IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

ibm_iam_service_policy - Unable to find a custom Platform management IAM role #4253

Open Canito4 opened 1 year ago

Canito4 commented 1 year ago

Hello,

I have recently encountered a problem when we execute a terraform plan after the creation of a custom Platform management IAM role.

The scenario is as follows. After we create a new custom IBM Platform management IAM role with the IBM Cloud console, Terraform does not seem to find this role. In the output of the terraform plan, it appears as if the role does not exist.

Steps we followed:

  1. We create a new custom IBM Platform management IAM role in IBM Cloud named "Content Writer".
  2. We create a new IBM service policy for Cloud Object Storage to give permissions to a specific bucket. Terraform code for the policy creation (main.tf of the cos policy module):
resource "ibm_iam_service_policy" "policy" {
  for_each       = var.policy
  iam_service_id = each.value.iam_service_id
  roles          = each.value.roles
  description    = "IAM Service Policy"
  resources {
    service              = "cloud-object-storage"
    resource_instance_id = element(split(":", each.value.resource_instance_id), 7)
    attributes           = { "resource" = each.value.attributes }
  }
}
  3. On this apply we can see the new policy that will be added to the cloud infrastructure (which is correct), with the role "Content Writer":
Terraform will perform the following actions:

  # module.cos_policy.ibm_iam_service_policy.policy["policy1"] will be created

  + resource "ibm_iam_service_policy" "policy" {

      + account_management = false
      + description        = "IAM Service Policy"
      + iam_service_id     = "ServiceId-ee4e445b-3df4-46d1-81ff-9fc27a9ae361"
      + id                 = (known after apply)
      + roles              = [
          + "Content Writer",
        ]
      + transaction_id     = (known after apply)
      + resources {
          + attributes           = {
              + "resource" = "ib-eude-cxb-ope-dpcli-outacg-cdp-imagin-bucket01-pro"
            }
          + resource_instance_id = "d0d7f9fc-12bc-4b2b-9ada-3117988bb33a"
          + service              = "cloud-object-storage"
        }
    }
  4. However, in the output of the apply, the following error appears:
Error: RoleDoesnotExist: Content Writer was not found. Valid roles are Writer, Reader, Manager, Content Reader, Object Reader, Object Writer, Viewer, Administrator, Operator, Editor
│
│   with module.cos_policy.ibm_iam_service_policy.policy["policy1"],
│   on .terraform/modules/cos_policy/main.tf line 5, in resource "ibm_iam_service_policy" "policy":
│    5: resource "ibm_iam_service_policy" "policy" {

This is an issue because we need to define custom roles for the different needs that may arise from the technical teams.

Terraform CLI and Terraform IBM Provider Version

Initializing provider plugins...
- Finding hashicorp/null versions matching "3.1.0"...
- Finding ibm-cloud/ibm versions matching "~> 1.0"...
- Finding hashicorp/vault versions matching "~> 2.24.0"...
- Installing hashicorp/null v3.1.0...
- Installed hashicorp/null v3.1.0 (unauthenticated)
- Installing ibm-cloud/ibm v1.46.0...
- Installed ibm-cloud/ibm v1.46.0 (unauthenticated)
- Installing hashicorp/vault v2.24.0...
- Installed hashicorp/vault v2.24.0 (unauthenticated)

Terraform Configuration Files

https://github.com/terraform-ibm-modules/terraform-ibm-iam

Steps to Reproduce

  1. terraform apply

hkantare commented 1 year ago

@Rajesh-Pirati Can you look and provide your updates

Rajesh-Pirati commented 1 year ago

We should be able to use custom roles while creating a policy.

Here is the sample terraform configuration to fetch roles which includes custom roles.

data "ibm_iam_roles" "test" {
  service = "cloud-object-storage"
}

sample output:

{
           description = ""
           name        = "Content Writer"
           type        = "custom"
       },
       {
           description = "Testing terraform"
           name        = "Test"
           type        = "custom"
       },

and pass that name value as roles in the policy creation, as shown below:

resource "ibm_iam_access_group_policy" "ag_policy" {
  access_group_id = "xxxxxxx"
  roles           = ["Content Writer"]

  resources {
    service = "cloud-object-storage"
  }
}

If you still see this, please share the transaction-id so we can debug.
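The data source above lists every role (platform, service and custom) that IAM reports for a given service, so it can also be used to turn the `RoleDoesnotExist` apply-time failure into a plan-time check. The configuration below is an added example written for this thread, not code from the issue or from the provider project: it keeps the `ibm_iam_service_policy` from the original post and adds a `lifecycle.precondition` that fails the plan, naming the offending role and the roles IAM actually knows for `cloud-object-storage`, whenever a role in `var.policy` is not defined for that service in the account Terraform is authenticated to. It assumes Terraform 1.2 or later (for `precondition`) and the same `var.policy` shape as the original module.

```hcl
# Added example, not from the issue. Requires Terraform >= 1.2 for
# lifecycle.precondition; reuses var.policy from the original cos policy module.

data "ibm_iam_roles" "cos" {
  service = "cloud-object-storage"
}

locals {
  # Display names of every role IAM reports for COS in this account:
  # platform roles (Viewer, Administrator, ...), service roles
  # (Reader, Writer, ...) and any custom roles defined for the service.
  cos_role_names = toset(data.ibm_iam_roles.cos.roles[*].name)

  # Custom roles only, handy for reviewing which account-specific roles
  # a policy may reference.
  cos_custom_roles = [
    for r in data.ibm_iam_roles.cos.roles : r.name if r.type == "custom"
  ]
}

resource "ibm_iam_service_policy" "policy" {
  for_each       = var.policy
  iam_service_id = each.value.iam_service_id
  roles          = each.value.roles
  description    = "IAM Service Policy"

  resources {
    service              = "cloud-object-storage"
    # Field 7 of a CRN is the service instance GUID.
    resource_instance_id = element(split(":", each.value.resource_instance_id), 7)
    attributes           = { "resource" = each.value.attributes }
  }

  lifecycle {
    precondition {
      # Every role named in the policy must be one IAM reports for COS;
      # a custom role created for another service, or in another account,
      # will not appear here and fails the plan instead of the apply.
      condition = alltrue([
        for r in each.value.roles : contains(local.cos_role_names, r)
      ])
      error_message = join(" ", [
        "Policy ${each.key} names roles not defined for cloud-object-storage in this account:",
        join(", ", setsubtract(toset(each.value.roles), local.cos_role_names)),
        "Known roles: ${join(", ", sort(local.cos_role_names))}.",
      ])
    }
  }
}

output "cos_custom_roles" {
  description = "Custom roles IAM currently reports for cloud-object-storage"
  value       = local.cos_custom_roles
}
```

Two points worth checking when the precondition fires on a role you did create: custom roles are scoped to one service, so a role defined for a different service will not show up in `data.ibm_iam_roles` for `cloud-object-storage`, and the data source only sees the account the provider's API key belongs to, so a role created in the console under another account is invisible here as well. Policies reference roles by display name (the `name` field in the data source output), not by the role's programmatic identifier.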