Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

data.ibm_scc_instance_settings not using private endpoint when using provider "visibility" "private" #5656

Open
fberzollaibm opened this issue Sep 18, 2024 · 1 comment
Open

data.ibm_scc_instance_settings not using private endpoint when using provider "visibility" "private" #5656

fberzollaibm opened this issue Sep 18, 2024 · 1 comment
Labels
service/SCC Issues related to SCC

Comments

@fberzollaibm
Copy link

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

1.69.2

Affected Resource(s)

  • data.ibm_scc_instance_settings

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

 
provider "ibm" {
  region     = local.scc_region
  alias      = "target_account_scc"
  visibility = "private"
}
 
terraform {
  required_version = ">= 1.0.0"
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = "1.69.2"
    }
  }
}
 
data "ibm_scc_instance_settings" "scc-settings-event-notification" {
  count = var.dry_run ? 0 : (var.scc_integration ? 1 : 0)
 
  depends_on = [
    ibm_iam_authorization_policy.reader-and-event-src-manager-policy-between-scc-and-en
  ]
 
  instance_id = data.ibm_resource_instance.scc_instance[0].guid
}

Debug Output

2024/09/18 11:46:49 Terraform apply | 2024-09-18T11:46:49.724Z [INFO] provider.terraform-provider-ibm_v1.69.2: 2024/09/18 11:46:49 [DEBUG] GET https://us-south.compliance.cloud.ibm.com/instances/e854617b-fa39-4136-a930-adc0196d8505/v3/settings: timestamp=2024-09-18T11:46:49.724Z
2024/09/18 11:46:49 Terraform apply | 2024-09-18T11:46:49.879Z [INFO] provider.terraform-provider-ibm_v1.69.2: 2024/09/18 11:46:49 [Debug] Response:
2024/09/18 11:46:50 Terraform apply | HTTP/2.0 403 Forbidden
2024/09/18 11:46:50 Terraform apply | Cache-Control: no-store
2024/09/18 11:46:50 Terraform apply | Cf-Cache-Status: DYNAMIC
2024/09/18 11:46:50 Terraform apply | Cf-Ray: 8c5119050ecb8785-DFW
2024/09/18 11:46:50 Terraform apply | Content-Type: application/json; charset=utf-8
2024/09/18 11:46:50 Terraform apply | Date: Wed, 18 Sep 2024 11:46:50 GMT
2024/09/18 11:46:50 Terraform apply | Server: cloudflare
2024/09/18 11:46:50 Terraform apply | Strict-Transport-Security: max-age=31536000; includeSubDomains
2024/09/18 11:46:50 Terraform apply | Transaction-Id: 2202a4df-0c0f-4bca-bc22-ffbec119754a
2024/09/18 11:46:50 Terraform apply | X-Content-Type-Options: nosniff
2024/09/18 11:46:50 Terraform apply | X-Correlation-Id: 2202a4df-0c0f-4bca-bc22-ffbec119754a
2024/09/18 11:46:50 Terraform apply | X-Envoy-Upstream-Service-Time: 252
2024/09/18 11:46:50 Terraform apply | X-Request-Id: bc13f8a3-da53-4554-939f-08f8d5a6e604
2024/09/18 11:46:50 Terraform apply |
2024/09/18 11:46:50 Terraform apply | {"status_code":403,"errors":[{"code":"forbidden","message":"The token is not authorized to perform the operation","ref":"COM10006"}],"trace":"2202a4df-0c0f-4bca-bc22-ffbec119754a"}: timestamp=2024-09-18T11:46:50.040Z
2024/09/18 11:46:50 Terraform apply | 2024-09-18T11:46:50.044Z [DEBUG] provider.terraform-provider-ibm_v1.69.2: GetSettingsWithContext failed The token is not authorized to perform the operation
2024/09/18 11:46:50 Terraform apply | {
2024/09/18 11:46:50 Terraform apply | "StatusCode": 403,
2024/09/18 11:46:50 Terraform apply | "Headers": {
2024/09/18 11:46:50 Terraform apply | "Cache-Control": [
2024/09/18 11:46:50 Terraform apply | "no-store"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Cf-Cache-Status": [
2024/09/18 11:46:50 Terraform apply | "DYNAMIC"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Cf-Ray": [
2024/09/18 11:46:50 Terraform apply | "8c5119050ecb8785-DFW"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Content-Type": [
2024/09/18 11:46:50 Terraform apply | "application/json; charset=utf-8"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Date": [
2024/09/18 11:46:50 Terraform apply | "Wed, 18 Sep 2024 11:46:50 GMT"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Server": [
