rubrikinc / terraform-provider-polaris

Terraform provider for the Polaris platform
MIT License

Provider doesn't detect when the tenant domain has been deleted from RSC. #85

Open DamaniN opened 9 months ago

DamaniN commented 9 months ago

Expected Behavior

Using the Azure CNP integration, an update of polaris_azure_service_principal should detect if the Azure AD tenant still exists in RSC.

Current Behavior

I destroyed a Terraform script that removed the polaris_azure_subscription resource. This resource was linked to the last subscription in the tenant. This action also causes RSC to delete the last tenant. I then went to add the subscription back again by running a plan on the same resource. This resulted in the following error:

│ Error: failed to add subscription: failed to request addAzureCloudAccountWithoutOauth: graphql response body is an error (status code 200): NOT_FOUND: Failed to get service principal in the tenant. Azure may take some time to sync service principal. Please try after a minute (Azure error: [Unknown] Unknown service error) (code: 404, traceId: FWaZk7YsxjaRDF5NlWWsAw==)
│ 
│   with polaris_azure_subscription.polaris,
│   on main.tf line 84, in resource "polaris_azure_subscription" "polaris":
│   84: resource "polaris_azure_subscription" "polaris" {

I looked in RSC and noticed that the tenant domain was not there anymore. I then re-ran my TF script that creates the tenant domain in RSC via the polaris_azure_service_principal resource. Re-running the existing TF configuration resulted in the following message:

polaris_azure_service_principal.polaris: Refreshing state... [id=907a1235-8fb2-4670-943d-c478af52734f]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.

This action should have resulted in TF finding that the tenant domain no longer existed and therefore putting it back. I was able to prove/workaround this by tainting the polaris_azure_service_principal.polaris resource and re-running the apply operation.

Failure Information (for bugs)

See text above

Steps to Reproduce

  1. Create an SP for a new Azure tenant domain with the polaris_azure_service_principal resource.
  2. Add a subscription to the tenant domain with the polaris_azure_subscription resource.
  3. Delete the subscription from RSC by destroying the polaris_azure_subscription resource, but do not destroy the polaris_azure_service_principal resource.
  4. Try to add the subscription back again by re-creating the same polaris_azure_subscription resource.

Context

Failure Logs

See above.
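The behaviour the report asks for is the standard Terraform SDK drift-detection pattern: the resource's Read step queries the backend and, when the remote object is gone, clears the resource ID so the next plan proposes re-creating it instead of reporting "No changes". The Go program below is an added, self-contained illustration of that pattern and is not code from terraform-provider-polaris or the Polaris Go SDK. It assumes a generic GraphQL envelope with an `extensions.code` of `NOT_FOUND` (the issue only shows the rendered message), an assumed result shape for the `azureCloudAccountTenant` query mentioned later in the thread, a minimal stand-in for the SDK's ResourceData, and two constructed RSC responses keyed by hypothetical resource IDs.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
)

// ErrTenantNotFound means RSC no longer knows the tenant; Read maps it to
// "remove from state" rather than to a hard error.
var ErrTenantNotFound = errors.New("tenant not found in RSC")

// gqlEnvelope is the generic GraphQL response: "data" plus optional "errors".
// The extensions.code field is an assumption about how RSC reports NOT_FOUND.
type gqlEnvelope struct {
	Data   json.RawMessage `json:"data"`
	Errors []struct {
		Message    string `json:"message"`
		Extensions struct {
			Code string `json:"code"`
		} `json:"extensions"`
	} `json:"errors"`
}

// tenantPayload is an assumed result shape for azureCloudAccountTenant.
type tenantPayload struct {
	Tenant struct {
		TenantDomain string `json:"tenantDomain"`
	} `json:"azureCloudAccountTenant"`
}

// parseTenantResponse separates "the tenant is gone" from every other failure.
func parseTenantResponse(body []byte) (tenantPayload, error) {
	var env gqlEnvelope
	var out tenantPayload
	if err := json.Unmarshal(body, &env); err != nil {
		return out, fmt.Errorf("decode graphql body: %w", err)
	}
	for _, e := range env.Errors {
		if e.Extensions.Code == "NOT_FOUND" {
			return out, ErrTenantNotFound
		}
	}
	if len(env.Errors) > 0 {
		// Auth, throttling or server errors must NOT be treated as "gone":
		// that would silently drop a live resource from state.
		return out, fmt.Errorf("graphql error: %s", env.Errors[0].Message)
	}
	if len(env.Data) == 0 {
		return out, errors.New("graphql response has neither data nor errors")
	}
	if err := json.Unmarshal(env.Data, &out); err != nil {
		return out, fmt.Errorf("decode tenant data: %w", err)
	}
	return out, nil
}

// resourceState is the tiny subset of the SDK's ResourceData this Read uses.
type resourceState struct {
	id    string
	attrs map[string]string
}

func newResourceState(id string) *resourceState {
	return &resourceState{id: id, attrs: map[string]string{}}
}
func (s *resourceState) Id() string          { return s.id }
func (s *resourceState) SetId(id string)     { s.id = id }
func (s *resourceState) Set(k, v string)     { s.attrs[k] = v }
func (s *resourceState) Get(k string) string { return s.attrs[k] }

// tenantLookup stands in for the provider's RSC client call.
type tenantLookup func(servicePrincipalID string) ([]byte, error)

// readServicePrincipal is the Read step with drift detection: a NOT_FOUND
// answer clears the ID, which in the SDK means "gone, plan a create".
func readServicePrincipal(s *resourceState, lookup tenantLookup) error {
	body, err := lookup(s.Id())
	if err != nil {
		return err
	}
	t, err := parseTenantResponse(body)
	if errors.Is(err, ErrTenantNotFound) {
		s.SetId("")
		return nil
	}
	if err != nil {
		return err
	}
	s.Set("tenant_domain", t.Tenant.TenantDomain)
	return nil
}

// Constructed responses for two hypothetical resource IDs; the NOT_FOUND
// message mirrors the one quoted in the issue.
var constructedRSC = map[string]string{
	"sp-tenant-present": `{"data":{"azureCloudAccountTenant":{"tenantDomain":"example.onmicrosoft.com"}}}`,
	"sp-tenant-deleted": `{"data":null,"errors":[{"message":"NOT_FOUND: Failed to get service principal in the tenant.","extensions":{"code":"NOT_FOUND"}}]}`,
}

func fakeRSCLookup(id string) ([]byte, error) {
	body, ok := constructedRSC[id]
	if !ok {
		return nil, fmt.Errorf("no constructed response for %q", id)
	}
	return []byte(body), nil
}

func main() {
	for _, id := range []string{"sp-tenant-present", "sp-tenant-deleted"} {
		s := newResourceState(id)
		if err := readServicePrincipal(s, fakeRSCLookup); err != nil {
			fmt.Println(id, "error:", err)
			continue
		}
		fmt.Printf("%s -> id=%q tenant_domain=%q\n", id, s.Id(), s.Get("tenant_domain"))
	}
}
```

The important design point is the narrow match: only a NOT_FOUND answer clears the ID. Treating every GraphQL error as "gone" would make a transient auth or availability failure drop a live tenant from state, which is worse than the missed drift this issue describes.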

johan3141592 commented 3 months ago

This could be solved using the azureCloudAccountTenant GraphQL endpoint. We should probably add Tenant as a concept to the Go SDK, to be used in the TF provider.

johan3141592 commented 2 months ago

To fix this issue we need improvements to the GraphQL API. The issue has been raised with the engineering team.