ibm_cis_rate_limit Error: cis_id or zone_id not passed but it was passed in

[kevinbarker1960]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

terraform -v
Terraform v0.13.0

• provider registry.terraform.io/ibm-cloud/ibm v1.26.2

Affected Resource(s)

• ibm_cis_rate_limit

Terraform Configuration Files

resource "ibm_cis" "cis_instance" {
  count  	        = var.create_cis ? 1 : 0
  name              = format("cis-%s", var.unique_id )
  plan              = var.cis_plan 
  resource_group_id = var.resource_group_id
  tags              = var.cis_tags
  # Seems to not be an option from the Browser anymore, so just leave location as global.
  location          = "global"

  timeouts {
    create = "15m"
    update = "15m"
    delete = "15m"
  }
}

resource "ibm_cis_domain" "cis_domain" {
  count  	        = var.create_cis ? 1 : 0
  domain = local.env_domain_name
  cis_id = ibm_cis.cis_instance[0].id
}

locals {
  domain_middle = "dev"==var.environment_type ? "dev." : "stg"==var.environment_type ? "test." : ""
  env_domain_name = format("wh-%s.%stestsystem.ibm.com", var.unique_id, local.domain_middle )
}

resource "ibm_cis_rate_limit" "ratelimit" {
  count  	  = var.create_cis ? 1 : 0
  cis_id      = ibm_cis.cis_instance[0].id
  domain_id   = ibm_cis_domain.cis_domain[0].domain_id
  description = "Suspicious requests"
  threshold   = 1000000
  period      = 3600
  match {
      request {
          url = format("*.%s", local.env_domain_name)
          schemes = ["HTTP", "HTTPS"]
          methods = ["_ALL_"]
      }
  }
  action {
      mode = "ban"
      timeout = 86400
  }
  disabled = false
}

variable create_cis {
  default=true
}

variable unique_id {}

variable "resource_group_id" {}

variable "cis_plan" {
  default     = "enterprise-usage"
}

variable environment_type {
 	description = "dev, stg, or prd. Will affect the domain generated."
 	type = string
 	default = "dev"
 	validation {
 	  condition =  contains(["dev","stg","prd"],var.environment_type)
 	  error_message = "The variable environment_type must be one of dev, stg, or prd." 
 	}
}
terraform {
  required_version = ">= 0.13"
  required_providers {
    ibm = {
     source = "IBM-Cloud/ibm"
      version = ">= 1.18.0"
    }
  }
}

Plan output

  + resource "ibm_cis_rate_limit" "ratelimit" {
      + cis_id      = "2f70cb31-7c7e-4271-92cb-4b7b4b5c8737"
      + description = "Suspicious requests"
      + disabled    = false
      + domain_id   = "f3d51dd43ff9b463a270d04e0d6ffcc4"
      + id          = (known after apply)
      + period      = 3600
      + rule_id     = (known after apply)
      + threshold   = 1000000

      + action {
          + mode    = "ban"
          + timeout = 86400
        }

      + match {
          + request {
              + methods = [
                  + "_ALL_",
                ]
              + schemes = [
                  + "HTTP",
                  + "HTTPS",
                ]
              + url     = "*.wh-ksb-docker.dev.testsystem.ibm.com"
            }
        }
    }

Notice that the "cis_id" above is not a CRN, but guid.
Other resources using the same syntax to get the cis_id resolve to:
cis_id = "crn:v1:bluemix:public:internet-svcs:global:a/b2025f2345dc4e2c9477a5b4c0428805:2f70cb31-7c7e-4271-92cb-4b7b4b5c8737::"

Expected Behavior

Should have created an ibm_cis_rate_limit rule associated with the cis instance.

