Error when creating policy and compliance with Terraform code

KRyu — Wed, 02 Sep 2020 17:43:45 GMT

I have completed creating the compliance with Terraform code in Prisma Cloud. And it is possible to create policies with Terraform.

But I can't link the compliance metadata I created to the policy.

Initially, I tried to set up compliance while creating a policy in Terraform in the same way as the Prisma Cloud Console GUI, but it failed.

1. Failure Terraform code.

resource "prismacloud_policy" "p2" { policy_type = "config" cloud_type = "aws" name = "ACM - Manage unused certificates" severity = "medium" labels = ["AWS-ACM-05"] description = "Are you performing periodic checks on this, such as deleting obsolete or expired certificates?" rule { name = "ACM - Manage unused certificates" criteria = "config where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = '(inUseBy[*] is empty or inUseBy does not exist)'" parameters = { savedSearch = "false" withIac = "false" } rule_type = "Config" } compliance_metadata { compliance_id = "61bdbedb-49b3-436f-9f4a-798a30bcfb87" standard_name = "My Cloud Security" standard_description = "My Company Cloud Security" requirement_id = "13" requirement_name = "ACM" section_id = "13.5" section_description = "Manage unused certificates" custom_assigned = true } }

Perhaps, Policy ID seems to be a prerequisite in compliance_metadata.

So, when I first created a policy, obtained the Policy ID, and then added it to the compliance_metadata, it turned out that the metadata was added without errors in Terraform.

2. Terraform code with Policy_ID added in compliance metadata

resource "prismacloud_policy" "p2" { policy_type = "config" cloud_type = "aws" name = "ACM - Manage unused certificates" severity = "medium" labels = ["AWS-ACM-05"] description = "Are you performing periodic checks on this, such as deleting obsolete or expired certificates?" rule { name = "ACM - Manage unused certificates" criteria = "config where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = '(inUseBy[*] is empty or inUseBy does not exist)'" parameters = { savedSearch = "false" withIac = "false" } rule_type = "Config" } compliance_metadata { policy_id = "13697ac1-5e60-4b22-a8ac-a8dfae25bafa" compliance_id = "61bdbedb-49b3-436f-9f4a-798a30bcfb87" standard_name = "My Cloud Security" standard_description = "My Company Cloud Security" requirement_id = "13" requirement_name = "ACM" section_id = "13.5" section_description = "Manage unused certificates" custom_assigned = true } }

but there was an error that the compliance was not connected in the actual Prisma Cloud Console GUI.

I would like to know how and how to apply compliance to policies with Terraform.

however, Both the Terraform page and the Prisma Cloud API documentation lack error details and explanations.

Reference

https://www.terraform.io/docs/providers/prismacloud/r/policy.html

https://api.docs.prismacloud.io/reference#add-policy

https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/python-api-add-compliance-standard-to-policy/m-p/261425

Re: Error when creating policy and compliance with Terraform code

KRyu — Fri, 28 Aug 2020 05:41:23 GMT

I solved the problem.

The problem was compliance_id in compliance_metadata. This was the same as the csrs_id in section.

And it was confirmed that Policy_id is not necessary.

topic Error when creating policy and compliance with Terraform code in Prisma Cloud Discussions

Error when creating policy and compliance with Terraform code

Re: Error when creating policy and compliance with Terraform code