Fixed PaloAltoNetworks#286 by forcing new a saved search resource if …

…the name changes — copy & delete search as expected by user, but update would copy without deletion. Fixed PaloAltoNetworks#181 by introducing support for updating search queries and documenting the need for the lifecycle create_before_destroy to be true.
comrumino · Apr 1, 2024 · d8b6845 · d8b6845
1 parent c1be22d
commit d8b6845
Show file tree

Hide file tree

Showing 7 changed files with 28 additions and 15 deletions.
diff --git a/README.md b/README.md
@@ -52,6 +52,8 @@ $ $GOPATH/bin/terraform-provider-prismacloud
 ...
 ```
 
+Since [vendoring](https://go.dev/ref/mod#vendoring) is used, make sure to execute `go mod vendor` as needed. If the `vendor` directory is not up-to-date, the `make build` command may return error messages containing `import lookup disabled by -mod=vendor`.
+
 To test the provider, you can run `make test`.
 
 ```sh

diff --git a/docs/resources/policy.md b/docs/resources/policy.md
@@ -87,9 +87,10 @@ resource "prismacloud_policy" "example" {
     rule_type = "Config"
     parameters = {
       savedSearch = true
-      withIac     = true
+      withIac     = false
     }
-    criteria = file("policies/aks/aks001.rql")
+    # Since search_id is not computed, make sure to use the id attribute so that terraform will track the dependency
+    criteria = prismacloud_saved_search.example.id
   }
 }
 
@@ -104,6 +105,9 @@ resource "prismacloud_saved_search" "example" {
       amount = prismacloud_rql_search.example.time_range.0.relative.0.amount
     }
   }
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 
 resource "prismacloud_rql_search" "example" {
@@ -115,6 +119,9 @@ resource "prismacloud_rql_search" "example" {
       amount = 24
     }
   }
+  lifecycle {
+    create_before_destroy = true
+  }
 }
 ```
 

diff --git a/docs/resources/rql_search.md b/docs/resources/rql_search.md
@@ -133,4 +133,4 @@ The following attributes are supported:
 
 `exceptions` supports the following attributes:
 
-* `message_code` - Message code.
+* `message_code` - Message code.
diff --git a/docs/resources/saved_search.md b/docs/resources/saved_search.md
@@ -22,6 +22,10 @@ resource "prismacloud_saved_search" "example" {
             amount = prismacloud_rql_search.x.time_range.0.relative.0.amount
         }
     }
+    lifecycle {
+        # Dependent resources need to be updated before destroy happens
+        create_before_destroy = true
+    }
 }
 
 resource "prismacloud_rql_search" "x" {
@@ -82,4 +86,4 @@ Resources can be imported using the saved-search ID:
 
 ```
 $ terraform import prismacloud_saved_search.example 11111111-2222-3333-4444-555555555555
-```
+```
diff --git a/go.mod b/go.mod
@@ -70,4 +70,4 @@ require (
 
 //replace github.com/paloaltonetworks/prisma-cloud-go => ../prisma-cloud-go
 
-go 1.17
+go 1.18
diff --git a/go.sum b/go.sum
@@ -590,7 +590,6 @@ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBc
 golang.org/x/sys v0.0.0-20220610221304-9f5ed59c137d/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220615213510-4f61da869c0c/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220624220833-87e55d714810/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220728004956-3c1f35247d10/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220803195053-6e608f9ce704 h1:Y7NOhdqIOU8kYI7BxsgL38d0ot0raxvcW+EMQU2QrT4=
 golang.org/x/sys v0.0.0-20220803195053-6e608f9ce704/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=

diff --git a/prismacloud/resource_saved_search.go b/prismacloud/resource_saved_search.go
@@ -36,6 +36,10 @@ func resourceSavedSearch() *schema.Resource {
 				Type:        schema.TypeString,
 				Required:    true,
 				Description: "Saved search name",
+				// Cannot be updated since the API copies the search and does not delete the original.
+				// ForceNew avoids cyclical issues and behaves more predictably for users (copy & delete).
+				// Assumes user sets lifecycle create_before_destroy to true
+				ForceNew:    true,
 			},
 			"description": {
 				Type:        schema.TypeString,
@@ -92,21 +96,18 @@ func createSavedSearch(ctx context.Context, d *schema.ResourceData, meta interfa
 		resp1 = resp2
 		return err
 	})
-
 	d.SetId(resp1.Id)
 
 	return readSavedSearch(ctx, d, meta)
 }
 
 func updateSavedSearch(ctx context.Context, d *schema.ResourceData, meta interface{}) diag.Diagnostics {
 	client := meta.(*pc.Client)
-	old, new := d.GetChange("name")
-	if old.(string) != new.(string) {
-		return diag.Errorf("saved search name is immutable")
-	}
-
+	// Note, search_id is ignored for updates
+	id := d.Id()
 	req := history.SavedSearch{
-		Id:          d.Get("search_id").(string),
+		Id:          id,
+		Saved:       true,
 		Name:        d.Get("name").(string),
 		Query:       d.Get("query").(string),
 		Description: d.Get("description").(string),
@@ -125,8 +126,8 @@ func updateSavedSearch(ctx context.Context, d *schema.ResourceData, meta interfa
 		resp1 = resp2
 		return err
 	})
-
-	d.SetId(resp1.Id)
+	// Any changes that result in a new Id, such as updating name, should force new
+	d.SetId(resp1.Id)  // noop
 
 	return readSavedSearch(ctx, d, meta)
 }