terraform-ibm-modules / stack-ibm-core-security-services

Deploy core security and other supporting services to get set up to manage the security compliance of the resources in your account.
Apache License 2.0

TestProjectsExistingResourcesTest test failing due to auth policy clash #92

Closed ocofaigh closed 1 month ago

ocofaigh commented 1 month ago

The TestProjectsExistingResourcesTest test is failing with the error below because the HPCS (`hs-crypto`) authorization policy that the `secrets_manager` module tries to create (`module.secrets_manager[0].ibm_iam_authorization_policy.kms_policy[0]`) already exists in the dev account. The pre-existing policy (id `66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0`, created 2024-07-07) grants every Secrets Manager instance in resource group `292170bc79c94f5e9019e46fb48f245a` the `Reader` service role on the HPCS instance `e6dce284-e80f-46e1-a3c1-830f7adff7a9`; because IAM authorization policies must be unique on subject attributes, resource attributes and roles, the create call is rejected with HTTP 409 `policy_conflict_error`:

2024/07/26 18:34:01 Terraform apply | Error: [ERROR] Error creating authorization policy: The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0), or update the one you're trying to assign to include a different attribute assignment. {
 2024/07/26 18:34:01 Terraform apply |     "StatusCode": 409,
 2024/07/26 18:34:01 Terraform apply |     "Headers": {
 2024/07/26 18:34:01 Terraform apply |         "Akamai-Grn": [
 2024/07/26 18:34:01 Terraform apply |             "0.cec61cb8.1722018840.25947de6"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Cache-Control": [
 2024/07/26 18:34:01 Terraform apply |             "no-cache,no-store"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Content-Length": [
 2024/07/26 18:34:01 Terraform apply |             "1675"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Content-Type": [
 2024/07/26 18:34:01 Terraform apply |             "application/json; charset=utf-8"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Date": [
 2024/07/26 18:34:01 Terraform apply |             "Fri, 26 Jul 2024 18:34:00 GMT"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Expires": [
 2024/07/26 18:34:01 Terraform apply |             "Thursday, 1 January 1970 00:00:00 GMT"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Pragma": [
 2024/07/26 18:34:01 Terraform apply |             "no-cache"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Response-Time": [
 2024/07/26 18:34:01 Terraform apply |             "133.660ms"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Strict-Transport-Security": [
 2024/07/26 18:34:01 Terraform apply |             "max-age=31536000; includeSubDomains"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "Transaction-Id": [
 2024/07/26 18:34:01 Terraform apply |             "8e42e178bfa84e74a9605259bf050667"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "X-Proxy-Upstream-Service-Time": [
 2024/07/26 18:34:01 Terraform apply |             "156"
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "X-Response-Time": [
 2024/07/26 18:34:01 Terraform apply |             "136.069ms"
 2024/07/26 18:34:01 Terraform apply |         ]
 2024/07/26 18:34:01 Terraform apply |     },
 2024/07/26 18:34:01 Terraform apply |     "Result": {
 2024/07/26 18:34:01 Terraform apply |         "errors": [
 2024/07/26 18:34:01 Terraform apply |             {
 2024/07/26 18:34:01 Terraform apply |                 "code": "policy_conflict_error",
 2024/07/26 18:34:01 Terraform apply |                 "details": {
 2024/07/26 18:34:01 Terraform apply |                     "conflicts_with": {
 2024/07/26 18:34:01 Terraform apply |                         "etag": "1-808fcdde86f2c3bf67a353c9f6d080fa",
 2024/07/26 18:34:01 Terraform apply |                         "policy": {
 2024/07/26 18:34:01 Terraform apply |                             "control": {
 2024/07/26 18:34:01 Terraform apply |                                 "grant": {
 2024/07/26 18:34:01 Terraform apply |                                     "roles": [
 2024/07/26 18:34:01 Terraform apply |                                         {
 2024/07/26 18:34:01 Terraform apply |                                             "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"
 2024/07/26 18:34:01 Terraform apply |                                         }
 2024/07/26 18:34:01 Terraform apply |                                     ]
 2024/07/26 18:34:01 Terraform apply |                                 }
 2024/07/26 18:34:01 Terraform apply |                             },
 2024/07/26 18:34:01 Terraform apply |                             "created_at": "2024-07-07T11:29:30.625Z",
 2024/07/26 18:34:01 Terraform apply |                             "created_by_id": "IBMid-666000KAO3",
 2024/07/26 18:34:01 Terraform apply |                             "description": "Allow all Secrets Manager instances in the resource group 292170bc79c94f5e9019e46fb48f245a to read from the hs-crypto instance GUID e6dce284-e80f-46e1-a3c1-830f7adff7a9",
 2024/07/26 18:34:01 Terraform apply |                             "href": "https://iam.cloud.ibm.com/v1/policies/66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0",
