Can't create sysdig_secure_rule_falco with append = true

[N0zz]

I've tried to create and append some existing rules and policies. While I was able to create new custom policy, custom rule and append existing policy, while I try to append managed falco rule, I'm unable to make it work.

Minimalistic resource example (condition is fetched from existing managed rule):

    resource "sysdig_secure_rule_falco" "falco_rule" {
      name      = "Change thread namespace"
      condition = <<-EOT
        evt.type=setns and evt.dir=< and proc_name_exists and not proc.name startswith "runc" and not proc.cmdline startswith "containerd" and not user_known_change_thread_namespace_activities and not java_running_sdjagent and not sysdig_java and not thousandeyes and not sysdig_dragent and not rancher_images_endswith and proc_exepath_exists and pname_exists
      EOT
      append    = true
    }

But the validation fails with:

╷
│ Error: File failed to pass validation with the following linux agents: 13.9.1, 14.1.0, 14.1.1. 
│ Validation failed: linux 14.1.1. Reason: expected a ')' token

Even tried to make condition a bit simplier, with just evt.type = setns and proc.name exists, but it doesn't help, still the same error.

For resources with append = false, there is no issue, I was able to create new custom falco rules with with different conditions, outputs, tags etc.

Versions details:

Terraform v1.5.6
on darwin_arm64
+ provider registry.terraform.io/sysdiglabs/sysdig v1.59.0

terragrunt version v0.42.7

[N0zz]

The issue was with documentation which stated that condition field is required. It is actually reverse, condition field is optional, and for managed rules appends with exceptions, we have to omit "required" condition field.

https://registry.terraform.io/providers/sysdiglabs/sysdig/latest/docs/resources/secure_rule_falco#condition-1

Since managed rule are read only, it makes sense. But instead of setting condition field with exact value from existing rule, we just have to omit this field.