Creating watches in a project - odd behavior (when using TF modules)

[emiledd-nbs]

Describe the bug
We are trying to create watches within a project that have all-repos as the resource. When we run the Terraform, the watch is created and the plan shows that it is adding all the resources and using a filter, however the watch itself has no configuration past the name and description; no resources and inactive (even though we pass through an active flag). If we then make a ghost commit to a comment in the watch creation, the resources are created and the watch is enabled.

We had this running using an input variable and thought that could be causing the issue, so we then hardcoded the module in and still got the same behaviour.

Requirements for and issue

resource "xray_watch" "project_watch" {
    name        = "CICD-Repo-Watch"
    description = "Watch for all repositories"
    active      = true
    project_key = "cicd"
       watch_resource {
       type = "all-repos"
       filter {
         type  = "regex"
         value = ".*"
      }
   }
  assigned_policy {
    name = "Global-Security-Policy"
    type = "security"
  }
}

• Artifactory version EnterpriseX license 7.35.2
• Xray version 3.65.2
• Terraform 1.0.7

Expected behavior
I expect a watch to be created first time with all configuration, and not have to run it a second time with ghost commits to add resources and enable it

Additional context
I have attached a file showing plan and UI
WORKING CODE.docx

[emiledd-nbs]

NB, all the other object (projects repos and policies exist at this point
the module call has dependencies on to enforce it

module "project_watches" {
  source       = "../../modules/xray/watches/project"
  for_each     = var.project_repo_watches != {} ? var.project_repo_watches : {}
  repo_watches = each.value
  depends_on   = [module.project, module.policies]
}

[emiledd-nbs]

Hello, any movement on this?

[danielmkn]

hi @emiledd-nbs! I'm starting to work on this ticket tomorrow.

[danielmkn]

I can confirm that the watch is not active, when it was created using modules. Thats weird, especially when I see that both POST and GET API calls have "active": true at the moment watch is created. Investigating.

[danielmkn]

Looks like I see the problem now - do you have any repositories, created in that particular project at the time you create a watch?
I've noticed, if you create a watch for all-repos in the new project when there are no repos assigned to that project, the watch is created as inactive (or will become inactive after several minutes). At the same time, if you have at least one repository in the project, the watch is created as active and stays active.

In my test, I'm using a fresh Artifactory instance, with no repositories assigned to the CICD project.

This is what I post:

And this is what I get:

If I remove the project attribute from the HCL, the watch is created just fine. Also, if I add one repository to the project, the watch is active.

It's a bug in Xray, I'll submit the issue with the Xray team. Thanks!

[emiledd-nbs]

Yep we do have repos created at the time. The repos exist, we create the project and then assign the repos to the project and create the watch.

We have tried a few ways, different TF applies so that the project is created, and repos assigned in one plan. Then the watch after and it doesnt seem to work

Great thanks :) When the bug is raised can you share so we can track progress

[danielmkn]

Please create a support ticket for this issue and mention Jira XRAY-17161, it's internal, but the support team will link your request to it and it will get more attention.

[emiledd-nbs]

Support ticket with jfrog directly?

[danielmkn]

Yes. Tell them that the watch switches to disabled, if created in the project, and tell them you need this functionality to work with Terraform Provider Artifactory. Also, that I've created the ticket for the Xray team. This way the ticket priority should be higher.
Note: In my testing, all the watches stay active, if the project has at least one repo assigned.

[emiledd-nbs]

Ours stay active if we run the terraform twice with a ghost commit - it just doesnt apply the resources or stay active on the initial run

[bravo2day]

Yes. Tell them that the watch switches to disabled, if created in the project, and tell them you need this functionality to work with Terraform Provider Artifactory. Also, that I've created the ticket for the Xray team. This way the ticket priority should be higher. Note: In my testing, all the watches stay active, if the project has at least one repo assigned.

Any movement here? I experience the same issues and have to say I find the whole "Jfrog customers are asked by Jfrog employees to contact another Jfrog department" thing a bit odd. Am I missing something?

[alexhung]

@emiledd-nbs I wasn't sure from reading previous messages here if you have HCL to create repos for this project at the same time as creating the watch? If so, you can use depends_on to ensure the repo is created first before the watch.