terraform-ibm-modules / terraform-ibm-scc-da

A deployable architecture solution to deploy IBM Security and Compliance related resources
Apache License 2.0

Attachment RG scope causes terraform error #186

Open in-1911 opened 2 months ago

in-1911 commented 2 months ago

Tried to use an RG scope for an attachment. I set the resource_groups_scope with one resource group name in the array. This was done after the SCC instance with a profile attachment for "AI Security Guardrails 2.0" had been deployed (originally using [] for the RG scope). When trying to update the deployment with the new RG scope, I got an error on apply (the plan was successful):

2024/09/06 18:11:48 Terraform apply | Terraform will perform the following actions:
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply |   # module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment will be updated in-place
 2024/09/06 18:11:48 Terraform apply |   ~ resource "ibm_scc_profile_attachment" "scc_profile_attachment" {
 2024/09/06 18:11:48 Terraform apply |         id                    = "42f*****94/7e0*****f13ea/38-****6d"
 2024/09/06 18:11:48 Terraform apply |         name                  = "1 daily full account attachment"
 2024/09/06 18:11:48 Terraform apply |       ~ schedule              = "daily" -> "every_30_days"
 2024/09/06 18:11:48 Terraform apply |       ~ status                = "disabled" -> "enabled"
 2024/09/06 18:11:48 Terraform apply |         # (12 unchanged attributes hidden)
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply |       + scope {
 2024/09/06 18:11:48 Terraform apply |           + environment = "ibm-cloud"
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply |           + properties {
 2024/09/06 18:11:48 Terraform apply |               + name  = "scope_type"
 2024/09/06 18:11:48 Terraform apply |               + value = "account.resource_group"
 2024/09/06 18:11:48 Terraform apply |             }
 2024/09/06 18:11:48 Terraform apply |           + properties {
 2024/09/06 18:11:48 Terraform apply |               + name  = "scope_id"
 2024/09/06 18:11:48 Terraform apply |               + value = "06****6f1"
 2024/09/06 18:11:48 Terraform apply |             }
 2024/09/06 18:11:48 Terraform apply |         }
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply |         # (31 unchanged blocks hidden)
 2024/09/06 18:11:48 Terraform apply |     }
 2024/09/06 18:11:48 Terraform apply | 
 2024/09/06 18:11:48 Terraform apply | Plan: 0 to add, 1 to change, 0 to destroy.
......
2024/09/06 18:11:56 Terraform apply | module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment: Modifying... [id=42f*****94/7e0*****f13ea/38-****6d]

Error: ReplaceProfileAttachmentWithContext failed Necessary attachment parameters are not available to create or update attachment.

So I tried to change the RG scope back to [], but then somehow the schematics state got the module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment resource stuck with a non-empty value that it cannot refresh, and I cannot even undeploy the config:

2024/09/06 21:16:31 Terraform refresh | module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment: Refreshing state... [id=42f*****94/7e0*****f13ea/38-****6d]
 2024/09/06 21:16:33 Terraform refresh | Error: Error setting scope: scope.0.properties.2.value: '' expected type 'string', got unconvertible type '[]interface {}', value: '[]'
 2024/09/06 21:16:33 Terraform refresh | 
 2024/09/06 21:16:33 Terraform refresh |   with module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment,
 2024/09/06 21:16:33 Terraform refresh |   on .terraform/modules/create_profile_attachment/modules/attachment/main.tf line 64, in resource "ibm_scc_profile_attachment" "scc_profile_attachment":

Affected modules

*

Terraform CLI and Terraform provider versions

Terraform output

Debug output

Expected behavior

Actual behavior

Steps to reproduce (including links and screen captures)

  1. Run terraform apply

Anything else



in-1911 commented 1 month ago

A variation of this problem also happens in the following scenario:

I get an error indicating that there is an issue in the provider itself when it tries to read/map the scope parameters and gets the new values from the RG exclusion entries:

2024/09/11 18:32:31 Terraform refresh | Error: Error setting scope: scope.0.properties.2.value: '' 
expected type 'string', got unconvertible type '[]interface {}', value: 
'[map[scope_id:a1***39 scope_type:account.resource_group] 
map[scope_id:5b***09 scope_type:account.resource_group] 
map[scope_id:8e***f3 scope_type:account.resource_group] 
map[scope_id:ea***cc scope_type:account.resource_group] 
map[scope_id:07***f4 scope_type:account.resource_group] 
map[scope_id:5d***51 scope_type:account.resource_group] 
map[scope_id:70***18 scope_type:account.resource_group]]'
 2024/09/11 18:32:31 Terraform refresh | 
 2024/09/11 18:32:31 Terraform refresh |   with module.create_profile_attachment["AI Security Guardrails 2.0"].ibm_scc_profile_attachment.scc_profile_attachment,
 2024/09/11 18:32:31 Terraform refresh |   on .terraform/modules/create_profile_attachment/modules/attachment/main.tf line 64, in resource "ibm_scc_profile_attachment" "scc_profile_attachment":
 2024/09/11 18:32:31 Terraform refresh |   64: resource "ibm_scc_profile_attachment" "scc_profile_attachment" {
in-1911 commented 1 month ago

It looks like any change to the attachment in SCC after deployment will cause the scope to get updated with [] as the exclusion list, and it will make the schematics state effectively invalid because now it cannot be refreshed - that [] value will always cause a read error.

Then the SCC DA cannot be undeployed or its inputs updated; the only way out is to clean up the schematics workspace and delete the DA.
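The refresh error quoted above (`scope.0.properties.2.value ... expected type 'string', got ... '[]'`) means the stuck state can be spotted before a refresh is attempted. The following script is an added example, not code from the terraform-ibm-scc-da project or the IBM provider: it scans a Terraform state file (v4 JSON layout) for `ibm_scc_profile_attachment` instances whose scope property values are not strings. It assumes the state attributes mirror the `scope` / `properties` structure shown in the plan output; the embedded sample state, the attachment and resource group IDs, and the name of the third property (the issue only calls it the exclusion list) are constructed placeholders.

```python
"""Scan a Terraform state file for ibm_scc_profile_attachment scope property
values that are not strings (e.g. the [] that makes 'terraform refresh' fail).

Added example; not part of terraform-ibm-scc-da or terraform-provider-ibm.
"""
import json
import sys

# Constructed sample state (v4 layout). Resource IDs and the third property
# name are placeholders, not values taken from the issue.
SAMPLE_STATE = json.dumps({
    "version": 4,
    "resources": [
        {
            "module": 'module.create_profile_attachment["AI Security Guardrails 2.0"]',
            "mode": "managed",
            "type": "ibm_scc_profile_attachment",
            "name": "scc_profile_attachment",
            "instances": [{"attributes": {
                "id": "PLACEHOLDER-ATTACHMENT-ID",
                "scope": [{
                    "environment": "ibm-cloud",
                    "properties": [
                        {"name": "scope_type", "value": "account.resource_group"},
                        {"name": "scope_id", "value": "PLACEHOLDER-RG-ID"},
                        # The third property holds the exclusion list; a list
                        # here is the shape the provider cannot map to a string.
                        {"name": "PLACEHOLDER-EXCLUSION-PROPERTY", "value": []},
                    ],
                }],
            }}],
        },
        {
            "module": 'module.create_profile_attachment["healthy"]',
            "mode": "managed",
            "type": "ibm_scc_profile_attachment",
            "name": "scc_profile_attachment",
            "instances": [{"attributes": {
                "id": "PLACEHOLDER-ATTACHMENT-ID-2",
                "scope": [{
                    "environment": "ibm-cloud",
                    "properties": [
                        {"name": "scope_type", "value": "account"},
                        {"name": "scope_id", "value": "PLACEHOLDER-ACCOUNT-ID"},
                    ],
                }],
            }}],
        },
    ],
})


def find_non_string_scope_values(state_json: str) -> list[str]:
    """Return one finding per scope property whose value is not a string.

    Each finding uses the same address form the provider error prints
    (scope.<i>.properties.<j>.value) so it can be matched against refresh logs.
    """
    state = json.loads(state_json)
    findings = []
    for res in state.get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "ibm_scc_profile_attachment":
            continue
        address = ".".join(p for p in (res.get("module"), res["type"], res["name"]) if p)
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            for si, scope in enumerate(attrs.get("scope") or []):
                for pi, prop in enumerate(scope.get("properties") or []):
                    value = prop.get("value")
                    if not isinstance(value, str):
                        findings.append(
                            f"{address}: scope.{si}.properties.{pi}.value "
                            f"(name={prop.get('name')!r}) is "
                            f"{type(value).__name__}, not string: {value!r}"
                        )
    return findings


if __name__ == "__main__":
    # Usage: python check_scc_state.py [terraform.tfstate]; without an
    # argument the constructed sample state is scanned.
    raw = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATE
    problems = find_non_string_scope_values(raw)
    for line in problems:
        print(line)
    sys.exit(1 if problems else 0)
```

Run it against a pulled state (`terraform state pull > state.json` from the workspace, then `python check_scc_state.py state.json`); a non-zero exit means the attachment resource will hit the read error on the next refresh, which is the point at which the workspace can no longer be updated or undeployed normally.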

jor2 commented 4 weeks ago

@ocofaigh https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5718

in-1911 commented 4 weeks ago

@jor2 - the case that you submitted above is a different issue. The error you show in the output indicates that you did not supply a parameter that is required, but no default value is in the profile. This is not the same as the scope read error above.