rancher / terraform-provider-rancher2

Terraform Rancher2 provider
https://www.terraform.io/docs/providers/rancher2/
Mozilla Public License 2.0

[BUG] Cannot bind AD users using project & cluster template bindings #1133

Open moshiaiz opened 1 year ago

moshiaiz commented 1 year ago

Rancher Server Setup

Provider Information

Describe the bug

This might be related to Rancher issue #36539

When trying to bind an AD user to a cluster or a project using rancher2_project_role_template_binding or rancher2_cluster_role_template_binding resources - it fails.

Example of a failed block:

resource "rancher2_project_role_template_binding" "rb-test-user" {
  name              = "rb-test-user"
  project_id        = data.rancher2_project.default.id
  role_template_id  = "workloads-view"
  user_principal_id = "activedirectory_user://CN=SOMEUSER,OU=Users,DC=domain,DC=com"
}

It generates error:

module.rke2_cluster["nh-debug-cluster"].rancher2_project_role_template_binding.rb-test: Creating...
╷
│ Error: Bad response statusCode [500]. Status [500 Internal Server Error]. Body: [baseType=error, code=ServerError, message=users.management.cattle.io "CN=SOMEUSER,OU=Users,DC=domain,DC=com" not found] from [https://rancher.mydomain.com/v3/projectroletemplatebindings]
│
│   with module.rke2_cluster["nh-debug-cluster"].rancher2_project_role_template_binding.rb-test,
│   on modules/rke2_cluster/main.tf line 1, in resource "rancher2_project_role_template_binding" "rb-test":
│    1: resource "rancher2_project_role_template_binding" "rb-test" {

But, when trying to bind an AD group to a cluster or a project, using this block:

resource "rancher2_project_role_template_binding" "rb-test-group" {
  name               = "rb-test-group"
  project_id         = data.rancher2_project.default.id
  role_template_id   = "workloads-view"
  group_principal_id = "activedirectory_group://CN=SOMEGROUP,DC=domain,DC=com"
}
It works!

So somehow, you can bind AD groups and NOT AD users. PS: This happens only when the rancher2 TF provider is authenticated to Rancher as the local admin user. When using an AD user, it works.
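The 500 above says Rancher could not find a users.management.cattle.io object for the principal named in user_principal_id. A practitioner hitting this would want to check, before running the apply, whether Rancher already holds a User object for that principal and, if it does, bind by the Rancher user id instead. The script below is an added example, not code from the rancher2 provider or from the issue author. It assumes (not stated on this page) that GET /v3/users on the Rancher server returns a JSON collection whose items carry "id" and a "principalIds" list, and that a projectRoleTemplateBinding may name its subject by "userId" as well as by "userPrincipalId". The user listing is a constructed sample so the script runs offline.

```python
"""Pre-check for the "users.management.cattle.io ... not found" failure.

Added example (not provider or issue-author code). Assumptions, not taken
from the page: /v3/users items have "id" and "principalIds"; a binding body
may use "userId" instead of "userPrincipalId".
"""
import json
from typing import Optional

# Constructed sample of a /v3/users listing (not real data). The local admin
# has only a local principal; one AD user who has already logged in has a
# User object whose principalIds include the activedirectory_user principal.
SAMPLE_USERS_JSON = json.dumps({
    "type": "collection",
    "data": [
        {"id": "user-abcde", "username": "admin",
         "principalIds": ["local://user-abcde"]},
        {"id": "u-k7lp3", "username": None,
         "principalIds": [
             "local://u-k7lp3",
             "activedirectory_user://CN=LOGGEDIN,OU=Users,DC=domain,DC=com"]},
    ],
})


def is_user_principal(principal_id: str) -> bool:
    """True for principal ids of the form <provider>_user://..., e.g.
    activedirectory_user://CN=..., azuread_user://<guid>."""
    scheme, sep, _rest = principal_id.partition("://")
    return sep == "://" and scheme.endswith("_user")


def find_user_id(users_json: str, principal_id: str) -> Optional[str]:
    """Return the Rancher user id whose principalIds contains principal_id,
    or None when no User object exists for that principal (the condition
    that produces the 500 shown in the issue)."""
    users = json.loads(users_json).get("data", [])
    for user in users:
        if principal_id in user.get("principalIds", []):
            return user["id"]
    return None


def plan_user_binding(users_json: str, project_id: str,
                      role_template_id: str, principal_id: str) -> dict:
    """Build a projectRoleTemplateBinding body that references the existing
    Rancher user by id. Raises LookupError instead of emitting a body that
    Rancher would reject, so the caller can fall back to a group binding or
    have the user log in once first."""
    if not is_user_principal(principal_id):
        raise ValueError(f"not a user principal id: {principal_id}")
    user_id = find_user_id(users_json, principal_id)
    if user_id is None:
        raise LookupError(
            f"no Rancher User object holds principal {principal_id}; "
            "binding by userPrincipalId would fail with 'not found'")
    return {
        "type": "projectRoleTemplateBinding",
        "projectId": project_id,
        "roleTemplateId": role_template_id,
        "userId": user_id,  # bind by Rancher user id, not by principal
    }


if __name__ == "__main__":
    known = "activedirectory_user://CN=LOGGEDIN,OU=Users,DC=domain,DC=com"
    unknown = "activedirectory_user://CN=SOMEUSER,OU=Users,DC=domain,DC=com"
    print(plan_user_binding(SAMPLE_USERS_JSON, "c-xxxxx:p-yyyyy",
                            "workloads-view", known))
    try:
        plan_user_binding(SAMPLE_USERS_JSON, "c-xxxxx:p-yyyyy",
                          "workloads-view", unknown)
    except LookupError as exc:
        print("would fail:", exc)
```

Against a live server the users_json argument would be the body of GET /v3/users fetched with the same token Terraform uses; the check is deliberately the same lookup Rancher performs on the server side, so a None result reproduces the failure before any binding is created.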

julienym commented 1 year ago

Same on 2.7.5 and azuread auth provider!

njk187 commented 11 months ago

Still an issue on 2.7.9:

Error: Bad response statusCode [500]. Status [500 Internal Server Error]. Body: [baseType=error, code=ServerError, message=users.management.cattle.io "af95d834-ff31-43f1-b55e-31b1d4b6626b" not found] from [https://rancher.dev-k8s.sherwin.com/v3/projectroletemplatebindings]