atracker target set to COS is getting recreated and also updating the atracker route.

[Aashiq-J]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Affected Resource(s)

• ibm_atracker_target
• ibm_atracker_route

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

terraform {
  required_version = ">= 1.3"
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
      version = "1.76.3"
    }
  }
}

provider "ibm" {
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
}

variable "ibmcloud_api_key" {
  type        = string
  description = "The IBM Cloud api token"
  sensitive   = true
}

variable "region" {
  type        = string
  description = "Region where resources are created"
  default     = "eu-de"
}

variable "prefix" {
  type        = string
  description = "Prefix for name of all resource created by this example"
  validation {
    error_message = "Prefix must begin and end with a letter and contain only letters, numbers, and - characters."
    condition     = can(regex("^([A-z]|[a-z][-a-z0-9]*[a-z0-9])$", var.prefix))
  }
}

module "resource_group" {
  source              = "terraform-ibm-modules/resource-group/ibm"
  version             = "1.2.0"
  resource_group_name = "${var.prefix}-resource-group"
}

resource "ibm_resource_instance" "cos_instance" {
  name              = "${var.prefix}-cos"
  resource_group_id = module.resource_group.resource_group_id
  service           = "cloud-object-storage"
  plan              = "standard"
  location          = "global"
}


resource "ibm_cos_bucket" "cos_bucket" {
  bucket_name          = "${var.prefix}-bucket"
  resource_instance_id = ibm_resource_instance.cos_instance.id
  region_location      = var.region
  storage_class        = "standard"
}

resource "ibm_iam_authorization_policy" "cos_bucket_policy" {
  source_service_name = "atracker"
  roles               = ["Object Writer"]
  description         = "Allow atracker to write to COS bucket"

  resource_attributes {
    name     = "accountId"
    operator = "stringEquals"
    value    = trimprefix(split(":", ibm_cos_bucket.cos_bucket.crn)[6], "a/")
  }

  resource_attributes {
    name     = "serviceName"
    operator = "stringEquals"
    value    = "cloud-object-storage"
  }

  resource_attributes {
    name     = "resourceType"
    operator = "stringEquals"
    value    = "bucket"
  }

  resource_attributes {
    name     = "resource"
    operator = "stringEquals"
    value    = split(":", ibm_cos_bucket.cos_bucket.crn)[9]
  }
  lifecycle {
    create_before_destroy = true
  }
}

resource "time_sleep" "wait_for_authorization_policy_buckets" {
  depends_on = [ibm_iam_authorization_policy.cos_bucket_policy]

  create_duration = "30s"
}


resource "ibm_atracker_target" "atracker_target" {
  depends_on = [time_sleep.wait_for_authorization_policy_buckets]
  cos_endpoint {
    endpoint                   = "s3.private.${var.region}.cloud-object-storage.appdomain.cloud"
    target_crn                 = ibm_resource_instance.cos_instance.crn
    bucket                     = "${var.prefix}-bucket"
    service_to_service_enabled = true
  }
  name        = "${var.prefix}-atracker"
  target_type = "cloud_object_storage"
}

resource "ibm_atracker_route" "atracker_route" {
  name = "${var.prefix}-atracker-route"
  rules {
    target_ids = [
      ibm_atracker_target.atracker_target.id
    ]
    locations = ["*", "global"]
  }
}

Debug Output

Terraform will perform the following actions:

  # ibm_atracker_route.atracker_route will be updated in-place
  ~ resource "ibm_atracker_route" "atracker_route" {
        id          = "deb3d8e5-4895-4c78-a576-64143a9e372a"
        name        = "test994-atracker-route"
        # (5 unchanged attributes hidden)

      ~ rules {
          ~ target_ids = [
              - "770e720e-5014-4ba0-b96f-bfcb1f6f8142",
            ] -> (known after apply)
            # (1 unchanged attribute hidden)
        }
    }

  # ibm_atracker_target.atracker_target must be replaced
-/+ resource "ibm_atracker_target" "atracker_target" {
      ~ api_version  = 2 -> (known after apply)
      ~ created_at   = "2025-04-24T10:40:10.109Z" -> (known after apply)
      ~ crn          = "crn:v1:bluemix:public:atracker:eu-de:a/abac0df06b644a9cabc6e44f55b3880e::target:770e720e-5014-4ba0-b96f-bfcb1f6f8142" -> (known after apply)
      ~ id           = "770e720e-5014-4ba0-b96f-bfcb1f6f8142" -> (known after apply)
      + message      = (known after apply)
        name         = "test994-atracker"
      - region       = "eu-de" -> null # forces replacement
      ~ updated_at   = "2025-04-24T10:40:10.109Z" -> (known after apply)
      ~ write_status = [
          - {
              - status                  = "success"
                # (2 unchanged attributes hidden)
            },
        ] -> (known after apply)
        # (1 unchanged attribute hidden)

      ~ cos_endpoint {
          - api_key                    = (sensitive value) -> null
            # (4 unchanged attributes hidden)
        }
    }

Plan: 1 to add, 1 to change, 1 to destroy.

Panic Output

Expected Behavior

No changes to the resources

Actual Behavior

It is recreating target and route

Steps to Reproduce

1. terraform apply
2. change provider version from 1.76.3 -> 1.77.1
3. terraform plan

Important Factoids

References

• #0000

[wenjian2]

Found the root cause. The region attribute should not be returned when it is not defined in the target resource. Otherwise, terraform thinks the region attribute is changed to null.