IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

ibm_iam_authorization_policy use of the target_resource_instance_id is not working as documented #3348

Open powellquiring opened 2 years ago

powellquiring commented 2 years ago

Terraform CLI and Terraform IBM Provider Version

bug-flowlog-to-cos-iam $ tf version
Terraform v1.0.11
on darwin_amd64
+ provider registry.terraform.io/ibm-cloud/ibm v1.36.0

You can find a full example here: https://github.com/powellquiring/tfbugs/tree/master/bug-flowlog-to-cos-iam

Docs: https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs/resources/iam_authorization_policy

They give an example of using the resource .id, ibm_resource_instance.instance2.id:

resource "ibm_iam_authorization_policy" "policy" {
  source_service_name         = "cloud-object-storage"
  source_resource_instance_id = ibm_resource_instance.instance1.id
  target_service_name         = "kms"
  target_resource_instance_id = ibm_resource_instance.instance2.id
  roles                       = ["Reader"]
}

An attempt to do this with the COS resource does not work. But if the guid is used instead of the id, it succeeds. Not sure if the docs are wrong or if the implementation of the resource is wrong. Using .id should be preferred (right?)

bug-flowlog-to-cos-iam $ cat main.tf
...
resource "ibm_iam_authorization_policy" "is_flowlog_write_to_cos" {
  source_service_name  = "is"
  source_resource_type = "flow-log-collector"
  target_service_name  = "cloud-object-storage"
  target_resource_instance_id = ibm_resource_instance.cos.id
  # target_resource_instance_id = ibm_resource_instance.cos.guid
  roles                = ["Writer"]
}
...
bug-flowlog-to-cos-iam $ tfa
ibm_is_vpc.source: Refreshing state... [id=r006-20fff31a-7f26-49cf-810e-b100284d2602]
ibm_resource_instance.cos: Refreshing state... [id=crn:v1:bluemix:public:cloud-object-storage:global:a/713c783d9a507a53135fe6793c37cc74:de9649a4-8b71-4e3b-aa1c-0b226a80a7ea::]
ibm_iam_authorization_policy.is_flowlog_write_to_cos: Refreshing state... [id=b4352fff-a2ab-4bea-906f-0ee139536611]
ibm_cos_bucket.flowlog: Refreshing state... [id=crn:v1:bluemix:public:cloud-object-storage:global:a/713c783d9a507a53135fe6793c37cc74:de9649a4-8b71-4e3b-aa1c-0b226a80a7ea:bucket:tfbug-flowlog-to-cos-001:meta:rl:us-south:public]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # ibm_is_flow_log.test_flowlog will be created
  + resource "ibm_is_flow_log" "test_flowlog" {
      + active                  = true
      + auto_delete             = (known after apply)
      + created_at              = (known after apply)
      + crn                     = (known after apply)
      + href                    = (known after apply)
      + id                      = (known after apply)
      + lifecycle_state         = (known after apply)
      + name                    = "tfbug-flowlog-to-cos"
      + resource_controller_url = (known after apply)
      + resource_crn            = (known after apply)
      + resource_group          = (known after apply)
      + resource_group_name     = (known after apply)
      + resource_name           = (known after apply)
      + resource_status         = (known after apply)
      + storage_bucket          = "tfbug-flowlog-to-cos-001"
      + tags                    = (known after apply)
      + target                  = "r006-20fff31a-7f26-49cf-810e-b100284d2602"
      + vpc                     = (known after apply)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
ibm_is_flow_log.test_flowlog: Creating...
╷
│ Error: Create Flow Log Collector err Your Cloud Object Storage (COS) bucket is missing the Identity Authorization Management (IAM) authorization to allow the flow logs service to write flow logs to your bucket. (Error response code returned from COS Config call: 403)
│ {
│     "StatusCode": 400,
│     "Headers": {
│         "Cache-Control": [
│             "max-age=0, no-cache, no-store, must-revalidate"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "6b0a5a489bae60f5-SEA"
│         ],
│         "Content-Length": [
│             "520"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Fri, 19 Nov 2021 15:08:15 GMT"
│         ],
│         "Expect-Ct": [
│             "max-age=604800, report-uri=\"https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct\""
│         ],
│         "Expires": [
│             "-1"
│         ],
│         "Pragma": [
│             "no-cache"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Vary": [
│             "Accept-Encoding"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Request-Id": [
│             "f44452e1-5649-408e-ac55-7aa902078d72"
│         ],
│         "X-Xss-Protection": [
│             "1; mode=block"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "service_error",
│                 "message": "Your Cloud Object Storage (COS) bucket is missing the Identity Authorization Management (IAM) authorization to allow the flow logs service to write flow logs to your bucket. (Error response code returned from COS Config call: 403)",
│                 "more_info": "https://cloud.ibm.com/docs/vpc?topic=vpc-ordering-flow-log-collector#fl-before-you-begin",
│                 "target": {
│                     "name": "storage_bucket.name",
│                     "type": "field",
│                     "value": "tfbug-flowlog-to-cos-001"
│                 }
│             }
│         ],
│         "trace": "f44452e1-5649-408e-ac55-7aa902078d72"
│     },
│     "RawResult": null
│ }
│
│
│   with ibm_is_flow_log.test_flowlog,
│   on main.tf line 46, in resource "ibm_is_flow_log" "test_flowlog":
│   46: resource ibm_is_flow_log test_flowlog {
│

If the guid is used instead of the id the authorization policy is created and successfully authorizes the flow log to be created.

bug-flowlog-to-cos-iam $ cat main.tf
...
resource "ibm_iam_authorization_policy" "is_flowlog_write_to_cos" {
  source_service_name  = "is"
  source_resource_type = "flow-log-collector"
  target_service_name  = "cloud-object-storage"
  # target_resource_instance_id = ibm_resource_instance.cos.id
  target_resource_instance_id = ibm_resource_instance.cos.guid
  roles                = ["Writer"]
}
...
bug-flowlog-to-cos-iam $ tfa
ibm_resource_instance.cos: Refreshing state... [id=crn:v1:bluemix:public:cloud-object-storage:global:a/713c783d9a507a53135fe6793c37cc74:de9649a4-8b71-4e3b-aa1c-0b226a80a7ea::]
ibm_is_vpc.source: Refreshing state... [id=r006-20fff31a-7f26-49cf-810e-b100284d2602]
ibm_iam_authorization_policy.is_flowlog_write_to_cos: Refreshing state... [id=b4352fff-a2ab-4bea-906f-0ee139536611]
ibm_cos_bucket.flowlog: Refreshing state... [id=crn:v1:bluemix:public:cloud-object-storage:global:a/713c783d9a507a53135fe6793c37cc74:de9649a4-8b71-4e3b-aa1c-0b226a80a7ea:bucket:tfbug-flowlog-to-cos-001:meta:rl:us-south:public]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # ibm_iam_authorization_policy.is_flowlog_write_to_cos must be replaced
-/+ resource "ibm_iam_authorization_policy" "is_flowlog_write_to_cos" {
      ~ id                          = "b4352fff-a2ab-4bea-906f-0ee139536611" -> (known after apply)
      ~ source_service_account      = "713c783d9a507a53135fe6793c37cc74" -> (known after apply)
      ~ target_resource_instance_id = "crn:v1:bluemix:public:cloud-object-storage:global:a/713c783d9a507a53135fe6793c37cc74:de9649a4-8b71-4e3b-aa1c-0b226a80a7ea::" -> "de9649a4-8b71-4e3b-aa1c-0b226a80a7ea" # forces replacement
      + version                     = (known after apply)
        # (4 unchanged attributes hidden)
    }

  # ibm_is_flow_log.test_flowlog will be created
  + resource "ibm_is_flow_log" "test_flowlog" {
      + active                  = true
      + auto_delete             = (known after apply)
      + created_at              = (known after apply)
      + crn                     = (known after apply)
      + href                    = (known after apply)
      + id                      = (known after apply)
      + lifecycle_state         = (known after apply)
      + name                    = "tfbug-flowlog-to-cos"
      + resource_controller_url = (known after apply)
      + resource_crn            = (known after apply)
      + resource_group          = (known after apply)
      + resource_group_name     = (known after apply)
      + resource_name           = (known after apply)
      + resource_status         = (known after apply)
      + storage_bucket          = "tfbug-flowlog-to-cos-001"
      + tags                    = (known after apply)
      + target                  = "r006-20fff31a-7f26-49cf-810e-b100284d2602"
      + vpc                     = (known after apply)
    }

Plan: 2 to add, 0 to change, 1 to destroy.
ibm_iam_authorization_policy.is_flowlog_write_to_cos: Destroying... [id=b4352fff-a2ab-4bea-906f-0ee139536611]
ibm_is_flow_log.test_flowlog: Creating...
ibm_iam_authorization_policy.is_flowlog_write_to_cos: Destruction complete after 0s
ibm_iam_authorization_policy.is_flowlog_write_to_cos: Creating...
ibm_iam_authorization_policy.is_flowlog_write_to_cos: Creation complete after 1s [id=447e4d14-82a0-4dfc-a0a6-c50c7eb24822]
ibm_is_flow_log.test_flowlog: Creation complete after 3s [id=r006-66fe5a6d-5af7-4f7c-970b-05c826865dee]

Apply complete! Resources: 2 added, 0 changed, 1 destroyed.
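The plan above shows the root of the mismatch: `.id` on a COS instance is the full CRN (`crn:v1:bluemix:public:cloud-object-storage:global:a/...:de9649a4-...::`), while the COS authorization backend wants only the service-instance GUID that `.guid` returns. The following added example, which is not part of the issue or the provider's code, parses a CRN into its ten colon-separated fields and normalises either form into the GUID that `target_resource_instance_id` accepts, so the mistake can be caught before `terraform apply` instead of surfacing as the 403 during flow-log creation. The GUID pattern and the ten-field CRN layout are assumptions made here.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// GUID as it appears in ibm_resource_instance.<name>.guid (assumed 8-4-4-4-12 hex form).
var guidRe = regexp.MustCompile(`^[0-9a-fA-F]{8}(-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}$`)

// CRN holds the ten colon-separated fields of an IBM Cloud CRN:
// crn:version:cname:ctype:service-name:location:scope:service-instance:resource-type:resource
type CRN struct {
	Version, CName, CType, ServiceName, Location, Scope, ServiceInstance, ResourceType, Resource string
}

// ParseCRN splits a CRN. The final resource field may itself contain colons
// (the bucket CRN in the issue does), so only the first nine separators split.
func ParseCRN(s string) (CRN, error) {
	p := strings.SplitN(s, ":", 10)
	if len(p) != 10 || p[0] != "crn" {
		return CRN{}, fmt.Errorf("not a CRN: %q", s)
	}
	return CRN{p[1], p[2], p[3], p[4], p[5], p[6], p[7], p[8], p[9]}, nil
}

// TargetInstanceID returns the value to put in target_resource_instance_id:
// a bare GUID is passed through, a CRN (what .id returns) is reduced to its
// service-instance GUID, and anything else is rejected before terraform apply.
func TargetInstanceID(v string) (string, error) {
	if guidRe.MatchString(v) {
		return v, nil
	}
	c, err := ParseCRN(v)
	if err != nil {
		return "", fmt.Errorf("target_resource_instance_id must be a GUID or CRN: %w", err)
	}
	if !guidRe.MatchString(c.ServiceInstance) {
		return "", fmt.Errorf("CRN %q carries no service-instance GUID", v)
	}
	return c.ServiceInstance, nil
}

func main() {
	// COS instance CRN copied from the issue's terraform output.
	id := "crn:v1:bluemix:public:cloud-object-storage:global:a/713c783d9a507a53135fe6793c37cc74:de9649a4-8b71-4e3b-aa1c-0b226a80a7ea::"
	guid, err := TargetInstanceID(id)
	fmt.Println(guid, err) // de9649a4-8b71-4e3b-aa1c-0b226a80a7ea <nil>
}
```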
kavya498 commented 2 years ago

@powellquiring, it depends on how the respective services have defined the authorization policy in their back-end. This should be the same with the CLI as well.

I think we can't do much here as it is expected API behavior. Maybe the respective service APIs should maintain consistency across the cloud.

powellquiring commented 2 years ago

I think you are saying it is not possible to use ".id" for the id so ".guid" has to be used instead, right?

The docs need to be updated.

powellquiring commented 2 years ago

@kavya498 - Can the docs be updated:

image