chore: CPS-6447 update visionone_crm_profile 'exceptions' handling (#109) (#51)

junedutrend · web-flow · commit 26474df7ddbd · 2026-03-24T10:09:55.000+11:00
diff --git a/internal/trendmicro/cloud_risk_management/utils/profile_converters_from_dto.go b/internal/trendmicro/cloud_risk_management/utils/profile_converters_from_dto.go
@@ -23,18 +23,10 @@ const (
 )
 
 // UpdatePlanFromProfile updates the Terraform plan/state model with data from the API response.
-// It preserves original plan values where the API doesn't return certain fields (like exceptions)
-// and maintains consistency between the user's configuration and the actual state.
 func UpdatePlanFromProfile(plan *ProfileResourceModel, profile *cloud_risk_management_dto.Profile) {
-	// Create a map of original plan's scan rules by ID for reference
-	originalExceptions := make(map[string]*RuleExceptionsModel)
 	// Create a map of original extra_settings by rule ID -> setting name
 	originalExtraSettings := make(map[string]map[string]*ExtraSettingModel)
 	for _, rule := range plan.ScanRules {
-		// Preserve exceptions to maintain user's config structure (even if empty)
-		if rule.Exceptions != nil {
-			originalExceptions[rule.ID.ValueString()] = rule.Exceptions
-		}
 		if len(rule.ExtraSettings) > 0 {
 			ruleID := rule.ID.ValueString()
 			originalExtraSettings[ruleID] = make(map[string]*ExtraSettingModel)
@@ -60,34 +52,39 @@ func UpdatePlanFromProfile(plan *ProfileResourceModel, profile *cloud_risk_manag
 				RiskLevel: types.StringValue(rule.RiskLevel),
 			}
 
-			// Convert exceptions: start with user's original (preserves nil vs empty), then override with API values
-			if originalExc := originalExceptions[rule.ID]; originalExc != nil {
-				plan.ScanRules[i].Exceptions = &RuleExceptionsModel{
-					FilterTags:  originalExc.FilterTags,
-					ResourceIds: originalExc.ResourceIds,
-				}
-			}
-			if rule.Exceptions != nil {
-				if plan.ScanRules[i].Exceptions == nil {
-					plan.ScanRules[i].Exceptions = &RuleExceptionsModel{}
-				}
+		// Convert exceptions directly from API response
+		if rule.Exceptions != nil {
+			plan.ScanRules[i].Exceptions = &RuleExceptionsModel{}
 
+			// Only set FilterTags if the API returned it (even if empty)
+			// nil means the field was not sent/returned, [] means it was sent as empty
+			if rule.Exceptions.FilterTags != nil {
 				if len(rule.Exceptions.FilterTags) > 0 {
 					filterTags := make([]types.String, len(rule.Exceptions.FilterTags))
 					for j, ft := range rule.Exceptions.FilterTags {
 						filterTags[j] = types.StringValue(ft)
 					}
 					plan.ScanRules[i].Exceptions.FilterTags = filterTags
+				} else {
+					// Empty array was explicitly sent/returned
+					plan.ScanRules[i].Exceptions.FilterTags = []types.String{}
 				}
+			}
 
+			// Only set ResourceIds if the API returned it (even if empty)
+			if rule.Exceptions.ResourceIds != nil {
 				if len(rule.Exceptions.ResourceIds) > 0 {
 					resourceIds := make([]types.String, len(rule.Exceptions.ResourceIds))
 					for j, rid := range rule.Exceptions.ResourceIds {
 						resourceIds[j] = types.StringValue(rid)
 					}
 					plan.ScanRules[i].Exceptions.ResourceIds = resourceIds
+				} else {
+					// Empty array was explicitly sent/returned
+					plan.ScanRules[i].Exceptions.ResourceIds = []types.String{}
 				}
 			}
+		}
 
 			// Convert extra settings - always convert to match plan structure
 			if len(rule.ExtraSettings) > 0 {
diff --git a/internal/trendmicro/cloud_risk_management/utils/profile_converters_to_dto.go b/internal/trendmicro/cloud_risk_management/utils/profile_converters_to_dto.go
@@ -92,19 +92,21 @@ func ConvertScanRulesToDTO(_ context.Context, rules []ScanRuleModel) ([]cloud_ri
 			RiskLevel: rule.RiskLevel.ValueString(),
 		}
 
-		// Convert exceptions - only create if there are actual values
-		if rule.Exceptions != nil && (len(rule.Exceptions.FilterTags) > 0 || len(rule.Exceptions.ResourceIds) > 0) {
+		// Convert exceptions - send to API if user specified them (even if empty)
+		if rule.Exceptions != nil {
 			result[i].Exceptions = &cloud_risk_management_dto.RuleExceptions{}
 
-			if len(rule.Exceptions.FilterTags) > 0 {
+			// Send FilterTags if it's not nil (user specified it)
+			if rule.Exceptions.FilterTags != nil {
 				filterTags := make([]string, len(rule.Exceptions.FilterTags))
 				for j, ft := range rule.Exceptions.FilterTags {
 					filterTags[j] = ft.ValueString()
 				}
 				result[i].Exceptions.FilterTags = filterTags
 			}
 
-			if len(rule.Exceptions.ResourceIds) > 0 {
+			// Send ResourceIds if it's not nil (user specified it)
+			if rule.Exceptions.ResourceIds != nil {
 				resourceIds := make([]string, len(rule.Exceptions.ResourceIds))
 				for j, rid := range rule.Exceptions.ResourceIds {
 					resourceIds[j] = rid.ValueString()
diff --git a/pkg/dto/cloud_risk_management/profile.go b/pkg/dto/cloud_risk_management/profile.go
@@ -21,8 +21,8 @@ type ScanRule struct {
 
 // RuleExceptions represents exceptions for a scan rule
 type RuleExceptions struct {
-	FilterTags  []string `json:"tags,omitempty"`
-	ResourceIds []string `json:"resourceIds,omitempty"`
+	FilterTags  []string `json:"tags"`
+	ResourceIds []string `json:"resourceIds"`
 }
 
 // RuleExtraSetting represents additional configuration for a scan rule

Original file line number	Diff line number	Diff line change
`@@ -21,8 +21,8 @@ type ScanRule struct {`
`21`	`21`
`22`	`22`	`// RuleExceptions represents exceptions for a scan rule`
`23`	`23`	`type RuleExceptions struct {`
`24`		- FilterTags []string `json:"tags,omitempty"`
`25`		- ResourceIds []string `json:"resourceIds,omitempty"`
	`24`	+ FilterTags []string `json:"tags"`
	`25`	+ ResourceIds []string `json:"resourceIds"`
`26`	`26`	`}`
`27`	`27`
`28`	`28`	`// RuleExtraSetting represents additional configuration for a scan rule`