
Bug in validation logic that is checking supported service credential role values #817

Open
ocofaigh opened this issue Jan 17, 2025 · 4 comments
Assignees
Labels
bug 🐞 Something isn't working internal-synced

Comments

@ocofaigh
Member

A consumer has reported when trying to create a service credential using the role "Object Writer" it fails...

Input:

```json
[
  {
    "secret_group_name": "scc",
    "existing_secret_group": true,
    "service_credentials": [
      {
        "secret_name": "scc-cos-service-credentials",
        "service_credentials_source_service_role": "Object Writer",
        "secret_labels": ["backup-secret"],
        "secret_auto_rotation": true,
        "secret_auto_rotation_unit": "day",
        "secret_auto_rotation_interval": 89,
        "service_credentials_ttl": 7776000,
        "service_credential_secret_description": "sample description"
      }
    ]
  }
]
```

Fails with this:

Image

The problem is the CRN that is generated has a space in it, and so fails regex check:

Image

ACTIONS:

@shemau
Contributor

shemau commented Jan 20, 2025

WIP:

```
module.secrets_manager_service_credentials[0].module.secrets["cred-2"].ibm_sm_service_credentials_secret.service_credentials_secret[0]: Creating...
╷
│ Error: ---
│ id: terraform-d7812ff8
│ summary: |
│   CreateSecretWithContext failed: Bad request error. [secrets-manager.13037E]
│   {
│       "StatusCode": 400,
│       "Headers": {
│           "Cache-Control": [
│               "no-store, no-cache, must-revalidate, proxy-revalidate,no-cache, max-age=0, no-store"
│           ],
│           "Cf-Cache-Status": [
│               "DYNAMIC"
│           ],
│           "Cf-Ray": [
│               "904fed682c3660f9-LHR"
│           ],
│           "Content-Security-Policy": [
│               "default-src 'none'"
│           ],
│           "Content-Type": [
│               "application/json; charset=utf-8"
│           ],
│           "Correlation-Id": [
│               "f186b827-3167-7b25-0720-08a589780946"
│           ],
│           "Cross-Origin-Resource-Policy": [
│               "same-origin"
│           ],
│           "Date": [
│               "Mon, 20 Jan 2025 14:59:18 GMT"
│           ],
│           "Expires": [
│               "0"
│           ],
│           "Pragma": [
│               "no-cache"
│           ],
│           "Server": [
│               "cloudflare"
│           ],
│           "Strict-Transport-Security": [
│               "max-age=31536000; includeSubDomains; preload"
│           ],
│           "Surrogate-Control": [
│               "no-store"
│           ],
│           "Vary": [
│               "Accept-Encoding"
│           ],
│           "X-Content-Type-Options": [
│               "nosniff"
│           ]
│       },
│       "Result": {
│           "errors": [
│               {
│                   "code": "bad_request",
│                   "message": "Bad request error. [secrets-manager.13037E]",
│                   "more_info": "https://cloud.ibm.com/apidocs/secrets-manager"
│               }
│           ],
│           "status_code": 400,
│           "trace": "f186b827-3167-7b25-0720-08a589780946"
│       },
│       "RawResult": null
│   }
│ severity: error
│ resource: ibm_sm_service_credentials_secret
│ operation: create
│ component:
│   name: github.com/IBM-Cloud/terraform-provider-ibm
│   version: 1.73.0
│ ---
│ 
│ 
│   with module.secrets_manager_service_credentials[0].module.secrets["cred-2"].ibm_sm_service_credentials_secret.service_credentials_secret[0],
│   on .terraform/modules/secrets_manager_service_credentials.secrets/main.tf line 95, in resource "ibm_sm_service_credentials_secret" "service_credentials_secret":
│   95: resource "ibm_sm_service_credentials_secret" "service_credentials_secret" {
│ 
╵
```

Following code changes to use the proposed role name ObjectWriter, the CRN looks fine, but there is a subsequent error being investigated.

```
      + source_service {
          + iam          = (known after apply)
          + resource_key = (known after apply)

          + instance {
              + crn = "crn:v1:bluemix:public:cloud-object-storage:global:a/abac0df06b644a9cabc6e44f55b3880e:24cd9373-68e7-4058-bd0b-5d811cc8db56::"
            }

          + role {
              + crn = "crn:v1:bluemix:public:iam::::serviceRole:ObjectWriter"
            }
        }
```

@shemau
Contributor

shemau commented Jan 20, 2025

When using a space ( + crn = "crn:v1:bluemix:public:iam::::serviceRole:Object Writer") it clearly reports

"│ CreateSecretWithContext failed: Request validation error: doesn't match schema due to: Error at "/source_service/role/crn": string doesn't match the regular expression "^crn:v0-9{8}$""

And reports where the problem is '/source_service/role/crn'.

When not using a space (crn:v1:bluemix:public:iam::::serviceRole:ObjectWriter)

A generic error is reported.

"│ CreateSecretWithContext failed: Bad request error. [secrets-manager.13037E]"

No idea if it passed the CRN check and failed for some other reason or the CRN matches the pattern, but is wrong.

@shemau
Contributor

shemau commented Jan 20, 2025

The thread leads to the secrets manager secret module at https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager-secret/blob/main/main.tf#L111

where the role is constructed as:

crn:v1:bluemix:public:iam::::serviceRole:ObjectWriter

whilst the documentation in IAM (https://cloud.ibm.com/iam/roles)

CRN: crn:v1:bluemix:public:cloud-object-storage::::serviceRole:ObjectWriter
Description: As an Object Writer, one can only write objects to a bucket.

crn:v1:bluemix:public:cloud-object-storage::::serviceRole:ObjectWriter

If this is the case, I am not sure that any of our service related roles would work via this module.

@ocofaigh
Member Author

ocofaigh commented Jan 22, 2025

As per internal discussions, the action items are:

  1. [terraform-ibm-secrets-manager-secret] Add support to create service specific role
  2. [terraform-ibm-secrets-manager] Add support to create service specific role credentials in the secrets submodule
  3. Continue to ask for the service role in the COS DA but add logic to construct the CRN that will be passed to the secrets module
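The following is an added example, not code from this issue or from the terraform-ibm-modules repositories. It demonstrates action item 3: taking the role as the user types it ("Object Writer") and constructing the role CRN that is handed to the secrets module, while checking the result before it reaches the Secrets Manager API. The exact schema regex from the API error is not reproduced on this page, so `CRN_RE` is an assumption based on the documented 10-segment CRN layout (`crn`, version, then eight colon-separated segments); the split between generic IAM service roles (`Reader`, `Writer`, `Manager`, under the `iam` segment) and service-specific roles (under the service name, as the IAM roles page shows for COS `ObjectWriter`) is also an assumption to confirm against https://cloud.ibm.com/iam/roles.

```python
import re

# Assumption: approximation of the CRN schema check. A CRN is "crn", "v1", then
# eight colon-separated segments, none of which may contain a colon or whitespace.
# The real server-side regex is stricter about characters but fails the same way
# on the space in "Object Writer".
CRN_RE = re.compile(r"^crn:v1(:[^:\s]*){8}$")

# Assumption: these generic service roles live under the "iam" service segment,
# which is the only form the module in the thread emitted.
GENERIC_SERVICE_ROLES = {"Reader", "Writer", "Manager"}


def normalize_role_name(display_name: str) -> str:
    """Turn a display name such as 'Object Writer' into the CRN token 'ObjectWriter'."""
    return "".join(display_name.split())


def service_role_crn(display_name: str, service_name: str) -> str:
    """Build the role CRN for source_service.role.crn.

    Generic roles use the "iam" segment; service-specific roles such as the
    COS "Object Writer" role use the service name as the segment.
    """
    role = normalize_role_name(display_name)
    segment = "iam" if role in GENERIC_SERVICE_ROLES else service_name
    return f"crn:v1:bluemix:public:{segment}::::serviceRole:{role}"


def is_valid_crn(crn: str) -> bool:
    """Client-side check so a malformed CRN is rejected before the API call."""
    return CRN_RE.fullmatch(crn) is not None


def check_role_crn(display_name: str, service_name: str) -> dict:
    """Compare the module's original construction with the corrected one."""
    # What the thread shows the module doing: the display name pasted verbatim
    # into the "iam" form of the CRN.
    naive = f"crn:v1:bluemix:public:iam::::serviceRole:{display_name}"
    fixed = service_role_crn(display_name, service_name)
    return {
        "naive": naive,
        "naive_valid": is_valid_crn(naive),
        "fixed": fixed,
        "fixed_valid": is_valid_crn(fixed),
    }


if __name__ == "__main__":
    # Constructed inputs: the failing role from the issue and a generic role.
    for role in ("Object Writer", "Writer"):
        print(check_role_crn(role, "cloud-object-storage"))
```

Running the block shows the "Object Writer" input failing the pattern in its naive form (the space is the regex failure the first screenshot reported) and passing once rebuilt as `crn:v1:bluemix:public:cloud-object-storage::::serviceRole:ObjectWriter`. The check is deliberately a pre-flight validation: it does not tell you whether the role exists for that service, which is the generic `13037E` error shemau hit, so the role name still has to be verified against the IAM roles listing.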
