azurerm_sentinel_alert_rule_* - upgrade API version

[ziyeqf]

Community Note

• Please vote on this PR by adding a 👍 reaction to the original PR to help the community and maintainers prioritize for review
• Please do not leave comments along the lines of "+1", "me too" or "any updates", they generate extra noise for PR followers and do not help prioritize for review

Description

Upgrade API version to 2023-12-01-preview, which is consistent with Portal. And expanding the limitation on entity_mapping and sentinel_entity_mapping to 10.
The error message from service, when there are more than 10 entity_mapping is

unexpected status 400 (400 Bad Request) with error: BadRequest: Invalid data model. [: Invalid length of '11' for 'EntityMappings'. 'EntityMappings' length should be between '1' and '10']

As mentioned on #27832, Can we consider remove the maxItems limitation and let the service decide the limitation?

Also, other sentinel alert rules are upgraded to this API version, without further modification.

PR Checklist

• I have followed the guidelines in our Contributing Documentation.
• I have checked to ensure there aren't other open Pull Requests for the same update/change.
• I have checked if my changes close any open issues. If so please include appropriate closing keywords below.
• I have updated/added Documentation as required written in a helpful and kind way to assist users that may be unfamiliar with the resource / data source.
• I have used a meaningful PR title to help maintainers and other users understand this change and help prevent duplicate work.
  For example: “resource_name_here - description of change e.g. adding property new_property_name_here”

Changes to existing Resource / Data Source

• I have added an explanation of what my changes do and why I'd like you to include them (This may be covered by linking to an issue above, but may benefit from additional explanation).
• I have written new tests for my resource or datasource changes & updated any relevent documentation.
• I have successfully run tests with my changes locally. If not, please provide details on testing challenges that prevented you running the tests.
• (For changes that include a state migration only). I have manually tested the migration path between relevant versions of the provider.

Testing

• My submission includes Test coverage as described in the Contribution Guide and the tests pass. (if this is not possible for any reason, please include details of why you did or could not add test coverage)

