The resource 'hsdp_iam_group_membership' is not removing user membership from IAM on destroy about terraform-provider-hsdp HOT 6 OPEN

Hi @loafoe, I just discovered what was happening. The issue happens when the service identity doesn't have the permission HSDP_IAM_ORGANIZATION.MGMT on that specific IAM organization, so it is an authorization issue. That being said it's weird that the provider is not displaying a 403 error when it is not able to remove the user from the group.

I also dived even further and took a look into the provider code and it seems to be calling the $remove-members API, but according to the documentation (see image), any identity with HSDP_IAM_ORGANIZATION.MGMT, GROUP.WRITE or HSDP_IAM_GROUP.REMOVE_USER should be able to remove the members...but in reality, only service identities with HSDP_IAM_ORGANIZATION.MGMT are able to remove members.

from terraform-provider-hsdp.

@l-lafin tested this and it is working as expected. Can you provide more details, or better a setup where you can reproduce this?

from terraform-provider-hsdp.

@l-lafin added additional test code and was able to observe deletion of users group on destroy. On key thing is that groups referred to in hsdp_iam_group_membership should have drift_detection = false otherwise you get permadiffs, or possibly the issue you are seeing as mentioned in this issue. Adding hsdp_iam_group_membership in retrospect was a mistake IMHO. It goes against the ownership of resources and feels more and more like a footgun. Closing

from terraform-provider-hsdp.

Hi @loafoe,
Thanks for the updates, regarding the drift_detection according to the documentation in case the group is managed by Terraform. it indicates the drift_detection should be false, see below:

We are still trying to fix this issue on our side :(, I tried to simulate using plain Terraform and indeed I wasn't able to see the error, but for some reason when I'm using Terragrunt I'm having this error.

from terraform-provider-hsdp.

You are right, it should be set to false , somehow inverted that in my msg🤦‍♂️

I'm not a fan of terragrunt. It feels like what coffeescript was to javascript i.e. plastering over some imperfections and making things more opaque but, by design, also making runs less transparent..

from terraform-provider-hsdp.

We also tested the IAM API itself and it works when the identity has any of those permissions.

from terraform-provider-hsdp.