Comments (6)
Hi @loafoe, I just discovered what was happening. The issue happens when the service identity doesn't have the permission HSDP_IAM_ORGANIZATION.MGMT on that specific IAM organization, so it is an authorization issue. That being said, it's weird that the provider is not displaying a 403 error when it is not able to remove the user from the group.
I also dived even further and took a look into the provider code, and it seems to be calling the $remove-members API, but according to the documentation (see image), any identity with HSDP_IAM_ORGANIZATION.MGMT, GROUP.WRITE or HSDP_IAM_GROUP.REMOVE_USER should be able to remove the members... but in reality, only service identities with HSDP_IAM_ORGANIZATION.MGMT are able to remove members.
from terraform-provider-hsdp.
@l-lafin tested this and it is working as expected. Can you provide more details, or better, a setup where you can reproduce this?
@l-lafin added additional test code and was able to observe deletion of users from the group on destroy. One key thing is that groups referred to in hsdp_iam_group_membership should have drift_detection = false, otherwise you get permadiffs, or possibly the issue you are seeing as mentioned in this issue. Adding hsdp_iam_group_membership in retrospect was a mistake IMHO. It goes against the ownership of resources and feels more and more like a footgun. Closing.
Hi @loafoe,
Thanks for the updates. Regarding drift_detection: according to the documentation, in case the group is managed by Terraform, it indicates that drift_detection should be false, see below:
We are still trying to fix this issue on our side :(. I tried to simulate using plain Terraform and indeed I wasn't able to see the error, but for some reason when I'm using Terragrunt I'm having this error.
You are right, it should be set to false, somehow inverted that in my msg 🤦‍♂️
I'm not a fan of Terragrunt. It feels like what CoffeeScript was to JavaScript, i.e. plastering over some imperfections and making things more opaque but, by design, also making runs less transparent.
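The drift_detection point from the two comments above, written out as a Terraform configuration. This is an added example, not code from the issue thread or from the terraform-provider-hsdp project; the attribute names other than drift_detection and the hsdp_iam_group_membership resource type (managing_organization, name, description, iam_group_id, users) and the two variables are assumptions, so check them against the provider documentation for your version.

```hcl
# Added example (not from the issue or the provider). Attribute names other
# than drift_detection and hsdp_iam_group_membership are assumed.

variable "org_id" {
  description = "IAM organization that owns the group (assumed variable)"
  type        = string
}

variable "ops_user_ids" {
  description = "IAM user IDs to place in the group (assumed variable)"
  type        = list(string)
}

# Group owned by Terraform. Its members are managed by the separate
# hsdp_iam_group_membership resource below, so the group must NOT reconcile
# its own member list: with drift_detection = true every plan would report
# the externally added members as drift (a permadiff), and on destroy the two
# resources compete over who removes the users.
resource "hsdp_iam_group" "ops" {
  managing_organization = var.org_id   # assumed attribute name
  name                  = "ops"        # assumed attribute name
  description           = "Operations team"

  # Weak setting (what not to do when a membership resource exists):
  # drift_detection = true
  #
  # Correct setting when membership lives in hsdp_iam_group_membership:
  drift_detection = false
}

# Membership kept in its own resource. Per the first comment in the thread,
# removing members at destroy time worked in practice only for a service
# identity holding HSDP_IAM_ORGANIZATION.MGMT on this organization, and the
# provider did not surface a 403 when it lacked it, so verify with
# "terraform plan" after a destroy that the members are really gone.
resource "hsdp_iam_group_membership" "ops_users" {
  iam_group_id = hsdp_iam_group.ops.id   # assumed attribute name
  users        = var.ops_user_ids        # assumed attribute name
}
```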
We also tested the IAM API itself and it works when the identity has any of those permissions.