Unable to apply xray_security_policy when create_ticket_enabled is set to true #295

@mymasse

Describe the bug
Whenever we try to apply our configuration to create a policy with the create_ticket_enabled flag set to true, it fails with the following error:

│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to module.xray_configuration.xray_security_policy.create_issue_high_severity_cve_with_fix, provider "provider[\"registry.terraform.io/jfrog/xray\"]" produced an unexpected new value: .rule: planned set element
│ cty.ObjectVal(map[string]cty.Value{"actions":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"block_download":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"active":cty.False, "unscanned":cty.False})}),
│ "block_release_bundle_distribution":cty.False, "block_release_bundle_promotion":cty.False, "build_failure_grace_period_in_days":cty.NumberIntVal(0), "create_ticket_enabled":cty.True, "fail_build":cty.False, "mails":cty.NullVal(cty.Set(cty.String)),
│ "notify_deployer":cty.False, "notify_watch_recipients":cty.False, "webhooks":cty.NullVal(cty.Set(cty.String))})}), "criteria":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"applicable_cves_only":cty.NullVal(cty.Bool),
│ "cvss_range":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"from":cty.MustParseNumberVal("9.3"), "to":cty.NumberIntVal(10)})}), "exposures":cty.ListValEmpty(cty.Object(map[string]cty.Type{"applications":cty.Bool, "iac":cty.Bool, "min_severity":cty.String,
│ "secrets":cty.Bool, "services":cty.Bool})), "fix_version_dependant":cty.True, "malicious_package":cty.NullVal(cty.Bool), "min_severity":cty.NullVal(cty.String), "package_name":cty.NullVal(cty.String), "package_type":cty.NullVal(cty.String),
│ "package_versions":cty.NullVal(cty.Set(cty.String)), "vulnerability_ids":cty.NullVal(cty.Set(cty.String))})}), "name":cty.StringVal("create-issue-high-severity-cve-with-fix"), "priority":cty.NumberIntVal(1)}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Note: The policy is actually created in Xray; on a subsequent terraform apply it is detected as tainted, and applying again throws the same error.

Sample terraform configuration causing the issue:

resource "xray_security_policy" "this" {
  name        = "create-issue"
  description = "Create JIRA issues"
  type        = "security"

  rule {
    name     = "create-issue"
    priority = 1

    criteria {
      fix_version_dependant = true
      cvss_range {
        from = 9.3
        to   = 10
      }
    }

    actions {
      create_ticket_enabled = true
      block_download {
        active    = false
        unscanned = false
      }
    }
  }
}

Requirements for an issue

  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue)
  • Your version of Artifactory and Xray (you can curl Artifactory version at $host/artifactory/api/system/version and Xray version at
    $host/xray/api/v1/system/version)
  • Your version of terraform

Expected behavior
Expecting no error

Additional context
Terraform versions:

Terraform v1.10.4
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v5.83.1
+ provider registry.terraform.io/jfrog/artifactory v12.8.1
+ provider registry.terraform.io/jfrog/platform v2.2.1
+ provider registry.terraform.io/jfrog/xray v3.0.3

Artifactory/Xray versions:

Artifactory: 7.98.13
Xray: 3.107.21

Labels: bug, triaged
