rubrikinc / terraform-provider-polaris

Terraform provider for the Polaris platform
MIT License

Removing accounts with S3 enabled fails. #128

Open DamaniN opened 4 months ago

DamaniN commented 4 months ago

Expected Behavior

Running terraform destroy -auto-approve -var-file ./variables.tfvars will remove an AWS account from RSC.

Current Behavior

Running terraform destroy -auto-approve -var-file ./variables.tfvars results in the following error:

│ Error: failed to delete account: failed to request bulkDeleteAwsCloudAccountWithoutCft: graphql response body is an error (status code 200): FAILED_PRECONDITION: Feature CLOUD_NATIVE_S3_PROTECTION with status CONNECTED is not valid for deletion. (code: 400, traceId: AWgABR5CM1FD7P6vhgh6ag==)

Looking in RSC shows that S3 protection is still enabled. I suspect that the provider is not disabling protection on the S3 account before attempting to delete it.

Provider version is beta.15

polaris_aws_cnp_account block is:

resource "polaris_aws_cnp_account" "account" {
  cloud                       = data.polaris_aws_cnp_artifacts.artifacts.cloud
  external_id                 = var.aws_external_id
  delete_snapshots_on_destroy = var.rsc_aws_delete_snapshots_on_destroy
  name                        = var.aws_account_name
  native_id                   = var.aws_account_id
  regions                     = var.aws_regions
  dynamic "feature" {
    for_each = var.rsc_aws_features
    content {
      name              = feature.value["name"]
      permission_groups = feature.value["permission_groups"]
    }
  }
}

var.rsc_aws_features is:

rsc_aws_features = [
  {
    name              = "CLOUD_NATIVE_PROTECTION",
    permission_groups = []
  },
  {
    name              = "RDS_PROTECTION",
    permission_groups = []
  },
  {
    name              = "CLOUD_NATIVE_S3_PROTECTION",
    permission_groups = []
  },
  {
    name              = "EXOCOMPUTE",
    permission_groups = []
  },
  {
    name              = "CLOUD_NATIVE_ARCHIVAL",
    permission_groups = []
  }
]
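The error quoted in the report carries several structured fields (the GraphQL operation, the HTTP status versus the FAILED_PRECONDITION status in the body, the blocking feature and its state, and the traceId that support would ask for). The parser below is an added example for pulling those fields out of `terraform destroy` output so a CI job can fail with a precise reason instead of a raw wall of text; it is not code from the issue or from the provider. The sample error string is copied from the report, the feature-status table is constructed to mirror `var.rsc_aws_features`, and the rule "a feature in status CONNECTED blocks deletion" is taken only from the wording of the error message, not from knowledge of RSC internals.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Sample input: the error line quoted in the issue (traceId copied from the page).
SAMPLE_ERROR = (
    "Error: failed to delete account: failed to request bulkDeleteAwsCloudAccountWithoutCft: "
    "graphql response body is an error (status code 200): FAILED_PRECONDITION: "
    "Feature CLOUD_NATIVE_S3_PROTECTION with status CONNECTED is not valid for deletion. "
    "(code: 400, traceId: AWgABR5CM1FD7P6vhgh6ag==)"
)

# Outer envelope: operation name, HTTP status, gRPC-style status, free-text message,
# then the trailing "(code: N, traceId: ...)" block. traceId is base64, so allow '+', '/' and '='.
ERROR_RE = re.compile(
    r"failed to request (?P<operation>\w+): "
    r"graphql response body is an error \(status code (?P<http_status>\d+)\): "
    r"(?P<status>[A-Z_]+): (?P<message>.*?) "
    r"\(code: (?P<code>\d+), traceId: (?P<trace_id>[A-Za-z0-9+/=]+)\)"
)

# Inner message shape seen on the page for a feature that blocks account deletion.
FEATURE_RE = re.compile(
    r"Feature (?P<feature>[A-Z0-9_]+) with status (?P<feature_status>[A-Z_]+) "
    r"is not valid for deletion"
)


@dataclass
class RscGraphqlError:
    operation: str
    http_status: int      # transport-level status; 200 here even though the call failed
    status: str           # status carried in the GraphQL body, e.g. FAILED_PRECONDITION
    message: str
    code: int             # application code from the trailing block, e.g. 400
    trace_id: str
    feature: Optional[str] = None
    feature_status: Optional[str] = None


def parse_rsc_error(line: str) -> Optional[RscGraphqlError]:
    """Parse one provider error line; return None if it is not an RSC GraphQL error."""
    m = ERROR_RE.search(line)
    if not m:
        return None
    err = RscGraphqlError(
        operation=m["operation"],
        http_status=int(m["http_status"]),
        status=m["status"],
        message=m["message"],
        code=int(m["code"]),
        trace_id=m["trace_id"],
    )
    fm = FEATURE_RE.search(err.message)
    if fm:
        err.feature = fm["feature"]
        err.feature_status = fm["feature_status"]
    return err


def is_feature_precondition_failure(err: Optional[RscGraphqlError]) -> bool:
    """True when deletion was refused because a named feature is still active."""
    return err is not None and err.status == "FAILED_PRECONDITION" and err.feature is not None


# Constructed statuses for the features configured in var.rsc_aws_features; only the S3
# feature is left CONNECTED to reproduce the situation described in the report.
SAMPLE_FEATURE_STATUS: Dict[str, str] = {
    "CLOUD_NATIVE_PROTECTION": "DISABLED",
    "RDS_PROTECTION": "DISABLED",
    "CLOUD_NATIVE_S3_PROTECTION": "CONNECTED",
    "EXOCOMPUTE": "DISABLED",
    "CLOUD_NATIVE_ARCHIVAL": "DISABLED",
}


def features_blocking_deletion(statuses: Dict[str, str]) -> List[str]:
    """Features that must be disabled before the account delete can succeed.

    Assumption: CONNECTED is the blocking state, as the error text on the page states.
    """
    return sorted(name for name, status in statuses.items() if status == "CONNECTED")


if __name__ == "__main__":
    err = parse_rsc_error(SAMPLE_ERROR)
    if is_feature_precondition_failure(err):
        print(f"{err.operation} refused: {err.feature} is {err.feature_status} "
              f"(traceId {err.trace_id}); disable it first")
    print("blocking:", features_blocking_deletion(SAMPLE_FEATURE_STATUS))
```

Running the block against the sample prints the operation, the blocking feature and the traceId on one line, which is what you want to surface in a pipeline log before anyone opens the RSC console to confirm what the reporter saw.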