Port the command result capture option over from loafoe/ssh

IAM recently released the Aug Release with users will now be inactivated rather than off-boarded.
Which is a good from concept perspective, but now we need to find a way to be able to support customers to be able to resend activations in case inactivated post 72 hours!

Considerations:

• User was created/managed via terraform
• User marked Inactive post 72hours window
• User has not completed email verification (in case activated already would be great to skip)
• Preferred we "smartly" not re-trigger activation email every execution

Expected value of guid should be the IAM guid

We would like to have a data source for HSDP IAM Roles and Groups, so we can resolve the GUID based on the unique name / managing org ID.

The use case is that we want to reuse existing Roles / Groups on a lower level in the IAM organization hierarchy.

A module creates a Service Identity and it's private_key is outputted from the module I created.

This morning after I had some issues with the service identity not being in the correct group (and couldn't manually add it via the self-service portal either), I decided to destroy my environment and rebuild it, to check if it's a fluke.

The destroy went fine, but when I wanted to rebuild my environment I received the following error:

Error: Invalid function argument
  on ../../layers/hsdp/org/outputs.tf line 10, in output "iam_service_private_key":
  10:   value = replace(replace(hsdp_iam_service.iam_service.private_key, "-----END", "\n-----END"), "KEY-----", "KEY-----\n")
    |----------------
    | hsdp_iam_service.iam_service.private_key is null
Invalid value for "str" parameter: argument must not be null.

After downgrading from 0.14.7 to 0.14.6 I could apply the environment again.

Expose the details of the current logged in user/service id so that it can be used for further automation.

For example adding the current user to a new group.

When a hsdp_iam_service is created, you can set the expires_on attribute.
Changing this attribute will trigger an update of the service identity and it's validity.

Currently there is not an easy way of automatic rotation/update of the expires_on date.

We've created a workaround using Python, but it would be preferable if this could be integrated in a hsdp data source.

The python code will take the start date of the next quarter. If this date is within 30 days, it will return the start date of the following quarter.

Currently we defined the following in Terraform:

data "external" "expires_on" {
  program = ["python3", "${path.module}/expires_on.py"]
}

The content of expires_on.py:

from datetime import datetime
import json


def next_quarter_start_date(now: datetime):
    year = now.year
    month = now.month
    if now.day > 1:
        month += 1
    month += 4 - (month % 3)
    if month > 12:
        year += 1
        month = month % 12
    return datetime(year, month, 1)


expires_on = next_quarter_start_date(datetime.now())
delta = (expires_on - datetime.now()).days

if delta < 30:
    expires_on = next_quarter_start_date(expires_on)

json = json.dumps({"expires_on": expires_on.isoformat() + 'Z'})

print(json)

Feature Request
Creating the link between users to and organization is only possible at the user creation.
ressources: hsdp_iam_org and hsdp_iam_user do not permit to link existing users to an organization.

So ressource hsdp_iam_org could accept an array of user_id
AND/OR
So ressource hsdp_iam_user could accept an array of organization_id

Thanks in advance
Cédric Ramassamy

(Terraform destroy) CDR Offboard failing when managing org has 2 or more sub organizations. It is able to offboard one/two orgs and third org is failed.

This is happening due to race condition. When it try to delete the managing root org id before deleting the sub organization
terraform.log
.
terraform.log
terraform.log

╷
│ Warning: Experimental feature "module_variable_optional_attrs" is active
│
│ on terraform.tf line 11, in terraform:
│ 11: experiments = [module_variable_optional_attrs]
│
│ Experimental features are subject to breaking changes in future minor or patch releases, based on feedback.
│
│ If you have feedback on the design of this feature, please open a GitHub issue to discuss it.
│
│ (and one more similar warning elsewhere)
╵
╷
│ Error: DELETE : StatusCode 409: non http 20x CDR response
│

There is an (undocumented?) requirements that proposition and application names are all uppercase without spaces. The provider should enforce this.

miss one optional param @ researchStudy
dataProtectedFromDeletion boolean
This got added assume in this release (API Spec as from Vish) thus not @ hsdp.io.
https://github.com/philips-internal/hsp-cdl-openapi-spec/blob/develop/specs/clinical-data-lake.yml

Running into an issue where IAM has a potential 2-second delay between advertising new Group assignments. In case we are onboarding to DICOM it could be that the same Terraform apply run sets both the required permissions for the ADMIN user/service and onboards DICOM. The DICOM onboarding will fail with a permission error, even though we refresh the token before performing the API calls. Investigate adding a retry mechanism in case of 403.

