PaloAltoNetworks / terraform-provider-prismacloudcompute

Terraform provider for Prisma Cloud Compute
https://registry.terraform.io/providers/PaloAltoNetworks/prismacloudcompute/latest
Mozilla Public License 2.0

Unable to create CI Vulnerability rules #80

Open jhabikal21 opened 9 months ago

jhabikal21 commented 9 months ago

Describe the bug

I am using the terraform resource prismacloudcompute_ci_image_vulnerability_policy to provision CI image vulnerability rules; however, it's not working correctly with a loop.

Expected behavior

It should provision multiple rules based on input provided.

Current behavior

Only the 0th index element gets created, and terraform destroy doesn't work.

Steps to reproduce

  1. main.tf

```hcl
locals {
  ci_image_vulnerability_policy_map = {
    "NOC Test" = {
      effect                   = "alert"
      collections              = ["All"]
      alert_threshold_disabled = false
      alert_threshold_value    = 1
      block_threshold_enabled  = false
      block_threshold_value    = 1
    },
    "Fail high and critical vulnerabilities, alert the rest" = {
      effect                   = "ignore"
      collections              = ["All"]
      alert_threshold_disabled = false
      alert_threshold_value    = 1
      block_threshold_enabled  = false
      block_threshold_value    = 7
    },
    // Add more entries as needed
  }
}

resource "prismacloudcompute_ci_image_vulnerability_policy" "ruleset" {
  for_each = local.ci_image_vulnerability_policy_map

  rule {
    name        = each.key
    effect      = each.value.effect
    collections = each.value.collections

    alert_threshold {
      disabled = lookup(each.value, "alert_threshold_disabled", false)
      value    = lookup(each.value, "alert_threshold_value", 1)
    }
    block_threshold {
      enabled = lookup(each.value, "block_threshold_enabled", false)
      value   = lookup(each.value, "block_threshold_value", 7)
    }
  }
}
```

  2. terraform init, terraform plan and terraform apply.
  3. Terraform output:

```
terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

Terraform will perform the following actions:

  prismacloudcompute_ci_image_vulnerability_policy.ruleset["Fail high and critical vulnerabilities, alert the rest"] will be created

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

prismacloudcompute_ci_image_vulnerability_policy.ruleset["NOC Test"]: Creating...
prismacloudcompute_ci_image_vulnerability_policy.ruleset["Fail high and critical vulnerabilities, alert the rest"]: Creating...
prismacloudcompute_ci_image_vulnerability_policy.ruleset["Fail high and critical vulnerabilities, alert the rest"]: Creation complete after 1s [id=ciImagesVulnerability]
prismacloudcompute_ci_image_vulnerability_policy.ruleset["NOC Test"]: Creation complete after 2s [id=ciImagesVulnerability]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
PS C:\Users\253905\OneDrive - Resideo\Data-Backup\Bikal-downloads\prisma-cloud-tar\prisma-saas-onboarding> terraform version
Terraform v1.6.6
on windows_amd64

Your version of Terraform is out of date! The latest version
is 1.7.2. You can update by downloading from https://www.terraform.io/downloads.html
```

  4. Terraform returns success but the UI doesn't show the data. This is from the state file:

```json
"instances": [
  {
    "index_key": "Fail high and critical vulnerabilities, alert the rest",
    "schema_version": 0,
    "attributes": {
      "id": "ciImagesVulnerability",
      "rule": [
        {
          "alert_threshold": [{ "disabled": false, "value": 1 }],
          "block_message": "",
          "block_threshold": [{ "enabled": false, "value": 1 }],
          "collections": ["All"],
          "cve_rule": [],
          "disabled": false,
          "effect": "alert",
          "grace_days": 0,
          "grace_days_policy": [{ "critical": 0, "high": 0, "low": 0, "medium": 0 }],
          "name": "NOC Test",
          "notes": "",
          "only_fixed": false,
          "tag_rule": [],
          "verbose": false
        }
      ]
    },
    "sensitive_attributes": [],
    "private": "bnVsbA=="
  },
  {
    "index_key": "NOC Test",
    "schema_version": 0,
    "attributes": {
      "id": "ciImagesVulnerability",
      "rule": [
        {
          "alert_threshold": [{ "disabled": false, "value": 1 }],
          "block_message": "",
          "block_threshold": [{ "enabled": false, "value": 1 }],
          "collections": ["All"],
          "cve_rule": [],
          "disabled": false,
          "effect": "alert",
          "grace_days": 0,
          "grace_days_policy": [{ "critical": 0, "high": 0, "low": 0, "medium": 0 }],
          "name": "NOC Test",
          "notes": "",
          "only_fixed": false,
          "tag_rule": [],
          "verbose": false
        }
      ]
    },
    "sensitive_attributes": [],
    "private": "bnVsbA=="
  }
]
```


hi-artem commented 1 month ago

This is a feature, not a bug. You are supposed to use the dynamic field to generate rules within the policy.

For example:

```hcl
resource "prismacloudcompute_container_runtime_policy" "ruleset" {
  learning_disabled = var.disable_container_learning
  dynamic "rule" {
    for_each = local.my_apps
    content {
      name = "${rule.value.name}-runtime-policy"
    }
  }
}
```