
A oci_identity_domains_group resource "assumes" the creator is in the same domain and sets invalid owner/idcs_created_by causing future updates to fail #2131

Open
jeliker opened this issue Jun 4, 2024 · 0 comments

jeliker commented Jun 4, 2024

Terraform Version and Provider Version

```text
% terraform -v
Terraform v1.7.4
on darwin_amd64
+ provider registry.terraform.io/oracle/oci v5.44.0
```

Affected Resource(s)

```text
affected_resources = oci_identity_domains_group
```

Terraform Configuration Files

```hcl
resource "oci_identity_domains_group" "the_group" {

  #Required
  display_name  = "test-new-group"
  idcs_endpoint = var.domain_endpoint
  schemas = [
    "urn:ietf:params:scim:schemas:core:2.0:Group",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:OCITags",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group"
  ]

  attribute_sets = ["all"]
}
```

Creates the group without error. Next, add a tag to trigger an update.

```hcl
resource "oci_identity_domains_group" "the_group" {

  #Required
  display_name  = "test-new-group"
  idcs_endpoint = var.domain_endpoint
  schemas = [
    "urn:ietf:params:scim:schemas:core:2.0:Group",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:OCITags",
    "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group"
  ]

  attribute_sets = ["all"]

  urnietfparamsscimschemasoracleidcsextension_oci_tags {
    freeform_tags {
      key   = "user_role"
      value = "test-user"
    }
  }
}
```

Relevant output is shown here:

```text
# oci_identity_domains_group.the_group will be updated in-place
  ~ resource "oci_identity_domains_group" "the_group" {
        id                                                    = "2b90f7a13ba24ad09dce6c3e78b3b957"
        # (13 unchanged attributes hidden)

      ~ urnietfparamsscimschemasoracleidcsextension_oci_tags {
            # (1 unchanged attribute hidden)

          + freeform_tags {
              + key   = "user_role"
              + value = "test-user"
            }

            # (2 unchanged blocks hidden)
        }

        # (2 unchanged blocks hidden)
    }

. . .

Error: 400-BadErrorResponse,
│ Suggestion: Please retry or contact support for help with service: Identity Domains Group
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_domains_group
│ API Reference: https://docs.oracle.com/iaas/api/#/en/identity-domains/v1/Group/PutGroup
│ Request Target: PUT https://idcs-0fb561ef6dd083fb55b4150d4973b309.identity.oraclecloud.com:443/admin/v1/Groups/2b90f7a13ba24ad09dce6c3e78b3b957?attributeSets=all
│ Provider version: 5.44.0, released on 2024-06-01.
│ Service: Identity Domains Group
│ Operation Name: PutGroup
│ OPC request ID: 61fdd029090e720f5eff2c0c82182b31/Has2F1vH200000000
│
│
│   with oci_identity_domains_group.the_group,
│   on group.tf line 5, in resource "oci_identity_domains_group" "the_group":
│    5: resource "oci_identity_domains_group" "the_group" {
```

Debug Output

Notice the issue as shown in the debug output:

```text
Group.urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group:owners references a User with ID d459ecb1230d413596c786a043f58eb4 that does not exist
```

```text
2024-06-04T13:50:45.724-0400 [DEBUG] provider.terraform-provider-oci_v5.44.0: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Group.urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group:owners references a User with ID d459ecb1230d413596c786a043f58eb4 that does not exist.","status":"400","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.common.validation.invalidReferenceResource","additionalData":{"invalidReferenceResourceId":"d459ecb1230d413596c786a043f58eb4"}}}
```

The error is only partially correct. Here is what the owners attribute has, as set when the group was created:

```json
"owners": [
  {
    "$ref": "https://idcs-0fb561ef6dd083fb55b4150d4973b309.identity.oraclecloud.com:443/admin/v1/Users/d459ecb1230d413596c786a043f58eb4",
    "display": "",
    "type": "User",
    "value": "d459ecb1230d413596c786a043f58eb4"
  }
]
```

What is true is that user d459ecb1230d413596c786a043f58eb4 is not valid in the domain with endpoint https://idcs-0fb561ef6dd083fb55b4150d4973b309.identity.oraclecloud.com:443, which is the domain of the group being created. However, what is failing here is that the owners field assumes that the user creating the new group is part of the same domain, which is not true.

Here my SDK credentials are from a different domain but with privileges to manage the entire tenancy, including the domain that is the target of this new group. When I created the group using SDK credentials from DomainA and attribute_sets = ["all"], the owners value (and for that matter idcs_created_by and idcs_last_modified_by) all created user $ref values that attached my actual user ID (from my Domain) to the Domain endpoint of the target Domain and called that a valid reference to the owner and creator. That is incorrect, as there is no requirement for the creator of a group to be a member of the Domain—only that the creator of the group be a user with privileges to create groups in the domain.

Steps to Reproduce

  1. Run terraform apply for a new identity_domains_group resource with attribute_sets = ["all"]. Ensure the credentials of the user running apply are from a domain other than the one where the new group is being created.
  2. Update the group to trigger a change event (i.e. add a new Freeform Tag), then apply.
  3. Note the error in the debug output that complains that the (SDK) user is invalid, because it assumes the SDK user is in the same domain that is being modified.

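Added example, not code from the issue or from the OCI provider: a Python check that pairs the SCIM error body from a provider debug line with the group's user references and reports which references carry the rejected user ID under the target domain's host, i.e. the cross-domain stitching described above. The group document, and the idcsCreatedBy/idcsLastModifiedBy attribute names, are assumptions modelled on the values quoted in this report.

```python
import json
from urllib.parse import urlparse

GROUP_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group"
SCIM_ERR_EXT = "urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"
INVALID_REF = "error.common.validation.invalidReferenceResource"

# Constructed sample: the target domain endpoint and the owner/creator refs
# the provider wrote, using the IDs quoted in the report (assumed layout).
TARGET_ENDPOINT = "https://idcs-0fb561ef6dd083fb55b4150d4973b309.identity.oraclecloud.com:443"
USER_ID = "d459ecb1230d413596c786a043f58eb4"
USER_REF = {"$ref": TARGET_ENDPOINT + "/admin/v1/Users/" + USER_ID,
            "display": "", "type": "User", "value": USER_ID}
GROUP = {"id": "2b90f7a13ba24ad09dce6c3e78b3b957",
         GROUP_EXT: {"owners": [USER_REF]},
         "idcsCreatedBy": USER_REF, "idcsLastModifiedBy": USER_REF}

# Constructed debug line in the shape of the one shown above.
DEBUG_LINE = ('2024-06-04T13:50:45.724-0400 [DEBUG] provider.terraform-provider-oci_v5.44.0: '
              '{"schemas":["urn:ietf:params:scim:api:messages:2.0:Error"],'
              '"detail":"owners references a User with ID ' + USER_ID + ' that does not exist.",'
              '"status":"400","' + SCIM_ERR_EXT + '":{"messageId":"' + INVALID_REF + '",'
              '"additionalData":{"invalidReferenceResourceId":"' + USER_ID + '"}}}')


def parse_scim_error(line):
    """Extract the JSON body from a provider debug line; None unless it is an invalid-reference error."""
    start = line.find("{")
    if start < 0:
        return None
    body = json.loads(line[start:])
    ext = body.get(SCIM_ERR_EXT, {})
    if ext.get("messageId") != INVALID_REF:
        return None
    return {"status": body.get("status"),
            "invalid_id": ext.get("additionalData", {}).get("invalidReferenceResourceId")}


def user_refs(group):
    """Yield (attribute path, ref) for every user reference the group document carries."""
    for i, ref in enumerate(group.get(GROUP_EXT, {}).get("owners", [])):
        yield f"owners[{i}]", ref
    for attr in ("idcsCreatedBy", "idcsLastModifiedBy"):
        if attr in group:
            yield attr, group[attr]


def dangling_refs(group, target_endpoint, scim_error):
    """Paths of refs whose value the service rejected but whose $ref host is the target domain."""
    host = urlparse(target_endpoint).netloc
    return [path for path, ref in user_refs(group)
            if ref.get("value") == scim_error["invalid_id"]
            and urlparse(ref.get("$ref", "")).netloc == host]
```

Running dangling_refs(GROUP, TARGET_ENDPOINT, parse_scim_error(DEBUG_LINE)) flags the owner, creator and last-modifier references together, which is the signature of a caller identity stitched onto a domain it does not belong to.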

@jeliker jeliker added the bug label Jun 4, 2024