IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

[ibm_scc_profile_attachment] Error: CreateAttachmentWithContext failed Service Unavailable #5203

Open ocofaigh opened 6 months ago

ocofaigh commented 6 months ago

We are struggling with the ibm_scc_profile_attachment resource. Can you help? We keep getting this:

│ Error: CreateAttachmentWithContext failed Service Unavailable
│ {
│     "StatusCode": 503,
│     "Headers": {
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "8644f1a24c1abaeb-MXP"
│         ],
│         "Content-Length": [
│             "118"
│         ],
│         "Content-Type": [
│             "text/plain"
│         ],
│         "Date": [
│             "Thu, 14 Mar 2024 14:27:23 GMT"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ]
│     },
│     "Result": null,
│     "RawResult": "dXBzdHJlYW0gY29ubmVjdCBlcnJvciBvciBkaXNjb25uZWN0L3Jlc2V0IGJlZm9yZSBoZWFkZXJzLiByZXRyaWVkIGFuZCB0aGUgbGF0ZXN0IHJlc2V0IHJlYXNvbjogY29ubmVjdGlvbiB0ZXJtaW5hdGlvbg=="
│ }

Trying to create like this:

Terraform will perform the following actions:

  # module.create_profile_attachment.ibm_scc_profile_attachment.scc_profile_attachment will be created
  + resource "ibm_scc_profile_attachment" "scc_profile_attachment" {
      + account_id            = (known after apply)
      + attachment_id         = (known after apply)
      + created_by            = (known after apply)
      + created_on            = (known after apply)
      + description           = "profile-attachment-description"
      + id                    = (known after apply)
      + instance_id           = "57b7ac52-e837-484c-aa07-e3c2db815c44"
      + last_scan             = (known after apply)
      + name                  = "conall-scc3-attachment"
      + next_scan_time        = (known after apply)
      + profile_attachment_id = (known after apply)
      + profile_id            = "f54b4962-06c6-46bb-bb04-396d9fa9bd60"
      + schedule              = "every_7_days"
      + status                = "enabled"
      + updated_by            = (known after apply)
      + updated_on            = (known after apply)

      + attachment_parameters {
          + assessment_id          = "rule-f47c1c7d-cead-4f21-aa71-4fe7a307ae9b"
          + assessment_type        = "automated"
          + parameter_display_name = "Minimum number of VPC zones"
          + parameter_name         = "vpc_min_zones"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-0be41446-a0e7-46fb-8cbb-37bf413e0286"
          + assessment_type        = "automated"
          + parameter_display_name = "Minimal number of loadbalancer zones"
          + parameter_name         = "loadbalancer_min_lb_zones"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-064d9004-8728-4988-b19a-1805710466f6"
          + assessment_type        = "automated"
          + parameter_display_name = "Number of IBM Cloud Hyper Protect Crypto Service units"
          + parameter_name         = "hpcs_crypto_units"
          + parameter_type         = "string_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-574143f9-befe-4da1-a15e-af9437ed9ae7"
          + assessment_type        = "automated"
          + parameter_display_name = "Hyper Protect Crypto Services regions"
          + parameter_name         = "fs_cloud_regions"
          + parameter_type         = "string_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-51e15d43-3946-4898-b593-02e16a988d8e"
          + assessment_type        = "automated"
          + parameter_display_name = "Maximum number of days between vulnerability scans"
          + parameter_name         = "scan_interval_max"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-d8d13c3e-5ca0-46c5-a055-2475852c4ec6"
          + assessment_type        = "automated"
          + parameter_display_name = "Enough characters in pre-shared key"
          + parameter_name         = "no_pre_shared_key_characters"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-250c3e07-0d2d-48c6-9de6-cbf5ba0d22ed"
          + assessment_type        = "automated"
          + parameter_display_name = "Mininum number of hours between App ID password changes"
          + parameter_name         = "min_hours_change_password"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-caf5e45d-ccc8-4e35-b124-e1b4c8bcab71"
          + assessment_type        = "automated"
          + parameter_display_name = "Hyper Protect Crypto Services key rotation policy"
          + parameter_name         = "hpcs_rotation_policy"
          + parameter_type         = "string_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-88ff070b-3a8d-4d66-a943-3b2fa28630ea"
          + assessment_type        = "automated"
          + parameter_display_name = "Minimum rotation period of Secrets Manager arbitrary secrets"
          + parameter_name         = "arbitrary_secret_min_rotation_period"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-28e20137-3350-4d51-9abc-4dae8fee9e04"
          + assessment_type        = "automated"
          + parameter_display_name = "Minimum rotation period of Secrets Manager user credentials"
          + parameter_name         = "user_credential_min_rotation_period"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-df5ef7fa-0ded-4f18-9555-02c399227693"
          + assessment_type        = "automated"
          + parameter_display_name = "Lockout duration policy setting in minutes"
          + parameter_name         = "lockout_policy_config_minutes"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-a637949b-7e51-46c4-afd4-b96619001bf1"
          + assessment_type        = "automated"
          + parameter_display_name = "Sign out due to inactivity in seconds"
          + parameter_name         = "session_invalidation_in_seconds"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-a8a69cd6-a902-4144-b652-8be68600a029"
          + assessment_type        = "automated"
          + parameter_display_name = "Diffie-Hellman group number set"
          + parameter_name         = "diffie_hellman_group"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-d42bbc4b-932f-4ffe-9b2b-8d64fe9cf63f"
          + assessment_type        = "automated"
          + parameter_display_name = "IBM Cloud Public Gateway permitted zones"
          + parameter_name         = "public_gateway_permitted_zones"
          + parameter_type         = "string_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-0f7e7e60-a05c-43a7-be74-70615f14a342"
          + assessment_type        = "automated"
          + parameter_display_name = "Security group rule for allowed port numbers to DNS"
          + parameter_name         = "dns_port"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-857646d8-23b8-4495-82a4-295ab399266e"
          + assessment_type        = "automated"
          + parameter_display_name = "At least one VPC created"
          + parameter_name         = "number_of_vpcs"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-8c28c15e-c38f-410a-a883-a5f22a839176"
          + assessment_type        = "automated"
          + parameter_display_name = "Number of transit gateways"
          + parameter_name         = "number_of_transit_gateways"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-c0314fad-f377-465e-9f16-fa5aa3d5ebbe"
          + assessment_type        = "automated"
          + parameter_display_name = "IBM Cloud Network Interfaces count"
          + parameter_name         = "vm_nic_count"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-898ff49d-1979-4b70-9a79-d303c88dea63"
          + assessment_type        = "automated"
          + parameter_display_name = "Exclude interfaces with IP-spoofing from VPC"
          + parameter_name         = "exclude_ip_spoofing_check"
          + parameter_type         = "string_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-28271605-31bb-4efa-b0ef-5f51adc77d90"
          + assessment_type        = "automated"
          + parameter_display_name = "Enter the IP/CIDR list allowed for VPC inbound"
          + parameter_name         = "inbound_allowed_list"
          + parameter_type         = "ip_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-c981bedc-1526-448c-836c-10b0e3a2b812"
          + assessment_type        = "automated"
          + parameter_display_name = "Enter the IP/CIDR list allowed for VPC Outbound"
          + parameter_name         = "outbound_allowed_list"
          + parameter_type         = "ip_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-846058ff-dbf1-4ab6-864f-1be009618759"
          + assessment_type        = "automated"
          + parameter_display_name = "Session expiration in seconds for the account"
          + parameter_name         = "session_expiration_in_seconds"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-91734f9f-b8ff-4bfd-afb3-db4f789ac38f"
          + assessment_type        = "automated"
          + parameter_display_name = "Expiration in minutes of App ID access tokens"
          + parameter_name         = "access_tokens_expiration_minutes"
          + parameter_type         = "numeric"
        }
      + attachment_parameters {
          + assessment_id          = "rule-11425765-ea68-47e7-b4e0-c443ec0cbd19"
          + assessment_type        = "automated"
          + parameter_display_name = "IP allowlist for Event Streams"
          + parameter_name         = "allowed_ip"
          + parameter_type         = "ip_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-e208d1c0-8ede-49f0-b4a3-4da3da738733"
          + assessment_type        = "automated"
          + parameter_display_name = "List of allowed tool integration services for toolchains"
          + parameter_name         = "allowed_tool_integration_services"
          + parameter_type         = "string_list"
        }
      + attachment_parameters {
          + assessment_id          = "rule-c0f15737-b451-44d0-a0b6-649013a155bc"
          + assessment_type        = "automated"
          + parameter_display_name = "Number of Direct Links"
          + parameter_name         = "number_of_direct_links"
          + parameter_type         = "numeric"
        }

      + notifications {
          + enabled = false

          + controls {
              + failed_control_ids = []
              + threshold_limit    = 14
            }
        }

      + scope {
          + environment = "ibm-cloud"

          + properties {
              + name  = "scope_type"
              + value = "account.resource_group"
            }
          + properties {
              + name  = "scope_id"
              + value = "01c9e9ceaac94d169caa2c8add4bcbad"
            }
        }
    }

Terraform CLI and Terraform IBM Provider Version

tf 1.5.7 provider 1.63.0

Debug Output

scc-debug.txt.zip

Steps to Reproduce

  1. terraform apply

ocofaigh commented 6 months ago

The root cause is that the payload was missing the required parameter_value.

We used a data lookup to get the profile parameters:

data "ibm_scc_profile" "scc_profile" {
  instance_id = module.create_scc_instance.guid
  profile_id  = "f54b4962-06c6-46bb-bb04-396d9fa9bd60"
}

And then used this in the ibm_scc_profile_attachment resource block:

dynamic "attachment_parameters" {
  for_each = data.ibm_scc_profile.scc_profile.default_parameters
  content {
    parameter_name         = attachment_parameters.value["parameter_name"]
    parameter_display_name = attachment_parameters.value["parameter_display_name"]
    parameter_type         = attachment_parameters.value["parameter_type"]
    parameter_value        = attachment_parameters.value["parameter_value"]
    assessment_type        = attachment_parameters.value["assessment_type"]
    assessment_id          = attachment_parameters.value["assessment_id"]
  }
}

The issue is that the data lookup is using the string parameter_default_value instead of parameter_value. For example, from data lookup output:

{
  + assessment_id           = "rule-f47c1c7d-cead-4f21-aa71-4fe7a307ae9b"
  + assessment_type         = "automated"
  + parameter_default_value = "3"
  + parameter_display_name  = "Minimum number of VPC zones"
  + parameter_name          = "vpc_min_zones"
  + parameter_type          = "numeric"
}

As a workaround, we have updated our code to pull the parameter_default_value from the data lookup and map it to parameter_value in the attachment_parameters block. However, I think the fix here should be that the data lookup should output `parameter_value` instead of `parameter_default_value` to align with the API. If you agree, please let us know if you plan to make that change, as it would require us to update our module again if changes came in a new provider version.
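The workaround described in the comment above, written out as an added example; this is not the reporter's module code and not the provider's documentation. It reuses the names, IDs and scope that appear in the plan and data-source output on this page, and assumes provider 1.63.0 behaviour as reported (the data source exposes each default as `parameter_default_value`, while the resource requires `parameter_value`). The `parameter_overrides` local is an addition of mine to show how to pin a value explicitly rather than inherit whatever the profile's default happens to be at apply time.

```hcl
# Added example (not the reporter's code). Maps the data source's
# parameter_default_value onto the resource's required parameter_value,
# which is the field the original 503 payload was missing.

locals {
  # Assumed: values you want enforced regardless of the profile default.
  # The report shows the profile default for vpc_min_zones is also "3";
  # pinning it here means a later change to the profile default cannot
  # silently change what this attachment enforces.
  parameter_overrides = {
    vpc_min_zones = "3"
  }
}

data "ibm_scc_profile" "scc_profile" {
  instance_id = module.create_scc_instance.guid
  profile_id  = "f54b4962-06c6-46bb-bb04-396d9fa9bd60"
}

resource "ibm_scc_profile_attachment" "scc_profile_attachment" {
  instance_id = module.create_scc_instance.guid
  profile_id  = data.ibm_scc_profile.scc_profile.profile_id
  name        = "conall-scc3-attachment"
  description = "profile-attachment-description"
  schedule    = "every_7_days"
  status      = "enabled"

  scope {
    environment = "ibm-cloud"
    properties {
      name  = "scope_type"
      value = "account.resource_group"
    }
    properties {
      name  = "scope_id"
      value = "01c9e9ceaac94d169caa2c8add4bcbad"
    }
  }

  notifications {
    enabled = false
    controls {
      failed_control_ids = []
      threshold_limit    = 14
    }
  }

  dynamic "attachment_parameters" {
    for_each = data.ibm_scc_profile.scc_profile.default_parameters
    content {
      assessment_id          = attachment_parameters.value["assessment_id"]
      assessment_type        = attachment_parameters.value["assessment_type"]
      parameter_name         = attachment_parameters.value["parameter_name"]
      parameter_display_name = attachment_parameters.value["parameter_display_name"]
      parameter_type         = attachment_parameters.value["parameter_type"]
      # The API wants parameter_value; the data source (1.63.0) names the
      # same thing parameter_default_value. Use an override if one is
      # defined for this parameter, otherwise fall back to the default.
      parameter_value = lookup(
        local.parameter_overrides,
        attachment_parameters.value["parameter_name"],
        attachment_parameters.value["parameter_default_value"],
      )
    }
  }
}
```

After this change `terraform plan` should show a `parameter_value` line in every `attachment_parameters` block, which is the quickest check that the mapping worked before you apply. If the provider is later changed to expose `parameter_value` directly, as the comment requests, only the key name inside `lookup()` needs to follow. One observation on the original failure: the `RawResult` in the 503 response is base64 and decodes to the 118-byte proxy message "upstream connect error or disconnect/reset before headers. retried and the latest reset reason: connection termination", matching the `Content-Length` header, so the edge returned a generic connection reset rather than a validation error, which is why the missing field was not obvious from the message alone.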