search

IBM-Cloud / terraform-provider-ibm

https://registry.terraform.io/providers/IBM-Cloud/ibm/latest/docs
Mozilla Public License 2.0
337 stars 647 forks source link

Problem deleting users when the status is PENDING #762

Open ghost opened 4 years ago

ghost commented 4 years ago

We are having some issues when deleting users via terraform using the resource ibm_compute_user and when the user state is PENDING.

Terraform Version

$ terraform -v
Terraform v0.11.7
+ provider.ibm v0.17.3

Affected Resource

Terraform Configuration Files

resource "ibm_compute_user" "terraform-user" {
  address1     = "My street"
  city         = "My city"
  company_name = "My company"
  country      = "US"
  state        = "CA"
  timezone     = "PST"
  email        = "myemail@mydomain.com"
  first_name   = "Terraform"
  last_name    = "User"
  has_api_key  = false

  permissions = [
    "ACCESS_ALL_DEDICATEDHOSTS",
    "ACCESS_ALL_GUEST",
    "ACCESS_ALL_HARDWARE",
    "ANTI_MALWARE_MANAGE",
    "BANDWIDTH_MANAGE",
    "CDN_BANDWIDTH_VIEW",
    "DEDICATED_HOST_VIEW",
    "DNS_MANAGE",
    "FIREWALL_MANAGE",
    "FIREWALL_RULE_MANAGE",
    "HARDWARE_VIEW",
    "HOST_ID_MANAGE",
    "IP_ADD",
    "LICENSE_VIEW",
    "LOADBALANCER_MANAGE",
    "MONITORING_MANAGE",
    "NETWORK_MESSAGE_DELIVERY_MANAGE",
    "NTF_SUBSCRIBER_MANAGE",
    "PORT_CONTROL",
    "REMOTE_MANAGEMENT",
    "SOFTWARE_FIREWALL_MANAGE",
    "USER_MANAGE",
    "VIRTUAL_GUEST_VIEW",
    "VULN_SCAN_MANAGE",
  ]

  lifecycle {
    ignore_changes = [
      # Ignore changes to timezone if set by the user
      "timezone",
      "has_api_key",
    ]
  }
}

Expected Behavior

The user should be deleted.

Actual Behavior

We know the user's status is PENDING till the user enters for the first time. If the user doesn't active the account and we want to delete it, we are getting this error.

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  - ibm_compute_user.terraform-user

Plan: 0 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

ibm_compute_user.terraform-user: Destroying... (ID: XXXXXXXX)

Error: Error applying plan:

1 error(s) occurred:

* ibm_compute_user.terraform-user (destroy): 1 error(s) occurred:

* ibm_compute_user.terraform-user: Error deleting IBM Cloud user: SoftLayer_Exception_Public: Switching user status from PENDING to DELETED is forbidden. (HTTP 500)

Steps to Reproduce

  1. terraform apply
  2. terraform destroy
hkantare commented 4 years ago

We internally call the Softlayer(Classic) API to make delete request ..So when user status is in pending state the API is throwing back the error SoftLayer_Exception_Public: Switching user status from PENDING to DELETED is forbidden. (HTTP 500). I will follow up with Classic API team and update

