hashicorp / terraform-provider-vsphere

Terraform Provider for VMware vSphere
https://registry.terraform.io/providers/hashicorp/vsphere/
Mozilla Public License 2.0

Unable to attach a role to a permission if the role is created by the provider resource #2078

Open VanessaK97 opened 8 months ago

VanessaK97 commented 8 months ago


Terraform

v1.6.4

Terraform Provider

v2.6.0

VMware vSphere

v8.0

Description

I am onboarding an agent with VMware Data Services Manager (instruction). Roles and permissions are created via terraform. When a role is created, it is only visible under 'Administration', but cannot be linked in a permission in 'Inventory'. After editing or creating a role via the UI, the terraform roles can be linked in permissions. After running terraform destroy the roles are still visible and only disappear after editing or creating roles via the UI.

Affected Resources or Data Sources

Terraform Configuration

terraform {
  required_providers {
    vsphere = {
      source  = "hashicorp/vsphere"
      version = "2.6.0"
    }
  }
}

provider "vsphere" {}

data "vsphere_datacenter" "datacenter" {
  name = "Datacenter"
}

data "vsphere_distributed_virtual_switch" "dswitch" {
  name          = "DSwitch"
  datacenter_id = data.vsphere_datacenter.datacenter.id
}

data "vsphere_network" "vm_network" {
  name                            = "DSwitch-VM Network"
  datacenter_id                   = data.vsphere_datacenter.datacenter.id
  distributed_virtual_switch_uuid = data.vsphere_distributed_virtual_switch.dswitch.id
}

resource "vsphere_role" "dsm-network" {
  name            = "dsm-network"
  role_privileges = ["Network.Assign", "System.Anonymous", "System.Read", "System.View"]
}

resource "vsphere_entity_permissions" "vm_network_permissions" {
  entity_id   = data.vsphere_network.vm_network.id
  entity_type = "DistributedVirtualPortgroup"
  permissions {
    user_or_group = "vsphere.local\\dsm-user"
    propagate     = false
    is_group      = false
    role_id       = vsphere_role.dsm-network.id
  }
}

Debug Output

Debug Log

There is no explicit error or anything, so I set TF_LOG="DEBUG" to produce a log.

Panic Output

No response

Expected Behavior

I expect to see the created roles when I create or modify permissions in 'Inventory'.

Actual Behavior

The created roles are only visible under 'Administration' and I need to modify or create a role in the UI to see the roles I created with terraform in 'Inventory'.

This is the state after running terraform apply once and not modifying or creating any roles via the UI.

Steps to Reproduce

  1. Create a new role and a permission with this role.

Environment Details

No response

Screenshots

Roles in Administration

Roles in Administration (dsm-test was created via the UI before running terraform apply and dsm-network was created via terraform).

Roles in Inventory

Roles in Inventory (dsm-test was created via the UI before running terraform apply and dsm-root is a leftover of a previous terraform destroy).

References

No response

github-actions[bot] commented 8 months ago

Hello, VanessaK97!

Thank you for submitting an issue for this provider. The issue will now enter into the issue lifecycle.

If you want to contribute to this project, please review the contributing guidelines and information on submitting pull requests.

tenthirtyam commented 8 months ago

Seems to possibly be a duplicate of https://github.com/hashicorp/terraform-provider-vsphere/issues/1400.

VanessaK97 commented 8 months ago

Seems to possibly be a duplicate of #1400.

I don't see a connection here. They both have to do with vsphere_entity_permissions but the other issue is for the deletion of root folder permissions. In my case, I cannot see the created roles when creating permissions if I didn't create or modify a role via the UI after running terraform apply, so there seems to be a problem with updates of the Inventory.

tenthirtyam commented 2 months ago

Research Investigation: I've been able to reproduce this issue using:

Firstly, in the OP example, there would need to be a depends_on if the role is to be created prior to attempting to attach the permission to the role.

Example:

resource "vsphere_role" "dsm-network" {
  name            = "dsm-network"
  role_privileges = ["Network.Assign"]
}

resource "vsphere_entity_permissions" "vm_network_permissions" {
  depends_on  = [vsphere_role.dsm-network]
  entity_id   = data.vsphere_network.network.id
  entity_type = "DistributedVirtualPortgroup"
  permissions {
    user_or_group = "vsphere.local\\dsm-user"
    propagate     = false
    is_group      = false
    role_id       = vsphere_role.dsm-network.id
  }
}

Secondly, I have verified that after the role is opened in the vSphere UI only then is it usable with the Provider. I've also checked, just in case, with creation of role using PowerCLI and then consuming that role with Terraform - but there is no issue in PowerShell and it seems limited to the provider's creation of the resource.
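Because the symptom in this thread is only visible in the vSphere UI, a useful independent check is to ask the vCenter API directly whether the Terraform-created role exists, whether it carries exactly the privileges the configuration declared, and whether the portgroup permission is actually bound to it. The PowerCLI script below is an added example, not code from the issue or from the provider project; it assumes PowerCLI is installed, a placeholder vCenter hostname, and the role, portgroup and principal names used in the original configuration.

```powershell
# Added verification script (not part of the issue or the provider's code).
# Assumes PowerCLI is installed and an account with read access to roles and permissions.
$server    = 'vcenter.example.com'        # placeholder hostname, replace before use
$roleName  = 'dsm-network'                # role name from the issue's Terraform config
$pgName    = 'DSwitch-VM Network'         # portgroup name from the issue's Terraform config
$principal = 'VSPHERE.LOCAL\dsm-user'     # principal from the issue's Terraform config

# Privileges the Terraform configuration declares for the role.
$expected = @('Network.Assign', 'System.Anonymous', 'System.Read', 'System.View')

Connect-VIServer -Server $server | Out-Null

# 1. Is the role resolvable through the API at all, independent of the UI's role list?
$role = Get-VIRole -Name $roleName -ErrorAction SilentlyContinue
if (-not $role) {
    Write-Warning "Role '$roleName' was not returned by the API."
    Disconnect-VIServer -Server $server -Confirm:$false
    return
}
Write-Output "Role '$($role.Name)' found (id $($role.Id))."

# 2. Least-privilege check: flag any drift between declared and actual privileges.
$actual  = @($role.PrivilegeList)
$extra   = $actual   | Where-Object { $_ -notin $expected }
$missing = $expected | Where-Object { $_ -notin $actual }
if ($extra)   { Write-Warning "Privileges present but not declared: $($extra -join ', ')" }
if ($missing) { Write-Warning "Privileges declared but absent:      $($missing -join ', ')" }
if (-not $extra -and -not $missing) { Write-Output 'Privilege set matches the declared role.' }

# 3. Is the permission on the portgroup bound to this role for this principal?
$pg = Get-VDPortgroup -Name $pgName -ErrorAction SilentlyContinue
if (-not $pg) {
    Write-Warning "Portgroup '$pgName' not found."
} else {
    $perm = Get-VIPermission -Entity $pg -Principal $principal -ErrorAction SilentlyContinue
    if (-not $perm) {
        Write-Warning "No permission for '$principal' on '$pgName'."
    } elseif ($perm.Role -ne $roleName) {
        Write-Warning "Permission exists but uses role '$($perm.Role)', not '$roleName'."
    } else {
        Write-Output "Permission OK: principal=$($perm.Principal) role=$($perm.Role) propagate=$($perm.Propagate)"
    }
}

Disconnect-VIServer -Server $server -Confirm:$false
```

Running this immediately after `terraform apply`, before touching any role in the UI, separates the two possibilities the thread discusses: if step 1 and step 3 both succeed, the role and its binding exist on the server and the problem is limited to how the UI refreshes its role list; if step 3 fails while step 1 succeeds, the permission itself was not created against the role. Step 2 is there because privilege drift on a role used for delegated access is the kind of thing that should be caught at the same time.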