Sandbox rule order issue #405

Open
snowman386 opened this issue Feb 24, 2025 · 7 comments
@snowman386

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.10.5
on windows_amd64

  • provider registry.terraform.io/zscaler/zia v4.0.8

Affected Resource(s)

  • zia_zia_sandbox_rules

Terraform Configuration Files

# __generated__ by Zscaler Terraformer from Default BA Rule
resource "zia_sandbox_rules" "resource_zia_sandbox_rules_19861" {
  ba_policy_categories = ["ADWARE_BLOCK", "BOTMAL_BLOCK", "ANONYP2P_BLOCK"]
  ba_rule_action       = "BLOCK"
  description          = "Default Rule Created during the company creation"
  file_types           = ["FTCATEGORY_WINDOWS_LIBRARY", "FTCATEGORY_ZIP", "FTCATEGORY_WINDOWS_EXECUTABLES"]
  first_time_enable    = true
  first_time_operation = "ALLOW_SCAN"
  ml_action_enabled    = false
  name                 = "Default BA Rule"
  order                = 127
  protocols            = ["ANY_RULE"]
  rank                 = 7
  state                = "ENABLED"
  url_categories       = ["NUDITY", "PORNOGRAPHY", "ANONYMIZER", "FILE_HOST", "SHAREWARE_DOWNLOAD", "WEB_HOST", "MISCELLANEOUS_OR_UNKNOWN"]
}

# __generated__ by Zscaler Terraformer from Quarantine Executables
resource "zia_sandbox_rules" "resource_zia_sandbox_rules_27949" {
  ba_policy_categories = ["ADWARE_BLOCK", "BOTMAL_BLOCK", "ANONYP2P_BLOCK", "RANSOMWARE_BLOCK", "OFFSEC_TOOLS_BLOCK", "SUSPICIOUS_BLOCK"]
  ba_rule_action       = "BLOCK"
  file_types           = ["FTCATEGORY_WINDOWS_LIBRARY", "FTCATEGORY_ZIP", "FTCATEGORY_WINDOWS_EXECUTABLES"]
  first_time_enable    = true
  first_time_operation = "QUARANTINE"
  ml_action_enabled    = true
  name                 = "Quarantine Executables"
  order                = 1
  protocols            = ["ANY_RULE"]
  rank                 = 7
  state                = "ENABLED"
  url_categories       = ["NUDITY", "PORNOGRAPHY", "ANONYMIZER", "FILE_HOST", "SHAREWARE_DOWNLOAD", "WEB_HOST", "OTHER_MISCELLANEOUS", "MISCELLANEOUS_OR_UNKNOWN"]
}

# __generated__ by Zscaler Terraformer from Quarantine Unknown Office Files
resource "zia_sandbox_rules" "resource_zia_sandbox_rules_27950" {
  ba_policy_categories = ["ADWARE_BLOCK", "BOTMAL_BLOCK", "ANONYP2P_BLOCK", "RANSOMWARE_BLOCK", "OFFSEC_TOOLS_BLOCK", "SUSPICIOUS_BLOCK"]
  ba_rule_action       = "BLOCK"
  file_types           = ["FTCATEGORY_MS_EXCEL", "FTCATEGORY_MS_POWERPOINT", "FTCATEGORY_MS_WORD", "FTCATEGORY_MS_RTF"]
  first_time_enable    = true
  first_time_operation = "QUARANTINE"
  ml_action_enabled    = true
  name                 = "Quarantine Unknown Office Files"
  order                = 2
  protocols            = ["ANY_RULE"]
  rank                 = 7
  state                = "ENABLED"
  url_categories       = ["OTHER_MISCELLANEOUS", "MISCELLANEOUS_OR_UNKNOWN"]
}

# __generated__ by Zscaler Terraformer from Quarantine Unknown PDF Files
resource "zia_sandbox_rules" "resource_zia_sandbox_rules_27951" {
  ba_policy_categories = ["ADWARE_BLOCK", "BOTMAL_BLOCK", "ANONYP2P_BLOCK", "RANSOMWARE_BLOCK", "OFFSEC_TOOLS_BLOCK", "SUSPICIOUS_BLOCK"]
  ba_rule_action       = "BLOCK"
  file_types           = ["FTCATEGORY_PDF_DOCUMENT"]
  first_time_enable    = true
  first_time_operation = "QUARANTINE"
  ml_action_enabled    = true
  name                 = "Quarantine Unknown PDF Files"
  order                = 3
  protocols            = ["ANY_RULE"]
  rank                 = 7
  state                = "ENABLED"
  url_categories       = ["OTHER_MISCELLANEOUS", "MISCELLANEOUS_OR_UNKNOWN"]
}

resource "zia_sandbox_rules" "sandbox_scan_all" {
  ba_policy_categories = ["ADWARE_BLOCK", "BOTMAL_BLOCK", "RANSOMWARE_BLOCK"]
  ba_rule_action       = "BLOCK"
  first_time_enable    = true
  first_time_operation = "ALLOW_SCAN"
  ml_action_enabled    = true
  name                 = "Scan Every File"
  order                = 4
  protocols            = ["ANY_RULE"]
  rank                 = 7
  state                = "ENABLED"
}

Debug Output

https://gist.github.com/snowman386/5ee1949426de3165010aac872ec25ab9

Expected Behavior

Add a new rule 4 to the sandbox inspection policies

Actual Behavior

The debug shows it is trying to modify the default rule 127 instead of creating a new rule 4

Steps to Reproduce

  1. terraform apply

Important Factoids

Imported ZIA config using terraformer. Trying to add an additional sandbox rule. Tried many different configurations of the new rule #4 but all show they are trying to modify rule 127 instead. Also tried setting default_rule which is described in the documentation, but I get an unexpected error with that.

@willguibr
Member

You have to account for any pre-defined or pre-existing rule not managed via Terraform when setting your order numbers. Otherwise, Terraform will always attempt to reorder only the rules that are in the desired state, while ignoring any existing rule. Also, rule 127 shown in your configuration is named: Default BA Rule; however, it's unclear if this rule is part of your HCL configuration. If it's not, then we recommend importing this rule directly via terraform import, as it must be part of your HCL config, so that Terraform is aware of its pre-existence.
Either way, the problem seems to be related to the pre-existence of the default rule at order 127, but not having it present in the desired state.

If you have further questions, please raise a support case with Zscaler Support.

Zscaler DevRel.

@willguibr willguibr self-assigned this Feb 24, 2025
@willguibr willguibr added the ❓ question :question: question label Feb 24, 2025
@snowman386
Author

Hi @willguibr
The default rule is in the HCL. It is the top one shown above. It was imported by terraformer. It has order 127 and is managed by TF. I was able to make changes to this default rule in the HCL. I am not sure why TF is trying to set the new rule with order 127 when the HCL has order 4. You can see in the debug that the HTTP POST contains order 127 for the sandbox rule that contains order 4 in the HCL. I was able to apply the terraform plan without issues before adding the new sandbox rule with order 4.

@willguibr
Member

How many rules do you have in total including the default? We should not have gaps between the rules you're creating and the default rule.

@snowman386
Author

There are 4 in the portal: 3 custom, 1 default. Trying to deploy a 4th custom.
The imported HCL from terraformer had rules 1-3 and 127. Now I'm adding rule 4 in the HCL.

@snowman386
Author

@willguibr I just commented out the new rule 4 for now so I can apply other settings. Let me know if you need me to gather any other debugs to figure out what is going on.
Thanks

@willguibr
Member

There is a bug with the API behavior which returns the default rule with a fixed rule order of 127. Typically, default rules are supposed to be returned with a negative number, i.e. -1. We have raised the following BUG-208047 with our engineering team.
If this is impacting your ability to implement the resources in production, please contact Zscaler Support and provide the above BUG and GitHub Issue number requesting an escalation.

Zscaler DevRel

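As an added example (not the provider's code and not part of this issue), a small pre-apply check that parses zia_sandbox_rules blocks with a regex (assumption: one name and one order attribute per block) and flags the two conditions discussed in this thread: gaps between custom rule orders, and a default rule carrying a fixed non-negative order such as 127 instead of the negative order the API is expected to return.

```python
"""Pre-apply check for ZIA sandbox rule ordering (added example, not provider
code). Flags the two conditions raised in this thread: gaps between custom
rule orders, and a default rule carrying a fixed non-negative order such as
127 rather than the expected negative order (-1). Assumes one
resource "zia_sandbox_rules" block per rule with name and order attributes."""
import re

# Constructed sample: custom rules at 1 and 3 (gap at 2) plus the default
# rule as the API currently returns it, with order 127.
SAMPLE_HCL = """
resource "zia_sandbox_rules" "default" {
  name  = "Default BA Rule"
  order = 127
}
resource "zia_sandbox_rules" "r1" {
  name  = "Quarantine Executables"
  order = 1
}
resource "zia_sandbox_rules" "r3" {
  name  = "Scan Every File"
  order = 3
}
"""

BLOCK_RE = re.compile(
    r'resource\s+"zia_sandbox_rules"\s+"[^"]+"\s*\{(?P<body>.*?)\n\}', re.S)
ATTR_RE = re.compile(r'^\s*(name|order)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)


def parse_rules(hcl):
    """Return [{'name': str, 'order': int}] for each sandbox rule block."""
    rules = []
    for m in BLOCK_RE.finditer(hcl):
        attrs = dict(ATTR_RE.findall(m.group("body")))
        rules.append({"name": attrs.get("name", "?"), "order": int(attrs["order"])})
    return rules


def check_order(rules, default_name="Default BA Rule"):
    """Return findings as strings; an empty list means the ordering is consistent."""
    findings = []
    custom = sorted(r["order"] for r in rules if r["name"] != default_name)
    default = [r for r in rules if r["name"] == default_name]
    if not default:
        findings.append("default rule not in config: import it so Terraform knows it exists")
    elif default[0]["order"] >= 0:
        findings.append(f"default rule has fixed order {default[0]['order']}; expected negative (-1)")
    expected = list(range(1, len(custom) + 1))
    if custom != expected:
        findings.append(f"custom orders {custom} not contiguous; missing {sorted(set(expected) - set(custom))}")
    return findings
```

Running check_order(parse_rules(SAMPLE_HCL)) reports both the fixed order 127 on the default rule and the gap at order 2; on the configuration in this issue (rules 1-4 plus the default at 127) only the first finding would fire.
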
@willguibr willguibr added 🐛 type/bug :bug: type/bug and removed ❓ question :question: question labels Mar 3, 2025
@willguibr willguibr moved this to ⚙️ In development in Zscaler Automation Dashboard 🛣 Mar 3, 2025
@willguibr willguibr moved this from ⚙️ In development to Backlog in Zscaler Automation Dashboard 🛣 Mar 3, 2025
@snowman386
Author

Hey @willguibr ,

Nothing life or death. We have survived without this tooling for a decade. Just trying to set up some pipelines from dev to prod and also have deployable templates for different customers. If we can't do sandbox rules right now, then we do them in the web console. We are still saving a lot of manual effort. Appreciate your support and help with the tools.

Thanks
