Unable to create CI Vulnerability rules #80

@jhabikal21

Description

Describe the bug

I am using the Terraform resource `prismacloudcompute_ci_image_vulnerability_policy` to provision CI image vulnerability rules; however, it is not working correctly with a loop.

Expected behavior

It should provision multiple rules based on input provided.

Current behavior

Only the 0th index element gets created, and `terraform destroy` doesn't work.

Steps to reproduce

1. `main.tf`:

```hcl
locals {
  ci_image_vulnerability_policy_map = {
    "NOC Test" = {
      effect                   = "alert"
      collections              = ["All"]
      alert_threshold_disabled = false
      alert_threshold_value    = 1
      block_threshold_enabled  = false
      block_threshold_value    = 1
    },
    "Fail high and critical vulnerabilities, alert the rest" = {
      effect                   = "ignore"
      collections              = ["All"]
      alert_threshold_disabled = false
      alert_threshold_value    = 1
      block_threshold_enabled  = false
      block_threshold_value    = 7
    },
    // Add more entries as needed
  }
}

resource "prismacloudcompute_ci_image_vulnerability_policy" "ruleset" {
  for_each = local.ci_image_vulnerability_policy_map

  rule {
    name        = each.key
    effect      = each.value.effect
    collections = each.value.collections

    alert_threshold {
      disabled = lookup(each.value, "alert_threshold_disabled", false)
      value    = lookup(each.value, "alert_threshold_value", 1)
    }
    block_threshold {
      enabled = lookup(each.value, "block_threshold_enabled", false)
      value   = lookup(each.value, "block_threshold_value", 7)
    }
  }
}
```
2. `terraform init`, `terraform plan` and `terraform apply`.
3. Output of `terraform apply`:

```text
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # prismacloudcompute_ci_image_vulnerability_policy.ruleset["Fail high and critical vulnerabilities, alert the rest"] will be created
  + resource "prismacloudcompute_ci_image_vulnerability_policy" "ruleset" {
      + id = (known after apply)

      + rule {
          + collections = [
              + "All",
            ]
          + effect      = "ignore"
          + name        = "Fail high and critical vulnerabilities, alert the rest"

          + alert_threshold {
              + disabled = false
              + value    = 1
            }
          + block_threshold {
              + enabled = false
              + value   = 7
            }
        }
    }

  # prismacloudcompute_ci_image_vulnerability_policy.ruleset["NOC Test"] will be created
  + resource "prismacloudcompute_ci_image_vulnerability_policy" "ruleset" {
      + id = (known after apply)

      + rule {
          + collections = [
              + "All",
            ]
          + name        = "NOC Test"

          + alert_threshold {
              + disabled = false
              + value    = 1
            }
          + block_threshold {
              + enabled = false
              + value   = 1
            }
        }
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

prismacloudcompute_ci_image_vulnerability_policy.ruleset["NOC Test"]: Creating...
prismacloudcompute_ci_image_vulnerability_policy.ruleset["Fail high and critical vulnerabilities, alert the rest"]: Creating...
prismacloudcompute_ci_image_vulnerability_policy.ruleset["Fail high and critical vulnerabilities, alert the rest"]: Creation complete after 1s [id=ciImagesVulnerability]
prismacloudcompute_ci_image_vulnerability_policy.ruleset["NOC Test"]: Creation complete after 2s [id=ciImagesVulnerability]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.
```

Output of `terraform version`:

```text
PS C:\Users\253905\OneDrive - Resideo\Data-Backup\Bikal-downloads\prisma-cloud-tar\prisma-saas-onboarding> terraform version
Terraform v1.6.6
on windows_amd64
+ provider registry.terraform.io/hashicorp/local v2.4.1
+ provider registry.terraform.io/paloaltonetworks/prismacloud v1.5.1
+ provider registry.terraform.io/paloaltonetworks/prismacloudcompute v0.8.0

Your version of Terraform is out of date! The latest version
is 1.7.2. You can update by downloading from https://www.terraform.io/downloads.html
```
4. Terraform returns success, but the UI doesn't show the data. This is from the state file:

```json
"instances": [
  {
    "index_key": "Fail high and critical vulnerabilities, alert the rest",
    "schema_version": 0,
    "attributes": {
      "id": "ciImagesVulnerability",
      "rule": [
        {
          "alert_threshold": [
            {
              "disabled": false,
              "value": 1
            }
          ],
          "block_message": "",
          "block_threshold": [
            {
              "enabled": false,
              "value": 1
            }
          ],
          "collections": [
            "All"
          ],
          "cve_rule": [],
          "disabled": false,
          "effect": "alert",
          "grace_days": 0,
          "grace_days_policy": [
            {
              "critical": 0,
              "high": 0,
              "low": 0,
              "medium": 0
            }
          ],
          "name": "NOC Test",
          "notes": "",
          "only_fixed": false,
          "tag_rule": [],
          "verbose": false
        }
      ]
    },
    "sensitive_attributes": [],
    "private": "bnVsbA=="
  },
  {
    "index_key": "NOC Test",
    "schema_version": 0,
    "attributes": {
      "id": "ciImagesVulnerability",
      "rule": [
        {
          "alert_threshold": [
            {
              "disabled": false,
              "value": 1
            }
          ],
          "block_message": "",
          "block_threshold": [
            {
              "enabled": false,
              "value": 1
            }
          ],
          "collections": [
            "All"
          ],
          "cve_rule": [],
          "disabled": false,
          "effect": "alert",
          "grace_days": 0,
          "grace_days_policy": [
            {
              "critical": 0,
              "high": 0,
              "low": 0,
              "medium": 0
            }
          ],
          "name": "NOC Test",
          "notes": "",
          "only_fixed": false,
          "tag_rule": [],
          "verbose": false
        }
      ]
    },
    "sensitive_attributes": [],
    "private": "bnVsbA=="
  }
]
```

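The report's configuration puts `for_each` on the resource itself, and the apply output shows both instances receiving the same id (`ciImagesVulnerability`) while the state stores `rule` as a list: the inference is that this resource manages one policy that accepts repeated `rule` blocks, so two instances overwrite each other and the last write wins (the state above shows the "Fail high and critical" rule replaced by "NOC Test", with its block threshold silently reduced from 7 to 1). The following is an added example, not code from the issue or from the provider's own documentation, and that singleton-with-multiple-rules reading is an assumption drawn from the report rather than a fact stated on the page. It drives the same map into a single resource through a `dynamic "rule"` block and adds a `postcondition` (Terraform 1.2+) that fails the apply if the provider reads back fewer rules than were declared, which is the check that would have surfaced the silent overwrite.

```hcl
locals {
  ci_image_vulnerability_policy_map = {
    "NOC Test" = {
      effect                   = "alert"
      collections              = ["All"]
      alert_threshold_disabled = false
      alert_threshold_value    = 1
      block_threshold_enabled  = false
      block_threshold_value    = 1
    },
    "Fail high and critical vulnerabilities, alert the rest" = {
      effect                   = "ignore"
      collections              = ["All"]
      alert_threshold_disabled = false
      alert_threshold_value    = 1
      block_threshold_enabled  = false
      block_threshold_value    = 7
    },
  }
}

# A single resource instance. Assumption (from the identical id in the
# report's apply output): the provider treats the CI image vulnerability
# policy as one object, so each map entry must become a rule block inside
# the same resource instead of a separate resource instance.
resource "prismacloudcompute_ci_image_vulnerability_policy" "ruleset" {
  dynamic "rule" {
    for_each = local.ci_image_vulnerability_policy_map
    content {
      # Inside a dynamic block the iterator is named after the block ("rule").
      name        = rule.key
      effect      = rule.value.effect
      collections = rule.value.collections

      alert_threshold {
        disabled = lookup(rule.value, "alert_threshold_disabled", false)
        value    = lookup(rule.value, "alert_threshold_value", 1)
      }
      block_threshold {
        enabled = lookup(rule.value, "block_threshold_enabled", false)
        value   = lookup(rule.value, "block_threshold_value", 7)
      }
    }
  }

  lifecycle {
    # After apply, `self` is the state the provider read back. If the policy
    # holds fewer rules than the map declares, something overwrote or dropped
    # a rule and the CI gate is weaker than the configuration claims.
    postcondition {
      condition     = length(self.rule) == length(local.ci_image_vulnerability_policy_map)
      error_message = "Provider read back ${length(self.rule)} rule(s); ${length(local.ci_image_vulnerability_policy_map)} were declared."
    }
  }
}

# Handy for eyeballing what actually landed in the policy after apply.
output "ci_vulnerability_rule_names" {
  value = [for r in prismacloudcompute_ci_image_vulnerability_policy.ruleset.rule : r.name]
}
```

With this layout `terraform destroy` also has a single object to delete, rather than two instances that both claim the same remote policy. The postcondition is deliberately on the resource rather than in a separate `check` block so that a mismatch fails the apply instead of only warning.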

Metadata

Assignees: no one assigned

Labels: bug (Something isn't working)