2024/09/18 11:46:50 Terraform apply | "cloudflare"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Strict-Transport-Security": [
2024/09/18 11:46:50 Terraform apply | "max-age=31536000; includeSubDomains"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Transaction-Id": [
2024/09/18 11:46:50 Terraform apply | "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Content-Type-Options": [
2024/09/18 11:46:50 Terraform apply | "nosniff"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Correlation-Id": [
2024/09/18 11:46:50 Terraform apply | "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Envoy-Upstream-Service-Time": [
2024/09/18 11:46:50 Terraform apply | "252"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Request-Id": [
2024/09/18 11:46:50 Terraform apply | "bc13f8a3-da53-4554-939f-08f8d5a6e604"
2024/09/18 11:46:50 Terraform apply | ]
2024/09/18 11:46:50 Terraform apply | },
2024/09/18 11:46:50 Terraform apply | "Result": {
2024/09/18 11:46:50 Terraform apply | "errors": [
2024/09/18 11:46:50 Terraform apply | {
2024/09/18 11:46:50 Terraform apply | "code": "forbidden",
2024/09/18 11:46:50 Terraform apply | "message": "The token is not authorized to perform the operation",
2024/09/18 11:46:50 Terraform apply | "ref": "COM10006"
2024/09/18 11:46:50 Terraform apply | }
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "status_code": 403,
2024/09/18 11:46:50 Terraform apply | "trace": "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | },
2024/09/18 11:46:50 Terraform apply | "RawResult": null
2024/09/18 11:46:50 Terraform apply | }: timestamp=2024-09-18T11:46:50.041Z
2024/09/18 11:46:50 Terraform apply | 2024-09-18T11:46:50.044Z [ERROR] provider.terraform-provider-ibm_v1.69.2: Response contains error diagnostic: @module=sdk.proto diagnostic_severity=ERROR tf_rpc=ReadDataSource diagnostic_detail=""
2024/09/18 11:46:50 Terraform apply | diagnostic_summary=
2024/09/18 11:46:50 Terraform apply | | GetSettingsWithContext failed The token is not authorized to perform the operation
2024/09/18 11:46:50 Terraform apply | | {
2024/09/18 11:46:50 Terraform apply | | "StatusCode": 403,
2024/09/18 11:46:50 Terraform apply | | "Headers": {
2024/09/18 11:46:50 Terraform apply | | "Cache-Control": [
2024/09/18 11:46:50 Terraform apply | | "no-store"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "Cf-Cache-Status": [
2024/09/18 11:46:50 Terraform apply | | "DYNAMIC"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "Cf-Ray": [
2024/09/18 11:46:50 Terraform apply | | "8c5119050ecb8785-DFW"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "Content-Type": [
2024/09/18 11:46:50 Terraform apply | | "application/json; charset=utf-8"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "Date": [
2024/09/18 11:46:50 Terraform apply | | "Wed, 18 Sep 2024 11:46:50 GMT"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "Server": [
2024/09/18 11:46:50 Terraform apply | | "cloudflare"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "Strict-Transport-Security": [
2024/09/18 11:46:50 Terraform apply | | "max-age=31536000; includeSubDomains"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "Transaction-Id": [
2024/09/18 11:46:50 Terraform apply | | "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "X-Content-Type-Options": [
2024/09/18 11:46:50 Terraform apply | | "nosniff"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "X-Correlation-Id": [
2024/09/18 11:46:50 Terraform apply | | "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "X-Envoy-Upstream-Service-Time": [
2024/09/18 11:46:50 Terraform apply | | "252"
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "X-Request-Id": [
2024/09/18 11:46:50 Terraform apply | | "bc13f8a3-da53-4554-939f-08f8d5a6e604"
2024/09/18 11:46:50 Terraform apply | | ]
2024/09/18 11:46:50 Terraform apply | | },
