goharbor / terraform-provider-harbor

A Terraform provider for Harbor. To configure and manage all aspects of your Harbor Container Registry with Terraform Infrastructure as Code.
https://registry.terraform.io/providers/goharbor/harbor
MIT License

harbor_project_member_group resources not deleted #450

Open tucsolo opened 3 days ago

tucsolo commented 3 days ago

Hello there, I hope you can help me with this, or maybe we can work on it together.

Describe the bug
Given an OIDC (Keycloak) group name + permission and its linked project, the harbor_project and the subsequent harbor_project_member_group resources are correctly created, but after executing a terraform destroy the groups are still on Harbor. This happens with any group/project name and any group role.

To Reproduce
terraform apply and then terraform destroy on:

terraform {
  required_providers {
    harbor = {
      source = "goharbor/harbor"
    }
  }
}

provider "harbor" {
  url      = var.server_harbor_url
  username = var.server_harbor_username
  password = var.server_harbor_password
  insecure = var.server_harbor_insecure_connection
}

resource "harbor_project" "my_project" {
  name                        = "test_project"
}

resource "harbor_project_member_group" "my_project_group" {
  project_id = harbor_project.my_project.id
  group_name = "test_group"
  role       = "guest"
  type       = "oidc"
}

Expected behavior
After executing terraform destroy both resources should be deleted. The project is correctly deleted, the group isn't.

Additional context

flbla commented 2 days ago

Hello, harbor_project_member_group handles the membership, not the group itself. The creation (and deletion) of groups is handled by harbor_group, but with OIDC you can't use it. I think it's not the goal of harbor_project_member_group to check whether the group is still used or not; if we did this, it would mean that for each membership deletion the harbor provider would need to check all the projects to see whether the group is a member or not.

It should probably be handled by Harbor itself in the garbage collect feature.

(same as #437)

tucsolo commented 2 days ago

Hello, thanks for the answer

I just manually ran both Garbage Collection and Garbage Collection with "Allow garbage collection on untagged artifacts" enabled, but the groups are still there.

I'm questioning then: if checking whether a group is still used isn't the goal of harbor_project_member_group, and I can't "assign permissions on projects" to harbor_group-managed groups, how am I going to automate their deletion?

flbla commented 2 days ago

I worded my sentence badly. Garbage collection does not currently delete groups, but I think it should, at least for OIDC. Can you create an issue on the Harbor project if you need it? https://github.com/goharbor/harbor/issues

You can import the groups you want to delete as harbor_group resources before the deletion of the harbor_project_member_group. And for the next creation of a harbor_project_member_group, you can create the groups with terraform before you create the membership.
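The workaround flbla describes, written out as an added example that is not part of the original thread and not the provider's own documentation. It assumes the provider "harbor" block from the issue above is present in the same configuration, Terraform 1.5 or later (for the import block), and that the existing OIDC group's Harbor user-group ID is 42, which is a placeholder to be looked up in the Harbor UI or API before importing. The group_type numbering (3 = OIDC) follows the provider's harbor_group resource; the group_name reference is what makes Terraform create the group before the membership and, on destroy, remove the membership before the group, so nothing is left behind in Harbor.

```hcl
# Added example (not from the issue thread or the provider docs).
# Assumes the provider "harbor" block from the issue is configured alongside this file.

terraform {
  required_providers {
    harbor = {
      source = "goharbor/harbor"
    }
  }
}

# Step 1 (existing groups): bring the OIDC group that Harbor created on first login
# under Terraform management, so that `terraform destroy` deletes it too.
# Equivalent CLI form: terraform import harbor_group.test_group /usergroups/42
import {
  to = harbor_group.test_group
  id = "/usergroups/42" # placeholder: the group's ID as shown in the Harbor API/UI
}

resource "harbor_group" "test_group" {
  group_name = "test_group"
  group_type = 3 # 3 = OIDC (1 = LDAP, 2 = HTTP)
}

resource "harbor_project" "my_project" {
  name = "test_project"
}

# Step 2 (ordering): reference the managed group instead of a bare string.
# Terraform now creates the group before the membership and destroys the
# membership before the group, so the group cannot outlive the project.
resource "harbor_project_member_group" "my_project_group" {
  project_id = harbor_project.my_project.id
  group_name = harbor_group.test_group.group_name
  role       = "guest"
  type       = "oidc"
}
```

Run `terraform plan` once after adding the import block: it should show the group being imported (not created) and the membership being replaced only if its arguments actually changed. After the first successful apply the import block can be removed, and from then on `terraform destroy` removes the membership, the group and the project together.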