SAP / terraform-provider-btp

Terraform provider for SAP BTP
https://registry.terraform.io/providers/SAP/btp/latest
Apache License 2.0

[BUG] `btp_subaccount_role_collection` silently takes over already existing resource #859

Closed v0lkc closed 4 months ago

v0lkc commented 4 months ago

Is there an existing issue for this?

What version of the Terraform provider are you using?

dev

What version of the Terraform CLI are you using?

2.64.0

What type of issue are you facing

bug report

Describe the bug

The `btp_subaccount_role_collection` resource is expected to fail if a role collection already exists. However, it does not, and silently takes over an already provisioned instance. This can simply be enforced by creating a role collection with the `count` attribute.

Expected Behavior

No response

Steps To Reproduce

Create two role collections with the same name.

```hcl
resource "btp_subaccount_role_collection" "bug" {
  count = 2

  subaccount_id = "ce70e51a-01de-441b-b11e-4de5a93ba22e"
  name          = "Bug"
  roles         = []
}
```

User's Role Collections

No response

Add screenshots to help explain your problem


Additional context

No response

v0lkc commented 4 months ago

Fyi, I haven't checked the role collection resources on directory or globalaccount level.

lechnerc77 commented 4 months ago

The API creating the role collection does not check if the role collection already exists and also does not return any information/error/warning if the role collection already existed and is taken over.

See https://api.sap.com/api/AuthorizationAPI/path/createRoleCollection

v0lkc commented 4 months ago

I'm not that sure, @lechnerc77. Have you seen the two different success states which the API returns? I'm guessing that 201 means the resource was created and 200 means it already exists. If that's the case, it would be an easy fix. Let the Terraform flow fail if the API returns 200.

lechnerc77 commented 4 months ago

This needs to be validated. We will also check this with the responsible team.

lechnerc77 commented 4 months ago

Update Retest: Backend response is always HTTP 200

lechnerc77 commented 4 months ago

@v0lkc Clarified with the responsible team. The underlying API returns the same status code independent of the new creation or when taking over an existing role collection. Hence, due to the existing API implementation, the only option is to check on the consumer side if the role collection already exists.
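
The consumer-side check described in the last comment, sketched in Go as an added example (not the provider's own code). `fakeBackend`, `Exists`, `CreateStrict` and `ApplyTwice` are hypothetical names, and the in-memory backend is constructed to mimic the always-HTTP-200 behaviour reported in the thread.

```go
package main

import (
	"errors"
	"fmt"
)

// ErrAlreadyExists marks a create that would take over an existing role collection.
var ErrAlreadyExists = errors.New("role collection already exists")

// fakeBackend is a constructed stand-in for the backend described in the thread:
// Create answers 200 whether the role collection is new or already present.
type fakeBackend struct{ names map[string]bool }

// Create mimics the reported behaviour: no existence check, always status 200.
func (b *fakeBackend) Create(name string) int {
	b.names[name] = true
	return 200
}

// Exists is the consumer-side lookup (hypothetical helper).
func (b *fakeBackend) Exists(name string) bool { return b.names[name] }

// CreateStrict performs the lookup first and refuses to adopt an existing
// role collection, because the status code cannot tell the two cases apart.
func CreateStrict(b *fakeBackend, name string) error {
	if b.Exists(name) {
		return fmt.Errorf("%q: %w; import it instead of creating it", name, ErrAlreadyExists)
	}
	if status := b.Create(name); status != 200 {
		return fmt.Errorf("%q: unexpected status %d", name, status)
	}
	return nil
}

// ApplyTwice replays the report's `count = 2` case: two creates with one name.
func ApplyTwice(b *fakeBackend) (first, second error) {
	first = CreateStrict(b, "Bug")
	second = CreateStrict(b, "Bug")
	return first, second
}

func main() {
	first, second := ApplyTwice(&fakeBackend{names: map[string]bool{}})
	fmt.Println("first create: ", first)
	fmt.Println("second create:", second)
}
```

The lookup and the create are two separate calls, so two applies running at the same time can both pass the check; the guard catches the sequential duplicate from the report, not a concurrent one.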