oci_cloud_guard_detector_recipe Fails When Detector Rule Order Changes #2509

@indigo-saito

Description

Terraform Version and Provider Version

Terraform v1.14.4
on linux_amd64
+ provider registry.terraform.io/oracle/oci v8.0.0

Affected Resource(s)

  • "oci_cloud_guard_detector_recipe"

Terraform Configuration Files

terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = "~> 8.0.0"
    }
  }
  required_version = ">= 1.5.0"
}

provider "oci" {
  region = var.region
}

variable "region" {
  type    = string
  default = "ap-tokyo-1"
}

variable "tenancy_ocid" {
  description = "Tenancy OCID"
  type        = string
}

Debug Output

https://gist.github.com/indigo-saito/7004a010620f9ff53d8227bc3a64c760

Expected Behavior

The detector_rules should be updated according to the Terraform code definition.

Actual Behavior

When oci_cloud_guard_detector_recipe.*.detector_rules is set and detector_rules is later modified, oci_cloud_guard_detector_recipe returns an error.

Hypothesis for the cause:
Each time an update occurs, the order of items in the detector_rules array becomes non-deterministic,
but the update process seems to assume that the array index does not change.

Steps to Reproduce

  1. create main.tf
terraform {
  required_providers {
    oci = {
      source  = "oracle/oci"
      version = "~> 8.0.0"
    }
  }
  required_version = ">= 1.5.0"
}

provider "oci" {
  region = var.region
}

variable "region" {
  type    = string
  default = "ap-tokyo-1"
}

variable "tenancy_ocid" {
  description = "Tenancy OCID"
  type        = string
}

resource "oci_identity_policy" "cloud_guard_policy" {
  compartment_id = var.tenancy_ocid
  description    = "IAM Policy for Cloud Guard Self Managed"
  name           = "SelfManaged-DetectiveControl"
  statements = [
    "allow service cloudguard to manage cloudevents-rules in tenancy where target.rule.type='managed'",
    "allow service cloudguard to read vaults in tenancy",
    "allow service cloudguard to read keys in tenancy",
    "allow service cloudguard to read compartments in tenancy",
    "allow service cloudguard to read tenancies in tenancy",
    "allow service cloudguard to read audit-events in tenancy",
    "allow service cloudguard to read compute-management-family in tenancy",
    "allow service cloudguard to read instance-family in tenancy",
    "allow service cloudguard to read virtual-network-family in tenancy",
    "allow service cloudguard to read volume-family in tenancy",
    "allow service cloudguard to read database-family in tenancy",
    "allow service cloudguard to read object-family in tenancy",
    "allow service cloudguard to read load-balancers in tenancy",
    "allow service cloudguard to read users in tenancy",
    "allow service cloudguard to read groups in tenancy",
    "allow service cloudguard to read policies in tenancy",
    "allow service cloudguard to read dynamic-groups in tenancy",
    "allow service cloudguard to read authentication-policies in tenancy",
    "allow service cloudguard to use network-security-groups in tenancy",
    "allow service cloudguard to read data-safe-family in tenancy",
    "allow service cloudguard to read autonomous-database-family in tenancy",
    "allow service cloudguard to read log-groups in tenancy"
  ]
}

data "oci_cloud_guard_cloud_guard_configuration" "this" {
  compartment_id = var.tenancy_ocid
}

data "oci_cloud_guard_detector_recipes" "defaults" {
  compartment_id = var.tenancy_ocid
  display_name   = "OCI Configuration Detector Recipe"
  depends_on     = [oci_cloud_guard_cloud_guard_configuration.this]
}

resource "oci_cloud_guard_cloud_guard_configuration" "this" {
  compartment_id        = var.tenancy_ocid
  reporting_region      = var.region
  status                = "ENABLED"
  self_manage_resources = false
  depends_on            = [oci_identity_policy.cloud_guard_policy]
  lifecycle {
    ignore_changes = all
  }
}

resource "oci_identity_compartment" "my_compartment" {
  compartment_id = var.tenancy_ocid
  description    = "My Compartment for Cloud Guard in Self"
  name           = "MyCompartment"
}

resource "oci_cloud_guard_detector_recipe" "self_configuration_detector_recipe" {
  compartment_id            = oci_identity_compartment.my_compartment.id
  display_name              = "Configuration Detector Recipe (Self Managed)"
  description               = "Cloned from Oracle Managed Recipe for Self Managed Cloud Guard"
  detector                  = data.oci_cloud_guard_detector_recipes.defaults.detector_recipe_collection[0].items[0].detector
  source_detector_recipe_id = data.oci_cloud_guard_detector_recipes.defaults.detector_recipe_collection[0].items[0].id
  detector_rules {
    detector_rule_id = "PASSWORD_TOO_OLD"
    details {
      is_enabled = true
      risk_level = "LOW"
    }
  }
  detector_rules {
    detector_rule_id = "API_KEY_TOO_OLD"
    details {
      is_enabled = true
      risk_level = "MEDIUM"
    }
  }
  depends_on = [oci_cloud_guard_cloud_guard_configuration.this, oci_identity_compartment.my_compartment]
}
  2. terraform apply

  3. After applying this configuration, edit the detector rule in the console.
    (Change the Days value for "API key is too old" from 90 to 120.)

  4. Then terraform apply

$ terraform apply
oci_identity_policy.cloud_guard_policy: Refreshing state... [id=ocid1.policy.oc1..aaaaaaaaio623znnqosinomvfzye7bwnzm2zqzllul7nmv3cmuqldvypfj6a]
oci_identity_compartment.my_compartment: Refreshing state... [id=ocid1.compartment.oc1..aaaaaaaas6ushoxrfdaofxoupu46f62sq4eurcxfpqklffbvm3y4xrtt7mua]
data.oci_cloud_guard_cloud_guard_configuration.this: Reading...
data.oci_cloud_guard_cloud_guard_configuration.this: Read complete after 0s [id=CloudGuardCloudGuardConfigurationDataSource-1321995376]
oci_cloud_guard_cloud_guard_configuration.this: Refreshing state... [id=configuration]
data.oci_cloud_guard_detector_recipes.defaults: Reading...
data.oci_cloud_guard_detector_recipes.defaults: Read complete after 0s [id=CloudGuardDetectorRecipesDataSource-2820811517]
oci_cloud_guard_detector_recipe.self_configuration_detector_recipe: Refreshing state... [id=ocid1.cloudguarddetectorrecipe.oc1.ap-tokyo-1.amaaaaaahabslsaadb63d6ddw5tg4u5i72rqmgedqzlf5nqhfgkgaqfvxrna]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # oci_cloud_guard_detector_recipe.self_configuration_detector_recipe will be updated in-place
  ~ resource "oci_cloud_guard_detector_recipe" "self_configuration_detector_recipe" {
        id                        = "ocid1.cloudguarddetectorrecipe.oc1.ap-tokyo-1.amaaaaaahabslsaadb63d6ddw5tg4u5i72rqmgedqzlf5nqhfgkgaqfvxrna"
        # (15 unchanged attributes hidden)

      ~ detector_rules {
          ~ detector_rule_id          = "API_KEY_TOO_OLD" -> "PASSWORD_TOO_OLD"
            # (16 unchanged attributes hidden)

          ~ details {
              ~ risk_level               = "MEDIUM" -> "LOW"
                # (7 unchanged attributes hidden)

                # (1 unchanged block hidden)
            }
        }
      ~ detector_rules {
          ~ detector_rule_id          = "PASSWORD_TOO_OLD" -> "API_KEY_TOO_OLD"
            # (16 unchanged attributes hidden)

          ~ details {
              ~ risk_level               = "LOW" -> "MEDIUM"
                # (7 unchanged attributes hidden)
            }
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

oci_cloud_guard_detector_recipe.self_configuration_detector_recipe: Modifying... [id=ocid1.cloudguarddetectorrecipe.oc1.ap-tokyo-1.amaaaaaahabslsaadb63d6ddw5tg4u5i72rqmgedqzlf5nqhfgkgaqfvxrna]
╷
│ Error: 400-InvalidParameter, Invalid Configuration Key : apiKeyTooOldConfig for detector id : PASSWORD_TOO_OLD
│ Suggestion: Please update the parameter(s) in the Terraform config as per error message Invalid Configuration Key : apiKeyTooOldConfig for detector id : PASSWORD_TOO_OLD
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/cloud_guard_detector_recipe
│ API Reference: https://docs.oracle.com/iaas/api/#/en/cloud-guard/20200131/DetectorRecipe/UpdateDetectorRecipe
│ Request Target: PUT https://cloudguard-cp-api.ap-tokyo-1.oci.oraclecloud.com/20200131/detectorRecipes/ocid1.cloudguarddetectorrecipe.oc1.ap-tokyo-1.amaaaaaahabslsaadb63d6ddw5tg4u5i72rqmgedqzlf5nqhfgkgaqfvxrna
│ Provider version: 8.0.0, released on 2026-02-04.
│ Service: Cloud Guard Detector Recipe
│ Operation Name: UpdateDetectorRecipe
│ OPC request ID: f1cf24f8c1a047f140a5645aac747dd3/116991F5F13F62917A048C694E525486/F37E2BAC53BA2E1C47EDF21C6F87DBAB
│
│
│   with oci_cloud_guard_detector_recipe.self_configuration_detector_recipe,
│   on cloud_guard.tf line 83, in resource "oci_cloud_guard_detector_recipe" "self_configuration_detector_recipe":
│   83: resource "oci_cloud_guard_detector_recipe" "self_configuration_detector_recipe" {
│
╵
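The reordering mechanism the report hypothesises, as an added illustration that is not the provider's code: a diff that pairs config and state rules by array index produces the cross-mapped update visible in the plan above (PASSWORD_TOO_OLD sent with apiKeyTooOldConfig), while a diff keyed on detector_rule_id produces nothing for a pure reorder and keeps the right config key for a genuine change. The Rule type, the sample rules and the passwordTooOldConfig key are constructed for the example.

```go
package main

import "fmt"

// Rule is a constructed stand-in for one detector rule (not the provider's
// type): config supplies ID and risk level; state also carries the config key.
type Rule struct {
	ID        string // detector_rule_id
	RiskLevel string
	ConfigKey string // service-side configuration key bound to this rule
}

// positionalDiff pairs config (desired) and state (actual) by index, the
// behaviour the report hypothesises. After the service reorders the rules,
// each slot is sent under the desired ID but with the other rule's config key.
func positionalDiff(desired, actual []Rule) []Rule {
	var out []Rule
	for i := 0; i < len(desired) && i < len(actual); i++ {
		if desired[i].ID != actual[i].ID || desired[i].RiskLevel != actual[i].RiskLevel {
			out = append(out, Rule{desired[i].ID, desired[i].RiskLevel, actual[i].ConfigKey})
		}
	}
	return out
}

// keyedDiff matches rules by detector_rule_id, so a reorder produces no
// update and a genuine risk-level change keeps its own config key.
func keyedDiff(desired, actual []Rule) []Rule {
	byID := make(map[string]Rule, len(actual))
	for _, r := range actual {
		byID[r.ID] = r
	}
	var out []Rule
	for _, d := range desired {
		if a, ok := byID[d.ID]; ok && a.RiskLevel != d.RiskLevel {
			out = append(out, Rule{d.ID, d.RiskLevel, a.ConfigKey})
		}
	}
	return out
}

func main() {
	desired := []Rule{{"PASSWORD_TOO_OLD", "LOW", ""}, {"API_KEY_TOO_OLD", "MEDIUM", ""}}
	// Constructed state after the console edit: same rules, order swapped.
	// passwordTooOldConfig is a placeholder; only apiKeyTooOldConfig is in the issue.
	actual := []Rule{{"API_KEY_TOO_OLD", "MEDIUM", "apiKeyTooOldConfig"}, {"PASSWORD_TOO_OLD", "LOW", "passwordTooOldConfig"}}
	fmt.Println("positional:", positionalDiff(desired, actual)) // PASSWORD_TOO_OLD carrying apiKeyTooOldConfig
	fmt.Println("keyed:", keyedDiff(desired, actual))           // nothing to send
}
```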

Labels: In-Progress (Terraform Team is working on the reproduce & fix), bug