terraform-ibm-modules/terraform-ibm-watsonx-saas-da

Decoding access token fails intermittently

Closed this issue · 2 comments

in-1911 commented

terraform-ibm-watsonx-saas-da/main.tf

Line 56 in db51d5c

account_id = jsondecode(base64decode(regex("^Bearer .+\\.(.+)\\..+$", data.ibm_iam_auth_token.deployer.iam_access_token)[0])).account.bss

Terraform's base64decode function is sensitive to base64 padding and the JWT token does not have one.
When the token part has certain length that would require the padding (trailing ==) in the encoded value, base64decode throws an error and plan/apply fails.
Apparently parsing the token for an account ID is not a good idea.

I think it would be better to fetch the necessary attributes in the configure_project module that should construct the URL and return it. Account ID can be parsed from a CRN of a watson instance.

in-1911 commented

I ran into this while deploying the DA with a trusted profile. Apparently the JWT attributes of the trusted profile have exactly the length to need base64 padding.

in-1911 commented

Resolved with rel 1.4.1 (#131)