jfrog · alexhung · Nov 19, 2024 · Nov 18, 2024 · Nov 18, 2024 · Nov 18, 2024
@@ -1,10 +1,19 @@
+## 3.0.0 (November 20, 2024). Tested on Artifactory 7.98.8 and Xray 3.104.18 with Terraform 1.9.8 and OpenTofu 1.8.5
+
+BREAKING CHANGES:
+
+* provider: Deprecated attribute `check_license` is removed.
+
+BUG FIXES:
+
+* resource/xray_license_policy: Switch `allowed_licenses` and `banned_licenses` attribute type from `TypeSet` to `TypeList` to resolve performance issue with large number of licenses. Add validation to ensure `allowed_licenses` and `banned_licenses` attributes cannot be set at the same time. Issue: [#262](https://github.com/jfrog/terraform-provider-xray/issues/262) and [#271](https://github.com/jfrog/terraform-provider-xray/issues/271) PR: [#274](https://github.com/jfrog/terraform-provider-xray/issues/274)
+
 ## 2.13.2 (November 11, 2024). Tested on Artifactory 7.98.8 and Xray 3.104.18 with Terraform 1.9.8 and OpenTofu 1.8.5
 
 BUG FIXES:
 
 * resource/xray_security_policy: Fix "Provider produced inconsistent result after apply" error after resource creation. Issue: [#265](https://github.com/jfrog/terraform-provider-xray/issues/265) PR: [#268](https://github.com/jfrog/terraform-provider-xray/issues/268)
 
-
 ## 2.13.1 (October 31, 2024). Tested on Artifactory 7.98.7 and Xray 3.104.18 with Terraform 1.9.8 and OpenTofu 1.8.4
 
 BUG FIXES:

@@ -537,7 +537,6 @@ provider "xray" {
 ### Optional
 
 - `access_token` (String, Sensitive) This is a bearer token that can be given to you by your admin under `Identity and Access`
-- `check_license` (Boolean, Deprecated) Toggle for pre-flight checking of Artifactory Pro and Enterprise license. Default to `true`.
 - `oidc_provider_name` (String) OIDC provider name. See [Configure an OIDC Integration](https://jfrog.com/help/r/jfrog-platform-administration-documentation/configure-an-oidc-integration) for more details.
 - `tfc_credential_tag_name` (String) Terraform Cloud Workload Identity Token tag name. Use for generating multiple TFC workload identity tokens. When set, the provider will attempt to use env var with this tag name as suffix. **Note:** this is case sensitive, so if set to `JFROG`, then env var `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is used instead of `TFC_WORKLOAD_IDENTITY_TOKEN`. See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details.
 - `url` (String) URL of Xray. This can also be sourced from the `XRAY_URL` or `JFROG_URL` environment variable. Default to 'http://localhost:8081' if not set.
@@ -132,7 +132,7 @@ Optional:
 - `block_download` (Block Set) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
 - `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
 - `block_release_bundle_promotion` (Boolean) Blocks Release Bundle promotion if a violation is found. Default value is `false`.
-- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
+- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled. Default value is `0`
 - `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
 - `custom_severity` (String) The severity of violation to be triggered if the `criteria` are met.
 - `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
@@ -157,8 +157,8 @@ Optional:
 Optional:
 
 - `allow_unknown` (Boolean) A violation will be generated for artifacts with unknown licenses (`true` or `false`).
-- `allowed_licenses` (Set of String) A list of OSS license names that may be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
-- `banned_licenses` (Set of String) A list of OSS license names that may not be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
+- `allowed_licenses` (List of String) A list of OSS license names that may be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
+- `banned_licenses` (List of String) A list of OSS license names that may not be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.
 - `multi_license_permissive` (Boolean) Do not generate a violation if at least one license is valid in cases whereby multiple licenses were detected on the component.
 
 ## Import

@@ -128,7 +128,7 @@ Optional:
 - `block_download` (Block Set) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
 - `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
 - `block_release_bundle_promotion` (Boolean) Blocks Release Bundle promotion if a violation is found. Default value is `false`.
-- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
+- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled. Default value is `0`
 - `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
 - `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
 - `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.

