Skip to content

Chronicle Rule deployment issue #21347

New issue
New issue
Open
GoogleCloudPlatform/magic-modules
#13130
Open
Chronicle Rule deployment issue#21347
GoogleCloudPlatform/magic-modules
#13130
Labels
bugforward/reviewIn review; remove label to forwardservice/chronicle
@simonebruzzechesse

Description

@simonebruzzechesse
simonebruzzechesse
opened on Feb 11, 2025

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request.
  • Please do not leave +1 or me too comments, they generate extra noise for issue followers and do not help prioritize the request.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.
  • If an issue is assigned to a user, that user is claiming responsibility for the issue.
  • Customers working with a Google Technical Account Manager or Customer Engineer can ask them to reach out internally to expedite investigation and resolution of this issue.

Terraform Version & Provider Version(s)

Terraform v1.10.3 on MacOS

  • provider registry.terraform.io/hashicorp/google-beta v6.20.0

Affected Resource(s)

google_chronicle_rule
google_chronicle_rule_deployment

Terraform Configuration

Same code of the official documentation updating the rule_frequency to LIVE (which is the default of the rule created with the previous google_chronicle_rule resource.

resource "google_chronicle_rule" "my-rule" {
 provider = "google-beta"
 location = "us"
 instance = "00000000-0000-0000-0000-000000000000"
 text = <<-EOT
             rule test_rule { meta: events:  $userid = $e.principal.user.userid  match: $userid over 10m condition: $e }
         EOT
}

resource "google_chronicle_rule_deployment" "example" {
 provider = "google-beta"
 location = "us"
 instance = "00000000-0000-0000-0000-000000000000"
 rule = element(split("/", resource.google_chronicle_rule.my-rule.name), length(split("/", resource.google_chronicle_rule.my-rule.name)) - 1)
 enabled = true
 alerting = true
 archived = false
 run_frequency = "LIVE" # setting this to live is causing the issue cause that is already the frequency of the rule created (HOURLY works fine)
}

Currently there is no way not to specify the run_frequency (even if the documentation says it is optional).

Debug Output

No response

Expected Behavior

Creating the rule_deployment resource aligning the state of the rule deployment with the configuration available in terraform (even if the frequency is the same and there is no need to update it).

Actual Behavior


│ Error: Error creating RuleDeployment: googleapi: Error 409: run frequency already set to RUN_FREQUENCY_REALTIME

│ with google_chronicle_rule_deployment.example,
│ on main.tf line 58, in resource "google_chronicle_rule_deployment" "example":
│ 58: resource "google_chronicle_rule_deployment" "example" {

Steps to reproduce

  1. terraform apply

Important Factoids

No response

References

No response

Activity

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

No one assigned

    Labels

    bugforward/reviewIn review; remove label to forwardservice/chronicle

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions