Applying Role Derivations fails unless the Role keys are the same #30

Open
vancegillies opened this issue Feb 23, 2024 · 3 comments

@vancegillies

Given this Terraform file from the ReBAC example (I have just changed the folderAdmin to folderAdminer):

```hcl
resource "permitio_resource" "file" {
  key  = "file"
  name = "file"
  actions = {
    "create" = {
      "name" = "Create"
    }
    "read" = {
      "name" = "Read"
    }
    "update" = {
      "name" = "Update"
    }
    "delete" = {
      "name" = "Delete"
    }
  }
  attributes = {}
}

resource "permitio_resource" "folder" {
  key  = "folder"
  name = "folder"
  actions = {
    "create" = {
      "name" = "Create"
    }
    "list" = {
      "name" = "List"
    }
    "modify" = {
      "name" = "Modify"
    }
    "delete" = {
      "name" = "Delete"
    }
  }
  attributes = {}
}

resource "permitio_relation" "parent" {
  key              = "parent"
  name             = "parent of"
  subject_resource = permitio_resource.folder.key
  object_resource  = permitio_resource.file.key
}

resource "permitio_role" "fileAdmin" {
  key         = "admin"
  name        = "Administrator"
  description = "Administrator access to files"
  permissions = ["read", "create", "update", "delete"]
  extends     = []
  resource    = permitio_resource.file.key
  depends_on = [
    permitio_resource.file,
  ]
}

resource "permitio_role" "folderAdminer" {
  key         = "adminer"
  name        = "Administrator"
  description = "Administrator access to folders"
  permissions = ["create", "list", "modify", "delete"]
  extends     = []
  resource    = permitio_resource.folder.key
  depends_on = [
    permitio_resource.folder,
  ]
}

resource "permitio_role_derivation" "folderFileAdminer" {
  resource    = permitio_resource.file.key
  role        = permitio_role.fileAdmin.key
  on_resource = permitio_resource.folder.key
  # References the renamed folder role declared above (key "adminer").
  to_role     = permitio_role.folderAdminer.key
  linked_by   = permitio_relation.parent.key
}
```

When trying to apply, it fails on the role derivation with:

```
│ Error: Unable to create role derivation
│
│   with permitio_role_derivation.folderFileAdmin,
│   on main.tf line 85, in resource "permitio_role_derivation" "folderFileAdmin":
│   85: resource "permitio_role_derivation" "folderFileAdmin" {
│
│ unable to create role derivation: ErrorCode: NotFound, ErrorType: api_error, Message: 404 Not Found
```

because it's looking for `folder#admin` when it's meant to be `folder#adminer`.

@vancegillies
Author

Another note: just applying the ReBAC example and then destroying it fails with:

```
│ Error: Unable to read role derivation
│
│   with permitio_role_derivation.folderFileAdmin,
│   on main.tf line 85, in resource "permitio_role_derivation" "folderFileAdmin":
│   85: resource "permitio_role_derivation" "folderFileAdmin" {
│
│ unable to read role derivation: derivation not found: %!w(models.DerivedRoleRuleRead={5a39b24e8ae445d08e8038841c9a4762
│ bbe146450f034c7e8d1d6e34e153707b d2caab277edf476598feb7f822de5c82 admin folder parent 0x14000158108})
```

@alex-skeen

👍 this

@obsd

obsd commented Mar 1, 2024

Hi @alex-skeen and @vancegillies, thanks for bringing it to our attention. We will check this out. In the meantime, if you get an error of something not found, you can go here to see more detailed errors on this: https://docs.permit.io/api/api-with-cli#working-with-the-api-logs