 2024/07/26 18:34:01 Terraform apply |                             "id": "66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0",
 2024/07/26 18:34:01 Terraform apply |                             "last_modified_at": "2024-07-07T11:29:30.625Z",
 2024/07/26 18:34:01 Terraform apply |                             "last_modified_by_id": "IBMid-666000KAO3",
 2024/07/26 18:34:01 Terraform apply |                             "resource": {
 2024/07/26 18:34:01 Terraform apply |                                 "attributes": [
 2024/07/26 18:34:01 Terraform apply |                                     {
 2024/07/26 18:34:01 Terraform apply |                                         "key": "serviceName",
 2024/07/26 18:34:01 Terraform apply |                                         "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                         "value": "hs-crypto"
 2024/07/26 18:34:01 Terraform apply |                                     },
 2024/07/26 18:34:01 Terraform apply |                                     {
 2024/07/26 18:34:01 Terraform apply |                                         "key": "accountId",
 2024/07/26 18:34:01 Terraform apply |                                         "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                         "value": "abac0df06b644a9cabc6e44f55b3880e"
 2024/07/26 18:34:01 Terraform apply |                                     },
 2024/07/26 18:34:01 Terraform apply |                                     {
 2024/07/26 18:34:01 Terraform apply |                                         "key": "serviceInstance",
 2024/07/26 18:34:01 Terraform apply |                                         "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                         "value": "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
 2024/07/26 18:34:01 Terraform apply |                                     }
 2024/07/26 18:34:01 Terraform apply |                                 ]
 2024/07/26 18:34:01 Terraform apply |                             },
 2024/07/26 18:34:01 Terraform apply |                             "state": "active",
 2024/07/26 18:34:01 Terraform apply |                             "subject": {
 2024/07/26 18:34:01 Terraform apply |                                 "attributes": [
 2024/07/26 18:34:01 Terraform apply |                                     {
 2024/07/26 18:34:01 Terraform apply |                                         "key": "serviceName",
 2024/07/26 18:34:01 Terraform apply |                                         "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                         "value": "secrets-manager"
 2024/07/26 18:34:01 Terraform apply |                                     },
 2024/07/26 18:34:01 Terraform apply |                                     {
 2024/07/26 18:34:01 Terraform apply |                                         "key": "accountId",
 2024/07/26 18:34:01 Terraform apply |                                         "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                         "value": "abac0df06b644a9cabc6e44f55b3880e"
 2024/07/26 18:34:01 Terraform apply |                                     },
 2024/07/26 18:34:01 Terraform apply |                                     {
 2024/07/26 18:34:01 Terraform apply |                                         "key": "resourceGroupId",
 2024/07/26 18:34:01 Terraform apply |                                         "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                         "value": "292170bc79c94f5e9019e46fb48f245a"
 2024/07/26 18:34:01 Terraform apply |                                     }
 2024/07/26 18:34:01 Terraform apply |                                 ]
 2024/07/26 18:34:01 Terraform apply |                             },
 2024/07/26 18:34:01 Terraform apply |                             "type": "authorization",
 2024/07/26 18:34:01 Terraform apply |                             "version": "v1.0"
 2024/07/26 18:34:01 Terraform apply |                         }
 2024/07/26 18:34:01 Terraform apply |                     }
 2024/07/26 18:34:01 Terraform apply |                 },
 2024/07/26 18:34:01 Terraform apply |                 "message": "The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0), or update the one you're trying to assign to include a different attribute assignment."
 2024/07/26 18:34:01 Terraform apply |             }
 2024/07/26 18:34:01 Terraform apply |         ],
 2024/07/26 18:34:01 Terraform apply |         "status_code": 409,
 2024/07/26 18:34:01 Terraform apply |         "trace": "8e42e178bfa84e74a9605259bf050667"
 2024/07/26 18:34:01 Terraform apply |     },
 2024/07/26 18:34:01 Terraform apply |     "RawResult": null
 2024/07/26 18:34:01 Terraform apply | }
 2024/07/26 18:34:01 Terraform apply | 
 2024/07/26 18:34:01 Terraform apply | 
 2024/07/26 18:34:01 Terraform apply |   with module.secrets_manager[0].ibm_iam_authorization_policy.kms_policy[0],
 2024/07/26 18:34:01 Terraform apply |   on ../../main.tf line 49, in resource "ibm_iam_authorization_policy" "kms_policy":
