search

IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0
341 stars 670 forks source link

ibm_resource_group data source failure on Plan submitted by Schematics API #1035

Closed stevestrutt closed 3 years ago

stevestrutt commented 4 years ago

After successful create of ibm_resource_group resource using a ServiceID (via Schematics using CLI or API), rerunning the plan fails on the refresh step with:

 2020/01/27 12:24:26 Terraform plan | Error: Error refreshing state: 1 error occurred:
 2020/01/27 12:24:26 Terraform plan |   * ibm_resource_group.all_rg1: 1 error occurred:
 2020/01/27 12:24:26 Terraform plan |   * ibm_resource_group.all_rg1: ibm_resource_group.all_rg1: Error communicating with the API: Request failed with status code: 403, ServerErrorResponse: {"trace":"57553692886","errors":[{"code":"CAN_NOT_PERFORM_ACTION","message":"No permission","more_info":"n/a"}]}

The ServiceID (Schematics-Dev-Op...) has all permissions for resources and Schematics in the account. It has successfully created the resource using the provider with the ServiceID credentials, but on the next plan the provider has insufficient permissions to read the resource it originally created.

This looks to be an issue with the way that the provider handles IAM permissions for ServiceIDs.

Failure

2020/01/27 12:24:25 -----  Terraform SHOW  -----
 2020/01/27 12:24:25 Starting command: terraform show -no-color
 2020/01/27 12:24:25 Terraform show | ibm_resource_group.all_rg1:
 2020/01/27 12:24:25 Terraform show |   id = ddef1de2ec1e4d6e849abf229c4bf7ad
 2020/01/27 12:24:25 Terraform show |   default = false
 2020/01/27 12:24:25 Terraform show |   name = Default1
 2020/01/27 12:24:25 Terraform show |   state = ACTIVE
 2020/01/27 12:24:25 Terraform show | 
 2020/01/27 12:24:25 Command finished successfully.

 2020/01/27 12:24:25 -----  Terraform PLAN  -----
 2020/01/27 12:24:25 Starting command: terraform plan -input=false -refresh=true -state=terraform.tfstate -var-file=schematics.tfvars -no-color
 2020/01/27 12:24:26 Terraform plan | Refreshing Terraform state in-memory prior to plan...
 2020/01/27 12:24:26 Terraform plan | The refreshed state will be used to calculate this plan, but will not be
 2020/01/27 12:24:26 Terraform plan | persisted to local or remote state storage.
 2020/01/27 12:24:26 Terraform plan | 
 2020/01/27 12:24:26 Terraform plan | ibm_resource_group.all_rg1: Refreshing state... (ID: ddef1de2ec1e4d6e849abf229c4bf7ad)
 2020/01/27 12:24:26 Terraform plan | 
 2020/01/27 12:24:26 Terraform plan | Error: Error refreshing state: 1 error occurred:
 2020/01/27 12:24:26 Terraform plan |   * ibm_resource_group.all_rg1: 1 error occurred:
 2020/01/27 12:24:26 Terraform plan |   * ibm_resource_group.all_rg1: ibm_resource_group.all_rg1: Error communicating with the API: Request failed with status code: 403, ServerErrorResponse: {"trace":"57553692886","errors":[{"code":"CAN_NOT_PERFORM_ACTION","message":"No permission","more_info":"n/a"}]}
 2020/01/27 12:24:26 Terraform plan | 
 2020/01/27 12:24:26 Terraform plan |

HCL 

provider "ibm" {}

resource "ibm_resource_group" "all_rg1" {
  name = "${var.resource_group_name}"
}

variable resource_group_name {
  description = "ID for IBM Cloud Resource Group"
  default     = "Default1"
}

Successful

2020/01/27 12:37:41 -----  Terraform SHOW  -----
 2020/01/27 12:37:41 Starting command: terraform show -no-color
 2020/01/27 12:37:41 Terraform show | ibm_resource_group.all_rg1:
 2020/01/27 12:37:41 Terraform show |   id = ddef1de2ec1e4d6e849abf229c4bf7ad
 2020/01/27 12:37:41 Terraform show |   default = false
 2020/01/27 12:37:41 Terraform show |   name = Default1
 2020/01/27 12:37:41 Terraform show |   state = ACTIVE
 2020/01/27 12:37:41 Terraform show | 
 2020/01/27 12:37:41 Command finished successfully.

