"Error: Unable to remove owners on ComplianceStandard" when removing compliance check #97

Open
abochi1 opened this issue Oct 10, 2024 · 1 comment

abochi1 commented Oct 10, 2024

Please answer these questions when submitting your issue. Thanks!

  1. What is your Terraform version? Run terraform -v to show the version. If you are not running the latest version of Terraform, please upgrade because your issue may have already been fixed.
  • Version 0.3.18
  1. What are the affected resources? For example, kion_aws_iam_policy, kion_compliance_check, etc.
  • kion_compliance_check
  • kion_compliance_standard
  1. What does your Terraform configuration file look like?
terraform {
  required_providers {
    kion = {
      source  = "kionsoftware/kion"
      version = "~> 0.3.18"
    }
  }
}

# Variables
variable "kion_api_key" {
  type = string
}

variable "resources" {
  type = map(object({
    resource_identifier = string
  }))
  default = {
    "aws.ec2" = {
      resource_identifier = "InstanceId"
    }
    # "aws.s3" = {
    #   resource_identifier = "Name"
    # }
  }
}

locals {
  cloud_custodian_resources = flatten([
    for resource_type, resource_data in var.resources : {
      resource_type       = resource_type
      cloud_provider      = split(".", resource_type)[0]
      resource_name       = split(".", resource_type)[1]
      resource_identifier = resource_data.resource_identifier
    }
  ])
}

# Configure providers for AWS and Kion
provider "aws" {
  region = "us-east-1"
}

provider "kion" {
  url    = "https://kion.scric.org"
  apikey = var.kion_api_key
}

# Create the compliance checks for non-compliant tags
resource "kion_compliance_check" "compliance_check_non_compliant_tags" {
  for_each = {
    for cc in local.cloud_custodian_resources : cc.resource_type => cc
  }

  name                     = "test-tags-non-compliant-${each.value.cloud_provider}-${each.value.resource_name}"
  description              = "Test Tagging Non-Compliant Compliance Check for ${each.value.cloud_provider} ${each.value.resource_name}"
  compliance_check_type_id = 2 # Cloud Custodian
  cloud_provider_id        = 1 # AWS
  created_by_user_id       = 1 # Admin
  owner_user_groups {
    id = 1
  }
  frequency_minutes = 2 # Hours
  frequency_type_id = 3 # Hours. 2 = Minutes, 3 = Hours, 4 = Days
  severity_type_id  = 1 # 1 = Informational, 2 = Low, 3 = Medium, 4 = High
  regions           = ["us-east-1"]
  is_auto_archived  = true
  body              = <<-EOF
  ---
  policies:
    - name: "test-tags-non-compliant-${each.value.cloud_provider}-${each.value.resource_name}"
      resource: "${each.value.resource_type}"
      filters:
        - "tag:CostCenterCode": absent
      actions:
        - type: webhook
          url: "{{CT::CallbackURL}}"
          method: POST
          batch: true
          headers:
            Authorization: "`{{CT::Authorization}}`"
          body: |-
            {
              "compliance_check_id": `{{CT::CheckId}}`,
              "account_number": account_id,
              "region": region,
              "scan_started_at": execution_start,
              "findings": resources[].{resource_name: ${each.value.resource_identifier}, resource_type: `${each.value.resource_name}`, data_json: {"MissingTags": "c7n:MatchedFilters"[]}}
            }
  EOF
}

# Create the compliance standard
resource "kion_compliance_standard" "compliance_standard" {
  depends_on         = [kion_compliance_check.compliance_check_non_compliant_tags]
  name               = "Test Tagging"
  description        = "Test Tagging Compliance Standard"
  created_by_user_id = 1
  owner_user_groups {
    id = 1
  }

  dynamic "compliance_checks" {
    for_each = {
      for check in kion_compliance_check.compliance_check_non_compliant_tags : check.name => check
    }
    content {
      id = compliance_checks.value.id
    }
  }
}
  1. Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

  2. If Terraform produced a panic, please provide a link to a GitHub Gist containing the output of the crash.log.

  3. What did you expect to see?
    Apply complete! Resources: 0 added, 1 changed, 1 destroyed

  4. What did you actually see?

╷
│ Error: Unable to remove owners on ComplianceStandard
│ 
│   with kion_compliance_standard.compliance_standard,
│   on main (2).tf line 95, in resource "kion_compliance_standard" "compliance_standard":
│   95: resource "kion_compliance_standard" "compliance_standard" {
│ 
│ Error: url:
│ http://kion-ulb-public-442074388.us-west-2.elb.amazonaws.com/api/v3/compliance/standard/8/association, method:
│ DELETE, status: 400, body: {"status":400,"message":"compliance check not found"}
│ 
│ Item: 8

Kion_TF_Apply_After_Remove_Again
Kion_TF_Apply_After_Remove
Kion_TF_Apply_Initial

  1. What steps can we run to reproduce the issue?
# Apply
terraform apply

Typing terraform apply again gets rid of the error.

  1. Is there anything atypical about your accounts that we should know? For example: Running in EC2 Classic? Custom version of OpenStack? Tight ACLs?

  2. Are there any other GitHub issues (open or closed) or Pull Requests that should be linked here?

@bshutterkion
Collaborator

PR #109

bshutterkion self-assigned this Feb 13, 2025