For below resources, observed that they continue to show creating resource forever(until timeout) in terraform. When debug log is enabled, it is clear that there is a HTTP request that failed with a reason. Instead of reporting a failure and stopping there, terraform continues endlessly.

Observed this with hsdp_dicom_remote_node , hsdp_dicom_gateway_config

module.dicom_cdr_data_org[0].hsdp_dicom_object_store.object_store: Still creating... [59m0s elapsed]
module.dicom_cdr_data_org[0].hsdp_dicom_gateway_config.dicom_gateway: Still creating... [59m0s elapsed]
module.dicom_cdr_data_org[1].hsdp_dicom_gateway_config.dicom_gateway: Still creating... [59m0s elapsed]
module.dicom_cdr_data_org[1].hsdp_dicom_repository.dicom_repository: Still creating... [59m0s elapsed]
module.dicom_cdr_data_org[0].hsdp_dicom_object_store.object_store: Still creating... [59m10s elapsed]
module.dicom_cdr_data_org[0].hsdp_dicom_gateway_config.dicom_gateway: Still creating... [59m10s elapsed]
module.dicom_cdr_data_org[1].hsdp_dicom_gateway_config.dicom_gateway: Still creating... [59m10s elapsed]
module.dicom_cdr_data_org[1].hsdp_dicom_repository.dicom_repository: Still creating... [59m10s elapsed]

Observed this on version 0.18.9

In the past observed similar behavior for hsdp_dicom_object_store, hsdp_dicom_repository but I cannot confirm if it is still the case

This can be reproduced by using service identity with insufficient privileges.

Hi,

I am trying out the new available resource hsdp_cdr_org by following the documentation, but it seems that the documentation is referring to an unsupported argument: root_org_id, while the correct argument name is fhir_org_id. The doc needs an update :)

I am sending a PR to fix it.

As of today it is possible to define a password to an hsdp_iam_user and coincidently I was having problems with it today when creating a default user for my team in a test environment.

I'm willing to pick this small change up, but it might take few days to get this done😄. If anyone else has higher priority to get this implemented feel free to do so!

• Store service
• QueryRetrieve service
• Remote nodes

Create resource similar to hsdp_dicom_object_store but for above resources

• Add blurb on security groups
• Maybe some stuff on CF to Container Host and visa-versa

Suggestion from the DICOM team to add a type argument to explicitly define the DICOM store type:

• Shared
• Dedicated

It could be useful if the expiration date of the service and certificate were exposed from the hsdp_iam_service resource.

This can then be used in other resources to trigger warnings etc.

DICOM Notification resource throwing ID mismatch error

Plan: 2 to add, 0 to change, 1 to destroy.
╷
│ Warning: Experimental feature "module_variable_optional_attrs" is active
│
│ on terraform.tf line 3, in terraform:
│ 3: experiments = [module_variable_optional_attrs]
│
│ Experimental features are subject to breaking changes in future minor or patch releases, based on feedback.
│
│ If you have feedback on the design of this feature, please open a GitHub issue to discuss it.
╵

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

hsdp_dicom_notification.notification: Destroying... [id=ff009264-5718-4dd7-86d5-d73736cc6958]
╷
│ Error: unexpected ID mismatch: '055ef29d-14f8-4280-af40-19f134f75fdd' != 'ff009264-5718-4dd7-86d5-d73736cc6958'

When using resource hsdp_dicom_remote_node, port, hostname, ip_address in network_connection are not taken properly.
When debug logs are enabled, I see below error. From request body, I see it is not taking input I am passing at all.

