Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Change engineer to any other role #816

Open
pavelpulec opened this issue Mar 3, 2024 · 2 comments
Open

Change engineer to any other role #816

pavelpulec opened this issue Mar 3, 2024 · 2 comments

Comments

@pavelpulec
Copy link

Terraform Version

Terraform v1.7.4
on linux_amd64

Affected Fastly Terraform Resource(s)

Please list the affected resources, for example:

  • fastly_user

Terraform Configuration Files

terraform {
  required_providers {
    fastly = {
      source  = "fastly/fastly"
      version = "5.6.0"
    }
  }
}

variable "role" {
  default = "engineer"
}

resource "fastly_user" "this" {
  login = "[email protected]"
  name  = "Mr. Example"
  role  = var.role
}

resource "fastly_service_authorization" "this" {
  count      = var.role == "engineer" ? 1 : 0
  service_id = "<service_id>"
  user_id    = fastly_user.this.id
  permission = "full"
}

Expected Behavior

Terraform fails to change a role for existing users from engineer to anything else (e.g. user). The Terraform run fails with:

│ Error: 400 - Bad Request:
│ 
│     Title:  Record invalid
│     Detail: Role 'user' is not allowed to be service limited
│     RateLimitRemaining: 988
│     RateLimitReset:     1709467200
│ 
│   with fastly_user.this,
│   on example.tf line 14, in resource "fastly_user" "this":
│   14: resource "fastly_user" "this" {

I would expect that when all service authorizations are removed, then I will be able to change the role by Terraform without any manual intervention.

Actual Behavior

Terraform fails that the role user is not allowed to be service limited.

There is a manual workaround to go to Fastly UI, find user, check his access control and choose Access all services as it can be seen in the picture below.
image

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply
  2. Change a role in the variable role to user
  3. terraform apply
@pavelpulec
Copy link
Author

Hello Fastly,

I hit this issue again with another scenario. In this case, the Service Access switcher is on the Limit access to select services option and can't be changed by Terraform.

This behavior can be replicated by these steps:

  1. Create an user by the fastly_user resource with the engineer role.
  2. Create a service authorization to this user by the fastly_service_authorization resource.
  3. Remove this fastly_service_authorization resource.

Now, the user is left without access to any services because it has the engineer role but no authorized services.

To resolve this issue, there needs to be an option that will manage the "Service access" switcher.

Image

Could you look into this issue and implement an option that manages this configuration?
Thank you!

@kpfleming
Copy link
Contributor

We are investigating this now, thanks for the report. Most likely the solution we'll implement will make the limit_services attribute on a fastly_user directly manageable from within the provider. We've been told that some customers actually make use of limit_services == true without any service authorizations, so we can't automatically set limit_services to false when the service authorizations are removed, it will have to be explicit.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@kpfleming @pavelpulec