 2024/07/26 18:34:01 Terraform apply |   49: resource "ibm_iam_authorization_policy" "kms_policy" {
 2024/07/26 18:34:01 Terraform apply | 
 2024/07/26 18:34:01 Terraform apply | ---
 2024/07/26 18:34:01 Terraform apply | id: terraform-caba950c
 2024/07/26 18:34:01 Terraform apply | summary: |
 2024/07/26 18:34:01 Terraform apply |   [ERROR] Error creating authorization policy: The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0), or update the one you're trying to assign to include a different attribute assignment. {
 2024/07/26 18:34:01 Terraform apply |       "StatusCode": 409,
 2024/07/26 18:34:01 Terraform apply |       "Headers": {
 2024/07/26 18:34:01 Terraform apply |           "Akamai-Grn": [
 2024/07/26 18:34:01 Terraform apply |               "0.cec61cb8.1722018840.25947de6"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Cache-Control": [
 2024/07/26 18:34:01 Terraform apply |               "no-cache,no-store"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Content-Length": [
 2024/07/26 18:34:01 Terraform apply |               "1675"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Content-Type": [
 2024/07/26 18:34:01 Terraform apply |               "application/json; charset=utf-8"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Date": [
 2024/07/26 18:34:01 Terraform apply |               "Fri, 26 Jul 2024 18:34:00 GMT"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Expires": [
 2024/07/26 18:34:01 Terraform apply |               "Thursday, 1 January 1970 00:00:00 GMT"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Pragma": [
 2024/07/26 18:34:01 Terraform apply |               "no-cache"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Response-Time": [
 2024/07/26 18:34:01 Terraform apply |               "133.660ms"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Strict-Transport-Security": [
 2024/07/26 18:34:01 Terraform apply |               "max-age=31536000; includeSubDomains"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "Transaction-Id": [
 2024/07/26 18:34:01 Terraform apply |               "8e42e178bfa84e74a9605259bf050667"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "X-Proxy-Upstream-Service-Time": [
 2024/07/26 18:34:01 Terraform apply |               "156"
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "X-Response-Time": [
 2024/07/26 18:34:01 Terraform apply |               "136.069ms"
 2024/07/26 18:34:01 Terraform apply |           ]
 2024/07/26 18:34:01 Terraform apply |       },
 2024/07/26 18:34:01 Terraform apply |       "Result": {
 2024/07/26 18:34:01 Terraform apply |           "errors": [
 2024/07/26 18:34:01 Terraform apply |               {
 2024/07/26 18:34:01 Terraform apply |                   "code": "policy_conflict_error",
 2024/07/26 18:34:01 Terraform apply |                   "details": {
 2024/07/26 18:34:01 Terraform apply |                       "conflicts_with": {
 2024/07/26 18:34:01 Terraform apply |                           "etag": "1-808fcdde86f2c3bf67a353c9f6d080fa",
 2024/07/26 18:34:01 Terraform apply |                           "policy": {
 2024/07/26 18:34:01 Terraform apply |                               "control": {
 2024/07/26 18:34:01 Terraform apply |                                   "grant": {
 2024/07/26 18:34:01 Terraform apply |                                       "roles": [
 2024/07/26 18:34:01 Terraform apply |                                           {
 2024/07/26 18:34:01 Terraform apply |                                               "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader"
 2024/07/26 18:34:01 Terraform apply |                                           }
 2024/07/26 18:34:01 Terraform apply |                                       ]
 2024/07/26 18:34:01 Terraform apply |                                   }
 2024/07/26 18:34:01 Terraform apply |                               },
 2024/07/26 18:34:01 Terraform apply |                               "created_at": "2024-07-07T11:29:30.625Z",
 2024/07/26 18:34:01 Terraform apply |                               "created_by_id": "IBMid-666000KAO3",
 2024/07/26 18:34:01 Terraform apply |                               "description": "Allow all Secrets Manager instances in the resource group 292170bc79c94f5e9019e46fb48f245a to read from the hs-crypto instance GUID e6dce284-e80f-46e1-a3c1-830f7adff7a9",
 2024/07/26 18:34:01 Terraform apply |                               "href": "https://iam.cloud.ibm.com/v1/policies/66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0",
 2024/07/26 18:34:01 Terraform apply |                               "id": "66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0",
 2024/07/26 18:34:01 Terraform apply |                               "last_modified_at": "2024-07-07T11:29:30.625Z",
 2024/07/26 18:34:01 Terraform apply |                               "last_modified_by_id": "IBMid-666000KAO3",
 2024/07/26 18:34:01 Terraform apply |                               "resource": {
 2024/07/26 18:34:01 Terraform apply |                                   "attributes": [
 2024/07/26 18:34:01 Terraform apply |                                       {
 2024/07/26 18:34:01 Terraform apply |                                           "key": "serviceName",
