Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Problem:
We need to manage Cloud Guard detector rule “Input Settings” / allowed ports (e.g., add 3389 for Windows jump hosts) in IaC. OCI provides an API/PowerShell cmdlet to update target detector recipe detector rules, but terraform-provider-oci does not expose this functionality. This prevents consistent tuning across environments.
Requested enhancement:
Add support for updating Target Detector Recipe Detector Rules, preferably via a dedicated Terraform resource (e.g., oci_cloud_guard_target_detector_recipe_detector_rule) that maps to the API operation.
Use case:
- Oracle-managed Instance Security recipe triggers “Processes listening on open ports” findings
- We require RDP (3389) on specific Windows servers
- Want to add 3389 to allowed ports while leaving defaults intact
- Also want to explicitly manage/track exceptions rather than manual console edits
API reference:
PowerShell: Update-OCICloudguardTargetDetectorRecipeDetectorRule (link)
New or Affected Resource(s)
```hcl
resource "oci_cloud_guard_target_detector_recipe_detector_rule" "open_ports_allow_rdp" {
  target_id          = oci_cloud_guard_target.these["CG-TGT-ROOT-KEY"].id
  detector_recipe_id = data.oci_cloud_guard_detector_recipes.instance_security_enterprise.detector_recipe_collection[0].items[0].id
  detector_rule_id   = "INSTANCE_OPEN_PORTS_LISTENING" # example placeholder

  details {
    configurations {
      config_key = "allowedPortsConfig"
      value = jsonencode({
        allowedPorts = [22, XXX, ...] # keep defaults + adds port XXX (3389 for example)
      })
    }
  }
}
```