[Bug] Temporal Cloud User with no namespace access #115

Open
DmytroRomantsovM opened this issue Aug 14, 2024 · 1 comment
Labels: bug (Something isn't working)

Comments

@DmytroRomantsovM

What are you really trying to do?

Create a Temporal Cloud User with no namespace access and read account access.

Describe the bug

Terraform returned the following error:

temporalcloud_user.user: Creating...

│ Error: Provider produced inconsistent result after apply

│ When applying changes to temporalcloud_user.user, provider
│ "provider["registry.terraform.io/temporalio/temporalcloud"]" produced an
│ unexpected new value: .namespace_accesses: was
│ cty.ListValEmpty(cty.Object(map[string]cty.Type{"namespace_id":cty.String,
│ "permission":cty.String})), but now null.

│ This is a bug in the provider, which should be reported in the provider's
│ own issue tracker.

Minimal Reproduction

  1. Create a Terraform deployment with one Temporal Cloud User.
     For example:
     resource "temporalcloud_user" "user" {
       account_access     = "read"
       email              = "[email protected]"
       namespace_accesses = []
     }
  2. Apply the changes.
  3. The error also appears during the destruction of the resource.

Environment/Versions

  • OS and processor: M2 Pro Mac
  • Temporal Version: Terraform provider: registry.terraform.io/temporalio/temporalcloud: 0.0.11
@DmytroRomantsovM DmytroRomantsovM added the bug Something isn't working label Aug 14, 2024
@DmytroRomantsovM DmytroRomantsovM changed the title [Bug] FILL_TITLE_HERE [Bug] Temporal Cloud User with no namespace access Aug 14, 2024
@swgillespie swgillespie self-assigned this Aug 14, 2024

DmytroRomantsovM commented Aug 15, 2024

Another approach is to specify all namespaces, which also gives an error:

Terraform plan:

 # temporalcloud_user.user["[email protected]"] will be created
  + resource "temporalcloud_user" "user" {
      + account_access     = "admin"
      + email              = "[email protected]"
      + id                 = (known after apply)
      + namespace_accesses = [
          + {
              + namespace_id = "qa-svc-eu01-temporal-hello-world.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "miro-poc.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "prod-eu01-teleport-access-automation.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "qa-svc-eu01-temporal-hello-world.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "staging-eu01-temporal-hello-world.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "staging-eu01-temporal-nexus-1.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "staging-eu01-temporal-nexus-2.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "temporal-pg-org-id-bf-production-eu.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "temporal-pg-org-id-bf-production-us.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "temporal-pg-org-id-bf-staging-eu.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "temporal-pg-repack-production-eu.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "temporal-pg-repack-production-us.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "temporal-pg-repack-qa-svc-eu.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "temporal-pg-repack-staging-au01.muvq0"
              + permission   = "admin"
            },
          + {
              + namespace_id = "temporal-pg-repack-staging-eu.muvq0"
              + permission   = "admin"
            },
        ]
      + state              = (known after apply)
    }

Terraform apply:

temporalcloud_user.user["[email protected]"]: Creating...
╷
│ Error: Failed to create user
│ 
│   with temporalcloud_user.user["[email protected]"],
│   on main.tf line 19, in resource "temporalcloud_user" "user":
│   19: resource "temporalcloud_user" "user" {
│ 
│ rpc error: code = InvalidArgument desc = may not be assigned an account
│ admin role along with namespace permissions (type: bad-request, retryable:
│ false)
╵

swgillespie added a commit that referenced this issue Sep 24, 2024
This PR addresses #119, #116, and #115 by decoupling the definition of user accesses from the user itself, via a new resource: `temporalcloud_user_namespace_access`. This resource is intended to provide a many-to-many mapping between namespaces and users. Under the hood, this resource is manipulating a single User object via the API (as the underlying data model stashes all namespaces accesses on the user object), while also preserving the invariant that adding or removing a single user from a single namespace won't obliterate the list of permissions that a user has.

I do intend to write some more tests but I wanted to get this out quickly for review for some fast feedback before I write a bunch of tests that exercise things that might change in review.
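The read-modify-write that the commit message describes, as an added Go model written for this page and not the provider's own code: the User and NamespaceAccess types, the grant and revoke functions and the admin check are assumptions that stand in for the real API, which is not shown here. It keeps every other namespace entry when one is added or removed, treats a repeated namespace id (as in the plan above) as an update rather than a duplicate, and always hands back an empty list rather than a null one, which is the mismatch behind the first error in the issue.

```go
package main

import "errors"

// NamespaceAccess mirrors the two fields in the issue's plan output.
type NamespaceAccess struct{ NamespaceID, Permission string }

// User is a constructed stand-in for the API's user object: as the commit
// message says, every namespace access is stored on this single object.
type User struct {
	Email, AccountAccess string
	NamespaceAccesses    []NamespaceAccess
}

// ErrAdminWithNamespaces is the server-side rule quoted in the second error.
var ErrAdminWithNamespaces = errors.New("may not be assigned an account admin role along with namespace permissions")

// grant upserts one namespace entry by read-modify-write on a copy, so every
// other entry survives: the invariant the commit sets out to keep. The copy is
// built with make, so a nil (null) list from the API comes back as [] rather
// than null, which is exactly the mismatch behind the first error above.
func grant(u *User, nsID, perm string) error {
	if u.AccountAccess == "admin" { // account admins may not carry namespace permissions
		return ErrAdminWithNamespaces
	}
	next := append(make([]NamespaceAccess, 0, len(u.NamespaceAccesses)+1), u.NamespaceAccesses...)
	found := false
	for i := range next {
		if next[i].NamespaceID == nsID { // a repeated id (as in the plan above) updates, not duplicates
			next[i].Permission, found = perm, true
		}
	}
	if !found {
		next = append(next, NamespaceAccess{nsID, perm})
	}
	u.NamespaceAccesses = next
	return nil
}

// revoke drops one entry and leaves [] rather than nil when it was the last one.
func revoke(u *User, nsID string) {
	next := make([]NamespaceAccess, 0, len(u.NamespaceAccesses))
	for _, a := range u.NamespaceAccesses {
		if a.NamespaceID != nsID {
			next = append(next, a)
		}
	}
	u.NamespaceAccesses = next
}
```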