Setting `Available for user logon` as `false` for `sap.default` IDP using the provider resource

codeyogi911 commented 3 months ago

What area do you want to see improved?

terraform provider

Is your feature request related to a problem? Please describe.

I want to set the available_for_user_logon to false for the sap.default IDP after the creation of subaccount. Right now if I declare the resource like below:

resource "btp_subaccount_trust_configuration" "ias_config" {
  subaccount_id     = btp_subaccount.project.id
  identity_provider = "sap.default"
  available_for_user_logon = false
}

It gives me the error:


btp_subaccount_trust_configuration.ias_config: Creating...
╷
│ Error: API Error Creating Resource Trust Configuration (Subaccount)
│ 
│   with btp_subaccount_trust_configuration.ias_config,
│   on main.tf line 82, in resource "btp_subaccount_trust_configuration" "ias_config":
│   82: resource "btp_subaccount_trust_configuration" "ias_config" {
│ 
│ Custom IAS IDP already exists.
╵
Operation failed: failed running terraform apply (exit 1)

Describe the solution you would like

If the trust configuration already exists it should just update the params.

Describe alternatives you have considered

There is no other resource that could be used. Earlier I was using BTP CLI but since moving to remote apply from HCP it shows command not found error as BTP CLI is not installed on remote machines running in HCP.

Additional context

No response

github-actions[bot] commented 3 months ago

Thanks for the feature request. We evaluate it and update the issue accordingly.

Community Note

Voting for Prioritization

Please vote on this issue by adding a 👍 reaction to the original post to help the community and maintainers prioritize this request.
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request.

Volunteering to Work on This Issue

If you are interested in working on this issue, please leave a comment.
If this would be your first contribution, please review the contribution guide.

lechnerc77 commented 3 months ago

@codeyogi911 the bahavior you are experiencing is unfortunately an issue with the mechanics of the SAP BTP. When creating a subaccount the sap.default IDP is automatically linked to the subaccount. There is no option to deactivate this automatic assignment. Consequently the resource is existing on SAP BTP, but not managed by Terraform although the subaccount was created via Terraform.

The only way to resolve this situation is a multi-step process:

Create the subaccount (and the other resources you want to create) via a Terraform script
After successful creation, import the sap.defaultIDP via Terraform import block (see https://developer.hashicorp.com/terraform/language/import) to bring it under the management of Terraform. You can also give the experimental parameter -generate-config-out a try to let Terraform create the configuration for you. We made some good experience with this parameter although some manual post-processing might be necessary.
After successful import of the resource, change the parameters, in your case set the available for user logon parameter to false.

As there is nothing we can implement from the Terraform provider side to make this flow easier, I am closing this issue.

SAP / terraform-provider-btp