Non consistent input type for SCC attachment

[pauljegouic]

Hello there,

Please fix the input type for the parameter_value of an SCC attachment.

The doc says that it requires a string_list, but : "[\"value1\",\"value2\"]" who was valid 2 weeks ago (before my holidays) and it's not working now.

I'd like to avoid to stringify complex json structure.

Look like it is an SCC API change since the error also happens on 1.64

[pauljegouic]

+ attachment_parameters {
          + assessment_id          = "rule-c92a1ac3-6f9a-4fb1-9cb8-57d312679020"
          + assessment_type        = "automated"
          + parameter_display_name = "Subnet(s) name"
          + parameter_name         = "excluded_subnets"
          + parameter_type         = "string_list"
          + parameter_value        = jsonencode(
                [
                  + "test",
                  + "tata",
                ]
            )
        }

With 1.64:

ibm_scc_profile_attachment.scc_profile_attachment_instance: Creating...
╷
│ Error: Plugin did not respond
│ 
│   with ibm_scc_profile_attachment.scc_profile_attachment_instance,
│   on main.tf line 22, in resource "ibm_scc_profile_attachment" "scc_profile_attachment_instance":
│   22: resource "ibm_scc_profile_attachment" "scc_profile_attachment_instance" {
│ 
│ The plugin encountered an error, and failed to respond to the plugin.(*GRPCProvider).ApplyResourceChange call. The plugin logs may contain more details.
╵

Stack trace from the terraform-provider-ibm_v1.64.0 plugin:

panic: interface conversion: interface {} is *schema.Set, not []interface {}

goroutine 57 [running]:
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc.resourceIbmSccProfileAttachmentMapToAttachmentsPrototype(0x10506d4c0?)
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc/resource_ibm_scc_profile_attachment.go:637 +0x8ec
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc.resourceIbmSccProfileAttachmentMapToAttachmentPrototype(0x10506d4c0?)
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc/resource_ibm_scc_profile_attachment.go:841 +0x144
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc.resourceIbmSccProfileAttachmentCreate({0x105814fb8, 0x14001c70060}, 0x0?, {0x1057bb840?, 0x1400040b500})
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc/resource_ibm_scc_profile_attachment.go:310 +0x648
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0x140015f50a0, {0x105814ff0, 0x14000bfed20}, 0xd?, {0x1057bb840, 0x1400040b500})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/resource.go:778 +0xe8
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0x140015f50a0, {0x105814ff0, 0x14000bfed20}, 0x14001b3ab60, 0x14001cf0e80, {0x1057bb840, 0x1400040b500})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/resource.go:909 +0x890
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0x14001289410, {0x105814ff0?, 0x14000bfec00?}, 0x14001b062d0)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/grpc_provider.go:1060 +0xb70
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0x14000b14640, {0x105814ff0?, 0x14000bfe210?}, 0x140025ee070)
        github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/tf5server/server.go:859 +0x3b8
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x105636f40?, 0x14000b14640}, {0x105814ff0, 0x14000bfe210}, 0x140025ee000, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:467 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0x1400016e000, {0x10581fd60, 0x1400052e680}, 0x14001b0e000, 0x1400168ad80, 0x1077d7b98, 0x0)
        google.golang.org/grpc@v1.57.1/server.go:1358 +0xc88
google.golang.org/grpc.(*Server).handleStream(0x1400016e000, {0x10581fd60, 0x1400052e680}, 0x14001b0e000, 0x0)
        google.golang.org/grpc@v1.57.1/server.go:1735 +0x82c
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/grpc@v1.57.1/server.go:970 +0xb4
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.57.1/server.go:981 +0x174

Error: The terraform-provider-ibm_v1.64.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

