
TF plan shows deletion and recreation of policy rules on every run, even without changes to the configuration. #149

Closed
nbaju1 opened this issue Nov 23, 2023 · 2 comments · Fixed by #152
Labels
bug Something isn't working

Comments

@nbaju1

nbaju1 commented Nov 23, 2023

Describe the bug
Every time we run terraform plan the plan shows changes to rules in the severity policy. From the plan it seems like TF is just swapping the ordering of the two rules without doing any actual changes. No changes have been done manually in Xray prior to this.

Terraform config:

resource "xray_security_policy" "severity_high_critical" {
  name = "severity_high_critical"
  type = "security"
  rule {
    name     = "high_severity"
    priority = 2
    criteria {
      min_severity = "High"
    }
    actions {
      notify_deployer                   = false
      notify_watch_recipients           = false
      block_release_bundle_distribution = false
      fail_build                        = false
      block_download {
        active    = false
        unscanned = false
      }
    }

  }
  rule {
    name     = "critical_severity"
    priority = 1
    criteria {
      min_severity = "Critical"
    }
    actions {
      notify_deployer                   = true
      notify_watch_recipients           = true
      block_release_bundle_distribution = false
      fail_build                        = false
      block_download {
        active    = false
        unscanned = false
      }
    }

  }
}

terraform plan output:

 # module.xray.xray_security_policy.severity_high_critical will be updated in-place
  ~ resource "xray_security_policy" "severity_high_critical" {
        id       = "severity_high_critical"
        name     = "severity_high_critical"
        # (4 unchanged attributes hidden)

      ~ rule {
          ~ name     = "critical_severity" -> "high_severity"
          ~ priority = 1 -> 2

          - actions {
              - block_release_bundle_distribution  = false -> null
              - build_failure_grace_period_in_days = 0 -> null
              - create_ticket_enabled              = false -> null
              - fail_build                         = false -> null
              - mails                              = [] -> null
              - notify_deployer                    = true -> null
              - notify_watch_recipients            = true -> null
              - webhooks                           = [] -> null

              - block_download {
                  - active    = false -> null
                  - unscanned = false -> null
                }
            }
          + actions {
              + block_release_bundle_distribution = false
              + create_ticket_enabled             = false
              + fail_build                        = false
              + mails                             = []
              + notify_deployer                   = false
              + notify_watch_recipients           = false
              + webhooks                          = []

              + block_download {
                  + active    = false
                  + unscanned = false
                }
            }

          - criteria {
              - fix_version_dependant = false -> null
              - malicious_package     = false -> null
              - min_severity          = "Critical" -> null
            }
          + criteria {
              + fix_version_dependant = false
              + malicious_package     = false
              + min_severity          = "High"
            }
        }
      ~ rule {
          ~ name     = "high_severity" -> "critical_severity"
          ~ priority = 2 -> 1

          - actions {
              - block_release_bundle_distribution  = false -> null
              - build_failure_grace_period_in_days = 0 -> null
              - create_ticket_enabled              = false -> null
              - fail_build                         = false -> null
              - mails                              = [] -> null
              - notify_deployer                    = false -> null
              - notify_watch_recipients            = false -> null
              - webhooks                           = [] -> null

              - block_download {
                  - active    = false -> null
                  - unscanned = false -> null
                }
            }
          + actions {
              + block_release_bundle_distribution = false
              + create_ticket_enabled             = false
              + fail_build                        = false
              + mails                             = []
              + notify_deployer                   = true
              + notify_watch_recipients           = true
              + webhooks                          = []

              + block_download {
                  + active    = false
                  + unscanned = false
                }
            }

          - criteria {
              - fix_version_dependant = false -> null
              - malicious_package     = false -> null
              - min_severity          = "High" -> null
            }
          + criteria {
              + fix_version_dependant = false
              + malicious_package     = false
              + min_severity          = "Critical"
            }
        }
    }

Artifactory and Xray: Cloud
Terraform 1.4.6

Expected behavior
No changes to the policy in question showing in the output of terraform plan.

@nbaju1 nbaju1 added the bug Something isn't working label Nov 23, 2023
@nbaju1
Author

nbaju1 commented Nov 23, 2023

On a hunch I tried changing the order of the two rules in the TF config. The terraform plan output no longer shows changes to the policy after this. I'm guessing the ordering of the rules in the TF config must follow the priority numbering of the rules?

@alexhung alexhung assigned alexhung and unassigned danielmkn Nov 27, 2023
@alexhung
Member

@nbaju1 Thanks for the report. It does look like we are somehow depending on the ordering of the list. I'll investigate.

alexhung added a commit that referenced this issue Nov 30, 2023
Use schema.TypeSet for xray policy 'rule' attribute
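Why the plan above churns, as an added illustration that is not code from the provider: a positional comparison (what schema.TypeList does) reports two rule changes when the config lists the rules in a different order than the Xray API returns them, while a content-keyed comparison (what the schema.TypeSet change referenced above gives) reports nothing unless a rule really changed. The Rule struct, the key function and the two sample lists are constructed for this example from the config and plan in the report.

```go
package main

import (
	"fmt"
	"sort"
)

// Rule is an assumed stand-in for one xray_security_policy "rule" block.
type Rule struct {
	Name        string
	Priority    int
	MinSeverity string
}

// key plays the role of the TypeSet hash: identity comes from content only.
func key(r Rule) string { return fmt.Sprintf("%s|%d|%s", r.Name, r.Priority, r.MinSeverity) }

// canonical returns a copy of rules ordered by key, so two lists holding the
// same rules compare equal however the API or the config ordered them.
func canonical(rules []Rule) []Rule {
	out := append([]Rule(nil), rules...)
	sort.Slice(out, func(i, j int) bool { return key(out[i]) < key(out[j]) })
	return out
}

// Diff compares config against state element by element. asSet=false mimics
// schema.TypeList (position matters); asSet=true mimics schema.TypeSet by
// canonicalising both sides first, so only real content changes remain.
func Diff(config, state []Rule, asSet bool) (changes []string) {
	if asSet {
		config, state = canonical(config), canonical(state)
	}
	for i := range config { // rules beyond config's length (removals) are not modelled
		if i >= len(state) || config[i] != state[i] {
			changes = append(changes, fmt.Sprintf("rule[%d] now %s", i, key(config[i])))
		}
	}
	return changes
}

func main() {
	// Constructed from the issue: config lists high_severity first, while the
	// API returns rules in priority order, so state has critical_severity first.
	config := []Rule{{"high_severity", 2, "High"}, {"critical_severity", 1, "Critical"}}
	state := []Rule{{"critical_severity", 1, "Critical"}, {"high_severity", 2, "High"}}
	fmt.Println("TypeList-style:", Diff(config, state, false)) // 2 spurious changes
	fmt.Println("TypeSet-style:", Diff(config, state, true))   // none
}
```

Swapping the two rule blocks in the config, as the reporter did, makes the list-mode comparison quiet too, because the config then happens to match the API's order.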