TERRA-60 ⁃ astra_role module crashes when listing existing roles #101

Open

sflandergan opened this issue May 5, 2022 · 7 comments

sflandergan commented May 5, 2022

Hi,

I've tried to manage a role with the astra_role module.
While it managed to create the role it crashes directly afterwards when listing the roles.

Terraform Version

Terraform v1.1.9
on linux_amd64
+ provider registry.terraform.io/carlpett/sops v0.7.0
+ provider registry.terraform.io/datastax/astra v2.1.0-beta2
+ provider registry.terraform.io/hashicorp/azurerm v3.4.0

Affected Resource(s)

  • astra_role

Terraform Configuration Files

## main.tf

terraform {
  required_providers {
    astra = {
      source = "datastax/astra"
    }
  }
}

resource "astra_database" "db_instance" {
  name           = var.db_name
  cloud_provider = "azure"
  regions        = ["westeurope"]
  keyspace       = "app"
}

resource "astra_role" "app" {
    role_name = "app"
    description = "application access"
    effect = "allow"
    resources = [
      "drn:astra:org:${astra_database.db_instance.organization_id}:db:${astra_database.db_instance.id}",
      "drn:astra:org:${astra_database.db_instance.organization_id}:db:${astra_database.db_instance.id}:keyspace:app",
      "drn:astra:org:${astra_database.db_instance.organization_id}:db:${astra_database.db_instance.id}:keyspace:app:table:*"
      ]
    policy = [
      "db-cql",
      "db-table-alter",
      "db-table-create",
      "db-table-describe",
      "db-table-modify",
      "db-table-select"
    ]
}

## variables.tf
variable "db_name" {
  type        = string
  description = "Name of the database instance"
}

Panic Output

Expected Behavior

terraform plan and apply should work without the module crashing.

Actual Behavior

The module crashes after the role has been created.

Additional Information

The state has been successfully written:

$> terraform state show module.astra-db-instance.astra_role.app

resource "astra_role" "app" {
    description = "application access"
    effect      = "allow"
    id          = "<omitted>"
    policy      = [
        "db-cql",
        "db-table-alter",
        "db-table-create",
        "db-table-describe",
        "db-table-modify",
        "db-table-select",
    ]
    resources   = [
        "drn:astra:org:<omitted>",
        "drn:astra:org:<omitted>:db:<omitted>:keyspace:app",
        "drn:astra:org:<omitted>:db:<omitted>:keyspace:app:table:*",
    ]
    role_id     = "<omitted>"
    role_name   = "app"
}

Steps to Reproduce

  1. terraform apply -auto-approve

┆Issue is synchronized with this Jira Task by Unito
┆friendlyId: TERRA-60
┆priority: Major

@emerkle826
Contributor

@sflandergan I tried to reproduce this one, but I'm not able to. Can you verify that the Astra token you are using when you perform this has permissions to read user roles? It would be a little odd to have the ability to create a role, but not be able to read it.

sflandergan commented May 10, 2022

Hi @emerkle826 ,

> Can you verify that the Astra token you are using when you perform this has permissions to read user roles?

Yes I can.
When I query the DevOps API with the token it works perfectly fine.

You can check the response of http https://api.astra.datastax.com/v2/organizations/roles "Authorization: Bearer $ASTRA_TOKEN" I get within this gist.
I just omitted all the IDs from the response.

It might be necessary though that you need to create a token referring to the role:

resource "astra_token" "app" {
    roles = [astra_role.app.id]
}

Seems otherwise the routine github.com/datastax/terraform-provider-astra/v2/internal/provider.listRole is not triggered.

@emerkle826
Contributor

@sflandergan Thanks for the gist with your token permissions. Using the terraform file you provided, and creating a role that matches the permissions of your terraform role, I am able to reproduce this by first doing a terraform apply to create the database and role, then doing a terraform plan gives me the same panic. I should be able to fix this soon.

@emerkle826
Contributor

A little more of an update. While I am able to use the terraform role to list all roles in an org via the DevOps API, I am not able to use it to list a specific role, which is what the provider is doing. If you try to list out a specific role via the DevOps API, you get something like this

"user <client ID> is missing admin role for organization <org ID>"

However, when I use an Admin token with the provider, I am able to list the role via terraform. I am also able to list specific roles via DevOps API with the admin token.

I'm going to leave this ticket open for now, but I'll raise an issue with the Dev Ops API folks to see if this is expected.

@sflandergan
Author

@emerkle826 thanks for the update.
Using the Organization Administrator role does work for me too.
This is a good workaround for me until the API is fixed.

As you said this looks like a bug in the DevOps API since there seems to be an explicit check for the admin role.
Even if I give my custom role all authorities available in the UI the DevOps API still denies reading the role.

@emerkle826
Contributor

@sflandergan Glad the workaround will work for you. Also, I have a fix to prevent the panic and dump the Astra error instead in the PR #105 (which addresses #99)
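The fix described above (report the Astra DevOps API error instead of panicking on a failed single-role read), as an added Go example that is not the provider's own code from PR #105. The Role type, GetRole, NewFakeDevOpsAPI, the error-body shape and the token strings are assumptions; the fake server only reproduces the "missing admin role" behaviour observed in this thread.

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
)

// Role is a hypothetical type (not the provider's) with fields from the issue's state output.
type Role struct{ ID, Name string }
// GetRole reads one role; a non-2xx reply becomes an error carrying the API message, not a nil dereference.
func GetRole(baseURL, roleID, token string) (*Role, error) {
	req, _ := http.NewRequest(http.MethodGet, baseURL+"/v2/organizations/roles/"+roleID, nil)
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode != http.StatusOK {
		var ae struct{ Errors []struct{ Message string } } // assumed DevOps API error body shape
		if json.Unmarshal(body, &ae) == nil && len(ae.Errors) > 0 {
			return nil, fmt.Errorf("astra DevOps API returned %d: %s", resp.StatusCode, ae.Errors[0].Message)
		}
		return nil, fmt.Errorf("astra DevOps API returned %d: %s", resp.StatusCode, body)
	}
	r := new(Role)
	return r, json.Unmarshal(body, r) // caller checks err before using r
}

// NewFakeDevOpsAPI is a constructed stand-in for the thread's observation: reading a single
// role is refused with the "missing admin role" message unless an admin token is presented.
func NewFakeDevOpsAPI() *httptest.Server {
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Authorization") != "Bearer admin-token" {
			http.Error(w, `{"errors":[{"message":"user <client ID> is missing admin role for organization <org ID>"}]}`, http.StatusForbidden)
			return
		}
		fmt.Fprint(w, `{"id":"role-1","name":"app"}`)
	}))
}
func main() {
	srv := NewFakeDevOpsAPI()
	defer srv.Close()
	_, err := GetRole(srv.URL, "role-1", "app-token")
	fmt.Println("custom-role token:", err) // reported as an error, no panic
}
```

With the custom-role token the provider would now show the API's message in the plan output; with the admin token the role is decoded normally.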

@maestre3d

Seems that the issue is still appearing after a time of using this module. The issue happened after a couple of months using the module. Finally, it is worth mentioning that I did not have any issues until now and I did not even modify anything related to the module for a while.

Besides the role not having enough permissions, I've also got a null database fetch response but I guess this is related.

At this moment, using an Organization Administrator role seems to be fixing the issue but I don't think we should be using an org admin role when provisioning a single database (which is my case) according to other clouds' security best practices for IAM systems (grant least privilege).
