aminueza / terraform-provider-minio

Terraform provider for managing MinIO S3 buckets and IAM Users.
https://registry.terraform.io/providers/aminueza/minio
GNU Affero General Public License v3.0

`minio_iam_service_account` resource keeps dropping policy. #517

Closed dmaes closed 12 months ago

dmaes commented 1 year ago

Description

minio_iam_service_account resource keeps dropping policy.

Steps to Reproduce

```hcl
resource "minio_iam_user" "user" {
  name = var.name
}

resource "minio_iam_service_account" "sa" {
  target_user = minio_iam_user.user.name
}

resource "minio_iam_user_policy_attachment" "policy" {
  for_each    = toset(var.policies)
  user_name   = minio_iam_user.user.name
  policy_name = each.key
}
```

Expected behavior: Clean terraform runs when nothing has changed

Actual behavior: The service account's policy is set to the policies from its user. Terraform picks this up, sees no policy defined in code, and tries to drop it on every run. Policy should be changed if any is defined and differs, but should be ignored when none is defined in code.

Reproduces how often: Always

Versions

Terraform: 1.5.5

Module: 1.18.0

Additional Information

Seems related to/introduced by Issue #501 and PR #502

ArataEM commented 1 year ago

I think that the better way would be to apply an empty policy if none is set for `minio_iam_service_account`. This way we can avoid cases like:

In this case, `terraform apply` won't change the service account's policy, but it will be changed because the user's policy has changed.

Functionally, a service account without a policy has the same permissions as one with the user's policy.

dmaes commented 1 year ago

Tested your PR, looks good.
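
The inheritance discussed in this thread can be avoided by pinning an explicit policy on the service account, so its permissions no longer follow changes to the parent user's policies. This is an added example, not code from the issue or the provider project; the bucket name `app-data`, the `sa_readonly` label and the variable declaration are constructed, and provider connection settings are assumed to be supplied separately.

```hcl
terraform {
  required_providers {
    minio = {
      source = "aminueza/minio"
    }
  }
}

# Declared here so the snippet is self-contained (assumption: a plain string).
variable "name" {
  type = string
}

resource "minio_iam_user" "user" {
  name = var.name
}

# Constructed least-privilege policy: read-only access to a single bucket.
# "app-data" is a placeholder bucket name, not taken from the issue.
data "minio_iam_policy_document" "sa_readonly" {
  statement {
    sid       = "ListBucket"
    actions   = ["s3:ListBucket"]
    resources = ["arn:aws:s3:::app-data"]
  }

  statement {
    sid       = "ReadObjects"
    actions   = ["s3:GetObject"]
    resources = ["arn:aws:s3:::app-data/*"]
  }
}

resource "minio_iam_service_account" "sa" {
  target_user = minio_iam_user.user.name

  # With a policy set in code, Terraform compares the server's value against
  # this document instead of against "no policy", and attaching further
  # policies to the user does not widen what this access key can do.
  policy = data.minio_iam_policy_document.sa_readonly.json
}
```

The service account's own policy narrows what the key can do within the parent user's permissions; it does not grant anything the user lacks.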