jfrog / terraform-provider-xray

Terraform provider to manage JFrog Xray
https://jfrog.com/xray/
Apache License 2.0

TF plan shows deletion and recreation of policy rules on every run, even without changes to the configuration. #149

Closed nbaju1 closed 11 months ago

nbaju1 commented 12 months ago

Describe the bug Every time we run terraform plan the plan shows changes to rules in the severity policy. From the plan it seems like TF is just swapping the ordering of the two rules without doing any actual changes. No changes have been done manually in Xray prior to this.

Terraform config:

resource "xray_security_policy" "severity_high_critical" {
  name = "severity_high_critical"
  type = "security"
  rule {
    name     = "high_severity"
    priority = 2
    criteria {
      min_severity = "High"
    }
    actions {
      notify_deployer                   = false
      notify_watch_recipients           = false
      block_release_bundle_distribution = false
      fail_build                        = false
      block_download {
        active    = false
        unscanned = false
      }
    }

  }
  rule {
    name     = "critical_severity"
    priority = 1
    criteria {
      min_severity = "Critical"
    }
    actions {
      notify_deployer         = true
      notify_watch_recipients = true
      block_release_bundle_distribution = false
      fail_build                        = false
      block_download {
        active    = false
        unscanned = false
      }
    }

  }
}

terraform plan output:

 # module.xray.xray_security_policy.severity_high_critical will be updated in-place
  ~ resource "xray_security_policy" "severity_high_critical" {
        id       = "severity_high_critical"
        name     = "severity_high_critical"
        # (4 unchanged attributes hidden)

      ~ rule {
          ~ name     = "critical_severity" -> "high_severity"
          ~ priority = 1 -> 2

          - actions {
              - block_release_bundle_distribution  = false -> null
              - build_failure_grace_period_in_days = 0 -> null
              - create_ticket_enabled              = false -> null
              - fail_build                         = false -> null
              - mails                              = [] -> null
              - notify_deployer                    = true -> null
              - notify_watch_recipients            = true -> null
              - webhooks                           = [] -> null

              - block_download {
                  - active    = false -> null
                  - unscanned = false -> null
                }
            }
          + actions {
              + block_release_bundle_distribution = false
              + create_ticket_enabled             = false
              + fail_build                        = false
              + mails                             = []
              + notify_deployer                   = false
              + notify_watch_recipients           = false
              + webhooks                          = []

              + block_download {
                  + active    = false
                  + unscanned = false
                }
            }

          - criteria {
              - fix_version_dependant = false -> null
              - malicious_package     = false -> null
              - min_severity          = "Critical" -> null
            }
          + criteria {
              + fix_version_dependant = false
              + malicious_package     = false
              + min_severity          = "High"
            }
        }
      ~ rule {
          ~ name     = "high_severity" -> "critical_severity"
          ~ priority = 2 -> 1

          - actions {
              - block_release_bundle_distribution  = false -> null
              - build_failure_grace_period_in_days = 0 -> null
              - create_ticket_enabled              = false -> null
              - fail_build                         = false -> null
              - mails                              = [] -> null
              - notify_deployer                    = false -> null
              - notify_watch_recipients            = false -> null
              - webhooks                           = [] -> null

              - block_download {
                  - active    = false -> null
                  - unscanned = false -> null
                }
            }
          + actions {
              + block_release_bundle_distribution = false
              + create_ticket_enabled             = false
              + fail_build                        = false
              + mails                             = []
              + notify_deployer                   = true
              + notify_watch_recipients           = true
              + webhooks                          = []

              + block_download {
                  + active    = false
                  + unscanned = false
                }
            }

          - criteria {
              - fix_version_dependant = false -> null
              - malicious_package     = false -> null
              - min_severity          = "High" -> null
            }
          + criteria {
              + fix_version_dependant = false
              + malicious_package     = false
              + min_severity          = "Critical"
            }
        }
    }

Artifactory and Xray: Cloud
Terraform 1.4.6

Expected behavior No changes to the policy in question showing in the output of terraform plan.

nbaju1 commented 12 months ago

On a hunch I tried changing the order of the two rules in the TF config. The terraform plan output no longer shows changes to the policy after this. I'm guessing the ordering of the rules in the TF config must follow the priority numbering of the rules?

alexhung commented 11 months ago

@nbaju1 Thanks for the report. It does look like we are somehow depending on the ordering of the list. I'll investigate.
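The ordering dependence suspected above, shown as an added Go illustration (not the provider's own code or fix): a positional comparison of the rule list reports a change whenever the API returns rules in a different order than the config, while normalizing both sides by priority before comparing makes the plan clean yet still catches a real change to a rule. The `Rule` type and function names are assumed for this example; a perpetual diff like the one in the report matters beyond noise, because it masks genuine policy drift and causes every apply to rewrite the rules.

```go
package main
import (
	"fmt"
	"sort"
)

// Rule is a simplified stand-in for a policy rule block (assumed names, not the provider's own types).
type Rule struct {
	Name        string
	Priority    int
	MinSeverity string
}

// normalizeRules returns a copy sorted by priority (name as tie-breaker), so the order
// in which the API returned rules no longer matters when they are written to state.
func normalizeRules(rules []Rule) []Rule {
	out := append([]Rule(nil), rules...)
	sort.SliceStable(out, func(i, j int) bool {
		if out[i].Priority != out[j].Priority {
			return out[i].Priority < out[j].Priority
		}
		return out[i].Name < out[j].Name
	})
	return out
}

// rulesEqual is the positional, ordering-sensitive comparison that yields the spurious diff.
func rulesEqual(a, b []Rule) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// rulesEquivalent compares after normalization: the same rules in any order plan as no change.
func rulesEquivalent(a, b []Rule) bool {
	return rulesEqual(normalizeRules(a), normalizeRules(b))
}

func main() {
	// Constructed sample mirroring the issue: config lists priority 2 first, the API returns priority order.
	config := []Rule{{"high_severity", 2, "High"}, {"critical_severity", 1, "Critical"}}
	api := []Rule{{"critical_severity", 1, "Critical"}, {"high_severity", 2, "High"}}
	fmt.Println("positional diff:", !rulesEqual(config, api), "normalized diff:", !rulesEquivalent(config, api))
}
```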