With 1.65

ibm_scc_profile_attachment.scc_profile_attachment_instance: Creating...
╷
│ Error: CreateAttachmentWithContext failed The parameter (Subnet(s) name) must be provided as a string_list value
│ {
│     "StatusCode": 400,
│     "Headers": {
│         "Cache-Control": [
│             "no-store"
│         ],
│         "Cf-Cache-Status": [
│             "DYNAMIC"
│         ],
│         "Cf-Ray": [
│             "8839670d7f116f0e-CDG"
│         ],
│         "Content-Length": [
│             "165"
│         ],
│         "Content-Type": [
│             "application/json; charset=utf-8"
│         ],
│         "Date": [
│             "Tue, 14 May 2024 08:08:51 GMT"
│         ],
│         "Ibm-Cloud-Tenant": [
│             "0e8d3cd94877445fa9764becb08ea5a7,15fc9828678f4b2b9820c1331ba39570,28a3359c631e45b99fe81b916684d484,2c9013ae47bd487ab044ca8cac66b488,33a7eb04e7d547cd9489e90c99d476a5,3d48a8711a8042bbbbe8f18024ea3887,6b29e5d81a8e4adda23ab13fd4e8fb03,81ada35eddd8453696febe365ad85ee2,8c5a7d7aa8e14efa8ac484dc2cd82b80,985c667b4f89413c974f812500e94ce0,a25f4fa98485407bb7b44e647f8a5e15,a3c1da9c4e4a4cdaaa92d1edeb7f4868,ac3e80fb25684f758aa059ef66c0b1fc,afba06f61a974bc4bd8c36560a3416da,d2cf8c1ca5a34fa280de191f6bd6eced,db8f0cc7bde24bbda8a71c121868f65a,dee3803b85714ce19f6e8b9b07d5cc81,ff8d762413d34824b12e2d3427b270a2"
│         ],
│         "Server": [
│             "cloudflare"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains"
│         ],
│         "Transaction-Id": [
│             "1ef64723-2d73-4ec2-ae47-ba0a55564b41"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Correlation-Id": [
│             "85f8dd7b-3f8e-4cb5-bc96-50b689dab5a1"
│         ],
│         "X-Envoy-Upstream-Service-Time": [
│             "2124"
│         ],
│         "X-Request-Id": [
│             "37354a4b-d3f2-4037-bf75-7c15652591c7"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "Bad Request",
│                 "message": "The parameter (Subnet(s) name) must be provided as a string_list value"
│             }
│         ],
│         "trace": "85f8dd7b-3f8e-4cb5-bc96-50b689dab5a1"
│     },
│     "RawResult": null
│ }
│ 
│ 
│   with ibm_scc_profile_attachment.scc_profile_attachment_instance,
│   on main.tf line 22, in resource "ibm_scc_profile_attachment" "scc_profile_attachment_instance":
│   22: resource "ibm_scc_profile_attachment" "scc_profile_attachment_instance" {
│ 

[pauljegouic]

@hkantare

[tyao117]

was able to replicate v1.64 issue; the main problem with 1.64 is interface {} is *schema.Set, not []interface {}:

Stack trace from the terraform-provider-ibm_v1.64.0 plugin:

