DET-728: Added back removed blocks for override tests

antonymartinsumo · antonymartinsumo · commit ca6dcd3eac28 · 2025-08-14T12:41:35.000+05:30
diff --git a/sumologic/resource_sumologic_cse_aggregation_rule_test.go b/sumologic/resource_sumologic_cse_aggregation_rule_test.go
@@ -93,13 +93,25 @@ func TestAccSumologicCSEAggregationRule_Override(t *testing.T) {
 					testCheckAggregationRuleOverrideValues(&aggregationRule, descriptionExpression),
 					resource.TestCheckResourceAttrSet(resourceName, "id"),
 					resource.TestCheckResourceAttr(resourceName, "id", "AGGREGATION-S00009"),
-					removeState("sumologic_cse_aggregation_rule.sumo_aggregation_rule_test"),
 				),
 			},
+			{
+				Config: getAggregationRuleRemovedBlock(),
+			},
 		},
 	})
 }
 
+func getAggregationRuleRemovedBlock() string {
+	return fmt.Sprintf(`
+	removed {
+		from = sumologic_cse_aggregation_rule.sumo_aggregation_rule_test
+		lifecycle {
+			destroy = false
+		}
+	}`)
+}
+
 func TestAccSumologicCSEAggregationRule_createAndUpdateToCustomWindowSize(t *testing.T) {
 	SkipCseTest(t)
 
diff --git a/sumologic/resource_sumologic_cse_chain_rule_test.go b/sumologic/resource_sumologic_cse_chain_rule_test.go
@@ -93,13 +93,26 @@ func TestAccSumologicCSEChainRule_Override(t *testing.T) {
 					testCheckChainRuleOverrideValues(&ChainRule, descriptionExpression),
 					resource.TestCheckResourceAttrSet(resourceName, "id"),
 					resource.TestCheckResourceAttr(resourceName, "id", "CHAIN-S00016"),
-					removeState("sumologic_cse_chain_rule.sumo_chain_rule_test"),
 				),
 			},
+			{
+				Config: getChainRuleRemovedBlock(),
+			},
 		},
 	})
 }
 
+func getChainRuleRemovedBlock() string {
+	return fmt.Sprintf(`
+	removed {
+		from = sumologic_cse_chain_rule.sumo_chain_rule_test
+		lifecycle {
+			destroy = false
+		}
+	}
+	`)
+}
+
 func TestAccSumologicCSEChainRule_createAndUpdateToCustomWindowSize(t *testing.T) {
 	SkipCseTest(t)
 
diff --git a/sumologic/resource_sumologic_cse_first_seen_rule_test.go b/sumologic/resource_sumologic_cse_first_seen_rule_test.go
@@ -108,13 +108,26 @@ func TestAccSumologicCSEFirstSeenRule_Override(t *testing.T) {
 					testCheckFirstSeenRuleOverrideValues(&FirstSeenRule, fmt.Sprintf(descriptionExpression)),
 					resource.TestCheckResourceAttrSet(resourceName, "id"),
 					resource.TestCheckResourceAttr(resourceName, "id", "FIRST-S00009"),
-					removeState("sumologic_cse_first_seen_rule.sumo_first_seen_rule_test"),
 				),
 			},
+			{
+				Config: getFirstSeenRuleRemovedBlock(),
+			},
 		},
 	})
 }
 
+func getFirstSeenRuleRemovedBlock() string {
+	return fmt.Sprintf(`
+	removed {
+		from = sumologic_cse_first_seen_rule.sumo_first_seen_rule_test
+		lifecycle {
+			destroy = false
+		}
+	}
+	`)
+}
+
 func testAccCSEFirstSeenRuleDestroy(s *terraform.State) error {
 	client := testAccProvider.Meta().(*Client)
 
diff --git a/sumologic/resource_sumologic_cse_match_rule_test.go b/sumologic/resource_sumologic_cse_match_rule_test.go
@@ -78,9 +78,8 @@ func TestAccSumologicCSEMatchRule_createAndUpdate(t *testing.T) {
 func TestAccSumologicCSEMatchRule_Override(t *testing.T) {
 	SkipCseTest(t)
 
+	descriptionExpression := "Observes for possible exploitation of CVE-2017-8759"
 	var matchRule CSEMatchRule
-	descriptionExpression := "Detects email addresses associated with known malicious actor(s) or campaign(s) as designated by a threat intelligence provider."
-
 	resourceName := "sumologic_cse_match_rule.sumo_match_rule_test"
 	resource.Test(t, resource.TestCase{
 		PreCheck:     func() { testAccPreCheck(t) },
@@ -91,7 +90,7 @@ func TestAccSumologicCSEMatchRule_Override(t *testing.T) {
 				Config:                  testOverrideCSEMatchRuleConfig(descriptionExpression),
 				ResourceName:            resourceName,
 				ImportState:             true,
-				ImportStateId:           "MATCH-S01020",
+				ImportStateId:           "MATCH-S00574",
 				ImportStateVerify:       false,
 				ImportStateVerifyIgnore: []string{"name"}, // Ignore fields that might differ
 				ImportStatePersist:      true,
@@ -102,7 +101,7 @@ func TestAccSumologicCSEMatchRule_Override(t *testing.T) {
 					testCheckCSEMatchRuleExists(resourceName, &matchRule),
 					testCheckMatchRuleOverrideValues(&matchRule, fmt.Sprintf("Updated %s", descriptionExpression)),
 					resource.TestCheckResourceAttrSet(resourceName, "id"),
-					resource.TestCheckResourceAttr(resourceName, "id", "MATCH-S01020"),
+					resource.TestCheckResourceAttr(resourceName, "id", "MATCH-S00574"),
 				),
 			},
 			{
@@ -111,14 +110,27 @@ func TestAccSumologicCSEMatchRule_Override(t *testing.T) {
 					testCheckCSEMatchRuleExists(resourceName, &matchRule),
 					testCheckMatchRuleOverrideValues(&matchRule, descriptionExpression),
 					resource.TestCheckResourceAttrSet(resourceName, "id"),
-					resource.TestCheckResourceAttr(resourceName, "id", "MATCH-S01020"),
-					removeState("sumologic_cse_match_rule.sumo_match_rule_test"),
+					resource.TestCheckResourceAttr(resourceName, "id", "MATCH-S00574"),
 				),
 			},
+			{
+				Config: getMatchRuleRemovedBlock(),
+			},
 		},
 	})
 }
 
