search

terraform-ibm-modules / terraform-ibm-watsonx-saas-da

A deployable architecture solution to deploy IBM Watsonx SaaS resources.
Apache License 2.0
2 stars 1 forks source link

Insufficient account entitlements error seen when trying to enable storage delegation #154

Closed ocofaigh closed 2 months ago

ocofaigh commented 2 months ago 
 2024/09/02 15:39:50 Terraform apply | Error: unexpected response code '403': {"statusCode":403,"message":"Insufficient account entitlements."}
 2024/09/02 15:39:50 Terraform apply | 
 2024/09/02 15:39:50 Terraform apply |   with module.storage_delegation[0].restapi_object.storage_delegation,
 2024/09/02 15:39:50 Terraform apply |   on storage_delegation/main.tf line 36, in resource "restapi_object" "storage_delegation":
 2024/09/02 15:39:50 Terraform apply |   36: resource "restapi_object" "storage_delegation" {
 2024/09/02 15:39:50 Terraform apply |

What is the missing entitlements? Is it documented somewhere?

ocofaigh commented 2 months ago

Here is what I see returned from the entitlements api setting the context to data_catalog in the account where I see the error:

{
  "entitlements": {
    "data_science_experience": {
      "service_instance_guid": "bcb56b00-e714-4a47-b4d3-d9c1208c6d29",
      "type": "data_science_experience",
      "plan_id": "9536fed9-cf90-4acb-aebf-521f5b2d19fe",
      "free": true,
      "plan_name": "lite-v1",
      "schema_version": "4.10.0",
      "properties": {
        "authorized_users": 1,
        "capacity_unit_hours": 10,
        "lineage": false,
        "environments": {
          "notebooks": {
            "max_cpu_cores": 4,
            "gpu_support": {
              "enabled": false
            }
          },
          "rstudio": {
            "max_cpu_cores": 4
          },
          "spark": {
            "max_executors": 2,
            "max_driver_cpu_cores": 1,
            "max_executor_cpu_cores": 1
          }
        },
        "services": {
          "analytics_engine": {
            "enabled": false
          },
          "aws_emr": {
            "enabled": false
          }
        },
        "projects": {
          "key_protect_bucket_creation": false
        }
      },
      "region": "us-south",
      "resource_instance_crn": "crn:v1:bluemix:public:data-science-experience:us-south:a/9f9af00a96104f49b6509aa715f9d6a5:bcb56b00-e714-4a47-b4d3-d9c1208c6d29::",
      "instance_type": "resource_instance",
      "bss_account_name": "__skipped__",
      "plan_display_name": "Lite",
      "cse_type": "public",
      "resource_group_crn": "crn:v1:bluemix:public:resource-controller::a/9f9af00a96104f49b6509aa715f9d6a5::resource-group:9cfd824c29d146d3bd7a37e1edb454ee"
    },
    "data_refinery": {
      "type": "data_refinery",
      "plan_id": "65811264-3345-48d6-9e66-bbb8014b353a",
      "plan_name": "Lite",
      "free": true,
      "schema_version": "3.3.1",
      "service_instance_guid": "65811264-3345-48d6-9e66-bbb8014b353a",
      "properties": {
        "data_movement": true,
        "dataflow": {
          "max_volume_per_month": 0.09765625
        },
        "compute_units": {
          "stop_on_max_compute_units": true,
          "notify_on_max_compute_units": true,
          "max_compute_units_per_month": 50
        },
        "classification": {
          "project": true,
          "manual": true,
          "automatic": false,
          "custom": false,
          "predefined": "LIMITED",
          "max_predefined": 20,
          "mode": "LIMITED",
          "max_rows": 5000
        },
        "scheduling": false,
        "profiling": {
          "project": true,
          "manual": true,
          "automatic": false,
          "mode": "LIMITED",
          "max_rows": 5000
        },
        "sampling": {
          "project": true,
          "manual": true,
          "automatic": false,
          "random": false,
          "mode": "LIMITED",
          "max_rows": 5000
        },
        "dashboard": false
      }
    }
  }
}

Compared to an account where this is working:

{
  "entitlements": {
    "data_science_experience": {
      "service_instance_guid": "02deb65c-c61e-4e6d-8eb5-0b53b928df6f",
      "type": "data_science_experience",
      "plan_id": "a386ed81-6789-4ced-a099-da1581353281",
      "free": false,
      "plan_name": "professional-v1",
      "schema_version": "1.1.0",
      "properties": {
        "authorized_users": 1000000,
        "capacity_unit_hours": 0,
        "lineage": true,
        "environments": {
          "notebooks": {
            "gpu_support": {
              "enabled": true
            }
          }
        },
        "services": {
          "analytics_engine": {
            "enabled": false
          },
          "aws_emr": {
            "enabled": false
          }
        },
        "projects": {
          "key_protect_bucket_creation": true
        }
      },
      "region": "us-south",
      "resource_instance_crn": "crn:v1:bluemix:public:data-science-experience:us-south:a/abac0df06b644a9cabc6e44f55b3880e:02deb65c-c61e-4e6d-8eb5-0b53b928df6f::",
      "instance_type": "resource_instance",
      "bss_account_name": "__skipped__",
      "plan_display_name": "Professional v1",
      "cse_type": "public",
      "resource_group_crn": "crn:v1:bluemix:public:resource-controller::a/abac0df06b644a9cabc6e44f55b3880e::resource-group:321c515a609741c1a2896fc0b43ce476"
    },
    "data_refinery": {
      "type": "data_refinery",
      "plan_id": "f26f2010-8e7a-4e73-a3cc-e5a2fc60d3b0",
      "plan_name": "Professional",
      "free": false,
      "schema_version": "3.0.0",
      "service_instance_guid": "f26f2010-8e7a-4e73-a3cc-e5a2fc60d3b0",
      "properties": {
        "data_movement": true,
        "dataflow": {
          "max_volume_per_month": 5000
        },
        "compute_units": {
          "stop_on_max_compute_units": false,
          "notify_on_max_compute_units": true,
          "max_compute_units_per_month": 5000
        },
        "classification": {
          "project": true,
          "manual": true,
          "automatic": false,
          "custom": true,
          "predefined": "UNLIMITED",
          "mode": "UNLIMITED",
          "auto_mode": "LIMITED",
          "auto_max_rows": 5000
        },
        "scheduling": true,
        "profiling": {
          "project": true,
          "manual": true,
          "automatic": false,
          "mode": "UNLIMITED"
        },
        "sampling": {
          "project": true,
          "manual": true,
          "automatic": false,
          "random": true,
          "mode": "UNLIMITED"
        },
        "dashboard": true
      }
    }
  }
}

One obvious different is that its a Lite plan VS Professional plan.

ocofaigh commented 2 months ago

I have been informed the following:

You must have either

data_science_experience (Watson Studio)
data_catalog (IKC)

entitlements.

And for the one you have you must have projects.key_protect_bucket_creation set as true for it.

So it seems this setting is set to false in the account where this is occurring. Need to find out best way to set it to true.

ocofaigh commented 2 months ago

This was occurring due to the same root case as https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-saas-da/issues/148

We had a "lite" Watson studio instance in our account in us-south and the DA was always using the us-south endpoint even though we set the DA to eu-de, so hence we got back the entitlement error.

So the fix for this is in https://github.com/terraform-ibm-modules/terraform-ibm-watsonx-saas-da/releases/tag/v1.4.12