Terraform Core Drg Attachment policy failure

Adam Gantt, Mar 10 2024

Terraform version:

❯ terraform version
Terraform v1.7.4
on darwin_arm64
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/oracle/oci v5.30.0

Successfully deployed compartments, VCNs, subnets, DRG and route tables. Attempting to create Drg Attachments to my VCNs with the following code block:

# DRG Attachment
resource "oci_core_drg_attachment" "drg" {
  for_each = data.oci_core_subnets.drg_subnets

  drg_id = oci_core_drg.drg.id
  display_name = "${local.project_name}-${title(each.key)}-DRG-Attachment"
  drg_route_table_id = oci_core_drg_route_table.default.id
  vcn_id = oci_core_vcn.vcn[each.key].id

  network_details {
    id = each.key
    type = "VCN"
    vcn_route_type = "DRG_ROUTE"
  }

  defined_tags = local.default_tags
}

Terraform plan validates my expected results:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # oci_core_drg_attachment.drg["Dev"] will be created
  + resource "oci_core_drg_attachment" "drg" {
      + compartment_id                   = (known after apply)
      + defined_tags                     = {
          + "Gantta-Sandbox.Environment" = "Sandbox"
          + "Gantta-Sandbox.Project"     = "Gantta"
        }
      + display_name                     = "Gantta-Dev-DRG-Attachment"
      + drg_id                           = "ocid1.drg.oc1.iad.aaaaaaaadyaesclbjexq2bp5rsluz2i4op5vausb7r6wbzn6iu4zbl6n7vaa"
      + drg_route_table_id               = "ocid1.drgroutetable.oc1.iad.aaaaaaaaqbii76qrjsi3lixw7isiaw53pkod4hdyrfgotilkebvhsdxelcuq"
      + export_drg_route_distribution_id = (known after apply)
      + freeform_tags                    = (known after apply)
      + id                               = (known after apply)
      + is_cross_tenancy                 = (known after apply)
      + route_table_id                   = (known after apply)
      + state                            = (known after apply)
      + time_created                     = (known after apply)
      + vcn_id                           = "ocid1.vcn.oc1.iad.<REDACTED>"

      + network_details {
          + id                      = "Dev"
          + ids                     = (known after apply)
          + ipsec_connection_id     = (known after apply)
          + route_table_id          = (known after apply)
          + transport_attachment_id = (known after apply)
          + transport_only_mode     = (known after apply)
          + type                    = "VCN"
          + vcn_route_type          = "DRG_ROUTE"
        }
    }
.....

Results in the following error message:

│ Error: 404-NotAuthorizedOrNotFound, Authorization failed or requested resource not found.
│ Suggestion: Either the resource has been deleted or service Core Drg Attachment need policy to access this resource. Policy reference: https://docs.oracle.com/en-us/iaas/Content/Identity/Reference/policyreference.htm
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/core_drg_attachment 
│ API Reference: https://docs.oracle.com/iaas/api/#/en/iaas/20160918/DrgAttachment/CreateDrgAttachment 
│ Request Target: POST https://iaas.us-ashburn-1.oraclecloud.com/20160918/drgAttachments 
│ Provider version: 5.30.0, released on 2024-02-21. This provider is 2 Update(s) behind to current. 
│ Service: Core Drg Attachment 
│ Operation Name: CreateDrgAttachment 
│ OPC request ID: 15fb60b726334bdf7f3983608b7fdda5/2CC6AF0F56AC51DC1E752BD61974758A/DF632A8CBE944265456521A26FE1C5F3 
│ 
│ 
│   with oci_core_drg_attachment.drg["Dev"],
│   on vcn_drg_attach.tf line 44, in resource "oci_core_drg_attachment" "drg":
│   44: resource "oci_core_drg_attachment" "drg" {
│ 

When I encountered this error message previously, my account was bumping up against default OCI service limit quotas; however, I don't see any such limits associated with Drg attachments.

I'm also struggling to find any relevant IAM policy that I can add, as I haven't found any related docs to allow Core Drg Attachments service to manage virtual-network-family resources.

Any tips or other settings to check would be helpful.
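
The plan in the post sets network_details.id to "Dev", while the OCI provider documents that field as the OCID of the network being attached. The following pre-apply check over `terraform show -json` output is an added example, not code from the original post or from the provider; the function name check_drg_attachments and the sample plan (including its OCIDs) are constructed for illustration.

```python
import re

# OCID layout: ocid1.<resource type>.<realm>.[region].<unique id>
OCID_RE = re.compile(r"^ocid1\.([a-z0-9]+)\.[a-z0-9-]+\.[a-z0-9-]*\.[a-z0-9.]+$")
# Resource-type segment expected for each network_details.type checked here.
EXPECTED_KIND = {"VCN": "vcn"}

def check_drg_attachments(plan):
    """Return (address, message) findings for planned oci_core_drg_attachment resources."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "oci_core_drg_attachment":
            continue
        after = (rc.get("change") or {}).get("after") or {}
        # Nested blocks appear as a list of objects in the plan JSON.
        for nd in after.get("network_details") or []:
            net_id = nd.get("id")
            if net_id is None:
                continue  # known only after apply; nothing to check yet
            m = OCID_RE.match(net_id)
            want = EXPECTED_KIND.get(nd.get("type"))
            if not m:
                findings.append((rc["address"],
                                 f"network_details.id {net_id!r} is not an OCID"))
            elif want and m.group(1) != want:
                findings.append((rc["address"],
                                 f"network_details.id is a {m.group(1)} OCID, expected {want}"))
    return findings

def _attachment(key, net_id):
    # Helper that builds one constructed resource_changes entry.
    return {"address": f'oci_core_drg_attachment.drg["{key}"]',
            "type": "oci_core_drg_attachment",
            "change": {"after": {"network_details": [{"id": net_id, "type": "VCN"}]}}}

# Constructed sample: the first entry mirrors the value shown in the post's plan,
# the other two use made-up OCIDs.
SAMPLE_PLAN = {"resource_changes": [
    _attachment("Dev", "Dev"),
    _attachment("Test", "ocid1.drg.oc1.iad.aaaaexampledrg"),
    _attachment("Prod", "ocid1.vcn.oc1.iad.aaaaexamplevcn"),
]}

if __name__ == "__main__":
    for address, message in check_drg_attachments(SAMPLE_PLAN):
        print(f"{address}: {message}")
```

To run it against a real plan, save the plan with `terraform plan -out=tfplan`, export it with `terraform show -json tfplan`, and pass the parsed JSON to check_drg_attachments.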
