Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Terraform script drop and recreate the same keyspace leading to the admin user loses access to the recreated keyspace #294

Open
GLZ9568 opened this issue Aug 28, 2023 · 1 comment
Open

Terraform script drop and recreate the same keyspace leading to the admin user loses access to the recreated keyspace #294

GLZ9568 opened this issue Aug 28, 2023 · 1 comment

Comments

@GLZ9568
Copy link

GLZ9568 commented Aug 28, 2023

The customer has reported that after they use Terraform script to drop and recreate keyspace cssservice, their admin user admin-ocp-p-p-uspd-css-cass-01 loses access to the recreated keyspace.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

 + create
 ~ update in-place
Terraform will perform the following actions:
 # module.ds-astra-cluster.astra_keyspace.this["dekms"] will be created
 + resource "astra_keyspace" "this" {
   + database_id = "51a23389-1499-4d64-b73a-c958f96e79a0"
   + id     = (known after apply)
   + name    = "dekms"
  }
 # module.ds-astra-cluster.astra_role.admin will be updated in-place
 ~ resource "astra_role" "admin" {
    id     = "d031a210-7a6b-4310-a993-fdf05409c3ed"
   ~ resources  = [
      "drn:astra:org:aa277a78-b6d6-495a-a67f-3715f6a9524a:db:51a23389-1499-4d64-b73a-c958f96e79a0:keyspace:default_unused",
     + "drn:astra:org:aa277a78-b6d6-495a-a67f-3715f6a9524a:db:51a23389-1499-4d64-b73a-c958f96e79a0:keyspace:dekms",
    ]
    # (5 unchanged attributes hidden)
  }
Plan: 1 to add, 1 to change, 0 to destroy.

Below is the output from Terraform:

147 # module.ds-astra-cluster.astra_role.admin will be updated in-place
148 ~ resource "astra_role" "admin" {
149 ~ description = "admin-ocp-p-p-uspd-css-cass-01" -> "Admin role"
150 id = "5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb"
...
164Plan: 0 to add, 1 to change, 1 to destroy.
165module.ds-astra-cluster.astra_keyspace.this["cssservice"]: Destroying... [id=c2db6b6d-844c-4963-a225-58b9f91550dd/keyspace/cssservice]
166module.ds-astra-cluster.astra_role.admin: Modifying... [id=5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb]
167module.ds-astra-cluster.astra_keyspace.this["cssservice"]: Destruction complete after 0s
168module.ds-astra-cluster.astra_role.admin: Modifications complete after 1s [id=5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb]
...

it appears the astra_role.admin table is modified when a keyspace is dropped, does terraform modify the user roles when removing a keyspace? if so, does it add the correct access for the role back when the keyspace is recreated?
@pgier
Copy link
Collaborator

pgier commented Sep 15, 2023

@GLZ9568 Can you provide the version of Terraform and the Astra provider/plugin, and also an example main.tf to reproduce the issue? The Terraform Astra provider shouldn't modify the contents of the role if the contents are directly specified. I'm guessing in this case there is a loop to dynamically create the permissions, which would cause the resources to be automatically added/removed, but I can't tell without the source main.tf.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@pgier @GLZ9568