❯❯ tftest sentinel TestAccSentinelAlertRule                                      
=== RUN   TestAccSentinelAlertRuleAnomalyBuiltIn_basic
=== PAUSE TestAccSentinelAlertRuleAnomalyBuiltIn_basic
=== RUN   TestAccSentinelAlertRuleAnomalyDataSource_basicWithThreshold
=== PAUSE TestAccSentinelAlertRuleAnomalyDataSource_basicWithThreshold
=== RUN   TestAccSentinelAlertRuleAnomalyDataSource_basicWithSingleSelect
=== PAUSE TestAccSentinelAlertRuleAnomalyDataSource_basicWithSingleSelect
=== RUN   TestAccSentinelAlertRuleAnomalyDataSource_basicWithMultiSelect
=== PAUSE TestAccSentinelAlertRuleAnomalyDataSource_basicWithMultiSelect
=== RUN   TestAccSentinelAlertRuleAnomalyDataSource_basicWithPrioritized
=== PAUSE TestAccSentinelAlertRuleAnomalyDataSource_basicWithPrioritized
=== RUN   TestAccSentinelAlertRuleAnomalyDuplicate_basic
=== PAUSE TestAccSentinelAlertRuleAnomalyDuplicate_basic
=== RUN   TestAccSentinelAlertRuleAnomalyDuplicate_requiresImport
=== PAUSE TestAccSentinelAlertRuleAnomalyDuplicate_requiresImport
=== RUN   TestAccSentinelAlertRuleAnomalyDuplicate_thresholdWithCustomObservation
=== PAUSE TestAccSentinelAlertRuleAnomalyDuplicate_thresholdWithCustomObservation
=== RUN   TestAccSentinelAlertRuleAnomalyDuplicate_multiSelectWithCustomObservation
=== PAUSE TestAccSentinelAlertRuleAnomalyDuplicate_multiSelectWithCustomObservation
=== RUN   TestAccSentinelAlertRuleAnomalyDuplicate_singleSelectWithCustomObservation
=== PAUSE TestAccSentinelAlertRuleAnomalyDuplicate_singleSelectWithCustomObservation
=== RUN   TestAccSentinelAlertRuleAnomalyDuplicate_prioritizeExcludeWithCustomObservation
=== PAUSE TestAccSentinelAlertRuleAnomalyDuplicate_prioritizeExcludeWithCustomObservation
=== RUN   TestAccSentinelAlertRuleDataSource_basic
=== PAUSE TestAccSentinelAlertRuleDataSource_basic
=== RUN   TestAccSentinelAlertRuleFusion_basic
=== PAUSE TestAccSentinelAlertRuleFusion_basic
=== RUN   TestAccSentinelAlertRuleFusion_disable
=== PAUSE TestAccSentinelAlertRuleFusion_disable
=== RUN   TestAccSentinelAlertRuleFusion_sourceSetting
=== PAUSE TestAccSentinelAlertRuleFusion_sourceSetting
=== RUN   TestAccSentinelAlertRuleMLBehaviorAnalytics_basic
=== PAUSE TestAccSentinelAlertRuleMLBehaviorAnalytics_basic
=== RUN   TestAccSentinelAlertRuleMLBehaviorAnalytics_complete
=== PAUSE TestAccSentinelAlertRuleMLBehaviorAnalytics_complete
=== RUN   TestAccSentinelAlertRuleMLBehaviorAnalytics_update
=== PAUSE TestAccSentinelAlertRuleMLBehaviorAnalytics_update
=== RUN   TestAccSentinelAlertRuleMLBehaviorAnalytics_requiresImport
=== PAUSE TestAccSentinelAlertRuleMLBehaviorAnalytics_requiresImport
=== RUN   TestAccSentinelAlertRuleMsSecurityIncident_basic
=== PAUSE TestAccSentinelAlertRuleMsSecurityIncident_basic
=== RUN   TestAccSentinelAlertRuleMsSecurityIncident_complete
=== PAUSE TestAccSentinelAlertRuleMsSecurityIncident_complete
=== RUN   TestAccSentinelAlertRuleMsSecurityIncident_update
=== PAUSE TestAccSentinelAlertRuleMsSecurityIncident_update
=== RUN   TestAccSentinelAlertRuleMsSecurityIncident_requiresImport
=== PAUSE TestAccSentinelAlertRuleMsSecurityIncident_requiresImport
=== RUN   TestAccSentinelAlertRuleMsSecurityIncident_withAlertRuleTemplateGuid
=== PAUSE TestAccSentinelAlertRuleMsSecurityIncident_withAlertRuleTemplateGuid
=== RUN   TestAccSentinelAlertRuleMsSecurityIncident_withDisplayNameExcludeFilter
=== PAUSE TestAccSentinelAlertRuleMsSecurityIncident_withDisplayNameExcludeFilter
=== RUN   TestAccSentinelAlertRuleNrt_basic
=== PAUSE TestAccSentinelAlertRuleNrt_basic
=== RUN   TestAccSentinelAlertRuleNrt_complete
=== PAUSE TestAccSentinelAlertRuleNrt_complete
=== RUN   TestAccSentinelAlertRuleNrt_update
=== PAUSE TestAccSentinelAlertRuleNrt_update
=== RUN   TestAccSentinelAlertRuleNrt_requiresImport
=== PAUSE TestAccSentinelAlertRuleNrt_requiresImport
=== RUN   TestAccSentinelAlertRuleNrt_withAlertRuleTemplateGuid
=== PAUSE TestAccSentinelAlertRuleNrt_withAlertRuleTemplateGuid
=== RUN   TestAccSentinelAlertRuleNrt_updateEventGroupingSetting
=== PAUSE TestAccSentinelAlertRuleNrt_updateEventGroupingSetting
=== RUN   TestAccSentinelAlertRuleScheduled_basic
=== PAUSE TestAccSentinelAlertRuleScheduled_basic
