Tests (including the catalog validation) that use our permanent HPCS instance can fail with the error below if an authorization policy already exists in our account. This happens because, when HPCS is used, the module creates a second authorization policy (here) that is not scoped to any KMS key; an instance-wide policy with the same subject, target and role as an existing one is rejected by IAM as a conflict rather than created.
2025/04/25 16:26:43 Terraform apply | Error: [ERROR] Error creating authorization policy: The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (b5cc1116-06b9-4dab-af2b-acf109e20620), or update the one you're trying to assign to include a different attribute assignment. {
2025/04/25 16:26:43 Terraform apply | "StatusCode": 409,
2025/04/25 16:26:43 Terraform apply | "Headers": {
2025/04/25 16:26:43 Terraform apply | "Cache-Control": [
2025/04/25 16:26:43 Terraform apply | "no-cache,no-store"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Connection": [
2025/04/25 16:26:43 Terraform apply | "keep-alive"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Content-Length": [
2025/04/25 16:26:43 Terraform apply | "1681"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Content-Type": [
2025/04/25 16:26:43 Terraform apply | "application/json; charset=utf-8"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Date": [
2025/04/25 16:26:43 Terraform apply | "Fri, 25 Apr 2025 16:26:12 GMT"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Expires": [
2025/04/25 16:26:43 Terraform apply | "Thursday, 1 January 1970 00:00:00 GMT"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Pragma": [
2025/04/25 16:26:43 Terraform apply | "no-cache"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Response-Time": [
2025/04/25 16:26:43 Terraform apply | "84.378ms"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Server": [
2025/04/25 16:26:43 Terraform apply | "nginx"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Strict-Transport-Security": [
2025/04/25 16:26:43 Terraform apply | "max-age=31536000; includeSubDomains",
2025/04/25 16:26:43 Terraform apply | "max-age=31536000; includeSubDomains"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "Transaction-Id": [
2025/04/25 16:26:43 Terraform apply | "b6515388ca3a4f6494acb945ee767b26"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "X-Envoy-Upstream-Service-Time": [
2025/04/25 16:26:43 Terraform apply | "108"
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "X-Response-Time": [
2025/04/25 16:26:43 Terraform apply | "87.134ms"
2025/04/25 16:26:43 Terraform apply | ]
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | "Result": {
2025/04/25 16:26:43 Terraform apply | "errors": [
2025/04/25 16:26:43 Terraform apply | {
2025/04/25 16:26:43 Terraform apply | "code": "policy_conflict_error",
2025/04/25 16:26:43 Terraform apply | "details": {
2025/04/25 16:26:43 Terraform apply | "conflicts_with": {
2025/04/25 16:26:43 Terraform apply | "etag": "1-3bbef6a3bf3508c665e0d0e145412df9",
2025/04/25 16:26:43 Terraform apply | "policy": {
2025/04/25 16:26:43 Terraform apply | "control": {
2025/04/25 16:26:43 Terraform apply | "grant": {
2025/04/25 16:26:43 Terraform apply | "roles": [
2025/04/25 16:26:43 Terraform apply | {
2025/04/25 16:26:43 Terraform apply | "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
2025/04/25 16:26:43 Terraform apply | }
2025/04/25 16:26:43 Terraform apply | ]
2025/04/25 16:26:43 Terraform apply | }
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | "created_at": "2025-04-07T11:52:30.189Z",
2025/04/25 16:26:43 Terraform apply | "created_by_id": "IBMid-060001PU50",
2025/04/25 16:26:43 Terraform apply | "description": "Allow all Secrets Manager instances in the resource group e11a55e356cc42f78822b1aa5d3a41a5 viewer access to the hs-crypto instance GUID e6dce284-e80f-46e1-a3c1-830f7adff7a9.",
2025/04/25 16:26:43 Terraform apply | "href": "https://private.iam.cloud.ibm.com/v1/policies/b5cc1116-06b9-4dab-af2b-acf109e20620",
