opensearch-project / terraform-provider-opensearch

https://registry.terraform.io/providers/opensearch-project/opensearch
Apache License 2.0

[BUG] Adding more than one opensearch_roles_mapping per role will cause inconsistency #66

Open strobeti opened 1 year ago

strobeti commented 1 year ago

What is the bug?

Adding more than one opensearch_roles_mapping per role will cause inconsistency between the terraform state and the actual mapping in OpenSearch.

OpenSearch's REST API provides an endpoint for role mapping using the role name as identifier: _plugins/_security/api/rolesmapping/<role> (see the OpenSearch documentation).

Multiple opensearch_roles_mappings for the same role will result in multiple calls to this REST API, overwriting or deleting existing role mappings.

How can one reproduce the bug?

Add role:

resource "opensearch_roles_mapping" "a" {
  role_name = "a_role"
  # ...
}

resource "opensearch_roles_mapping" "b" {
  role_name = "a_role"
  # ...
}

Remove one of these roles:

resource "opensearch_roles_mapping" "a" {
  role_name = "a_role"
  # ...
}

What is the expected behavior?

What is your host/environment?

zelinh commented 1 year ago

[Triage] Could you help look into this? Thanks! @prudhvigodithi @phillbaker

drew-altana commented 10 months ago

Other AWS resource providers tend to have two resources for additive versus complete set resources: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_group_membership vs https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/iam_user_group_membership. I'd expect opensearch_roles_mapping could remain as is, but add something like opensearch_user_roles_mapping in addition that has the additive behavior. Though honestly the latter is usually all I use.

cameronattard commented 9 months ago

At the very least I think this behaviour should be documented. Very easy to lock yourself out of a cluster without knowing.
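
A pre-apply check for the collision described in this issue, as an added example (not code from the provider or from any commenter): it reads `terraform show -json` plan output, reports roles claimed by more than one opensearch_roles_mapping resource, and models the per-role endpoint to show which mapping survives. The sample plan, the function names and the apply order used in the model are assumptions.

```python
import json
from collections import defaultdict

# Constructed sample, shaped like `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.loads("""
{"planned_values": {"root_module": {
  "resources": [
    {"address": "opensearch_roles_mapping.a", "type": "opensearch_roles_mapping",
     "values": {"role_name": "a_role", "users": ["alice"]}},
    {"address": "opensearch_roles_mapping.b", "type": "opensearch_roles_mapping",
     "values": {"role_name": "a_role", "users": ["bob"]}},
    {"address": "opensearch_roles_mapping.ro", "type": "opensearch_roles_mapping",
     "values": {"role_name": "readall", "users": ["carol"]}}],
  "child_modules": [{"address": "module.team", "resources": [
    {"address": "module.team.opensearch_roles_mapping.m", "type": "opensearch_roles_mapping",
     "values": {"role_name": "readall", "backend_roles": ["team"]}}]}]}}}
""")

def mappings(plan):
    """Yield (address, values) for every opensearch_roles_mapping, including child modules."""
    stack = [plan.get("planned_values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        stack.extend(module.get("child_modules", []))
        for res in module.get("resources", []):
            if res.get("type") == "opensearch_roles_mapping":
                yield res["address"], res.get("values") or {}

def duplicate_role_mappings(plan):
    """Return {role_name: [resource addresses]} for roles claimed more than once."""
    claims = defaultdict(list)
    for address, values in mappings(plan):
        role = values.get("role_name")
        if role is not None:  # None: value only known after apply, cannot be checked
            claims[role].append(address)
    return {role: sorted(a) for role, a in claims.items() if len(a) > 1}

def cluster_after(plan, destroyed=()):
    """Simplified model of rolesmapping/<role>: a create replaces the role's
    whole mapping, a destroy deletes it, whichever resource issued the call."""
    resources = dict(mappings(plan))
    state = {}
    for address in sorted(resources):  # assumed order; Terraform guarantees none
        values = dict(resources[address])
        state[values.pop("role_name")] = values
    for address in destroyed:
        state.pop(resources[address]["role_name"], None)
    return state
```

Run against a real plan with `terraform show -json plan.out` piped into `json.load`, and fail the pipeline when `duplicate_role_mappings` returns a non-empty result.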