trendmicro / terraform-provider-conformity

Conformity Terraform provider
https://registry.terraform.io/providers/trendmicro/conformity/latest/docs
Mozilla Public License 2.0

conformity_azure_account: Rule settings are not applied if no settings are defined #23

Open jbrmg opened 2 years ago

jbrmg commented 2 years ago

Hi,

we face the issue that rule settings are not updated when terraform apply is executed (provider version 0.3.9). Here is a description on how to reproduce the issue:

  1. Define a conformity_azure_account resource without rule settings

Example:

resource "conformity_azure_account" "test" {
  name                = "test"
  environment         = "env"
  active_directory_id = "ad-id"
  subscription_id     = "sub-id"
}

  2. Define a profile with manual rule configurations

Example:

image

  3. Apply the profile to the Azure account with strategy replace
  4. Run terraform apply

Terraform will detect the manual rule configurations and wants to remove them:

image

After applying the changes and running terraform plan, Terraform will plan the same changes as the manual rule configurations are still present in the backend.

The logs indicate that no update request is sent to the backend:

2022-06-07T07:43:35.060Z [INFO]  Starting apply for conformity_azure_account.test
2022-06-07T07:43:35.063Z [DEBUG] conformity_azure_account.test: applying the planned Update change
2022-06-07T07:43:35.471Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Request URL: https://conformity.de-1.cloudone.trendmicro.com/api/accounts/<account-id> timestamp=2022-06-07T07:43:35.471Z
2022-06-07T07:43:35.473Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Method: GET: timestamp=2022-06-07T07:43:35.471Z
2022-06-07T07:43:35.474Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] -----RA+5YKL+m3qN54ho102L6AuoPfkw+XFmmkaFziGph6jbfrdiir3LktPuo+Y9cJ9jBqT2EuEwjhYqFWzgHWB2808DNM9spSO8oXvbicKqFZ2NjVZx4xQW0Khws311SaQHEyiCd8kD/7hYo1QBwO0bRCeaS8hXj8h74/Mz+cJjZ+8u8CSNKHcn8wMX+p5SONPSaeN5TqCBmE/pyxSN2REZinoiWXcSBGXigtFK4eU4d0WvtZRTs62VlU2fc+MK7h6Lm11x9F/Z5vJ+cyzv/RbE+JC4VzbsGz0ApUlYOpfjwTocmloRsU7xpUEBa1YEsjZki9/qB2EL7Zyhn7pp0mJdkg==-----: timestamp=2022-06-07T07:43:35.471Z
2022-06-07T07:43:35.971Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Response Body of accountDetails: timestamp=2022-06-07T07:43:35.971Z
2022-06-07T07:43:35.973Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 0x6b6340: timestamp=2022-06-07T07:43:35.971Z
2022-06-07T07:43:35.975Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] ----------: timestamp=2022-06-07T07:43:35.972Z
2022-06-07T07:43:35.977Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Request URL: https://conformity.de-1.cloudone.trendmicro.com/api/accounts/<account-id>/settings/rules: timestamp=2022-06-07T07:43:35.975Z
2022-06-07T07:43:35.979Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Method: GET: timestamp=2022-06-07T07:43:35.975Z
2022-06-07T07:43:35.980Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] -----PD/4vMjGx5WLvBiuIp+G02LJixds6i4QXZvWuHosHpcLRFD5XdN+t0Bq8qC2cqBjRbMVw/AOi6Iu2SKc7S9+RVjodQnFX9WkViXy13GQ8dScN5VZoyIfU9yaLvwG15VaV7H3F3wRnEDBNbC9hOrZ4vKzEsCu6rB5oK5qxirSAm0jAIvalVuPdyU8Mklt1l02w5DgIywgzyd+8Pan4f7Sc9ruQUS4fy7dGJA1eB7gdfRMZv3POyhaAd7v6jei7XcqsecbhLjxYVI4Qvi3WNtkM2c+QHa9t16Hwb0z5rEPze1stNuIpA/Nghyb9KEzJUbIFEW/VIxNSP08GvnkqrmfAQ==-----: timestamp=2022-06-07T07:43:35.976Z
2022-06-07T07:43:36.438Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:36 [DEBUG] Response Body of GetAccountRuleSettings: timestamp=2022-06-07T07:43:36.437Z
2022-06-07T07:43:36.440Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:36 0x6b6340: timestamp=2022-06-07T07:43:36.437Z
2022-06-07T07:43:36.443Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:36 [DEBUG] ----------: timestamp=2022-06-07T07:43:36.438Z
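Added example (not part of the original issue and not the provider's code): a Python check that reads Terraform debug output in the format quoted above, pairs each `Request URL` line with the `Method` line that follows it, and reports resources whose planned Update produced only read-only requests. It assumes one resource is applied at a time, so every request after an "applying the planned ... change" line belongs to that resource; the sample is abridged from the log above.

```python
import re

# Sample input: abridged from the log quoted in the issue (the opaque
# "-----...-----" dumps and response-body lines are left out).
SAMPLE_LOG = """\
2022-06-07T07:43:35.063Z [DEBUG] conformity_azure_account.test: applying the planned Update change
2022-06-07T07:43:35.471Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Request URL: https://conformity.de-1.cloudone.trendmicro.com/api/accounts/<account-id> timestamp=2022-06-07T07:43:35.471Z
2022-06-07T07:43:35.473Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Method: GET: timestamp=2022-06-07T07:43:35.471Z
2022-06-07T07:43:35.977Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Request URL: https://conformity.de-1.cloudone.trendmicro.com/api/accounts/<account-id>/settings/rules: timestamp=2022-06-07T07:43:35.975Z
2022-06-07T07:43:35.979Z [INFO]  provider.terraform-provider-conformity_v0.3.9: 2022/06/07 07:43:35 [DEBUG] Method: GET: timestamp=2022-06-07T07:43:35.975Z
"""

APPLY_RE = re.compile(r"\[DEBUG\] (\S+): applying the planned (\w+) change")
URL_RE = re.compile(r"Request URL: (\S+?):? timestamp=")  # trailing ':' is optional in the log
METHOD_RE = re.compile(r"Method: ([A-Z]+)")
READ_ONLY = {"GET", "HEAD", "OPTIONS"}

def audit_applies(log_text):
    """Return {resource: {"action": str, "requests": [(method, url), ...]}}."""
    applies, current, pending_url = {}, None, None
    for line in log_text.splitlines():
        m = APPLY_RE.search(line)
        if m:  # a new resource starts applying; later requests belong to it
            current = applies.setdefault(m.group(1), {"action": m.group(2), "requests": []})
            pending_url = None
            continue
        m = URL_RE.search(line)
        if m:  # remember the URL until its Method line arrives
            pending_url = m.group(1)
            continue
        m = METHOD_RE.search(line)
        if m and current is not None and pending_url is not None:
            current["requests"].append((m.group(1), pending_url))
            pending_url = None
    return applies

def silent_updates(applies):
    """Resources whose planned Update sent no state-changing request."""
    return sorted(
        name for name, info in applies.items()
        if info["action"] == "Update"
        and all(method in READ_ONLY for method, _ in info["requests"])
    )

if __name__ == "__main__":
    for name in silent_updates(audit_applies(SAMPLE_LOG)):
        print(f"{name}: Update applied, but only read-only requests were sent")
```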

mustafa-qamaruddin commented 2 years ago

I have encountered the same issue in the latest release v.0.4.5

  # conformity_azure_account.test will be updated in-place
  ~ resource "conformity_azure_account" "test" {
        id                  = "xxxx-xxxx-xxxxx-xxxx-xxxx"
        name                = "test"
      ~ tags                = [
          - "env",
        ]
        # (3 unchanged attributes hidden)

      - settings {

          - rule {
              - rule_id = "SecurityCenter-020" -> null

              - settings {
                  - enabled     = true -> null
                  - rule_exists = false -> null

                  - extra_settings {
                      - name    = "complianceStandards" -> null
                      - regions = [] -> null
                      - type    = "choice-multiple-value" -> null

                      - values {
                          - enabled = true -> null
                          - label   = "Azure CIS 1.1.0" -> null
                          - value   = "Azure-CIS-1.1.0" -> null
                        }
                    }
                }
            }
          - rule {
              - rule_id = "VirtualMachines-004" -> null

              - settings {
                  - enabled     = true -> null
                  - risk_level  = "HIGH" -> null
                  - rule_exists = false -> null

                  - extra_settings {
                      - name    = "approvedExtensions" -> null
                      - regions = [] -> null
                      - type    = "multiple-string-values" -> null

                      - values {
                          - enabled = false -> null
                          - value   = "AzureDiskEncryptionForLinux" -> null
                        }
                    }
                }
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.