feat(kyverno): add support for message exclusions in error pattern filtering

filippolmt · filippolmt · commit bca549920634 · 2026-02-05T08:34:55.000+01:00
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -8,6 +8,14 @@ to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [0.13.1] - 2026-02-05
+
+[Compare with previous version](https://github.com/sparkfabrik/terraform-google-services-monitoring/compare/0.13.0...0.13.1)
+
+### Changed
+
+- Extend `error_patterns_exclude` behavior: excluded patterns now also generate `NOT jsonPayload.message=~"pattern"` conditions, allowing exclusion of logs where the pattern appears in the message field (not just the error field).
+
 ## [0.13.0] - 2026-02-04
 
 [Compare with previous version](https://github.com/sparkfabrik/terraform-google-services-monitoring/compare/0.12.0...0.13.0)
diff --git a/kyverno.tf b/kyverno.tf
@@ -56,6 +56,12 @@ locals {
     "jsonPayload.error=~\"(?i)${pattern}\""
   ]) : ""
 
+  # Build NOT conditions for excluded patterns on jsonPayload.message
+  kyverno_message_exclusions = length(var.kyverno.error_patterns_exclude) > 0 ? join("\n    ", [
+    for pattern in var.kyverno.error_patterns_exclude :
+    "AND NOT jsonPayload.message=~\"(?i)${pattern}\""
+  ]) : ""
+
   kyverno_log_filter = local.kyverno_cluster_name != "" && length(local.kyverno_active_error_patterns) > 0 ? (<<-EOT
     resource.type="k8s_container"
     AND resource.labels.project_id="${local.kyverno_project_id}"
@@ -68,6 +74,7 @@ locals {
     AND (
       ${local.kyverno_error_patterns_filter}
     )
+    ${local.kyverno_message_exclusions}
   EOT
   ) : ""
 }
