User vs Acct MFA execution bug #4967

Open
jpmonge86 opened this issue Dec 5, 2023 · 0 comments
Labels
service/IAM Issues related to IAM

jpmonge86 commented Dec 5, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Terraform v1.3.0

Affected Resource(s)

ibm_iam_account_settings resource

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

resource "ibm_iam_account_settings" "iam_account_settings" {
  if_match                                   = "*"
  allowed_ip_addresses                       = local.iam_allowed_ip_addresses
  max_sessions_per_identity                  = var.max_sessions_per_identity
  mfa                                        = var.mfa
  restrict_create_service_id                 = var.serviceid_creation
  restrict_create_platform_apikey            = var.api_creation
  session_expiration_in_seconds              = var.active_session_timeout
  session_invalidation_in_seconds            = var.inactive_session_timeout
  system_access_token_expiration_in_seconds  = var.access_token_expiration
  system_refresh_token_expiration_in_seconds = var.refresh_token_expiration
}

Debug Output

Panic Output

Expected Behavior

User_mfa input is optional; therefore, skipping this should not result in a change. Rather, it should enforce the account MFA while preserving the user-specific one(s).

Actual Behavior

When I apply the configuration, I am only specifying the MFA input/argument, but my account is configured with some user-specific MFA settings (I am not specifying the user_mfa input in my TF config). When executing apply, I see a change that gets picked up indicating a user_mfa update, followed by an execution error:

module.iam_account_settings.ibm_cloud_shell_account_settings.cloud_shell_account_settings: Refreshing state... [id=ac-5a5b9393966873091a0d13cd50dc40ad]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # module.iam_account_settings.ibm_iam_account_settings.iam_account_settings will be updated in-place
  ~ resource "ibm_iam_account_settings" "iam_account_settings" {
        id                                         = "5a5b9393966873091a0d13cd50dc40ad"
        # (13 unchanged attributes hidden)

      - user_mfa {
          - iam_id = "IBMid-31000293CH" -> null
          - mfa    = "LEVEL3" -> null
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
module.iam_account_settings.ibm_iam_account_settings.iam_account_settings: Still modifying... [id=5a5b9393966873091a0d13cd50dc40ad, 40s elapsed]
╷
│ Error: RuntimeException.
│
│   with module.iam_account_settings.ibm_iam_account_settings.iam_account_settings,
│   on ../../main.tf line 17, in resource "ibm_iam_account_settings" "iam_account_settings":
│   17: resource "ibm_iam_account_settings" "iam_account_settings" {

Steps to Reproduce

  1. terraform apply

github-actions bot added the service/IAM (Issues related to IAM) label Dec 5, 2023
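
A CI guard for the behaviour reported above, as an added example that is not part of the original issue or of the provider's code: it reads the JSON form of a saved plan (`terraform show -json`) and reports every `user_mfa` entry on `ibm_iam_account_settings` that the plan would remove or change. The function names, the script name and the sample plan (with a placeholder `iam_id`) are constructed for illustration, and the list shape of `user_mfa` in the JSON is assumed from the plan output in the issue.

```python
import json
import sys

# Constructed sample: a trimmed `terraform show -json` document modelled on the
# plan in this issue. The iam_id is a placeholder, not a real identity.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [{
        "address": "module.iam_account_settings.ibm_iam_account_settings.iam_account_settings",
        "type": "ibm_iam_account_settings",
        "change": {
            "actions": ["update"],
            "before": {"user_mfa": [{"iam_id": "IBMid-EXAMPLE0001", "mfa": "LEVEL3"}]},
            "after": {"user_mfa": []},
        },
    }]
})


def _user_mfa(state):
    """Map iam_id -> MFA level for one side of a change (state may be null)."""
    return {e["iam_id"]: e.get("mfa") for e in ((state or {}).get("user_mfa") or [])}


def user_mfa_drift(plan_json):
    """Return (address, iam_id, before, after) for each per-user MFA entry
    that the plan would remove or change on ibm_iam_account_settings."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "ibm_iam_account_settings":
            continue
        change = rc.get("change", {})
        before = _user_mfa(change.get("before"))
        after = _user_mfa(change.get("after"))  # null on destroy: all entries flagged
        for iam_id, level in sorted(before.items()):
            if after.get(iam_id) != level:
                findings.append((rc["address"], iam_id, level, after.get(iam_id)))
    return findings


if __name__ == "__main__":
    # Usage: terraform show -json tfplan | python check_user_mfa.py
    text = SAMPLE_PLAN if sys.stdin.isatty() else sys.stdin.read()
    hits = user_mfa_drift(text)
    for addr, iam_id, old, new in hits:
        print(f"{addr}: user_mfa for {iam_id} would change {old} -> {new}")
    sys.exit(1 if hits else 0)
```

Run against a saved plan before `terraform apply`, a non-zero exit stops the pipeline when per-user MFA settings would be dropped.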