[go-hsdp-api 8387ccf1-ed66-41a0-969d-c2583cc62013-1] --- Request start ---
POST /store/dicom/config/dicom/production/remoteNodes HTTP/1.1
Host: dss-config-edisa-tst.us-east.philips-healthsuite.com
Accept: application/json
Api-Version: 1
Authorization: [sensitive]
Content-Type: application/json
User-Agent: go-hsdp-api/dicom/0.42.1

{"title":"orthanc","networkConnection":{"port":0,"hostName":"","ipAddress":"","disableIpv6":false,"advancedSettings":{"pduLength":0,"artimTimeOut":0,"associationIdleTimeOut":0,"certificateInfo":{"id":""},"authenticateClientCertificate":false},"networkTimeout":0,"isSecure":false},"aeTitle":"ORTHANC"}
[go-hsdp-api 8387ccf1-ed66-41a0-969d-c2583cc62013-1] Request end ---
[go-hsdp-api 8387ccf1-ed66-41a0-969d-c2583cc62013-1] --- Response start ---
HTTP/1.1 422 Unprocessable Entity
Content-Length: 469
Connection: keep-alive
Content-Type: application/json
Date: Mon, 30 Aug 2021 10:13:17 GMT
X-Vcap-Request-Id: ce20faec-ae67-4dff-53a8-e1444090d2bd

{"error":"Request body is not parsable. :NoAdditionalPropertiesAllowed: #/networkConnection.advancedSettings.certificateInfo\nNoAdditionalPropertiesAllowed: #/networkConnection.advancedSettings.authenticateClientCertificate\nPatternMismatch: #/networkConnection.hostName\nStringTooShort: #/networkConnection.hostName\nNotOneOf: #/networkConnection.ipAddress\n{\n  IpV4Expected: #/networkConnection.ipAddress\n}\n{\n  IpV6Expected: #/networkConnection.ipAddress\n}\n\n"}
[go-hsdp-api 8387ccf1-ed66-41a0-969d-c2583cc62013-1] --- Response end ---

Observed this on version 0.18.9

The data source hsdp_notification_topics is considering as a change for every plan eventhough there is no change in the inputs

module.dicomstore_onboard[0].data.hsdp_notification_topics.notificationSeriesTopics["8a7b348e-57ec-4c62-8f21-7b6c3da1e808"] will be read during apply
(config refers to values not yet known)
<= data "hsdp_notification_topics" "notificationSeriesTopics" {
~ id = "notification_topics" -> (known after apply)
name = "dss-edisa-previewnew_8a7b348e-57ec-4c62-8f21-7b6c3da1e808_series"
~ topic_ids = [
- "a89e15b4-a625-44f9-965d-a92f2797fd99",
] -> (known after apply)
}

Had a wrongly created IAM user record with no 'contact' record at all and had wrong given / family name.
On the other side it was working account with linked resources. Wanted to correct. Received several side issues at once.

• Given / family name change was reported to work but user still had old wrong name. So 'terraform plan' was constantly indicating a difference with resource.
• User's 'contact' / 'emailAddress' was not updated so 'terraform plan' was always indicating a difference.

It would be really nice if we can change at least well-known user fields.

Please be careful when implementing user update: GET /security/users/$id API returns 'disabled' flag which must not be submitted to PUT /security/users/$id - otherwise update will not work and will indicate HTTP 200 response but internal error code 5011.

Provider version: 0.14.2

When adding a resource of type "hsdp_iam_pasword_policy", I am getting the following error:

Error: Invalid resource type

  on main.tf line 31, in resource "hsdp_iam_pasword_policy" "password_policy":
  31: resource "hsdp_iam_pasword_policy" "password_policy" {

The provider provider.hsdp does not support resource type
"hsdp_iam_pasword_policy".

https://github.com/philips-software/terraform-provider-hsdp/blob/main/internal/services/function/resource_function.go#L188

Hi,
I'm trying to create a role using the resource hsdp_iam_role and the creation is failing to retrieve the available permissions to assign, even though I'm using a service identity that has PERMISSIONS.READ assigned to it.

