jfrog / terraform-provider-xray

Terraform provider to manage JFrog Xray
https://jfrog.com/xray/
Apache License 2.0

Creating xray_watch resource with ant_filter and empty "exclude_pattern" results in recreating the resource on every run #241

Closed jan-huso closed 1 week ago

jan-huso commented 2 weeks ago

I'm creating an xray_watch resource and define an include_pattern in the ant_filter. The exclude_pattern should be empty so I use []. The resource is created successfully but on every new run tf wants to recreate the watch_resource because the exclude_pattern is "missing".

Tested on TF 1.9.5 and xray 2.11

TF source code:

resource "xray_watch" "repository-ant-filter" {
  name        = "repository-watch-test"
  description = "Watch a single repo or a list of repositories, using ant pattern"
  active      = false
  project_key = "lzt2"

  watch_resource {
    type = "all-builds"
    # bin_mgr_id = "default"
    # name       = "your-repository-name"
    # repo_type  = "local"

    ant_filter {
      exclude_patterns = []
      include_patterns = ["**/*.js"]
    }
  }
}

TF plan after the resource is already created:

Terraform will perform the following actions:

  # xray_watch.repository-ant-filter will be updated in-place
  ~ resource "xray_watch" "repository-ant-filter" {
        name        = "repository-watch-test"
        # (3 unchanged attributes hidden)

      - watch_resource {
          - bin_mgr_id = "default" -> null
          - type       = "all-builds" -> null

          - ant_filter {
              - include_patterns = [
                  - "**/*.js",
                ] -> null
            }
        }
      + watch_resource {
          + bin_mgr_id = "default"
          + type       = "all-builds"

          + ant_filter {
              + exclude_patterns = []
              + include_patterns = [
                  + "**/*.js",
                ]
            }
        }
    }

alexhung commented 2 weeks ago

@jan-huso If you wish to have empty patterns, have you tried omitting the attribute completely?

jan-huso commented 2 weeks ago

@alexhung yes, but I get an error from Terraform that the attribute is required

alexhung commented 2 weeks ago

@jan-huso Thanks! I'll investigate.

alexhung commented 2 weeks ago

@jan-huso Using the following TF configuration, I am able to create the policy and watch without the exclude_patterns attribute:

terraform {
  required_providers {
    xray = {
      source  = "jfrog/xray"
      version = "2.11.0"
    }
  }
}

resource "xray_security_policy" "security" {
  name        = "test-policy"
  description = "Security policy description"
  type        = "security"
  rule {
    name     = "rule-name-severity"
    priority = 1
    criteria {
      min_severity = "High"
    }

    actions {
      mails    = ["test@email.com"]
      block_download {
        unscanned = true
        active    = true
      }
      block_release_bundle_distribution  = true
      fail_build                         = true
      notify_watch_recipients            = true
      notify_deployer                    = true
      create_ticket_enabled              = false
      build_failure_grace_period_in_days = 5
    }
  }
}

resource "xray_watch" "test-watch" {
  name = "test-watch"
  active = true

  watch_resource {
    type        = "all-builds"
    bin_mgr_id  = "default"

    ant_filter {
      include_patterns = ["**/*.js"]
    }
  }

  assigned_policy {
    name    = xray_security_policy.security.name
    type    = "security"
  }

  watch_recipients = [
    "test@email.com",
  ]
}

Running this with Terraform 1.9.5, provider 2.11.0, Xray 3.014.10:

alexh@alexh-mac terraform-provider-xray % terraform init --upgrade
Initializing the backend...
Initializing provider plugins...
- Finding jfrog/xray versions matching "2.11.0"...
- Installing jfrog/xray v2.11.0...
- Installed jfrog/xray v2.11.0 (signed by a HashiCorp partner, key ID 2FA4D2A520237FA7)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has made some changes to the provider dependency selections recorded
in the .terraform.lock.hcl file. Review those changes and commit them to your
version control system if they represent changes you intended to make.

Terraform has been successfully initialized!

You may now begin working with Terraform. Try running "terraform plan" to see
any changes that are required for your infrastructure. All Terraform commands
should now work.

If you ever set or change modules or backend configuration for Terraform,
rerun this command to reinitialize your working directory. If you forget, other
commands will detect it and remind you to do so if necessary.
alexh@alexh-mac terraform-provider-xray % terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # xray_security_policy.security will be created
  + resource "xray_security_policy" "security" {
      + author      = (known after apply)
      + created     = (known after apply)
      + description = "Security policy description"
      + id          = (known after apply)
      + modified    = (known after apply)
      + name        = "test-policy"
      + type        = "security"

      + rule {
          + name     = "rule-name-severity"
          + priority = 1

          + actions {
              + block_release_bundle_distribution  = true
              + block_release_bundle_promotion     = false
              + build_failure_grace_period_in_days = 5
              + create_ticket_enabled              = false
              + fail_build                         = true
              + mails                              = [
                  + "test@email.com",
                ]
              + notify_deployer                    = true
              + notify_watch_recipients            = true
              + webhooks                           = []

              + block_download {
                  + active    = true
                  + unscanned = true
                }
            }

          + criteria {
              + applicable_cves_only  = false
              + fix_version_dependant = false
              + malicious_package     = false
              + min_severity          = "High"
              + package_versions      = []
              + vulnerability_ids     = []
                # (2 unchanged attributes hidden)
            }
        }
    }

  # xray_watch.test-watch will be created
  + resource "xray_watch" "test-watch" {
      + active           = true
      + name             = "test-watch"
      + watch_recipients = [
          + "test@email.com",
        ]

      + assigned_policy {
          + name = "test-policy"
          + type = "security"
        }

      + watch_resource {
          + bin_mgr_id = "default"
          + type       = "all-builds"

          + ant_filter {
              + include_patterns = [
                  + "**/*.js",
                ]
            }
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
alexh@alexh-mac terraform-provider-xray % terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # xray_security_policy.security will be created
  + resource "xray_security_policy" "security" {
      + author      = (known after apply)
      + created     = (known after apply)
      + description = "Security policy description"
      + id          = (known after apply)
      + modified    = (known after apply)
      + name        = "test-policy"
      + type        = "security"

      + rule {
          + name     = "rule-name-severity"
          + priority = 1

          + actions {
              + block_release_bundle_distribution  = true
              + block_release_bundle_promotion     = false
              + build_failure_grace_period_in_days = 5
              + create_ticket_enabled              = false
              + fail_build                         = true
              + mails                              = [
                  + "test@email.com",
                ]
              + notify_deployer                    = true
              + notify_watch_recipients            = true
              + webhooks                           = []

              + block_download {
                  + active    = true
                  + unscanned = true
                }
            }

          + criteria {
              + applicable_cves_only  = false
              + fix_version_dependant = false
              + malicious_package     = false
              + min_severity          = "High"
              + package_versions      = []
              + vulnerability_ids     = []
                # (2 unchanged attributes hidden)
            }
        }
    }

  # xray_watch.test-watch will be created
  + resource "xray_watch" "test-watch" {
      + active           = true
      + name             = "test-watch"
      + watch_recipients = [
          + "test@email.com",
        ]

      + assigned_policy {
          + name = "test-policy"
          + type = "security"
        }

      + watch_resource {
          + bin_mgr_id = "default"
          + type       = "all-builds"

          + ant_filter {
              + include_patterns = [
                  + "**/*.js",
                ]
            }
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

xray_security_policy.security: Creating...
xray_security_policy.security: Creation complete after 0s [id=test-policy]
xray_watch.test-watch: Creating...
xray_watch.test-watch: Creation complete after 0s [name=test-watch]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
alexh@alexh-mac terraform-provider-xray % terraform plan
xray_security_policy.security: Refreshing state... [id=test-policy]
xray_watch.test-watch: Refreshing state... [name=test-watch]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

alexhung commented 2 weeks ago

@jan-huso I repeated the same configuration but with a project_key set and the result is the same. I am able to create the watch resource without the exclude_patterns attribute.

jan-huso commented 2 weeks ago

@alexhung thx for the example, I will try to reproduce it on my side :)

jan-huso commented 1 week ago

@alexhung I tested your code and it worked on my side as well. I did not declare my variable as optional. Thx for the help and sorry for the wrong bug report! :)
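The resolution above is that the module variable feeding ant_filter was not declared optional, which forced a caller to pass exclude_patterns = [] and produced the perpetual diff. The configuration below is an added illustration of that fix, not code from the thread or the provider; it assumes the watch is created from a module with an object-typed variable named ant_filter (a hypothetical name) and follows alexhung's all-builds example.

```hcl
# Added example: module input where exclude_patterns may be omitted by the caller.
# An omitted optional() attribute is null, and Terraform treats a null argument
# in a resource block the same as not setting it, so no diff is produced on
# the next plan. Hypothetical variable name; not part of the original issue.
variable "ant_filter" {
  type = object({
    include_patterns = list(string)
    exclude_patterns = optional(list(string)) # null when the caller leaves it out
  })
}

resource "xray_watch" "repository-ant-filter" {
  name        = "repository-watch-test"
  description = "Watch all builds, using ant patterns"
  active      = false
  project_key = "lzt2"

  watch_resource {
    type       = "all-builds"
    bin_mgr_id = "default"

    ant_filter {
      include_patterns = var.ant_filter.include_patterns

      # Terraform does not short-circuit || and &&, so length(null) would error;
      # try() returns 0 for a null value. Both "omitted" and "explicit []"
      # collapse to null here, i.e. the attribute is simply not sent.
      exclude_patterns = (
        try(length(var.ant_filter.exclude_patterns), 0) == 0
        ? null
        : var.ant_filter.exclude_patterns
      )
    }
  }
}

# Constructed caller-side value (e.g. in a .tfvars file) that previously had to
# carry exclude_patterns = [] and now may omit it:
#
#   ant_filter = {
#     include_patterns = ["**/*.js"]
#   }
```

With this shape a caller that does supply exclude_patterns still gets it applied, while omitting it or passing an empty list no longer causes the watch_resource block to be rewritten on every run.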