Attachment RG scope causes terraform error #186

Open
in-1911 opened this issue Sep 6, 2024 · 5 comments

in-1911 commented Sep 6, 2024

Tried to use an RG scope for an attachment.
I set the resource_groups_scope with one resource group name in the array. This was done after the SCC instance with a profile attachment for "AI Security Guardrails 2.0" had been deployed (originally using [] for the RG scope). When trying to update the deployment with the new RG scope, I got an error on apply (plan was successful):

2024/09/06 18:11:48 Terraform apply | Terraform will perform the following actions:
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply |   # module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment will be updated in-place
 2024/09/06 18:11:48 Terraform apply |   ~ resource "ibm_scc_profile_attachment" "scc_profile_attachment" {
 2024/09/06 18:11:48 Terraform apply |         id                    = "42f*****94/7e0*****f13ea/38-****6d"
 2024/09/06 18:11:48 Terraform apply |         name                  = "1 daily full account attachment"
 2024/09/06 18:11:48 Terraform apply |       ~ schedule              = "daily" -> "every_30_days"
 2024/09/06 18:11:48 Terraform apply |       ~ status                = "disabled" -> "enabled"
 2024/09/06 18:11:48 Terraform apply |         # (12 unchanged attributes hidden)
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply |       + scope {
 2024/09/06 18:11:48 Terraform apply |           + environment = "ibm-cloud"
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply |           + properties {
 2024/09/06 18:11:48 Terraform apply |               + name  = "scope_type"
 2024/09/06 18:11:48 Terraform apply |               + value = "account.resource_group"
 2024/09/06 18:11:48 Terraform apply |             }
 2024/09/06 18:11:48 Terraform apply |           + properties {
 2024/09/06 18:11:48 Terraform apply |               + name  = "scope_id"
 2024/09/06 18:11:48 Terraform apply |               + value = "06****6f1"
 2024/09/06 18:11:48 Terraform apply |             }
 2024/09/06 18:11:48 Terraform apply |         }
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply |         # (31 unchanged blocks hidden)
 2024/09/06 18:11:48 Terraform apply |     }
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply | Plan: 0 to add, 1 to change, 0 to destroy.
......
2024/09/06 18:11:56 Terraform apply | module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment: Modifying... [id=42f*****94/7e0*****f13ea/38-****6d]

Error: ReplaceProfileAttachmentWithContext failed Necessary attachment parameters are not available to create or update attachment.

So I tried to change the RG scope back to [] but then somehow the schematics state got the module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment resource stuck with a non-empty value that it cannot refresh and I cannot even undeploy the config:

2024/09/06 21:16:31 Terraform refresh | module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment: Refreshing state... [id=42f*****94/7e0*****f13ea/38-****6d]
 2024/09/06 21:16:33 Terraform refresh | Error: Error setting scope: scope.0.properties.2.value: '' expected type 'string', got unconvertible type '[]interface {}', value: '[]'
 2024/09/06 21:16:33 Terraform refresh | 
 2024/09/06 21:16:33 Terraform refresh |   with module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment,
 2024/09/06 21:16:33 Terraform refresh |   on .terraform/modules/create_profile_attachment/modules/attachment/main.tf line 64, in resource "ibm_scc_profile_attachment" "scc_profile_attachment":

in-1911 commented Sep 11, 2024

A variation of this problem also happens in the following scenario:

  • Deploy the DA with a profile attachment (e.g. ["AI Security Guardrails 2.0"]) with default value for RG scope (i.e. [])
  • Once SCC is deployed, go to SCC instance and modify the scope on the created attachment by adding some RG exclusions (I have more than 3, the number may need to be sufficiently large to trigger the error), but keep the main scope as "account".
  • Try to undeploy the DA - it fails on resource refresh

I get an error indicating that there is an issue in the provider itself when it tries to read/map the scope parameters and gets the new values from the RG exclusion entries:

2024/09/11 18:32:31 Terraform refresh | Error: Error setting scope: scope.0.properties.2.value: '' 
expected type 'string', got unconvertible type '[]interface {}', value: 
'[map[scope_id:a1***39 scope_type:account.resource_group] 
map[scope_id:5b***09 scope_type:account.resource_group] 
map[scope_id:8e***f3 scope_type:account.resource_group] 
map[scope_id:ea***cc scope_type:account.resource_group] 
map[scope_id:07***f4 scope_type:account.resource_group] 
map[scope_id:5d***51 scope_type:account.resource_group] 
map[scope_id:70***18 scope_type:account.resource_group]]'
 2024/09/11 18:32:31 Terraform refresh | 
 2024/09/11 18:32:31 Terraform refresh |   with module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment,
 2024/09/11 18:32:31 Terraform refresh |   on .terraform/modules/create_profile_attachment/modules/attachment/main.tf line 64, in resource "ibm_scc_profile_attachment" "scc_profile_attachment":
 2024/09/11 18:32:31 Terraform refresh |   64: resource "ibm_scc_profile_attachment" "scc_profile_attachment" {

in-1911 commented Sep 11, 2024

It looks like any change to the attachment in SCC after deployment will cause the scope to get updated with [] as exclusion list and it will make the schematics state effectively invalid because now it cannot be refreshed - that [] value will always cause a read error.

Then the SCC DA cannot be undeployed or its inputs updated, the only way out is to clean up schematics workspace and delete the DA.
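
The failure mode described in the comments above, as an added Go example that is not part of the issue and is not the provider's code: a flattener that requires every scope property value to be a string rejects a list-valued property, while one that JSON-encodes non-string values can still store it. The sample JSON, the `exclusions` property name and the function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample; the "exclusions" name is assumed. Index 2 matches the error.
const sampleScope = `{"environment":"ibm-cloud","properties":[
 {"name":"scope_type","value":"account"},
 {"name":"scope_id","value":"acct-placeholder"},
 {"name":"exclusions","value":[{"scope_id":"rg-placeholder","scope_type":"account.resource_group"}]}]}`

type property struct {
	Name  string      `json:"name"`
	Value interface{} `json:"value"`
}

// parseScope decodes only the properties array of a scope document.
func parseScope(raw string) ([]property, error) {
	var s struct {
		Properties []property `json:"properties"`
	}
	err := json.Unmarshal([]byte(raw), &s)
	return s.Properties, err
}

// flatten maps properties to string-valued entries; strict mode rejects non-strings.
func flatten(props []property, strict bool) ([]map[string]string, error) {
	out := make([]map[string]string, 0, len(props))
	for i, p := range props {
		v, ok := p.Value.(string)
		if !ok {
			if strict {
				return nil, fmt.Errorf("properties.%d.value: expected string, got %T", i, p.Value)
			}
			b, _ := json.Marshal(p.Value) // values decoded from JSON always re-encode
			v = string(b)
		}
		out = append(out, map[string]string{"name": p.Name, "value": v})
	}
	return out, nil
}

func main() {
	props, _ := parseScope(sampleScope)
	_, err := flatten(props, true)
	got, _ := flatten(props, false)
	fmt.Println("strict:", err, "| tolerant:", got[2]["value"])
}
```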

ocofaigh assigned jor2 and unassigned ocofaigh Oct 10, 2024
jor2 commented Oct 10, 2024

in-1911 commented Oct 10, 2024

@jor2 - the case that you submitted above is a different issue. The error you show in the output indicates that you did not supply a parameter that is required, but no default value is in the profile. This is not the same as the scope read error above.

jor2 commented Nov 8, 2024

> @jor2 - the case that you submitted above is a different issue. The error you show in the output indicates that you did not supply a parameter that is required, but no default value is in the profile. This is not the same as the scope read error above.

@in-1911 are you still able to reproduce this error? I wasn't able to.
