Terraform CLI and Terraform MongoDB Atlas Provider Version
Steps to Reproduce
When attempting to modify an existing customer-managed X509 database user in an Atlas project, it appears that the provider malforms the endpoint URL, i.e. it seems to be ignoring the "auth_database_name" and inserting "admin" as the databasePath parameter instead of "$external". To demonstrate what I mean:
Plan for creating a customer-managed X509 user with the mongodbatlas terraform provider (this works):
```hcl
resource "mongodbatlas_database_user" "atlas" {
  auth_database_name = "$external"
  id                 = (known after apply)
  project_id         = "REDACTED"
  username           = "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser"
  x509_type          = "CUSTOMER"

  labels {
    # (block body truncated in the original report)
  }
  roles {
    # (block body truncated in the original report)
  }
}
```
Get the database user object after creation with a call to the Get a Single Database User endpoint:
```json
{
  "awsIAMType": "NONE",
  "databaseName": "$external",
  "groupId": "REDACTED",
  "labels": [],
  "ldapAuthType": "NONE",
  "links": [
    {
      "href": "https://cloud.mongodb.com/api/atlas/v1.0/groups/REDACTED/databaseUsers/$external/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
      "rel": "self"
    }
  ],
  "roles": [
    {
      "databaseName": "admin",
      "roleName": "readWriteAnyDatabase"
    }
  ],
  "scopes": [],
  "username": "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
  "x509Type": "CUSTOMER"
}
```
Plan for modifying roles of that user:
```hcl
~ resource "mongodbatlas_database_user" "atlas" {
      auth_database_name = "$external"
      id                 = "REDACTED-butlongID"
      project_id         = "REDACTED"
      username           = "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser"
      x509_type          = "CUSTOMER"
      # (changed roles block truncated in the original report)
  }
```
This fails:
```text
Error: error updating database user(C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser): PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/REDACTED/databaseUsers/admin/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser: 404 (request "Not Found") No user with username C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser exists.
```
This is the API call that the provider makes as a result of the above, notice how the databaseName parameter is "admin" instead of "$external":
```http
PATCH /api/atlas/v1.0/groups/REDACTED/databaseUsers/admin/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser HTTP/1.1
```
Manually making the same request with the databaseName parameter set to "$external" works as expected:
```http
PATCH https://cloud.mongodb.com/api/atlas/v1.0/groups/REDACTED/databaseUsers/$external/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser
```

body:

```json
{ "roles": [ { "databaseName": "admin", "roleName": "atlasAdmin" } ] }
```

response:

```json
{
  "awsIAMType": "NONE",
  "databaseName": "$external",
  "groupId": "REDACTED",
  "labels": [],
  "ldapAuthType": "NONE",
  "links": [
    {
      "href": "https://cloud.mongodb.com/api/atlas/v1.0/groups/REDACTED/databaseUsers/$external/C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
      "rel": "self"
    }
  ],
  "roles": [
    {
      "databaseName": "admin",
      "roleName": "atlasAdmin"
    }
  ],
  "scopes": [],
  "username": "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
  "x509Type": "CUSTOMER"
}
```
As a result of the above tests, I believe this is a bug in the PATCH (update) functionality of the mongodbatlas_database_user resource.
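To make the defect concrete, here is an added Go example (not the provider's own code) that builds the database-user PATCH URL both the way the report describes (auth database ignored, "admin" hard-coded) and the way it should be built from auth_database_name, and adds the pre-flight check a practitioner would want: compare the {DATABASE-NAME} segment of the URL about to be PATCHed with the databaseName that the "Get a Single Database User" call reports. The function names updatePathBuggy, updatePath and patchTargetMatches are assumptions, sampleGetResponse is constructed from the GET response above, and treating an empty auth_database_name as "admin" is an assumption of this example rather than documented provider behaviour.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
)

// Base of the Atlas v1.0 API as used in the report above.
const atlasBase = "https://cloud.mongodb.com/api/atlas/v1.0"

// DatabaseUser holds the resource attributes that address a user in the API.
type DatabaseUser struct {
	ProjectID        string // project_id
	AuthDatabaseName string // auth_database_name
	Username         string // username (an X.509 DN for x509_type = "CUSTOMER")
	X509Type         string // x509_type
}

// sampleGetResponse is a constructed copy of the GET response shown in the
// report, reduced to the fields this example reads.
const sampleGetResponse = `{
  "databaseName": "$external",
  "groupId": "REDACTED",
  "roles": [{"databaseName": "admin", "roleName": "readWriteAnyDatabase"}],
  "username": "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser",
  "x509Type": "CUSTOMER"
}`

// updatePathBuggy reproduces the behaviour described in the report: the
// resource's auth_database_name is ignored and "admin" is hard-coded.
func updatePathBuggy(u DatabaseUser) string {
	return fmt.Sprintf("%s/groups/%s/databaseUsers/admin/%s",
		atlasBase, url.PathEscape(u.ProjectID), url.PathEscape(u.Username))
}

// updatePath builds the PATCH URL from auth_database_name and refuses to
// address an X.509 user anywhere but $external, where Atlas keeps such users.
// Defaulting an empty auth_database_name to "admin" is an assumption here.
func updatePath(u DatabaseUser) (string, error) {
	db := u.AuthDatabaseName
	if db == "" {
		db = "admin"
	}
	if u.X509Type != "" && u.X509Type != "NONE" && db != "$external" {
		return "", fmt.Errorf("x509 user %q must use auth_database_name $external, got %q", u.Username, db)
	}
	// Each segment is percent-encoded on its own (the DN's commas become %2C),
	// so a username containing "/" cannot introduce extra path segments.
	return fmt.Sprintf("%s/groups/%s/databaseUsers/%s/%s",
		atlasBase, url.PathEscape(u.ProjectID), url.PathEscape(db), url.PathEscape(u.Username)), nil
}

// patchTargetMatches checks that the {DATABASE-NAME} segment of a planned
// PATCH URL equals the databaseName Atlas reports for the user. A mismatch is
// exactly what produced the 404 in the report, so it is worth catching before
// the request is sent rather than after a role change silently fails to apply.
func patchTargetMatches(patchURL string, getResponse []byte) (bool, error) {
	var got struct {
		DatabaseName string `json:"databaseName"`
	}
	if err := json.Unmarshal(getResponse, &got); err != nil {
		return false, err
	}
	parsed, err := url.Parse(patchURL)
	if err != nil {
		return false, err
	}
	// Split the still-escaped path so an encoded "/" in the username stays
	// inside its own segment.
	segs := strings.Split(strings.Trim(parsed.EscapedPath(), "/"), "/")
	for i, s := range segs {
		if s == "databaseUsers" && i+2 < len(segs) {
			dbSeg, err := url.PathUnescape(segs[i+1])
			if err != nil {
				return false, err
			}
			return dbSeg == got.DatabaseName, nil
		}
	}
	return false, errors.New("path does not look like .../databaseUsers/{db}/{user}")
}

func main() {
	u := DatabaseUser{ProjectID: "REDACTED", AuthDatabaseName: "$external",
		Username: "C=US,ST=California,L=CITY,O=COMPANY,OU=UNIT,CN=sampleuser", X509Type: "CUSTOMER"}
	buggy := updatePathBuggy(u)
	ok, _ := patchTargetMatches(buggy, []byte(sampleGetResponse))
	fmt.Printf("buggy: %s\n  target matches GET databaseName: %v\n", buggy, ok)
	fixed, err := updatePath(u)
	if err != nil {
		panic(err)
	}
	ok, _ = patchTargetMatches(fixed, []byte(sampleGetResponse))
	fmt.Printf("fixed: %s\n  target matches GET databaseName: %v\n", fixed, ok)
}
```

Running it prints the "admin" URL with the check reporting false and the "$external" URL with the check reporting true. The check is deliberately driven by what the API says about the user rather than by the local resource state, so it would also flag a drifted auth_database_name in the Terraform configuration.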
Expected Behavior
See above for full explanation
Actual Behavior
See above for full explanation
References
PRODTRIAGE-814