opentelekomcloud / terraform-provider-opentelekomcloud

Terraform OpenTelekomCloud provider
https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest
Mozilla Public License 2.0

opentelekomcloud_identity_user_v3: error sending a welcome email: Action Forbidden code": 403,"message": "userId is invalid" #2484

Open shaderecker opened 5 months ago

shaderecker commented 5 months ago

Terraform provider version

Terraform v1.8.0
on linux_amd64
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.36.5

Affected Resource(s)

opentelekomcloud_identity_user_v3

Terraform Configuration Files

resource "opentelekomcloud_identity_user_v3" "user" {
  name               = "test_1"
  description        = "test_1"
  email              = "myemail+test1@gmail.com"
  pwd_reset          = false
  send_welcome_email = true
}

resource "opentelekomcloud_identity_project_v3" "project" {
  name        = "eu-nl_test_1"
  description = "Project Test1"
}

resource "opentelekomcloud_identity_group_v3" "group" {
  name        = "test1"
  description = "group test1"
}

resource "opentelekomcloud_identity_group_membership_v3" "membership" {
  group = opentelekomcloud_identity_group_v3.group.id
  users = [opentelekomcloud_identity_user_v3.user.id]
}

resource "opentelekomcloud_identity_role_assignment_v3" "role_assignment_test" {
  group_id   = opentelekomcloud_identity_group_v3.group.id
  project_id = opentelekomcloud_identity_project_v3.project.id
  role_id    = opentelekomcloud_identity_role_v3.role.id
}

data "opentelekomcloud_identity_role_v3" "ddos_adm" {
  name = "ddos_adm"
}

data "opentelekomcloud_identity_role_v3" "as_adm" {
  name = "as_adm"
}

data "opentelekomcloud_identity_role_v3" "tms_adm" {
  name = "tms_adm"
}

data "opentelekomcloud_identity_projects_v3" "all_projects" {
}

resource "opentelekomcloud_identity_role_assignment_v3" "role_assignment_ddos_adm" {
  group_id   = opentelekomcloud_identity_group_v3.group.id
  project_id = opentelekomcloud_identity_project_v3.project.id
  role_id    = data.opentelekomcloud_identity_role_v3.ddos_adm.id
}

resource "opentelekomcloud_identity_role_assignment_v3" "role_assignment_as_adm" {
  group_id   = opentelekomcloud_identity_group_v3.group.id
  project_id = opentelekomcloud_identity_project_v3.project.id
  role_id    = data.opentelekomcloud_identity_role_v3.as_adm.id
}

resource "opentelekomcloud_identity_role_assignment_v3" "role_assignment_tms_adm" {
  group_id  = opentelekomcloud_identity_group_v3.group.id
  domain_id = data.opentelekomcloud_identity_projects_v3.all_projects.id
  role_id   = data.opentelekomcloud_identity_role_v3.tms_adm.id
}

resource "opentelekomcloud_identity_role_v3" "role" {
  display_name  = "Test_Policy"
  description   = "Test policy description"
  display_layer = "project"

  statement {
    effect = "Allow"
    action = [
      "ecs:*:*",
      "evs:*:*",
      "vpc:*:delete",
      "vpc:*:get",
      "vpc:*:list",
      "vpc:networks:*",
      "vpc:subnets:*",
      "vpc:ports:*",
      "vpc:routers:*",
      "vpc:routeTables:*",
      "vpc:routes:*",
      "vpc:securityGroups:*",
      "vpc:securityGroupRules:*",
      "vpc:floatingIps:*",
      "vpc:publicIps:*",
      "vpc:bandwidths:*",
      "vpc:peerings:*",
      "vpc:vpcTags:*",
      "vpc:subnetTags:*",
      "vpc:publicipTags:*",
      "ims:*:*",
      "ces:*:*"
    ]
  }
}

Debug Output/Panic Output

│ Error: error sending a welcome email: Action Forbidden, error message: {"error": {"code": 403,"message": "userId is invalid","title": "Forbidden"}}
│
│   with opentelekomcloud_identity_user_v3.user,
│   on main.tf line 1, in resource "opentelekomcloud_identity_user_v3" "user":
│    1: resource "opentelekomcloud_identity_user_v3" "user" {
│
╵

https://gist.github.com/shaderecker/39a10b0d236c99a55df34fabee948492

Steps to Reproduce

  1. terraform apply

Expected Behavior

Actual Behavior

error during user creation, fails at "error sending a welcome email:"

Important Factoids

I did not change anything on my side since the last run. The last time I ran my terraform code was on 04.04.24 and this was working back then. The user has the same IAM permissions as before (admin), nothing changed there.

References

artem-lifshits commented 5 months ago

Hello @shaderecker I wasn't able to reproduce the issue. opentelekomcloud_identity_user_v3 wasn't changed from provider side in a while.

shaderecker commented 5 months ago

Hmm, I can reproduce it just now. With the provided TF configuration files. Any ideas what we can do / debug further?

artem-lifshits commented 5 months ago

Maybe something was changed from API side regarding newly created projects. Can you try running the same config on an existing one?

shaderecker commented 5 months ago

I now set the project_id to the id of the existing "eu-nl" project. Then the TF apply worked correctly. What is different for newly created projects?

artem-lifshits commented 5 months ago

There shouldn't be any and as you mentioned it worked fine before. That's why my guess is that something was changed on cloud side, not provider.

shaderecker commented 5 months ago

Albeit, it seems I was just lucky. Now after a few retries, I am facing the issue also with the eu-nl project id: image

anton-sidelnikov commented 5 months ago

Hi @shaderecker please ask support if there are any restrictions for sending these emails. This is not a provider issue.

shaderecker commented 4 months ago

I wrote an email to the OTC support

shaderecker commented 2 weeks ago

In the meantime I tracked the requests with mitmproxy and analyzed it a bit:

request: 1

response: 2

detail: 3

It doesn't happen every time, but can be reproduced after 4-5 tries.
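
Added example, not part of the thread or of the provider's code: because the failure is intermittent, a small Python helper can pull the API error out of saved `terraform apply` output and tally outcomes across attempts, which turns "after 4-5 tries" into a failure rate that can be handed to support. The function names and sample logs are constructed for illustration; the error line format follows the debug output quoted in the issue.

```python
import json
import re
from collections import Counter

# Shape of the diagnostic quoted in the issue's debug output:
#   Error: <summary>, error message: {json body}
# search() is used so Terraform's box-drawing gutter ("│ ") before "Error:" is tolerated.
ERROR_RE = re.compile(r"Error: (?P<summary>.+?), error message: (?P<body>\{.*\})\s*$")


def parse_api_error(log_text):
    """Return (summary, code, message) for the first API error in a log, or None."""
    for line in log_text.splitlines():
        m = ERROR_RE.search(line)
        if not m:
            continue
        try:
            err = json.loads(m.group("body"))["error"]
            return (m.group("summary"), err["code"], err["message"])
        except (ValueError, KeyError, TypeError):
            # An error line was found, but its body is not the expected JSON envelope.
            return (m.group("summary"), None, None)
    return None


def tally(logs):
    """Count outcomes over several apply attempts; keys are 'ok' or 'code: message'."""
    counts = Counter()
    for text in logs:
        err = parse_api_error(text)
        counts["ok" if err is None else f"{err[1]}: {err[2]}"] += 1
    return counts


# Constructed sample logs (not captured output), modelled on the error quoted in the issue.
FAILED = (
    '│ Error: error sending a welcome email: Action Forbidden, error message: '
    '{"error": {"code": 403,"message": "userId is invalid","title": "Forbidden"}}\n'
    "│\n"
    "│   with opentelekomcloud_identity_user_v3.user,\n"
)
OK = "Apply complete! Resources: 9 added, 0 changed, 0 destroyed.\n"

if __name__ == "__main__":
    print(tally([OK, OK, OK, FAILED, OK]))
```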