rfiestas-nr commented 4 years ago

I added more information about this issue 

terraform --version
Terraform v0.11.7
+ provider.ibm v0.22.0

Terraform logs

ibm_compute_user.user-terraform-foobar (destroy)
  provider.ibm
provider.ibm
2020/01/15 11:09:59 [DEBUG] ReferenceTransformer: "ibm_compute_user.user-terraform-foobar (destroy)" references: []
2020/01/15 11:09:59 [DEBUG] ReferenceTransformer: "provider.ibm" references: []
2020/01/15 11:09:59 [DEBUG] Starting graph walk: walkApply
2020-01-15T11:09:59.366+0100 [DEBUG] plugin.terraform-provider-ibm_v0.22.0: 2020/01/15 11:09:59 Configuring SoftLayer Session with API key
2020-01-15T11:09:59.366+0100 [DEBUG] plugin.terraform-provider-ibm_v0.22.0: 2020/01/15 11:09:59 Configuring IBM Cloud Session with API key
2020-01-15T11:10:04.163+0100 [DEBUG] plugin.terraform-provider-ibm_v0.22.0: 2020/01/15 11:10:04 the apiendpoint url for power is us-south.power-iaas.cloud.ibm.com
2020-01-15T11:10:04.165+0100 [DEBUG] plugin.terraform-provider-ibm_v0.22.0: 2020/01/15 11:10:04 [INFO] Deleting IBM Cloud user: 7xxxxxx
2020-01-15T11:10:04.166+0100 [DEBUG] plugin.terraform-provider-ibm_v0.22.0: 2020/01/15 11:10:04 [DEBUG] Request URL:  PUT https://api.softlayer.com/rest/v3/SoftLayer_User_Customer/7xxxxxx.json
2020-01-15T11:10:04.166+0100 [DEBUG] plugin.terraform-provider-ibm_v0.22.0: 2020/01/15 11:10:04 [DEBUG] Parameters:  {"parameters":[{"userStatusId":1021}]}
2020-01-15T11:10:05.188+0100 [DEBUG] plugin.terraform-provider-ibm_v0.22.0: 2020/01/15 11:10:05 [DEBUG] Status Code:  500
2020-01-15T11:10:05.188+0100 [DEBUG] plugin.terraform-provider-ibm_v0.22.0: 2020/01/15 11:10:05 [DEBUG] Response:  {"error":"Switching user status from PENDING to DELETED is forbidden.","code":"SoftLayer_Exception_Public"}
2020/01/15 11:10:05 [ERROR] root: eval: *terraform.EvalApplyPost, err: 1 error(s) occurred:

* ibm_compute_user.user-terraform-foobar: Error deleting IBM Cloud user: SoftLayer_Exception_Public: Switching user status from PENDING to DELETED is forbidden. (HTTP 500)
2020/01/15 11:10:05 [ERROR] root: eval: *terraform.EvalSequence, err: 1 error(s) occurred:

* ibm_compute_user.user-terraform-foobar: Error deleting IBM Cloud user: SoftLayer_Exception_Public: Switching user status from PENDING to DELETED is forbidden. (HTTP 500)
2020/01/15 11:10:05 [ERROR] root: eval: *terraform.EvalOpFilter, err: 1 error(s) occurred:

* ibm_compute_user.user-terraform-foobar: Error deleting IBM Cloud user: SoftLayer_Exception_Public: Switching user status from PENDING to DELETED is forbidden. (HTTP 500)
2020/01/15 11:10:05 [TRACE] [walkApply] Exiting eval tree: ibm_compute_user.user-terraform-foobar (destroy)
2020/01/15 11:10:05 [DEBUG] plugin: waiting for all plugin processes to complete...
hkantare commented 4 years ago

Its working according to classic API infrastructure API. Can you please try with new IBM Cloud API to manage classic Infrastructure API https://ibm-cloud.github.io/tf-ibm-docs/v1.0.0/r/iam_user_invite.html

ghost commented 4 years ago

Hi @hkantare, we tried the new method and it's working, the problem we found with the new method is that we aren't able to import the current users.

Do you know if it will be added?

Anil-CM commented 4 years ago

Hi @djimbel-nr, When we invite a user to an account, there will be an email sent out to the invited user.

The invited user should accept the invitation. If the invited user is not having an account in IBM Cloud, while accepting the invitation invited user will be prompted to new page to create the account in IBM cloud, on completion of this the invited user status will be 'ACTIVE'.

ghost commented 4 years ago

Hi @Anil-CM. Thanks for the response.

Maybe I didn't explain myself correctly, the problem we are having with the new method is that we aren't able to import the current users. Also AFAIK, the method iam_user_invite isn't valid to create/modify/delete users, it's only valid to send invitation.

We would need to be able to administrate users in IBMCloud with IBMid.

Regards,