2025/04/25 16:26:43 Terraform apply | "id": "b5cc1116-06b9-4dab-af2b-acf109e20620",
2025/04/25 16:26:43 Terraform apply | "last_modified_at": "2025-04-07T11:52:30.189Z",
2025/04/25 16:26:43 Terraform apply | "last_modified_by_id": "IBMid-060001PU50",
2025/04/25 16:26:43 Terraform apply | "resource": {
2025/04/25 16:26:43 Terraform apply | "attributes": [
2025/04/25 16:26:43 Terraform apply | {
2025/04/25 16:26:43 Terraform apply | "key": "serviceName",
2025/04/25 16:26:43 Terraform apply | "operator": "stringEquals",
2025/04/25 16:26:43 Terraform apply | "value": "hs-crypto"
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | {
2025/04/25 16:26:43 Terraform apply | "key": "accountId",
2025/04/25 16:26:43 Terraform apply | "operator": "stringEquals",
2025/04/25 16:26:43 Terraform apply | "value": "abac0df06b644a9cabc6e44f55b3880e"
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | {
2025/04/25 16:26:43 Terraform apply | "key": "serviceInstance",
2025/04/25 16:26:43 Terraform apply | "operator": "stringEquals",
2025/04/25 16:26:43 Terraform apply | "value": "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
2025/04/25 16:26:43 Terraform apply | }
2025/04/25 16:26:43 Terraform apply | ]
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | "state": "active",
2025/04/25 16:26:43 Terraform apply | "subject": {
2025/04/25 16:26:43 Terraform apply | "attributes": [
2025/04/25 16:26:43 Terraform apply | {
2025/04/25 16:26:43 Terraform apply | "key": "serviceName",
2025/04/25 16:26:43 Terraform apply | "operator": "stringEquals",
2025/04/25 16:26:43 Terraform apply | "value": "secrets-manager"
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | {
2025/04/25 16:26:43 Terraform apply | "key": "accountId",
2025/04/25 16:26:43 Terraform apply | "operator": "stringEquals",
2025/04/25 16:26:43 Terraform apply | "value": "abac0df06b644a9cabc6e44f55b3880e"
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | {
2025/04/25 16:26:43 Terraform apply | "key": "resourceGroupId",
2025/04/25 16:26:43 Terraform apply | "operator": "stringEquals",
2025/04/25 16:26:43 Terraform apply | "value": "e11a55e356cc42f78822b1aa5d3a41a5"
2025/04/25 16:26:43 Terraform apply | }
2025/04/25 16:26:43 Terraform apply | ]
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | "type": "authorization",
2025/04/25 16:26:43 Terraform apply | "version": "v1.0"
2025/04/25 16:26:43 Terraform apply | }
2025/04/25 16:26:43 Terraform apply | }
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | "message": "The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (b5cc1116-06b9-4dab-af2b-acf109e20620), or update the one you're trying to assign to include a different attribute assignment."
2025/04/25 16:26:43 Terraform apply | }
2025/04/25 16:26:43 Terraform apply | ],
2025/04/25 16:26:43 Terraform apply | "status_code": 409,
2025/04/25 16:26:43 Terraform apply | "trace": "b6515388ca3a4f6494acb945ee767b26"
2025/04/25 16:26:43 Terraform apply | },
2025/04/25 16:26:43 Terraform apply | "RawResult": null
2025/04/25 16:26:43 Terraform apply | }
2025/04/25 16:26:43 Terraform apply |
2025/04/25 16:26:43 Terraform apply |
2025/04/25 16:26:43 Terraform apply | with module.secrets_manager.module.secrets_manager.ibm_iam_authorization_policy.secrets_manager_hpcs_policy[0],
2025/04/25 16:26:43 Terraform apply | on ../../main.tf line 137, in resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy":
2025/04/25 16:26:43 Terraform apply | 137: resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy" {
2025/04/25 16:26:43 Terraform apply |
2025/04/25 16:26:43 Terraform apply | ---
The best way to prevent this is to use Key Protect instead of HPCS, and to provision a new Key Protect instance before running the DA test. We already have the code to do this in https://github.com/terraform-ibm-modules/terraform-ibm-secrets-manager/blob/main/tests/existing-resources/main.tf, so it can be used by the tests and also by catalog validation by deploying it as part of a pre-validate script.