
Fix: Instance ruleset rule handling for OWASP logging #6644

Merged
hkantare merged 1 commit into IBM-Cloud:master from anaghajoshiibm:owasp-bug-fix
Feb 11, 2026

Conversation

@anaghajoshiibm
Contributor

Community Note

  • Please vote on this pull request by adding a 👍 reaction to the original pull request comment to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for pull request followers and do not help prioritize the request

Relates OR Closes #0000

Output from acceptance testing:

$ make testacc TESTARGS='-run=TestAccXXX'

...

@anaghajoshiibm
Contributor Author

PR Summary:

Enhanced OWASP logging in CIS is implemented by Cloudflare as an instance-level ruleset rule, using a managed OWASP ruleset executed with a logging override. Although this behavior is supported via API, Terraform users were unable to reliably automate Enhanced OWASP logging due to incorrect lifecycle handling of instance-level ruleset rules in the Terraform provider.

This resulted in rules being created but not correctly tracked, positioned, or activated, leading to confusion and inconsistent behavior compared to zone-level ruleset rules.

The changes in this PR:

  • Fix incorrect rule position handling during instance rule creation
  • Implement position-aware rule ID resolution (before, after, index)
  • Align instance-level update behavior with zone-level logic
  • Ensure stable rule ID tracking and prevent Terraform state drift

How This Enables Enhanced OWASP Logging:

With the fixes in place, Terraform can now reliably manage instance-level ruleset rules that enable Enhanced OWASP logging using the supported Cloudflare model:

  • action = "execute"
  • OWASP managed ruleset ID
  • overrides.action = "log"
  • Domain scoping via expression

Terraform validation:

main.tf -

```hcl
############################################
# READ INSTANCE (ROOT) RULESET
############################################

data "ibm_cis_ruleset_entrypoint_versions" "instance" {
  cis_id = "crn:v1:staging:public:internet-svcs-ci:global:a/ce12845bf2914ca18db35bedcd9aefa2:5b61007a-db01-446f-a148-c26cd21dedb2::"
  phase  = "http_request_firewall_managed"
}

############################################
# INSTANCE LEVEL – ENHANCED OWASP LOGGING
############################################

resource "ibm_cis_ruleset_rule" "instance_owasp" {
  cis_id     = "crn:v1:staging:public:internet-svcs-ci:global:a/ce12845bf2914ca18db35bedcd9aefa2:5b61007a-db01-446f-a148-c26cd21dedb2::"
  ruleset_id = data.ibm_cis_ruleset_entrypoint_versions.instance.rulesets[0].ruleset_id

  rule {
    action      = "execute"
    description = "Enhanced OWASP Logging"
    enabled     = true

    # Scope the managed OWASP ruleset to one zone on an Enterprise plan.
    expression = "((cf.zone.name eq \"cis.devintro.tech\")) and (cf.zone.plan eq \"ENT\")"

    action_parameters {
      # Managed OWASP ruleset ID
      id = "4814384a9e5d4991b9815dcfc25d2f1f"

      # Log-only override: matches are recorded, not blocked.
      overrides {
        action = "log"
      }
    }
  }

  depends_on = [
    data.ibm_cis_ruleset_entrypoint_versions.instance
  ]
}
```

terraform plan correctly shows instance-level ruleset rule creation - [screenshot]

terraform apply completes successfully - [screenshot]

terraform show - [screenshot]
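The summary above says the fix makes rule ID resolution position-aware (before, after, index) so that the ID written to Terraform state is the rule the user actually configured. As an added illustration of that idea, the Go snippet below is example code written for this page, not the provider's implementation: the `Rule` and `Position` types are stand-ins, and the 1-based `Index` convention is an assumption modelled on the Cloudflare rulesets API. It finds the newly created rule by diffing the ruleset returned before and after the create call, then checks that the rule landed at the requested position, failing loudly rather than guessing, since a wrongly tracked ID is what produces the drift the PR describes.

```go
package main

import (
	"errors"
	"fmt"
)

// Rule is a minimal stand-in for one rule in a ruleset as returned by the
// rulesets API. Hypothetical shape for this example only.
type Rule struct {
	ID string
}

// Position records where the caller asked the new rule to be placed. At most
// one field is set; all zero values mean "append at the end". Index follows
// the Cloudflare convention where 1 is the first rule (assumption here).
type Position struct {
	Before string
	After  string
	Index  int
}

// indexOf returns the 0-based position of id in rules, or -1 if absent.
func indexOf(rules []Rule, id string) int {
	for i, r := range rules {
		if r.ID == id {
			return i
		}
	}
	return -1
}

// newRuleID returns the single rule ID present in after but not in before.
// Anything other than exactly one new ID is an error: picking one at random
// is how state ends up pointing at the wrong rule.
func newRuleID(before, after []Rule) (string, error) {
	seen := make(map[string]bool, len(before))
	for _, r := range before {
		seen[r.ID] = true
	}
	var found []string
	for _, r := range after {
		if !seen[r.ID] {
			found = append(found, r.ID)
		}
	}
	switch len(found) {
	case 1:
		return found[0], nil
	case 0:
		return "", errors.New("updated ruleset contains no new rule")
	default:
		return "", fmt.Errorf("expected exactly one new rule, found %d", len(found))
	}
}

// expectedIndex converts the requested position into the 0-based index the
// new rule must occupy in the updated ruleset.
func expectedIndex(after []Rule, pos Position) (int, error) {
	switch {
	case pos.Before != "":
		ref := indexOf(after, pos.Before)
		if ref < 0 {
			return 0, fmt.Errorf("reference rule %q not found", pos.Before)
		}
		return ref - 1, nil
	case pos.After != "":
		ref := indexOf(after, pos.After)
		if ref < 0 {
			return 0, fmt.Errorf("reference rule %q not found", pos.After)
		}
		return ref + 1, nil
	case pos.Index > 0:
		return pos.Index - 1, nil
	default:
		return len(after) - 1, nil
	}
}

// ResolveNewRuleID identifies the rule created by the last API call and
// verifies it sits where the position argument asked for, so the ID kept in
// state is the one the user configured.
func ResolveNewRuleID(before, after []Rule, pos Position) (string, error) {
	id, err := newRuleID(before, after)
	if err != nil {
		return "", err
	}
	want, err := expectedIndex(after, pos)
	if err != nil {
		return "", err
	}
	if got := indexOf(after, id); got != want {
		return "", fmt.Errorf("rule %s landed at index %d, expected %d", id, got, want)
	}
	return id, nil
}

func main() {
	// Constructed sample: three existing rules, then a logging rule inserted before "r2".
	before := []Rule{{ID: "r1"}, {ID: "r2"}, {ID: "r3"}}
	after := []Rule{{ID: "r1"}, {ID: "owasp-log"}, {ID: "r2"}, {ID: "r3"}}
	id, err := ResolveNewRuleID(before, after, Position{Before: "r2"})
	fmt.Println(id, err) // owasp-log <nil>
}
```

Diffing the full before/after rule lists rather than trusting an index alone also catches the case where the API reorders or rejects the insert, which is the situation a provider has to surface to the user instead of silently recording a stale ID.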

@hkantare hkantare merged commit 37e1ec2 into IBM-Cloud:master Feb 11, 2026
1 check passed