logzio / terraform-provider-logzio

Terraform provider for logz.io alerts, endpoints and users
Apache License 2.0

Missing filter_must_not configuration #115

Closed davops closed 2 years ago

davops commented 2 years ago

Affected Resource(s)

Terraform Configuration Files

resource "logzio_alert_v2" "secrets_admin" {
  title                        = "Secrets Role"
  search_timeframe_minutes     = 30
  is_enabled                   = true
  tags                         = ["aws", "terraform", "iam"]

  suppress_notifications_minutes = 5
  output_type                    = "JSON"
  sub_components {
    account_ids_to_query_on     = [123, ]
    query_string                = "type:cloudtrail"
    group_by_aggregation_fields = []
    filter_must = jsonencode(
      [
        {
          match_phrase = {
            eventName = {
              query = "Federate"
            }
          }
        },
      ]
    )
    filter_must_not = jsonencode(
      {
        bool = {
          minimum_should_match = 1
          should = [
            {
              match_phrase = {
                "serviceEventDetails.account_id" = "123456"
              }
            },
          ]
        }
      },
    )
    should_query_on_all_accounts = false
    operation                    = "GREATER_THAN"
    value_aggregation_type       = "COUNT"
    severity_threshold_tiers {
      severity  = "HIGH"
      threshold = 0
    }
    columns {
      field_name = "geoip.real_region_name"
    }
    columns {
      field_name = "@timestamp"
    }
  }
}

Expected Behavior

logzio_alert_v2.secrets_admin: Modifications complete after 1s [id=5665517]

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.

The alert should be updated when it applies and match the configuration in Terraform.

Actual Behavior

logzio_alert_v2.secrets_admin: Modifications complete after 1s [id=5665517]

Apply complete! Resources: 0 added, 2 changed, 0 destroyed.

However, the alert itself doesn't have the filter_must_not configuration and Terraform will always show that it's missing.

Detailed log:

logzio_alert_v2.secrets_admin: Modifications complete after 1s [id=5665517]
2022-08-02T11:56:44.931-0400 [WARN]  Provider "provider[\"registry.terraform.io/logzio/logzio\"]" produced an unexpected new value for logzio_alert_v2.secrets_admin, but we are tolerating it because it is using the legacy plugin SDK.
    The following problems may be the cause of any confusing errors from downstream operations:
      - .updated_at: was cty.StringVal("2022-08-02T15:50:54.000Z"), but now cty.StringVal("2022-08-02T15:56:44.000Z")
      - .sub_components[0].filter_must_not: was cty.StringVal("{\"bool\":{\"minimum_should_match\":1,\"should\":[{\"match_phrase\":{\"serviceEventDetails.account_id\":\"123456\"}}]}}"), but now cty.StringVal("")

Steps to Reproduce

  1. terraform apply

Important Factoids

mirii1994 commented 2 years ago

Hi @davops 🙂 Note that filter_must_not expects an array of objects. In your config you inserted an object. I tried your config with the following modification (wrapped the object in array brackets):

resource "logzio_alert_v2" "secrets_admin" {
  title                        = "Secrets Role"
  search_timeframe_minutes     = 30
  is_enabled                   = true
  tags                         = ["aws", "terraform", "iam"]

  suppress_notifications_minutes = 5
  output_type                    = "JSON"
  sub_components {
    account_ids_to_query_on     = [123, ]
    query_string                = "type:cloudtrail"
    group_by_aggregation_fields = []
    filter_must = jsonencode(
      [
        {
          match_phrase = {
            eventName = {
              query = "Federate"
            }
          }
        },
      ]
    )
    filter_must_not = jsonencode(
      [
        {
          bool = {
            minimum_should_match = 1
            should = [
              {
                match_phrase = {
                  "serviceEventDetails.account_id" = "123456"
                }
              },
            ]
          }
        },
      ]
    )
    should_query_on_all_accounts = false
    operation                    = "GREATER_THAN"
    value_aggregation_type       = "COUNT"
    severity_threshold_tiers {
      severity  = "HIGH"
      threshold = 0
    }
    columns {
      field_name = "geoip.real_region_name"
    }
    columns {
      field_name = "@timestamp"
    }
  }
}

This config worked for me. Can you please try this, and let us know if this solves your issue?

mirii1994 commented 2 years ago

Hi @davops did you get a chance to check my suggestion?

davops commented 2 years ago

Yes, that worked. Thanks @mirii1994. It may be worth fixing up the plan so that it doesn't look like it's going to add those when it's not an array.

mirii1994 commented 2 years ago

Thank you for the feedback, we will work on improving it. Closing this issue :)
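The shape mismatch discussed in this thread can be caught before `terraform apply`. The following is an added example, not code from the provider or from either commenter: it scans the parsed output of `terraform show -json <planfile>` and reports any `filter_must` / `filter_must_not` value on a `logzio_alert_v2` resource that is not a JSON array of objects. The function names and the sample plan are constructed for illustration.

```python
import json

FILTER_ATTRS = ("filter_must", "filter_must_not")

def check_filter(value):
    """Return None for an empty value or a JSON array of objects, else a reason."""
    if value in (None, ""):
        return None
    try:
        decoded = json.loads(value)
    except (TypeError, ValueError) as exc:
        return f"not valid JSON: {exc}"
    if not isinstance(decoded, list):
        return f"expected a JSON array of objects, got {type(decoded).__name__}"
    bad = [i for i, item in enumerate(decoded) if not isinstance(item, dict)]
    return f"items at index {bad} are not objects" if bad else None

def find_bad_filters(plan):
    """Scan parsed `terraform show -json` output for mis-shaped alert filters."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "logzio_alert_v2":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        for idx, sub in enumerate(after.get("sub_components") or []):
            for attr in FILTER_ATTRS:
                reason = check_filter(sub.get(attr))
                if reason:
                    findings.append((rc["address"], idx, attr, reason))
    return findings

# Constructed sample: the filter values from the first config in this issue,
# as they would appear (already JSON-encoded strings) in the plan JSON.
MUST = '[{"match_phrase":{"eventName":{"query":"Federate"}}}]'
MUST_NOT = ('{"bool":{"minimum_should_match":1,"should":'
            '[{"match_phrase":{"serviceEventDetails.account_id":"123456"}}]}}')

def sample_plan(must_not):
    sub = {"filter_must": MUST, "filter_must_not": must_not}
    return {"resource_changes": [{
        "address": "logzio_alert_v2.secrets_admin",
        "type": "logzio_alert_v2",
        "change": {"actions": ["update"], "after": {"sub_components": [sub]}},
    }]}

if __name__ == "__main__":
    for address, idx, attr, reason in find_bad_filters(sample_plan(MUST_NOT)):
        print(f"{address}: sub_components[{idx}].{attr}: {reason}")
```

Run as a CI step on the plan JSON, a non-empty result can fail the pipeline so an alert is never applied with a filter that the API will discard.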