plugin crash every time on tf plan when upgrading to version >= 1.15.0 #141
Comments
@malamin I'm unable to reproduce this crash yet. The error message shows the crash is caused by resource This is the HCL I'm using with Terraform CLI 1.5.6 on a JFrog instance (Artifactory 7.69.4, Xray 3.82.10) that does not have Advanced Security.
terraform {
required_providers {
xray = {
source = "jfrog/xray"
version = "1.15.0"
}
}
}
provider "xray" {
}
resource "random_id" "randid" {
byte_length = 2
}
resource "xray_security_policy" "security1" {
name = "test-security-policy-severity-${random_id.randid.dec}"
description = "Security policy description"
type = "security"
rule {
name = "rule-name-severity"
priority = 1
criteria {
min_severity = "High"
fix_version_dependant = false
}
actions {
webhooks = []
mails = ["[email protected]"]
block_release_bundle_distribution = true
fail_build = true
notify_watch_recipients = true
notify_deployer = true
create_ticket_enabled = false // set to true only if Jira integration is enabled
build_failure_grace_period_in_days = 5 // use only if fail_build is enabled
block_download {
unscanned = true
active = true
}
}
}
}
resource "xray_security_policy" "security2" {
name = "test-security-policy-cvss-${random_id.randid.dec}"
description = "Security policy description"
type = "security"
rule {
name = "rule-name-cvss"
priority = 1
criteria {
cvss_range {
from = 1.5
to = 5.3
}
}
actions {
webhooks = []
mails = ["[email protected]"]
block_release_bundle_distribution = true
fail_build = true
notify_watch_recipients = true
notify_deployer = true
create_ticket_enabled = false // set to true only if Jira integration is enabled
build_failure_grace_period_in_days = 5 // use only if fail_build is enabled
block_download {
unscanned = true
active = true
}
}
}
}
resource "xray_license_policy" "license1" {
name = "test-license-policy-allowed-${random_id.randid.dec}"
description = "License policy, allow certain licenses"
type = "license"
rule {
name = "License_rule"
priority = 1
criteria {
allowed_licenses = ["Apache-1.0", "Apache-2.0"]
allow_unknown = false
multi_license_permissive = true
}
actions {
webhooks = []
mails = ["[email protected]"]
block_release_bundle_distribution = false
fail_build = true
notify_watch_recipients = true
notify_deployer = true
create_ticket_enabled = false // set to true only if Jira integration is enabled
custom_severity = "High"
build_failure_grace_period_in_days = 5 // use only if fail_build is enabled
block_download {
unscanned = true
active = true
}
}
}
}
resource "xray_license_policy" "license2" {
name = "test-license-policy-banned-${random_id.randid.dec}"
description = "License policy, block certain licenses"
type = "license"
rule {
name = "License_rule"
priority = 1
criteria {
banned_licenses = ["Apache-1.1", "APAFML"]
allow_unknown = false
multi_license_permissive = false
}
actions {
webhooks = []
mails = ["[email protected]"]
block_release_bundle_distribution = false
fail_build = true
notify_watch_recipients = true
notify_deployer = true
create_ticket_enabled = false // set to true only if Jira integration is enabled
custom_severity = "Medium"
build_failure_grace_period_in_days = 5 // use only if fail_build is enabled
block_download {
unscanned = true
active = true
}
}
}
}
resource "xray_watch" "all-repos" {
name = "all-repos-watch-${random_id.randid.dec}"
description = "Watch for all repositories, matching the filter"
active = true
watch_resource {
type = "all-repos"
filter {
type = "regex"
value = ".*"
}
filter {
type = "package-type"
value = "Docker"
}
}
assigned_policy {
name = xray_security_policy.security1.name
type = "security"
}
assigned_policy {
name = xray_license_policy.license1.name
type = "license"
}
watch_recipients = ["[email protected]", "[email protected]"]
}
resource "xray_repository_config" "xray-repo-config-pattern" {
repo_name = "example-repo-local"
paths_config {
pattern {
include = "core/**"
exclude = "core/internal/**"
index_new_artifacts = true
retention_in_days = 60
}
pattern {
include = "core/**"
exclude = "core/external/**"
index_new_artifacts = true
retention_in_days = 45
}
all_other_artifacts {
index_new_artifacts = true
retention_in_days = 60
}
}
}
resource "xray_repository_config" "xray-repo-config" {
repo_name = "example-repo-local"
config {
vuln_contextual_analysis = true
retention_in_days = 90
exposures {
scanners_category {
services = true
secrets = true
applications = true
}
}
}
}
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
random_id.randid: Creating...
random_id.randid: Creation complete after 0s [id=TNA]
xray_repository_config.xray-repo-config-pattern: Creating...
xray_repository_config.xray-repo-config: Creating...
xray_license_policy.license2: Creating...
xray_license_policy.license1: Creating...
xray_security_policy.security1: Creating...
xray_security_policy.security2: Creating...
xray_security_policy.security1: Creation complete after 0s [id=test-security-policy-severity-19664]
xray_license_policy.license2: Creation complete after 0s [id=test-license-policy-banned-19664]
xray_license_policy.license1: Creation complete after 0s [id=test-license-policy-allowed-19664]
xray_security_policy.security2: Creation complete after 0s [id=test-security-policy-cvss-19664]
xray_watch.all-repos: Creating...
xray_repository_config.xray-repo-config-pattern: Creation complete after 0s [id=example-repo-local]
xray_repository_config.xray-repo-config: Creation complete after 0s [id=example-repo-local]
xray_watch.all-repos: Creation complete after 1s [id=all-repos-watch-19664] |
@malamin I've also attempted creating the resources from last message using provider 1.14.2, upgrade provider to 1.15.0, then run |
Sorry, I forgot to paste that
resource "xray_repository_config" "xray_config" {
  repo_name = "example-repo-local"
  config {
    retention_in_days = 90
  }
}
We have no advanced security so I guess that |
@malamin Just re-test with the |
Hello, I also have problems with the Xray provider upgrade from version 1.12 to any version from 1.15 to 2.0.0. In the plan I have a lot of UpgradeResourceState errors like this:
And as a result:
And x-ray config of repository is like this:
|
I'm seeing exactly the same thing as others on this. Upgrading an xray_repository_config from the provider version 1.14.2 to 1.15.0 or greater breaks this provider internally. I'm on Artifactory 7.59.12, Xray 3.61.5. I just tried deleting the resources and recreating them with the latest version of the provider. Looks like that re-creation run is failing with "{"error":"Request payload is invalid as vuln contextual analysis config was not expected"}". Possibly my version of Artifactory or Xray is too old? |
That error message suggests you don't have JFrog Advanced Security enabled. I tested this against an internal instance that doesn't have JAS enabled and did not get the error. I'll take another look. |
@aserzhankou The error message in your message suggests a separate issue. Please open a separate GitHub issue. |
@alexhung, that makes sense; I'm only on the regular Enterprise license, so I don't have JAS. |
@twoodhouse ok, I managed to reproduce this issue. Working on a fix. |
Awesome! That's a fast turnaround. I'll try this out today. |
@twoodhouse It was a typical lifecycle of a bug. Take a long time to figure out what's wrong, and barely any time to fix the actual issue! 😄 |
I am happy to confirm that the upgrade to v.2.0.2 works fine :) thanks for resolving that!
|
Describe the bug
Terraform plan crashes after upgrade from 1.14.2 to any other higher versions (tested with v.2.0.0 incl.)
Requirements for an issue
code snippet:
Expected behavior
Works still after the upgrade :)
Additional context