description field in nexus_role does not get updated in state #68

Closed
AliAllomani opened this issue Jun 24, 2020 · 10 comments
Labels
bug Something isn't working

description field of nexus_role always shows changes to be applied when performing plan.

13:07:46    # nexus_role.role["1cc99b0fb76325c7d8259c7fbb7e1402"] will be updated in-place
13:07:46    ~ resource "nexus_role" "role" {
13:07:46        ~ description = "cloud_engineering" -> "Created by Terraform"
13:07:46          id          = "cloud_engineering"
13:07:46          name        = "cloud_engineering"
13:07:46        ~ privileges  = [
13:07:46            + "nx-repository-admin-x-ce-dev-x-x",
13:07:46            + "nx-repository-view-x-ce-dev-x-x",
13:07:46            + "nx-repository-admin-x-ce-prod-x-x",
13:07:46            + "nx-repository-view-x-ce-prod-x-x",
13:07:46            + "nx-repository-admin-apt-ce-prod-test1-*",
13:07:46          ]
13:07:46          roleid      = "cloud_engineering"
13:07:46          roles       = []
13:07:46      }

I noticed that the field is getting updated in nexus but not in the state file.

Nosmoht added a commit that referenced this issue Jul 4, 2020
Nosmoht added a commit that referenced this issue Jul 4, 2020
@Nosmoht Nosmoht mentioned this issue Jul 6, 2020
@Nosmoht Nosmoht self-assigned this Jul 6, 2020
@Nosmoht Nosmoht added the bug Something isn't working label Jul 6, 2020

Nosmoht commented Jul 6, 2020

Hi @AliAllomani,

this should be fixed with release v1.9.0.

fog1985 commented Jul 7, 2020

> Hi @AliAllomani,
>
> this should be fixed with release v1.9.0.

Hi @Nosmoht,
Have just tested out.
It's not fixed.

I still get a number of roles being touched all the time.
What I see is that it sees the description and name fields as equal to the id one, even though they are not.
Roles assignment is redone each time as well. Like, a role has sub-roles, and those roles are evaluated as to be added each time.
I have an assumption that it's due to the ID field having the value in UPPERCASE:

# nexus_role.UPPER_USERS will be updated in-place
  ~ resource "nexus_role" "UPPER_USERS" {
      ~ description = "UPPER_USERS" -> "LDAP role for UPPER_USERS" # but the field already has its final value. It's not equal to ID one.
        id          = "UPPER_USERS" # defined in upper case string.
      ~ name        = "UPPER_USERS" -> "ldap-some_value_users" # but the field already has its final value. It's not equal to ID one.
        privileges  = []
        roleid      = "UPPER_USERS"
      ~ roles       = [
          + "docker-group-read",
          + "docker-internal-some-read",
          + "internal-some-read",
          + "maven-group-some-read",
...
        ]
    }

Regards,
Taras.

Nosmoht commented Jul 7, 2020

Hi @fog1985 ,

could you please provide a full Terraform file which we can use to reproduce this? With the current test I'm not able to reproduce it.

fog1985 commented Jul 7, 2020

> Hi @fog1985,
>
> could you please provide a full Terraform file which we can use to reproduce this? With the current test I'm not able to reproduce it.

Hi @Nosmoht,
I can't easily copy-paste the whole tf file due to data sensitivity, but the declaration of one of those roles which are re-created is as follows:

resource "nexus_role" "SOME_USERS" {
  roleid      = "SOME_USERS"
  name        = "ldap-some_users"
  description = "LDAP role for SOME_USERS"
  privileges  = []
  roles       = ["npm-group-read", "docker-group-read", "maven-group-some-read", "internal-some-read", "pypi-group-read", "docker-internal-some-read"]
}

And those roles this role is referencing are defined in the same manner, but they have privileges defined, not roles. So only this main one is referencing sub-roles.
Please let me know if it is still not reproducible on your side. I will try to get more details.

Regards,
Taras.

Nosmoht commented Jul 7, 2020

Hi @fog1985,

I'm testing with the following code, which hopefully reflects your real code, but I'm not able to reproduce the behaviour.

provider "nexus" {
  url      = "http://127.0.0.1:8081"
  username = "admin"
  password = "admin123"
}

resource "nexus_role" "npm_group_read" {
  name       = "npm-group-read"
  privileges = ["nx-repository-view-npm-*-read"]
  roleid     = "npm-group-read"
}

resource "nexus_role" "docker_group_read" {
  name       = "docker-group-read"
  privileges = ["nx-repository-view-docker-*-read"]
  roleid     = "docker-group-read"
}

resource "nexus_role" "maven_group_read" {
  name       = "maven-group-read"
  privileges = ["nx-repository-view-maven2-*-read"]
  roleid     = "maven-group-read"
}

resource "nexus_role" "some_users" {
  name = "some-users"
  roles = [
    nexus_role.npm_group_read.name,
    nexus_role.docker_group_read.name,
    nexus_role.maven_group_read.name,
  ]
  roleid = "some-users"
}

If this does not reflect your code, could you please modify it so I have something which brings up the change?

fog1985 commented Jul 7, 2020

> Hi @fog1985,
>
> I'm testing with the following code, which hopefully reflects your real code, but I'm not able to reproduce the behaviour.
>
> provider "nexus" {
>   url      = "http://127.0.0.1:8081"
>   username = "admin"
>   password = "admin123"
> }
>
> resource "nexus_role" "npm_group_read" {
>   name       = "npm-group-read"
>   privileges = ["nx-repository-view-npm-*-read"]
>   roleid     = "npm-group-read"
> }
>
> resource "nexus_role" "docker_group_read" {
>   name       = "docker-group-read"
>   privileges = ["nx-repository-view-docker-*-read"]
>   roleid     = "docker-group-read"
> }
>
> resource "nexus_role" "maven_group_read" {
>   name       = "maven-group-read"
>   privileges = ["nx-repository-view-maven2-*-read"]
>   roleid     = "maven-group-read"
> }
>
> resource "nexus_role" "some_users" {
>   name = "some-users"
>   roles = [
>     nexus_role.npm_group_read.name,
>     nexus_role.docker_group_read.name,
>     nexus_role.maven_group_read.name,
>   ]
>   roleid = "some-users"
> }
>
> If this does not reflect your code, could you please modify it so I have something which brings up the change?

Hi @Nosmoht , please try to change this block:

resource "nexus_role" "some_users" {
  name = "some-users"
  roles = [
    nexus_role.npm_group_read.name,
    nexus_role.docker_group_read.name,
    nexus_role.maven_group_read.name,
  ]
  roleid = "some-users"
}

To this one:

resource "nexus_role" "SOME_USERS" {
  roleid = "SOME_USERS"
  name = "some-users"
  description = "SOME_USERS role"
  privileges = []

  roles = [
    nexus_role.npm_group_read.name,
    nexus_role.docker_group_read.name,
    nexus_role.maven_group_read.name,
  ]
}

Nosmoht commented Jul 7, 2020

Hi @fog1985 ,

I did, but the result is as expected:

No changes. Infrastructure is up-to-date.

But I realized that nexus_role.<role>.name is wrong and must be nexus_role.<role>.roleid instead in a role's roles. Unfortunately the Nexus API documentation only says "The list of roles assigned to this role." for the attribute roles. So the right code would be:

provider "nexus" {
  url      = "http://127.0.0.1:8081"
  username = "admin"
  password = "admin123"
}

resource "nexus_role" "npm_group_read" {
  name       = "npm-group-read-name"
  privileges = ["nx-repository-view-npm-*-read"]
  roleid     = "npm-group-read-id"
}

resource "nexus_role" "docker_group_read" {
  name       = "docker-group-read-name"
  privileges = ["nx-repository-view-docker-*-read"]
  roleid     = "docker-group-read-id"
}

resource "nexus_role" "maven_group_read" {
  name       = "maven-group-read-name"
  privileges = ["nx-repository-view-maven2-*-read"]
  roleid     = "maven-group-read-id"
}

resource "nexus_role" "role" {
  name        = "role-name"
  roleid      = "role-id"
  description = "role-description"
}

resource "nexus_role" "SOME_USERS" {
  roleid = "SOME_USERS"
  name = "some-users"
  description = "SOME_USERS role"
  privileges = []

  roles = [
    nexus_role.npm_group_read.roleid,
    nexus_role.docker_group_read.roleid,
    nexus_role.maven_group_read.roleid,
  ]
}

fog1985 commented Jul 7, 2020

> Hi @fog1985,
>
> I did, but the result is as expected:
>
> No changes. Infrastructure is up-to-date.
>
> But I realized that nexus_role.<role>.name is wrong and must be nexus_role.<role>.roleid instead in a role's roles. Unfortunately the Nexus API documentation only says "The list of roles assigned to this role." for the attribute roles. So the right code would be:
>
> provider "nexus" {
>   url      = "http://127.0.0.1:8081"
>   username = "admin"
>   password = "admin123"
> }
>
> resource "nexus_role" "npm_group_read" {
>   name       = "npm-group-read-name"
>   privileges = ["nx-repository-view-npm-*-read"]
>   roleid     = "npm-group-read-id"
> }
>
> resource "nexus_role" "docker_group_read" {
>   name       = "docker-group-read-name"
>   privileges = ["nx-repository-view-docker-*-read"]
>   roleid     = "docker-group-read-id"
> }
>
> resource "nexus_role" "maven_group_read" {
>   name       = "maven-group-read-name"
>   privileges = ["nx-repository-view-maven2-*-read"]
>   roleid     = "maven-group-read-id"
> }
>
> resource "nexus_role" "role" {
>   name        = "role-name"
>   roleid      = "role-id"
>   description = "role-description"
> }
>
> resource "nexus_role" "SOME_USERS" {
>   roleid = "SOME_USERS"
>   name = "some-users"
>   description = "SOME_USERS role"
>   privileges = []
>
>   roles = [
>     nexus_role.npm_group_read.roleid,
>     nexus_role.docker_group_read.roleid,
>     nexus_role.maven_group_read.roleid,
>   ]
> }

Ah. And one more thing: I provide roles as a list of IDs as follows:

  roles = [
    "npm-group-read-id",
    "docker-group-read-id",
    "maven-group-read-id",
  ]

So not referring to roles' names based on their resources, but based on their IDs just as strings.
In the TF declaration roleid equals name.

Nosmoht commented Jul 7, 2020

And you still get changes all the time?

@anmoel anmoel added this to Needs triage in Ticket tracker Jan 21, 2021
@anmoel anmoel moved this from Needs triage to High priority in Ticket tracker Jan 21, 2021
anmoel commented Jan 2, 2022

I close this stale issue. Please reopen if this error still exists.

@anmoel anmoel closed this as completed Jan 2, 2022
Ticket tracker automation moved this from High priority to Closed Jan 2, 2022
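
A review aid for plans like the ones pasted in this thread, as an added example that is not part of the original issue or the provider's code: it reads a JSON plan (the `terraform show -json` layout) and, for each in-place `nexus_role` update, separates name/description changes from added or removed privileges and roles, and marks fields whose prior state value equals the role id. The sample plan and the function name are constructed for illustration.

```python
import json

# Constructed sample in the `terraform show -json <planfile>` layout, modelled on
# the second plan excerpt in this thread (values are illustrative, not real data).
PLAN_JSON = json.dumps({"resource_changes": [
    {"address": "nexus_role.UPPER_USERS", "type": "nexus_role",
     "change": {"actions": ["update"],
                "before": {"id": "UPPER_USERS", "roleid": "UPPER_USERS",
                           "name": "UPPER_USERS", "description": "UPPER_USERS",
                           "privileges": [], "roles": []},
                "after": {"id": "UPPER_USERS", "roleid": "UPPER_USERS",
                          "name": "ldap-some_value_users",
                          "description": "LDAP role for UPPER_USERS",
                          "privileges": [],
                          "roles": ["docker-group-read", "internal-some-read"]}}},
    {"address": "nexus_role.npm_group_read", "type": "nexus_role",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}},
]})


def review_role_changes(plan_json):
    """Summarise in-place nexus_role updates from a JSON plan.

    For each updated role, report which text fields changed, which grants
    (privileges / roles) would be added or removed, and whether the prior
    state shows the symptom reported here: name/description equal to the id.
    """
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "nexus_role" or change.get("actions") != ["update"]:
            continue
        before, after = change.get("before") or {}, change.get("after") or {}
        grants = {}
        for field in ("privileges", "roles"):
            old, new = set(before.get(field) or []), set(after.get(field) or [])
            if old != new:
                grants[field] = {"added": sorted(new - old), "removed": sorted(old - new)}
        text = [f for f in ("name", "description") if before.get(f) != after.get(f)]
        stale = [f for f in text if before.get(f) == before.get("id")]
        findings.append({"address": rc["address"], "text_changed": text,
                         "grants": grants, "state_equals_id": stale})
    return findings


if __name__ == "__main__":
    for finding in review_role_changes(PLAN_JSON):
        print(json.dumps(finding, indent=2))
```

A non-empty `grants` entry on a role that is reported as changed on every plan is the part to read before applying, since it is a change in who can do what rather than a text field.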