[BUG] Cannot assign new (non-existing) user to org_role on CF - BTP

[eshirke]

Is there an existing issue for this?

• I have searched the existing issues

What version of the Terraform provider are you using?

1.2.0

What version of the Terraform CLI are you using?

1.7.4

What CF API version are you using?

No response

What type of issue are you facing

bug report

Describe the bug

Could not register Role with user ID : executing POST request for /v3/roles failed: cfclient error (CF-UnprocessableEntity|10008)

Expected Behavior

Issue:
Not able to add new users as org_managers via terraform code, getting this error where as same user is getting added via BTP Cloud foundry portal manually.
 
Error Details:
Error: API Error Registering Role
with module.xxx-global-nfe-drc-nonprod-cloudfoundry.cloudfoundry_org_role.org_users["[email protected]"]
on modules/cloudfoundry/main.tf line 10, in resource "cloudfoundry_org_role" "org_users":
resource "cloudfoundry_org_role" "org_users" {
Could not register Role with user ID : executing POST request for /v3/roles failed: cfclient error (CF-UnprocessableEntity|10008): No user exists with the username '[email protected]'.

Terraform Code:
resource "cloudfoundry_org_role" "org_managers" {
for_each = toset(var.org_managers)

org = var.cloudfoundry_org_id
type = "organization_manager"
username = each.value
}

resource "cloudfoundry_org_role" "org_users" {
for_each = toset(var.org_managers)

org = var.cloudfoundry_org_id
type = "organization_user"
username = each.value
}

Steps To Reproduce

No response

Your Terraform Configuration

Roles

No response

Add screenshots to help explain your problem

No response

Additional context

No response

[vipinvkmenon]

For the cf-client/terraform provider to be able to add a user to an organisation/space in CF in BTP, the user must log in to the cf API at least once.
In BTP, please ensure that this user has logged into cf (cf login) with the specific cf API for the subaccount.

The subaccount_administrator is mapped to the org_manager of cloudfoundry in BTP. Please refer to the permissions for org_manager.

An org_manager can only assign existing users to an org/space that are onboarded to the UAA. Currently an org_manager cannot onboard new users to the UAA.

An RFC to support this feature is being discussed and can be followed here.

[lechnerc77]

@eshirke Aa you using Cloud Foundry on SAP Business Technology Platform (SAP BTP) this is probably a known limitation with regards to the handling of new Cloud Foundry org user.

If the user is brand-new, meaning that the user was never before assigned to a Cloud Foundry org in this BTP region, you will only be able to add the user to an org role via SAP BTP cockpit. The assignment is not possible via CF CLI or the Cloud Foundry provider. Once the user was once added to a CloudFoundry organization in a region via SAP BTP cockpit (which internally triggers the onboarding to CF UAA), you can add the user to other orgs via CF CLI or the Terraform provider.

You can test this be removing the user you just manually added and add it agian via Terraform which should work.

This limitation should be removed in the future, but there is no delivery date up to now.

[eshirke]

Thanks for details, can we have the links or reference details where we have listed down such limitations for Cloud Foundry on SAP Business Technology Platform (SAP BTP) management via terraform provider.