Closed Osazz closed 10 months ago
@Osazz In your example, since you don't want to have any cves then you should omit it in the TF configuration. This will also match the imported value of null.
Here is my full use case. I have existing ignore rules that were created from the UI that I would like to manage using Terraform. Here are the steps I took and how I ended up here:

- Import the existing resource into IaC; the state file looks like this:

```json
"instances": [
  {
    "schema_version": 0,
    "attributes": {
      ...
      "cves": null,
      ...
    }
  }
]
```

- Do a `terraform plan` (this should return no changes):

```
Terraform will perform the following actions:

  # xray_ignore_rule.ignore_rule must be replaced
-/+ resource "xray_ignore_rule" "ignore_rule" {
      ~ author     = "dosagie" -> (known after apply)
      ~ created    = "2023-11-17T18:10:49Z" -> (known after apply)
      + cves       = (known after apply) # forces replacement
      ~ id         = "d169e985-87f8-43f5-4bb8-67f73c76f0ef" -> (known after apply)
      ~ is_expired = false -> (known after apply)
        # (4 unchanged attributes hidden)

        # (3 unchanged blocks hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.
```

N.B. running apply means destroying the existing resource and creating a new one. Not ideal.

- Do `terraform apply` and then check the state file:

```json
"instances": [
  {
    "schema_version": 0,
    "attributes": {
      ...
      "cves": [],
      ...
    }
  }
]
```

So that is why I am setting `cves = []` in the resource, so that I don't have to destroy the existing resource, and I think it should be allowed.
@Osazz Just so I understand correctly, the TF config you have before you import the resource contains `cves: []`? i.e.

```hcl
resource "xray_ignore_rule" "ignore_rule" {
  notes           = "delete me now test ignore rule iac"
  vulnerabilities = ["XRAY-170461"]
  cves            = []
}
```

If you omit the `cves` attribute in your config, like:

```hcl
resource "xray_ignore_rule" "ignore_rule" {
  notes           = "delete me now test ignore rule iac"
  vulnerabilities = ["XRAY-170461"]
}
```

Then import the resource. After that, `terraform plan` shows updates for the `cves` attribute?

The Xray APIs don't allow updating an existing ignore rule. Thus any mismatch of TF configuration and API data will mean the provider destroys and recreates the resource.
@alexhung No, that understanding is not correct. I have a TF config like this:

```hcl
resource "xray_ignore_rule" "ignore_rule" {
  notes           = "delete me now test ignore rule iac"
  vulnerabilities = ["XRAY-170461"]
}
```

I do an import and then I get a state file like this:

```json
"instances": [
  {
    "schema_version": 0,
    "attributes": {
      ...
      "cves": null,
      ...
    }
  }
]
```

Then I do a plan to make sure things align and I get:

```
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  -/+ destroy and then create replacement

Terraform will perform the following actions:

-/+ resource "xray_ignore_rule" "ignore_rule" {
      ~ author     = "someauthor" -> (known after apply)
      ~ created    = "2023-11-17T18:30:29Z" -> (known after apply)
        cves       = (known after apply) # forces replacement
      ~ id         = "91ced9b-bb1e-4d9c-488c-6bf093a36d64" -> (known after apply)
      ~ is_expired = false -> (known after apply)
        # (3 unchanged blocks hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Changes to Outputs:
  ~ author     = "someauthor" -> (known after apply)
  ~ created    = "2023-11-17T18:30:29Z" -> (known after apply)
  ~ id         = "91ced9b-bb1e-4d9c-488c-6bf093a36d64" -> (known after apply)
  ~ is_expired = false -> (known after apply)
```

- When I go ahead and apply, I get this state file:

```json
"instances": [
  {
    "schema_version": 0,
    "attributes": {
      ...
      "cves": [],
      ...
    }
  }
]
```

What could have stopped the difference would have been me being able to give `cves` the value `[]`, but then I am running into that conflict error, which does not seem to be a conflict, as `cves = []` is not the same as `vulnerabilities = ["XRAY-170461"]`.

The only workaround I could think of was to change the state file manually by making `cves = []`. That resulted in `No changes. Your infrastructure matches the configuration.` but of course this is a bad practice and the state file should never be manually updated.
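The distinction this thread turns on, an attribute omitted from the config (null) versus set to an empty list, can be modelled in a few lines. The Go program below is an added example written for this page; it is not the xray provider's code and does not use the Terraform SDK. The `Attribute` type, the two conflict checks and `forcesReplacement` are assumed, simplified semantics: `conflictsNaive` treats any present attribute as conflicting (the behaviour reported above), `conflictsNonEmpty` only flags populated lists, and `forcesReplacement` shows why an omitted `cves` next to an imported state of `[]` produces a destroy-and-recreate plan unless null and empty are treated as equivalent.

```go
package main

import "fmt"

// Attribute models a Terraform list attribute in three states:
// omitted from the config (Set == false, i.e. null), set to an
// empty list, or populated. This is a simplified model, not the
// provider's real schema type.
type Attribute struct {
	Set    bool     // false means the attribute was omitted (null)
	Values []string // meaningful only when Set is true
}

// Omitted returns an attribute that is absent from the config (null).
func Omitted() Attribute { return Attribute{} }

// List returns an attribute explicitly set to the given values;
// List() with no arguments is the "cves = []" case from the issue.
func List(v ...string) Attribute {
	return Attribute{Set: true, Values: append([]string{}, v...)}
}

// conflictsNaive mirrors a "ConflictsWith"-style check that only asks
// whether both attributes are present in the configuration. An empty
// list counts as present, which is the behaviour the issue reports.
func conflictsNaive(cves, vulns Attribute) bool {
	return cves.Set && vulns.Set
}

// conflictsNonEmpty only reports a conflict when both attributes carry
// values, so cves = [] beside vulnerabilities = ["XRAY-170461"] passes.
func conflictsNonEmpty(cves, vulns Attribute) bool {
	return len(cves.Values) > 0 && len(vulns.Values) > 0
}

// forcesReplacement decides whether the config value and the imported
// state value differ for an attribute that cannot be updated in place.
// With nullEqualsEmpty == false, a config that omits the attribute
// does not match a state of [], so the plan forces -/+ replacement.
func forcesReplacement(config, state Attribute, nullEqualsEmpty bool) bool {
	if nullEqualsEmpty && len(config.Values) == 0 && len(state.Values) == 0 {
		return false
	}
	if config.Set != state.Set || len(config.Values) != len(state.Values) {
		return true
	}
	for i := range config.Values {
		if config.Values[i] != state.Values[i] {
			return true
		}
	}
	return false
}

func main() {
	empty, vulns := List(), List("XRAY-170461")
	fmt.Printf("naive conflict with cves=[]:          %v\n", conflictsNaive(empty, vulns))
	fmt.Printf("non-empty conflict with cves=[]:      %v\n", conflictsNonEmpty(empty, vulns))
	fmt.Printf("omitted config vs [] state replaces:  %v\n", forcesReplacement(Omitted(), empty, false))
	fmt.Printf("same, treating null as equal to []:   %v\n", forcesReplacement(Omitted(), empty, true))
}
```

Run with `go run .`; the four lines print `true`, `false`, `true`, `false`, which is exactly the shape of the thread: the naive check rejects `cves = []`, yet omitting `cves` leaves config (null) and imported state (`[]`) unequal, so the only way out without a state edit is for the provider to treat null and empty as equivalent or to accept `[]` without a conflict.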
@Osazz I see. Thanks for the clarification! I'll investigate this issue.
@alexhung any update on this issue?
Describe the bug: TF resource `xray_ignore_rule` fails on plan when `cves = []` and `vulnerabilities = ["XRAY-170461"]` with `Conflicting configuration arguments`.