=== RUN   TestAccSentinelAlertRuleScheduled_entityMapping
=== PAUSE TestAccSentinelAlertRuleScheduled_entityMapping
=== RUN   TestAccSentinelAlertRuleScheduled_upgrade
=== PAUSE TestAccSentinelAlertRuleScheduled_upgrade
=== RUN   TestAccSentinelAlertRuleScheduled_complete
=== PAUSE TestAccSentinelAlertRuleScheduled_complete
=== RUN   TestAccSentinelAlertRuleScheduled_update
=== PAUSE TestAccSentinelAlertRuleScheduled_update
=== RUN   TestAccSentinelAlertRuleScheduled_requiresImport
=== PAUSE TestAccSentinelAlertRuleScheduled_requiresImport
=== RUN   TestAccSentinelAlertRuleScheduled_withAlertRuleTemplateGuid
=== PAUSE TestAccSentinelAlertRuleScheduled_withAlertRuleTemplateGuid
=== RUN   TestAccSentinelAlertRuleScheduled_updateEventGroupingSetting
=== PAUSE TestAccSentinelAlertRuleScheduled_updateEventGroupingSetting
=== RUN   TestAccSentinelAlertRuleTemplateDataSource_fusion
=== PAUSE TestAccSentinelAlertRuleTemplateDataSource_fusion
=== RUN   TestAccSentinelAlertRuleTemplateDataSource_securityIncident
=== PAUSE TestAccSentinelAlertRuleTemplateDataSource_securityIncident
=== RUN   TestAccSentinelAlertRuleTemplateDataSource_scheduled
=== PAUSE TestAccSentinelAlertRuleTemplateDataSource_scheduled
=== RUN   TestAccSentinelAlertRuleTemplateDataSource_nrt
=== PAUSE TestAccSentinelAlertRuleTemplateDataSource_nrt
=== RUN   TestAccSentinelAlertRuleThreatIntelligence_basic
=== PAUSE TestAccSentinelAlertRuleThreatIntelligence_basic
=== RUN   TestAccSentinelAlertRuleThreatIntelligence_complete
=== PAUSE TestAccSentinelAlertRuleThreatIntelligence_complete
=== RUN   TestAccSentinelAlertRuleThreatIntelligence_update
=== PAUSE TestAccSentinelAlertRuleThreatIntelligence_update
=== RUN   TestAccSentinelAlertRuleThreatIntelligence_requiresImport
=== PAUSE TestAccSentinelAlertRuleThreatIntelligence_requiresImport
=== CONT  TestAccSentinelAlertRuleAnomalyBuiltIn_basic
=== CONT  TestAccSentinelAlertRuleMsSecurityIncident_withDisplayNameExcludeFilter
=== CONT  TestAccSentinelAlertRuleFusion_basic
=== CONT  TestAccSentinelAlertRuleMLBehaviorAnalytics_requiresImport
=== CONT  TestAccSentinelAlertRuleMsSecurityIncident_update
=== CONT  TestAccSentinelAlertRuleMsSecurityIncident_withAlertRuleTemplateGuid
=== CONT  TestAccSentinelAlertRuleMsSecurityIncident_requiresImport
=== CONT  TestAccSentinelAlertRuleMsSecurityIncident_complete
--- PASS: TestAccSentinelAlertRuleMsSecurityIncident_requiresImport (136.18s)
=== CONT  TestAccSentinelAlertRuleMsSecurityIncident_basic
--- PASS: TestAccSentinelAlertRuleMsSecurityIncident_withAlertRuleTemplateGuid (143.67s)
=== CONT  TestAccSentinelAlertRuleMLBehaviorAnalytics_basic
--- PASS: TestAccSentinelAlertRuleMsSecurityIncident_complete (145.89s)
=== CONT  TestAccSentinelAlertRuleMLBehaviorAnalytics_update
--- PASS: TestAccSentinelAlertRuleMLBehaviorAnalytics_requiresImport (147.70s)
=== CONT  TestAccSentinelAlertRuleMLBehaviorAnalytics_complete
--- PASS: TestAccSentinelAlertRuleAnomalyBuiltIn_basic (153.52s)
=== CONT  TestAccSentinelAlertRuleAnomalyDuplicate_requiresImport
--- PASS: TestAccSentinelAlertRuleFusion_basic (162.62s)
=== CONT  TestAccSentinelAlertRuleDataSource_basic
--- PASS: TestAccSentinelAlertRuleMsSecurityIncident_update (204.12s)
=== CONT  TestAccSentinelAlertRuleAnomalyDuplicate_prioritizeExcludeWithCustomObservation
--- PASS: TestAccSentinelAlertRuleMsSecurityIncident_withDisplayNameExcludeFilter (205.49s)
=== CONT  TestAccSentinelAlertRuleAnomalyDuplicate_singleSelectWithCustomObservation
--- PASS: TestAccSentinelAlertRuleDataSource_basic (124.79s)
=== CONT  TestAccSentinelAlertRuleAnomalyDuplicate_multiSelectWithCustomObservation
--- PASS: TestAccSentinelAlertRuleAnomalyDuplicate_requiresImport (140.65s)
=== CONT  TestAccSentinelAlertRuleAnomalyDuplicate_thresholdWithCustomObservation
--- PASS: TestAccSentinelAlertRuleMLBehaviorAnalytics_basic (156.09s)
=== CONT  TestAccSentinelAlertRuleAnomalyDataSource_basicWithMultiSelect
--- PASS: TestAccSentinelAlertRuleMsSecurityIncident_basic (165.28s)
=== CONT  TestAccSentinelAlertRuleAnomalyDuplicate_basic
--- PASS: TestAccSentinelAlertRuleMLBehaviorAnalytics_complete (154.89s)