 2020/01/27 12:37:41 -----  Terraform PLAN  -----
 2020/01/27 12:37:41 Starting command: terraform plan -input=false -refresh=true -state=terraform.tfstate -var-file=schematics.tfvars -no-color
 2020/01/27 12:37:42 Terraform plan | Refreshing Terraform state in-memory prior to plan...
 2020/01/27 12:37:42 Terraform plan | The refreshed state will be used to calculate this plan, but will not be
 2020/01/27 12:37:42 Terraform plan | persisted to local or remote state storage.
 2020/01/27 12:37:42 Terraform plan | 
 2020/01/27 12:37:42 Terraform plan | ibm_resource_group.all_rg1: Refreshing state... (ID: ddef1de2ec1e4d6e849abf229c4bf7ad)
 2020/01/27 12:37:43 Terraform plan | 
 2020/01/27 12:37:43 Terraform plan | ------------------------------------------------------------------------
 2020/01/27 12:37:43 Terraform plan | 
 2020/01/27 12:37:43 Terraform plan | No changes. Infrastructure is up-to-date.
 2020/01/27 12:37:43 Terraform plan | 
 2020/01/27 12:37:43 Terraform plan | This means that Terraform did not detect any differences between your
 2020/01/27 12:37:43 Terraform plan | configuration and real physical resources that exist. As a result, no
 2020/01/27 12:37:43 Terraform plan | actions need to be performed.
 2020/01/27 12:37:43 Command finished successfully.

Similarly using an ibm_resource_group data source results in an error to retrieve the existing ResourceGroup if the plan is run using a ServiceID. 

2020/01/27 11:40:02 -----  Terraform SHOW  -----
 2020/01/27 11:40:02 Starting command: terraform show -no-color
 2020/01/27 11:40:02 Terraform show | No state.
 2020/01/27 11:40:02 Command finished successfully.

 2020/01/27 11:40:02 -----  Terraform PLAN  -----
 2020/01/27 11:40:02 Starting command: terraform plan -input=false -refresh=true -state=terraform.tfstate -var-file=schematics.tfvars -no-color
 2020/01/27 11:40:03 Terraform plan | Refreshing Terraform state in-memory prior to plan...
 2020/01/27 11:40:03 Terraform plan | The refreshed state will be used to calculate this plan, but will not be
 2020/01/27 11:40:03 Terraform plan | persisted to local or remote state storage.
 2020/01/27 11:40:03 Terraform plan | 
 2020/01/27 11:40:03 Terraform plan | data.ibm_resource_group.all_rg: Refreshing state...
 2020/01/27 11:40:03 Terraform plan | 
 2020/01/27 11:40:03 Terraform plan | Error: Error refreshing state: 1 error occurred:
 2020/01/27 11:40:03 Terraform plan |   * data.ibm_resource_group.all_rg: 1 error occurred:
 2020/01/27 11:40:03 Terraform plan |   * data.ibm_resource_group.all_rg: data.ibm_resource_group.all_rg: Error retrieving resource group Default: ResourceGroupDoesnotExist: Given resource Group : "Default" doesn't exist
 2020/01/27 11:40:03 Terraform plan | 
 2020/01/27 11:40:03 Terraform plan | 
 2020/01/27 11:40:03 Terraform plan | 
 2020/01/27 11:40:03 Terraform plan | 
 2020/01/27 11:40:03 Terraform plan | 
 2020/01/27 11:40:03 Terraform plan | 
 2020/01/27 11:40:03 Terraform PLAN error: Terraform PLAN errorexit status 1

Terraform Version (In Schematics)

0.21

hkantare commented 4 years ago

Can we retry this issue with latest terraform releases we migrated the SDK to v2 version. We tested with serviceID where we defined valid permission.We were not able to reproduce it

hkantare commented 3 years ago

closing the issue