@@ -162,7 +162,7 @@ Optional:
 - `block_download` (Block Set) Block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch (see [below for nested schema](#nestedblock--rule--actions--block_download))
 - `block_release_bundle_distribution` (Boolean) Blocks Release Bundle distribution to Edge nodes if a violation is found. Default value is `false`.
 - `block_release_bundle_promotion` (Boolean) Blocks Release Bundle promotion if a violation is found. Default value is `false`.
-- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled.
+- `build_failure_grace_period_in_days` (Number) Allow grace period for certain number of days. All violations will be ignored during this time. To be used only if `fail_build` is enabled. Default value is `0`
 - `create_ticket_enabled` (Boolean) Create Jira Ticket for this Policy Violation. Requires configured Jira integration. Default value is `false`.
 - `fail_build` (Boolean) Whether or not the related CI build should be marked as failed if a violation is triggered. This option is only available when the policy is applied to an `xray_watch` resource with a `type` of `builds`. Default value is `false`.
 - `mails` (Set of String) A list of email addressed that will get emailed when a violation is triggered.
@@ -185,15 +185,15 @@ Optional:
 
 Optional:
 
-- `applicable_cves_only` (Boolean) Default value is `false`. Mark to skip CVEs that are not applicable in the context of the artifact. The contextual analysis operation might be long and affect build time if the `fail_build` action is set.
+- `applicable_cves_only` (Boolean) Mark to skip CVEs that are not applicable in the context of the artifact. The contextual analysis operation might be long and affect build time if the `fail_build` action is set.
 
 ~>Only supported by JFrog Advanced Security
 - `cvss_range` (Block List) The CVSS score range to apply to the rule. This is used for a fine-grained control, rather than using the predefined severities. The score range is based on CVSS v3 scoring, and CVSS v2 score is CVSS v3 score is not available. (see [below for nested schema](#nestedblock--rule--criteria--cvss_range))
 - `exposures` (Block List) Creates policy rules for specific exposures.
 
 ~>Only supported by JFrog Advanced Security (see [below for nested schema](#nestedblock--rule--criteria--exposures))
-- `fix_version_dependant` (Boolean) Default value is `false`. Issues that do not have a fixed version are not generated until a fixed version is available. Must be `false` with `malicious_package` enabled.
-- `malicious_package` (Boolean) Default value is `false`. Generating a violation on a malicious package.
+- `fix_version_dependant` (Boolean) Issues that do not have a fixed version are not generated until a fixed version is available. Must be `false` with `malicious_package` enabled.
+- `malicious_package` (Boolean) Generating a violation on a malicious package.
 - `min_severity` (String) The minimum security vulnerability severity that will be impacted by the policy. Valid values: `All Severities`, `Critical`, `High`, `Medium`, `Low`
 - `package_name` (String) The package name to create a rule for
 - `package_type` (String) The package type to create a rule for

@@ -1,12 +1,12 @@
-module github.com/jfrog/terraform-provider-xray
+module github.com/jfrog/terraform-provider-xray/v3
 
 // if you need to do local dev, literally just uncomment the line below
 // replace github.com/jfrog/terraform-provider-shared => ../terraform-provider-shared
 
 go 1.22.7
 
 require (
-	github.com/go-resty/resty/v2 v2.16.0
+	github.com/go-resty/resty/v2 v2.15.3
 	github.com/hashicorp/go-version v1.7.0
 	github.com/hashicorp/terraform-plugin-docs v0.20.0
 	github.com/hashicorp/terraform-plugin-framework v1.13.0

@@ -47,8 +47,8 @@ github.com/go-git/go-billy/v5 v5.5.0 h1:yEY4yhzCDuMGSv83oGxiBotRzhwhNr8VZyphhiu+
 github.com/go-git/go-billy/v5 v5.5.0/go.mod h1:hmexnoNsr2SJU1Ju67OaNz5ASJY3+sHgFRpCtpDCKow=
 github.com/go-git/go-git/v5 v5.12.0 h1:7Md+ndsjrzZxbddRDZjF14qK+NN56sy6wkqaVrjZtys=
 github.com/go-git/go-git/v5 v5.12.0/go.mod h1:FTM9VKtnI2m65hNI/TenDDDnUf2Q9FHnXYjuz9i5OEY=
-github.com/go-resty/resty/v2 v2.16.0 h1:qpKalHWI2bpp9BIKlyT8TYWEJXOk1NuKbfiT3RRnzWc=
-github.com/go-resty/resty/v2 v2.16.0/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU=
+github.com/go-resty/resty/v2 v2.15.3 h1:bqff+hcqAflpiF591hhJzNdkRsFhlB96CYfBwSFvql8=
+github.com/go-resty/resty/v2 v2.15.3/go.mod h1:0fHAoK7JoBy/Ch36N8VFeMsK7xQOHhvWaC3iOktwmIU=
 github.com/go-test/deep v1.0.3 h1:ZrJSEWsXzPOxaZnFteGEfooLba+ju3FYIbOrS+rQd68=
 github.com/go-test/deep v1.0.3/go.mod h1:wGDj63lr65AM2AQyKZd/NYHGb0R+1RLqB8NKt3aSFNA=
 github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=

