search

mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0
246 stars 179 forks source link

401 Unauthorised when importing Organization, but other resources import successfully #1622

Open seddy opened 1 year ago

seddy commented 1 year ago

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform v1.6.2
on linux_amd64
+ provider registry.terraform.io/mongodb/mongodbatlas v1.12.3

Terraform Configuration File

# main.tf
terraform {
  required_providers {
    mongodbatlas = {
      source = "mongodb/mongodbatlas"
    }
  }
}

provider "mongodbatlas" {
  public_key  = "<public-api-key>"
  private_key = "<private-api-key>"
}

Steps to Reproduce

We're attempting to import an existing Organization into the state. This fails on a 401. However, other state imports (e.g. of projects) work fine. The API key being used has all permissions, we've tried with multiple different keys and it's the same behaviour each time.

For this example, we can just use following configuration:

resource "mongodbatlas_organization" "seddys_org" {
}

resource "mongodbatlas_project" "seddys_project" {
}

The API key we're using has all permissions at the Organization level and all permissions at the Project level. The behaviour is the same if it just has the Owner permission on both.

I've used the same API key to get the organization details using the API and it returns successfully, so I'm reasonably certain this is not a configuration issue with permissions on the API key.

Expected Behavior

Running both of these two commands should succeed:

terraform import mongodbatlas_organization.seddys_org <org-id>
terraform import mongodbatlas_project.seddys_project <project-id>

Both should succeed with:

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Actual Behavior

The Project import works fine, the Organization import fails with:

│ Error: error reading organization information: GET https://cloud.mongodb.com/api/atlas/v1.0/orgs/<org-id>: 401 (request "") You are not authorized for this resource.

References

This is very similar to the issue outlined in #385, however that was two years ago and resolved outside of github. There were no potential fixes in there, so I'm re-raising it as a separate issue.

github-actions[bot] commented 1 year ago

Thanks for opening this issue! Please make sure you've followed our guidelines when opening the issue. In short, to help us reproduce the issue we need:

The ticket INTMDB-1288 was created for internal tracking.

AgustinBettati commented 1 year ago

Hello @seddy, thank you for the details provided.

I was able to reproduce the error, and identified an issue with how we are handling the import logic in this resource. We will keep you updated with any progress made in INTMDB-1288.

AgustinBettati commented 11 months ago

Hello @seddy, I wanted to follow up on this issue to gain more understanding on your use case for importing this resource. I am asking this because there are existing terraform resources we might be able to leverage depending on the attributes you are looking to obtain or modify.

seddy commented 11 months ago

Nothing too crazy @AgustinBettati as there's not tons to manage on this resource. What I'm interested in is:

  1. I'd rather not use magic var strings for critical things like organisation ID. I'd rather have that maintained inside the terraform state if I can and refer to it with mongodbatlas_organization.org.id
  2. I may want to change things like the description, and more importantly the owner of the organization which is a critical change that I'd like to be able to track in terraform
  3. The documentation says I should be able to do this, and importing terraform state is a fairly core to terraform, so if it's not possible for some reason that should be clearly explained in the docs.
AgustinBettati commented 11 months ago

With regards to being able to reference mongodbatlas_organization.org.id, I can suggest making use of the data source to have a single place were the id is defined while also ensuring the id is valid.

We have recently updated our documentation in https://github.com/mongodb/terraform-provider-mongodbatlas/pull/1806 to clarify the limitation, this will be present the coming release. Being able to support the import feature for organization resource will require a change from the API side which is currently planned in the long term. Will leave this github issue open in the interim, internal tracking ticket CLOUDP-215155.