+func getMatchRuleRemovedBlock() string {
+	return fmt.Sprintf(`
+	removed {
+		from = sumologic_cse_match_rule.sumo_match_rule_test
+		lifecycle {
+			destroy = false
+		}
+	}
+`)
+}
+
 func TestAccSumologicCSEMatchRule_failSuppressionValidation(t *testing.T) {
 	SkipCseTest(t)
 
@@ -210,32 +222,28 @@ func testOverrideCSEMatchRuleConfig(descriptionExpression string) string {
 resource "sumologic_cse_match_rule" "sumo_match_rule_test" {
     description_expression = "%s"
     enabled                = true
-    expression             = "hasThreatMatch([targetUser_email], confidence > 1 AND type='email-addr')"
-    is_prototype           = true
-    name                   = "Threat Intel - Matched Target Email"
-    name_expression        = "Threat Intel - Matched Target Email"
-    summary_expression     = "The record contains a target email address associated with a threat intelligence feed: {{targetUser_email}}"
-    tags                   = []
+    is_prototype           = false
+    name                   = ".NET Framework Remote Code Execution Vulnerability"
+    name_expression        = ".NET Framework Remote Code Execution Vulnerability"
+    summary_expression     = "Observed possible CVE-2017-8759 exploit on {{device_hostname}}"
+    tags                   = [
+        "_mitreAttackTactic:TA0002",
+        "_mitreAttackTactic:TA0001",
+        "_mitreAttackTechnique:T1203",
+    ]
 
     entity_selectors {
-        entity_type = "_username"
-        expression  = "user_username"
-    }
-    entity_selectors {
-        entity_type = "_email"
-        expression  = "user_email"
+        entity_type = "_hostname"
+        expression  = "device_hostname"
     }
     entity_selectors {
         entity_type = "_username"
-        expression  = "targetUser_username"
-    }
-    entity_selectors {
-        entity_type = "_email"
-        expression  = "targetUser_email"
+        expression  = "user_username"
     }
 
     severity_mapping {
-        default = 1
+        default = 3
+        field   = null
         type    = "constant"
     }
 }
diff --git a/sumologic/resource_sumologic_cse_outlier_rule_test.go b/sumologic/resource_sumologic_cse_outlier_rule_test.go
@@ -112,13 +112,25 @@ func TestAccSumologicCSEOutlierRule_Override(t *testing.T) {
 					testCheckOutlierRuleOverrideValues(&OutlierRule, descriptionExpression),
 					resource.TestCheckResourceAttrSet(resourceName, "id"),
 					resource.TestCheckResourceAttr(resourceName, "id", "OUTLIER-S00007"),
-					removeState("sumologic_cse_outlier_rule.sumo_outlier_rule_test"),
 				),
 			},
+			{
+				Config: getOutlierRuleRemovedBlock(),
+			},
 		},
 	})
 }
 
+func getOutlierRuleRemovedBlock() string {
+	return fmt.Sprintf(`
+	removed {
+		from = sumologic_cse_outlier_rule.sumo_outlier_rule_test
+		lifecycle {
+			destroy = false
+		}
+	}`)
+}
+
 func testAccCSEOutlierRuleDestroy(s *terraform.State) error {
 	client := testAccProvider.Meta().(*Client)
 
diff --git a/sumologic/resource_sumologic_cse_threshold_rule_test.go b/sumologic/resource_sumologic_cse_threshold_rule_test.go
@@ -94,13 +94,26 @@ func TestAccSumologicCSEThresholdRule_Override(t *testing.T) {
 					testCheckThresholdRuleOverrideValues(&thresholdRule, descriptionExpression),
 					resource.TestCheckResourceAttrSet(resourceName, "id"),
 					resource.TestCheckResourceAttr(resourceName, "id", "THRESHOLD-S00059"),
-					removeState("sumologic_cse_threshold_rule.sumo_threshold_rule_test"),
 				),
 			},
+			{
+				Config: getThresholdRuleRemovedBlock(),
+			},
 		},
 	})
 }
 
+func getThresholdRuleRemovedBlock() string {
+	return fmt.Sprintf(`
+	removed {
+		from = sumologic_cse_threshold_rule.sumo_threshold_rule_test
+		lifecycle {
+			destroy = false
+		}
+	}
+	`)
+}
+
 func TestAccSumologicCSEThresholdRule_createAndUpdateToCustomWindowSize(t *testing.T) {
 	SkipCseTest(t)
 
