search

splunk / terraform-provider-splunk

Terraform Provider for Splunk
Mozilla Public License 2.0
102 stars 75 forks source link

Terraform applies splunk_saved_searches changes but does not apply splunk_saved_searches changes #164

Closed cbaxtersf closed 1 year ago

cbaxtersf commented 1 year ago

I have a project that contains numerous splunk_saved_searches. On the initial creation/apply of the resources everything creates just fine. When I go to update one of the resources, Terraform locally shows that there are changes via a plan. Terraform cloud then shows the same changes and applies them fine. After the apply, looking at the resources, I can see that the apply did not actually happen. Then running a plan either locally or within Terraform Cloud, shows the same changes needing to be applied again. I can do plan/apply over and over in Terraform cloud and nothing changes in Splunk. In order to fix the issue, I have to delete the resources in Splunk and then remove the modules from the Terraform state file. After that, the next apply re-creates the resources correctly.

Example resource:

  name        = "${var.name}"
  description = var.description

  # These must be provided to show up as an alert
  # https://github.com/splunk/terraform-provider-splunk/issues/79
  # https://github.com/splunk/terraform-provider-splunk/issues/150
  alert_condition   = ""
  alert_digest_mode = true
  is_scheduled      = true
  alert_track       = var.alert
  alert_severity    = var.alert_severity

  search = trimspace(var.search)

  cron_schedule          = var.cron_schedule
  dispatch_earliest_time = var.dispatch_earliest_time
  dispatch_latest_time   = "now"

  actions                           = "email"
  action_email_format               = "table"
  action_email_to                   = var.notify_email_address
  action_email_subject              = "Splunk Alert: $name$"
  action_email_message_alert        = "The alert condition for '$name$' was triggered."
  action_email_include_search       = 1
  action_email_include_results_link = 1
  action_email_send_csv             = 1

  acl {
    owner   = ...
    sharing = ...
    app     = ...
  }
}

What is changing between applies is the search or creating as an alert vs a report. In either case, the apply says it worked but it actually didn't change anything within Splunk.

This is running on provider version v1.4.9.

cbaxtersf commented 1 year ago

Figured out that this is related to permission issue and schedule_priority. Once either removing schedule_priority or setting right permissions it worked. Related to https://github.com/splunk/terraform-provider-splunk/pull/153