Plan does not handle Network Sources Authentication Error properly #2494

@golaat

Terraform Version and Provider Version

Terraform version: 1.14.0
oci v7.27.0

Affected Resource(s)

all

Debug Output

Terraform Trace Log

2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: 2025/11/26 22:01:27 ERROR IN GET: Error returned by Identity Service. Http Status Code: 404. Error Code: NotAuthorizedOrNotFound. Opc request id: 0e202f740d4c3fb338a13da2497a3a26/B60B26305D767355B77827695048586E/5A2DB249C093AC72BF54EC170D22FF93. Message: Authorization failed or requested resource not found.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Operation Name: ListPolicies
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Timestamp: 2025-11-26 22:01:27 +0000 GMT
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Client Version: Oracle-GoSDK/65.105.0
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Request Endpoint: GET https://identity.us-phoenix-1.oci.oraclecloud.com/20160918/policies?compartmentId=ocid1.tenancy.oc1..aaaaaaaaqeu6w2p5s4riz33lvwuijstchyob36iklgotjbi444t4ycbmp35a
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Troubleshooting Tips: See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_404__404_notauthorizedornotfound for more information about resolving this error.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Also see https://docs.oracle.com/iaas/api/#/en/identity/20160918/Policy/ListPolicies for details on this operation's requirements.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: To get more info on the failing request, you can set OCI_GO_SDK_DEBUG env var to info or higher level to log the request/response details.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: If you are unable to resolve this Identity issue, please contact Oracle support and provide them this full error message.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: 2025/11/26 22:01:27 [DEBUG] Object does not exist. The error is
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0:  Error returned by Identity Service. Http Status Code: 404. Error Code: NotAuthorizedOrNotFound. Opc request id: 0e202f740d4c3fb338a13da2497a3a26/B60B26305D767355B77827695048586E/5A2DB249C093AC72BF54EC170D22FF93. Message: Authorization failed or requested resource not found.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Operation Name: ListPolicies
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Timestamp: 2025-11-26 22:01:27 +0000 GMT
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Client Version: Oracle-GoSDK/65.105.0
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Request Endpoint: GET https://identity.us-phoenix-1.oci.oraclecloud.com/20160918/policies?compartmentId=ocid1.tenancy.oc1..aaaaaaaaqeu6w2p5s4riz33lvwuijstchyob36iklgotjbi444t4ycbmp35a
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Troubleshooting Tips: See https://docs.oracle.com/iaas/Content/API/References/apierrors.htm#apierrors_404__404_notauthorizedornotfound for more information about resolving this error.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Also see https://docs.oracle.com/iaas/api/#/en/identity/20160918/Policy/ListPolicies for details on this operation's requirements.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: To get more info on the failing request, you can set OCI_GO_SDK_DEBUG env var to info or higher level to log the request/response details.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: If you are unable to resolve this Identity issue, please contact Oracle support and provide them this full error message.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: 2025/11/26 22:01:27 [DEBUG] the response contains an error, but ignoring it and voiding state
2025-11-26T22:01:27.140Z [TRACE] provider.terraform-provider-oci_v7.27.0: Called downstream: tf_rpc=ReadDataSource @module=sdk.helper_schema tf_data_source_type=oci_identity_policies tf_mux_provider="*schema.GRPCProviderServer" tf_provider_addr=registry.terraform.io/hashicorp/oci @caller=github.com/hashicorp/terraform-plugin-sdk/[email protected]/helper/schema/resource.go:1076 tf_req_id=2cf58ee9-fb9e-3dfa-a021-bb796c7e651b timestamp=2025-11-26T22:01:27.140Z
2025-11-26T22:01:27.140Z [TRACE] provider.terraform-provider-oci_v7.27.0: Received downstream response: tf_data_source_type=oci_identity_policies tf_req_id=2cf58ee9-fb9e-3dfa-a021-bb796c7e651b tf_rpc=ReadDataSource diagnostic_error_count=0 tf_proto_version=5.8 tf_provider_addr=registry.terraform.io/hashicorp/oci tf_req_duration_ms=303 @caller=github.com/hashicorp/[email protected]/tfprotov5/internal/tf5serverlogging/downstream_request.go:42 @module=sdk.proto diagnostic_warning_count=0 timestamp=2025-11-26T22:01:27.140Z
2025-11-26T22:01:27.141Z [TRACE] provider.terraform-provider-oci_v7.27.0: Served request: @module=sdk.proto tf_data_source_type=oci_identity_policies tf_proto_version=5.8 tf_req_id=2cf58ee9-fb9e-3dfa-a021-bb796c7e651b @caller=github.com/hashicorp/[email protected]/tfprotov5/tf5server/server.go:705 tf_provider_addr=registry.terraform.io/hashicorp/oci tf_rpc=ReadDataSource timestamp=2025-11-26T22:01:27.140Z
2025-11-26T22:01:27.141Z [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/oracle/oci" is in the global cache
2025-11-26T22:01:27.141Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to refreshState for data.oci_identity_policies.test_policies
2025-11-26T22:01:27.141Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for data.oci_identity_policies.test_policies
2025-11-26T22:01:27.141Z [TRACE] terraform.contextPlugins: Schema for provider "registry.terraform.io/oracle/oci" is in the global cache
2025-11-26T22:01:27.141Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState to workingState for data.oci_identity_policies.test_policies
2025-11-26T22:01:27.141Z [TRACE] NodeAbstractResouceInstance.writeResourceInstanceState: writing state object for data.oci_identity_policies.test_policies

Terraform Output

/opt/hostedtoolcache/terraform/1.14.0/x64/terraform plan -var-file=/home/vsts/work/1/a/envs/root-phoenix.tfvars -detailed-exitcode
module.policies.data.oci_identity_region_subscriptions.these: Reading...
data.oci_identity_policies.test_policies: Reading...
module.policies.data.oci_identity_tenancy.this: Reading...
module.policies.data.oci_identity_tenancy.this: Read complete after 0s [id=ocid1.tenancy.oc1..aaaaaaaaqeu6w2p5s4riz33lvwuijstchyob36iklgotjbi444t4ycbmp35a]
data.oci_identity_policies.test_policies: Read complete after 0s
module.policies.data.oci_identity_region_subscriptions.these: Read complete after 0s [id=IdentityRegionSubscriptionsDataSource-3147802002]

Changes to Outputs:
  + extracted_value = {
      + compartment_id = null
      + filter         = null
      + id             = null
      + name           = null
      + policies       = null
      + state          = null
    }

Expected Behavior

The terraform plan should report this as an error and fail.

Actual Behavior

terraform plan completes successfully. Terraform trace debug logs show the failure (as depicted above). Data block output returns no data.

Code Block

data "oci_identity_policies" "test_policies" {
    compartment_id = local.tenancy_ocid
}

output "extracted_value" {
  value = data.oci_identity_policies.test_policies
}

Steps to Reproduce

  • Create a Network Source which does not include the source IP that the API identity executing the terraform will be connecting from
  • Apply the Network Source to the Policy grants associated with the API identity executing the terraform
  • Attempt to do a Terraform plan which uses a data block to read in the tenant root policies of the default data domain and then output them
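
A pipeline-side check for the behaviour reported above, as an added example that is not part of the original report or the provider's code: it scans a Terraform trace log for a data source read where the provider logged a service error, logged that it was ignoring it, and then returned `diagnostic_error_count=0`. The function name and the embedded sample lines are constructed here (abbreviated from the shape of the trace above), and the correlation assumes the lines of one read are not interleaved with another read's.

```python
import re

# Constructed sample, abbreviated from the shape of the trace log in the report.
SAMPLE_LOG = """\
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: 2025/11/26 22:01:27 ERROR IN GET: Error returned by Identity Service. Http Status Code: 404. Error Code: NotAuthorizedOrNotFound. Message: Authorization failed or requested resource not found.
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: Operation Name: ListPolicies
2025-11-26T22:01:27.140Z [DEBUG] provider.terraform-provider-oci_v7.27.0: 2025/11/26 22:01:27 [DEBUG] the response contains an error, but ignoring it and voiding state
2025-11-26T22:01:27.140Z [TRACE] provider.terraform-provider-oci_v7.27.0: Received downstream response: tf_data_source_type=oci_identity_policies tf_rpc=ReadDataSource diagnostic_error_count=0
2025-11-26T22:01:27.150Z [TRACE] provider.terraform-provider-oci_v7.27.0: Received downstream response: tf_data_source_type=oci_identity_tenancy tf_rpc=ReadDataSource diagnostic_error_count=0
"""

SERVICE_ERROR = re.compile(r"Http Status Code: (\d{3})\. Error Code: (\w+)\.")
OPERATION = re.compile(r"Operation Name: (\w+)")
SWALLOWED = "the response contains an error, but ignoring it and voiding state"
DS_TYPE = re.compile(r"\btf_data_source_type=(\S+)")
DIAG_ERRORS = re.compile(r"\bdiagnostic_error_count=(\d+)")


def find_swallowed_reads(log_text):
    """Return one finding per data source read whose API error never reached Terraform."""
    findings = []
    last = {}          # most recent service error seen in the provider output
    swallowed = False  # set once the provider logs that it is ignoring that error
    for line in log_text.splitlines():
        if m := SERVICE_ERROR.search(line):
            last = {"status": int(m.group(1)), "code": m.group(2), "operation": None}
        elif (m := OPERATION.search(line)) and last:
            last["operation"] = m.group(1)
        if SWALLOWED in line:
            swallowed = True
        elif "Received downstream response" in line and "tf_rpc=ReadDataSource" in line:
            ds, diag = DS_TYPE.search(line), DIAG_ERRORS.search(line)
            if swallowed and ds and diag and int(diag.group(1)) == 0:
                findings.append({"data_source": ds.group(1), **last})
            last, swallowed = {}, False  # this read is finished; start clean
    return findings


if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_swallowed_reads(text)
    for h in hits:
        print(f"{h['data_source']}: {h.get('status')} {h.get('code')} during {h.get('operation')} was ignored")
    sys.exit(1 if hits else 0)
```

Run against a log captured with `TF_LOG=TRACE`, the script exits non-zero when such a read is found, so the pipeline stage fails even though `terraform plan` itself succeeded.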

Labels: awaiting-affected-resources, bug