HSDP Provider version: 0.17.0

Error: GET https://idm-client-test.us-east.philips-healthsuite.com/authorize/identity/Permission: 403 {issue: [{code: forbidden}, {details: {coding: {code: 10302}, {system: extension}, {userSelected: failed to parse unexpected error type: bool}}, {text: Resource owner denied access to the request.}}, {severity: error}]}

Terraform code:

resource "hsdp_iam_role" "cco_cdr_read" {
  name        = "CCO_CDR_READ"
  description = "Do not modify manually. This resource is generated by Terraform."

  permissions = [
    "ALLERGYINTOLERANCE.READ",
    "MEDICATIONSTATEMENT.READ",
    "OBSERVATION.READ",
    "ORGANIZATION.READ",
    "PATIENT.READ",
    "PRACTITIONER.READ"
  ]

  managing_organization = var.org_id
}

In some cases it might be better to just ensure TCP/UDP port whitelisting instead of overwriting all firewall settings on an STL device. An example is if we have mulitple Terraform modules deploying applications to the same STL device. Each should be be able to contribute to the Firewall exceptions list instead of overwriting the others

Add some documentation to indicate which services can i query details for in hsdp_config

I know we can do iam but not sure what else

• Soft delete by default
• Option to specify hard delete

Unable to authenticate with service_id due to conflicts with org_admin credentials

when configuring

provider "hsdp" {
  region              = "us-east"
  environment         = var.ENVIRONMENT_NAME
  oauth2_client_id    = var.OAUTH2_CLIENT_ID
  oauth2_password     = var.OAUTH2_PASSWORD
  service_id          = var.SERVICE_ID
  service_private_key = var.SERVICE_PRIVATE_KEY
}

you get

╷                                                                                                        
│ Error: Missing required argument                                                                       
│                                                                                                        
│   with provider["registry.terraform.io/philips-software/hsdp"].useast,                                 
│   on main.tf line 6, in provider "hsdp":                                                               
│    6:   oauth2_client_id    = var.OAUTH2_CLIENT_ID                          
│                                                                                                        
│ "oauth2_client_id": all of `oauth2_client_id,org_admin_password,org_admin_username` must be specified  
╵                                                                                                        
╷                                                                                                        
│ Error: Missing required argument                                                                       
│                                                                                                        
│   with provider["registry.terraform.io/philips-software/hsdp"].useast,                                 
│   on main.tf line 7, in provider "hsdp":                                                               
│    7:   oauth2_password     = var.OAUTH2_PASSWORD                           
│                                                                                                        
│ "oauth2_password": all of `oauth2_password,org_admin_password,org_admin_username` must be specified    
╵                                                                                                        

If you add empty values you get further

provider "hsdp" {
  region              = "us-east"
  environment         = var.ENVIRONMENT_NAME
  oauth2_client_id    = var.OAUTH2_CLIENT_ID
  oauth2_password     = var.OAUTH2_PASSWORD
  service_id          = var.SERVICE_ID
  service_private_key = var.SERVICE_PRIVATE_KEY
  org_admin_password = ""
  org_admin_username = ""
}

╷
│ Error: Conflicting configuration arguments
│
│   with provider["registry.terraform.io/philips-software/hsdp"].useast,
│   on main.tf line 8, in provider "hsdp":
│    8:   service_id          = var.SERVICE_ID
│
│ "service_id": conflicts with org_admin_username
╵
╷
│ Error: Conflicting configuration arguments
│
│   with provider["registry.terraform.io/philips-software/hsdp"].useast,
│   on main.tf line 9, in provider "hsdp":
│    9:   service_private_key = var.SERVICE_PRIVATE_KEY
│
│ "service_private_key": conflicts with org_admin_password
╵
╷
│ Error: Conflicting configuration arguments
│
│   with provider["registry.terraform.io/philips-software/hsdp"].useast,
│   on main.tf line 10, in provider "hsdp":
│   10:   org_admin_password =""
│
│ "org_admin_password": conflicts with service_private_key
╵
╷
│ Error: Conflicting configuration arguments
│
│   with provider["registry.terraform.io/philips-software/hsdp"].useast,
│   on main.tf line 11, in provider "hsdp":
│   11:   org_admin_username =""
│
│ "org_admin_username": conflicts with service_id
╵

Ability to publish image to philipssoftware/terraform-provider-hsdp

There are several email templates available in IAM service to configure for organization.
Allow to configure all of supported email templates.

It would be awesome if email template could be just a html file.

