PaloAltoNetworks / terraform-provider-prismacloud

Terraform PrismaCloud provider
https://www.terraform.io/docs/providers/prismacloud/
Mozilla Public License 2.0

prismacloud_policy resource doesn't create policy with subtypes build and run #265

Closed tommynsong closed 11 months ago

tommynsong commented 11 months ago

Describe the bug

When a prismacloud_policy resource is declared with the attribute policy_subtypes = ["run", "build"] - including a children rule - the policy is created with only the "run" rule; the "build" rule is completely omitted.

Expected behavior

We expected the policy to be created with both "run" and "build" checked in the console, and the "build" rule tab to exist with the build YAML.

Current behavior

The policy is created, but only "run" is checked while "build" is unchecked. This obviously means that the "build" tab in the "Create Rule" section is not available.

Possible solution

Steps to reproduce

create a resource block with the following:

  1. Create a resource block with the following code:

     ```hcl
     resource "prismacloud_policy" "tommy_test_policy" {
       name            = "Tommy Test Policy Name"
       recommendation  = "some recommandation"
       policy_type     = "config"
       cloud_type      = "azure"
       severity        = "high"
       policy_subtypes = ["run", "build"]

       rule {
         name       = "Tommy Test Run Rule Name"
         rule_type  = "Config"
         cloud_type = "azure"
         api_name   = "azure-api-management-service"
         criteria   = "config from cloud.resource where cloud.type = 'azure' and api.name = 'azure-api-management-service' AND json.rule = properties.virtualNetworkType does not equal ignore case Internal"
         parameters = {
           savedSearch = false
           withIac     = false
         }

         children {
           type           = "build"
           recommendation = "Consider hosting APIM within a virtual network for improved isolation"
           metadata = {
             "code" : file("build.yaml"),
           }
         }
       }
     }
     ```

  2. Create a build.yaml with the following code:

     ```yaml
     metadata:
       name: "Tommy Test Build Rule Name"
       guidelines: "In case of non-compliant resources consider hosting APIM within a virtual network for improved isolation"
       category: "general"
       severity: "high"
     scope:
       provider: "azure"
     definition:
       cond_type: "attribute"
       resource_types: "azurerm_api_management"
       attribute: "virtual_network_type"
       operator: "equals_ignore_case"
       value: "none"
     ```
  3. run terraform plan and apply

Screenshots

(Two console screenshots attached, taken 2023-10-04, showing the created policy.)

Context

Impacting adoption of prismacloud visibility capability due to inability to define custom policies via code

Your Environment

welcome-to-palo-alto-networks[bot] commented 11 months ago

:tada: Thanks for opening your first issue here! Welcome to the community!

AnushreeHS commented 11 months ago

@tommynsong The resource block you are using to create a build-and-run policy is not configured correctly. To fix this, you need to set withIac to true, and make sure that the name in the policy and the build.yaml file are the same. The guidelines in the build.yaml file must also be the same as the description in the policy. The API overwrites the user's suggested subTypes if it’s incorrect and sets up the correct ones. Please make these changes and try again. Let me know if it works.
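As an added example (not code from the issue reporter or from the provider's maintainers), here is the reporter's resource block rewritten with the three changes listed in the comment above: withIac set to true, the build rule's metadata name matching the policy name, and the build rule's guidelines matching the policy description. The description attribute and the inline heredoc in place of file("build.yaml") are assumptions made to keep the example self-contained; the rest is the reporter's configuration.

```hcl
# Added example: a build-and-run policy with the fields the API expects to agree.
# Assumptions: "description" is the policy attribute the build guidelines must
# match, and the build YAML is inlined as a heredoc instead of file("build.yaml").
locals {
  policy_name        = "Tommy Test Policy Name"
  policy_description = "In case of non-compliant resources consider hosting APIM within a virtual network for improved isolation"
}

resource "prismacloud_policy" "apim_vnet_policy" {
  name            = local.policy_name
  description     = local.policy_description # assumed: must equal the build guidelines
  recommendation  = "Consider hosting APIM within a virtual network for improved isolation"
  policy_type     = "config"
  cloud_type      = "azure"
  severity        = "high"
  policy_subtypes = ["run", "build"]

  rule {
    name       = local.policy_name
    rule_type  = "Config"
    cloud_type = "azure"
    api_name   = "azure-api-management-service"
    criteria   = "config from cloud.resource where cloud.type = 'azure' and api.name = 'azure-api-management-service' AND json.rule = properties.virtualNetworkType does not equal ignore case Internal"
    parameters = {
      savedSearch = false
      withIac     = true # the change from the original: required for a build subtype
    }

    children {
      type           = "build"
      recommendation = "Consider hosting APIM within a virtual network for improved isolation"
      metadata = {
        # Build rule inlined; name and guidelines reuse the policy values above
        # so they cannot drift apart from the policy.
        "code" : <<-EOT
          metadata:
            name: "${local.policy_name}"
            guidelines: "${local.policy_description}"
            category: "general"
            severity: "high"
          scope:
            provider: "azure"
          definition:
            cond_type: "attribute"
            resource_types: "azurerm_api_management"
            attribute: "virtual_network_type"
            operator: "equals_ignore_case"
            value: "none"
        EOT
      }
    }
  }
}
```

Deriving the build rule's name and guidelines from locals is the point of the example: the comment above states that the API silently replaces the requested subtypes when these values are inconsistent, so a plan that applies cleanly can still produce a run-only policy. Keeping a single source for both values turns that silent downgrade into something a reviewer can see in the diff.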

tommynsong commented 11 months ago

@AnushreeHS thank you for pointing that out. I was using a scrubbed version of a customer's sample, so the name inconsistency was introduced by me. However, withIac and the guidelines matching the description in the policy are definitely the culprit here.