IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0

SCC / ibm_scc_rule : no support for JSON "value" on required_config and / or #5388

Open nicolascomete opened 1 month ago

nicolascomete commented 1 month ago

Summary

When creating a custom rule resource (ibm_scc_rule.scc_rule_instance), we can't set a JSON value for required_config's value attribute.

Detailed description

When the required_config attribute has an "and" or "or" whose operator value implies a list for the value attribute (e.g. strings_required, ips_in_range, ...), it is not possible to create the custom rule, regardless of the input provided.

Terraform provider version used

v1.65.1

Examples of failing template

resource "ibm_scc_rule" "scc_rule_instance" {
  instance_id = "fb4bc192-e20f-43e4-aee5-71467d08b625"
  description = "Test rule"
  required_config {
    description = "COS Bucket IP"
    and {
      or {
        property = "firewall.allowed_ip"
        operator = "ips_in_range"
        value    = "['10.0.0.0/24']"
      }
    }
  }
  target {
    service_name         = "cloud-object-storage"
    service_display_name = "Cloud Object Storage"
    resource_kind        = "bucket"
  }
  version = "1.0.0"
}

Leads to:

ibm_scc_rule.scc_rule_instance: Creating...
╷
│ Error: CreateRuleWithContext failed Encountered invalid operator value type. Expected []string
│ {
│     "StatusCode": 400,
│     "Headers": {
│         "Cache-Control": [
│             "no-store"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "88862d1118aa9165-FRA"
│         ],
│         "Content-Length": [
│             "170"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Thu, 23 May 2024 15:45:58 GMT"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "79f870ca-a257-4895-b5be-4864520c1847"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Correlation-Id": [
│             "79f870ca-a257-4895-b5be-4864520c1847"
│         ],
│         "X-Envoy-Upstream-Service-Time": [
│             "678"
│         ],
│         "X-Ratelimit-Limit": [
│             "5"
│         ],
│         "X-Ratelimit-Remaining": [
│             "4"
│         ],
│         "X-Ratelimit-Reset": [
│             "1716479159"
│         ],
│         "X-Request-Id": [
│             "e2bdab75-c957-461d-b7cc-e924b3b103f0"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "rule_error",
│                 "message": "Encountered invalid operator value type. Expected []string"
│             }
│         ],
│         "status_code": 400,
│         "trace": "79f870ca-a257-4895-b5be-4864520c1847"
│     },
│     "RawResult": null
│ }
│ 
│ 
│   with ibm_scc_rule.scc_rule_instance,
│   on rule.tf line 1, in resource "ibm_scc_rule" "scc_rule_instance":
│    1: resource "ibm_scc_rule" "scc_rule_instance" {

Note: also fails with the same error for the following:

value = jsonencode(["10.0.0.0/24"])
value = "[\"10.0.0.0/24\"]"

nicolascomete commented 1 month ago

Edit: after looking at the code I found the issue - but no workaround...

The expected format would be:

value    = "[10.0.0.0/24]"

Unfortunately this does not work in my case because the array has only one item. The way it is handled in the code is that the input string ["10.0.0.0/24"] is first trimmed of [ and ], then split on , into an array. Then if the array's length is 1 (which is the case here), the array is not kept and only a string is assumed, leading to the failure.

If I had put:

value    = "[10.0.0.0/24,11.0.0.0/24]"

it would have worked.

There are 3 major flaws with this way of processing:

  1. single-item arrays are considered as strings (wrong type)
  2. what if one of the string items contains a , ?
  3. how are empty arrays processed?
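
The handling described in the comment above can be modelled as follows. This is an added example, not code from the thread or from the provider: parseAsDescribed is reconstructed only from the comment's description, parseJSONValue is a hypothetical alternative that decodes the value as JSON, and the sample values are constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// parseAsDescribed models the handling described in the comment above
// (an assumption based on that description, not the provider's source):
// trim "[" and "]", split on ",", keep a list only if it has more than one item.
func parseAsDescribed(raw string) interface{} {
	parts := strings.Split(strings.Trim(raw, "[]"), ",")
	if len(parts) == 1 {
		return parts[0] // single item (or empty list) collapses to a plain string
	}
	return parts
}

// parseJSONValue (hypothetical helper) tries to decode the value as a JSON
// array of strings, so the type comes from the input itself rather than from
// the item count. Anything that is not such an array stays a plain string.
func parseJSONValue(raw string) interface{} {
	var list []string
	if err := json.Unmarshal([]byte(raw), &list); err == nil && list != nil {
		return list
	}
	return raw
}

func main() {
	// Constructed sample values covering the three cases listed above:
	// a single-item array, an item containing a comma, and an empty array.
	samples := []string{`["10.0.0.0/24"]`, `["a,b","c"]`, `[]`, `10.0.0.0/24`}
	for _, raw := range samples {
		fmt.Printf("%-18s described=%#v json=%#v\n",
			raw, parseAsDescribed(raw), parseJSONValue(raw))
	}
}
```

With JSON decoding, a one-element array stays a list, a comma inside a quoted item does not split it, and an empty array is an empty list rather than an empty string.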

tyao117 commented 1 month ago

Hey @nicolascomete. Some changes in the backend need to be done to support this. Let me bring it up to the team.

nicolascomete commented 1 month ago

Hey @tyao117 @hkantare provider is being used in DMZR project