PaloAltoNetworks / terraform-provider-prismacloud

Terraform PrismaCloud provider
https://www.terraform.io/docs/providers/prismacloud/
Mozilla Public License 2.0

`alert_rule_policy_filter` causes a dummy change to show up in `plan` #296

Open kostty opened 1 month ago

kostty commented 1 month ago

Describe the bug

Recently we have been experiencing configuration drift caused by the provider trying to change the configuration of alert_rule_policy_filter in a defined alert rule.

We don't have any alert_rule_policy_filter defined as we don't need one. However, now if we run plan against the current configuration, the proposed plan comes up with a change that looks like the following:

~ target {
            # (3 unchanged attributes hidden)
          - alert_rule_policy_filter {
              - cloud_type                 = [] -> null
              - policy_compliance_standard = [] -> null
              - policy_label               = [] -> null
              - policy_severity            = [] -> null
            }

Expected behavior

Running plan against the current configuration should result in a zero-change plan.

Current behavior

Running plan against the current configuration results in a plan that contains a change to a resource.

Possible solution

I guess, the default value for an empty/undefined alert_rule_policy_filter should match what terraform plan detects during the refresh stage.

Steps to reproduce

  1. Define an alert rule that doesn't contain alert_rule_policy_filter and apply it.
  2. Run terraform plan against the already applied code

Context

The drift detection check triggers an alert due to a non-zero change plan. To resolve the drift, an empty alert_rule_policy_filter has to be added to the code for no other reason than to reconcile the code with the state.

Your Environment

hi-artem commented 3 weeks ago

As a workaround, you can use ignore_changes attribute from the resource lifecycle.

For example:

resource "prismacloud_alert_rule" "example" {
  name           = "terraform-example-rule"
  description    = "Made by Terraform"
  enabled        = true
  target {
    account_groups = [data.prismacloud_account_group.example.group_id]
  }
  policies = local.example_policies
  notification_config {
    enabled         = true
    frequency       = "as_it_happens"
    config_type     = "webhook"
    detailed_report = true
    recipients      = [data.prismacloud_integration.datadog_webhook.integration_id]
  }
  lifecycle {
    ignore_changes = [
      # Ignore changes to account group's policy filter
      # due to usage of policies field
      target[0].alert_rule_policy_filter
    ]
  }
}
kostty commented 3 weeks ago

We use terraform plan to detect potential drifts between the actual state of the infrastructure and the defined configuration, so we don't want to ignore changes to defined resources.

We did implement another workaround, i.e. defining an empty alert_rule_policy_filter. But ultimately we would love to see it fixed in the provider, so that we don't have to keep the workaround in our repository.
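
The empty-filter workaround kostty describes above, written out as an added example; it is not code from the issue or from the provider's documentation. The resource mirrors the one posted earlier in the thread, and the data-source and local names (data.prismacloud_account_group.example, data.prismacloud_integration.datadog_webhook, local.example_policies) are assumed for illustration. The four list attributes are set to the empty lists the plan output reports in state:

```hcl
# Added example: alert rule with an explicit, empty alert_rule_policy_filter
# block so the configuration matches what the provider stores in state.
# Data-source and local names are assumed for illustration.
resource "prismacloud_alert_rule" "example" {
  name        = "terraform-example-rule"
  description = "Made by Terraform"
  enabled     = true

  target {
    account_groups = [data.prismacloud_account_group.example.group_id]

    # Declared on purpose even though no filter is wanted: the refreshed
    # state carries this block with every list set to [], so leaving it
    # out of the configuration produces the "- alert_rule_policy_filter"
    # diff on every plan. The empty lists below match the state values
    # shown in the plan output in the issue.
    alert_rule_policy_filter {
      cloud_type                 = []
      policy_compliance_standard = []
      policy_label               = []
      policy_severity            = []
    }
  }

  policies = local.example_policies

  notification_config {
    enabled         = true
    frequency       = "as_it_happens"
    config_type     = "webhook"
    detailed_report = true
    recipients      = [data.prismacloud_integration.datadog_webhook.integration_id]
  }
}
```

Unlike the lifecycle ignore_changes workaround, this keeps the filter block under plan's drift detection: if someone later adds, say, a policy_severity filter to the rule outside Terraform, plan reports it as a change, whereas ignore_changes on target[0].alert_rule_policy_filter would silently hide that edit. The cost is the block has to stay in the repository until the provider's default for an undefined filter matches what refresh reads back.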

hi-artem commented 2 weeks ago

> We use terraform plan to detect potential drifts between the actual state of the infrastructure and the defined configuration, so we don't want to ignore changes to defined resources.
>
> We did implement another workaround, i.e. defining an empty alert_rule_policy_filter. But ultimately we would love to see it fixed in the provider, so that we don't have to keep the workaround in our repository.

Please review the Terraform documentation to get a better understanding of how ignore_changes works. It won't cause drift in your case, since you are ignoring the empty attribute.

Let me know if you have further questions.