panic: interface conversion: interface {} is *schema.Set, not []interface {}

goroutine 147 [running]:
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc.resourceIbmSccProfileAttachmentMapToAttachmentsPrototype(0x4c9c9a0?)
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc/resource_ibm_scc_profile_attachment.go:637 +0x9d4
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc.resourceIbmSccProfileAttachmentMapToAttachmentPrototype(0x4c9c9a0?)
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc/resource_ibm_scc_profile_attachment.go:841 +0x13b
github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc.resourceIbmSccProfileAttachmentCreate({0x5d53418, 0xc002952cc0}, 0x0?, {0x53eaee0?, 0xc0001b2000})
        github.com/IBM-Cloud/terraform-provider-ibm/ibm/service/scc/resource_ibm_scc_profile_attachment.go:310 +0x71f
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).create(0xc0015c0e00, {0x5d53450, 0xc002937c50}, 0xd?, {0x53eaee0, 0xc0001b2000})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/resource.go:778 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).Apply(0xc0015c0e00, {0x5d53450, 0xc002937c50}, 0xc00290dba0, 0xc002942780, {0x53eaee0, 0xc0001b2000})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/resource.go:909 +0xa85
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ApplyResourceChange(0xc000865068, {0x5d53450?, 0xc002937b30?}, 0xc001a2b130)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.29.0/helper/schema/grpc_provider.go:1060 +0xe8d
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ApplyResourceChange(0xc000b1c0a0, {0x5d53450?, 0xc002937140?}, 0xc002858770)
        github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/tf5server/server.go:859 +0x574
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x52665e0?, 0xc000b1c0a0}, {0x5d53450, 0xc002937140}, 0xc002858700, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.19.0/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:467 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc000b941e0, {0x5d5e2e0, 0xc001678820}, 0xc001d1f8c0, 0xc001656cc0, 0x7d83078, 0x0)
        google.golang.org/grpc@v1.57.1/server.go:1358 +0xe23
google.golang.org/grpc.(*Server).handleStream(0xc000b941e0, {0x5d5e2e0, 0xc001678820}, 0xc001d1f8c0, 0x0)
        google.golang.org/grpc@v1.57.1/server.go:1735 +0xa2f
google.golang.org/grpc.(*Server).serveStreams.func1.1()
        google.golang.org/grpc@v1.57.1/server.go:970 +0xca
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.57.1/server.go:981 +0x15c

Error: The terraform-provider-ibm_v1.64.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

The problem stems from the type mismatch between the actual type and the expected.

[tyao117]

@pauljegouic i might have a workaround for v1.65:
change

parameter_value = jsonencode(
                [
                  + "test",
                  + "tata",
                ]
            )

to:

parameter_value = "['test', 'tata']"

[pavanm87]

@pauljegouic I am currently trying addressing this issue which you reported. A modification was implemented some weeks ago to introduce validation, preventing empty string values in a string list. This update includes support for two string list formats, aligning with UI validation:

["test","tata"]
"['test', 'tata']"

In the upcoming fix, we will also include support for the format "["test","tata"]".

[pauljegouic]

@tyao117 actually I can't. Because those values are actually the subnet's names computed through a datasource. That's why we are doing a jsonencode.

[pauljegouic]

# WAIT FOR IBM FIX : https://github.com/IBM-Cloud/terraform-provider-ibm/issues/5350
    {
      parameter_name  = "excluded_subnets",
     parameter_value = "${jsonencode(module.ibm_vpc.subnet_zone_list[*].name)}"
    },

[pauljegouic]

@pavanm87 I'd like to get an ETA about the support of " [ \"value1\", ...] " because this module is part of a global module that initialize environments on my platform.

Therefore, it prevents me from updating other parts of my DA (especially IAM access groups). I will need to know if I need to release a wordarounded-version on my side, or if it's a matter of days, we can wait.

Thanks a lot guys in advance !

[pavanm87]

@pauljegouic We anticipate completing the task by the end of May, indicating that the fix will be accessible in the BNPP region by the month's end. As a temporary solution, we can utilize ["test","tata"] in this precise string_list format.

[pauljegouic]

any update @pavanm87 ?

[pavanm87]

@pauljegouic This change will be available in BNPP region by May 29th.

[nicolascomete]

@pavanm87 hello - note that there is a similar issue on ibm_scc_rule for required_config on and and or field value.
I can't get the workaround "['a','b']" to work in neither 1.64.*, 1.65.* and 1.66.*

[pavanm87]

@nicolascomete This is different issue but what you are saying is it is not allowing "['1.64.*', '1.65.*', '1.66.*']"?

Can you please provide the example body which you are trying?

[nicolascomete]

@pavanm87 I'm saying that the trick does not work for provider in v1.65, v1.65 or v1.66.