=== CONT  TestAccSentinelAlertRuleAnomalyDataSource_basicWithPrioritized
--- PASS: TestAccSentinelAlertRuleAnomalyDuplicate_prioritizeExcludeWithCustomObservation (144.52s)
=== CONT  TestAccSentinelAlertRuleFusion_sourceSetting
--- PASS: TestAccSentinelAlertRuleAnomalyDuplicate_singleSelectWithCustomObservation (144.98s)
=== CONT  TestAccSentinelAlertRuleAnomalyDataSource_basicWithSingleSelect
--- PASS: TestAccSentinelAlertRuleMLBehaviorAnalytics_update (252.95s)
=== CONT  TestAccSentinelAlertRuleAnomalyDataSource_basicWithThreshold
--- PASS: TestAccSentinelAlertRuleAnomalyDataSource_basicWithPrioritized (121.59s)
=== CONT  TestAccSentinelAlertRuleFusion_disable
--- PASS: TestAccSentinelAlertRuleAnomalyDataSource_basicWithMultiSelect (124.84s)
=== CONT  TestAccSentinelAlertRuleScheduled_requiresImport
--- PASS: TestAccSentinelAlertRuleAnomalyDuplicate_multiSelectWithCustomObservation (141.20s)
=== CONT  TestAccSentinelAlertRuleThreatIntelligence_requiresImport
--- PASS: TestAccSentinelAlertRuleAnomalyDuplicate_thresholdWithCustomObservation (141.38s)
=== CONT  TestAccSentinelAlertRuleThreatIntelligence_update
--- PASS: TestAccSentinelAlertRuleAnomalyDuplicate_basic (140.73s)
=== CONT  TestAccSentinelAlertRuleThreatIntelligence_complete
--- PASS: TestAccSentinelAlertRuleAnomalyDataSource_basicWithSingleSelect (121.57s)
=== CONT  TestAccSentinelAlertRuleThreatIntelligence_basic
--- PASS: TestAccSentinelAlertRuleFusion_sourceSetting (179.18s)
=== CONT  TestAccSentinelAlertRuleTemplateDataSource_nrt
--- PASS: TestAccSentinelAlertRuleAnomalyDataSource_basicWithThreshold (129.28s)
=== CONT  TestAccSentinelAlertRuleTemplateDataSource_scheduled
--- PASS: TestAccSentinelAlertRuleScheduled_requiresImport (132.17s)
=== CONT  TestAccSentinelAlertRuleTemplateDataSource_securityIncident
=== CONT  TestAccSentinelAlertRuleTemplateDataSource_fusion
--- PASS: TestAccSentinelAlertRuleThreatIntelligence_requiresImport (137.79s)
--- PASS: TestAccSentinelAlertRuleThreatIntelligence_complete (150.03s)
=== CONT  TestAccSentinelAlertRuleScheduled_updateEventGroupingSetting
--- PASS: TestAccSentinelAlertRuleThreatIntelligence_basic (148.26s)
=== CONT  TestAccSentinelAlertRuleScheduled_withAlertRuleTemplateGuid
--- PASS: TestAccSentinelAlertRuleTemplateDataSource_scheduled (120.81s)
=== CONT  TestAccSentinelAlertRuleNrt_updateEventGroupingSetting
--- PASS: TestAccSentinelAlertRuleTemplateDataSource_nrt (122.47s)
=== CONT  TestAccSentinelAlertRuleScheduled_update
--- PASS: TestAccSentinelAlertRuleFusion_disable (230.52s)
=== CONT  TestAccSentinelAlertRuleScheduled_complete
--- PASS: TestAccSentinelAlertRuleThreatIntelligence_update (241.03s)
=== CONT  TestAccSentinelAlertRuleScheduled_upgrade
--- PASS: TestAccSentinelAlertRuleTemplateDataSource_securityIncident (124.00s)
=== CONT  TestAccSentinelAlertRuleScheduled_entityMapping
--- PASS: TestAccSentinelAlertRuleTemplateDataSource_fusion (134.96s)
=== CONT  TestAccSentinelAlertRuleScheduled_basic
--- PASS: TestAccSentinelAlertRuleScheduled_withAlertRuleTemplateGuid (136.18s)
=== CONT  TestAccSentinelAlertRuleNrt_update
--- PASS: TestAccSentinelAlertRuleScheduled_updateEventGroupingSetting (169.48s)
=== CONT  TestAccSentinelAlertRuleNrt_withAlertRuleTemplateGuid
--- PASS: TestAccSentinelAlertRuleScheduled_complete (135.85s)
=== CONT  TestAccSentinelAlertRuleNrt_requiresImport
--- PASS: TestAccSentinelAlertRuleNrt_updateEventGroupingSetting (167.08s)
=== CONT  TestAccSentinelAlertRuleNrt_complete
--- PASS: TestAccSentinelAlertRuleScheduled_basic (134.46s)
=== CONT  TestAccSentinelAlertRuleNrt_basic
--- PASS: TestAccSentinelAlertRuleScheduled_upgrade (167.33s)
--- PASS: TestAccSentinelAlertRuleScheduled_update (194.56s)
--- PASS: TestAccSentinelAlertRuleScheduled_entityMapping (179.40s)
--- PASS: TestAccSentinelAlertRuleNrt_withAlertRuleTemplateGuid (159.57s)
--- PASS: TestAccSentinelAlertRuleNrt_requiresImport (133.58s)
--- PASS: TestAccSentinelAlertRuleNrt_complete (138.36s)
--- PASS: TestAccSentinelAlertRuleNrt_update (202.75s)
--- PASS: TestAccSentinelAlertRuleNrt_basic (132.87s)
PASS
ok  	github.com/hashicorp/terraform-provider-azurerm/internal/services/sentinel	968.781s

