opensearch-project / terraform-provider-opensearch

https://registry.terraform.io/providers/opensearch-project/opensearch
Apache License 2.0

backend_roles and and_backend_roles - https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/roles_mapping[BUG] #156

Open kcorelight opened 5 months ago

kcorelight commented 5 months ago

What is the bug?

When I try to apply this resource, it removes the existing security users. So, no user has permission to update the role with additional users.

I am trying to understand the differences between backend_roles and and_backend_roles. The documentation is not clear: https://registry.terraform.io/providers/phillbaker/elasticsearch/latest/docs/resources/opensearch_roles_mapping

How can one reproduce the bug?

```hcl
resource "opensearch_roles_mapping" "security_manager_mapping" {
  role_name     = "security_manager"
  description   = "Mapping AWS IAM roles to ES role"
  backend_roles = concat(var.security_access_roles, [var.saml_master_backend_role])
}
```

Here var.saml_master_backend_role already has security manager permissions. But I still see the following error:

```text
╷
│ Error: elastic: Error 403 (Forbidden)
│
│   with module.opensearch_logs_saml[0].opensearch_roles_mapping.security_manager_mapping,
│   on ../../../modules/common/opensearch_saml/roles_mapping.tf line 15, in resource "opensearch_roles_mapping" "security_manager_mapping":
│   15: resource "opensearch_roles_mapping" "security_manager_mapping" {
│
╵
[root@a044c3c081a3 NorthAmerica]#
```

What is the expected behavior?

The expected behavior is that additional backend roles will be mapped to this OpenSearch role.

What is your host/environment?

All OS

Do you have any screenshots?

```text
╷
│ Error: elastic: Error 403 (Forbidden)
│
│   with module.opensearch_logs_saml[0].opensearch_roles_mapping.security_manager_mapping,
│   on ../../../modules/common/opensearch_saml/roles_mapping.tf line 15, in resource "opensearch_roles_mapping" "security_manager_mapping":
│   15: resource "opensearch_roles_mapping" "security_manager_mapping" {
│
╵
[root@a044c3c081a3 NorthAmerica]#
```

Do you have any additional context?


prudhvigodithi commented 5 months ago

[Triage] Thanks @kcorelight. Looks similar to https://github.com/opensearch-project/terraform-provider-opensearch/issues/153 and https://github.com/opensearch-project/terraform-provider-opensearch/issues/158.

Adding @rblcoder @bbarani

rblcoder commented 5 months ago

@kcorelight https://github.com/opensearch-project/terraform-provider-opensearch/blob/main/provider/resource_opensearch_roles_mapping.go is calling `_plugins/_security/api/rolesmapping/`.

`PUT _plugins/_security/api/rolesmapping/` will replace the existing role mapping, right? (https://opensearch.slack.com/archives/D060NNV468H/p1707909374961869) You would also need to specify any existing users and backend_roles for the role mapping in the terraform code itself.
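One way to keep a mapping update additive under those PUT-replaces semantics, as an added example that is not part of the provider or this thread: read the current mapping, merge the desired entries into it, and refuse to write a body that would drop the backend role the caller itself authenticates with (the situation that produces the 403 above). The GET response shape and the ARN values are assumptions, constructed for the example.

```python
"""Read-merge-write helper for the OpenSearch security roles mapping API.

Added example, not provider code. PUT _plugins/_security/api/rolesmapping/<role>
replaces the whole mapping, so a body that omits an existing backend role silently
removes it. The merge keeps every existing user/host/backend role and refuses to
produce a body that would unmap the identity running the update.
"""

LIST_FIELDS = ("backend_roles", "users", "hosts", "and_backend_roles")


class LockoutRisk(Exception):
    """Raised when the merged mapping would remove the caller's own backend role."""


def merge_role_mapping(current, desired, caller_backend_role):
    """Return the full PUT body: union of current and desired list fields.

    `current` is the mapping object for one role, in the (assumed) shape returned
    by GET _plugins/_security/api/rolesmapping/<role>; `desired` holds the entries
    Terraform wants to add; `caller_backend_role` is the role the API client maps to.
    """
    merged = {f: list(current.get(f, [])) for f in LIST_FIELDS}
    for f in LIST_FIELDS:
        for entry in desired.get(f, []):
            if entry not in merged[f]:
                merged[f].append(entry)
    merged["description"] = desired.get("description", current.get("description", ""))
    # Guard: the identity performing the update must still be mapped afterwards,
    # otherwise its next request (including Terraform's own refresh) gets a 403.
    if caller_backend_role not in merged["backend_roles"]:
        raise LockoutRisk(f"{caller_backend_role!r} would no longer be mapped")
    return merged


def dropped_entries(current, proposed):
    """List (field, value) pairs a proposed PUT body would remove; use at plan review."""
    return [(f, v) for f in LIST_FIELDS
            for v in current.get(f, []) if v not in proposed.get(f, [])]


# Constructed sample of what GET .../rolesmapping/security_manager might return.
CURRENT_MAPPING = {
    "security_manager": {
        "reserved": False, "hidden": False,
        "backend_roles": ["arn:aws:iam::000000000000:role/saml-master"],  # placeholder ARN
        "users": ["admin"], "hosts": [], "and_backend_roles": [],
        "description": "Mapping AWS IAM roles to ES role",
    }
}
```

Running `merge_role_mapping(CURRENT_MAPPING["security_manager"], {"backend_roles": ["arn:aws:iam::000000000000:role/log-readers"]}, "arn:aws:iam::000000000000:role/saml-master")` yields a body that still carries `admin` and the saml-master role; `dropped_entries` against a Terraform-only body shows exactly what a bare PUT would remove.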