
terraform-provider-xray's Introduction

Terraform Provider Xray


To use this provider in your Terraform module, follow the documentation here.

Xray general information

Xray API Documentation

Quick Start

Create a new Terraform file with the Xray resources (and the Artifactory and Project resources they depend on):

HCL Example
# Required for Terraform 0.13 and up (https://www.terraform.io/upgrade-guides/0-13.html)
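terraform {
  required_providers {
    artifactory = {
      source  = "jfrog/artifactory"
      version = "10.1.2"
    }

    project = {
      source  = "jfrog/project"
      version = "1.3.4"
    }

    xray = {
      source  = "jfrog/xray"
      version = "2.2.0"
    }

    # The random_id resource used below for unique names comes from
    # hashicorp/random. Declaring it here makes the dependency explicit
    # instead of relying on Terraform's implicit lookup of undeclared
    # providers in the hashicorp namespace.
    random = {
      source = "hashicorp/random"
    }
  }
}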
provider "artifactory" {
  # No credentials are written into the configuration: the provider reads
  # ARTIFACTORY_URL, ARTIFACTORY_USERNAME and ARTIFACTORY_PASSWORD from the
  # environment.
}

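provider "project" {
  # Connection settings are passed in through Terraform input variables here;
  # alternatively leave both out and supply PROJECT_URL and
  # PROJECT_ACCESS_TOKEN as env vars. Declare var.project_access_token with
  # `sensitive = true` (Terraform 0.14+) so it is redacted from plan output.
  #
  # `var.x` replaces the legacy "${var.x}" interpolation-only form, which
  # Terraform reports as deprecated.
  url          = var.project_url
  access_token = var.project_access_token
}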

provider "xray" {
  # Left empty on purpose. The provider can be configured entirely from env vars:
  #   JFROG_URL or XRAY_URL
  #   XRAY_ACCESS_TOKEN or JFROG_ACCESS_TOKEN
}

# Two random bytes whose decimal form (random_id.randid.dec) is appended to
# the policy and watch names below so repeated applies do not collide.
resource "random_id" "randid" {
  byte_length = 2
}

# Sample Artifactory user placed in the built-in "readers" group.
# The password literal is a placeholder for the example only: in a real
# configuration pass it in through a variable marked sensitive (or a secret
# store) so it is neither committed nor printed in plan output.
resource "artifactory_user" "user1" {
  name   = "user1"
  email  = "[email protected]"
  groups = ["readers"]

  password = "Passw0rd!"
}

# Local Docker repository that the "repository" watch below points at.
resource "artifactory_local_docker_v2_repository" "docker-local" {
  key         = "docker-local"
  description = "hello docker-local"

  # Xray indexing must be enabled before a watch can be assigned to the repo.
  xray_index = true

  tag_retention   = 3
  max_unique_tags = 5
}

# Local Gradle repository, the second target of the "repository" watch below.
resource "artifactory_local_gradle_repository" "local-gradle-repo" {
  key = "local-gradle-repo-basic"

  # Xray indexing must be enabled before a watch can be assigned to the repo.
  xray_index = true

  checksum_policy_type            = "client-checksums"
  snapshot_version_behavior       = "unique"
  max_unique_snapshots            = 10
  handle_releases                 = true
  handle_snapshots                = true
  suppress_pom_consistency_checks = true
}

# First of two projects watched by xray_watch.project below.
resource "project" "myproject" {
  key          = "test"
  display_name = "My Project"
  description  = "My Project"

  # Project admins may manage membership, resources and Xray indexing.
  admin_privileges {
    manage_members   = true
    manage_resources = true
    index_resources  = true
  }
}

# Second project watched by xray_watch.project below; only the key differs.
resource "project" "myproject1" {
  key          = "test1"
  display_name = "My Project"
  description  = "My Project"

  # Project admins may manage membership, resources and Xray indexing.
  admin_privileges {
    manage_members   = true
    manage_resources = true
    index_resources  = true
  }
}


# Security policy keyed on a minimum severity. It is the policy assigned by
# every watch in this example.
resource "xray_security_policy" "security1" {
  name        = "test-security-policy-severity-${random_id.randid.dec}"
  description = "Security policy description"
  type        = "security"

  rule {
    name     = "rule-name-severity"
    priority = 1

    # Violate on anything rated High or above.
    criteria {
      min_severity = "High"
    }

    actions {
      # Block downloads of both unscanned artifacts and artifacts with
      # active violations.
      block_download {
        unscanned = true
        active    = true
      }

      block_release_bundle_distribution = true
      fail_build                        = true
      # Only meaningful while fail_build is enabled.
      build_failure_grace_period_in_days = 5

      notify_watch_recipients = true
      notify_deployer         = true
      mails                   = ["[email protected]"]
      webhooks                = []

      # Requires a configured Jira integration before it can be turned on.
      create_ticket_enabled = false
    }
  }
}

# Security policy keyed on a CVSS score range instead of a severity label.
# Defined for illustration; no watch in this example assigns it.
resource "xray_security_policy" "security2" {
  name        = "test-security-policy-cvss-${random_id.randid.dec}"
  description = "Security policy description"
  type        = "security"

  rule {
    name     = "rule-name-cvss"
    priority = 1

    # Inclusive CVSS bounds; decimals are accepted.
    criteria {
      cvss_range {
        from = 1.5
        to   = 5.3
      }
    }

    actions {
      # Block downloads of both unscanned artifacts and artifacts with
      # active violations.
      block_download {
        unscanned = true
        active    = true
      }

      block_release_bundle_distribution = true
      fail_build                        = true
      # Only meaningful while fail_build is enabled.
      build_failure_grace_period_in_days = 5

      notify_watch_recipients = true
      notify_deployer         = true
      mails                   = ["[email protected]"]
      webhooks                = []

      # Requires a configured Jira integration before it can be turned on.
      create_ticket_enabled = false
    }
  }
}

# Allow-list license policy: anything outside the listed licenses violates.
# Assigned by every watch in this example.
resource "xray_license_policy" "license1" {
  name        = "test-license-policy-allowed-${random_id.randid.dec}"
  description = "License policy, allow certain licenses"
  type        = "license"

  rule {
    name     = "License_rule"
    priority = 1

    criteria {
      allowed_licenses = ["Apache-1.0", "Apache-2.0"]
      # Components with an unrecognised license are treated as violations.
      allow_unknown = false
      # A multi-licensed component passes if any of its licenses is allowed.
      multi_license_permissive = true
    }

    actions {
      # Block downloads of both unscanned artifacts and artifacts with
      # active violations.
      block_download {
        unscanned = true
        active    = true
      }

      # Severity reported for violations of this rule.
      custom_severity = "High"

      block_release_bundle_distribution = false
      fail_build                        = true
      # Only meaningful while fail_build is enabled.
      build_failure_grace_period_in_days = 5

      notify_watch_recipients = true
      notify_deployer         = true
      mails                   = ["[email protected]"]
      webhooks                = []

      # Requires a configured Jira integration before it can be turned on.
      create_ticket_enabled = false
    }
  }
}

# Deny-list license policy: only the listed licenses violate.
# Defined for illustration; no watch in this example assigns it.
resource "xray_license_policy" "license2" {
  name        = "test-license-policy-banned-${random_id.randid.dec}"
  description = "License policy, block certain licenses"
  type        = "license"

  rule {
    name     = "License_rule"
    priority = 1

    criteria {
      banned_licenses = ["Apache-1.1", "APAFML"]
      # Components with an unrecognised license are treated as violations.
      allow_unknown = false
      # A multi-licensed component violates if any of its licenses is banned.
      multi_license_permissive = false
    }

    actions {
      # Block downloads of both unscanned artifacts and artifacts with
      # active violations.
      block_download {
        unscanned = true
        active    = true
      }

      # Severity reported for violations of this rule.
      custom_severity = "Medium"

      block_release_bundle_distribution = false
      fail_build                        = true
      # Only meaningful while fail_build is enabled.
      build_failure_grace_period_in_days = 5

      notify_watch_recipients = true
      notify_deployer         = true
      mails                   = ["[email protected]"]
      webhooks                = []

      # Requires a configured Jira integration before it can be turned on.
      create_ticket_enabled = false
    }
  }
}

# Watch covering every repository whose name matches the regex filter
# (".*" = all of them), with one security and one license policy attached.
resource "xray_watch" "all-repos" {
  name        = "all-repos-watch-${random_id.randid.dec}"
  description = "Watch for all repositories, matching the filter"
  active      = true

  watch_recipients = ["[email protected]", "[email protected]"]

  watch_resource {
    type = "all-repos"

    filter {
      type  = "regex"
      value = ".*"
    }
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }
}

# Watch over two named repositories, each with its own filter.
resource "xray_watch" "repository" {
  name        = "repository-watch-${random_id.randid.dec}"
  description = "Watch a single repo or a list of repositories"
  active      = true

  watch_recipients = ["[email protected]", "[email protected]"]

  # NOTE(review): an issue on this page reports that on SaaS instances the
  # binary manager id created by the UI is "artifactory_saas", and that with
  # "default" violations did not trigger — verify the value against your
  # instance.
  watch_resource {
    type       = "repository"
    bin_mgr_id = "default"
    name       = artifactory_local_docker_v2_repository.docker-local.key

    filter {
      type  = "regex"
      value = ".*"
    }
  }

  watch_resource {
    type       = "repository"
    bin_mgr_id = "default"
    name       = artifactory_local_gradle_repository.local-gradle-repo.key

    # NOTE(review): a "Docker" package-type filter on a Gradle repository
    # looks copied from the block above — confirm it matches anything,
    # otherwise this repository is effectively not watched.
    filter {
      type  = "package-type"
      value = "Docker"
    }
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }
}

# Watch over two named builds. Build names are placeholders: replace them with
# builds that actually exist in Artifactory.
resource "xray_watch" "build" {
  name        = "build-watch-${random_id.randid.dec}"
  description = "Watch a single build or a list of builds"
  active      = true

  watch_recipients = ["[email protected]", "[email protected]"]

  watch_resource {
    type       = "build"
    bin_mgr_id = "default"
    name       = "your-build-name"
  }

  watch_resource {
    type       = "build"
    bin_mgr_id = "default"
    name       = "your-other-build-name"
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }
}

# Watch covering every project in the instance.
resource "xray_watch" "all-projects" {
  name        = "all-projects-watch-${random_id.randid.dec}"
  description = "Watch all the projects"
  active      = true

  watch_recipients = ["[email protected]", "[email protected]"]

  watch_resource {
    type       = "all-projects"
    bin_mgr_id = "default"
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }
}

# Watch over the two projects defined above, referenced by key.
resource "xray_watch" "project" {
  name        = "project-watch-${random_id.randid.dec}"
  description = "Watch selected projects"
  active      = true

  watch_recipients = ["[email protected]", "[email protected]"]

  watch_resource {
    type = "project"
    name = project.myproject.key
  }

  watch_resource {
    type = "project"
    name = project.myproject1.key
  }

  assigned_policy {
    type = "security"
    name = xray_security_policy.security1.name
  }

  assigned_policy {
    type = "license"
    name = xray_license_policy.license1.name
  }
}

License requirements:

This provider requires Xray to be added to your Artifactory installation. Xray requires at minimum a Pro Team license (Public Marketplace version or SaaS) or a Pro X license (Self-hosted). See the details here. You can determine which license you have by accessing the following Artifactory URL: ${host}/artifactory/api/system/licenses/

Limitations of functionality

Currently, the Xray provider does not support JSON objects in the Watch filter value. We are working on adding this functionality.

Versioning

In general, this project follows semver as closely as we can for tagging releases of the package. We've adopted the following versioning policy:

  • We increment the major version with any incompatible change to functionality, including changes to the exported Go API surface or behavior of the API.
  • We increment the minor version with any backwards-compatible changes to functionality.
  • We increment the patch version with any backwards-compatible bug fixes.

Contributors

See the contribution guide.

License

Copyright (c) 2024 JFrog.

Apache 2.0 licensed, see LICENSE file.


terraform-provider-xray's Issues

License requirements

Describe the bug
Hi there,
We have a Commercial type Artifactory license with X-Ray functionality up and running:

{
  "type" : "Commercial",
  "validThrough" : "Apr 22, 2023",
  "licensedTo" : "Redacted"
}

Are we eligible to use this terraform provider?

Error: Artifactory Projects requires Enterprise license to work with Terraform!

We have no issues using https://github.com/jfrog/terraform-provider-artifactory which allows setting check_license = false:
https://registry.terraform.io/providers/jfrog/artifactory/latest/docs#check_license

Add support for repository retention policies

In Xray v3.41.4 support for retention periods for scans was added. This allows for configuration of the number of days scans should be kept for, as well as being able to set retention periods based on specific ant patterns. The latter is useful for removing source jars from maven scans.

The Xray API supports this [1][2] and a resource (or resources) for this should be added to the Xray provider to support this.

[1] https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API#XrayRESTAPI-UpdateRepositoriesConfigurations
[2] https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API#XrayRESTAPI-GetRepositoriesConfigurations

Behavior of "all-repos" and "all-builds" when using project_key

This is more of a question than an issue. I just want to confirm my understanding of the behavior of a watch when a project key is provided. Does using an all-repos or all-builds watch with a project_key mean that the watch covers all of the builds and all of the repos of that project, and nothing outside the project? And if someone sets up an all-repos and an all-builds watch without setting a project_key, does the watch cover every build and every repo in Artifactory?

resource "xray_watch" "alpha_security_watch" {
  name        = "alpha-security-watch"
  description = "Alpha Security Watch"
  active      = true
  project_key = "alpha"

  watch_resource {
    type = "all-repos"
  }

  watch_resource {
    type = "all-builds"

    ant_filter {
      include_patterns = ["**ALPHA**", "**alpha**"]
    }
  }

  assigned_policy {
    name = xray_security_policy.security_policy.name
    type = "security"
  }

  watch_recipients = []

  depends_on = [
    project.alpha_project,
    xray_security_policy.alpha_security_policy
  ]
}

Indexed Resources in terraform

Hey, please add the ability to add repositories to "Indexed Resources" in Xray. this will allow us to manage multiple clusters \ regions in a single location.

Running into state changes in policy when using All Severities

Describe the bug
I am using All Severities for the min_severity in our license and security policy. Every time I run terraform plan and terraform apply for code changes I see state changes to the security and license policy even though the resources were not touched. Getting the license and security policy using the REST API shows that the min_severity value to be unknown when selecting All Severities in the UI. Instead of passing the string "All Severities" to the REST API the provider can pass the string "unknown" to avoid state changes on each terraform plan and apply when using All Severities for the min_severity of license or security policy.

Requirements for an issue
Example of state change.

  # module.xray_security_policy.security_policy will be updated in-place
~ resource "xray_security_policy" "security_policy" {
        id          = "security-policy"
        name        = "security-policy"
        # (6 unchanged attributes hidden)

      ~ rule {
            name     = "severity-rule"
            # (1 unchanged attribute hidden)


          + criteria {
              + fix_version_dependant = false
              + min_severity          = "All Severities"
            }
          - criteria {
              - fix_version_dependant = false -> null
              - min_severity          = "unknown" -> null
            }
            # (1 unchanged block hidden)
        }
    }

Expected behavior
There should be no state changes to a license or security policy if the resources have not been modified.

Additional context
Add any other context about the problem here.

Support for XRAY webhooks

Is your feature request related to a problem? Please describe.
Not related to a problem. However, the ability to create webhooks in xray is important for other integrations

Describe the solution you'd like

resource "xray_webhook" "myotherservice" {
   url = "http://thing.com/hook"
   auth { // xor on these 3 methods
    bearer { // optional
       token = "marked as sensitive"
    }
    basic {
      username = "optional"
      password = "sensitive"
    }
    header {
     FooHeader = "sensitive"
     }
   }
   headers {
    MyHeader = "value"
   }
}

Additional context
There is no current "legit" api for this, so the UI endpoint will need to be used. Please talk to @alexhung or Karol where to find an example integration

make install broken

make install is currently broken. It errors with the following output:
sed: 1: "sample.tf": unterminated substitute pattern

I'm not super knowledgeable about sed, but I was able to get make install to work successfully by changing this line to use sed -ie instead of just sed -i

bin_mgr_id documentation issue

The docs say to set bin_mgr_id to 'default' in the watch resource. However when you do this it makes it so that policies will not actually trigger an Xray violation on the resources they're watching. After some poking around I figured out that if you set bin_mgr_id to 'artifactory_saas' (this is what it gets set to when you manually create or edit a watch via the UI), then the violation triggering works as intended.

error message for incorrect policy type is not helpful

Describe the bug

  • when the xray_operational_risk_policy field type is set to the value "Operational_Risk" the error message is "Got Invalid Policy". The error message should provide more information about why the policy is invalid.

Requirements for an issue

resource "xray_operational_risk_policy" "op_risk" {
  name        = "operational-risk"
  description = "operational risk policy"
  type        = "Operational_Risk"  # terraform documentation says "Operational_Risk", which is wrong

  rule {
    name     = "the-rule"
    priority = 1

    criteria {
      op_risk_min_risk = "Medium"
    }

    actions {
      webhooks                          = []
      mails                             = []
      block_release_bundle_distribution = false
      fail_build                        = false
      notify_watch_recipients           = false
      notify_deployer                   = false
      create_ticket_enabled             = false

      block_download {
        unscanned = false
        active    = false
      }
    }
  }
}
  • artifactory version: 7.417
  • xray version: 3.60.2
  • terraform 1.1.3

Expected behavior

  • the error message should be "The value Operational_Risk is not a valid policy type. Did you mean operational_risk?"

Additional context

 Error: 
│ 400 PUT https://artifactory.katanagraph.io/xray/api/v2/policies/operational-risk
│ {"error":"Got Invalid Policy 'operational-risk'"}

Watch Resource - support for Property and Path Filters

I'd like to use this provider for the watch support, but we need the include/exclude filters.

I've tested jfrog/terraform-provider-artifactory#36 and also found that:

  • Property filters are not supported
  • Resource documentation is missing

I'd be happy to contribute, but it's unclear as to how the schema should be defined to support the filters.

One potential option would be to name specific filter types - property_filter and path_filter, but this goes against the generic filters block.

resource "xray_watch" "test" {
	name  = "%s"
	description = "%s"
	resources {
		type = "repository"
		name = "%s"
		bin_mgr_id = "%s"
		filters {
			type = "package-type"
			value = "%s"
		}
                property_filter { # 1 or more of these can be defined
                  key = "someKey"  # required field
                  value = "someValue" # required field
                }
                path_filter { # 0 or 1 of these can be defined.
                  exclude_patterns = ["some/path"] # default value of []
                  include_patterns = ["some/path"] # default value of []
                }
	}
	assigned_policies {
		name = xray_policy.test.name
		type = "security"
	}
}

Personally, I would consider changing the interface to have specific filter parameters for each filter type, i.e. package_type, etc., as there are quite a few filter options, because:

  • the filter type string isn't clear and obvious. For example, the path filter for builds is ant-patterns but for repositories it is path-ant-patterns.
  • There are different filters that apply to a repository or a build. I'm not sure how obvious/helpful the error message that Artifactory/Xray returns is.

You can go to jfrog/terraform-provider-artifactory#6 to view some fuller examples.

Add project key attribute to resources where the API supports projectKey parameter

Our use case for Xray requires granting access to resources without the global "manage" permissions that would grant access to all Xray resources. To do this, we need to use the limited access granted with Projects to allow Xray resources to be created with the same limited access.

It appears that the Xray API provides the ability to create watches (see sample 5) and policies (see sample 4) in projects. From what I can tell, this is different than creating e.g. a watch that uses a watch resource of type project, since that would not grant users who have permissions in the project to manage the watch in the UI. So, we would like to be able to create Projects, grant users access to resources in that project, and create watches and policies in that project.

We would like to be able to do this all within Terraform. Right now, the xray provider does not support the projectKey query parameter that would allow this.

For example, using some sample code from the documentation:

resource "xray_watch" "repository" {
  name        = "repository-watch"
  description = "Watch a single repo or a list of repositories"
  active      = true

  # new attribute
  project_key = "test"

  watch_resource {
    type       = "repository"
    bin_mgr_id = "default"
    name       = "your-repository-name"
    repo_type  = "local"

    filter {
      type  = "regex"
      value = ".*"
    }
  }

  watch_recipients = ["[email protected]", "[email protected]"]
}

See jfrog/terraform-provider-project#39 for previous discussion.

XRAY - CVSS range doesn't support decimals

Description
Hello Artifactory devs, I am trying to create new policy set for Xray. I found small problem in policy definition. I am using CVSS3 scoring system and it works with decimals.

Example:

resource "artifactory_xray_policy" "my_severity_policy" {
  name        = "my-severity"
  description = "Managed by Terraform"
  type        = "security"
  rules {
    name     = "high-severity-rule"
    priority = 1
    criteria {
      cvss_range {
        from = 7
        to   = 10
      }
    }
    actions {
      fail_build = false
      mails      = []
      webhooks   = []
      block_download {
        active    = false
        unscanned = false
      }
    }
  }
}

Requirements for an issue

  • I need to be able to work with decimals in code block like this:
     cvss_range {
        from = 7.1
        to   = 9.4
      }
    }
  • My version of Artifactory is 7.15.4 rev
  • My version of Terraform (Terraform v1.0.4)

Expected behavior
I want to be able to work with more granular ranges than whole numbers. It's possible via the console but not via Terraform.

Additional context
This issue affects all the companies working with proper CVSS scoring and especially with https://www.first.org/cvss/calculator/3.0 . Working with granular policies allows to setup proper blocking, notification and watcher setup for X-Ray.

Add `fix_version_dependant` flag to Xray policies. Added since Xray 3.44.1

Exclude Violations with No Available Fixed Version
Introducing a new capability in Xray Policies, where you can set a policy rule to not generate violations for security issues that do not contain a fixed version. This new capability will help you improve your security workflow in enabling you to exclude violations at the Policy level by not failing builds for issues that do not contain a fixed version. Whenever a fixed version is available, the violation will be generated. For more information, see Triggering Violations Using Policy Rules.

This feature is also supported through the Create Policy REST API.

API body example:

"criteria": { "min_severity": "medium", "fix_version_dependant": true, },

Add support for Xray Ignore Rules

Xray does container scanning, and supports Ignore rules for allowing exceptions.

We have many containers that are reporting critical vulnerabilities that are not actually critical due to other compensating controls we have in place.

We want the ability to programmatically define ignore rules using Terraform as infrastructure as code.

Documentation
Rest API Documentation

POST /api/v1/ignore_rules
“vulnerabilities”/“licenses”/“cves”/“policies”/“watches”/“docker-layers”  - []string 

licenses endpoint 400 response

I'm a JFrog customer with the following license info: { "type" : "Enterprise", "validThrough" : "N/R", "licensedTo" : "Artifactory Online Dedicated", "subscriptionType" : "enterprise_xray_team" }

When I try to use this provider I get the following error:
Error: 400 GET https://opploans.jfrog.io/artifactory/api/system/licenses/ { "errors" : [ { "status" : 400, "message" : "Artifactory Online does not require license, Please contact [email protected] for further assistance if required." } ] }

If I change

_, err := client.R().SetResult(&license).Get("/artifactory/api/system/licenses/")
to be _, err := client.R().SetResult(&license).Get("/artifactory/api/system/license/") (singular), and re-install the provider it works without error. The JFrog API docs reference "/licenses" not "/license" so I'm not sure if the docs are wrong or what's up with that.

xray_ignore_rule errors out on apply

Describe the bug
TF resource xray_ignore_rule fails on apply

Requirements for an issue

  • Artifactory version
{
  "version" : "7.43.1",
  "revision" : "74301900",
  "addons" : [ "aol", "ha", "build", "docker", "vagrant", "replication", "filestore", "plugins", "gems", "composer", "npm", "bower", "git-lfs", "nuget", "debian", "opkg", "rpm", "cocoapods", "conan", "vcs", "pypi", "release-bundle", "jf-connect", "jf-event", "replicator", "keys", "alpine", "cargo", "chef", "federated", "git", "observability", "pub", "rest", "swift", "conda", "terraform", "tracker", "license", "puppet", "ldap", "sso", "layouts", "properties", "search", "securityresourceaddon", "filtered-resources", "p2", "watch", "webstart", "support", "xray", "retention" ],
  "license" : "5f9df6071ac09d605be66ff4193b62e06cdb28b04",
  "entitlements" : {
    "EVENT_BASED_PULL_REPLICATION" : true,
    "SMART_REMOTE_TARGET_FOR_EDGE" : false,
    "REPO_REPLICATION" : true,
    "MULTIPUSH_REPLICATION" : true
  }
}
  • Xray Version
{"xray_version":"3.59.4","xray_revision":"c932c00"}

  • Terraform Version
 1.3.6.
  • Relevant Terraform Code - Very Minimal
resource "xray_ignore_rule" "this" {
  notes        = var.notes
  cves         = var.cves
  watches      = var.watches
}

  • Terraform Plan/apply Output + Error
$ terraform apply 
Acquiring state lock. This may take a few moments...
data.vault_generic_secret.tf_af_rw_user: Reading...
data.vault_generic_secret.tf_af_rw_user: Read complete after 0s [id=secret/common/artifactory_saas/automation/tf-af-rw-user]
module.xray_security_policy_image_promotion.xray_security_policy.this: Refreshing state... [id=tf-policy-image-promotion]
module.xray_security_watch_image_promotion.xray_watch.this: Refreshing state... [id=tf-watch-image-promotion]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.xray_ignore_rule.xray_ignore_rule.this will be created
  + resource "xray_ignore_rule" "this" {
      + author           = (known after apply)
      + created          = (known after apply)
      + cves             = [
          + "CVE-2021-43616",
        ]
      + docker_layers    = (known after apply)
      + id               = (known after apply)
      + is_expired       = (known after apply)
      + licenses         = (known after apply)
      + notes            = "Ignore rule"
      + operational_risk = (known after apply)
      + policies         = (known after apply)
      + vulnerabilities  = (known after apply)
      + watches          = [
          + "tf-watch-image-promotion",
        ]

      + artifact {
          + name    = (known after apply)
          + path    = (known after apply)
          + version = (known after apply)
        }

      + build {
          + name    = (known after apply)
          + version = (known after apply)
        }

      + component {
          + name    = (known after apply)
          + version = (known after apply)
        }

      + release_bundle {
          + name    = (known after apply)
          + version = (known after apply)
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions in workspace "shared"?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

module.xray_ignore_rule.xray_ignore_rule.this: Creating...
╷
│ Error: Plugin did not respond
│ 
│   with module.xray_ignore_rule.xray_ignore_rule.this,
│   on ../modules/ignore-rules/main.tf line 14, in resource "xray_ignore_rule" "this":
│   14: resource "xray_ignore_rule" "this" {
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵
Releasing state lock. This may take a few moments...

Stack trace from the terraform-provider-xray_v1.9.4 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x2 addr=0x0 pc=0x1050a6650]

goroutine 53 [running]:
github.com/jfrog/terraform-provider-xray/pkg/xray.resourceXrayIgnoreRule.func3({{0x1400003c420, 0x24}, {0x0, 0x0}, {0x1400003a1c0, 0xd}, 0x1400000c150, 0x0, {0x1400003a1d0, 0xb}, ...}, ...)
        github.com/jfrog/terraform-provider-xray/pkg/xray/resource_xray_ignore_rule.go:312 +0x2a0
github.com/jfrog/terraform-provider-xray/pkg/xray.resourceXrayIgnoreRule.func7({0x105360d50, 0x140001704e0}, 0x140004b8300, {0x105350620?, 0x140005ca1e0})
        github.com/jfrog/terraform-provider-xray/pkg/xray/resource_xray_ignore_rule.go:455 +0x4f8
github.com/jfrog/terraform-provider-xray/pkg/xray.resourceXrayIgnoreRule.func8({0x105360d50, 0x140001704e0}, 0x1400055cef8?, {0x105350620?, 0x140005ca1e0?})
        github.com/jfrog/terraform-provider-xray/pkg/xray/resource_xray_ignore_rule.go:494 +0x2e8
github.com/jfrog/terraform-provider-shared/util.applyTelemetry.func1({0x105360d50?, 0x140001704e0}, 0x0?, {0x105350620?, 0x140005ca1e0})
        github.com/jfrog/[email protected]/util/util.go:225 +0x1d4
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x140002afea0, {0x105360d88, 0x140004ac270}, 0xd?, {0x105350620, 0x140005ca1e0})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:707 +0xec
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x140002afea0, {0x105360d88, 0x140004ac270}, 0x1400013ab60, 0x140004b8200, {0x105350620, 0x140005ca1e0})
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:837 +0x874
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x140003fe5a0, {0x105360ce0?, 0x1400010f9c0?}, 0x14000537540)
        github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1021 +0xb94
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x14000399720, {0x105360d88?, 0x14000565a70?}, 0x14000542af0)
        github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:812 +0x38c
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x10532c360?, 0x14000399720}, {0x105360d88, 0x14000565a70}, 0x140001712c0, 0x0)
        github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x174
google.golang.org/grpc.(*Server).processUnaryRPC(0x1400027c8c0, {0x105363728, 0x140001024e0}, 0x14000575e60, 0x14000413b30, 0x1057da8e0, 0x0)
        google.golang.org/[email protected]/server.go:1282 +0xb3c
google.golang.org/grpc.(*Server).handleStream(0x1400027c8c0, {0x105363728, 0x140001024e0}, 0x14000575e60, 0x0)
        google.golang.org/[email protected]/server.go:1619 +0x840
google.golang.org/grpc.(*Server).serveStreams.func1.2()
        google.golang.org/[email protected]/server.go:921 +0x88
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/[email protected]/server.go:919 +0x298

Error: The terraform-provider-xray_v1.9.4 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Expected behavior
Expected Ignore rule to be created, but fails with above error.

Error 400 when adding remote repository to xray_watch

Hi Team,

I'm getting 400 error when creating an xray_watch resource which includes remote repositories.

Here is a watch created manually through the GUI:

{
    "general_data": {
      "id": "bac6529a90896cba473f2000",
      "name": "local-and-remote-repos-TF",
      "active": true
    },
    "project_resources": {
      "resources": [
        {
          "type": "repository",
          "name": "pypi-local",
          "bin_mgr_id": "default",
          "repo_type": "local"
        },
        {
          "type": "repository",
          "name": "pypi-remote",
          "bin_mgr_id": "default",
          "repo_type": "remote"
        }
      ]
    },
    "assigned_policies": [
      {
        "name": "Remote-and-Local-Repos-Policy-Manual",
        "type": "security"
      }
    ]
}

Now I successfully create the following xray_watch which contains local repository only:

resource "xray_watch" "remote_and_local_repo" {
  name   = "local-and-remote-repos-TF"
  active = true

  watch_resource {
    type = "repository"
    name = "pypi-local"
  }
  assigned_policy {
    name = xray_security_policy.xray_remote_and_local_repo.name
    type = "security"
  }
}

terraform apply --target xray_watch.remote_and_local_repo
xray_security_policy.xray_remote_and_local_repo: Refreshing state... [id=Remote-and-Local-Repos-Policy-TF]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # xray_watch.remote_and_local_repo will be created
  + resource "xray_watch" "remote_and_local_repo" {
      + active = true
      + id     = (known after apply)
      + name   = "local-and-remote-repos-TF"

      + assigned_policy {
          + name = "Remote-and-Local-Repos-Policy-TF"
          + type = "security"
        }

      + watch_resource {
          + bin_mgr_id = "default"
          + name       = "pypi-local"
          + type       = "repository"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Warning: Resource targeting is in effect
xray_watch.remote_and_local_repo: Creating...
xray_watch.remote_and_local_repo: Creation complete after 1s [id=local-and-remote-repos-TF]

Then I try to add a remote repository:

resource "xray_watch" "remote_and_local_repo" {
  name   = "local-and-remote-repos-TF"
  active = true

  watch_resource {
    type = "repository"
    name = "pypi-local"
  }
  watch_resource {
    type = "repository"
    name = "pypi-remote"
  }  
  assigned_policy {
    name = xray_security_policy.xray_remote_and_local_repo.name
    type = "security"
  }
}

terraform apply --target xray_watch.remote_and_local_repo
xray_security_policy.xray_remote_and_local_repo: Refreshing state... [id=Remote-and-Local-Repos-Policy-TF]
xray_watch.remote_and_local_repo: Refreshing state... [id=local-and-remote-repos-TF]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # xray_watch.remote_and_local_repo will be updated in-place
  ~ resource "xray_watch" "remote_and_local_repo" {
        id     = "local-and-remote-repos-TF"
        name   = "local-and-remote-repos-TF"
        # (1 unchanged attribute hidden)


      + watch_resource {
          + bin_mgr_id = "default"
          + name       = "pypi-remote"
          + type       = "repository"
        }
        # (2 unchanged blocks hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.


Warning: Resource targeting is in effect

xray_watch.remote_and_local_repo: Modifying... [id=local-and-remote-repos-TF]
Error:
400 PUT https://artifactory.px.tools/xray/api/v2/watches/local-and-remote-repos-TF
{"error":"Watch is not valid"}

  on xray_watch.tf line 1, in resource "xray_watch" "remote_and_local_repo":
   1: resource "xray_watch" "remote_and_local_repo" {

Below are software versions:

Terraform v0.14.5
+ provider registry.terraform.io/jfrog/artifactory v6.7.2
+ provider registry.terraform.io/jfrog/xray v1.1.4

{"xray_version":"3.45.2","xray_revision":"6261583"}

artifactory:   "version" : "7.35.2",  "revision" : "73502900",

Re-work DB sync time resource implementation

Based on the community contribution we need to re-work the implementation of xray_settings resource, which provides DB sync time updates.
The object can't be deleted or created; it exists in the Xray instance by default. Because of this, we need to change the behavior of the Create and Delete functions.

xray_violations report crashes without a security_filters nested block

Describe the bug
The Terraform documentation indicates that the security_filters nested block in the filters block of xray_violations_report is optional. Without a security_filters block, the provider crashes.

Requirements for an issue
Code snippet

resource "xray_violations_report" "report" {
  name = "violations"
  resources {
    dynamic "repository" {
      for_each = local.repos_watched_local
      content {
        name                  = repository.value
        include_path_patterns = [".*"]
        exclude_path_patterns = []
      }
    }
  }

  filters {
    type           = "security"
    severities     = ["High", "Medium"]
    watch_patterns = [".*"]
    policy_names = [
      "my-policy"
    ]

    updated {
      start = local.scan_start_date
      end   = local.scan_end_date
    }

    license_filters {
      unknown      = true
      unrecognized = true
    }
  }
}
  • artifactory version: 7.417
  • xray version: 3.60.2
  • terraform 1.1.3

Expected behavior

  • if the block is optional, then the provider should create the resource
  • if the block is required, then the provider should not crash; it should fail with an error message.

Additional context

Error: Plugin did not respond
│ 
│   with xray_violations_report.report,
│   on xray-reports.tf line 53, in resource "xray_violations_report" "report":
│   53: resource "xray_violations_report" "report" {
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-xray_v1.9.5 plugin:

panic: runtime error: index out of range [0] with length 0

goroutine 16 [running]:
github.com/jfrog/terraform-provider-xray/pkg/xray.unpackViolationsSecurityFilters(0x100e5bae0?)
	github.com/jfrog/terraform-provider-xray/pkg/xray/reports.go:481 +0x324
github.com/jfrog/terraform-provider-xray/pkg/xray.unpackViolationsFilters(0x140004d4db8?)
	github.com/jfrog/terraform-provider-xray/pkg/xray/reports.go:533 +0x598
github.com/jfrog/terraform-provider-xray/pkg/xray.unpackReport(0x140004d4e38?, {0x100c96d4b, 0xa})
	github.com/jfrog/terraform-provider-xray/pkg/xray/reports.go:305 +0x2f0
github.com/jfrog/terraform-provider-xray/pkg/xray.createReport({0x100c96d4b, 0xa}, 0x100689b70?, {0x100f28660?, 0x140002d8000})
	github.com/jfrog/terraform-provider-xray/pkg/xray/reports.go:672 +0x54
github.com/jfrog/terraform-provider-xray/pkg/xray.resourceXrayViolationsReportCreate({0x100c99489?, 0xe?}, 0x140004d4ef8?, {0x100f28660?, 0x140002d8000?})
	github.com/jfrog/terraform-provider-xray/pkg/xray/reports.go:620 +0x34
github.com/jfrog/terraform-provider-shared/util.applyTelemetry.func1({0x100f38d90?, 0x140004d6960}, 0x0?, {0x100f28660?, 0x140002d8000})
	github.com/jfrog/[email protected]/util/util.go:225 +0x1d4
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x140004982a0, {0x100f38dc8, 0x14000268510}, 0xd?, {0x100f28660, 0x140002d8000})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:707 +0xec
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x140004982a0, {0x100f38dc8, 0x14000268510}, 0x1400049d2b0, 0x14000320500, {0x100f28660, 0x140002d8000})
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:837 +0x874
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x140001219b0, {0x100f38d20?, 0x1400021ddc0?}, 0x14000125f90)
	github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1021 +0xb94
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x140003b1860, {0x100f38dc8?, 0x1400001dc20?}, 0x140000b27e0)
	github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:812 +0x38c
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x100f04380?, 0x140003b1860}, {0x100f38dc8, 0x1400001dc20}, 0x14000081e60, 0x0)
	github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x174
google.golang.org/grpc.(*Server).processUnaryRPC(0x14000138700, {0x100f3b768, 0x14000314680}, 0x140002a2000, 0x140004905a0, 0x1013b2920, 0x0)
	google.golang.org/[email protected]/server.go:1282 +0xb3c
google.golang.org/grpc.(*Server).handleStream(0x14000138700, {0x100f3b768, 0x14000314680}, 0x140002a2000, 0x0)
	google.golang.org/[email protected]/server.go:1619 +0x840
google.golang.org/grpc.(*Server).serveStreams.func1.2()
	google.golang.org/[email protected]/server.go:921 +0x88
created by google.golang.org/grpc.(*Server).serveStreams.func1
	google.golang.org/[email protected]/server.go:919 +0x298

resource "xray_watch" "repository" for creating xray_watch policy does not accepts list of repositories

Hi, I am using the JFrog Xray provider and the resource "xray_watch" "repository" to create an xray_watch policy. The description of the block clearly says that we can watch either a single repo or a list of repositories; however, when I pass a list of repositories it errors out with the message below. It accepts only one string value (one repository to watch), not a list of repositories.

Error: Incorrect attribute value type
on modules/jfrog/policies.tf line 40, in resource "xray_watch" "repository":
name = var.repositories
var.repositories is a list of dynamic, known only after apply
Inappropriate value for attribute "name": string required.

This is the block used

resource "xray_watch" "repository" {
name = "repository-watch"
description = "Watch a single repo or a list of repositories". --> it says list of repositories
active = true
project_key = "testproj"

watch_resource {
type = "repository"
bin_mgr_id = "default"
name = "your-repository-name". --> am passing list of repositories here (var.repositories)
repo_type = "local"

https://registry.terraform.io/providers/jfrog/xray/latest/docs/resources/watch

can you please advise how can i pass the list of repositories for this watch_resource block?

Ability to configure `Allow download and distribute when Xray is unavailable` setting

Is your feature request related to a problem? Please describe.
Ensuring that the Allow download and distribute when Xray is unavailable setting is as expected and consistent across installations is tedious since it is not available in the terraform provider.

Describe the solution you'd like
A new resource (maybe artifactory_xray_settings) that has a boolean for allow_download_when_unavailable that controls this setting.

Describe alternatives you've considered
Scripting API calls. This is less than ideal since the rest of our configuration is handled by terraform.

Additional context

Include pattern and exclude pattern are both required when using path_ant_filter.

Describe the bug
I am doing some testing of path_ant_filter. I am trying to set up an Xray watch that excludes a path. The provider requires both include_patterns and exclude_patterns. When creating the Xray watch using the UI, both are not required. Pulling the watch configuration using the REST API shows that include_patterns is an empty list.

Requirements for an issue

resource "xray_watch" "jf_license_watch" {
  name        = "jf-license-watch"
  active      = true
  project_key = "jf"

  watch_resource {
  type       = "repository"
  name       = artifactory_local_maven_repository.jf_mvn_snapshots.key
  
  path_ant_filter {
    exclude_patterns = ["org/apache/**", "org.apache.**"]
    include_patterns = ["**"]
    # include_patterns should not be required if exclude_patterns is provided.
    # default value of include_patterns and exclude_patterns could be an empty list []
  }

  assigned_policy {
    name = xray_license_policy.jf_license_policy.name
    type = "license"
  }

  watch_recipients = []
}
# Validation error when not providing include_patterns
Error: Missing required argument

  on ../modules/xray/watch_license.tf line 14, in resource "xray_watch" "license_watch":
  14:       path_ant_filter {

The argument "include_patterns" is required, but no definition was found.

# Validation error when using an empty list for include_patterns
Error: Not enough list items

  with module.xray.xray_watch.license_watch,
  on ../modules/xray/watch_license.tf line 1, in resource "xray_watch" "license_watch":
   1: resource "xray_watch" "license_watch" {

Attribute requires 1 item minimum, but config has only 0 declared.

Expected behavior
Create an Xray watch using the provider where, if path_ant_filter is used, only one of include_patterns or exclude_patterns is required.

Automate configuration to index and scan all builds using Jfrog Terraform Artifactory and Xray providers

Is your feature request related to a problem? Please describe.
Not all builds are added to be indexed and scanned automatically.

Describe the solution you'd like
For all builds to be indexed, we have to go to Build --> Manage Builds --> and add "*/**" for 'Build Name Include Pattern' manually. Hence we need to automate this configuration using the JFrog Terraform Artifactory and Xray providers.

Describe alternatives you've considered
Need to perform the steps manually : go to Build --> Manage Builds --> and add "*/**" for 'Build Name Include Pattern"

Ability to specify Jira integration

Currently both the xray_license_policy and xray_security_policy resources have the create_ticket_enabled parameter for the rule.actions object, but there is not a parameter to specify which Jira integration should be used.

Requested solution:
Implement a jira_integration_name parameter (or some other name) for the xray_license_policy.rule.actions and xray_security_policy.rule.actions objects.

Additional Context:
I want to be able to send different policy findings to different teams' Jira projects at my company.

Cheers

License policy with manually added licenses

Describe the bug
License policy that includes manually added licenses is not working.
The list of licenses in Xray was not up to date with SPDX.
So I manually added the licenses for AGPL-1.0-only and AGPL-1.0-or-later following the documentation.
terraform plan threw errors indicating that AGPL-1.0-only and AGPL-1.0-or-later were not valid.

Example

resource "xray_license_policy" "kc_license_policy" {
  name        = "xray-license-policy"
  description = "Xray License Policy"
  type        = "license"
  project_key = "test"

  rule {
    name     = "xray-license-rule"
    priority = 1

    criteria {
      allowed_licenses         = ["AGPL-1.0-only", "AGPL-1.0-or-later"]
      allow_unknown            = false
      multi_license_permissive = true
    }

    actions {
      webhooks                          = []
      mails                             = []
      block_release_bundle_distribution = false
      fail_build                        = false
      notify_watch_recipients           = false
      notify_deployer                   = false
      create_ticket_enabled             = false // set to true only if Jira integration is enabled
      custom_severity                   = "High"
      //build_failure_grace_period_in_days = 5     // use only if fail_build is enabled

      block_download {
        unscanned = false
        active    = false
      }
    }
  }
}

Errors
Errors list out all of the default licenses.
Seems like the manually added licenses are not included in this list for validation.
List is cropped to reduce the amount of scrolling.

Error: expected allowed_licenses to be one of [0BSD AAL Abstyles Adobe-2006 Adobe-Glyph ADSL AFL-1.1 AFL-1.2 AFL-2.0 AFL-2.1 AFL-3.0 Afmparse AGPL-1.0 AGPL-3.0 AGPL-3.0-only AGPL-3.0-or-later Aladdin AMDPLPA AML AMPAS ANTLR-PD Apache-1.0 Apache-1.1 Apache-2.0 APAFML APL-1.0 APSL-1.0 APSL-1.1 APSL-1.2 APSL-2.0 Artistic-1.0 Artistic-1.0-cl8 Artistic-1.0-Perl Artistic-2.0 ... UPL-1.0 Vim VIM License wxWindows X11 Xerox XFree86-1.1 Zimbra-1.4 ZLIB Zlib zlib-acknowledgement ZPL-1.1 ZPL-2.0 ZPL-2.1], got AGPL-1.0-or-later
Error: expected allowed_licenses to be one of [0BSD AAL Abstyles Adobe-2006 Adobe-Glyph ADSL AFL-1.1 AFL-1.2 AFL-2.0 AFL-2.1 AFL-3.0 Afmparse AGPL-1.0 AGPL-3.0 AGPL-3.0-only AGPL-3.0-or-later Aladdin AMDPLPA AML AMPAS ANTLR-PD Apache-1.0 Apache-1.1 Apache-2.0 APAFML APL-1.0 APSL-1.0 APSL-1.1 APSL-1.2 APSL-2.0 Artistic-1.0 Artistic-1.0-cl8 Artistic-1.0-Perl Artistic-2.0 ... UPL-1.0 Vim VIM License wxWindows X11 Xerox XFree86-1.1  Zimbra-1.4 ZLIB Zlib zlib-acknowledgement ZPL-1.1 ZPL-2.0 ZPL-2.1], got AGPL-1.0-only

Versions
Artifactory version: 7.35.2
Xray version: 3.32.2
Terraform version: 1.2.5
Provider version: 1.5.1

Expected behavior
License policy will be created when the list of allowed licenses includes default licenses and manually added licenses.

Screenshots
AGPL-1 0-licenses
AGPL-1 0-or-later
AGPL-1 0-only

Creating watches in a project - odd behavior (when using TF modules)

Describe the bug
We are trying to create watches within a project that have all-repos as the resource. When we run the Terraform, the watch is created and the plan shows that it is adding all the resources and using a filter, however the watch itself has no configuration past the name and description; no resources and inactive (even though we pass through an active flag). If we then make a ghost commit to a comment in the watch creation, the resources are created and the watch is enabled.

We had this running using an input variable and thought that could be causing the issue, so we then hardcoded the module in and still got the same behaviour.

Requirements for an issue

resource "xray_watch" "project_watch" {
    name        = "CICD-Repo-Watch"
    description = "Watch for all repositories"
    active      = true
    project_key = "cicd"
       watch_resource {
       type = "all-repos"
       filter {
         type  = "regex"
         value = ".*"
      }
   }
  assigned_policy {
    name = "Global-Security-Policy"
    type = "security"
  }
}
  • Artifactory version EnterpriseX license 7.35.2
  • Xray version 3.65.2
  • Terraform 1.0.7

Expected behavior
I expect a watch to be created first time with all configuration, and not have to run it a second time with ghost commits to add resources and enable it

Additional context
I have attached a file showing plan and UI
WORKING CODE.docx

Import leading to 'Error looking up workspace'

I'm trying to import a policy from an existing deployment that was created manually, with

terraform import xray_license_policy.test-lic test-lic

but I'm getting the following error

│ Error: Error looking up workspace
│ 
│ Invalid Terraform version: Malformed version: 

terraform apply commands with the same setup works fine if I rename the policy.

Requirements for an issue

Artifactory v7.55.8 / Xray 3.69.3
Terraform & provider version

Terraform v1.4.5
on linux_amd64
+ provider registry.terraform.io/jfrog/xray v1.12.

main.tf

terraform {
  required_providers {
    xray = {
      source  = "registry.terraform.io/jfrog/xray"
      version = "1.12.0"
    }
  }
}

terraform {
    backend "remote" {
        hostname      = "artifactory.somedomain"
        organization  = "somerepo_terraform_be"
        workspaces {
            name = "xray-dev"
        }
    }
}

provider "xray" {
  url          = "https://artifactory.somedomain/xray"
  access_token = var.ARTIFACTORY_TOKEN  
}

resource "xray_license_policy" "test-lic" {
  name        = "test-lic"
  description = "Managed by terraform"
  type        = "license"
  rule {
    name     = "aal"
    priority = 1
    actions {
      block_download {
        unscanned = false
        active    = false
      }
      custom_severity = "High"
      fail_build = false
      build_failure_grace_period_in_days = 0
    }
    criteria {
      allow_unknown           = true
      banned_licenses         = ["AAL"]
      multi_license_permissive = false
    }
  }
}

Logs

2023-04-18T14:15:40.418+0200 [INFO]  CLI command args: []string{"import", "xray_license_policy.test-lic", "test-lic"}
2023-04-18T14:15:40.421+0200 [TRACE] Meta.Backend: built configuration for "remote" backend with hash value 3925355522
2023-04-18T14:15:40.421+0200 [TRACE] Preserving existing state lineage "04656c7b-cf37-8b1c-66e0-b11379ad2e41"
2023-04-18T14:15:40.421+0200 [TRACE] Preserving existing state lineage "04656c7b-cf37-8b1c-66e0-b11379ad2e41"
2023-04-18T14:15:40.422+0200 [TRACE] Meta.Backend: working directory was previously initialized for "remote" backend
2023-04-18T14:15:40.422+0200 [TRACE] Meta.Backend: using already-initialized, unchanged "remote" backend configuration
2023-04-18T14:15:40.422+0200 [DEBUG] Service discovery for artifactory.somedomain at https://artifactory.somedomain/.well-known/terraform.json
2023-04-18T14:15:40.422+0200 [TRACE] HTTP client GET request to https://artifactory.somedomain/.well-known/terraform.json
2023-04-18T14:15:40.522+0200 [DEBUG] Service discovery for artifactory.somedomain aliased as localterraform.com
2023-04-18T14:15:40.631+0200 [TRACE] Meta.Backend: instantiated backend of type *remote.Remote
2023-04-18T14:15:40.632+0200 [TRACE] providercache.fillMetaCache: scanning directory .terraform/providers
2023-04-18T14:15:40.632+0200 [TRACE] getproviders.SearchLocalDirectory: found registry.terraform.io/jfrog/xray v1.12.0 for linux_amd64 at .terraform/providers/registry.terraform.io/jfrog/xray/1.12.0/linux_amd64
2023-04-18T14:15:40.632+0200 [TRACE] providercache.fillMetaCache: including .terraform/providers/registry.terraform.io/jfrog/xray/1.12.0/linux_amd64 as a candidate package for registry.terraform.io/jfrog/xray 1.12.0
2023-04-18T14:15:40.691+0200 [DEBUG] checking for provisioner in "."
2023-04-18T14:15:40.691+0200 [DEBUG] checking for provisioner in "/home/linuxbrew/.linuxbrew/Cellar/terraform/1.4.5/bin"
2023-04-18T14:15:40.691+0200 [TRACE] Meta.Backend: backend *remote.Remote supports operations
2023-04-18T14:15:40.692+0200 [TRACE] backend/remote: looking up workspace for somerepo_terraform_be/xray-dev
╷
│ Error: Error looking up workspace
│ 
│ Invalid Terraform version: Malformed version: 
╵

Expected behavior
The last TRACE log line indicates a path for the workspace at somerepo_terraform_be/xray-dev on Artifactory, while the effective path on Artifactory is somerepo_terraform_be/workspaces/xray-dev/.

Support "multi_license_permissive" attribute for xray license policies

Describe the bug
The current version of the provider does not allow passing the attribute 'multi_license_permissive' as documented in the Xray v2 REST APIs.

Requirements for an issue

  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue)
resource "xray_policy" "lic_policy" {
  name = "lic_policy"
  description = "License policy"
  type = "license"

  rules {
    name = "lic_rule"
    criteria {
      banned_licenses = [
      ...
      ]
      multi_license_permissive = true
    }
    actions {
      ...
    }
  }
}

  • Your version of artifactory (you can curl it at $host/artifactory/api/system/version)
7.17.5
  • Your version of terraform
Terraform v.0.15.4
+ provider registry.terraform.io/jfrog/artifactory v2.3.1

Expected behavior
Provider should support latest restful APIs and attributes. Allow to pass "multi_license_permissive" attribute for license xray policies.

Additional context
https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API#XrayRESTAPI-CreatePolicy
License sample jfrog/terraform-provider-artifactory#3

{
    "name": "lic_policy",
    "description": "License policy",
    "type": "license",
    "rules": [
         {
            "name": "lic_rule",
            "criteria": {
                "banned_licenses": [
                    "Apache-1.0",
                    "Apache-2.0"
                ],
                "allow_unknown": true,
                "multi_license_permissive": true
            },
            "actions": {
                 "webhooks": [],
                 "block_download": {
                     "active": true,
                     "unscanned": true
                 },
                 "block_release_bundle_distribution": true,
                 "fail_build": true,
                 "custom_severity": "high"
             },
             "priority": 1
         }
    ]
}

Provider crashes

Describe the bug
I want to update a policy which I created manually. The plan looks fine, but in apply phase the plugin crashes.

resource "xray_security_policy" "all-critical" {
  name        = "all_critical_vulnerabilities"
  type        = "security"

  rule {
    name     = "all_critical_vulnerabilities"
    priority = 1

    criteria {
      min_severity = "Critical"
    }
  }

  rule {
    name     = "cvss9+"
    priority = 2

    criteria {

      cvss_range {
        from = 9.0
        to   = 10.0
      }
    }
  }
}
  • {"xray_version":"3.73.8","xray_revision":"b9b2c47"}
Terraform v1.4.6
on linux_amd64
+ provider registry.terraform.io/jfrog/xray v1.13.0

Expected behavior
Output of tf plan:

  # xray_security_policy.all-critical will be updated in-place
  ~ resource "xray_security_policy" "all-critical" {
        id          = "all_critical_vulnerabilities"
        name        = "all_critical_vulnerabilities"
        # (4 unchanged attributes hidden)

      ~ rule {
            name     = "all_critical_vulnerabilities"
            # (1 unchanged attribute hidden)

          - actions {
              - block_release_bundle_distribution  = false -> null
              - build_failure_grace_period_in_days = 0 -> null
              - create_ticket_enabled              = false -> null
              - fail_build                         = false -> null
              - mails                              = [] -> null
              - notify_deployer                    = false -> null
              - notify_watch_recipients            = false -> null
              - webhooks                           = [] -> null

              - block_download {
                  - active    = false -> null
                  - unscanned = false -> null
                }
            }

          - criteria {
              - fix_version_dependant = true -> null
              - malicious_package     = false -> null
              - min_severity          = "Critical" -> null
              - vulnerability_ids     = [] -> null
            }
          + criteria {
              + fix_version_dependant = false
              + malicious_package     = false
              + min_severity          = "Critical"
              + vulnerability_ids     = []
            }
        }
      ~ rule {
            name     = "cvss9+"
            # (1 unchanged attribute hidden)

          - actions {
              - block_release_bundle_distribution  = false -> null
              - build_failure_grace_period_in_days = 0 -> null
              - create_ticket_enabled              = false -> null
              - fail_build                         = false -> null
              - mails                              = [] -> null
              - notify_deployer                    = false -> null
              - notify_watch_recipients            = false -> null
              - webhooks                           = [] -> null

              - block_download {
                  - active    = false -> null
                  - unscanned = false -> null
                }
            }

            # (1 unchanged block hidden)
        }
    }

Additional context

Stack trace from the terraform-provider-xray_v1.13.0 plugin:

panic: runtime error: index out of range [0] with length 0

goroutine 68 [running]:
github.com/jfrog/terraform-provider-xray/pkg/xray.unpackActions(0x0?)
github.com/jfrog/terraform-provider-xray/pkg/xray/policies.go:460 +0x836
github.com/jfrog/terraform-provider-xray/pkg/xray.unpackRules({0xc00068bde0?, 0x2, 0x48cb8a?}, {0xc00028fda0, 0x8})
github.com/jfrog/terraform-provider-xray/pkg/xray/policies.go:296 +0x28e
github.com/jfrog/terraform-provider-xray/pkg/xray.unpackPolicy(0x203000?)
github.com/jfrog/terraform-provider-xray/pkg/xray/policies.go:278 +0x225
github.com/jfrog/terraform-provider-xray/pkg/xray.resourceXrayPolicyUpdate({0xd7c320, 0xc00068d740}, 0xc0000c9600, {0xb9e820?, 0xc0002923f0?})
github.com/jfrog/terraform-provider-xray/pkg/xray/policies.go:754 +0x65
github.com/jfrog/terraform-provider-shared/util.applyTelemetry.func1({0xd7c320?, 0xc00068d740}, 0xb65d60?, {0xb9e820?, 0xc0002923f0})
github.com/jfrog/[email protected]/util/util.go:233 +0x223
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).update(0xc00012ec40, {0xd7c358, 0xc00019a4e0}, 0xd?, {0xb9e820, 0xc0002923f0})
github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:741 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc00012ec40, {0xd7c358, 0xc00019a4e0}, 0xc000438c30, 0xc0000c8000, {0xb9e820, 0xc0002923f0})
github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:847 +0x82c
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc0001279b0, {0xd7c2b0?, 0xc000285740?}, 0xc0003d0b90)
github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/grpc_provider.go:1021 +0xe3c
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc000337900, {0xd7c358?, 0xc000423a70?}, 0xc000271f10)
github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:812 +0x515
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0xc0f6a0?, 0xc000337900}, {0xd7c358, 0xc000423a70}, 0xc00028be00, 0x0)
github.com/hashicorp/[email protected]/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:385 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc000140700, {0xd7ed30, 0xc00029c9c0}, 0xc0004caa20, 0xc000422900, 0x1206ce0, 0x0)
google.golang.org/[email protected]/server.go:1282 +0xccf
google.golang.org/grpc.(*Server).handleStream(0xc000140700, {0xd7ed30, 0xc00029c9c0}, 0xc0004caa20, 0x0)
google.golang.org/[email protected]/server.go:1619 +0xa1b
google.golang.org/grpc.(*Server).serveStreams.func1.2()
google.golang.org/[email protected]/server.go:921 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
google.golang.org/[email protected]/server.go:919 +0x28a

Error: The terraform-provider-xray_v1.13.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

Cannot create an Xray security policy rule with "Contains malicious packages" option enabled.

Describe the bug
Cannot create an Xray security policy rule with the "Contains malicious packages" option enabled using Terraform. The request returns the following error:

400 POST https://artifactory-dev.skoda.vwgroup.com/xray/api/v2/policies
│ {"error":"Found Invalid Policy"}

When we create the same rule in the JFrog web UI everything works fine. After that we can import the rule into the Terraform state, and running `terraform apply` returns no error. We tried copying the configuration verbatim from the Terraform state into our code, deleting the policy from JFrog and from the Terraform state, and running `terraform apply` again, but we ended up with the same error.

Requirements for an issue

# Provider versions in use when this was reported (xray provider 1.6.0).
terraform {
  required_providers {
    artifactory = {
      source  = "registry.terraform.io/jfrog/artifactory"
      version = "6.15.1"
    }
    project = {
      source  = "registry.terraform.io/jfrog/project"
      version = "1.1.7"
    }
    xray = {
      source  = "registry.terraform.io/jfrog/xray"
      version = "1.6.0"
    }
  }
}

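variable "artifactory_url" {
  type = string
}

# The access token is shared by all three providers below. Marking it sensitive
# keeps Terraform from printing it in plan/apply output and in diffs; it is still
# written to the state file in clear text, so the state backend must be protected.
variable "token" {
  type      = string
  sensitive = true
}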

# All three providers point at the same JFrog platform URL and authenticate with
# the same access token. NOTE(review): that one token therefore carries the union
# of the permissions each provider needs; scope it to the minimum required.
provider "xray" {
  url          = var.artifactory_url
  access_token = var.token
}
provider "artifactory" {
  url          = var.artifactory_url
  access_token = var.token
}
provider "project" {
  url          = var.artifactory_url
  access_token = var.token
}

# Reproduction for the "Contains malicious packages" rule that the server rejects.
resource "xray_security_policy" "policy" {
  description = "Security-Test"
  name = "Security-Test"
  type = "security"

  rule {
    name     = "malicious"
    priority = 1

    actions {
      block_release_bundle_distribution  = false
      build_failure_grace_period_in_days = 0
      create_ticket_enabled              = false
      fail_build                         = true
      mails                              = []
      notify_deployer                    = false
      notify_watch_recipients            = true
      webhooks                           = []

      # block_download is inactive: a match fails the build and notifies watch
      # recipients, but the artifact itself can still be downloaded.
      block_download {
        active    = false
        unscanned = false
      }
    }

    # NOTE(review): nothing in this criteria block actually selects "Contains
    # malicious packages" -- it only sets fix_version_dependant. With no other
    # criterion (e.g. a cvss_range, as in the other examples on this page) the
    # request is presumably what Xray answers with 400 "Found Invalid Policy",
    # the error quoted above.
    criteria {
      fix_version_dependant = false
    }
  }
}

Expected behavior
Creating an Xray security policy with one rule that has the "Contains malicious packages" option enabled should succeed.

Support ant-patterns filter types for watch resources

I tried to use ant-pattern filters in the watch resource configuration, but it seems this is not implemented yet.

I tried to work around it by putting something like this in the watch resource:

 watch_resource {
    type       = "all-builds"
    bin_mgr_id = "default"
    filter {
      type  = "ant-patterns"
      value = "{ \"IncludePatterns\": [\"*my_build*/**\"]}"
    }
}

but without success. (I saw that `value` is defined as a string.)

Support for Xray Mime Type and Property filters for Watch

Is your feature request related to a problem? Please describe.

Xray Watch is missing the Mime Type and Property filters. https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches#ConfiguringXrayWatches-Step3SetFiltersonRepositories

Screenshot 2023-02-28 at 8 59 17 AM

Describe the solution you'd like

Add support for both types of filter to watch resource. e.g.

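# Proposed configuration for the feature request above. The "mime-type" filter
# type and the "kv_filter" block do not exist in the provider at the time of
# writing; this shows the shape being requested. (The original example was also
# missing the closing brace of the resource, fixed here.)
resource "xray_watch" "mime_type_property" {
  name   = "mime-property-example"
  active = true

  watch_resource {
    type = "repository"
    # A real repository watch_resource also carries the repository's name and
    # bin_mgr_id (see the other watch examples on this page); omitted for brevity.

    filter {
      type  = "mime-type"
      value = "application/json"
    }

    kv_filter {
      type = "property"
      value {
        key   = "prop-name"
        value = "prop-value"
      }
    }
  }
}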

Describe alternatives you've considered

N/A

Additional context

Include support for import

Add resource/data for DB Sync Daily Update Time

Is your feature request related to a problem? Please describe.
Our DB usage spikes during the sync and it causes alerts to be produced for the database.

Describe the solution you'd like
I would like to be able to set the sync time to a lower utilization time. I would also like to be able to query the sync time in order to set up expected maintenance periods in our alerting using terraform.

Describe alternatives you've considered
Manually setting the sync time via the API and hard-coding it in Terraform as needed.

Additional context
https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API#XrayRESTAPI-UpdateDBSyncDailyUpdateTime

Validation fails for custom license in `allowed_licenses` for `xray_license_policy`

Describe the bug
A custom license has been added through the portal: Xray Settings -> Compliance Licenses.

Attempting to validate a Terraform configuration in which this license is added to `allowed_licenses` of the `xray_license_policy` resource fails:

# License policy that allows only a custom license created in the UI
# (Xray Settings -> Compliance Licenses).
resource "xray_license_policy" "allowed_licenses" {
  name = "allowed-licenses"
  type = "license"
  rule {
    name     = "allowed-licenses"
    priority = 1
    # The provider rejects "custom license" at validation time (error below),
    # presumably because it validates allowed_licenses against a fixed list of
    # known licenses rather than against the server's configured licenses.
    criteria {
      allowed_licenses = ["custom license"]
      allow_unknown    = false
    }
    actions {
      custom_severity = "Medium"
      # block_download is inactive, so a license violation is reported at
      # Medium severity but the artifact can still be downloaded.
      block_download {
        active    = false
        unscanned = false
      }
    }
  }

}
Error: expected allowed_licenses to be one of ...

Artifactory version: the suggested URL does not work; it returns "Authentication is required".
Xray version: {"xray_version":"3.73.8","xray_revision":"b9b2c47"}
Terraform version: 1.4.2

Requirements for an issue

  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue)
  • Your version of Artifactory and Xray (you can curl Artifactory version at $host/artifactory/api/system/version and Xray version at
    $host/xray/api/v1/system/version
  • Your version of terraform

Expected behavior
Able to allow usage of a custom license.

Add Xray Compliance License Resource

Is your feature request related to a problem? Please describe.
As a security person, I would like to use Terraform to describe my entire Xray configuration. The provider does not support creating custom compliance licenses, which have to exist before the license policies that reference them can be created (the API does not appear to be documented either).

Describe the solution you'd like
Add a resource for xray compliance license in order to create the license prior to creating the policy.

Describe alternatives you've considered
None — since the API is not documented, calling it raw through another Terraform provider does not seem viable.

Additional context
None

Makefile doesn't install properly

Describe the bug
`make install` produces an error:

mv: rename dist/terraform-provider-xray_darwin_arm64/terraform-provider-xray_v1.2.1* to terraform.d/plugins/registry.terraform.io/jfrog/xray/1.2.1/darwin_arm64/terraform-provider-xray_v1.2.1*: No such file or directory

In addition, the implementation should be consistent with the artifactory provider's `make install`.

Requirements for an issue
provider version 1.2.1

Expected behavior
make install should install the provider locally and be ready for use

Additional context
Add any other context about the problem here.

documentation says operational risk policy type is Operational_Risk

Describe the bug
The Terraform documentation says that the `type` field of `xray_operational_risk_policy` should have the value "Operational_Risk". Using that value fails with an invalid-policy error; the correct value is "operational_risk".

Requirements for an issue

  • use the code sample in the terraform documentation
  • artifactory version: 7.417
  • xray version: 3.60.2
  • terraform 1.1.3

Expected behavior
A clear and concise description of what you expected to happen.

Additional context
Add any other context about the problem here.

terraform apply -replace generate a 404

I deleted a Terraform-managed resource directly in Xray and am now trying to recreate it from Terraform, but even with the `-replace` option I still get a 404 error:

> terraform apply -target=module.xray-common.xray_watch.ban-cl-strong -replace=module.xray-common.xray_watch.ban-cl-strong
│ Error: 
│ 404 GET https://artifactory.dev.elca.ch/xray/api/v2/watches/ban-cl-strong
│ {"error":"Watch was not found"}
│ 
│   with module.xray-common.xray_watch.ban-cl-strong,
│   on ../../../modules/terraform-xray-common/licenses_copyleft_watches.tf line 70, in resource "xray_watch" "ban-cl-strong":
│   70: resource "xray_watch" "ban-cl-strong" {

Requirements for an issue
Setup identical to #117
Create a resource with Terraform, delete it in Xray, and try to recover it.

Expected behavior
The `-replace` option should force re-creation of the resource even when it no longer exists on the server.

Additional context
The `taint` command has also been tried, but it leads to the same error as #117.

Change HCL for adding resources to watches

Currently the HCL for adding a repository (or any other type of resource) to a watch looks like this:

# Current syntax: one "resources" block per watched repository. Note the resource
# type here is artifactory_xray_watch, whereas the other examples on this page
# use the xray_watch type.
resource "artifactory_xray_watch" "test" {
  name        = "watch-npm-local-repo"
  description = "apply a severity-based policy to the npm local repo"

  resources {
    type       = "repository"
    name       = "npm-local"
    bin_mgr_id = "default"
    repo_type  = "local"
  }
}

I strongly believe that the `resources` key should be singular (i.e. `resource`), since the block is specified once per resource you add to the Xray watch; this would also be more consistent with core Terraform's own `resource` blocks. With that change the configuration would look like this:

# Proposed syntax: the block renamed to the singular "resource" and repeated once
# per watched repository. This is a proposal, not the provider's current schema.
resource "artifactory_xray_watch" "test" {
  name        = "watch-npm-local-repo"
  description = "apply a severity-based policy to the npm local repo"

  resource {
    type       = "repository"
    name       = "npm-local"
    bin_mgr_id = "default"
    repo_type  = "local"
  }

  resource {
    type       = "repository"
    name       = "npm-remote"
    bin_mgr_id = "default"
    repo_type  = "remote"
  }
}

Support issues API in terraform resources

Is your feature request related to a problem? Please describe.
The xray provider does not (as far as I can tell) implement the issues/events API described in https://jfrog.com/help/r/jfrog-rest-apis/issues.

Describe the solution you'd like
The provider should support creating, editing and deleting custom issues. It would be excellent if issues were codified in Terraform rather than managed by bespoke automation or only in the UI.

Project key with hyphen support

Describe the bug
A project key containing a hyphen causes an error.

@alexhung I am testing jfrog/terraform-provider-shared#21.
The project provider does not have an issue with a project key with a hyphen.
The xray provider does not accept it and returns a 500 error on `terraform apply`:

500 POST https://artifactory-server.com/xray/api/v2/policies?projectKey=tst-test
{"error":"Failed to create Policy"}

Requirements for an issue

# Project whose key contains a hyphen; this key is what the policy below sends
# as the projectKey query parameter in the failing request above.
resource "project" "tst_project" {
  key          = "tst-test"
  display_name = "Test Project"

  admin_privileges {
    manage_members   = true
    manage_resources = true
    index_resources  = true
  }
  
}


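# Security policy scoped to the project above. The project key is taken from the
# project resource instead of being repeated as a literal: the two can no longer
# drift apart, and the reference gives Terraform the create-order dependency
# implicitly, so an explicit depends_on is not needed.
resource "xray_security_policy" "tst_security_policy" {
  name        = "tst-security-policy"
  description = "Test Security Policy"
  type        = "security"
  project_key = project.tst_project.key // resolves to "tst-test", the hyphenated key that triggers the 500

  rule {
    name     = "tst-severity-rule"
    priority = 1

    // Match any vulnerability with a CVSS score between 7.0 and 10.0.
    criteria {
      cvss_range {
        from = 7.0
        to   = 10.0
      }
    }

    // NOTE(review): every action is disabled and block_download is inactive, so
    // this rule only records violations -- nothing is blocked and no build fails.
    // That is fine for reproducing the bug but is not a useful policy on its own.
    actions {
      webhooks                          = []
      mails                             = []
      block_release_bundle_distribution = false
      fail_build                        = false
      notify_watch_recipients           = false
      notify_deployer                   = false
      create_ticket_enabled             = false // set to true only if Jira integration is enabled
      //build_failure_grace_period_in_days = 5     // use only if fail_build is enabled

      block_download {
        unscanned = false
        active    = false
      }
    }
  }
}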

Expected behavior
A project key containing a hyphen should not cause an error.