Change Log

Below please provide what should go into the changelog (if anything) conforming to the Changelog Format documented here.

• azurerm_sentinel_alert_rule_scheduled - upgrade API version [azurerm_sentinel_alert_rule_* - upgrade API version #28195]
• azurerm_sentinel_alert_rule_fusion - upgrade API version [azurerm_sentinel_alert_rule_* - upgrade API version #28195]
• azurerm_sentinel_alert_rule_machine_learning_behavior_analytics - upgrade API version [azurerm_sentinel_alert_rule_* - upgrade API version #28195]
• azurerm_sentinel_alert_rule_ms_security_incident - upgrade API version [azurerm_sentinel_alert_rule_* - upgrade API version #28195]
• azurerm_sentinel_alert_rule_nrt - upgrade API version [azurerm_sentinel_alert_rule_* - upgrade API version #28195]

This is a (please select all that apply):

• Bug Fix
• New Feature (ie adding a service, resource, or data source)
• Enhancement
• Breaking Change

Related Issue(s)

Fixes #27722

Note

If this PR changes meaningfully during the course of review please update the title and description as required.

[stephybun]

@ziyeqf we always ask that updating the go-azure-sdk is done in a separate PR because this gets updated often and ends up causing conflicts for PRs which prevent su from running the tests. Going forward can you please make sure to update the go-azure-sdk in a separate PR, please also resolve the merge conflict so we can run the tests.

[ziyeqf]

Hey @stephybun, thanks.

May I confirm updating the go-azure-sdk means update the version of go-azure-sdk or update API version?

[stephybun]

By updating the go-azure-sdk I mean only updating the version of hashicorp/go-azure-sdk and nothing else.

