Provider produced inconsistent result after apply on xray_security_policy resources after provider upgrade to 2.11.1 #248

Closed
mymasse opened this issue Sep 20, 2024 · 2 comments · Fixed by #249
mymasse commented Sep 20, 2024

Describe the bug
After a provider upgrade from 2.11.0 to 2.11.1 we started getting an error when applying xray_security_policy resources even if they have not changed.

Terraform configuration:

resource "xray_security_policy" "high_severity_cve" {
  name        = "high-severity-cve"
  description = "This security policy generates a violation for high-severity CVEs with a CVSS score of 7.0-10.0"
  type        = "security"

  rule {
    name     = "high-severity-cve"
    priority = 1

    criteria {
      cvss_range {
        from = 7.0
        to   = 10.0
      }
    }
    actions {
      block_download {
        active = false
      }
    }
  }
}

Terraform apply output

# xray_security_policy.high_severity_cve will be updated in-place
  ~ resource "xray_security_policy" "high_severity_cve" {
      ~ author      = "terraform" -> (known after apply)
      ~ created     = "2024-06-05T12:58:20.859Z" -> (known after apply)
      ~ id          = "high-severity-cve" -> (known after apply)
      ~ modified    = "2024-09-20T17:40:14.042Z" -> (known after apply)
        name        = "high-severity-cve"
        # (2 unchanged attributes hidden)

      - rule {
          - name     = "high-severity-cve" -> null
          - priority = 1 -> null

          - actions {
              - block_release_bundle_distribution  = false -> null
              - block_release_bundle_promotion     = false -> null
              - build_failure_grace_period_in_days = 0 -> null
              - create_ticket_enabled              = false -> null
              - fail_build                         = false -> null
              - notify_deployer                    = false -> null
              - notify_watch_recipients            = false -> null

              - block_download {
                  - active    = false -> null
                  - unscanned = false -> null
                }
            }

          - criteria {
              - applicable_cves_only  = false -> null
              - fix_version_dependant = false -> null
              - malicious_package     = false -> null

              - cvss_range {
                  - from = 7 -> null
                  - to   = 10 -> null
                }
            }
        }
      + rule {
          + name     = "high-severity-cve"
          + priority = 1

          + actions {
              + block_release_bundle_distribution = false
              + block_release_bundle_promotion    = false
              + create_ticket_enabled             = false
              + fail_build                        = false
              + notify_deployer                   = false
              + notify_watch_recipients           = false

              + block_download {
                  + active    = false
                  + unscanned = false
                }
            }

          + criteria {
              + applicable_cves_only  = false
              + fix_version_dependant = false
              + malicious_package     = false

              + cvss_range {
                  + from = 7
                  + to   = 10
                }
            }
        }
    }

Error:

Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to xray_security_policy.high_severity_cve, provider "provider[\"registry.terraform.io/jfrog/xray\"]" produced an unexpected new value: .rule: planned set
│ element
│ cty.ObjectVal(map[string]cty.Value{"actions":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"block_download":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"active":cty.False,
│ "unscanned":cty.False})}), "block_release_bundle_distribution":cty.False, "block_release_bundle_promotion":cty.False, "build_failure_grace_period_in_days":cty.NullVal(cty.Number),
│ "create_ticket_enabled":cty.False, "fail_build":cty.False, "mails":cty.NullVal(cty.Set(cty.String)), "notify_deployer":cty.False, "notify_watch_recipients":cty.False,
│ "webhooks":cty.NullVal(cty.Set(cty.String))})}), "criteria":cty.SetVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"applicable_cves_only":cty.False,
│ "cvss_range":cty.ListVal([]cty.Value{cty.ObjectVal(map[string]cty.Value{"from":cty.NumberIntVal(7), "to":cty.NumberIntVal(10)})}),
│ "exposures":cty.ListValEmpty(cty.Object(map[string]cty.Type{"applications":cty.Bool, "iac":cty.Bool, "min_severity":cty.String, "secrets":cty.Bool, "services":cty.Bool})),
│ "fix_version_dependant":cty.False, "malicious_package":cty.False, "min_severity":cty.NullVal(cty.String), "package_name":cty.NullVal(cty.String),
│ "package_type":cty.NullVal(cty.String), "package_versions":cty.NullVal(cty.Set(cty.String)), "vulnerability_ids":cty.NullVal(cty.Set(cty.String))})}),
│ "name":cty.StringVal("high-severity-cve"), "priority":cty.NumberIntVal(1)}) does not correlate with any element in actual.
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Requirements for an issue

  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue)
  • Your version of Artifactory and Xray (you can curl Artifactory version at $host/artifactory/api/system/version and Xray version at $host/xray/api/v1/system/version)
    Artifactory: 7.90.10
    Xray: 3.104.11
    
  • Your version of terraform
    Terraform v1.9.5
    on linux_amd64
    + provider registry.terraform.io/hashicorp/aws v5.68.0
    + provider registry.terraform.io/jfrog/artifactory v12.0.0
    + provider registry.terraform.io/jfrog/platform v1.12.0
    + provider registry.terraform.io/jfrog/xray v2.11.1
    

Expected behavior
We expected no changes, since the resource actually didn't change, and definitely don't expect an error when it tries to change the id.

Additional context
N/A

mymasse added the bug label (Something isn't working) Sep 20, 2024
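When a plan replaces a whole `rule` set element like this, comparing the removed and added blocks path by path shows which attributes actually differ between the prior state and the planned value. The Python sketch below is an added example, not part of the original issue or the provider's code; `flatten` and `drift` are hypothetical helper names, and the embedded plan text is a shortened excerpt of the output in the report.

```python
import re

# Shortened excerpt of the plan output quoted in the report (fewer attributes).
PLAN = """\
      - rule {
          - name     = "high-severity-cve" -> null
          - priority = 1 -> null
          - actions {
              - build_failure_grace_period_in_days = 0 -> null
              - fail_build                         = false -> null
              - block_download {
                  - active    = false -> null
                }
            }
        }
      + rule {
          + name     = "high-severity-cve"
          + priority = 1
          + actions {
              + fail_build                        = false
              + block_download {
                  + active    = false
                }
            }
        }
"""

# Optional plan marker (-, + or ~) followed by the rest of the line.
LINE = re.compile(r"^\s*([-+~])?\s*(.*?)\s*$")

def flatten(plan_text):
    """Return two {dotted.path: value} maps: removed ('-') and added ('+')."""
    sides = {"-": {}, "+": {}}
    stack = []  # names of the enclosing blocks
    for raw in plan_text.splitlines():
        sign, body = LINE.match(raw).groups()
        if body.endswith("{"):
            stack.append(body[:-1].strip())
        elif body == "}":
            if stack:
                stack.pop()
        elif sign in sides and "=" in body:
            key, value = body.split("=", 1)
            path = ".".join(stack + [key.strip()])
            sides[sign][path] = value.split(" -> ")[0].strip()
    return sides["-"], sides["+"]

def drift(plan_text):
    """Paths whose value differs between the removed and added blocks."""
    old, new = flatten(plan_text)
    return {p: (old.get(p), new.get(p))
            for p in sorted(old.keys() | new.keys()) if old.get(p) != new.get(p)}
```

On the excerpt, `drift(PLAN)` reports only `rule.actions.build_failure_grace_period_in_days`, which is `0` in the prior state, absent from the planned block, and `cty.NullVal(cty.Number)` in the planned element printed by the error message.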
@alexhung
Member

@mymasse Thanks for the report. I'll add this to our plan to fix.

alexhung added a commit that referenced this issue Sep 23, 2024
Fix inconsistent result/state drift in policy resources
@mymasse
Author

mymasse commented Sep 24, 2024

Thanks for the quick turnaround