2024/09/18 11:46:50 Terraform apply | | "Result": {
2024/09/18 11:46:50 Terraform apply | | "errors": [
2024/09/18 11:46:50 Terraform apply | | {
2024/09/18 11:46:50 Terraform apply | | "code": "forbidden",
2024/09/18 11:46:50 Terraform apply | | "message": "The token is not authorized to perform the operation",
2024/09/18 11:46:50 Terraform apply | | "ref": "COM10006"
2024/09/18 11:46:50 Terraform apply | | }
2024/09/18 11:46:50 Terraform apply | | ],
2024/09/18 11:46:50 Terraform apply | | "status_code": 403,
2024/09/18 11:46:50 Terraform apply | | "trace": "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | | },
2024/09/18 11:46:50 Terraform apply | | "RawResult": null
2024/09/18 11:46:50 Terraform apply | | }
2024/09/18 11:46:50 Terraform apply | tf_data_source_type=ibm_scc_instance_settings @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/diag/diagnostics.go:58 tf_proto_version=5.4 tf_provider_addr=provider tf_req_id=9854ce39-5038-2b37-5b27-aa373d6942a8 timestamp=2024-09-18T11:46:50.041Z
2024/09/18 11:46:50 Terraform apply | 2024-09-18T11:46:50.044Z [ERROR] vertex "data.ibm_scc_instance_settings.scc-settings-event-notification[0]" error: GetSettingsWithContext failed The token is not authorized to perform the operation
2024/09/18 11:46:50 Terraform apply | {
2024/09/18 11:46:50 Terraform apply | "StatusCode": 403,
2024/09/18 11:46:50 Terraform apply | "Headers": {
2024/09/18 11:46:50 Terraform apply | "Cache-Control": [
2024/09/18 11:46:50 Terraform apply | "no-store"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Cf-Cache-Status": [
2024/09/18 11:46:50 Terraform apply | "DYNAMIC"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Cf-Ray": [
2024/09/18 11:46:50 Terraform apply | "8c5119050ecb8785-DFW"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Content-Type": [
2024/09/18 11:46:50 Terraform apply | "application/json; charset=utf-8"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Date": [
2024/09/18 11:46:50 Terraform apply | "Wed, 18 Sep 2024 11:46:50 GMT"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Server": [
2024/09/18 11:46:50 Terraform apply | "cloudflare"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Strict-Transport-Security": [
2024/09/18 11:46:50 Terraform apply | "max-age=31536000; includeSubDomains"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Transaction-Id": [
2024/09/18 11:46:50 Terraform apply | "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Content-Type-Options": [
2024/09/18 11:46:50 Terraform apply | "nosniff"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Correlation-Id": [
2024/09/18 11:46:50 Terraform apply | "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Envoy-Upstream-Service-Time": [
2024/09/18 11:46:50 Terraform apply | "252"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Request-Id": [
2024/09/18 11:46:50 Terraform apply | "bc13f8a3-da53-4554-939f-08f8d5a6e604"
2024/09/18 11:46:50 Terraform apply | ]
2024/09/18 11:46:50 Terraform apply | },
2024/09/18 11:46:50 Terraform apply | "Result": {
2024/09/18 11:46:50 Terraform apply | "errors": [
2024/09/18 11:46:50 Terraform apply | {
2024/09/18 11:46:50 Terraform apply | "code": "forbidden",
2024/09/18 11:46:50 Terraform apply | "message": "The token is not authorized to perform the operation",
2024/09/18 11:46:50 Terraform apply | "ref": "COM10006"
2024/09/18 11:46:50 Terraform apply | }
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "status_code": 403,
2024/09/18 11:46:50 Terraform apply | "trace": "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | },
2024/09/18 11:46:50 Terraform apply | "RawResult": null
2024/09/18 11:46:50 Terraform apply | }
2024/09/18 11:46:50 Terraform apply | 2024-09-18T11:46:50.044Z [ERROR] vertex "data.ibm_scc_instance_settings.scc-settings-event-notification (expand)" error: GetSettingsWithContext failed The token is not authorized to perform the operation
