A oci_identity_domains_group resource "assumes" the creator is in the same domain and sets invalid owner/idcs_created_by causing future updates to fail
#2131 · Open · jeliker opened this issue on Jun 4, 2024 · 0 comments
```
  # oci_identity_domains_group.the_group will be updated in-place
  ~ resource "oci_identity_domains_group" "the_group" {
        id = "2b90f7a13ba24ad09dce6c3e78b3b957"
        # (13 unchanged attributes hidden)

      ~ urnietfparamsscimschemasoracleidcsextension_oci_tags {
          # (1 unchanged attribute hidden)
          + freeform_tags {
              + key   = "user_role"
              + value = "test-user"
            }
          # (2 unchanged blocks hidden)
        }
      # (2 unchanged blocks hidden)
    }
...
│ Error: 400-BadErrorResponse,
│ Suggestion: Please retry or contact support for help with service: Identity Domains Group
│ Documentation: https://registry.terraform.io/providers/oracle/oci/latest/docs/resources/identity_domains_group
│ API Reference: https://docs.oracle.com/iaas/api/#/en/identity-domains/v1/Group/PutGroup
│ Request Target: PUT https://idcs-0fb561ef6dd083fb55b4150d4973b309.identity.oraclecloud.com:443/admin/v1/Groups/2b90f7a13ba24ad09dce6c3e78b3b957?attributeSets=all
│ Provider version: 5.44.0, released on 2024-06-01.
│ Service: Identity Domains Group
│ Operation Name: PutGroup
│ OPC request ID: 61fdd029090e720f5eff2c0c82182b31/Has2F1vH200000000
│
│
│ with oci_identity_domains_group.the_group,
│ on group.tf line 5, in resource "oci_identity_domains_group" "the_group":
│ 5: resource "oci_identity_domains_group" "the_group" {
```
Debug Output
Notice the issue as shown in the debug output:

```
Group.urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group:owners references a User with ID d459ecb1230d413596c786a043f58eb4 that does not exist

2024-06-04T13:50:45.724-0400 [DEBUG] provider.terraform-provider-oci_v5.44.0: {"schemas":["urn:ietf:params:scim:api:messages:2.0:Error","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"],"detail":"Group.urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group:owners references a User with ID d459ecb1230d413596c786a043f58eb4 that does not exist.","status":"400","urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error":{"messageId":"error.common.validation.invalidReferenceResource","additionalData":{"invalidReferenceResourceId":"d459ecb1230d413596c786a043f58eb4"}}}
```
The error is only partially correct. Here is what the `owners` attribute has, as it was set when the group was created:

What is true is that user `d459ecb1230d413596c786a043f58eb4` is not valid in the domain with endpoint `https://idcs-0fb561ef6dd083fb55b4150d4973b309.identity.oraclecloud.com:443`, which is the domain of the group being created. However, what is failing here is that the `owners` field is assuming that the user creating the new group is part of the same domain, which is not true.

Here my SDK credentials are from a different domain but with privileges to manage the entire tenancy, including the domain that is the target of this new group. When I created the group using SDK credentials from DomainA and `attribute_sets = ["all"]`, the `owners` value (and for that matter `idcs_created_by` and `idcs_last_modified_by`) both created user `$ref` values that attached my actual user ID (from my Domain) to the Domain endpoint of the target Domain and called that a valid reference to the owner and creator. That is incorrect, as there is no requirement for the creator of a group to be a member of the Domain—only that the creator of the group be a user with privileges to create groups in the domain.
Panic Output
Expected Behavior
Actual Behavior
Steps to Reproduce
1. `terraform apply` for a new `identity_domains_group` resource with `attribute_sets = ["all"]`. Ensure the credentials of the user running apply are from a domain other than the one where the new group is being created.
2. Update the group to trigger a change event (i.e. add a new Freeform Tag), then apply.
3. Note the error in the debug output that complains the (SDK) user is invalid, because it assumes the SDK user is in the same domain that is being modified.
Important Factoids
Community Note
Terraform Version and Provider Version
Affected Resource(s)
affected_resources = oci_identity_domains_group
Terraform Configuration Files
Creates the group without error. Next, add a tag to trigger an update.
Relevant output shown here
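A small diagnostic for the failure mode described above, added here as an example and not code from the issue or the provider: it pulls the `invalidReferenceResourceId` out of the SCIM 400 body and then walks a Group document to report which attributes (`owners`, `idcsCreatedBy`, ...) carry a `$ref` for that user rooted at the target domain endpoint. The error and Group JSON are constructed to mirror the shapes shown in the issue; the `idcsCreatedBy` field layout is assumed.

```python
import json
from urllib.parse import urlparse

GROUP_EXT = "urn:ietf:params:scim:schemas:oracle:idcs:extension:group:Group"
ERROR_EXT = "urn:ietf:params:scim:api:oracle:idcs:extension:messages:Error"
USER_ID = "d459ecb1230d413596c786a043f58eb4"  # caller's user ID, from the other domain
TARGET = "https://idcs-0fb561ef6dd083fb55b4150d4973b309.identity.oraclecloud.com:443"

# Constructed SCIM 400 body, shaped like the debug output in the issue.
ERROR_BODY = json.dumps({
    "schemas": ["urn:ietf:params:scim:api:messages:2.0:Error", ERROR_EXT],
    "status": "400",
    ERROR_EXT: {"messageId": "error.common.validation.invalidReferenceResource",
                "additionalData": {"invalidReferenceResourceId": USER_ID}},
})

# Constructed Group document: owners and idcsCreatedBy carry $ref values minted
# against the target domain endpoint although the user belongs to another domain.
GROUP_BODY = json.dumps({
    "id": "2b90f7a13ba24ad09dce6c3e78b3b957",
    "displayName": "the_group",
    "idcsCreatedBy": {"value": USER_ID, "type": "User",
                      "$ref": f"{TARGET}/admin/v1/Users/{USER_ID}"},
    GROUP_EXT: {"owners": [{"value": USER_ID, "type": "User",
                            "$ref": f"{TARGET}/admin/v1/Users/{USER_ID}"}]},
})

def invalid_reference_id(error_json):
    """Extract invalidReferenceResourceId from the IDCS SCIM error extension."""
    ext = json.loads(error_json).get(ERROR_EXT, {})
    return ext.get("additionalData", {}).get("invalidReferenceResourceId")

def find_user_references(group_json, user_id, endpoint):
    """Attribute paths of every User reference to user_id whose $ref is rooted
    at the domain endpoint (the references the API then rejects on PUT)."""
    host = urlparse(endpoint).netloc
    hits = []

    def walk(node, path):
        if isinstance(node, dict):
            if (node.get("type") == "User" and node.get("value") == user_id
                    and urlparse(node.get("$ref", "")).netloc == host):
                hits.append(path)
            for key, child in node.items():
                walk(child, f"{path}.{key}" if path else key)
        elif isinstance(node, list):
            for i, child in enumerate(node):
                walk(child, f"{path}[{i}]")

    walk(json.loads(group_json), "")
    return hits
```

Run against a real Group fetched with `attributeSets=all`, a non-empty result lists exactly the attributes that need to be corrected before the next in-place update can succeed.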