opentelekomcloud / terraform-provider-opentelekomcloud

Terraform OpenTelekomCloud provider
https://registry.terraform.io/providers/opentelekomcloud/opentelekomcloud/latest
Mozilla Public License 2.0

IAM users created with Terraform not able to be deleted #2569

Closed brunoagueda closed 2 months ago

brunoagueda commented 3 months ago

Terraform provider version

Terraform v1.8.3 on linux_amd64

Affected Resource(s)

opentelekomcloud_identity_user_v3

Terraform Configuration Files

    resource "opentelekomcloud_identity_user_v3" "users" {
      name        = "test_tf_user"
      description = "Testing user creation on TF"
      enabled     = true
    }

Steps to Reproduce

  1. terraform apply

Expected Behavior

The user created should be able to be deleted

Actual Behavior

It is not possible to delete the user

Important Factoids

We opened a support ticket on OTC Support for this issue, and they answered saying that the problem is due to the "xuser_type" that should be empty, but it is not. As a workaround, they recommended adding the xuser_type and xuser_id with empty values in the request. Is it possible to add these parameters to the Terraform module?

Support answer: "Alternatively however I would like to recommend integrating the recommended API to create users, which is "POST /v3.0/OS-USER/users".

Documentation: https://docs.sc.otc.t-systems.com/identity-access-management/api-ref/apis/user_management/creating_an_iam_user_recommended.html, which gives us a chance to have control over the problematic user attribute's unexpected value assignment.

For the user creation, the payload's mandatory attributes are "name" and "domain_id". I recommend sending the attribute "xuser_type" with an empty string ( ex.: "xuser_type": "" ) as value to get rid of this issue once and for all when new users are created at client side.

Fixing existing users is also possible on client side by invoking the recommended API to modify user information, which is "PUT /v3.0/OS-USER/users/{user_id}/info".

Documentation: https://docs.sc.otc.t-systems.com/identity-access-management/api-ref/apis/user_management/modifying_user_information_including_email_address_and_mobile_number_as_an_iam_user.html

Using the same logic as before, the "xuser_type" attribute of affected users has to be updated with an empty string to regain the ability to delete them using common users."

anton-sidelnikov commented 3 months ago

Hi @brunoagueda, did the support not tell you why these optional parameters are even being set now? The last changes in this module were 6 months ago, and we do not pass them in the request body:

    createOpts := users.CreateOpts{
        Name:          d.Get("name").(string),
        Description:   d.Get("description").(string),
        Email:         d.Get("email").(string),
        Phone:         d.Get("phone").(string),
        AreaCode:      d.Get("country_code").(string),
        AccessMode:    d.Get("access_type").(string),
        Enabled:       &enabled,
        PasswordReset: &reset,
        DomainID:      domainId,
    }

P.S.: opentelekomcloud_identity_user_v3 utilizes the API: /v3.0/OS-USER/users

Setting these parameters as empty is a workaround; I think the API needs to be fixed instead of this.

anton-sidelnikov commented 3 months ago

@brunoagueda I checked the tests; all passed in eu-de, but I see this error in the eu-ch2 region. It seems something is wrong with the API in this region, please ask support again for details. Interesting detail: a user created in eu-ch2 has an external identity ID parameter and it's empty:

image

After I clicked the delete button for this parameter, the user became deletable; this is an API bug for real.

brunoagueda commented 3 months ago

Hi @anton-sidelnikov, I'm still asking them for a solution for this bug. My request here would be for making the xuser_type and xuser_id parameters available on the module so I can set them with empty values, like this:

    resource "opentelekomcloud_identity_user_v3" "users" {
      name        = "test_tf_user"
      description = "Testing user creation on TF"
      enabled     = true
      xuser_type  = ""
      xuser_id    = ""
    }

I get that this is a workaround and the api should be fixed, but is it possible to implement it so we can fix the issue while the api is not fixed?
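Why an explicitly empty `xuser_type` needs care on the client side, as an added Go example (not the provider's or SDK's code; the struct and function names are hypothetical): with `encoding/json`, a plain string field tagged `omitempty` is dropped when it is `""`, so the empty value the support answer recommends only reaches the API if the field is a pointer.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical request struct: a plain string tagged omitempty is dropped
// from the JSON body when it is "", so the API never sees the empty value.
type omitEmptyUser struct {
	Name      string `json:"name"`
	DomainID  string `json:"domain_id"`
	XUserType string `json:"xuser_type,omitempty"`
	XUserID   string `json:"xuser_id,omitempty"`
}

// Hypothetical alternative: pointer fields separate "not set" (nil, omitted)
// from "set to empty" (pointer to "", serialized as "").
type explicitUser struct {
	Name      string  `json:"name"`
	DomainID  string  `json:"domain_id"`
	XUserType *string `json:"xuser_type,omitempty"`
	XUserID   *string `json:"xuser_id,omitempty"`
}

func mustJSON(v interface{}) string {
	b, err := json.Marshal(v)
	if err != nil {
		panic(err)
	}
	return string(b)
}

// encodeOmitEmpty serializes the user object with plain string fields.
func encodeOmitEmpty(name, domainID, xType, xID string) string {
	return mustJSON(omitEmptyUser{name, domainID, xType, xID})
}

// encodeExplicit serializes the user object with pointer fields.
func encodeExplicit(name, domainID string, xType, xID *string) string {
	return mustJSON(explicitUser{name, domainID, xType, xID})
}

func main() {
	empty := ""
	// "constructed-domain-id" is a constructed sample value.
	fmt.Println(encodeOmitEmpty("test_tf_user", "constructed-domain-id", "", ""))
	fmt.Println(encodeExplicit("test_tf_user", "constructed-domain-id", &empty, &empty))
}
```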

anton-sidelnikov commented 3 months ago

@brunoagueda I will check; if it fixes the issue then I will add it in tf.

artem-lifshits commented 2 months ago

Hello @brunoagueda, please check the latest release.

brunoagueda commented 2 months ago

Hi. I tested the latest release and even if I set the xuser_type and xuser_id parameters as null, the problem persists and I'm not able to delete the created user. My code looks like this:

    resource "opentelekomcloud_identity_user_v3" "users" {
      name        = "test_tf_user"
      description = "Testing user creation on TF"
      enabled     = true
      xuser_type  = null
      xuser_id    = null
    }

brunoagueda commented 2 months ago

Sorry, you can disregard my last comment. The user deletion option is grayed out on the console, but deleting with terraform destroy works. This is good enough for us right now, while we wait for a definitive fix on the API for the Swiss region. Thanks a lot!