2024/09/18 11:46:50 Terraform apply | {
2024/09/18 11:46:50 Terraform apply | "StatusCode": 403,
2024/09/18 11:46:50 Terraform apply | "Headers": {
2024/09/18 11:46:50 Terraform apply | "Cache-Control": [
2024/09/18 11:46:50 Terraform apply | "no-store"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Cf-Cache-Status": [
2024/09/18 11:46:50 Terraform apply | "DYNAMIC"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Cf-Ray": [
2024/09/18 11:46:50 Terraform apply | "8c5119050ecb8785-DFW"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Content-Type": [
2024/09/18 11:46:50 Terraform apply | "application/json; charset=utf-8"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Date": [
2024/09/18 11:46:50 Terraform apply | "Wed, 18 Sep 2024 11:46:50 GMT"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Server": [
2024/09/18 11:46:50 Terraform apply | "cloudflare"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Strict-Transport-Security": [
2024/09/18 11:46:50 Terraform apply | "max-age=31536000; includeSubDomains"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "Transaction-Id": [
2024/09/18 11:46:50 Terraform apply | "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Content-Type-Options": [
2024/09/18 11:46:50 Terraform apply | "nosniff"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Correlation-Id": [
2024/09/18 11:46:50 Terraform apply | "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Envoy-Upstream-Service-Time": [
2024/09/18 11:46:50 Terraform apply | "252"
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "X-Request-Id": [
2024/09/18 11:46:50 Terraform apply | "bc13f8a3-da53-4554-939f-08f8d5a6e604"
2024/09/18 11:46:50 Terraform apply | ]
2024/09/18 11:46:50 Terraform apply | },
2024/09/18 11:46:50 Terraform apply | "Result": {
2024/09/18 11:46:50 Terraform apply | "errors": [
2024/09/18 11:46:50 Terraform apply | {
2024/09/18 11:46:50 Terraform apply | "code": "forbidden",
2024/09/18 11:46:50 Terraform apply | "message": "The token is not authorized to perform the operation",
2024/09/18 11:46:50 Terraform apply | "ref": "COM10006"
2024/09/18 11:46:50 Terraform apply | }
2024/09/18 11:46:50 Terraform apply | ],
2024/09/18 11:46:50 Terraform apply | "status_code": 403,
2024/09/18 11:46:50 Terraform apply | "trace": "2202a4df-0c0f-4bca-bc22-ffbec119754a"
2024/09/18 11:46:50 Terraform apply | },
2024/09/18 11:46:50 Terraform apply | "RawResult": null
2024/09/18 11:46:50 Terraform apply | }

Expected Behavior

We have activated CBR rules to use private endpoints for SCC.

The IBM CLoud provider configuration specifies that we want to use private endpoints visibility = "private"

The provider must use private endpoints to access IBM Cloud APIS

Actual Behavior

We have activated CBR rules to use private endpoints for SCC.

The IBM CLoud provider configuration specifies that we want to use private endpoints visibility = "private"

The provider must use private endpoints to access IBM Cloud APIS

In thi case it uses a public api endpoint instead of private GET https://us-south.compliance.cloud.ibm.com/instances/e854617b-fa39-4136-a930-adc0196d8505/v3/settings

And then the CBR rules reply a 403 !

  • #0000
@github-actions github-actions bot added the service/SCC Issues related to SCC label Sep 18, 2024
@tyao117
Copy link
Contributor

tyao117 commented Oct 14, 2024

sorry about the late reply, I had assumed that someone would have looked into this problem before i came into vacation.

Until a fix, can you use environment variables? such as this: export IBMCLOUD_SCC_API_ENDPOINT=https://eu-es.compliance.cloud.ibm.com. This fix will not work if you are targeting multiple distinct regions from the same Terraform client.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
service/SCC Issues related to SCC
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@tyao117 @fberzollaibm