akamai / terraform-provider-akamai

Terraform Akamai provider
https://www.terraform.io/docs/providers/akamai/
Mozilla Public License 2.0

DXE-4326 akamai_edgekv resource always issues a `PUT /edgekv/v1/initialize` #589

Open aukevanleeuwen opened 6 days ago

aukevanleeuwen commented 6 days ago

Terraform and Akamai Terraform Provider Versions

❯ terraform -v
Terraform v1.9.4
on darwin_arm64
+ provider registry.terraform.io/akamai/akamai v6.5.0
+ provider registry.terraform.io/hashicorp/aws v5.72.1

Affected Resource(s)

Please list the resources as a list, for example:

Terraform Configuration Files

resource "akamai_edgekv" "edgekv-staging" {
  count = var.orchestrated == null ? 0 : 1

  # EdgeKV for the staging network can only be US
  geo_location         = "US"
  group_id             = var.orchestrated.group_id
  namespace_name       = var.orchestrated.edgekv.config_namespace
  network              = "staging"
  retention_in_seconds = 0 # Infinite
}

Expected Behavior

I would like to have this resource run with the least amount of privileges.

Actual Behavior

Looking at my access denied error messages, but more specifically here: https://github.com/akamai/terraform-provider-akamai/blob/e591db9b56b78954f9825d174fc914ec98d4dd38/pkg/providers/edgeworkers/resource_akamai_edgekv.go#L141-L144 It appears the EdgeWorker Initialize call is always issued. If I'm reading everything correctly that would need quite a bit of permissions. Even write permission on the root group for CP codes for example. I would want to run this 'initialization' manually through some admin CLI credentials perhaps just once, after which it should ideally work with less permissions.

I'm no Golang expert, but looking at the code it should be quite trivial to first query the initialization status (i.e. `client.GetEdgeKVInitializationStatus(ctx)`) and depending on that start the initialization or just skip that call altogether. By my testing, the `client.GetEdgeKVInitializationStatus(ctx)` needs a lot less permissions.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply with the above mentioned resource
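The check-before-initialize flow proposed in the comment above, as an added Go sketch (not the provider's code). `Status`, `edgeKVClient`, `lowPrivClient`, `errForbidden` and the `InitializeEdgeKV` method name are assumptions for illustration, and the client is a constructed fake so the example runs offline.

```go
package main

import (
	"context"
	"errors"
	"fmt"
)

type Status struct{ AccountStatus string } // assumed shape, only the field used here

// edgeKVClient is a hypothetical, narrowed interface for this example.
type edgeKVClient interface {
	GetEdgeKVInitializationStatus(ctx context.Context) (*Status, error)
	InitializeEdgeKV(ctx context.Context) (*Status, error) // assumed name
}

var errForbidden = errors.New("403 on PUT /edgekv/v1/initialize")

// lowPrivClient is a constructed fake: it may read status but is denied initialize.
type lowPrivClient struct {
	status   string
	putCalls int
}

func (c *lowPrivClient) GetEdgeKVInitializationStatus(context.Context) (*Status, error) {
	return &Status{AccountStatus: c.status}, nil
}

func (c *lowPrivClient) InitializeEdgeKV(context.Context) (*Status, error) {
	c.putCalls++
	return nil, errForbidden
}

// ensureInitialized issues the privileged PUT only when the status says it is needed.
func ensureInitialized(ctx context.Context, c edgeKVClient) error {
	st, err := c.GetEdgeKVInitializationStatus(ctx)
	if err != nil {
		return fmt.Errorf("reading EdgeKV status: %w", err)
	}
	if st.AccountStatus == "INITIALIZED" {
		return nil // initialized earlier with admin credentials: skip the PUT
	}
	_, err = c.InitializeEdgeKV(ctx)
	return err
}

func main() {
	fmt.Println(ensureInitialized(context.Background(), &lowPrivClient{status: "INITIALIZED"}))
}
```

With this ordering a read-only credential succeeds once the account has been initialized out of band, and the access-denied error surfaces only when initialization is genuinely still required.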

aukevanleeuwen commented 6 days ago

Also: the PUT seems rather slow, compared to the GET:

❯ time akamai edgekv show status
----------------------------------
--- EdgeKV already INITIALIZED ---
----------------------------------
AccountStatus  ProductionStatus  StagingStatus  Cpcode   DataAccessPolicy
-------------  ----------------  -------------  -------  -----------------------------------------------------------
INITIALIZED    INITIALIZED       INITIALIZED    xxxxxxx  restrictDataAccess=true, allowNamespacePolicyOverride=false

akamai edgekv show status  0.22s user 0.07s system 21% cpu 1.354 total
❯ time akamai edgekv init
---------------------------------------
--- EdgeKV INITIALIZED successfully ---
---------------------------------------
AccountStatus  ProductionStatus  StagingStatus  Cpcode   DataAccessPolicy
-------------  ----------------  -------------  -------  ----------------
INITIALIZED    INITIALIZED       INITIALIZED    xxxxxxx  N/A

akamai edgekv init  0.28s user 0.13s system 2% cpu 13.921 total

lsadlon commented 6 days ago

Hi @aukevanleeuwen

Thanks for reporting this issue. We need to analyze the impact of this change and we will inform you about progress.

BR, Lukasz