SAP / terraform-provider-btp

Terraform provider for SAP BTP
https://registry.terraform.io/providers/SAP/btp/latest
Apache License 2.0

Fail to add a subaccount user admin as an Org member in "Cloud Foundry" [BUG] #385

Closed MatanElitzur closed 1 year ago

MatanElitzur commented 1 year ago

Is there an existing issue for this?

What version of Terraform are you using?

0.2.0-beta2

What type of issue are you facing

bug report

Describe the bug

The users array looks like this:

users = [
  {
    id    = null_resource.cache_orchestrator.triggers.id
    email = null_resource.cache_orchestrator.triggers.email
  },
  {
    id    = "realUserInSAP@sap.com"
    email = "realUserInSAP@sap.com"
  }
]

 # module.main-sub-account.module.cloudfoundry_environment[0].btp_subaccount_environment_instance.cloudfoundry will be created
  + resource "btp_subaccount_environment_instance" "cloudfoundry" {
      + broker_id        = (known after apply)
      + created_date     = (known after apply)
      + custom_labels    = (known after apply)
      + dashboard_url    = (known after apply)
      + description      = (known after apply)
      + environment_type = "cloudfoundry"
      + id               = (known after apply)
      + labels           = (known after apply)
      + landscape_label  = (known after apply)
      + last_modified    = (known after apply)
      + name             = "Research_test-sub-domain"
      + operation        = (known after apply)
      + parameters       = jsonencode(
            {
              + instance_name = "Research_test-sub-domain"
              + users         = [
                  + {
                      + email = "technicalUser@sap.com"
                      + id    = "technicalUser@sap.com"
                    },
                  + {
                      + email = "realUserInSAP@sap.com"
                      + id    = "realUserInSAP@sap.com"
                    },
                ]
            }
        )
      + plan_id          = (known after apply)
      + plan_name        = "standard"
      + platform_id      = (known after apply)
      + service_id       = (known after apply)
      + service_name     = "cloudfoundry"
      + state            = (known after apply)
      + subaccount_id    = (known after apply)
      + tenant_id        = (known after apply)
      + state            = (known after apply)
      + subaccount_id    = (known after apply)
      + type             = (known after apply)
    }

The problem is that the subaccount admin user realUserInSAP@sap.com did not get the org member role in Cloud Foundry and therefore doesn't have permissions such as creating a space.

Expected Behavior

The subaccount user realUserInSAP@sap.com has permission to create a new space in Cloud Foundry. Therefore it needs the Org Manager role.

Steps To Reproduce

see above

Add screenshots to help explain your problem

Additional context

n/a

lechnerc77 commented 1 year ago

Thanks for bringing that to our attention. Seems like the array in the parameters JSON is ignored or maybe there are issues in the transfer. Needs to be analyzed

MatanElitzur commented 1 year ago

If you check this code area, it will be easier to write terraform code that adds only email parameter to that json.

lechnerc77 commented 1 year ago

The documentation was wrong in this area. The definition of additional users for the environment instance i.e. of additional org users for Cloud Foundry is not a valid parameter. The flow for the setup of a Cloud Foundry environment via the BTP CLI is described in help.sap.com (steps 11-14). This can be translated to the Terraform provider as follows:

  1. Create an environment instance for Cloud Foundry. The only valid parameter is the instance_name that must be specified. The user triggering the environment creation is automatically assigned to the created Cloud Foundry org
  2. Add additional users to the newly created Cloud Foundry environment (namely the Cloud Foundry org) by leveraging the Cloud Foundry community provider for Terraform. The relevant resource is cloudfoundry_org_users.

The documentation of the Terraform provider for SAP BTP will be fixed with PR #386
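The two-step flow just described, written out as an added example; this is not code from the issue thread, the provider documentation or the SAP samples. It assumes the community Cloud Foundry provider, that the environment instance's labels attribute (a JSON string, visible in the plan output above) carries the org's API endpoint under the key "API Endpoint", and the variable names shown; the resource names are also assumed.

```hcl
# Added example (not from the issue or the provider docs): create the Cloud Foundry
# environment instance with only instance_name, then grant org roles to users that
# UAA already knows. Variable and resource names are assumed.

terraform {
  required_providers {
    btp          = { source = "SAP/btp" }
    cloudfoundry = { source = "cloudfoundry-community/cloudfoundry" }
  }
}

variable "subaccount_id"           { type = string }
variable "cf_instance_name"        { type = string }
variable "cf_user"                 { type = string }
variable "cf_password"             { type = string, sensitive = true }
variable "cf_org_managers"         { type = set(string) }
variable "cf_org_billing_managers" { type = set(string), default = [] }
variable "cf_org_auditors"         { type = set(string), default = [] }

# Step 1: the only valid parameter is instance_name. No users array here; the
# identity that runs this apply is added to the new org automatically.
resource "btp_subaccount_environment_instance" "cloudfoundry" {
  subaccount_id    = var.subaccount_id
  name             = var.cf_instance_name
  environment_type = "cloudfoundry"
  service_name     = "cloudfoundry"
  plan_name        = "standard"
  parameters = jsonencode({
    instance_name = var.cf_instance_name
  })
}

# Point the Cloud Foundry provider at the org that step 1 created. The key name
# "API Endpoint" inside the labels JSON is an assumption of this example.
provider "cloudfoundry" {
  api_url  = jsondecode(btp_subaccount_environment_instance.cloudfoundry.labels)["API Endpoint"]
  user     = var.cf_user
  password = var.cf_password
}

# Step 2: org-level roles. platform_id of the environment instance is the CF org
# GUID. Every address listed must already exist in UAA; this resource assigns
# roles, it does not create users.
resource "cloudfoundry_org_users" "org_users" {
  org              = btp_subaccount_environment_instance.cloudfoundry.platform_id
  managers         = var.cf_org_managers # Org Manager: may create spaces
  billing_managers = var.cf_org_billing_managers
  auditors         = var.cf_org_auditors
}
```

Because the cloudfoundry provider configuration depends on an output of a resource that does not exist yet on the first run, a single apply from scratch fails to configure that provider; apply the environment instance first (for example with `-target`, or from a separate module), then the org users. Keep the Org Manager set small: it is the role that controls who can create spaces and delegate further access in the org.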

TVSiemens commented 9 months ago

Hi @lechnerc77, do you have a hint how to add Users to cloud foundry orgs and spaces with a custom IDP for the platform activated? It seems there is a BTP specific problem with the origin while creating a new user: https://github.com/cloudfoundry-community/terraform-provider-cloudfoundry/issues/535

lechnerc77 commented 9 months ago

Hi @TVSiemens there are different topics around that using a custom IdP:

The creation of org user has a caveat that is highlighted in the documentation namely:

This resource requires the provider to be authenticated with an account granted admin permissions and UAA admin client. See related uaa documentation ~> NOTE: Create an existing user will not trigger any errors and will lead to retrieve id of existing user and update it.

You do not have UAA admin permissions in SAP BTP due to the SAP-specific usage of Cloud Foundry. This means:

This behavior is identical, no matter if you use the provider or the CF CLI together with SAP BTP CF environments.

The only workaround as of today for scenario 1 is: create the user via the cockpit, delete it again in the cockpit and then re-create it via the resource (as this time the user is known in UAA). There are discussions going on to improve this, but nothing that will solve this issue in the near future.

RCarvalhoSiemens commented 8 months ago

Hello @lechnerc77,

I've done the steps you mentioned to work around the case where I don't have UAA admin permissions and still couldn't create the user in Cloud Foundry. My user has the manager role in Cloud Foundry.

lechnerc77 commented 8 months ago

Hi @RCarvalhoSiemens ,

can you give this resource a try for assigning users to an organization: cloudfoundry_org_users.

Here a snippet:

resource "cloudfoundry_org_users" "org_users" {
  org              = btp_subaccount_environment_instance.cf.platform_id
  managers         = var.cf_org_managers
  billing_managers = var.cf_org_billing_managers
  auditors         = var.cf_org_auditors
}

This should work if the users are not "brand-new" (= unknown to UAA). However that is limited from the role perspective. Here the link to the samples I fetched that from: https://github.com/SAP-samples/btp-terraform-samples/tree/main/released/modules/environment/cloudfoundry/envinstance_cf

Same could be done for the space i.e. the space users:

resource "cloudfoundry_space_users" "space-users" {
  space      = cloudfoundry_space.space.id
  managers   = var.cf_space_managers
  developers = var.cf_space_developers
  auditors   = var.cf_space_auditors
}

RCarvalhoSiemens commented 8 months ago

Hi @lechnerc77, thank you for your answer. I've tried the resource "cloudfoundry_org_users" and I need to specify an origin, which I believe this resource does not allow.


I've tried to use the resource "cloudfoundry_user", where I can specify an origin, but I get this error message.

lechnerc77 commented 8 months ago

If you additionally need an origin then, to the best of my knowledge, you will not be able to execute this CF setup via Terraform, i.e. via the existing Cloud Foundry provider on SAP BTP, as the specifics of CF on SAP BTP cannot be handled by this provider.