Error when creating policy and compliance with Terraform code


I have completed creating the compliance standard with Terraform code in Prisma Cloud, and it is possible to create policies with Terraform.

But I can't link the compliance metadata I created to the policy.

Initially, I tried to set up compliance while creating a policy in Terraform in the same way as in the Prisma Cloud Console GUI, but it failed.

1. Failing Terraform code.

resource "prismacloud_policy" "p2" {
    policy_type = "config"
    cloud_type = "aws"
    name = "ACM - Manage unused certificates"
    severity = "medium"
    labels = ["AWS-ACM-05"]
    description = "Are you performing periodic checks on this, such as deleting obsolete or expired certificates?"
    rule {
        name = "ACM - Manage unused certificates"
        criteria = "config where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = '(inUseBy[*] is empty or inUseBy does not exist)'"
        parameters = {
            savedSearch = "false"
            withIac = "false"
        }
        rule_type = "Config"
    }
    compliance_metadata { 
        compliance_id = "61bdbedb-49b3-436f-9f4a-798a30bcfb87"
        standard_name = "My Cloud Security"
        standard_description = "My Company Cloud Security"
        requirement_id = "13"
        requirement_name = "ACM"
        section_id = "13.5"
        section_description = "Manage unused certificates"
        custom_assigned = true
    }
}

It seems that the Policy ID is a prerequisite in compliance_metadata.

So, when I first created a policy, obtained the Policy ID, and then added it to the compliance_metadata, the metadata was added without errors in Terraform.

2. Terraform code with policy_id added in compliance_metadata

resource "prismacloud_policy" "p2" {
    policy_type = "config"
    cloud_type = "aws"
    name = "ACM - Manage unused certificates"
    severity = "medium"
    labels = ["AWS-ACM-05"]
    description = "Are you performing periodic checks on this, such as deleting obsolete or expired certificates?"
    rule {
        name = "ACM - Manage unused certificates"
        criteria = "config where cloud.type = 'aws' AND api.name = 'aws-acm-describe-certificate' AND json.rule = '(inUseBy[*] is empty or inUseBy does not exist)'"
        parameters = {
            savedSearch = "false"
            withIac = "false"
        }
        rule_type = "Config"
    }
    compliance_metadata {
        policy_id = "13697ac1-5e60-4b22-a8ac-a8dfae25bafa"
        compliance_id = "61bdbedb-49b3-436f-9f4a-798a30bcfb87"
        standard_name = "My Cloud Security"
        standard_description = "My Company Cloud Security"
        requirement_id = "13"
        requirement_name = "ACM"
        section_id = "13.5"
        section_description = "Manage unused certificates"
        custom_assigned = true
    }
}

But in the actual Prisma Cloud Console GUI, there was an error saying that the compliance was not connected.

I would like to know how to apply compliance to policies with Terraform.

However, both the Terraform page and the Prisma Cloud API documentation lack error details and explanations.


References

https://www.terraform.io/docs/providers/prismacloud/r/policy.html

https://api.docs.prismacloud.io/reference#add-policy

https://live.paloaltonetworks.com/t5/prisma-cloud-discussions/python-api-add-compliance-standard-to-...


Accepted Solutions

I solved the problem.

The problem was the compliance_id in compliance_metadata. This was the same as the csrs_id in the section.

And it was confirmed that policy_id is not necessary.

