IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

Error: UpdateSettingsWithContext failed A service-to-service authorization policy is missing between Cloud Object Storage and Security and Compliance Center #5151

Open ocofaigh opened 7 months ago

ocofaigh commented 7 months ago

While trying to use ibm_scc_instance_settings to connect a COS bucket to an SCC instance, the terraform apply failed with the error below, saying there was a missing auth policy between SCC and COS. However, as you can see from the logs (and the code), the auth policy WAS created by terraform. We even added a 30 second sleep after it was created before calling ibm_scc_instance_settings to ensure it existed, yet we still hit the error.

TestRunCompleteExample 2024-02-20T11:22:14Z logger.go:66: module.create_scc_instance.ibm_resource_instance.scc_instance: Creation complete after 16s [id=crn:v1:bluemix:public:compliance:us-south:a/abac0df06b644a9cabc6e44f55b3880e:6d26e0c8-91de-4cb2-92e6-d889c8c454cc::]
TestRunCompleteExample 2024-02-20T11:22:14Z logger.go:66: module.create_scc_instance.ibm_iam_authorization_policy.scc_cos_s2s_access[0]: Creating...
TestRunCompleteExample 2024-02-20T11:22:14Z logger.go:66: module.create_scc_instance.ibm_scc_instance_settings.scc_instance_settings: Creating...
TestRunCompleteExample 2024-02-20T11:22:16Z logger.go:66: module.event_notification.time_sleep.wait_for_authorization_policy: Still creating... [20s elapsed]
TestRunCompleteExample 2024-02-20T11:22:19Z logger.go:66: module.create_scc_instance.ibm_iam_authorization_policy.scc_cos_s2s_access[0]: Creation complete after 4s [id=9e02885f-5a4b-4762-a656-f3d2cf0b75fc]
TestRunCompleteExample 2024-02-20T11:22:26Z logger.go:66: module.event_notification.time_sleep.wait_for_authorization_policy: Still creating... [30s elapsed]
TestRunCompleteExample 2024-02-20T11:22:26Z logger.go:66: module.event_notification.time_sleep.wait_for_authorization_policy: Creation complete after 30s [id=2024-02-20T11:22:26Z]

ERROR:

│ Error: UpdateSettingsWithContext failed A service-to-service authorization policy is missing between Cloud Object Storage and Security and Compliance Center.
│ {
│     "StatusCode": 401,
│     "Headers": {
│         "Cache-Control": [
│             "no-store"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "85865ee0f8d728e2-DFW"
│         ],
│         "Content-Length": [
│             "318"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Tue, 20 Feb 2024 11:22:15 GMT"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "1308baea-3f0d-4d57-9caf-e19191a5836a"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Correlation-Id": [
│             "1308baea-3f0d-4d57-9caf-e19191a5836a"
│         ],
│         "X-Envoy-Upstream-Service-Time": [
│             "538"
│         ],
│         "X-Ratelimit-Limit": [
│             "10"
│         ],
│         "X-Ratelimit-Remaining": [
│             "9"
│         ],
│         "X-Ratelimit-Reset": [
│             "1708428194"
│         ],
│         "X-Request-Id": [
│             "8dfb8e68-9227-4e6e-8cb8-94d68c26a43f"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "Unauthorized",
│                 "message": "A service-to-service authorization policy is missing between Cloud Object Storage and Security and Compliance Center.",
│                 "more_info": "https://cloud.ibm.com/apidocs/security-compliance-admin",
│                 "ref": "ADM22002"
│             }
│         ],
│         "status_code": 401,
│         "trace": "1308baea-3f0d-4d57-9caf-e19191a5836a"
│     },
│     "RawResult": null
│ }
│ 
│ 
│   with module.create_scc_instance.ibm_scc_instance_settings.scc_instance_settings,
│   on ../../main.tf line 42, in resource "ibm_scc_instance_settings" "scc_instance_settings":
│   42: resource "ibm_scc_instance_settings" "scc_instance_settings" {
│ 
╵}

Proof that the auth policy got created: [screenshot of the authorization policy in the IBM Cloud console]

Terraform CLI and Terraform IBM Provider Version

IBM provider 1.62.0, Terraform 1.5.7

Affected Resource(s)

Terraform Configuration Files

Run terraform apply on -> https://github.com/terraform-ibm-modules/terraform-ibm-scc/tree/main/examples/complete

Debug Output

terraform-ibm-scc-test-logs-240220-112259.tar.gz

Panic Output

Expected Behavior

No error

Actual Behavior

Error as per above

Steps to Reproduce

  1. terraform apply

Important Factoids

After the issue occurred, I manually went to the instance and was able to attach the COS bucket. This might have worked if I had done a re-apply of the terraform code, but I did not have access to the statefile in order to do that.

References
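One thing worth checking before treating this purely as an IAM propagation problem: in the log above, ibm_scc_instance_settings.scc_instance_settings entered "Creating..." at 11:22:14, the same second the authorization policy started creating, and the policy only completed at 11:22:19; the SCC API's Date header on the 401 is 11:22:15. The 30 second time_sleep visible in the log belongs to module.event_notification, not to module.create_scc_instance, so the page does not show whether the SCC settings resource itself waited for the policy. The configuration below is an added example (not code from the terraform-ibm-scc module or the provider) of the dependency chain a practitioner would want to see: policy, then a sleep that depends on the policy, then the settings resource that depends on the sleep, all in one module. The variable names, the "Writer" role and the exact attribute names of ibm_scc_instance_settings are assumptions; the source service name "compliance" is taken from the SCC instance CRN in the log.

```hcl
# Added example, not the terraform-ibm-scc module's own code.
# Assumptions: var.cos_instance_id / var.cos_instance_crn / var.cos_bucket_name
# are supplied by the caller, and "Writer" is sufficient for SCC to write results
# to the bucket (check the provider docs for the exact role and attribute names).

resource "ibm_iam_authorization_policy" "scc_cos_s2s_access" {
  source_service_name         = "compliance"           # SCC, per the instance CRN above
  source_resource_instance_id = ibm_resource_instance.scc_instance.guid
  target_service_name         = "cloud-object-storage"
  target_resource_instance_id = var.cos_instance_id    # assumed input
  roles                       = ["Writer"]             # assumed role
}

# Explicit wait in the SAME module, and explicitly dependent on the policy.
# Without depends_on, the sleep can start (and finish) before the policy exists,
# which is consistent with the ordering seen in the log above.
resource "time_sleep" "wait_for_scc_cos_policy" {
  depends_on      = [ibm_iam_authorization_policy.scc_cos_s2s_access]
  create_duration = "30s"
}

resource "ibm_scc_instance_settings" "scc_instance_settings" {
  # Settings must not be pushed until the policy has had time to propagate.
  depends_on  = [time_sleep.wait_for_scc_cos_policy]
  instance_id = ibm_resource_instance.scc_instance.guid

  object_storage {
    instance_crn = var.cos_instance_crn   # assumed input
    bucket       = var.cos_bucket_name    # assumed input
  }
}
```

Two caveats on the design: a fixed sleep is a workaround for an eventually consistent IAM, not a guarantee, so the API can still return ADM22002 on a slow propagation; a retry-with-backoff on that specific 401 inside the provider's UpdateSettingsWithContext call would be the durable fix. And because depends_on is what orders the graph, an implicit reference via the sleep's id (rather than depends_on) is also acceptable, but the dependency must sit on the settings resource in this module, not on a sleep in a sibling module.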

ocofaigh commented 7 months ago

@tyao117 FYI I reproduced this again in our weekly tests:

│ Error: UpdateSettingsWithContext failed A service-to-service authorization policy is missing between Cloud Object Storage and Security and Compliance Center.
│ {
│     "StatusCode": 401,
│     "Headers": {
│         "Cache-Control": [
│             "no-store"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "85c0a0c7ea1e346d-DFW"
│         ],
│         "Content-Length": [
│             "318"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Tue, 27 Feb 2024 13:03:28 GMT"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "ed483ca4-9dea-4dc4-9f24-736fd1b90605"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Correlation-Id": [
│             "ed483ca4-9dea-4dc4-9f24-736fd1b90605"
│         ],
│         "X-Envoy-Upstream-Service-Time": [
│             "882"
│         ],
│         "X-Ratelimit-Limit": [
│             "10"
│         ],
│         "X-Ratelimit-Remaining": [
│             "9"
│         ],
│         "X-Ratelimit-Reset": [
│             "1709039068"
│         ],
│         "X-Request-Id": [
│             "7629033a-3c03-48dc-88a0-7f64e65d44a1"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "Unauthorized",
│                 "message": "A service-to-service authorization policy is missing between Cloud Object Storage and Security and Compliance Center.",
│                 "more_info": "https://cloud.ibm.com/apidocs/security-compliance-admin",
│                 "ref": "ADM22002"
│             }
│         ],
│         "status_code": 401,
│         "trace": "ed483ca4-9dea-4dc4-9f24-736fd1b90605"
│     },
│     "RawResult": null
│ }
│ 
│ 
│   with module.create_scc_instance.ibm_scc_instance_settings.scc_instance_settings,
│   on ../../main.tf line 42, in resource "ibm_scc_instance_settings" "scc_instance_settings":
│   42: resource "ibm_scc_instance_settings" "scc_instance_settings" {
│ 
╵}