search

datastax / terraform-provider-astra

A project that allows DataStax Astra users to manage their full database lifecycle for Astra Serverless databases (built on Apache Cassandra(TM)) using Terraform
https://registry.terraform.io/providers/datastax/astra
Mozilla Public License 2.0
20 stars 23 forks source link

Terraform script drop and recreate the same keyspace leading to the admin user loses access to the recreated keyspace #294

Open GLZ9568 opened 1 year ago

GLZ9568 commented 1 year ago

The customer has reported that after they use Terraform script to drop and recreate keyspace cssservice, their admin user admin-ocp-p-p-uspd-css-cass-01 loses access to the recreated keyspace.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

 + create
 ~ update in-place
Terraform will perform the following actions:
 # module.ds-astra-cluster.astra_keyspace.this["dekms"] will be created
 + resource "astra_keyspace" "this" {
   + database_id = "51a23389-1499-4d64-b73a-c958f96e79a0"
   + id     = (known after apply)
   + name    = "dekms"
  }
 # module.ds-astra-cluster.astra_role.admin will be updated in-place
 ~ resource "astra_role" "admin" {
    id     = "d031a210-7a6b-4310-a993-fdf05409c3ed"
   ~ resources  = [
      "drn:astra:org:aa277a78-b6d6-495a-a67f-3715f6a9524a:db:51a23389-1499-4d64-b73a-c958f96e79a0:keyspace:default_unused",
     + "drn:astra:org:aa277a78-b6d6-495a-a67f-3715f6a9524a:db:51a23389-1499-4d64-b73a-c958f96e79a0:keyspace:dekms",
    ]
    # (5 unchanged attributes hidden)
  }
Plan: 1 to add, 1 to change, 0 to destroy.

Below is the output from Terraform:

147 # module.ds-astra-cluster.astra_role.admin will be updated in-place
148 ~ resource "astra_role" "admin" {
149 ~ description = "admin-ocp-p-p-uspd-css-cass-01" -> "Admin role"
150 id = "5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb"
...
164Plan: 0 to add, 1 to change, 1 to destroy.
165module.ds-astra-cluster.astra_keyspace.this["cssservice"]: Destroying... [id=c2db6b6d-844c-4963-a225-58b9f91550dd/keyspace/cssservice]
166module.ds-astra-cluster.astra_role.admin: Modifying... [id=5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb]
167module.ds-astra-cluster.astra_keyspace.this["cssservice"]: Destruction complete after 0s
168module.ds-astra-cluster.astra_role.admin: Modifications complete after 1s [id=5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb]
...

it appears the astra_role.admin table is modified when a keyspace is dropped, does terraform modify the user roles when removing a keyspace? if so, does it add the correct access for the role back when the keyspace is recreated?

pgier commented 1 year ago

@GLZ9568 Can you provide the version of Terraform and the Astra provider/plugin, and also an example main.tf to reproduce the issue? The Terraform Astra provider shouldn't modify the contents of the role if the contents are directly specified. I'm guessing in this case there is a loop to dynamically create the permissions, which would cause the resources to be automatically added/removed, but I can't tell without the source main.tf.