
SM DA catalog validation fails regular with s2s auth policy clash #422


@ocofaigh

The following error keeps occurring during catalog validation for the SM DA because the validation deploys into an existing resource group and against an existing HPCS instance. The service-to-service (s2s) authorization policy the DA creates is keyed on that resource group (the subject's `resourceGroupId`) and that HPCS instance (the target `serviceInstance`), so parallel validation runs attempt to create an identical policy and IAM rejects the second attempt with a 409 `policy_conflict_error`:

Error: [ERROR] Error creating authorization policy: The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (84261dbd-0f7c-4760-af70-30419052b761), or update the one you're trying to assign to include a different attribute assignment. {
 2025/09/28 20:02:19 Terraform apply |     "StatusCode": 409,
 2025/09/28 20:02:19 Terraform apply |     "Headers": {
 2025/09/28 20:02:19 Terraform apply |         "Cache-Control": [
 2025/09/28 20:02:19 Terraform apply |             "no-cache,no-store"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Connection": [
 2025/09/28 20:02:19 Terraform apply |             "keep-alive"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Content-Length": [
 2025/09/28 20:02:19 Terraform apply |             "1681"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Content-Type": [
 2025/09/28 20:02:19 Terraform apply |             "application/json; charset=utf-8"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Date": [
 2025/09/28 20:02:19 Terraform apply |             "Sun, 28 Sep 2025 20:01:49 GMT"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Expires": [
 2025/09/28 20:02:19 Terraform apply |             "Thursday, 1 January 1970 00:00:00 GMT"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Pragma": [
 2025/09/28 20:02:19 Terraform apply |             "no-cache"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Response-Time": [
 2025/09/28 20:02:19 Terraform apply |             "109.267ms"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Server": [
 2025/09/28 20:02:19 Terraform apply |             "nginx"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Strict-Transport-Security": [
 2025/09/28 20:02:19 Terraform apply |             "max-age=31536000; includeSubDomains",
 2025/09/28 20:02:19 Terraform apply |             "max-age=31536000; includeSubDomains"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "Transaction-Id": [
 2025/09/28 20:02:19 Terraform apply |             "0a9f68fe8fca4514bccf0bd4c1285d9b"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "X-Envoy-Upstream-Service-Time": [
 2025/09/28 20:02:19 Terraform apply |             "127"
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "X-Response-Time": [
 2025/09/28 20:02:19 Terraform apply |             "111.722ms"
 2025/09/28 20:02:19 Terraform apply |         ]
 2025/09/28 20:02:19 Terraform apply |     },
 2025/09/28 20:02:19 Terraform apply |     "Result": {
 2025/09/28 20:02:19 Terraform apply |         "errors": [
 2025/09/28 20:02:19 Terraform apply |             {
 2025/09/28 20:02:19 Terraform apply |                 "code": "policy_conflict_error",
 2025/09/28 20:02:19 Terraform apply |                 "details": {
 2025/09/28 20:02:19 Terraform apply |                     "conflicts_with": {
 2025/09/28 20:02:19 Terraform apply |                         "etag": "1-c37fa103e49b83d766938d655768a602",
 2025/09/28 20:02:19 Terraform apply |                         "policy": {
 2025/09/28 20:02:19 Terraform apply |                             "control": {
 2025/09/28 20:02:19 Terraform apply |                                 "grant": {
 2025/09/28 20:02:19 Terraform apply |                                     "roles": [
 2025/09/28 20:02:19 Terraform apply |                                         {
 2025/09/28 20:02:19 Terraform apply |                                             "role_id": "crn:v1:bluemix:public:iam::::role:Viewer"
 2025/09/28 20:02:19 Terraform apply |                                         }
 2025/09/28 20:02:19 Terraform apply |                                     ]
 2025/09/28 20:02:19 Terraform apply |                                 }
 2025/09/28 20:02:19 Terraform apply |                             },
 2025/09/28 20:02:19 Terraform apply |                             "created_at": "2025-09-28T19:40:11.642Z",
 2025/09/28 20:02:19 Terraform apply |                             "created_by_id": "IBMid-666000KAO3",
 2025/09/28 20:02:19 Terraform apply |                             "description": "Allow all Secrets Manager instances in the resource group 07b6d899988a4631841e3bc7d0307dcf viewer access to the hs-crypto instance GUID e6dce284-e80f-46e1-a3c1-830f7adff7a9.",
 2025/09/28 20:02:19 Terraform apply |                             "href": "https://private.iam.cloud.ibm.com/v1/policies/84261dbd-0f7c-4760-af70-30419052b761",
 2025/09/28 20:02:19 Terraform apply |                             "id": "84261dbd-0f7c-4760-af70-30419052b761",
 2025/09/28 20:02:19 Terraform apply |                             "last_modified_at": "2025-09-28T19:40:11.642Z",
 2025/09/28 20:02:19 Terraform apply |                             "last_modified_by_id": "IBMid-666000KAO3",
 2025/09/28 20:02:19 Terraform apply |                             "resource": {
 2025/09/28 20:02:19 Terraform apply |                                 "attributes": [
 2025/09/28 20:02:19 Terraform apply |                                     {
 2025/09/28 20:02:19 Terraform apply |                                         "key": "serviceName",