POST /store/dicom/config/dicom/production/remoteNodes HTTP/1.1
GET /store/dicom/config/dicom/production/remoteNodes/3d2e090f-d912-48bb-b590-3229ecbb2325 HTTP/1.1

should be as
POST /store/dicom/config/dicom/production/remoteNodes?organizationId={{siteId}}
GET /store/dicom/config/dicom/production/remoteNodes?organizationId={{siteId}}
DELETE POST /store/dicom/config/dicom/production/remoteNodes/{{remoteNodeId}}?organizationId={{siteId}}.

Raised by @rsankaranarayanan

The below error message is occurring due to the security group.
{"code":400,"description":"CODE: InvalidGroup.NotFound, MESSAGE: You have specified two resources that belong to different networks."}

By default, the cartel API is adding a "base" security group while creating EC2 instances. Suppose I add a "base" security group in the "security_groups" group variable. This error message is occurring. I am thinking that the carte API is treating this as a new security group and try to add. It is failing.

The Example: security_groups = ["XXXX", "base"]

suppose by mistake i use the existing cartel instance ec2 name in the different resource block, it is deleting the existing ec2 instance also and gives error message that, the instances is already exist.
{“code”:400,“description”:“Host named XXXXXXXXXX-7730747f9b1b3974.dev already exists!“}

{“AWS”: “Instance(s) i-XXXXXXXXX terminated”, “Cartel”: {“XXXXXXXXXX-7730747f9b1b3974.dev.XXx.XXX.XXX”: “Instance removed.“}}

If by mistake, the existing ec2 name used. It should through an error message instead of deleting the existing ec2 instances.
The cartel API will through error and it would not delete the existing instances.

When you have a scenario where you have to delete a service identity it fails with a 409 when that service id is allocated to groups. It seems it will not do a cascade delete of the ID and the groups need to be removed first.

╷
│ Error: DELETE https://idm-client-test.us-east.philips-healthsuite.com/authorize/identity/Service/xXXXXXXXX-4a22e20ac189: 409
│
│
╵

You can see this error clearly in the UI when you try to do the delete

If you manually remove the group allocations and then run the terraform again it works as expected.

Use something like this:
resource "hsdp_iam_proposition" "prop" {
name = upper("${var.environment}-propositon")
description = "${var.environment} Proposition"
organization_id = hsdp_iam_org.suborg.id
global_reference_id = "2c5e8525-d9e5-81a6-8e9b-fb887d0f2d90"
}

Now update the global_reference_id.
When you apply, Terraform indicates that an update is needed and applies this after confirming.
From now on, all terraform apply calls will update the proposition, despite there being no changes. It indicates the previous global_reference_id is still current, and hence requires an update again.

This also holds for the hsdp_iam_application resource that also has a global_reference_id. It does work for hsdp_iam_client though.

If you do a terraform destroy first and apply then, it is all okay.

When IAM user is still present in some groups, DELETE request on him/her naturally fails with HTTP 409 but Terraforms hides it.
So off-boarding HSP users through Terraform always reports 'success' and in reality almost never happens because people are very lazy to check their permissions.

I would of course question why platform allows to delete while blocking on group participation (instead should drop them) but currently it would be nice at least not to remove resource when actual object was not deleted so configuration engineer will at least see the real problem instead of hanging unmanaged user as a result.

Logs of real API request (sensitive headers are stripped out):

[go-hsdp-api 2a5fd5d9-6b0d-4f2d-bed5-b128a2a64603-00002] --- Request start ---
DELETE /authorize/identity/User/82ec616d-5d48-444c-ba10-37c92007a529 HTTP/1.1
Host: idm-service.eu-west.philips-healthsuite.com
Accept: application/json
Api-Version: 1
Authorization: [sensitive]
Hsdp-Api-Signature:
Signeddate:
User-Agent: go-hsdp-api/iam/0.51.2
[go-hsdp-api 2a5fd5d9-6b0d-4f2d-bed5-b128a2a64603-00002] Request end ---
[go-hsdp-api 2a5fd5d9-6b0d-4f2d-bed5-b128a2a64603-00002] --- Response start ---
HTTP/1.1 409 Conflict
Transfer-Encoding: chunked
Connection: keep-alive
Content-Type: application/json
Date: Thu, 20 Jan 2022 16:18:51 GMT
Set-Cookie: JSESSIONID=A4243CBB495E297F8B00699203BA7E11; Path=/; Secure; HttpOnly
Set-Cookie: VCAP_ID=42b438fa-4a44-4bb1-412a-a478; Path=/; HttpOnly; Secure
Strict-Transport-Security: max-age=31536000 ; includeSubDomains
Vary: Origin
Vary: Access-Control-Request-Method
Vary: Access-Control-Request-Headers
X-Vcap-Request-Id: 97b8fac0-f5d5-476f-9489-40eb9effe23f

