MyPureCloud / terraform-provider-genesyscloud

Terraform Provider Genesyscloud
MIT License

Resource "genesyscloud_tf_export" asking for permissions that do not exist #1182

Open boston51 opened 1 month ago

boston51 commented 1 month ago

I've granted Terraform OAuth client credentials with a role that has every single permission applied to it. I've received errors upon trying to use the genesyscloud_tf_export resource without specifying any resource filters as we wish to export everything, hence why we gave it a role with all permissions applied.

Is this an issue with the provider? Or is there a way to work around this? I've tried the log_permission_errors = true option under the genesyscloud_tf_export resource as one error stated the apply would continue if it found errors and that option was set, but it still stops and fails due to permissions errors that I cannot resolve.

Here is my main.tf, pretty straightforward.

resource "genesyscloud_tf_export" "export" {
  directory                 = "./export"
  split_files_by_resource   = true
  export_as_hcl             = true
  log_permission_errors     = true
}

Here is the provider I have set. I did try the latest version 1.43.1, however it did not make a difference.

terraform {
  required_providers {
    genesyscloud = {
      source = "MyPureCloud/genesyscloud"
      version = "1.43.0"
    }
  }
}

Here are the permissions that I've seen so far in errors when trying to run the apply, but don't exist in my org.

employeePerformance:externalMetricDefinition:view
routing:transcriptionSettings:view
workitems:worktype:view

charliecon commented 1 month ago

Hi @boston51

At the moment I'm unable to recreate the behaviour you're seeing, but I have created a ticket so we can get a dev working on this as soon as possible. If you don't mind, could you copy and paste the error message appearing in your logs? That will help us to debug.

Thanks for bringing this to our attention.

(Tracking with DEVTOOLING-760)

boston51 commented 1 month ago

Hey @charliecon, here is an example. This time it happened to be the workitems:worktype:view permission that it's asking for, but again, does not exist as all possible permissions, in all divisions, have been granted to the OAuth credentials being used.

genesyscloud_tf_export.test: Creating...
╷
│ Error: Failed to get task management worktype error: failed to get worktypes: API Error: 403 - Unable to perform the requested action. You must have permission workitems:worktype:view in at least one division. (df95a5ef-dc75-4a55-ba1c-e3085b3dcad1)
│ To continue exporting other resources in spite of this error, set the 'log_permission_errors' attribute to 'true'
│
│   with genesyscloud_tf_export.test,
│   on main.tf line 10, in resource "genesyscloud_tf_export" "test":
│   10: resource "genesyscloud_tf_export" "test" {
│
│ {"resourceName":"genesyscloud_task_management_worktype","method":"POST","path":"/api/v2/taskmanagement/worktypes/query","statusCode":403,"errorMessage":"API
│ Error: 403 - Unable to perform the requested action. You must have permission workitems:worktype:view in at least one division.
│ (df95a5ef-dc75-4a55-ba1c-e3085b3dcad1)","correlationId":"df95a5ef-dc75-4a55-ba1c-e3085b3dcad1"}

Here is the full main.tf code that was used. You can see I started going down the path of using the include_filter_resources option to select specific resources to work around this issue for now.

resource "genesyscloud_tf_export" "main" {
  directory                    = "./export"
  split_files_by_resource      = true # <--- if not specified, all resources exported into one file
  export_as_hcl                = true
  include_filter_resources     = ["genesyscloud_user"] # <--- if not specified, all resources are exported
  log_permission_errors        = true # <--- "should" allow apply to run completely even if permissions errors are encountered, and logs them to a file
  enable_dependency_resolution = true # <--- automatically export additional dependencies, enhances the comprehensiveness, its related entities are included
}

resource "genesyscloud_tf_export" "test" {
  directory                    = "./export-test"
  split_files_by_resource      = true
  export_as_hcl                = true
}
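
An added example, not part of the thread or the provider's code: a Python script that pulls the JSON error records out of Terraform output like the error quoted above and groups the 403 responses by the permission they name, so the result can be compared with the role assigned to the OAuth client. It assumes the records keep the keys shown in the thread (resourceName, statusCode, errorMessage) and that wrapped lines break at spaces; the second and third sample records use constructed placeholder values.

```python
import json
import re
from collections import defaultdict

# Constructed sample. The first record follows the error quoted in the thread;
# the other two use placeholder resource names, paths and correlation IDs.
SAMPLE = """\
│ Error: Failed to get task management worktype error: failed to get worktypes
│   10: resource "genesyscloud_tf_export" "test" {
│
│ {"resourceName":"genesyscloud_task_management_worktype","method":"POST","path":"/api/v2/taskmanagement/worktypes/query","statusCode":403,"errorMessage":"API
│ Error: 403 - Unable to perform the requested action. You must have permission workitems:worktype:view in at least one division.
│ (df95a5ef-dc75-4a55-ba1c-e3085b3dcad1)","correlationId":"df95a5ef-dc75-4a55-ba1c-e3085b3dcad1"}
│ {"resourceName":"example_resource","method":"GET","path":"/api/v2/example","statusCode":403,"errorMessage":"API Error: 403 - You must have permission routing:transcriptionSettings:view in at least one division.","correlationId":"00000000-0000-0000-0000-000000000000"}
│ {"resourceName":"example_resource","method":"GET","path":"/api/v2/example","statusCode":429,"errorMessage":"API Error: 429 - Rate limited.","correlationId":"00000000-0000-0000-0000-000000000001"}
"""

# Permission names in the thread have the form domain:entity:action.
PERMISSION_RE = re.compile(r"You must have permission ([A-Za-z*]+:[A-Za-z*]+:[A-Za-z*]+)")


def unwrap(text):
    """Strip Terraform's box-drawing gutter and rejoin wrapped lines."""
    lines = (ln.lstrip("│╷╵ ").rstrip() for ln in text.splitlines())
    return " ".join(ln for ln in lines if ln)


def iter_error_records(text):
    """Yield every JSON object in the output that carries a statusCode."""
    decoder = json.JSONDecoder()
    flat = unwrap(text)
    pos = flat.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(flat, pos)
        except json.JSONDecodeError:
            # A brace from the HCL snippet, not a record: try the next one.
            pos = flat.find("{", pos + 1)
            continue
        if isinstance(obj, dict) and "statusCode" in obj:
            yield obj
        pos = flat.find("{", end)


def missing_permissions(text):
    """Map each permission named in a 403 to the resource types that hit it."""
    found = defaultdict(set)
    for rec in iter_error_records(text):
        match = PERMISSION_RE.search(rec.get("errorMessage", ""))
        if rec["statusCode"] == 403 and match:
            found[match.group(1)].add(rec.get("resourceName", "unknown"))
    return {perm: sorted(res) for perm, res in sorted(found.items())}
```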