 2025/09/28 20:02:19 Terraform apply |                                         "operator": "stringEquals",
 2025/09/28 20:02:19 Terraform apply |                                         "value": "hs-crypto"
 2025/09/28 20:02:19 Terraform apply |                                     },
 2025/09/28 20:02:19 Terraform apply |                                     {
 2025/09/28 20:02:19 Terraform apply |                                         "key": "accountId",
 2025/09/28 20:02:19 Terraform apply |                                         "operator": "stringEquals",
 2025/09/28 20:02:19 Terraform apply |                                         "value": "abac0df06b644a9cabc6e44f55b3880e"
 2025/09/28 20:02:19 Terraform apply |                                     },
 2025/09/28 20:02:19 Terraform apply |                                     {
 2025/09/28 20:02:19 Terraform apply |                                         "key": "serviceInstance",
 2025/09/28 20:02:19 Terraform apply |                                         "operator": "stringEquals",
 2025/09/28 20:02:19 Terraform apply |                                         "value": "e6dce284-e80f-46e1-a3c1-830f7adff7a9"
 2025/09/28 20:02:19 Terraform apply |                                     }
 2025/09/28 20:02:19 Terraform apply |                                 ]
 2025/09/28 20:02:19 Terraform apply |                             },
 2025/09/28 20:02:19 Terraform apply |                             "state": "active",
 2025/09/28 20:02:19 Terraform apply |                             "subject": {
 2025/09/28 20:02:19 Terraform apply |                                 "attributes": [
 2025/09/28 20:02:19 Terraform apply |                                     {
 2025/09/28 20:02:19 Terraform apply |                                         "key": "serviceName",
 2025/09/28 20:02:19 Terraform apply |                                         "operator": "stringEquals",
 2025/09/28 20:02:19 Terraform apply |                                         "value": "secrets-manager"
 2025/09/28 20:02:19 Terraform apply |                                     },
 2025/09/28 20:02:19 Terraform apply |                                     {
 2025/09/28 20:02:19 Terraform apply |                                         "key": "accountId",
 2025/09/28 20:02:19 Terraform apply |                                         "operator": "stringEquals",
 2025/09/28 20:02:19 Terraform apply |                                         "value": "abac0df06b644a9cabc6e44f55b3880e"
 2025/09/28 20:02:19 Terraform apply |                                     },
 2025/09/28 20:02:19 Terraform apply |                                     {
 2025/09/28 20:02:19 Terraform apply |                                         "key": "resourceGroupId",
 2025/09/28 20:02:19 Terraform apply |                                         "operator": "stringEquals",
 2025/09/28 20:02:19 Terraform apply |                                         "value": "07b6d899988a4631841e3bc7d0307dcf"
 2025/09/28 20:02:19 Terraform apply |                                     }
 2025/09/28 20:02:19 Terraform apply |                                 ]
 2025/09/28 20:02:19 Terraform apply |                             },
 2025/09/28 20:02:19 Terraform apply |                             "type": "authorization",
 2025/09/28 20:02:19 Terraform apply |                             "version": "v1.0"
 2025/09/28 20:02:19 Terraform apply |                         }
 2025/09/28 20:02:19 Terraform apply |                     }
 2025/09/28 20:02:19 Terraform apply |                 },
 2025/09/28 20:02:19 Terraform apply |                 "message": "The policy wasn't created because an access policy with identical attributes and roles already exists. Please update the rule in the existing policy (84261dbd-0f7c-4760-af70-30419052b761), or update the one you're trying to assign to include a different attribute assignment."
 2025/09/28 20:02:19 Terraform apply |             }
 2025/09/28 20:02:19 Terraform apply |         ],
 2025/09/28 20:02:19 Terraform apply |         "status_code": 409,
 2025/09/28 20:02:19 Terraform apply |         "trace": "0a9f68fe8fca4514bccf0bd4c1285d9b"
 2025/09/28 20:02:19 Terraform apply |     },
 2025/09/28 20:02:19 Terraform apply |     "RawResult": null
 2025/09/28 20:02:19 Terraform apply | }
 2025/09/28 20:02:19 Terraform apply | 
 2025/09/28 20:02:19 Terraform apply | 
 2025/09/28 20:02:19 Terraform apply |   with module.secrets_manager.ibm_iam_authorization_policy.secrets_manager_hpcs_policy[0],
 2025/09/28 20:02:19 Terraform apply |   on ../../main.tf line 137, in resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy":
 2025/09/28 20:02:19 Terraform apply |  137: resource "ibm_iam_authorization_policy" "secrets_manager_hpcs_policy" {
 2025/09/28 20:02:19 Terraform apply | 

The solution here would be to either:
a) update to use Key Protect <- this will fail some fscloud rules
b) create a new resource group every time for the catalog validation deploy, so each run's policy has a distinct subject (`resourceGroupId`) and no longer collides with the policy left behind by a parallel run

Note that the conflicting policy grants Viewer on the HPCS instance to *every* Secrets Manager instance in the shared resource group (see the policy description in the error above), so a shared resource group also means any other SM instance placed there inherits that access; option b) is the tighter least-privilege choice as well as the fix for the clash. If a shared policy is kept instead, it is worth confirming what happens when the run that created it is destroyed while another run still depends on it.
