
Add Falco Rule/Macro/List validation at terraform validation #51

Closed
ukitazume opened this issue Oct 27, 2020 · 3 comments

@ukitazume (Collaborator)

Writing Falco rules in a Terraform file is hard without validation.
It's useful to validate Falco rules before terraform apply/plan via terraform validate.

https://www.terraform.io/docs/extend/schemas/schema-behaviors.html#validatefunc
falcosecurity/falco#322

@tembleking (Member)

Hi @ukitazume, thanks for the feedback. Unfortunately, there are some limitations to keep in mind:

  • We cannot make the assumption that Docker or Falco is installed on the host machine where the validations are run.
  • Even if Docker is installed on the host machine, making a validation through Docker with Go would add a lot of complexity.
  • The functions can only evaluate the current data of the resource that is being created/updated, and since they don't have the context of the other resources, the rules can't be fully composed for validation.

One approach that could be followed is creating all the rules, with macros and lists, in a file, then validating this file, and then migrating them to Terraform.

@ukitazume (Collaborator, Author)

Thank you for the comment @tembleking.
It sounds very complex.

In the future, I hope Falco provides a validation library as an independent Go module/library that can run in the Terraform providers.

As you mentioned, it's hard to validate rules/macros/lists that include dependencies across creating/updating/deleting actions. So it should be an easy, imperfect validation. But it's better than having none.

At this time, I think applying to a test environment is a workaround before applying to production.
Thank you for your kind reply.
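
What such an "easy, imperfect" per-attribute check could look like, as an added example that is not code from the provider or from Falco: two functions with the shape of terraform-plugin-sdk's `schema.SchemaValidateFunc`, written with the standard library only so they run stand-alone; `falcoPriorities`, `ValidatePriority` and `ValidateCondition` are names assumed here, and the priority set is taken from the Falco rules documentation.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not code from the terraform-provider-falco project: two checks
// with terraform-plugin-sdk's schema.SchemaValidateFunc signature,
// func(interface{}, string) ([]string, []error), using only the standard library.
// Each sees one attribute value, so, as the thread notes, it cannot confirm that a
// macro or list referenced in a condition is defined by another resource. A
// TypeString attribute arrives as a Go string; anything else hits the errors below.

// Priorities Falco accepts, assumed here to be matched case-insensitively.
var falcoPriorities = map[string]bool{
	"emergency": true, "alert": true, "critical": true, "error": true,
	"warning": true, "notice": true, "informational": true, "debug": true,
}

// ValidatePriority rejects a priority value Falco would not load.
func ValidatePriority(v interface{}, k string) ([]string, []error) {
	s, _ := v.(string)
	if !falcoPriorities[strings.ToLower(strings.TrimSpace(s))] {
		return nil, []error{fmt.Errorf("%q: unknown Falco priority %q", k, s)}
	}
	return nil, nil
}

// ValidateCondition does cheap syntax checks on a rule condition: it must be
// non-empty and its parentheses must balance, a frequent copy/paste mistake.
func ValidateCondition(v interface{}, k string) ([]string, []error) {
	s, _ := v.(string)
	if strings.TrimSpace(s) == "" {
		return nil, []error{fmt.Errorf("%q: condition must not be empty", k)}
	}
	depth := 0
	for i, r := range s {
		if r == '(' {
			depth++
		} else if r == ')' {
			if depth--; depth < 0 {
				return nil, []error{fmt.Errorf("%q: unmatched ')' at byte %d", k, i)}
			}
		}
	}
	if depth != 0 {
		return nil, []error{fmt.Errorf("%q: %d unclosed '('", k, depth)}
	}
	return nil, nil
}
```

Wiring these into a resource schema is one `ValidateFunc: ValidatePriority` line per attribute; they catch typos at `terraform validate` time but, by design, say nothing about whether a referenced macro exists.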

@tembleking (Member)

Closing this issue since this cannot be implemented yet.
