Closed in-1911 closed 3 days ago
It probably has to be fixed at the provider level as there is no name parameter in SCC instance settings resource, but when the integration is created in SCC UI, the source name is set to SCC instance name.
I attempted to deploy the complete example in the terraform-ibm-scc module to check where the source is set to compliance, but it appears to be configured internally. I didn't observe the source being set as compliance during the terraform plan or apply.
The terraform plan showed the following -
scc_instance_details = [
+ {
+ account_id = (known after apply)
+ allow_cleanup = (known after apply)
+ created_at = (known after apply)
+ created_by = (known after apply)
+ crn = (known after apply)
+ dashboard_url = (known after apply)
+ deleted_at = (known after apply)
+ deleted_by = (known after apply)
+ extensions = (known after apply)
+ guid = (known after apply)
+ id = (known after apply)
+ last_operation = (known after apply)
+ location = "us-south"
+ locked = (known after apply)
+ name = "scc-instance"
+ onetime_credentials = (known after apply)
+ parameters = null
+ parameters_json = null
+ plan = "security-compliance-center-standard-plan"
+ plan_history = (known after apply)
+ resource_aliases_url = (known after apply)
+ resource_bindings_url = (known after apply)
+ resource_controller_url = (known after apply)
+ resource_crn = (known after apply)
+ resource_group_crn = (known after apply)
+ resource_group_id = (known after apply)
+ resource_group_name = (known after apply)
+ resource_id = (known after apply)
+ resource_keys_url = (known after apply)
+ resource_name = (known after apply)
+ resource_plan_id = (known after apply)
+ resource_status = (known after apply)
+ restored_at = (known after apply)
+ restored_by = (known after apply)
+ scheduled_reclaim_at = (known after apply)
+ scheduled_reclaim_by = (known after apply)
+ service = "compliance"
+ service_endpoints = (known after apply)
+ state = (known after apply)
+ status = (known after apply)
+ sub_type = (known after apply)
+ tags = (known after apply)
+ target_crn = (known after apply)
+ timeouts = null
+ type = (known after apply)
+ update_at = (known after apply)
+ update_by = (known after apply)
},
]
scc_instance_settings_details = [
+ {
+ event_notifications = [
+ {
+ instance_crn = (known after apply)
+ source_id = (known after apply)
+ updated_on = (known after apply)
},
]
+ id = (known after apply)
+ instance_id = (known after apply)
+ object_storage = [
+ {
+ bucket = "scc-cb"
+ bucket_endpoint = (known after apply)
+ bucket_location = (known after apply)
+ instance_crn = (known after apply)
+ updated_on = (known after apply)
},
]
},
]
It nowhere showed information about source is getting
@iamar7 - you do not see the name set in terraform because the provider does not support it. But when you look at the actual Event Notifications source record you will see the hardcoded name.
That's where I was going, when I checked the source in the EN instance in Cloud UI it has a compliance which seems to be hardcoded from here so I will create a provider issue regarding this.
Raised the provider issue here -> https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5579
This was fixed in https://github.com/IBM-Cloud/terraform-provider-ibm/pull/5818 since the source name is now required when doing EN integration. The fix has already been added to our SCC module and DA
There is a problem with using an existing Event Notifications instance with SCC.
It turns out that when the ibm_scc_instance_settings resource is used, it creates a source in the EN instance with the same name "compliance", so if two SCC instances are provisioned with this module, the second one trying to use EN will fail with the error about "source with the same name already exists".
It probably has to be fixed at the provider level as there is no name parameter in SCC instance settings resource, but when the integration is created in SCC UI, the source name is set to SCC instance name.
The effect of this is that when the DA is used to create a new SCC instance referencing an existing Event Notifications service, any additional project/configuration using the SCC module fails because of the existing source name.
Currently the only workaround is to use separate Event Notifications instances for each SCC instance.
Affected modules
*
Terraform CLI and Terraform provider versions
Terraform output
Debug output
Expected behavior
Actual behavior
Steps to reproduce (including links and screen captures)
terraform apply
Anything else
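A pre-apply check for the collision described in this issue, as an added example that is not part of the original thread or of the module's code: it takes parsed `terraform show -json` plan output from several configurations and reports `ibm_scc_instance_settings` resources that would register the same source name on the same Event Notifications instance. The `source_name` attribute name, the CRN and the resource addresses are assumptions or constructed sample values.

```python
from collections import defaultdict

# Source name the thread reports when the configuration supplies none.
DEFAULT_SOURCE_NAME = "compliance"

def en_sources(plan):
    """Yield (EN instance CRN, source name, address) per SCC settings resource."""
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "ibm_scc_instance_settings":
            continue
        after = (rc.get("change") or {}).get("after") or {}  # null on destroy
        for en in after.get("event_notifications") or []:
            crn = en.get("instance_crn")
            if not crn:  # unknown until apply: nothing to compare yet
                continue
            # "source_name" is an assumed attribute name (not shown on the page).
            name = en.get("source_name") or DEFAULT_SOURCE_NAME
            yield crn, name, rc["address"]

def find_source_name_collisions(plans):
    """Map (EN CRN, source name) -> addresses, for names claimed more than once."""
    claims = defaultdict(list)
    for plan in plans:
        for crn, name, address in en_sources(plan):
            claims[(crn, name)].append(address)
    return {key: addrs for key, addrs in claims.items() if len(addrs) > 1}

def sample_plan(address, crn, source_name=None):
    """Constructed stand-in for one configuration's `terraform show -json` output."""
    en = {"instance_crn": crn}
    if source_name:
        en["source_name"] = source_name
    return {"resource_changes": [{
        "address": address,
        "type": "ibm_scc_instance_settings",
        "change": {"actions": ["create"], "after": {"event_notifications": [en]}},
    }]}

EN_CRN = "crn:constructed-placeholder:event-notifications"  # constructed value
PLAN_A = sample_plan("ibm_scc_instance_settings.project_a", EN_CRN)
PLAN_B = sample_plan("ibm_scc_instance_settings.project_b", EN_CRN)
PLAN_C = sample_plan("ibm_scc_instance_settings.project_c", EN_CRN, "scc-instance-c")

if __name__ == "__main__":
    for (crn, name), addrs in find_source_name_collisions([PLAN_A, PLAN_B, PLAN_C]).items():
        print(f"source {name!r} on {crn} claimed by: {', '.join(addrs)}")
```

Event Notifications instances created in the same plan have an unknown CRN until apply, so only configurations that reference an existing instance can be compared this way.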