — guessing what to pass. This adds per-platform examples, the CSPM API endpoint to discover all valid kinds, and links to relevant Sysdig docs. Also fixes a stray `c` in the import example that made it invalid. Closes #684 --------- Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>
… resources (#709)

## Summary

Investigated #707 and found the reported behavior is **not reproducible**. The Sysdig API (`us2.app.sysdig.com`) accepts `conditionOperator: "="` and returns it unchanged — there is no normalization to `"=="`.

Curl testing confirmed:

- `conditionOperator: "="` → **200 OK**, stored and returned as `=`
- `conditionOperator: "=="` → **422 "Wrong grammar for condition"** (only valid for PromQL/form_based_prometheus alerts)

This PR adds acceptance test coverage for the `=` and `!=` operators across all three affected alert types (metric, change, event) to prevent regressions and document the expected behavior.

Closes #707
…)

Fixed `TestRuleFalcoWithExceptions` to comply with stricter validator enforcement of list field operators. The test was failing with validation error:

```
filter error: '=' operator not supported list filters. Location: rule: TERRAFORM TEST ... - Attach to cluster-admin Role
```

This was caused by recent deployment of stricter validators that enforce the use of compatible operators for list fields. List fields (like `ka.req.binding.subjects`) must use compatible operators (`in`, `exists`, `intersects`) rather than the `=` operator.
- Updates the serverless agent example.
- Deletes obsolete examples related to the orchestrator.

---------

Signed-off-by: francesco-racciatti <francesco.racciatti@sysdig.com>
…tric (#710)

## Summary

Legacy metric alerts (pre-2024 API schema) store the metric identifier in a flat `metricId` JSON field instead of the nested `metric: {id: "..."}` object used by the current schema. When these alerts are imported, the provider read `metric.id` as empty, making them unmanageable — any subsequent `terraform apply` sent `metric.id = ""` to the API, which rejected it with a cryptic `422 "Wrong grammar for condition"`.

This PR:

- Adds a `MetricID` field to the model to capture the legacy `metricId` JSON field
- Falls back to `metricId` in the Read path when `metric.id` is empty
- Adds `StringIsNotEmpty` validation on the `metric` schema field for a clear plan-time error

Closes #708
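The fallback described in the commit above, as an added stdlib-only Go sketch (not the provider's code): a trimmed, hypothetical alert model that decodes both the current `metric.id` shape and the legacy flat `metricId`, resolves a single identifier with a clear error when both are empty, and normalizes the payload so a write never sends `metric.id = ""`. The type names, helper functions and sample payloads are constructed for this illustration.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// metricRef mirrors the nested "metric" object of the current alert schema.
type metricRef struct {
	ID string `json:"id"`
}

// alertModel is a hypothetical, trimmed stand-in for the provider's alert model.
// MetricID captures the flat "metricId" field that legacy (pre-2024) alerts carry.
type alertModel struct {
	Name     string     `json:"name"`
	Metric   *metricRef `json:"metric,omitempty"`
	MetricID string     `json:"metricId,omitempty"`
}

// resolveMetricID returns the metric identifier, preferring the current schema and
// falling back to the legacy flat field; an empty result is an error rather than "".
func resolveMetricID(a alertModel) (string, error) {
	if a.Metric != nil && a.Metric.ID != "" {
		return a.Metric.ID, nil
	}
	if a.MetricID != "" {
		return a.MetricID, nil
	}
	return "", errors.New("alert has no metric identifier in metric.id or metricId")
}

// parseAlert decodes an API payload (Read path) and resolves the metric id.
func parseAlert(payload []byte) (alertModel, string, error) {
	var a alertModel
	if err := json.Unmarshal(payload, &a); err != nil {
		return a, "", err
	}
	id, err := resolveMetricID(a)
	return a, id, err
}

// writePayload builds the body for the current API schema: the id goes into
// metric.id and the legacy flat field is dropped so the two can never disagree.
// The empty-id case is rejected locally instead of surfacing as an opaque 422.
func writePayload(a alertModel) ([]byte, error) {
	id, err := resolveMetricID(a)
	if err != nil {
		return nil, err
	}
	a.Metric = &metricRef{ID: id}
	a.MetricID = ""
	return json.Marshal(a)
}

// Constructed sample payloads (not captured from the Sysdig API).
const (
	currentAlertJSON = `{"name":"cpu","metric":{"id":"cpu.used.percent"}}`
	legacyAlertJSON  = `{"name":"cpu-legacy","metricId":"cpu.used.percent"}`
	brokenAlertJSON  = `{"name":"broken","metric":{"id":""}}`
)

func main() {
	for _, p := range []string{currentAlertJSON, legacyAlertJSON, brokenAlertJSON} {
		a, id, err := parseAlert([]byte(p))
		fmt.Printf("read  %-10s id=%q err=%v\n", a.Name, id, err)
		if body, werr := writePayload(a); werr == nil {
			fmt.Printf("write %-10s %s\n", a.Name, body)
		}
	}
}
```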
…` resources (#714)

In onprem installations regular SSO settings are not usable, but users should use system SSO settings for the same purpose. System SSO settings are identical to regular SSO settings but they work at a different permission level. For this reason, we introduce a new attribute, `is_system`, to let onprem users create system SSO settings.
Messed up something.
Pull request overview
Adds new Platform API-backed SSO resources (SAML/OpenID, group mappings, and global/group-mapping settings) and rounds out onboarding/response-actions validation work with accompanying docs, tests, and CI/dev tooling updates.
Changes:
- Introduces new SSO Terraform resources (SAML, OpenID Connect, group mapping, group mapping settings, global settings) with v2 client support and acceptance tests.
- Extends alerting + onboarding related behavior (dashboardTemplate alert links, additional alert operators, metric field validation, current_user customer fields) and updates docs accordingly.
- Updates repo tooling/ops (dynamic acceptance test matrix in GitHub Actions, Nix flake dev shell, CODEOWNERS, examples cleanup/refresh).
Reviewed changes
Copilot reviewed 81 out of 85 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| website/docs/r/sso_saml.md | New registry docs for sysdig_sso_saml. |
| website/docs/r/sso_openid.md | New registry docs for sysdig_sso_openid. |
| website/docs/r/sso_group_mapping_settings.md | New registry docs for singleton group-mapping settings. |
| website/docs/r/sso_group_mapping.md | New registry docs for SSO group mappings. |
| website/docs/r/sso_global_settings.md | New registry docs for per-product global SSO settings singleton. |
| website/docs/r/secure_posture_control.md | Expands resource_kind documentation and fixes import example. |
| website/docs/r/monitor_alert_v2_prometheus.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_metric.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_group_outlier.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_form_based_prometheus.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_event.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_downtime.md | Documents dashboardTemplate link type. |
| website/docs/r/monitor_alert_v2_change.md | Documents dashboardTemplate link type. |
| website/docs/d/secure_tenant_external_id.md | Clarifies “cloud onboarding external ID” vs customer external ID. |
| website/docs/d/current_user.md | Documents new customer fields on sysdig_current_user. |
| sysdig/resource_sysdig_sso_saml_test.go | New acceptance tests for SAML SSO (SaaS). |
| sysdig/resource_sysdig_sso_saml_onprem_test.go | New acceptance tests for SAML SSO (on-prem). |
| sysdig/resource_sysdig_sso_saml.go | New sysdig_sso_saml resource implementation. |
| sysdig/resource_sysdig_sso_openid_test.go | New acceptance tests for OpenID SSO (SaaS). |
| sysdig/resource_sysdig_sso_openid_onprem_test.go | New acceptance tests for OpenID SSO (on-prem). |
| sysdig/resource_sysdig_sso_openid.go | New sysdig_sso_openid resource implementation. |
| sysdig/resource_sysdig_sso_group_mapping_test.go | New acceptance tests for sysdig_sso_group_mapping. |
| sysdig/resource_sysdig_sso_group_mapping_settings_test.go | New acceptance tests for sysdig_sso_group_mapping_settings. |
| sysdig/resource_sysdig_sso_group_mapping_settings.go | New singleton settings resource implementation. |
| sysdig/resource_sysdig_sso_group_mapping.go | New SSO group mapping resource implementation. |
| sysdig/resource_sysdig_sso_global_settings_test.go | New acceptance tests for sysdig_sso_global_settings. |
| sysdig/resource_sysdig_sso_global_settings.go | New global SSO settings resource implementation. |
| sysdig/resource_sysdig_secure_team.go | Tightens plan-value checks (IsKnown) for zones/all_zones validation. |
| sysdig/resource_sysdig_secure_rule_falco_test.go | Removes some exceptions blocks from an acceptance test fixture. |
| sysdig/resource_sysdig_secure_posture_zone_test.go | Updates posture zone test to create a policy resource instead of relying on a data source. |
| sysdig/resource_sysdig_secure_managed_ruleset_test.go | Stabilizes/randomizes managed ruleset names via shared helper. |
| sysdig/resource_sysdig_secure_cloud_auth_account_test.go | Adjusts build tags/formatting for acceptance test file. |
| sysdig/resource_sysdig_secure_cloud_auth_account_feature.go | Changes components field to TypeSet and adapts read/write logic. |
| sysdig/resource_sysdig_secure_cloud_auth_account.go | Changes account components field to TypeSet and adapts update logic. |
| sysdig/resource_sysdig_monitor_alert_v2_metric_test.go | Adds acceptance coverage for =/!= operators and empty metric validation. |
| sysdig/resource_sysdig_monitor_alert_v2_metric.go | Validates non-empty metric and adds metric ID fallback when API omits Metric.ID. |
| sysdig/resource_sysdig_monitor_alert_v2_event_test.go | Adds acceptance coverage for =/!= operators. |
| sysdig/resource_sysdig_monitor_alert_v2_common.go | Allows dashboardTemplate as an alert link type. |
| sysdig/resource_sysdig_monitor_alert_v2_change_test.go | Adds acceptance coverage for =/!= operators. |
| sysdig/resource_sysdig_group_mapping_config.go | Deprecates legacy group mapping config resource in favor of SSO settings resource. |
| sysdig/resource_sysdig_group_mapping.go | Deprecates legacy group mapping resource in favor of SSO group mapping. |
| sysdig/provider.go | Registers new SSO resources. |
| sysdig/internal/client/v2/sysdig.go | Extends common client interface with new SSO interfaces. |
| sysdig/internal/client/v2/sso_saml.go | Adds v2 client endpoints for SAML SSO settings. |
| sysdig/internal/client/v2/sso_openid.go | Adds v2 client endpoints for OpenID SSO settings. |
| sysdig/internal/client/v2/sso_group_mapping_settings.go | Adds v2 client endpoints for group mapping settings. |
| sysdig/internal/client/v2/sso_group_mapping.go | Adds v2 client endpoints for group mappings. |
| sysdig/internal/client/v2/sso_global_settings.go | Adds v2 client endpoints for global SSO settings. |
| sysdig/internal/client/v2/model.go | Adds models for SSO resources, customer info on user, and metricId fallback field. |
| sysdig/internal/client/v2/alerts_v2.go | Adds dashboardTemplate link type constant. |
| sysdig/data_source_sysdig_user_test.go | Makes user test email unique to reduce collisions. |
| sysdig/data_source_sysdig_secure_rule_stateful_count_test.go | Makes rule-count assertion resilient (>=) instead of exact match. |
| sysdig/data_source_sysdig_secure_custom_policy_test.go | Fixes formatting + uses stable policy naming for data source test. |
| sysdig/data_source_sysdig_current_user_test.go | Adds acceptance assertion for new customer_id field. |
| sysdig/data_source_sysdig_current_user.go | Exposes customer fields on sysdig_current_user. |
| go.mod | Updates Go version directive. |
| flake.nix | Adds Nix flake dev shell for Go/Terraform tooling + pre-commit. |
| flake.lock | Locks flake inputs. |
| examples/serverless-agent/fargate/workload/versions.tf | Removes old example file (deleted). |
| examples/serverless-agent/fargate/workload/providers.tf | Removes old example file (deleted). |
| examples/serverless-agent/fargate/workload/output.tf | Removes old example file (deleted). |
| examples/serverless-agent/fargate/workload/README.md | Removes old example file (deleted). |
| examples/serverless-agent/fargate/workload-legacy/versions.tf | Removes legacy example file (deleted). |
| examples/serverless-agent/fargate/workload-legacy/variables.tf | Removes legacy example file (deleted). |
| examples/serverless-agent/fargate/workload-legacy/instrumented_load.tf | Removes legacy example file (deleted). |
| examples/serverless-agent/fargate/workload-legacy/README.md | Removes legacy example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/variables.tf | Removes orchestrator example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/providers.tf | Removes orchestrator example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/output.tf | Removes orchestrator example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/orchestrator.tf | Removes orchestrator example file (deleted). |
| examples/serverless-agent/fargate/orchestrator/README.md | Removes orchestrator example file (deleted). |
| examples/serverless-agent/ecs-fargate/versions.tf | Updates example provider constraints. |
| examples/serverless-agent/ecs-fargate/variables.tf | Simplifies/updates example variables (subnet handling, defaults). |
| examples/serverless-agent/ecs-fargate/resources.tf | Updates example resources (log group naming, sizing, subnet list). |
| examples/serverless-agent/ecs-fargate/providers.tf | Adds explicit AWS provider config back to example. |
| examples/serverless-agent/ecs-fargate/output.tf | Adds outputs to example. |
| examples/serverless-agent/ecs-fargate/README.md | Adds refreshed example documentation. |
| CODEOWNERS | Updates ownership mappings. |
| CLAUDE.md | Adds agent entrypoint referencing AGENTS.md. |
| AGENTS.md | Adds detailed agent/developer guidance for this repo. |
| .pre-commit-config.yaml | Removes pre-commit acceptance-test hook. |
| .github/workflows/test.yml | Refactors CI to dynamically shard Sysdig acceptance tests by file. |
| .github/workflows/ci.yml | Adds merge_group trigger. |
| .envrc | Enables Nix flake usage and reorders TF_ACC/TF_LOG exports. |
| _ = d.Set("customer_id", user.Customer.ID) | ||
| _ = d.Set("customer_name", user.Customer.Name) | ||
| _ = d.Set("customer_external_id", user.Customer.ExternalID) | ||
| } else { | ||
| _ = d.Set("customer_id", nil) | ||
| _ = d.Set("customer_name", nil) | ||
| _ = d.Set("customer_external_id", nil) |
In the else branch, d.Set is called with nil for customer_id/customer_name/customer_external_id. For SDK v2 schemas like TypeInt/TypeString, setting nil typically returns an error (and here it is ignored), which can leave stale values in state. Prefer either omitting the Set calls when user.Customer is nil, or setting explicit zero/empty values and handling any returned errors.
| _ = d.Set("customer_id", user.Customer.ID) | |
| _ = d.Set("customer_name", user.Customer.Name) | |
| _ = d.Set("customer_external_id", user.Customer.ExternalID) | |
| } else { | |
| _ = d.Set("customer_id", nil) | |
| _ = d.Set("customer_name", nil) | |
| _ = d.Set("customer_external_id", nil) | |
| if err := d.Set("customer_id", user.Customer.ID); err != nil { | |
| return diag.FromErr(err) | |
| } | |
| if err := d.Set("customer_name", user.Customer.Name); err != nil { | |
| return diag.FromErr(err) | |
| } | |
| if err := d.Set("customer_external_id", user.Customer.ExternalID); err != nil { | |
| return diag.FromErr(err) | |
| } | |
| } else { | |
| if err := d.Set("customer_id", 0); err != nil { | |
| return diag.FromErr(err) | |
| } | |
| if err := d.Set("customer_name", ""); err != nil { | |
| return diag.FromErr(err) | |
| } | |
| if err := d.Set("customer_external_id", ""); err != nil { | |
| return diag.FromErr(err) | |
| } |
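Review bot: In the else branch of the suggestion, `d.Set("customer_id", 0)` writes the Go zero value for the TypeInt attribute, so state will show customer_id = 0 rather than an absent value, and `""` does the same for the two string attributes; if the intent is that these computed fields read as unset when `user.Customer` is nil, the safer form is to skip the three Set calls entirely in that branch (the comment above already offers this as one of the two options) and only keep the error handling on the populated branch. As a style point, the three repeated `if err := d.Set(...); err != nil { return diag.FromErr(err) }` blocks per branch could be collapsed into one loop over a small key/value map so the read function stays short.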
| "metadata_url": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Description: "The URL to fetch SAML metadata from the IdP", | ||
| ExactlyOneOf: []string{"metadata_url", "metadata_xml"}, | ||
| }, | ||
| "metadata_xml": { | ||
| Type: schema.TypeString, | ||
| Optional: true, | ||
| Description: "The raw SAML metadata XML from the IdP", | ||
| ExactlyOneOf: []string{"metadata_url", "metadata_xml"}, | ||
| }, |
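Review bot: The `ExactlyOneOf: []string{"metadata_url", "metadata_xml"}` literal is duplicated verbatim on both fields; pull it into a single package-level slice referenced from both attributes so the pair cannot drift if a third metadata source is added later.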
metadata_url/metadata_xml are mutually exclusive via ExactlyOneOf, but empty strings can still satisfy the constraint (e.g., metadata_url = ""), leading to an API request with invalid metadata. Add a non-empty validation (e.g., validation.StringIsNotEmpty) to both fields so the provider fails fast with a clear error before calling the API.