@@ -6,7 +6,7 @@ import (
 	"log"
 
 	"github.com/hashicorp/terraform-plugin-framework/providerserver"
-	"github.com/jfrog/terraform-provider-xray/pkg/xray"
+	"github.com/jfrog/terraform-provider-xray/v3/pkg/xray"
 )
 
 // Run the docs generation tool, check its repository for more information on how it works and how docs

@@ -13,7 +13,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/jfrog/terraform-provider-shared/client"
 	"github.com/jfrog/terraform-provider-shared/testutil"
-	"github.com/jfrog/terraform-provider-xray/pkg/xray"
+	"github.com/jfrog/terraform-provider-xray/v3/pkg/xray"
 )
 
 // Provider PreCheck(t) must be called before using this provider instance.

@@ -14,11 +14,11 @@ import (
 	"github.com/jfrog/terraform-provider-shared/client"
 	"github.com/jfrog/terraform-provider-shared/util"
 	validatorfw_string "github.com/jfrog/terraform-provider-shared/validator/fw/string"
-	xray_datasource "github.com/jfrog/terraform-provider-xray/pkg/xray/datasource"
-	xray_resource "github.com/jfrog/terraform-provider-xray/pkg/xray/resource"
+	xray_datasource "github.com/jfrog/terraform-provider-xray/v3/pkg/xray/datasource"
+	xray_resource "github.com/jfrog/terraform-provider-xray/v3/pkg/xray/resource"
 )
 
-var Version = "2.11.1"
+var Version = "3.0.0"
 var productId = "terraform-provider-xray/" + Version
 
 // Ensure the implementation satisfies the provider.Provider interface.
@@ -34,7 +34,6 @@ type XrayProviderModel struct {
 	AccessToken          types.String `tfsdk:"access_token"`
 	OIDCProviderName     types.String `tfsdk:"oidc_provider_name"`
 	TFCCredentialTagName types.String `tfsdk:"tfc_credential_tag_name"`
-	CheckLicense         types.Bool   `tfsdk:"check_license"`
 }
 
 // Metadata satisfies the provider.Provider interface for ArtifactoryProvider
@@ -76,11 +75,6 @@ func (p *XrayProvider) Schema(ctx context.Context, req provider.SchemaRequest, r
 				},
 				Description: "Terraform Cloud Workload Identity Token tag name. Use for generating multiple TFC workload identity tokens. When set, the provider will attempt to use env var with this tag name as suffix. **Note:** this is case sensitive, so if set to `JFROG`, then env var `TFC_WORKLOAD_IDENTITY_TOKEN_JFROG` is used instead of `TFC_WORKLOAD_IDENTITY_TOKEN`. See [Generating Multiple Tokens](https://developer.hashicorp.com/terraform/cloud-docs/workspaces/dynamic-provider-credentials/manual-generation#generating-multiple-tokens) on HCP Terraform for more details.",
 			},
-			"check_license": schema.BoolAttribute{
-				Optional:           true,
-				Description:        "Toggle for pre-flight checking of Artifactory Pro and Enterprise license. Default to `true`.",
-				DeprecationMessage: "Remove this attribute from your provider configuration as it is no longer used and the attribute will be removed in the next major version of the provider.",
-			},
 		},
 	}
 }

@@ -10,7 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/jfrog/terraform-provider-shared/testutil"
 	"github.com/jfrog/terraform-provider-shared/util"
-	"github.com/jfrog/terraform-provider-xray/pkg/acctest"
+	"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
 	"github.com/samber/lo"
 )
 

@@ -10,7 +10,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-testing/terraform"
 	"github.com/jfrog/terraform-provider-shared/testutil"
 	"github.com/jfrog/terraform-provider-shared/util"
-	"github.com/jfrog/terraform-provider-xray/pkg/acctest"
+	"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
 	"github.com/samber/lo"
 )
 

@@ -7,7 +7,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/jfrog/terraform-provider-shared/testutil"
 	"github.com/jfrog/terraform-provider-shared/util"
-	"github.com/jfrog/terraform-provider-xray/pkg/acctest"
+	"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
 	"github.com/samber/lo"
 )
 