{
  "description": "XXX",
  "target": {
    "service_name": "cloud-object-storage",
    "service_display_name": "Cloud Object Storage",
    "resource_kind": "bucket",
    "additional_target_attributes": []
  },
  "required_config": {
    "description": "Cloud object storage bucket",
    "and": [
      {
        "property": "firewall.allowed_ip",
        "operator": "ips_in_range",
        "value": "[\"1.2.3.4/25\"]"
      }
    ]
  },
  "labels": []
}

This is an example of what fails. It also fails with "value": "['1.2.3.4/25']"

[pavanm87]

And also can you please provide the error which you are getting @nicolascomete

[nicolascomete]

Error: CreateRuleWithContext failed Encountered invalid operator value type. Expected []string
│ {
│ "StatusCode": 400,
│ "Headers": {
│ "Cache-Control": [
│ "no-store"
│ ],
│ "Cf-Cache-Status": [
│ "DYNAMIC"
│ ],
│ "Cf-Ray": [
│ "888565247d9618b3-FRA"
│ ],
│ "Content-Length": [
│ "170"
│ ],
│ "Content-Type": [
│ "application/json; charset=utf-8"
│ ],
│ "Date": [
│ "Thu, 23 May 2024 13:29:29 GMT"
│ ],
│ "Server": [
│ "cloudflare"
│ ],
│ "Strict-Transport-Security": [
│ "max-age=31536000; includeSubDomains"
│ ],
│ "Transaction-Id": [
│ "ceaeb57a-b9b3-4580-bc1d-34cdc5e3ab1b"
│ ],
│ "X-Content-Type-Options": [
│ "nosniff"
│ ],
│ "X-Correlation-Id": [
│ "ceaeb57a-b9b3-4580-bc1d-34cdc5e3ab1b"
│ ],
│ "X-Envoy-Upstream-Service-Time": [
│ "584"
│ ],
│ "X-Ratelimit-Limit": [
│ "5"
│ ],
│ "X-Ratelimit-Remaining": [
│ "4"
│ ],
│ "X-Ratelimit-Reset": [
│ "1716470970"
│ ],
│ "X-Request-Id": [
│ "e496e24c-de39-4cf4-b5b5-e514709d9bb6"
│ ]
│ },
│ "Result": {
│ "errors": [
│ {
│ "code": "rule_error",
│ "message": "Encountered invalid operator value type. Expected []string"
│ }
│ ],
│ "status_code": 400,
│ "trace": "ceaeb57a-b9b3-4580-bc1d-34cdc5e3ab1b"
│ },
│ "RawResult": null
│ }

[pavanm87]

@pauljegouic The fix for this issue has been promoted to BNPP region, verified the fix and looks fine to me. Please check and close it from your end.

A fix has been pushed to BNPP, and it works as expected. It now supports the format "["us-south-1", "us-south-2"]" that the client requested, check below.

main.tf which I used for testing with the format

 resource "ibm_scc_profile_attachment" "scc_profile_attachment_instance" {
 profile_id = "xxx" 
 instance_id = "xxx"
 name = "tf-atr-train-8-test"
 description = "tf atr train 8"
 scope {
 environment = "ibm-cloud"
 properties {
 name = "scope_id"
 value = "xxx"
 }
 properties {
 name = "scope_type"
 value = "account"
 }
 }
attachment_parameters {
    assessment_id="rule-1edc74ae-0dad-4ea1-865d-89e3214d240f"
    assessment_type="automated"
    parameter_display_name="Cloud Object Storage buckets cross region support"
    parameter_name="cos_bucket_cross_regions"
    parameter_type="string_list"
    parameter_value="[\"us-south-1\", \"us-south-2\"]"
    }
 schedule = "daily"
 status = "disabled"
 notifications {
 enabled = false
 controls {
 failed_control_ids = []
 threshold_limit = 14
 }
 }
 }

Additionally, it maintains UI consistency with the formats "['us-south-1','us-south-2']".

Added validation when empty string provided while creating or updating an attachment like below
"["us-south-1", ""]".

[pauljegouic]

Thanks.

I confirm, closing the issue