IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Permissions issue with ibm_container_alb_cert #2267

Closed feliperfmarques closed 3 years ago

feliperfmarques commented 3 years ago

Hi there,

I am trying to create an ALB certificate, using certificates stored in my instance of the Certificate Manager, using this terraform code. It is curious that this same code worked perfectly a few days ago:

resource "ibm_certificate_manager_order" "wildcard_certificate" {
  certificate_manager_instance_id = data.ibm_resource_instance.iks_1_us_south_certificate_manager.id
  name                            = "mydomain-wildcard-cert"
  description                     = "Wildcard certificate used for mydomain product."
  domains                         = ["*.mydomain.com.br", "mydomain.com.br"]
  rotate_keys                     = false
  domain_validation_method        = "dns-01"
  key_algorithm                   = "rsaEncryption 4096 bit"
  auto_renew_enabled              = true
  renew_certificate               = false
}

resource "ibm_container_alb_cert" "wildcard_certificate_alb" {
  cert_crn    = ibm_certificate_manager_order.wildcard_certificate.id
  secret_name = "mydomain-wildcard-cert"
  cluster_id  = ibm_container_vpc_cluster.iks_1_us_south.id
  namespace   = kubernetes_namespace.k8s_namespace.metadata.*.name[0]
}

But now, I got this error:

Error: Request failed with status code: 500, ServerErrorResponse: {"incidentID":"6238e6eb735df1f6-GRU","code":"ECSRCGC","description":"Error downloading certificate from the Certificate Manager instance. Try again later.","type":"General"}

In my activity tracker instance, I can see:

Feb 18 12:39:20 cloudcerts crn:v1:bluemix:public:cloudcerts:us-south:a/<mycloudcertinstance>:: ERROR Request 'cloudcerts.certificate.download' failed remotely. Reason is: '{"code":"IAMERR403-01","message":"Forbidden","additionalInfo":{"transactionId":"06e07b42-8406-498b-96b3-dc060971ec71"}}'

Terraform Version

Terraform v0.13.5
+ provider registry.terraform.io/gavinbunney/kubectl v1.9.4
+ provider registry.terraform.io/hashicorp/helm v2.0.1
+ provider registry.terraform.io/hashicorp/kubernetes v1.13.3
+ provider registry.terraform.io/hashicorp/template v2.2.0
+ provider registry.terraform.io/ibm-cloud/ibm v1.19.0

IAM Permissions

For provisioning this Terraform code, I am using a service ID with the following IAM permissions:

resource "ibm_iam_access_group_policy" "iac_dev_policy_1" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles           = ["Editor"]
}

resource "ibm_iam_access_group_policy" "iac_dev_policy_2" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles           = ["Viewer"]
  resources {
    resource_type = "resource-group"
  }
}

resource "ibm_iam_access_group_policy" "iac_dev_policy_3" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles          = ["Administrator"]
  resources {
    service = "is"
    resource_group_id = data.ibm_resource_group.dev.id
  }
}

resource "ibm_iam_access_group_policy" "iac_dev_policy_4" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles          = ["Administrator", "Manager"]
  resources {
    service = "containers-kubernetes"
    resource_group_id = data.ibm_resource_group.dev.id
  }
}

resource "ibm_iam_access_group_policy" "iac_dev_policy_5" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles          = ["Administrator", "Manager"]
  resources {
    service = "kms"
    resource_group_id = data.ibm_resource_group.dev.id
  }
}

resource "ibm_iam_access_group_policy" "iac_dev_policy_6" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles          = ["Manager", "Editor"]
  resources {
    service = "cloudcerts"
    resource_group_id = data.ibm_resource_group.dev.id
  }
}

resource "ibm_iam_access_group_policy" "iac_dev_policy_7" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles          = ["Administrator"]
  resources {
    service = "container-registry"
  }
}

resource "ibm_iam_access_group_policy" "iac_dev_policy_8" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles          = ["Manager"]
  resources {
    service = "logdna"
    resource_group_id = data.ibm_resource_group.admin.id
  }
}

resource "ibm_iam_access_group_policy" "iac_dev_policy_9" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles          = ["Manager"]
  resources {
    service = "sysdig-monitor"
    resource_group_id = data.ibm_resource_group.admin.id
  }
}

IKS Version

1.18.3 and 1.18.15

Expected Behavior

Create ALB certificate successfully

Actual Behavior

Permissions error in ALB certificate create process

Steps to Reproduce

  1. Create a cluster
  2. Create namespace
  3. Use terraform code for provisioning certificate and create certificate in ALB
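Two IAM checks a practitioner would run against the failure reported above, written as an added Terraform example. This is not code from the issue, the provider, or IBM's documentation, and both checks rest on assumptions the thread does not settle: the activity tracker line shows Certificate Manager rejecting `cloudcerts.certificate.download` with IAMERR403-01, but not which identity made the call. The first check reacts to a fact visible in the posted config: `iac_dev_policy_6` grants `cloudcerts` access only inside `data.ibm_resource_group.dev`, so if the Certificate Manager instance lives in another resource group the service ID has no policy on it at all; scoping by instance GUID removes that dependency. The second check assumes the download is performed by the Kubernetes Service on the user's behalf, in which case IAM evaluates a service-to-service authorization rather than the service ID's own policy. The `ibm_iam_access_group.iac_dev`, `ibm_container_vpc_cluster.iks_1_us_south`, and `data.ibm_resource_instance.iks_1_us_south_certificate_manager` references are taken from the issue; the `Manager` role on the authorization is a placeholder to be narrowed once a test shows which service role the download actually needs.

```hcl
# Added example, not part of the issue thread or the provider's docs.
# Assumptions (see lead-in): resource names come from the issue; which
# identity the cloudcerts 403 was raised against is not known from the thread.

terraform {
  required_providers {
    ibm = {
      source  = "ibm-cloud/ibm"
      version = ">= 1.19.0"
    }
  }
}

# Check 1: bind the Terraform service ID's Certificate Manager policy to the
# exact instance rather than to a resource group. iac_dev_policy_6 in the
# issue is scoped to data.ibm_resource_group.dev; a policy scoped that way
# grants nothing on an instance that sits in a different resource group.
# Viewer is the smallest platform role that still lets the data source
# look the instance up; Manager is the service role kept from the issue.
resource "ibm_iam_access_group_policy" "iac_dev_cloudcerts_instance" {
  access_group_id = ibm_iam_access_group.iac_dev.id
  roles           = ["Manager", "Viewer"]
  resources {
    service              = "cloudcerts"
    resource_instance_id = data.ibm_resource_instance.iks_1_us_south_certificate_manager.guid
  }
}

# Check 2 (assumption): if the Kubernetes Service fetches the certificate on
# the user's behalf, IAM checks a service-to-service authorization from
# containers-kubernetes to cloudcerts, independent of the service ID's own
# policies. Both sides are pinned to a single instance so the grant covers
# only this cluster and this Certificate Manager instance. "Manager" is a
# placeholder; replace it with the narrowest cloudcerts service role that a
# test shows still lets the download succeed.
resource "ibm_iam_authorization_policy" "iks_to_cloudcerts" {
  source_service_name         = "containers-kubernetes"
  source_resource_instance_id = ibm_container_vpc_cluster.iks_1_us_south.id
  target_service_name         = "cloudcerts"
  target_resource_instance_id = data.ibm_resource_instance.iks_1_us_south_certificate_manager.guid
  roles                       = ["Manager"]
}

# The ALB certificate from the issue, with an explicit ordering edge so that
# Terraform does not attempt the deploy before the authorization exists.
# Without depends_on there is no reference between the two resources, and a
# fresh apply can race the policy and reproduce the 403 on the first run.
resource "ibm_container_alb_cert" "wildcard_certificate_alb" {
  cert_crn    = ibm_certificate_manager_order.wildcard_certificate.id
  secret_name = "mydomain-wildcard-cert"
  cluster_id  = ibm_container_vpc_cluster.iks_1_us_south.id
  namespace   = kubernetes_namespace.k8s_namespace.metadata.*.name[0]

  depends_on = [ibm_iam_authorization_policy.iks_to_cloudcerts]
}
```

Apply the checks one at a time and re-run the deploy between them; the activity tracker event on `cloudcerts.certificate.download` is the signal to watch, since the Terraform-side 500 with code ECSRCGC only reports that the download failed, not why. If the 403 disappears after the first change alone, the caller was the service ID and the authorization policy can be dropped again.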
hkantare commented 3 years ago

@feliperfmarques We are not able to reproduce the issue; we are able to successfully create an ALB with an imported certificate from a certificate instance:

resource "ibm_container_alb_cert" "cert" {
  cert_crn    = ibm_certificate_manager_import.cert.id
  secret_name = "testmy"
  cluster_id  = "XXXXXX"
  namespace   = kubernetes_namespace.example.metadata.*.name[0]
}

data "ibm_container_cluster_config" "cluster_foo" {
  cluster_name_id = "XXXX"
}

provider "kubernetes" {
  host                   = data.ibm_container_cluster_config.cluster_foo.host
  token                  = data.ibm_container_cluster_config.cluster_foo.token
  cluster_ca_certificate = data.ibm_container_cluster_config.cluster_foo.ca_certificate
}

resource "kubernetes_namespace" "example" {
  metadata {
    name = "terraform-example-namespace"
  }
}

Can you please raise a support ticket on IKS and ask them to investigate further on incident ID "6238e6eb735df1f6-GRU".

hkantare commented 3 years ago

closing the issue...