@@ -9,7 +9,7 @@ import (
 	"github.com/jfrog/terraform-provider-shared/testutil"
 	"github.com/jfrog/terraform-provider-shared/util"
 	"github.com/jfrog/terraform-provider-shared/util/sdk"
-	"github.com/jfrog/terraform-provider-xray/pkg/acctest"
+	"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
 )
 
 func TestAccCustomIssue_UpgradeFromSDKv2(t *testing.T) {

@@ -12,7 +12,7 @@ import (
 	"github.com/jfrog/terraform-provider-shared/client"
 	"github.com/jfrog/terraform-provider-shared/testutil"
 	"github.com/jfrog/terraform-provider-shared/util"
-	"github.com/jfrog/terraform-provider-xray/pkg/acctest"
+	"github.com/jfrog/terraform-provider-xray/v3/pkg/acctest"
 )
 
 func TestAccIgnoreRule_UpgradeFromSDKv2(t *testing.T) {

@@ -3,9 +3,11 @@ package xray
 import (
 	"context"
 
+	"github.com/hashicorp/terraform-plugin-framework-validators/listvalidator"
 	"github.com/hashicorp/terraform-plugin-framework-validators/stringvalidator"
 	"github.com/hashicorp/terraform-plugin-framework/attr"
 	"github.com/hashicorp/terraform-plugin-framework/diag"
+	"github.com/hashicorp/terraform-plugin-framework/path"
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
@@ -42,13 +44,13 @@ func (r LicensePolicyResource) toCriteriaAPIModel(ctx context.Context, criteriaE
 		attrs := criteriaElems[0].(types.Object).Attributes()
 
 		var allowedLicenses []string
-		d := attrs["allowed_licenses"].(types.Set).ElementsAs(ctx, &allowedLicenses, false)
+		d := attrs["allowed_licenses"].(types.List).ElementsAs(ctx, &allowedLicenses, false)
 		if d.HasError() {
 			diags.Append(d...)
 		}
 
 		var bannedLicenses []string
-		d = attrs["banned_licenses"].(types.Set).ElementsAs(ctx, &bannedLicenses, false)
+		d = attrs["banned_licenses"].(types.List).ElementsAs(ctx, &bannedLicenses, false)
 		if d.HasError() {
 			diags.Append(d...)
 		}
@@ -82,8 +84,8 @@ func (r LicensePolicyResource) toAPIModel(ctx context.Context, plan PolicyResour
 var licenseCriteriaAttrTypes = lo.Assign(
 	map[string]attr.Type{
 		"allow_unknown":            types.BoolType,
-		"allowed_licenses":         types.SetType{ElemType: types.StringType},
-		"banned_licenses":          types.SetType{ElemType: types.StringType},
+		"allowed_licenses":         types.ListType{ElemType: types.StringType},
+		"banned_licenses":          types.ListType{ElemType: types.StringType},
 		"multi_license_permissive": types.BoolType,
 	},
 )
@@ -97,12 +99,12 @@ func (r *LicensePolicyResource) fromCriteriaAPIModel(ctx context.Context, criter
 
 	criteriaSet := types.SetNull(licenseCriteriaSetElementType)
 	if criteraAPIModel != nil {
-		allowedLicenses, d := types.SetValueFrom(ctx, types.StringType, criteraAPIModel.AllowedLicenses)
+		allowedLicenses, d := types.ListValueFrom(ctx, types.StringType, criteraAPIModel.AllowedLicenses)
 		if d.HasError() {
 			diags.Append(d...)
 		}
 
-		bannedLicenses, d := types.SetValueFrom(ctx, types.StringType, criteraAPIModel.BannedLicenses)
+		bannedLicenses, d := types.ListValueFrom(ctx, types.StringType, criteraAPIModel.BannedLicenses)
 		if d.HasError() {
 			diags.Append(d...)
 		}
@@ -232,14 +234,20 @@ var licenseRuleSetElementType = types.ObjectType{
 }
 
 var licensePolicyCriteriaAttrs = map[string]schema.Attribute{
-	"banned_licenses": schema.SetAttribute{
+	"banned_licenses": schema.ListAttribute{
 		ElementType: types.StringType,
 		Optional:    true,
+		Validators: []validator.List{
+			listvalidator.ConflictsWith(path.MatchRelative().AtParent().AtName("allowed_licenses")),
+		},
 		Description: "A list of OSS license names that may not be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.",
 	},
-	"allowed_licenses": schema.SetAttribute{
+	"allowed_licenses": schema.ListAttribute{
 		ElementType: types.StringType,
 		Optional:    true,
+		Validators: []validator.List{
+			listvalidator.ConflictsWith(path.MatchRelative().AtParent().AtName("banned_licenses")),
+		},
 		Description: "A list of OSS license names that may be attached to a component. Supports custom licenses added by the user, but there is no verification if the license exists on the Xray side. If the added license doesn't exist, the policy won't trigger the violation.",
 	},
 	"allow_unknown": schema.BoolAttribute{