Role read when managing_org is gone #299
Comments
@jdelucaa yes, this can be added here as well as a workaround. That's much simpler than trying to change the arguably invalid response from the IAM API
@jdelucaa which version of the provider are you using? The IAM team actually released a fix for
@jdelucaa also, if we would return
Oh, my bad, I haven't tested the latest version of the provider yet. Let me try it and get back with more details.
@loafoe never mind, it was a mistake on my end. I thought the IAM org was removed, but it is actually still there; what happened is that when they offboarded the org from the edi-platform, the automation removed the permissions our service identity had there. Closing the issue for now, sorry for the confusion and thanks for your support 😄
Yes, you are right: in the latest version of the provider it returns a 404 and it marks the resource as gone. I was using an older version. 👍
Hello 👋
We have a scenario in which we iterate through a list of IAM orgs (from edi-platform) to create some `hsdp_iam_role` resources there. When an org is removed from IAM for any reason (offboarding made by another module, edi-platform for example), the next time we run our automation, we get the following error during READ:
I think this happens because the IAM API returns a 403 Forbidden in this case, just like when the role is gone.
In this part of the code https://github.com/philips-software/terraform-provider-hsdp/blob/main/internal/services/iam/role/resource_iam_role.go#L158, if the API returns a 403, we check if it has `role.write` permission in the managing organization, which in this case will return `false`, not because it does not have write permission, but because the org is gone.
Can we do anything about it in the provider?
Thanks!
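The read-path decision discussed in this thread, as an added Go example that is not the provider's own code: a 404 marks the role as gone, while a 403 is only treated as "gone" when the caller still holds `role.write` in the managing organization. The names `classifyRead`, `ReadOutcome` and `ErrForbidden` are hypothetical, and the mapping of each case to an outcome is an assumption based on the description above.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// ReadOutcome is what a Terraform-style Read should do with the resource.
type ReadOutcome int

const (
	Keep ReadOutcome = iota // role exists: refresh state
	Gone                    // role is gone: drop it from state
	Fail                    // cannot tell: return an error, leave state untouched
)

// ErrForbidden (hypothetical) reports a 403 that cannot be attributed to a missing role.
var ErrForbidden = errors.New("IAM returned 403 and role.write is not held in the managing org")

// classifyRead (hypothetical helper) takes the HTTP status of the role GET and the
// result of the role.write permission check in the managing organization.
func classifyRead(status int, hasRoleWrite bool) (ReadOutcome, error) {
	switch {
	case status == http.StatusOK:
		return Keep, nil
	case status == http.StatusNotFound:
		return Gone, nil
	case status == http.StatusForbidden && hasRoleWrite:
		// Permission in the org is intact, so the 403 stands for a missing role.
		return Gone, nil
	case status == http.StatusForbidden:
		// Revoked permissions or a removed org: dropping state here would hide
		// the access change, so surface it to the operator instead.
		return Fail, ErrForbidden
	default:
		return Fail, fmt.Errorf("unexpected IAM status %d", status)
	}
}

func main() {
	// Constructed inputs covering the cases from the thread.
	for _, c := range []struct {
		status int
		write  bool
	}{{200, true}, {404, false}, {403, true}, {403, false}} {
		outcome, err := classifyRead(c.status, c.write)
		fmt.Printf("status=%d role.write=%v outcome=%d err=%v\n", c.status, c.write, outcome, err)
	}
}
```

Failing on the last 403 case is what surfaces a change in the service identity's permissions, where treating every 403 as "gone" would silently drop the roles from state.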