[stephybun]

Minor, but spacing consistency

Suggested change

	entity_mapping {
	entity_type = "Account"
	field_mapping {
	identifier = "Name"
	column_name = "Computer"
	}
	}
	entity_mapping {
	entity_type = "Account"
	field_mapping {
	identifier = "Name"
	column_name = "Category"
	}
	}
	entity_mapping {
	entity_type = "Account"
	field_mapping {
	identifier = "Name"
	column_name = "OSType"
	}
	}
	entity_mapping {
	entity_type = "Account"
	field_mapping {
	identifier = "Name"
	column_name = "Computer"
	}
	}
	entity_mapping {
	entity_type = "Account"
	field_mapping {
	identifier = "Name"
	column_name = "Category"
	}
	}
	entity_mapping {
	entity_type = "Account"
	field_mapping {
	identifier = "Name"
	column_name = "OSType"
	}
	}

[stephybun]

Although the error message provided by the API is descriptive and it seems like it makes sense to hand off the validation to the API, I think we should actually keep the MaxItems validation in the schema here because there's value in informing the user earlier of any config issues at plan time, instead of at apply time. WDYT?

[ziyeqf]

agree!

[stephybun]

There are also new test failures:

------- Stdout: -------
=== RUN   TestAccSentinelAlertRuleAnomalyDataSource_basicWithMultiSelect
=== PAUSE TestAccSentinelAlertRuleAnomalyDataSource_basicWithMultiSelect
=== CONT  TestAccSentinelAlertRuleAnomalyDataSource_basicWithMultiSelect
    testcase.go:173: Step 1/1 error: Error running apply: exit status 1
        Error: reading Sentinel Anomaly Rule (Display Name "Attempted user account bruteforce per logon type") was not found
          with data.azurerm_sentinel_alert_rule_anomaly.test,
          on terraform_plugin_test.tf line 49, in data "azurerm_sentinel_alert_rule_anomaly" "test":
          49: data "azurerm_sentinel_alert_rule_anomaly" "test" {
        reading Sentinel Anomaly Rule (Display Name "Attempted user account
        bruteforce per logon type") was not found
--- FAIL: TestAccSentinelAlertRuleAnomalyDataSource_basicWithMultiSelect (164.09s)
FAIL

------- Stdout: -------
=== RUN   TestAccSentinelAlertRuleAnomalyDataSource_basicWithPrioritized
=== PAUSE TestAccSentinelAlertRuleAnomalyDataSource_basicWithPrioritized
=== CONT  TestAccSentinelAlertRuleAnomalyDataSource_basicWithPrioritized
    testcase.go:173: Step 1/1 error: Error running apply: exit status 1
        Error: reading Sentinel Anomaly Rule (Display Name "Rare privileged process calls on a daily basis") was not found
          with data.azurerm_sentinel_alert_rule_anomaly.test,
          on terraform_plugin_test.tf line 49, in data "azurerm_sentinel_alert_rule_anomaly" "test":
          49: data "azurerm_sentinel_alert_rule_anomaly" "test" {
        reading Sentinel Anomaly Rule (Display Name "Rare privileged process calls on
        a daily basis") was not found
--- FAIL: TestAccSentinelAlertRuleAnomalyDataSource_basicWithPrioritized (181.55s)
FAIL

Also quite a few failures with a quota/capacity error:

------- Stdout: -------
=== RUN   TestAccSentinelAlertRuleNrt_basic
=== PAUSE TestAccSentinelAlertRuleNrt_basic
=== CONT  TestAccSentinelAlertRuleNrt_basic
    testcase.go:173: Step 1/3 error: Error running apply: exit status 1
        Error: creating "Alert Rule (Subscription: \"*******\"\nResource Group Name: \"acctestRG-sentinel-241211091031520920\"\nWorkspace Name: \"acctestLAW-241211091031520920\"\nRule: \"acctest-SentinelAlertRule-NRT-241211091031520920\")": unexpected status 400 (400 Bad Request) with error: BadRequest: Maximum rules count per tenant exceeds the allowed limit 10000. please contact support if this an intentional action.
          with azurerm_sentinel_alert_rule_nrt.test,
          on terraform_plugin_test.tf line 49, in resource "azurerm_sentinel_alert_rule_nrt" "test":
          49: resource "azurerm_sentinel_alert_rule_nrt" "test" {
--- FAIL: TestAccSentinelAlertRuleNrt_basic (177.92s)
FAIL

Is there anything we can do about these? ☝️ maybe run certain tests sequentially instead of in parallel so we don't hit the limit?

[ziyeqf]

For the testing result, I'm suspecting, different tenants/subscriptions have different available rule template...