datadog_security_monitoring_rule 409 conflict #2441

Closed
chrislewis-fd opened this issue Jun 17, 2024 · 1 comment
chrislewis-fd commented Jun 17, 2024

Datadog Terraform Provider Version

v3.36.0

Terraform Version

v.1.5

What resources or data sources are affected?

datadog_security_monitoring_rule

Terraform Configuration Files

resource "datadog_security_monitoring_suppression" "okta_suppression_approved_clients" {
  name              = "Okta Approved Client Suppressions"
  description       = "Okta Approved Client Suppressions for approved EIT/CSD IP block names"
  enabled           = true
  rule_query        = "ruleId:oqn-z2v-zb0 OR ruleId:udl-try-rfr OR ruleId:iuw-gk5-8zb"
  suppression_query = "@network.client.geoip.as.name:(\"Netskope Inc\" OR \"Pulse Secure VPN\" OR \"Amazon.com, Inc.\")"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_approved_app_ids" {
  name              = "Okta Approved App ID Suppressions"
  description       = "Okta Approved App ID Suppressions for EIT/CSD Apps"
  enabled           = true
  rule_query        = "ruleId:hdb-ydu-3kl"
  suppression_query = "@target.alternateId:(removed)"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_approved_users" {
  name              = "Okta Approved User Suppressions"
  description       = "Okta Approved User Suppressions for EIT/CSD service accounts"
  enabled           = true
  rule_query        = "ruleId:oqn-z2v-zb0 OR ruleId:iuw-gk5-8zb"
  suppression_query = "@usr.email:(removed)"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_approved_ips" {
  name              = "Okta Approved IP Suppressions"
  description       = "Okta Approved IP Suppressions for EIT/CSD Approved Services"
  enabled           = true
  rule_query        = "ruleId:oqn-z2v-zb0 OR ruleId:iuw-gk5-8zb"
  suppression_query = "@network.client.ip:(removed)"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_mfa_events" {
  name              = "Okta MFA Event Suppressions"
  description       = "Okta MFA Event Suppressions that are not relevant"
  enabled           = true
  rule_query        = "ruleId:m8j-tb3-2ee"
  suppression_query = "@evt.name:(user.mfa.factor.update OR user.mfa.factor.activate) AND @evt.name:(user.mfa.factor.deactivate OR user.mfa.factor.reset_all)"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_zcaler_ppb" {
  name              = "Okta PPB ZScaler Suppressions"
  description       = "CSD-16212"
  enabled           = true
  rule_query        = "ruleId:udl-try-rfr OR ruleId:oqn-z2v-zb0 OR ruleId:iuw-gk5-8zb"
  suppression_query = "source:okta @network.client.geoip.as.number:removed AND @usr.email:(*ppb.com OR *paddypowerbetfair.com)"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_S2G_office" {
  name              = "Okta S2G Office IP suppressions"
  description       = "CSD-16347"
  enabled           = true
  rule_query        = "ruleId:udl-try-rfr OR ruleId:oqn-z2v-zb0 OR ruleId:iuw-gk5-8zb"
  suppression_query = "source:okta @network.client.ip:removed.* @usr.email:removed"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_behaviour_mfa" {
  name              = "Okta Behaviours MFA events suppression"
  description       = "CSD-16486"
  enabled           = true
  rule_query        = "ruleId:udl-try-rfr"
  suppression_query = "source:okta @evt.name:(system.push.send_factor_verify_push OR user.authentication.auth_via_mfa)"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_user_agent_strings" {
  name              = "Okta Behaviours, travel and new country various User Agent String"
  description       = "CSD-16500 and CSD-16707"
  enabled           = true
  rule_query        = "ruleId:udl-try-rfr OR  ruleId:mub-wvj-mvl OR ruleId:oqn-z2v-zb0 OR ruleId:iuw-gk5-8zb"
  suppression_query = "source:okta @http.useragent:(\"Windows-AzureAD-Authentication-Provider/1.0\" OR SecurityAgentHelper* OR Jamf*)"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_approved_vpns" {
  name              = "Okta Approved VPNs Suppressions"
  description       = "CSD-16609"
  enabled           = true
  rule_query        = "ruleId:udl-try-rfr OR ruleId:mub-wvj-mvl OR ruleId:oqn-z2v-zb0 OR ruleId:iuw-gk5-8zb"
  suppression_query = "source:okta (@displayName.group:\"Palo Alto Networks - GlobalProtect\" OR @target.displayName:\"Palo Alto Networks - GlobalProtect\")"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_preview_env" {
  name              = "Okta Preview env Suppressions"
  description       = "CSD-16580"
  enabled           = true
  rule_query        = "source:okta"
  suppression_query = "source:okta env:preview"
}

