
Role read when managing_org is gone #299

Closed

jdelucaa opened this issue Jan 19, 2023 · 6 comments

Labels: question (Further information is requested)

Comments

@jdelucaa (Contributor)

Hello 👋

We have a scenario in which we iterate through a list of IAM orgs (from edi-platform) to create some hsdp_iam_role resources there. When an org is removed from IAM for any reason (offboarding done by another module, edi-platform for example), the next time we run our automation we get the following error during READ:

│ Error: GET : StatusCode 403, Body: {"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"Forbidden","details":{"coding":{"system":"extension","code":"10302"},"text":"Resource owner denied access to the request."}}]}
│ 
│   with hsdp_iam_role.onboarded_role["6547f40a-6197-4cbc-a934-c5ef07fc1083"],
│   on hsdp_iam_roles.tf line 3, in resource "hsdp_iam_role" "onboarded_role":
│    3: resource "hsdp_iam_role" "onboarded_role" {

I think this happens because the IAM API returns a 403 Forbidden in this case, just like when the role is gone.
In this part of the code, https://github.com/philips-software/terraform-provider-hsdp/blob/main/internal/services/iam/role/resource_iam_role.go#L158, if the API returns a 403, we check whether it has role.write permission in the managing organization, which in this case will return false, not because it does not have write permission, but because the org is gone.

Can we do anything about it in the provider?

Thanks!
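To make the ambiguity concrete, here is an added example (not the provider's own code) of how a Read step can classify the IAM response before touching Terraform state. It treats a 404 as "resource gone", and on a 403 first checks whether the managing org still exists before falling back to the role.write permission check, so that a plain loss of permissions fails the run instead of silently dropping the resource from state (which would make the next plan try to recreate a role that still exists). The `IAMLookup` struct and its `OrgExists` / `HasRoleWrite` functions are hypothetical stand-ins for the real IAM client calls; the 403 body is the one quoted in the issue, embedded here as constructed input.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
)

// SampleForbiddenBody is the 403 body quoted in the issue, embedded as constructed test input.
const SampleForbiddenBody = `{"resourceType":"OperationOutcome","issue":[{"severity":"error","code":"Forbidden","details":{"coding":{"system":"extension","code":"10302"},"text":"Resource owner denied access to the request."}}]}`

// OperationOutcome models the error body shape shown in the issue.
type OperationOutcome struct {
	ResourceType string `json:"resourceType"`
	Issue        []struct {
		Severity string `json:"severity"`
		Code     string `json:"code"`
		Details  struct {
			Coding struct {
				System string `json:"system"`
				Code   string `json:"code"`
			} `json:"coding"`
			Text string `json:"text"`
		} `json:"details"`
	} `json:"issue"`
}

// OutcomeText extracts the human-readable reason and IAM code from an error body,
// falling back to the raw body when it is not an OperationOutcome.
func OutcomeText(body []byte) string {
	var oo OperationOutcome
	if err := json.Unmarshal(body, &oo); err != nil || len(oo.Issue) == 0 {
		return string(body)
	}
	d := oo.Issue[0].Details
	return fmt.Sprintf("%s (code %s)", d.Text, d.Coding.Code)
}

// ReadOutcome is the decision a provider Read step makes about Terraform state.
type ReadOutcome int

const (
	KeepInState     ReadOutcome = iota // role found: refresh attributes
	RemoveFromState                    // role or its managing org is gone: plan will recreate
	FailRead                           // permission problem: surface an error, leave state alone
)

// IAMLookup is a hypothetical abstraction of the IAM calls a Read step needs;
// it is not the provider's real client interface.
type IAMLookup struct {
	GetRole      func(roleID string) (status int, body []byte)
	OrgExists    func(orgID string) (bool, error)
	HasRoleWrite func(orgID string) (bool, error) // does the caller hold role.write in orgID?
}

// ClassifyRead decides what to do with the state entry for roleID.
// A 403 is ambiguous: the org (and with it the role) may be gone, or the caller may
// simply lack permission. Only the first case may drop the resource from state.
func ClassifyRead(iam IAMLookup, roleID, managingOrg string) (ReadOutcome, error) {
	status, body := iam.GetRole(roleID)
	switch status {
	case http.StatusOK:
		return KeepInState, nil
	case http.StatusNotFound:
		return RemoveFromState, nil
	case http.StatusForbidden:
		exists, err := iam.OrgExists(managingOrg)
		if err != nil {
			return FailRead, err
		}
		if !exists {
			// the managing org is gone, so the role is gone with it
			return RemoveFromState, nil
		}
		canWrite, err := iam.HasRoleWrite(managingOrg)
		if err != nil {
			return FailRead, err
		}
		if !canWrite {
			return FailRead, fmt.Errorf("role %s: IAM returned 403 and caller lacks role.write in org %s: %s",
				roleID, managingOrg, OutcomeText(body))
		}
		return FailRead, fmt.Errorf("role %s: unexpected 403 despite role.write in org %s: %s",
			roleID, managingOrg, OutcomeText(body))
	default:
		return FailRead, fmt.Errorf("role %s: unexpected status %d: %s", roleID, status, OutcomeText(body))
	}
}

func main() {
	// Constructed scenario from the issue: 403 from the API, org still present, but the
	// service identity lost its permissions there. The resource must stay in state and the run must fail.
	iam := IAMLookup{
		GetRole:      func(string) (int, []byte) { return http.StatusForbidden, []byte(SampleForbiddenBody) },
		OrgExists:    func(string) (bool, error) { return true, nil },
		HasRoleWrite: func(string) (bool, error) { return false, nil },
	}
	out, err := ClassifyRead(iam, "6547f40a-6197-4cbc-a934-c5ef07fc1083", "example-org-id")
	fmt.Println(out, err)
}
```

The important design choice is that a permission failure maps to `FailRead`, never to `RemoveFromState`: removing a still-existing role from state on a 403 would make Terraform attempt a create on the next run, which fails again against the same denied org and hides the real problem (a revoked identity) behind a misleading "resource gone" plan.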

@loafoe (Member) commented Jan 19, 2023

@jdelucaa yes, this can be added here as well as a workaround. That's much simpler than trying to change the arguably invalid response from the IAM API.

@loafoe loafoe self-assigned this Jan 19, 2023
@loafoe loafoe added the bug Something isn't working label Jan 19, 2023
@loafoe (Member) commented Jan 19, 2023

@jdelucaa which version of the provider are you using? The IAM team actually released a fix for INC0080073 recently so the latest provider version should actually return 404. The setup you are describing might trigger another corner case so having as much detail as possible will help here.

@loafoe (Member) commented Jan 19, 2023

@jdelucaa also, if we returned a 404 then Terraform would mark the resource as gone and try to recreate it as part of the run, no? What about the managing ORG of this role?

@loafoe loafoe added question Further information is requested and removed bug Something isn't working labels Jan 19, 2023
@jdelucaa (Contributor, Author)

Oh, my bad, I haven't tested the latest version of the provider yet. Let me try it and get back with more details.

@jdelucaa (Contributor, Author) commented Jan 19, 2023

@loafoe never mind, it was a mistake on my end. I thought the IAM org was removed, but it is actually still there; what happened is that when they offboarded the org from the edi-platform, the automation removed the permissions our service identity had there.

Closing the issue for now, sorry for the confusion and thanks for your support 😄

@jdelucaa (Contributor, Author)

> @jdelucaa also, if we would return 404 then Terraform would mark the resource as gone and will try to recreate it as part of the run no? What about the managing ORG of this role?

Yes, you are right: in the latest version of the provider it returns a 404 and marks the resource as gone. I was using an older version. 👍
