TERRA-72 ⁃ Importing existing role with no changes is showing it needs to be replaced to to a different name #152

Closed
bigjew92 opened this issue Jul 7, 2022 · 4 comments


bigjew92 commented Jul 7, 2022

Hi there,

Please provide the following details with your issue report.

Affected Resource(s)

Please list the resources as a list, for example:

  • astra_role

If this issue appears to affect multiple resources, it may be an issue with Terraform's core, so please mention this.

Terraform Configuration Files

resource "astra_role" "my_role" {
  role_name   = "role-name-removed-svc-role"
  description = "role-name-removed-svc-role"
  effect      = "allow"
  resources   = [
    "drn:astra:org:${module.astra_db.org_id}",
    "drn:astra:org:${module.astra_db.org_id}:db:${module.astra_db.database_id}",
    "drn:astra:org:${module.astra_db.org_id}:db:${module.astra_db.database_id}:keyspace:system_schema:table:*",
    "drn:astra:org:${module.astra_db.org_id}:db:${module.astra_db.database_id}:keyspace:system:table:*",
    "drn:astra:org:${module.astra_db.org_id}:db:${module.astra_db.database_id}:keyspace:system_virtual_schema:table:*",
    "drn:astra:org:${module.astra_db.org_id}:db:${module.astra_db.database_id}:keyspace:chat_dev1",
    "drn:astra:org:${module.astra_db.org_id}:db:${module.astra_db.database_id}:keyspace:chat_dev1:table:*",
    "drn:astra:org:${module.astra_db.org_id}:db:${module.astra_db.database_id}:keyspace:chat_dev2",
    "drn:astra:org:${module.astra_db.org_id}:db:${module.astra_db.database_id}:keyspace:chat_dev2:table:*"
  ]
  policy      = [
    "db-cql",
    "db-table-create",
    "db-table-modify",
    "db-table-alter",
    "db-table-describe",
    "db-table-select",
    "org-user-write",
    "org-user-read",
    "org-db-view"
  ]
}

Output From Postman

 {
    "id": "112233445566",
    "name": "role-name-removed-svc-role",
    "policy": {
        "description": "role-name-removed-svc-role",
        "resources": [
            "drn:astra:org:org-id-removed",
            "drn:astra:org:org-id-removed:db:db-id-removed",
            "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system_schema:table:*",
            "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system:table:*",
            "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system_virtual_schema:table:*",
            "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1",
            "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1:table:*",
            "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2",
            "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2:table:*"
        ],
        "actions": [
            "db-cql",
            "db-table-create",
            "db-table-modify",
            "db-table-alter",
            "db-table-describe",
            "db-table-select",
            "org-user-write",
            "org-user-read",
            "org-db-view"
        ],
        "effect": "allow"
    },
    "last_update_date_time": "0001-01-01T00:00:00Z",
    "last_update_user_id": ""
},

Expected Behavior

After getting the structure from Postman, I have recreated the role within terraform. I would expect there to be no changes to the infrastructure. I understand that the role_name changing will force a replacement, however, I have confirmed that the role_name has not changed. The same role_name that is being output by a Postman call is being used within the resource creation.

Actual Behavior

After importing the resource, a subsequent plan is showing that the resource needs to be recreated because the name is changing. The name is not changing, it is a copy and paste from the Postman output.

terraform plan/import/plan

> terraform plan      
An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # astra_role.my_role_role will be created
  + resource "astra_role" "my_role" {
      + description = "role-name-removed-svc-role"
      + effect      = "allow"
      + id          = (known after apply)
      + policy      = [
          + "db-cql",
          + "db-table-create",
          + "db-table-modify",
          + "db-table-alter",
          + "db-table-describe",
          + "db-table-select",
          + "org-user-write",
          + "org-user-read",
          + "org-db-view",
        ]
      + resources   = [
          + "drn:astra:org:org-id-removed",
          + "drn:astra:org:org-id-removed:db:db-id-removed",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system_schema:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system_virtual_schema:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2:table:*",
        ]
      + role_id     = (known after apply)
      + role_name   = "role-name-removed-svc-role"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.
> terraform import 'astra_role.my_role_role' 112233445566
astra_role.my_role_role: Importing from ID "112233445566"...
astra_role.my_role_role: Import prepared!
  Prepared astra_role for import
astra_role.my_role_role: Refreshing state... [id=112233445566]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
> terraform plan
astra_role.my_role_role: Refreshing state... [id=112233445566]

An execution plan has been generated and is shown below.
Resource actions are indicated with the following symbols:
-/+ destroy and then create replacement

Terraform will perform the following actions:

  # astra_role.my_role_role must be replaced
-/+ resource "astra_role" "my_role_role" {
      + description = "role-name-removed-svc-role"
      + effect      = "allow"
      ~ id          = "112233445566" -> (known after apply)
      + policy      = [
          + "db-cql",
          + "db-table-create",
          + "db-table-modify",
          + "db-table-alter",
          + "db-table-describe",
          + "db-table-select",
          + "org-user-write",
          + "org-user-read",
          + "org-db-view",
        ]
      + resources   = [
          + "drn:astra:org:org-id-removed",
          + "drn:astra:org:org-id-removed:db:db-id-removed",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system_schema:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:system_virtual_schema:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev1:table:*",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2",
          + "drn:astra:org:org-id-removed:db:db-id-removed:keyspace:chat_dev2:table:*",
        ]
      ~ role_id     = "112233445566" -> (known after apply)
      + role_name   = "role-name-removed-svc-role" # forces replacement
    }

Plan: 1 to add, 0 to change, 1 to destroy.

------------------------------------------------------------------------

Note: You didn't specify an "-out" parameter to save this plan, so Terraform
can't guarantee that exactly these actions will be performed if
"terraform apply" is subsequently run.

┆Issue is synchronized with this Jira Task by Unito
┆friendlyId: TERRA-72
┆priority: Major

@sync-by-unito sync-by-unito bot changed the title Importing existing role with no changes is showing it needs to be replaced to to a different name TERRA-72 ⁃ Importing existing role with no changes is showing it needs to be replaced to to a different name Jul 7, 2022
@emerkle826
Contributor

@bigjew92 I'm not able to reproduce this. I have some existing roles in my organization and I was able to do a terraform import as you describe and the resource is successfully imported. A follow-up with terraform plan doesn't show any changes that need to be made.

I'm assuming you are using the latest v2.1.2 of the provider. If not, can you let me know which version?
Also, can you let me know if the Astra token you are using is associated with the Organization Administrator role? If not, what role/role permissions does your token have?

The reason I ask about the token you are using is because of the issue described in #101. That issue is still open as the DevOps API still doesn't allow you to list a specific role without elevated permissions (even though you can use a role without them to create a role and list all roles).

@bigjew92
Author

bigjew92 commented Jul 8, 2022

@emerkle826 Thanks for checking. I'm not sure why this was happening multiple times, but trying this morning with v2.1.2, it works with no changes to my code or token I am using. I believe my token is for Admin User. In any case, I was able to import and run another plan and see no changes. Will close this as it does not seem to be an issue anymore. Thank you again!

@bigjew92 bigjew92 closed this as completed Jul 8, 2022
@emerkle826
Contributor

Thanks for replying back. This might have been an issue prior to v2.1.1 as I fixed a few things around roles in that version.

@bigjew92
Author

bigjew92 commented Jul 8, 2022

I believe last I checked was possibly v2.1.0-rc9, so definitely possible!
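
A CI-style check for the symptom in the post-import plan above, as an added example that is not part of the thread or the provider's code: every argument there is rendered with `+`, meaning the imported state held null for it, and `role_name` then forces replacement. The script reads the JSON form of a plan (`terraform show -json`) and flags guarded resources that would be replaced because of attributes the state never contained. The sample plan is constructed from the redacted values in the issue, and `audit_replacements` and `guarded_types` are hypothetical names.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>`;
# values mirror the redacted plan in the issue, not a real capture.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "astra_role.my_role_role",
    "type": "astra_role",
    "change": {
        "actions": ["delete", "create"],
        "before": {"id": "112233445566", "role_id": "112233445566",
                   "role_name": None, "description": None,
                   "effect": None, "policy": None, "resources": None},
        "after": {"role_name": "role-name-removed-svc-role",
                  "description": "role-name-removed-svc-role",
                  "effect": "allow",
                  "policy": ["db-cql", "org-db-view"],
                  "resources": ["drn:astra:org:org-id-removed"]},
        "replace_paths": [["role_name"]],
    },
}]})

def audit_replacements(plan_json, guarded_types=("astra_role",)):
    """Return one finding per guarded resource the plan would replace."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if rc.get("type") not in guarded_types:
            continue
        if "delete" not in actions or "create" not in actions:
            continue  # not a replacement
        before = change.get("before") or {}
        after = change.get("after") or {}
        # Arguments the config sets but the refreshed state holds as null:
        # these are the "+" lines in the rendered plan.
        unread = sorted(k for k, v in after.items()
                        if v is not None and before.get(k) is None)
        forced = [".".join(map(str, p))
                  for p in change.get("replace_paths", [])]
        findings.append({
            "address": rc["address"],
            "forced_by": forced,
            "null_in_state": unread,
            # Replacement forced only by fields the state never had suggests
            # the read after import returned nothing, not a config change.
            "empty_read": bool(forced) and set(forced) <= set(unread),
        })
    return findings

if __name__ == "__main__":
    for finding in audit_replacements(SAMPLE_PLAN):
        print(finding)
```

A finding with `empty_read` set is a reason to stop before `terraform apply` and check the provider version and the token's role, the two things asked about in the reply above.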
