mongodb / terraform-provider-mongodbatlas

Terraform MongoDB Atlas Provider: Deploy, update, and manage MongoDB Atlas infrastructure as code through HashiCorp Terraform
https://registry.terraform.io/providers/mongodb/mongodbatlas
Mozilla Public License 2.0

X509 is using the wrong authentication database when updating an existing user #292

Closed themantissa closed 4 years ago

themantissa commented 4 years ago

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform v0.13.0
+ provider registry.terraform.io/terraform-providers/mongodbatlas v0.6.3

Steps to Reproduce

When attempting to modify an existing customer-managed X509 database user in an Atlas project, it appears that the provider malforms the endpoint URL - i.e. it seems to be ignoring the "auth_database_name" and inserting "admin" as the databasePath parameter instead of "$external". To demonstrate what I mean:

Plan for creating a customer-managed X509 user with the mongodbatlas terraform provider (this works):

Get the database user object after creation with a call to the Get a Single Database User endpoint:

{
  "awsIAMType": "NONE",
  "databaseName": "$external",
  "groupId": "REDACTED",
  "labels": [],
  "ldapAuthType": "NONE",
  "links": [
    {
      "href": "https://cloud.mongodb.com/api/atlas/v1.0/groups/REDACTED/databaseUsers/$external/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
      "rel": "self"
    }
  ],
  "roles": [
    {
      "databaseName": "admin",
      "roleName": "readWriteAnyDatabase"
    }
  ],
  "scopes": [],
  "username": "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
  "x509Type": "CUSTOMER"
}

Plan for modifying roles of that user:

~ resource "mongodbatlas_database_user" "atlas" {
    auth_database_name = "$external"
    id                 = "REDACTED-butlongID"
    project_id         = "REDACTED"
    username           = "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser"
    x509_type          = "CUSTOMER"

    labels {
        key   = "%s"
        value = "%s"
    }

  - roles {
      - database_name = "admin" -> null
      - role_name     = "readWriteAnyDatabase" -> null
    }
  + roles {
      + collection_name = (known after apply)
      + database_name   = "admin"
      + role_name       = "atlasAdmin"
    }
}

This fails:

Error: error updating database user(C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser): PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/REDACTED/databaseUsers/admin/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser: 404 (request "Not Found") No user with username C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser exists.

This is the API call that the provider makes as a result of the above, notice how the databaseName parameter is "admin" instead of "$external":

PATCH /api/atlas/v1.0/groups/REDACTED/databaseUsers/admin/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser HTTP/1.1

Manually making the same request with the databaseName parameter set to "$external" works as expected:

PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/REDACTED/databaseUsers/$external/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser

body:

{
  "roles": [
    {
      "databaseName": "admin",
      "roleName": "atlasAdmin"
    }
  ]
}

response:

{
  "awsIAMType": "NONE",
  "databaseName": "$external",
  "groupId": "REDACTED",
  "labels": [],
  "ldapAuthType": "NONE",
  "links": [
    {
      "href": "https://cloud.mongodb.com/api/atlas/v1.0/groups/REDACTED/databaseUsers/$external/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
      "rel": "self"
    }
  ],
  "roles": [
    {
      "databaseName": "admin",
      "roleName": "atlasAdmin"
    }
  ],
  "scopes": [],
  "username": "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
  "x509Type": "CUSTOMER"
}

As a result of the above tests, I believe this is a bug in the PATCH functionality of the mongodbatlas-database-user.

Expected Behavior

See above for full explanation

Actual Behavior

See above for full explanation

References

PRODTRIAGE-814
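As an added illustration (not code from the provider or from the reporter), the Go sketch below shows how the authentication database for the PATCH path can be derived from the user's auth type instead of being hard-wired to "admin", and how a config whose auth_database_name contradicts the auth type can be rejected before any request is sent. The DatabaseUser type and the function names are assumptions; the path layout follows the URLs quoted in the report.

```go
package main

import "fmt"

// DatabaseUser holds the mongodbatlas_database_user fields that decide which authentication database a user lives in (hypothetical type, not the provider's).
type DatabaseUser struct {
	ProjectID, Username string
	AuthDatabaseName    string // "admin" or "$external", as written in the config
	// NONE means the mechanism is unused; otherwise MANAGED/CUSTOMER, USER/ROLE, USER/GROUP.
	X509Type, AWSIAMType, LDAPAuthType string
}

// externalAuth reports whether the user authenticates outside MongoDB (X.509,
// AWS IAM or LDAP); Atlas keeps such users in the "$external" database.
func externalAuth(u DatabaseUser) bool {
	set := func(t string) bool { return t != "" && t != "NONE" }
	return set(u.X509Type) || set(u.AWSIAMType) || set(u.LDAPAuthType)
}

// authDatabase returns the path segment an update must use and rejects an
// auth_database_name that contradicts the auth type, so a mismatch fails up front rather than as a 404.
func authDatabase(u DatabaseUser) (string, error) {
	want := "admin"
	if externalAuth(u) {
		want = "$external"
	}
	if u.AuthDatabaseName != "" && u.AuthDatabaseName != want {
		return "", fmt.Errorf("user %q: auth_database_name %q conflicts with auth type (expected %q)", u.Username, u.AuthDatabaseName, want)
	}
	return want, nil
}

// buggyPatchPath reproduces the reported behaviour: "admin" is hard-wired.
func buggyPatchPath(u DatabaseUser) string {
	return fmt.Sprintf("/api/atlas/v1.0/groups/%s/databaseUsers/admin/%s", u.ProjectID, u.Username)
}

// patchPath builds the endpoint from the database the user actually lives in.
func patchPath(u DatabaseUser) (string, error) {
	db, err := authDatabase(u)
	if err != nil {
		return "", err
	}
	return fmt.Sprintf("/api/atlas/v1.0/groups/%s/databaseUsers/%s/%s", u.ProjectID, db, u.Username), nil
}

func main() {
	u := DatabaseUser{ProjectID: "REDACTED", Username: "CN=sampleuser", AuthDatabaseName: "$external", X509Type: "CUSTOMER"}
	fmt.Println(buggyPatchPath(u)) // wrong: .../databaseUsers/admin/CN=sampleuser
	fmt.Println(patchPath(u))      // right: .../databaseUsers/$external/CN=sampleuser <nil>
}
```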

themantissa commented 4 years ago

Please note this work is in progress and slated for 0.6.5