Closed mpern closed 7 months ago
lechnerc77
commented
10 months ago Status retest with latest local version of Terraform provider successful:
Status retest with version 0.5.0-beta1 of Terraform provider successful:
lechnerc77
commented
10 months ago @mpern Can you please provide the scripts you are using for the setup as I cannot reproduce the error you are getting.
Here for comparison my setup:
resource "btp_directory" "dir_with_features" {
name = "my-feat-directory"
description = "This is a directory with features."
features = ["DEFAULT","ENTITLEMENTS","AUTHORIZATIONS"]
}
resource "btp_directory_role_collection_assignment" "rolecol1" {
directory_id = btp_directory.dir_with_features.id
role_collection_name = "Directory Viewer"
user_name = "user.one@sap.com"
}
resource "btp_directory_role_collection_assignment" "rolecol2" {
directory_id = btp_directory.dir_with_features.id
role_collection_name = "Directory Administrator"
user_name = "user.two@sap.com"
}I applied the script, removed the two role collection resources and reapplied the script without issues. I also executed a terraform destroy. Both scenarios worked.
One further point: do you add yourself/the person executing the script (which gets automatically added as Directory Administrator) into the role collection assignments?
lechnerc77
commented
10 months ago @mpern based on your overall configuration I could reproduce the setup. The error you are facing is caused by a "special" behavior of the platform that is out of reach for the Terraform provider:
When you create a directory (or a subaccount) SAP BTP will automatically add you user as directory (or subaccount) admin. If you explicitly assign your user to the role collection of the directory admin, the platform API will raise no error if you are already assigned to this role collection. However, Terraform will store your role assignment in the Terraform state. As soon as you delete the setup, Terraform will execute a un-assignment of the role collections based on the state. In your setup this means that all user assigned as directory administrators are unassigned. I assume that you are executing the script locally, so you user does no longer have the privileges to act as directory administrator and hence, your user can no longer execute the other un-assignments of the role which leads to a 403 error.
Can you please validate if my assumption is correct by removing your user from the admin list and executing the scripts locally with your user.
mpern
commented
10 months ago nope, that's not it. I have a dedicated technical user for terraform, it's not executing in the context of my personal account.
lechnerc77
commented
10 months ago nope, that's not it. I have a dedicated technical user for terraform, it's not executing in the context of my personal account.
hmm, as we anyway have a meeting on Thursday, we should take a look at your account when setup (before deletion/removal of role assignments)
lechnerc77
commented
10 months ago Aligned with @mpern : not possible to reproduce at the moment. Keeping the issue open and tagging it as wont-fix in case either Markus can reproduce the setup or another user reports a similar issue
lechnerc77
commented
7 months ago As no issues have been reported that help us reproduce this error, I will close this issue.
Is there an existing issue for this?
What version of Terraform are you using?
1.5.7
What type of issue are you facing
bug report
Describe the bug
Deleting/destroying a directory fails with
Expected Behavior
Destroying a Directory and all related resources "just works"
Steps To Reproduce
Add screenshots to help explain your problem
No response
Additional context
No response