Regression: "AuthorizationDelegator" no longer works in 1.30.0 #3013

Closed
l2fprod opened this issue Aug 19, 2021 · 3 comments · Fixed by #3271
Labels
bug service/IAMPAP Issues related to IAM Policy Management

l2fprod commented Aug 19, 2021

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Affected Resource(s)

  • ibm_iam_authorization_policy

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

terraform {
  required_providers {
    ibm = {
      source  = "IBM-Cloud/ibm"
    }
  }
}

provider "ibm" {
  visibility = "public"
}

resource "ibm_iam_authorization_policy" "redis_policy" {
  source_service_name         = "databases-for-redis"
  target_service_name         = "kms"
  roles                       = ["Reader", "AuthorizationDelegator"]
}

Actual Behavior

Fails with provider 1.30.0 but works with 1.29.0:

╷
│ Error: RoleDoesnotExist: AuthorizationDelegator was not found. Valid roles are Writer, Manager, ReaderPlus, Reader, KeyPurge
│
│   with ibm_iam_authorization_policy.redis_policy,
│   on main.tf line 28, in resource "ibm_iam_authorization_policy" "redis_policy":
│   28: resource "ibm_iam_authorization_policy" "redis_policy" {
│
╵
@l2fprod l2fprod added the bug label Aug 19, 2021
@kavya498 kavya498 added the service/IAM Issues related to IAM label Aug 19, 2021

l2fprod commented Sep 29, 2021

It works from the UI, and the created policy references AuthorizationDelegator:

        "roles": [
            {
                "role_id": "crn:v1:bluemix:public:iam::::role:AuthorizationDelegator",
                "display_name": "AuthorizationDelegator",
                "description": "AuthorizationDelegator"
            },
            {
                "role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
                "display_name": "Reader",
                "description": "As a reader, you can perform read-only actions within a service such as viewing service-specific resources."
            }
        ],
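
A post-apply check, added here as an example (it is not part of the issue thread or the provider's code): it parses the `role_id` CRNs of a policy like the one quoted above and compares the granted roles with the ones declared in the Terraform resource. The CRN layout is assumed from the two `role_id` values in the comment, the sample policy is constructed from them, and the function names are hypothetical.

```python
import json

# Constructed sample: the "roles" fragment quoted in the comment, wrapped in an object.
POLICY = json.loads("""
{"roles": [
  {"role_id": "crn:v1:bluemix:public:iam::::role:AuthorizationDelegator",
   "display_name": "AuthorizationDelegator"},
  {"role_id": "crn:v1:bluemix:public:iam::::serviceRole:Reader",
   "display_name": "Reader"}
]}
""")


def parse_role_crn(role_id):
    """Split a role CRN into (kind, name), e.g. ('serviceRole', 'Reader')."""
    parts = role_id.split(":")
    # Assumed layout, taken from the quoted policy:
    #   crn:v1:bluemix:public:iam::::<kind>:<name>
    if (len(parts) != 10 or parts[0] != "crn" or parts[4] != "iam"
            or not parts[8] or not parts[9]):
        raise ValueError(f"unexpected role CRN: {role_id!r}")
    return parts[8], parts[9]


def audit_roles(policy, expected):
    """Compare the roles a policy grants with the roles the config declares."""
    granted = {}
    for role in policy.get("roles", []):
        kind, name = parse_role_crn(role["role_id"])
        granted[name] = kind
    return {
        "missing": sorted(set(expected) - set(granted)),     # declared, not granted
        "unexpected": sorted(set(granted) - set(expected)),  # granted, not declared
        "kinds": granted,                                    # role name -> CRN kind
    }


def main():
    # Roles declared in the ibm_iam_authorization_policy resource of the report.
    expected = ["Reader", "AuthorizationDelegator"]
    report = audit_roles(POLICY, expected)
    print(json.dumps(report, indent=2, sort_keys=True))
    return 1 if report["missing"] or report["unexpected"] else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

The `kinds` map shows that the two roles sit under different CRN segments (`role` for AuthorizationDelegator, `serviceRole` for Reader), and a non-zero exit flags a policy whose granted roles differ from the declared ones.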

@kavya498
Collaborator

@l2fprod,
The UI uses V1 APIs for authorisation policy. We had to migrate to V2 to support private endpoints.
Looks like V2 APIs are not backward compatible.

I have raised a PR to revert the migration so that it doesn't break existing code.
This will affect the authorization policy resource when visibility is set to private. Related issue

So until V2 APIs support the authorization delegator role we will not be migrating the authorization policy resource. I believe the ETA for this is 2 weeks based on the Slack conversation.

kavya498 commented Oct 2, 2021

@l2fprod, the fix is available in the latest 1.33.1.
I am closing this issue and will be reopening #2926 to track the migration of V2 APIs.

Thanks.

@kavya498 kavya498 closed this as completed Oct 2, 2021
@kavya498 kavya498 reopened this Oct 2, 2021
@kavya498 kavya498 added service/IAMPAP Issues related to IAM Policy Management and removed service/IAM Issues related to IAM labels Oct 28, 2021