PaloAltoNetworks / terraform-provider-prismacloudcompute

Terraform provider for Prisma Cloud Compute
https://registry.terraform.io/providers/PaloAltoNetworks/prismacloudcompute/latest
Mozilla Public License 2.0

Receiving 400 Error Deploying prismacloudcompute_custom_rule #67

Closed dwchowscalesec closed 1 year ago

dwchowscalesec commented 1 year ago

Describe the bug

Properly formatted resource for terraform post-authentication passes validate and plan. When trying to apply, the error persists no matter the combination of quotes or commenting out anything that could possibly be an escape character.

Expected behavior

Using access keys on SaaS hosted prismacloud compute using provider in HCL should allow for creation of custom rule.

Current behavior

Receiving 400 error trying to deploy new resources.

```
module.cwp-runtime-rule.prismacloudcompute_custom_rule.defender-runtime-usecase: Creating...
╷
│ Error: error creating custom rule '{Description: Id:0 Message: Name:cnacwpruntimeruleexample Script:proc.name='ncat' Type:processes}': Non-OK status: 400
│
│   with module.cwp-runtime-rule.prismacloudcompute_custom_rule.defender-runtime-usecase,
│   on cwp-runtime-rule/main.tf line 17, in resource "prismacloudcompute_custom_rule" "defender-runtime-usecase":
│   17: resource "prismacloudcompute_custom_rule" "defender-runtime-usecase" {
│
```

Possible solution

Unknown.

Steps to reproduce

  1. terraform fmt, terraform apply
  2. Verified role for access key has the view and update permissions. The create permissions seem blank or missing from the 22.06 console SaaS hosted.
  3. Attempted to add full write/create capabilities for permission and still receiving 400 error

Context

Code sample for the module:

```hcl
terraform {
  required_version = ">= 1.2.0"
  required_providers {
    prismacloudcompute = {
      source  = "PaloAltoNetworks/prismacloudcompute"
      version = "0.7.0"
    }
  }
}

resource "prismacloudcompute_custom_rule" "defender-runtime-usecase" {
  name = "foo-cwp-runtime-rule-example" # <-- CHANGE

  # valid types: "processes, filesystem, network-outgoing, kubernetes-audit, waas-request, waas-response"
  type        = "processes" # <-- CHANGE
  description = "IOC of netcat running in the world writeable /tmp folder in the container filesystem" # <-- CHANGE
  message     = "A suspicious process at %proc.path was executed." # <-- CHANGE

  # use the prismacloud compute expression from the KB. Mind the quote types.
  script = "proc.path='/tmp/nc'" # <-- CHANGE
}
```

Your Environment

welcome-to-palo-alto-networks[bot] commented 1 year ago

:tada: Thanks for opening your first issue here! Welcome to the community!

dwchowscalesec commented 1 year ago

Nevermind, got it to work with extra escapes. For those wondering, export a sample JSON rule and see the syntax. Then replace in the terraform example:

```hcl
script = "proc.path=\"/tmp/nc\"" # <-- CHANGE
```
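A small pre-apply check for the quoting mismatch this thread ran into, added here as an example and not part of the provider or the issue. It assumes the Prisma Cloud Compute rule language wants double-quoted string literals (the form the working `script` value above uses) and applies the standard HCL escapes for `"`, `\`, `${` and `%{`.

```python
import re

# Constructed samples: the two "script" values from this thread, as the rule
# text looks after Terraform has decoded the HCL string (HCL escapes removed).
FAILING_SCRIPT = "proc.path='/tmp/nc'"   # single-quoted literal, API answered 400
WORKING_SCRIPT = 'proc.path="/tmp/nc"'   # double-quoted literal, accepted

# A single-quoted literal: 'text' where text may contain backslash-escaped chars.
_SINGLE_QUOTED = re.compile(r"'((?:[^'\\]|\\.)*)'")


def has_single_quoted_literal(script: str) -> bool:
    """True when the rule expression still contains a 'single-quoted' literal."""
    return _SINGLE_QUOTED.search(script) is not None


def normalize_script(script: str) -> str:
    """Rewrite single-quoted string literals to the double-quoted form.

    Only the quoting of string literals changes; operators, field names and
    already double-quoted literals are left untouched.
    """
    def repl(match: re.Match) -> str:
        inner = match.group(1).replace("\\'", "'")          # un-escape \' first
        inner = inner.replace("\\", "\\\\").replace('"', '\\"')  # then escape for "..."
        return f'"{inner}"'
    return _SINGLE_QUOTED.sub(repl, script)


def to_hcl_string(value: str) -> str:
    """Render a decoded value as a quoted HCL string literal.

    Backslash and double quote get a backslash escape; ${ and %{ are doubled
    so Terraform does not treat them as template interpolation.
    """
    escaped = (value.replace("\\", "\\\\")
                    .replace('"', '\\"')
                    .replace("${", "$${")
                    .replace("%{", "%%{"))
    return f'"{escaped}"'


def hcl_script_attribute(script: str) -> str:
    """Ready-to-paste HCL line for the custom rule's script attribute."""
    return f"script = {to_hcl_string(normalize_script(script))}"


if __name__ == "__main__":
    print(hcl_script_attribute(FAILING_SCRIPT))
```

Running it on the failing expression prints exactly the line the follow-up comment arrived at by hand.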