On second apply `ibm_code_engine_secret` tries to change secret Role

[akocbek]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Affected Resource(s)

• ibm_code_engine_secret

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "ibm_resource_key" "resourceKey" {
  name                 = "${var.prefix}-rk"
  role                 = "Writer"
  resource_instance_id = module.cos.cos_instance_id

  timeouts {
    create = "15m"
    delete = "15m"
  }
}

resource "ibm_code_engine_secret" "my_secret" {
  project_id = module.ce_project.project_id
  name       = "my-secret"
  format     = "service_access"
  service_access {
    resource_key {
      id = resource.ibm_resource_key.resourceKey.guid
    }
    service_instance {
      id = module.cos.cos_instance_guid
    }
  }
}

Debug Output

Error: ReplaceSecretWithContext failed A service access secret cannot be updated.
│ {
│     "StatusCode": 405,
│     "Headers": {
│         "Cache-Control": [
│             "no-cache, no-store"
│         ],
│         "Content-Length": [
│             "189"
│         ],
│         "Content-Type": [
│             "application/json; charset=UTF-8"
│         ],
│         "Date": [
│             "Fri, 22 Mar 2024 15:03:27 GMT"
│         ],
│         "Strict-Transport-Security": [
│             "max-age=31536000; includeSubDomains; preload"
│         ],
│         "X-Content-Type-Options": [
│             "nosniff"
│         ],
│         "X-Global-Transaction-Id": [
│             "codeengine-api-6248392f9e2a4eeabff67f1c36f68db4"
│         ]
│     },
│     "Result": {
│         "errors": [
│             {
│                 "code": "service_access_update_not_allowed",
│                 "message": "A service access secret cannot be updated."
│             }
│         ],
│         "status_code": 405,
│         "trace": "codeengine-api-6248392f9e2a4eeabff67f1c36f68db4"
│     },
│     "RawResult": null
│ }
│ 
│ 
│   with ibm_code_engine_secret.my_secret,
│   on main.tf line 115, in resource "ibm_code_engine_secret" "my_secret":
│  115: resource "ibm_code_engine_secret" "my_secret" {

Panic Output

Expected Behavior

ibm_code_engine_secret resource shouldn't modify service_access secret role on second terraform apply.

Actual Behavior

On second apply ibm_code_engine_secret tries to modify service_access secret role: - name = "Writer" -> null

Steps to Reproduce

1. create COS instance
2. create resource key for COS instance
3. create code engine project
4. create service_access secret using ibm_code_engine_secret
5. terraform apply
6. terraform apply

Important Factoids

References

• #0000

[shemau]

I wonder, and this is speculation, if name should be both Optional and Computed, since it is contained in a optional map.

[saevarb]

Are there any plans to fix this bug?

Initially when trying to use a service_access secret to set up a service binding, I didn't create a separate resource key since it wasn't clear to me that it was required(since resourceKey.id is optional). It ran successfully but resulted in the problem described in this ticket + resource_key.id trying to be updated as well, and then the same exact error as demonstrated in this ticket.

After creating a resource key explicitly, then trying to create a service binding(to mongodb in my case), I get the same exact issues as described here.

In the meantime, I've gotten around this by just creating normal secrets based directly on the resource key.

[jaksart1]

Hi @saevarb, because Code Engine automatically assigns the Role of "Writer" to Service Access Secrets when unspecified, terraform will see this as a discrepancy when the Role is initially not provided. A workaround here would to simply specify the Role field in your tf file.

This is a bug we have logged and are currently working on a fix for. We are also planning to update our terraform documentation to include this workaround until the work on this fix has been completed.

[saevarb]

Hi @jaksart1

From my experiments, there is actually no workaround that works.

Take the following

resource "ibm_resource_key" "test-key" {
  name                 = "rk-mdb-credentials"
  resource_instance_id = ibm_database.md-test-stuff.resource_crn
}


resource "ibm_code_engine_secret" "test-secret" {
  name       = "test-secret"
  project_id = ibm_code_engine_project.ce-test-stuff.id

  format = "service_access"

  service_access {
    resource_key {
      id = ibm_resource_key.test-key.guid
    }
    service_instance {
      id = ibm_database.md-test-stuff.guid
    }

    role {
      # name = "Writer" <----
    } 
  }
}

Note the marked line, which implements your suggestion.

If I remove the comment and run it, it will tell me that name of the role is not for me to set as it will be decided automatically. If I keep the comment and run a plan/apply, it keeps telling me that test-secret has changed(while listing 0 changed attributes), attempt to update the resource(but again, not telling me what it is supposedly updating) and then simply fail with the error described in this issue "service_access_update_not_allowed".

It's good to hear that you are working on this issue, however. Is there a place I can follow the progress or discussions regarding the fix?