Authorization error when trying to attach PER enabled PowerVS Workspace to a Transit Gateway

[christopher-horn]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Terraform v1.5.7
on linux_amd64

• provider registry.terraform.io/ibm-cloud/ibm v1.57.0

Affected Resource(s)

• ibm_tg_connection

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "ibm_tg_gateway" "gateway" {
  name     = "test-case-gateway"
  location = "us-south"
  global   = true
}

resource "ibm_resource_instance" "workspace" {
  name     = "test-case-workspace"
  service  = "power-iaas"
  plan     = "power-virtual-server-group"
  location = "dal10"
}

resource "ibm_tg_connection" "per_connection" {
  gateway      = ibm_tg_gateway.gateway.id
  network_type = "power_virtual_server"
  name         = "test-case-workspace"
  network_id   = ibm_resource_instance.workspace.target_crn
}

I think the variables.tf, provider.tf, versions.tf and terraform.tfvars that go with the above are obvious enough and will not replicate here.

Debug Output

https://gist.github.com/christopher-horn/fb266132b4b43ca14c656e6bd4b8a080

Panic Output

Expected Behavior

Connection is created.

Actual Behavior

The deployment fails with the Transit Gateway service claiming that it is not authorized.

2023-09-27T08:55:17.636-0400 [ERROR] vertex "ibm_tg_connection.per_connection" error: [ERROR] Create Transit Gateway connection err The request is not authorized.
{
    "StatusCode": 403,
    "Headers": {
        "Cache-Control": [
            "no-cache,no-store,must-revalidate"
        ],
        "Cf-Cache-Status": [
            "DYNAMIC"
        ],
        "Cf-Ray": [
            "80d3e66b4b8f425d-EWR"
        ],
        "Content-Type": [
            "application/json; charset=utf-8"
        ],
        "Date": [
            "Wed, 27 Sep 2023 12:55:17 GMT"
        ],
        "Server": [
            "cloudflare"
        ],
        "Strict-Transport-Security": [
            "max-age=31536000; includeSubDomains; preload"
        ],
        "Transaction-Id": [
            "204f0789-d50e-4792-9944-8b98557dc069"
        ],
        "X-Content-Type-Options": [
            "nosniff"
        ],
        "X-Correlation-Id": [
            "204f0789-d50e-4792-9944-8b98557dc069"
        ],
        "X-Envoy-Upstream-Service-Time": [
            "460"
        ],
        "X-Frame-Options": [
            "DENY"
        ],
        "X-Request-Id": [
            "4664334b-4a16-4cb1-a5fa-224965218d96"
        ],
        "X-Xss-Protection": [
            "1; mode=block"
        ]
    },
    "Result": {
        "errors": [
            {
                "code": "not_authorized",
                "message": "The request is not authorized.",
                "more_info": "https://cloud.ibm.com/apidocs/transit-gateway#error-handling",
                "target": {
                    "name": "resource",
                    "type": "not authorized"
                }
            }
        ],
        "trace": "204f0789-d50e-4792-9944-8b98557dc069"
    },
    "RawResult": null
}

However if I issue the command using the ibmcloud cli it works perfectly fine so it does not appear to be an IAM but a provider issue.

Steps to Reproduce

1. terraform apply

Important Factoids

References

[christopher-horn]

@yussufsh calling this to your attention. If you could please take a look would appreciate it.

[yussufsh]

@christopher-horn how are you initializing the ibm provider? If I can understand the issue correctly you may need to initialize 2 providers for powervs+network service.

[christopher-horn]

I am only using the 1 IBM cloud provider. Why would this be different from the direct link attach which works fine?

[christopher-horn]

Oh maybe I see.

[christopher-horn]

No I don't. I am using the same provider in the same Terraform to attach the direct link if the site uses that instead and that has been working fine. So why should one work and the other not? Is that working because of some kind of unidentified bug that skips checking the authorization?

[christopher-horn]

Found my issue, user error. Using incorrect CRN. Sigh. Closing this out now, my apologies.

[michaelkad]

@christopher-horn I was looking at you logs — I am glad you found it.

resource "ibm_tg_connection" "per_connection" {
  gateway      = ibm_tg_gateway.gateway.id
  network_type = "power_virtual_server"
  name         = "test-case-workspace"
  network_id   = ibm_resource_instance.workspace.crn
}