 2024/07/26 18:34:01 Terraform apply |                                           "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                           "value": "hs-crypto"
 2024/07/26 18:34:01 Terraform apply |                                       },
 2024/07/26 18:34:01 Terraform apply |                                       {
 2024/07/26 18:34:01 Terraform apply |                                           "key": "accountId",
 2024/07/26 18:34:01 Terraform apply |                                           "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                           "value": "abac0df06b644a9cabc6e44f55b3880e"
 2024/07/26 18:34:01 Terraform apply |                                       },
 2024/07/26 18:34:01 Terraform apply |                                       {
 2024/07/26 18:34:01 Terraform apply |                                           "key": "serviceInstance",
 2024/07/26 18:34:01 Terraform apply |                                           "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                           "value": "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
 2024/07/26 18:34:01 Terraform apply |                                       }
 2024/07/26 18:34:01 Terraform apply |                                   ]
 2024/07/26 18:34:01 Terraform apply |                               },
 2024/07/26 18:34:01 Terraform apply |                               "state": "active",
 2024/07/26 18:34:01 Terraform apply |                               "subject": {
 2024/07/26 18:34:01 Terraform apply |                                   "attributes": [
 2024/07/26 18:34:01 Terraform apply |                                       {
 2024/07/26 18:34:01 Terraform apply |                                           "key": "serviceName",
 2024/07/26 18:34:01 Terraform apply |                                           "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                           "value": "secrets-manager"
 2024/07/26 18:34:01 Terraform apply |                                       },
 2024/07/26 18:34:01 Terraform apply |                                       {
 2024/07/26 18:34:01 Terraform apply |                                           "key": "accountId",
 2024/07/26 18:34:01 Terraform apply |                                           "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                           "value": "abac0df06b644a9cabc6e44f55b3880e"
 2024/07/26 18:34:01 Terraform apply |                                       },
 2024/07/26 18:34:01 Terraform apply |                                       {
 2024/07/26 18:34:01 Terraform apply |                                           "key": "resourceGroupId",
 2024/07/26 18:34:01 Terraform apply |                                           "operator": "stringEquals",
 2024/07/26 18:34:01 Terraform apply |                                           "value": "292170bc79c94f5e9019e46fb48f245a"
 2024/07/26 18:34:01 Terraform apply |                                       }
 2024/07/26 18:34:01 Terraform apply |                                   ]
 2024/07/26 18:34:01 Terraform apply |                               },
 2024/07/26 18:34:01 Terraform apply |                               "type": "authorization",
 2024/07/26 18:34:01 Terraform apply |                               "version": "v1.0"
 2024/07/26 18:34:01 Terraform apply |                           }
 2024/07/26 18:34:01 Terraform apply |                       }
 2024/07/26 18:34:01 Terraform apply |                   },
 2024/07/26 18:34:01 Terraform apply |                   "message": "The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (66d6dfae-d8ad-4c7c-95e4-11f86a0df0a0), or update the one you're trying to assign to include a different attribute assignment."
 2024/07/26 18:34:01 Terraform apply |               }
 2024/07/26 18:34:01 Terraform apply |           ],
 2024/07/26 18:34:01 Terraform apply |           "status_code": 409,
 2024/07/26 18:34:01 Terraform apply |           "trace": "8e42e178bfa84e74a9605259bf050667"
 2024/07/26 18:34:01 Terraform apply |       },
 2024/07/26 18:34:01 Terraform apply |       "RawResult": null
 2024/07/26 18:34:01 Terraform apply |   }
 2024/07/26 18:34:01 Terraform apply | severity: error
 2024/07/26 18:34:01 Terraform apply | resource: ibm_iam_authorization_policy
 2024/07/26 18:34:01 Terraform apply | operation: create
 2024/07/26 18:34:01 Terraform apply | component:
 2024/07/26 18:34:01 Terraform apply |   name: github.com/IBM-Cloud/terraform-provider-ibm
 2024/07/26 18:34:01 Terraform apply |   version: 1.67.1
 2024/07/26 18:34:01 Terraform apply | ---
ocofaigh commented 1 month ago

Once the TestProjectsExistingResourcesTest test is changed to pass in an existing Secrets Manager instance, this clash should no longer occur, since the conflicting `kms_policy` resource is created by the `secrets_manager` module. However, that depends on the following PR being merged first: https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/pull/162

ocofaigh commented 1 month ago

This should be resolved by https://github.com/terraform-ibm-modules/stack-ibm-core-security-services/pull/101