vmware / terraform-provider-avi

Terraform AVI Networks provider
https://registry.terraform.io/providers/vmware/avi/
Mozilla Public License 2.0

Cannot use Role ako-tenant with access to Controller, Role, Tenant or User in non-admin tenant #584

Open vitality411 opened 8 months ago

vitality411 commented 8 months ago

Describe the bug

It is not possible to use the ako-tenant role with READ_ACCESS to resource PERMISSION_CONTROLLER for user creation:

    │ Error: Encountered an error on POST request to URL https://nsx-alb.tld.de/api/user: HTTP code: 400; error from Controller: map[error:Cannot use Role ako-tenant with access to Controller, Role, Tenant or User in non-admin tenant]

This is required by AKO:

    ako-0 ako 2024-03-01T10:23:20.483Z WARN lib/avi_api.go:65 msg: Unable to fetch data from uri /api/cluster Encountered an error on GET request to URL https://nsx-alb.tld.de/api/cluster: HTTP code: 403; error from Avi: map[error:User 'ako-test' is not authorized to read on resource System in tenant AKOTEST]

Reproduction steps

  1. Create ako-tenant role according to https://github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/blob/master/docs/roles/ako-tenant.json
  2. Try to create avi_user with individual tenants and role refs according to https://github.com/vmware/load-balancer-and-ingress-services-for-kubernetes/blob/master/docs/ako_tenancy.md

    resource "avi_user" "avi_user" {
      name = "ako-${var.tenant}"
      access {
        tenant_ref  = avi_tenant.tenant.id
        role_ref    = data.avi_role.ako_tenant.id
        all_tenants = false
      }
      access {
        tenant_ref  = data.avi_tenant.admin.id
        role_ref    = data.avi_role.ako_admin.id
        all_tenants = false
      }
      password           = "SuperSecretPassword!"
      default_tenant_ref = avi_tenant.tenant.id
    }

Expected behavior

It is possible to use the ako-tenant role with READ_ACCESS to resource PERMISSION_CONTROLLER.

Additional context

No response
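As an added example (not part of the issue or the provider), the check below reproduces the Controller rule quoted in the 400 error before a `terraform apply` is attempted: any role that grants access to the Controller, Role, Tenant or User resources may only be bound to a user in the admin tenant. The role definitions are constructed samples that stand in for ako-tenant.json and ako-admin.json, and the `PERMISSION_*` resource names and access types are assumed to match the AVI role schema.

```python
"""Pre-flight check for the "Cannot use Role ... in non-admin tenant" error."""

# Resources named in the Controller's 400 error text.
ADMIN_ONLY_RESOURCES = {
    "PERMISSION_CONTROLLER",
    "PERMISSION_ROLE",
    "PERMISSION_TENANT",
    "PERMISSION_USER",
}

# Constructed sample roles (not the real ako-tenant.json / ako-admin.json).
SAMPLE_ROLES = {
    "ako-tenant": [
        {"resource": "PERMISSION_VIRTUALSERVICE", "type": "WRITE_ACCESS"},
        {"resource": "PERMISSION_POOL", "type": "WRITE_ACCESS"},
        # READ on the Controller resource is what AKO needs for /api/cluster,
        # and also what makes this role admin-tenant-only.
        {"resource": "PERMISSION_CONTROLLER", "type": "READ_ACCESS"},
    ],
    "ako-admin": [
        {"resource": "PERMISSION_CONTROLLER", "type": "READ_ACCESS"},
        {"resource": "PERMISSION_CLOUD", "type": "READ_ACCESS"},
    ],
}


def admin_only_privileges(privileges):
    """Return the (resource, type) pairs that restrict a role to the admin tenant."""
    return [
        (p["resource"], p["type"])
        for p in privileges
        if p["resource"] in ADMIN_ONLY_RESOURCES and p["type"] != "NO_ACCESS"
    ]


def check_user_access(access, roles):
    """Mirror the Controller's rejection for each {tenant, role} access entry.

    Returns one message per entry the Controller would reject; an empty list
    means this particular 400 would not be hit (other checks may still apply).
    """
    problems = []
    for entry in access:
        tenant, role = entry["tenant"], entry["role"]
        offending = admin_only_privileges(roles[role])
        if tenant != "admin" and offending:
            granted = ", ".join(f"{r}={t}" for r, t in offending)
            problems.append(
                f"role {role!r} in tenant {tenant!r} grants {granted}; "
                "the Controller only accepts this role in the admin tenant"
            )
    return problems
```

Run against the access blocks from the issue's `avi_user` resource, only the ako-tenant binding in the non-admin tenant is flagged; the ako-admin binding in the admin tenant passes.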