sbercloud-terraform / terraform-provider-sbercloud

Terraform SberCloud Provider
https://registry.terraform.io/providers/sbercloud-terraform/sbercloud/latest/docs
Mozilla Public License 2.0

"Role Type AX Permissions Not Effective Until Manually Reattached in Cloud GUI" #240

Open qukly opened 1 year ago

qukly commented 1 year ago

Request from AmazMe project

Terraform Version

Terraform v1.1.3 on linux_amd64

Affected Resource(s)

Terraform Configuration Files

resource "sbercloud_identity_user" "User_OBS" {
  name        = "terraform_user-2"
  description = "A user"
  password    = var.user_password
  pwd_reset   = false
}

resource "sbercloud_identity_role" "role222" {
  name        = "role_by_tf-2"
  description = "created by terraform"
  type        = "AX"
  policy      = <<EOF
{
    "Version": "1.1",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:ListBucketVersions",
                "obs:object:GetObjectAcl",
                "obs:bucket:GetDirectColdAccessConfiguration",
                "obs:bucket:GetBucketLocation",
                "obs:bucket:GetBucketNotification",
                "obs:bucket:GetEncryptionConfiguration",
                "obs:bucket:GetBucketWebsite",
                "obs:bucket:GetBucketLogging",
                "obs:bucket:GetBucketTagging",
                "obs:bucket:GetLifecycleConfiguration",
                "obs:object:GetObjectVersionAcl",
                "obs:bucket:GetBucketCustomDomainConfiguration",
                "obs:bucket:GetBucketVersioning",
                "obs:bucket:GetBucketInventoryConfiguration",
                "obs:object:GetObjectVersion",
                "obs:object:GetObject",
                "obs:bucket:GetReplicationConfiguration",
                "obs:bucket:GetBucketPolicy",
                "obs:object:ListMultipartUploadParts",
                "obs:bucket:GetBucketQuota",
                "obs:bucket:GetBucketStoragePolicy",
                "obs:bucket:GetBucketAcl",
                "obs:bucket:GetBucketCORS",
                "obs:bucket:GetBucketStorage"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "obs:bucket:ListAllMyBuckets",
                "obs:bucket:ListBucketMultipartUploads",
                "obs:bucket:HeadBucket",
                "obs:bucket:ListBucket"
            ]
        }
    ]
}
EOF
}

resource "sbercloud_identity_group" "obs_users" {
  name        = "0bs-usergroup-name-2"
  description = "by terraform"
}

resource "sbercloud_identity_group_membership" "membership_1" {
  group = sbercloud_identity_group.obs_users.id
  users = [
    sbercloud_identity_user.User_OBS.id,
  ]
}

resource "sbercloud_identity_role_assignment" "role1" {
  role_id    = sbercloud_identity_role.role222.id
  group_id   = sbercloud_identity_group.obs_users.id
  domain_id  = var.domain_id
}

Debug Output

There is a terraform apply with debug mode. https://gist.github.com/qukly/4d0bdc40dd8cfd7c44bbce15af8d6823

Expected Behavior

Role, when applied to a group, should grant permissions to users in that group.

Actual Behavior

Role, when applied to a group, doesn't grant permissions to users in this group; meanwhile the cloud GUI shows that the role has been added to the group with the right JSON policy. Permissions don't work until the role is manually reattached to the group via the Cloud GUI. It happens for any AX role type with any JSON policy.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

pavel-trubitsyn commented 1 year ago

Hi, try this: enterprise_project_id = "0" instead of domain_id.

resource "sbercloud_identity_role_assignment" "rw" {
  role_id               = sbercloud_identity_role.rw.id
  group_id              = sbercloud_identity_group.rw.id
  enterprise_project_id = "0"
}

qukly commented 1 year ago

Hi, when I apply this block, the role isn't added to the group; the group stays without a role.

resource "sbercloud_identity_role_assignment" "rw" {
  role_id               = sbercloud_identity_role.rw.id
  group_id              = sbercloud_identity_group.rw.id
  enterprise_project_id = "0"
}

Ccaswell42 commented 11 months ago

For global services like OBS or IAM use project "MOS".

data "sbercloud_identity_projects" "test" {
  name = "MOS"
}

resource "sbercloud_identity_role_assignment" "rw" {
  role_id    = sbercloud_identity_role.rw.id
  group_id   = sbercloud_identity_group.rw.id
  project_id = data.sbercloud_identity_projects.test.projects[0].id
}

qukly commented 11 months ago

Hi @Ccaswell42!

Could you fill me in on what the "MOS" project is?

We don't seem to have it, and when I run this code in Terraform, nothing happens – 0 changes. The role assignment isn't showing up in the GUI, though I can see a new object in the Terraform state after apply.

Here is the state snippet:

resource "sbercloud_identity_role_assignment" "role1" {
  group_id   = "fake_id"
  id         = "fake_id"
  project_id = "fake_id"
  role_id    = "fake_id"
}

Ccaswell42 commented 11 months ago

The MOS project is the main project. As far as I know, everyone has it. When you run this code in Terraform, nothing is displayed in the UI console, but the roles are assigned to the users in the group.

To assign roles via terraform so that it is displayed in the UI console, you need to use 2 manifests: one with domain_id, the second with the MOS project. Then this will be displayed in the UI console, and if you need, you can delete roles through the console.

Removing roles through terraform only by domain_id will remove the display of roles from the UI console, but in reality the roles of users in the group will not be deleted.
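Added example (not from the issue or the provider's code): a Python check over `terraform show -json` output that flags `sbercloud_identity_role_assignment` resources whose role/group pair carries only a `domain_id` scope or only a `project_id` scope, the two half-configured states this thread describes (visible in the console but not effective, or effective but not visible). The state document is constructed with placeholder ids, and the checker assumes the standard `values.root_module` layout of `terraform show -json`.

```python
import json
from collections import defaultdict

# Constructed sample of `terraform show -json` output, reduced to the fields the
# check reads; every id here is a placeholder, not a real SberCloud identifier.
SAMPLE_STATE = json.dumps({"values": {"root_module": {"resources": [
    {"address": "sbercloud_identity_role_assignment.role1",
     "type": "sbercloud_identity_role_assignment",
     "values": {"role_id": "role-A", "group_id": "grp-obs",
                "domain_id": "dom-1", "project_id": None}},
    {"address": "sbercloud_identity_role_assignment.rw_domain",
     "type": "sbercloud_identity_role_assignment",
     "values": {"role_id": "role-B", "group_id": "grp-rw",
                "domain_id": "dom-1", "project_id": None}},
    {"address": "sbercloud_identity_role_assignment.rw_mos",
     "type": "sbercloud_identity_role_assignment",
     "values": {"role_id": "role-B", "group_id": "grp-rw",
                "domain_id": None, "project_id": "proj-mos"}},
]}}})

def iter_resources(module):
    """Yield every resource in a `terraform show -json` module tree, child modules included."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_half_assigned(state_json):
    """Return addresses of role assignments whose (role_id, group_id) pair is
    scoped only by domain_id or only by project_id, i.e. one of the two
    manifests the thread says are needed is missing."""
    scopes = defaultdict(lambda: {"domain": [], "project": []})
    for res in iter_resources(json.loads(state_json)["values"]["root_module"]):
        if res.get("type") != "sbercloud_identity_role_assignment":
            continue
        vals = res.get("values", {})
        key = (vals.get("role_id"), vals.get("group_id"))
        if vals.get("domain_id"):
            scopes[key]["domain"].append(res["address"])
        if vals.get("project_id"):
            scopes[key]["project"].append(res["address"])
    flagged = []
    for pair in scopes.values():
        if not pair["domain"] or not pair["project"]:
            flagged.extend(pair["domain"] + pair["project"])
    return sorted(flagged)

if __name__ == "__main__":
    for address in find_half_assigned(SAMPLE_STATE):
        print("assignment has only one scope:", address)
```

Run it against `terraform show -json | python check.py` style input in a CI step so a domain-only assignment is caught before anyone trusts what the console shows.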