resource "datadog_security_monitoring_suppression" "okta_suppression_inflight_travel" {
  name              = "Okta Allowed InFlight Wifi Provider Suppressions"
  description       = "CSD-16231"
  enabled           = true
  rule_query        = "ruleId:mub-wvj-mvl OR ruleId:iuw-gk5-8zb"
  suppression_query = "source:okta @network.client.geoip.as.number:(removed)"
}

Relevant debug or panic output

module.okta_rules.datadog_security_monitoring_rule.okta_new_country_login: Modifications complete after 0s [id=oqn-z2v-zb0]

  | ╷
  | │ Error: error creating security monitoring suppression
  | │
  | │ with module.suppressions.datadog_security_monitoring_suppression.okta_suppression_approved_clients,
  | │ on suppressions/okta_suppression.tf line 1, in resource "datadog_security_monitoring_suppression" "okta_suppression_approved_clients":
  | │ 1: resource "datadog_security_monitoring_suppression" "okta_suppression_approved_clients" {
  | │
  | │ 409 Conflict: {"errors":["already_exists(Concurrent modifications detected, please reload and try again)"]}
  | │
  | ╵
  | ╷
  | │ Error: error creating security monitoring suppression
  | │
  | │ with module.suppressions.datadog_security_monitoring_suppression.okta_suppression_zcaler_ppb,
  | │ on suppressions/okta_suppression.tf line 41, in resource "datadog_security_monitoring_suppression" "okta_suppression_zcaler_ppb":
  | │ 41: resource "datadog_security_monitoring_suppression" "okta_suppression_zcaler_ppb" {
  | │
  | │ 409 Conflict: {"errors":["already_exists(Concurrent modifications detected, please reload and try again)"]}
  | │
  | ╵
  | ╷
  | │ Error: error creating security monitoring suppression
  | │
  | │ with module.suppressions.datadog_security_monitoring_suppression.okta_suppression_behaviour_mfa,
  | │ on suppressions/okta_suppression.tf line 57, in resource "datadog_security_monitoring_suppression" "okta_suppression_behaviour_mfa":
  | │ 57: resource "datadog_security_monitoring_suppression" "okta_suppression_behaviour_mfa" {
  | │
  | │ 409 Conflict: {"errors":["already_exists(Concurrent modifications detected, please reload and try again)"]}
  | │
  | ╵
  | ╷
  | │ Error: error creating security monitoring suppression
  | │
  | │ with module.suppressions.datadog_security_monitoring_suppression.okta_suppression_approved_vpns,
  | │ on suppressions/okta_suppression.tf line 73, in resource "datadog_security_monitoring_suppression" "okta_suppression_approved_vpns":
  | │ 73: resource "datadog_security_monitoring_suppression" "okta_suppression_approved_vpns" {
  | │
  | │ 409 Conflict: {"errors":["already_exists(Concurrent modifications detected, please reload and try again)"]}
  | │
  | ╵
  | Error: Process exit code: 1

Expected Behavior

The build should pass.

Actual Behavior

The build fails, then subsequent runs clear one error each time until the build passes.

Steps to Reproduce

Happens in the terraform apply stage

Important Factoids

No response

References

No response

Contributor

nkzou commented Jun 17, 2024

Closed with PR #2442

nkzou closed this as completed Jun 17, 2024