Actual Behavior

terraform apply resulted in:

ibm_cis_rate_limit.ratelimit[0]: Creating...
...
Error:  cis_id or zone_id not passed

  on cis.tf line 174, in resource "ibm_cis_rate_limit" "ratelimit":
 174: resource "ibm_cis_rate_limit" "ratelimit" {

Steps to Reproduce

1. terraform apply

I also tried modifying the tf files and hard coding the full cis_id crn. The plan then showed:

+ resource "ibm_cis_rate_limit" "ratelimit" {
      + cis_id      = "crn:v1:bluemix:public:internet-svcs:global:a/b2025f2345dc4e2c9477a5b4c0428805:2f70cb31-7c7e-4271-92cb-4b7b4b5c8737::"
      + description = "Suspicious requests"

But the apply had the same error:

Error:  cis_id or zone_id not passed

  on cis.tf line 175, in resource "ibm_cis_rate_limit" "ratelimit":
 175: resource "ibm_cis_rate_limit" "ratelimit" {

I also tried creating the object in the Browser and then doing an import, which worked

terraform import ibm_cis_rate_limit.ratelimit 7e8e2e0c8c5741aeb6336710cdf3e814:f3d51dd43ff9b463a270d04e0d6ffcc4:crn:v1:bluemix:public:internet-svcs:global:a/b2025f2345dc4e2c9477a5b4c0428805:2f70cb31-7c7e-4271-92cb-4b7b4b5c8737::
var.unique_id
  Enter a value: ksb-docker

var.vpc_load_balancer_address
  Address of the vpc load balancer to use in the origin

  Enter a value: 1.2.3.4

ibm_cis_rate_limit.ratelimit: Importing from ID "7e8e2e0c8c5741aeb6336710cdf3e814:f3d51dd43ff9b463a270d04e0d6ffcc4:crn:v1:bluemix:public:internet-svcs:global:a/b2025f2345dc4e2c9477a5b4c0428805:2f70cb31-7c7e-4271-92cb-4b7b4b5c8737::"...
ibm_cis_rate_limit.ratelimit: Import prepared!
  Prepared ibm_cis_rate_limit for import
ibm_cis_rate_limit.ratelimit: Refreshing state... [id=7e8e2e0c8c5741aeb6336710cdf3e814:f3d51dd43ff9b463a270d04e0d6ffcc4:crn:v1:bluemix:public:internet-svcs:global:a/b2025f2345dc4e2c9477a5b4c0428805:2f70cb31-7c7e-4271-92cb-4b7b4b5c8737::]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

I then tried a plan and apply (the apply failed):

  # ibm_cis_rate_limit.ratelimit[0] will be updated in-place
  ~ resource "ibm_cis_rate_limit" "ratelimit" {
        cis_id      = "crn:v1:bluemix:public:internet-svcs:global:a/b2025f2345dc4e2c9477a5b4c0428805:2f70cb31-7c7e-4271-92cb-4b7b4b5c8737::"
      ~ description = "Browser Suspicious requests" -> "Suspicious requests"
        disabled    = false
        domain_id   = "f3d51dd43ff9b463a270d04e0d6ffcc4"
        id          = "7e8e2e0c8c5741aeb6336710cdf3e814:f3d51dd43ff9b463a270d04e0d6ffcc4:crn:v1:bluemix:public:internet-svcs:global:a/b2025f2345dc4e2c9477a5b4c0428805:2f70cb31-7c7e-4271-92cb-4b7b4b5c8737::"
        period      = 3600
        rule_id     = "7e8e2e0c8c5741aeb6336710cdf3e814"
        threshold   = 1000000

        action {
            mode    = "ban"
            timeout = 86400
        }

      ~ match {
          ~ request {
                methods = [
                    "_ALL_",
                ]
              ~ schemes = [
                  + "HTTP",
                  + "HTTPS",
                  - "_ALL_",
                ]
                url     = "*.wh-ksb-docker.dev.testsystem.ibm.com"
            }
        }
    }

apply:

ibm_cis_rate_limit.ratelimit[0]: Modifying... [id=7e8e2e0c8c5741aeb6336710cdf3e814:f3d51dd43ff9b463a270d04e0d6ffcc4:crn:v1:bluemix:public:internet-svcs:global:a/b2025f2345dc4e2c9477a5b4c0428805:2f70cb31-7c7e-4271-92cb-4b7b4b5c8737::]

Error: Error in getting correlate from expandRateLimitCorrelate correlate field is empty

  on cis.tf line 175, in resource "ibm_cis_rate_limit" "ratelimit":
 175: resource "ibm_cis_rate_limit" "ratelimit" {