SAP / terraform-provider-btp

Terraform provider for SAP BTP
https://registry.terraform.io/providers/SAP/btp/latest
Apache License 2.0
91 stars 18 forks

[BUG] Error: API Error Deleting Resource Role Collection Assignment (Subaccount). Cannot delete last admin user of subaccount. #883

Closed ptesny closed 3 months ago

ptesny commented 3 months ago

Is there an existing issue for this?

What version of the Terraform provider are you using?

1.5.0

What version of the Terraform CLI are you using?

1.9.3

What type of issue are you facing

bug report

Describe the bug

Error: API Error Deleting Resource Role Collection Assignment (Subaccount). Cannot delete last admin user of subaccount. This happens when:

  1. the tf script is run with a platform user that belongs to a custom idp defined on a global account level
  2. a new subaccount is being created and additional subaccount admin users are being added
  3. these additional subaccount admin users exclude both the platform user above and the GA owner
  4. if these admin users are added to the default identity provider only, the bug will occur
  5. adding these users to both default and custom identity providers removes the race condition and solves the problem
  6. on a side note, if the platform user - the runner of the tf script - is a user coming from a default identity provider, there is no error

resource "btp_subaccount_role_collection_assignment" "subaccount_users" {
  #
  # https://github.com/SAP/terraform-provider-btp/issues/345
  /*
  depends_on         = [btp_subaccount_trust_configuration.custom_idp]
  */

  # var.emergency_admins is a list(string); it is passed to toset() directly,
  # wrapping a list in "${...}" is rejected by Terraform (string required)
  for_each             = toset(var.emergency_admins)
  subaccount_id        = data.btp_subaccount.context.id
  role_collection_name = "Subaccount Administrator"
  user_name            = each.value
  #origin               = btp_subaccount_trust_configuration.custom_idp.origin
}

To summarize, if the tf script runner is a custom identity provider user and admin users are being added to the subaccount as default identity provider users, this error occurs.

Expected Behavior

No response

Steps To Reproduce

This happens when:

  1. the tf script is run with a platform user that belongs to a custom idp defined on a global account level
  2. a new subaccount is being created and additional subaccount admin users are being added
  3. these additional subaccount admin users exclude both the platform user above and the GA owner
  4. if these admin users are added to the default identity provider only, the bug will occur
  5. adding these users to both default and custom identity providers removes the race condition and solves the problem
  6. on a side note, if the platform user - the runner of the tf script - is a user coming from a default identity provider, there is no error

resource "btp_subaccount_role_collection_assignment" "subaccount_users" {
  #
  # https://github.com/SAP/terraform-provider-btp/issues/345
  /*
  depends_on         = [btp_subaccount_trust_configuration.custom_idp]
  */

  # var.emergency_admins is a list(string); it is passed to toset() directly,
  # wrapping a list in "${...}" is rejected by Terraform (string required)
  for_each             = toset(var.emergency_admins)
  subaccount_id        = data.btp_subaccount.context.id
  role_collection_name = "Subaccount Administrator"
  user_name            = each.value
  # uncomment the line below to solve the issue if the tf script runner is a user belonging to the custom idp;
  # if the tf script runner belongs to the default SAP ID, there is no error
  #origin               = btp_subaccount_trust_configuration.custom_idp.origin
}

To summarize, if the tf script runner is a custom identity provider user and admin users are being added to the subaccount as default identity provider users, this error occurs.

User's Role Collections

One can easily locate the undeleted role collection in the tf state file. Removing it from the state file and running tf apply allows the subaccount destruction to complete.

Add screenshots to help explain your problem

No response

Additional context

No response
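An added example, not the issue author's configuration, of the workaround described in step 5: every emergency admin is assigned the Subaccount Administrator collection in both the default identity provider and the custom one, so no destroy ordering can leave the subaccount with a single admin in the platform's view. It assumes data.btp_subaccount.context from the issue, a hypothetical var.custom_idp_host (hostname of the custom IdP), that "sap.default" is the origin key of the default SAP ID service, and that the provider's btp_whoami data source exposes the runner's e-mail.

```hcl
# Added example (not from the issue). Assumed inputs: var.emergency_admins
# (list of e-mail addresses) and var.custom_idp_host (custom IdP hostname).
variable "emergency_admins" {
  type = list(string)
}

variable "custom_idp_host" {
  type = string
}

# Identity of the user running Terraform (assumed data source), used only to
# refuse a list that contains the runner: that case breaks destroy (issue 345).
data "btp_whoami" "me" {}

# Trust to the custom IdP on the subaccount; its computed origin key is what
# users coming from that IdP must be assigned with.
resource "btp_subaccount_trust_configuration" "custom_idp" {
  subaccount_id     = data.btp_subaccount.context.id
  identity_provider = var.custom_idp_host
}

locals {
  # One assignment per (user, origin) pair. The map key uses a fixed label
  # instead of the origin value, so it is known at plan time even though the
  # custom origin is only computed once the trust configuration exists.
  admin_assignments = {
    for pair in setproduct(var.emergency_admins, ["default", "custom"]) :
    "${pair[0]}|${pair[1]}" => {
      user   = pair[0]
      origin = pair[1] == "default" ? "sap.default" : btp_subaccount_trust_configuration.custom_idp.origin
    }
  }
}

resource "btp_subaccount_role_collection_assignment" "subaccount_users" {
  for_each             = local.admin_assignments
  subaccount_id        = data.btp_subaccount.context.id
  role_collection_name = "Subaccount Administrator"
  user_name            = each.value.user
  origin               = each.value.origin

  lifecycle {
    precondition {
      condition     = !contains([for u in var.emergency_admins : lower(u)], lower(data.btp_whoami.me.email))
      error_message = "The user running Terraform must not be listed in emergency_admins; destroy would then remove the last admin."
    }
  }
}
```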

CHERIANS commented 3 months ago

@ptesny, is the user who runs the tf script part of this list var.emergency_admins specified here: for_each = toset("${var.emergency_admins}")? If yes, then this will throw an error during destroy, as specified by @lechnerc77 here: https://github.com/SAP/terraform-provider-btp/issues/345#issuecomment-1655136400

ptesny commented 3 months ago

@ptesny, is the user who runs the tf script part of this list var.emergency_admins specified here: for_each = toset("${var.emergency_admins}")? If yes, then this will throw an error during destroy, as specified by @lechnerc77 here: #345 (comment)

@CHERIANS, no, it is not part of the list... please read the steps to reproduce above:

these additional subaccount admin users exclude both the platform user above and the GA owner

lechnerc77 commented 3 months ago

@ptesny I do not fully understand the procedure tbh. Could you share your complete TF scripts (in the best case a reference to GH repo) including the variables you set (in this case users), so that we can take a look at the complete script and the setup that causes the error.

The error message is an (in the meantime) unnecessary safeguard of the platform when trying to remove the last admin user on subaccount level.

ptesny commented 3 months ago

@lechnerc77, the root cause of the reported issue is most likely a problem with the BTP GA account that stopped populating the custom platform IdP (the one defined on the GA level) to both the existing and the newly created subaccounts (which is the default behaviour). As of today, this seems to be working again (with the same GA), so for the sake of time I will be closing the issue for now.