{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"conflict","details":{"coding":{"system":"extension","code":"31302"},"text":"Edit version conflict."},"diagnostics":"Failed to delete the resource as it has associated memberships in the system."}]}
[go-hsdp-api 2a5fd5d9-6b0d-4f2d-bed5-b128a2a64603-00002] --- Response end ---

Please update documentation. Some variables are invalid, some are incorrect in below two resources

dicom_remote_node

dicom_gateway_config

On left side is documented(example), Right side is actual

Having such a data source would allow one to retrieve information on email templates associated with an IAM Org

Currently hsdp_function is creating scheduled jobs which makes tasks run at scheduled time. Should add functionality to:

• Support for getting scheduled task status.
• Support for getting history of tasks ran for a scheduled job

Hi 👋

Can we extend the provider so that it has the capability of adding members to an existing IAM group? We have use cases where one config will create the group and another config will assign members to that group.

IAM offers an endpoint for that too:
https://www.hsdp.io/documentation/identity-and-access-management-iam/api-documents/resource-reference-api/user-api/group-api#/Group%20Management/post_Group__id___add_members

Thanks 😄

Any plans to include CDR configuration into this provider?

Being able to model the configuration of orgs in the CDR or other settings would be useful.

Hi,

This is a follow on from ticket 'INC0067775'. The hsdp module does not seem to fetch the correct token and relies on an old token with invalid permissions if we have modified it in the deployment. This causes our build to fail unless we set parallelism to 1. This bloats our deployment times from 10 minutes to well over an hour and this blocks the teams during this time.

Ideally, we need the module to be more aggressive with retries and fetching tokens if it cannot determine the dependencies at the start of the apply stage.

Verify input is correct so we fail fast in case of mismatches

• Expose subnet setting in container host resource

Similar to #3 the role resource's name is converted to uppercase when created. Need to add a validator that checks it's declared in uppercase. This prevents mismatch after resource creation

Hi,
In hsdp_dicom_gateway_config resource, using “description” attribute and its value, is not reflecting in the apply. Hence, the destroy and re creation of resource in every apply.

Terraform plan:
`# module.dicom_gateway_onboard.module.tenant_orgs_dicomgateway_onboard["a tenant id "].hsdp_dicom_gateway_config.dicom_gateway has been changed
~ resource "hsdp_dicom_gateway_config" "dicom_gateway" {
id = "05e5cd5a4d50387566412001a8b35e11"
# (2 unchanged attributes hidden)

  + query_retrieve_service {
      + artim_timeout            = 3000
      + association_idle_timeout = 4500
      + is_secure                = false
      + pdu_length               = 65535
      + port                     = 108
      + title                    = "DicomGatewayQueryService-TF"

      + application_entity {
          + ae_title        = "CloudDcmQueryScp"
          + allow_any       = true
          + organization_id = "a tenant id"
        }
    }
  - query_retrieve_service {
      - artim_timeout            = 3000 -> null
      - association_idle_timeout = 4500 -> null
      - description              = "This is created by dicom-gateway terraform to configure Dicom Gateway Query service" -> null
      - is_secure                = false -> null
      - pdu_length               = 65535 -> null
      - port                     = 108 -> null
      - title                    = "DicomGatewayQueryService-TF" -> null

      - application_entity {
          - ae_title        = "CloudDcmQueryScp" -> null
          - allow_any       = true -> null
          - organization_id = "a tenant id" -> null
        }
    }

`

When using hsdp_config it would be good if it could pull through from values set in the provider for the region and environment. This would save having to push them through as variables to modules etc.

If they are not set on the provider it should probably error out if they are empty in the hsdp_config