Open strobeti opened 1 year ago
[Triage] Could you help look into this? Thanks! @prudhvigodithi @phillbaker
Other AWS resource providers tend to have two resources for additive versus complete set resources: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership vs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_group_membership. I'd expect opensearch_roles_mapping could remain as is, but add something like opensearch_user_roles_mapping in addition that has the additive behavior. Though honestly the latter is usually all I use.
At the very least I think this behaviour should be documented. Very easy to lock yourself out of a cluster without knowing.
What is the bug?
Adding more than one opensearch_roles_mapping per role will cause inconsistency between the Terraform state and the actual mapping in OpenSearch.
OpenSearch's REST API provides an endpoint for role mapping using the role name as identifier: _plugins/_security/api/rolesmapping/<role> (OpenSearch Documentation).
Multiple opensearch_roles_mappings for the same role will result in multiple calls to this REST API, overwriting or deleting existing role mappings.
How can one reproduce the bug?
Add role:
opensearch_roles_mappings resources with the same role_name.
Remove one of these roles:
What is the expected behavior?
What is your host/environment?
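A pre-apply check for the collision described in this issue, as an added example that is not part of the original issue or the provider's code: it walks the JSON produced by `terraform show -json <planfile>` and reports every role_name claimed by more than one opensearch_roles_mapping resource, including resources in child modules. The sample plan, resource names and the backend_roles values are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "opensearch_roles_mapping.admins", "type": "opensearch_roles_mapping",
     "values": {"role_name": "all_access", "backend_roles": ["ops"]}},
    {"address": "opensearch_roles_mapping.readers", "type": "opensearch_roles_mapping",
     "values": {"role_name": "readall", "backend_roles": ["analysts"]}},
    {"address": "opensearch_role.custom", "type": "opensearch_role",
     "values": {"role_name": "all_access"}}
  ],
  "child_modules": [{"address": "module.team_a", "resources": [
    {"address": "module.team_a.opensearch_roles_mapping.admins",
     "type": "opensearch_roles_mapping",
     "values": {"role_name": "all_access", "backend_roles": ["team-a"]}}
  ]}]
}}}
""")


def iter_resources(module):
    """Yield resources from a module and, recursively, from its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)


def duplicate_role_mappings(plan):
    """Return {role_name: [addresses]} for roles with more than one mapping resource."""
    by_role = defaultdict(list)
    root = plan.get("planned_values", {}).get("root_module", {})
    for res in iter_resources(root):
        if res.get("type") != "opensearch_roles_mapping":
            continue
        role = (res.get("values") or {}).get("role_name")
        if role is None:  # not known until apply, so it cannot be checked here
            continue
        by_role[role].append(res["address"])
    return {role: sorted(addrs) for role, addrs in by_role.items() if len(addrs) > 1}


if __name__ == "__main__":
    for role, addrs in duplicate_role_mappings(SAMPLE_PLAN).items():
        print(f"role {role!r} is mapped by {len(addrs)} resources: {', '.join(addrs)}")
```

Running it in CI against the plan file lets the pipeline fail before an apply overwrites or deletes the live mapping for a shared role.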