PaloAltoNetworks / terraform-provider-prismacloud

Terraform PrismaCloud provider
https://www.terraform.io/docs/providers/prismacloud/
Mozilla Public License 2.0

IAM policies with compliance mapping fail to create #82

Closed jasonckeating closed 3 years ago

jasonckeating commented 3 years ago

Describe the bug

IAM policies with compliance metadata fail when creating via Terraform. The rql_search and saved_search create without issue.

The policy creation failed on several runs, my first error was the 400, consecutive failures were 500s.

│ Error: 400/https://api3.prismacloud.io/policy Error(msg:compliance_mapping_update_disallowed_for_policy_type severity:error subject:compliance_mapping_update_disallowed_for_policy_type)
│
│   with prismacloud_policy.this["AWS effective permissions granting wildcard resource access - created by terraform"],
│   on policies.tf line 62, in resource "prismacloud_policy" "this":
│   62: resource "prismacloud_policy" "this" {
│ Error: 500 error without the "X-Redlock-Status" header - returned HTML:
│ {"timestamp":"2021-10-14T16:06:17.613+00:00","status":500,"error":"Internal Server Error","message":"","path":"/api/v1/permission"}
│
│   with prismacloud_rql_search.this["AWS effective permissions granting wildcard resource access - created by terraform"],
│   on policies.tf line 34, in resource "prismacloud_rql_search" "this":
│   34: resource "prismacloud_rql_search" "this" {

API documentation shows that iam type policies can be hooked up to standards. https://prisma.pan.dev/api/cloud/cspm/policy/#operation/add-policy

Expected behavior

Policy should create

Current behavior

400 error is thrown with the error: compliance_mapping_update_disallowed_for_policy_type

Possible solution

Steps to reproduce

Define a Prisma policy of type iam and use compliance_metadata {} to attach it to a standard.

Screenshots

Context

Cannot get IAM policies into our Prisma instance.

Your Environment
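A minimal Terraform configuration that follows the reproduction steps in the report, added here as an illustration and not taken from the issue or from the provider's own examples. It assumes the resource and attribute names of the provider's documented prismacloud_rql_search, prismacloud_saved_search and prismacloud_policy resources (the "iam" search type and "IAM" rule type in particular are assumptions); the query text, names and compliance ID are constructed placeholders.

```hcl
# Added illustration; attribute names are assumed from the provider docs,
# query text and IDs are placeholders.

# Run the IAM RQL query so the provider learns its search ID.
resource "prismacloud_rql_search" "iam_wildcard" {
  search_type = "iam" # assumed search type for IAM queries
  query       = "config from iam where dest.cloud.resource.name = '*'" # placeholder
  time_range {
    relative {
      unit   = "hour"
      amount = 24
    }
  }
}

# Persist the search so a policy rule can reference it.
resource "prismacloud_saved_search" "iam_wildcard" {
  name      = "AWS effective permissions granting wildcard resource access"
  search_id = prismacloud_rql_search.iam_wildcard.search_id
  query     = prismacloud_rql_search.iam_wildcard.query
  time_range {
    relative {
      unit   = "hour"
      amount = 24
    }
  }
}

resource "prismacloud_policy" "iam_wildcard" {
  name        = "AWS effective permissions granting wildcard resource access - created by terraform"
  policy_type = "iam"
  cloud_type  = "aws"
  severity    = "high"
  enabled     = true

  rule {
    name      = "AWS effective permissions granting wildcard resource access"
    rule_type = "IAM" # assumed rule type for iam policies
    criteria  = prismacloud_saved_search.iam_wildcard.search_id
    parameters = {
      savedSearch = "true"
      withIac     = "false"
    }
  }

  # With policy_type = "iam" this block is what the API rejects with
  # compliance_mapping_update_disallowed_for_policy_type; omit it to
  # create the policy without a standard mapping.
  compliance_metadata {
    compliance_id = "00000000-0000-0000-0000-000000000000" # placeholder section ID
  }
}
```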

jasonckeating commented 3 years ago

Awaiting a timeline.

ebeuerle commented 3 years ago

Closing ticket for time being until functionality is added.