[BUG] rancher2_auth_config_activedirector: refusing to set principal on user that is already bound to another user

[papanito]

Rancher Server Setup

• Rancher version: 2.7.6
• Installation option (Docker install/Helm Chart):
  • If Helm Chart, Kubernetes Cluster and version (RKE1, RKE2, k3s, EKS, etc): RKE1
• Proxy/Cert Details:

Information about the Cluster

• Kubernetes version: 1.26.8
• Cluster Type (Local/Downstream): Imported
  • If downstream, what type of cluster? (Custom/Imported or specify provider for Hosted/Infrastructure Provider):

    I manually configure the AD using a specific test user. This works fine. When I want to do the same setup using the rancher2 provider I get

    refusing to set principal on user that is already bound to another user

    To Reproduce

    This is my config

    resource "rancher2_auth_config_activedirectory" "activedirectory" {
      servers                  = ["mycompany.intra"]
      service_account_username = data.sops_file.secrets.data["service_account_username"]
      service_account_password = data.sops_file.secrets.data["service_account_password"]
      user_search_base         = "DC=mycompany,DC=intra"
      default_login_domain     = "mycompany"
      port                     = 636
      tls                      = true
      connection_timeout       = 5000
      access_mode              = "restricted"
      allowed_principal_ids = [
        "activedirectory_user://CN=AD_ACCESS,...",
        "activedirectory_user://CN=AD_TEST,...."
      ]
      ....
      test_username                   = data.sops_file.secrets.data["test_account_username"]
      test_password                   = data.sops_file.secrets.data["test_account_password"]
      certificate                     = data.sops_file.certificate.raw
    }
    
    data "sops_file" "secrets" {
      source_file = "./secrets/secrets.enc.json"
    }
    
    data "sops_file" "certificate" {
      source_file = "./secrets/certificate.enc.pem"
      input_type  = "raw"
    }

    Actual Result

    AD config is not applied and the following error is thrown

    refusing to set principal on user that is already bound to another user

    Expected Result

    AD config is applied

    Screenshots

    N/A

    Additional context

    Username and passwords are encrypted using sops, so the un-encrypted version of ./secrets/secrets.enc.json is something like

    {
      "service_account_username": "AD_ACCESS",
      "service_account_password": "xxxxxx",
      "test_account_username": "AD_TEST",
      "test_account_password": "yyyyyy"
    }
    

[papanito]

Apparently you should not use the same user for manual testing and for the terraform plan. Based on the AD docu

The AD user pertaining to the credentials entered in this step will be mapped to the local principal account and assigned administrator privileges in Rancher.

Hence, while I do a test with a different user (myself) for the AD config in the UI, I then can apply the changes with the desired user in terraform.

You also can check with

kubectl get userattributes.management.cattle.io -ocustom-columns='NAME:.metadata.name,GENERATION:.metadata.generation,LASTREFRESH:.LastRefresh,EXTRABYPROVIDER:.ExtraByProvider'