Allow for graceful handling of errored users within users data source #256
Conversation
|
Hi @patrickmarabeas, thanks for this change suggestion. I'm looking to add similar functionality to the |
|
@manicminer that data source would also need to be uplifted to gracefully fail when a user being queried returns an error. I'm certainly happy to expand the scope of this PR to provide graceful failure to multiple data sources, but would like to confirm the approach before spending the time. |
|
@patrickmarabeas thanks for replying, I got mixed up and see now your change is quite different - sorry about that. If I'm honest, I'm not sure we should enable that behavior in a data source as it abstracts from API semantics and may arguably go against provider design principles. However, if we did enable this, I also don't think we could implement it reliably. There are cases where the API returns 404 for a resource that does or should exist - due to replication delays or other circumstances. In such events, we couldn't distinguish between a genuine error and one the operator wishes to ignore. |
|
@manicminer We are simply looking for graceful failure - regardless of the error. A renaming of the parameters would probably help this intent. But basically, if you opt into graceful failure you are expecting this result. This is certainly not something that should be enabled by default. In our case, we are looking for accounts to be gracefully and automatically removed from teams if the user data source returns an error. On/off-boarding of accounts in AzureAD is disconnected from the management of teams and we are looking to solve the blocker of Terraform failing when accounts no longer exist. We were hoping that accounts were simply being disabled (which we can check for via the |
|
@patrickmarabeas it's worth mentioning there's a couple of conventions in Terraform for Data Sources:
As such in this instance I'm wondering if the Whilst we've (unintentionally) had some Data Sources in the past which didn't raise an error when the resource wasn't found - we ended up reverting these to bring this into line with Terraform, as such I think we'd be better to add this to the Plural Data Source here rather than the Singular. What do you think? :) |
|
@tombuildsstuff I'm happy with this approach. I will migrate the changes across to the |
|
@patrickmarabeas to match the behaviour of the rest of Terraform, we'd still need this to error if no accounts are returned from the |
|
Yes, the accounts are being deleted. Disabled filtering is something that can be performed by the implementor. Having thought on it, the behaviour of an error when no users are returned makes sense - as the group would have no members. Probably a worthy time to call it out. I will follow this logic. EDIT: Looking at the Additional params to add:
|
patrickmarabeas
force-pushed
the
user-graceful-error
branch
from
a014fc9 to
9c3f091
Compare
|
|
patrickmarabeas
changed the title
There was a problem hiding this comment.
Hi @patrickmarabeas, many thanks, this looks great! I've added inline comments for some small changes, and a question on sanity checking the API response.
patrickmarabeas
force-pushed
the
user-graceful-error
branch
from
9c3f091 to
fd6eb9e
Compare
|
Changes have been amended and branch rebased. |
There was a problem hiding this comment.
@patrickmarabeas This is looking great. Sorry but an omission on my part - we'll need some additional test coverage for the case of ignore_missing = true and one user out of say 3 being omitted from the result. I'm happy to add this if you can give me contributor push access to your branch, else feel free to do so :)
patrickmarabeas
force-pushed
the
user-graceful-error
branch
from
a2b9612 to
58585ab
Compare
|
@manicminer I don't have anyway to run the tests, so if you could do this that would be fantastic. I've given you collaborator access on my fork. |
manicminer
force-pushed
the
user-graceful-error
branch
from
58585ab to
965cd7c
Compare
|
I've rebased and added a test for the Since I've touched the code, I'm opening for review from another contributor :) |
manicminer
force-pushed
the
user-graceful-error
branch
from
965cd7c to
a0b0158
Compare
* Add graceful_errors parameter to allow user lookup to gracefully fail. This allows only users which were successfully looked up to return. The data source will still result in an error if no users were returned. * Add users parameter - an array of users which mirrors that of the user data source. This allows for additional validation of users - such as checking whether the account is enabled. * Documentation updated to include the two new parameters.
…s, clean up error messages
manicminer
force-pushed
the
user-graceful-error
branch
from
a0b0158 to
6e9f0c9
Compare
|
Getting an error when testing this now. Which is this block: |
|
@patrickmarabeas Can you share configuration that reproduces the panic? Tests seem to work for me. |
|
I found the issue, will work up a fix shortly. |
|
@patrickmarabeas this should fix it: #289 Thanks for testing and reporting! |
|
This has been released in version 0.11.0 of the provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading. As an example: provider "azuread" {
version = "~> 0.11.0"
}
# ... other configuration ... |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you feel this issue should be reopened, we encourage creating a new issue linking back to this one for added context. If you feel I made an error 🤖 🙉 , please reach out to my human friends 👉 [email protected]. Thanks! |
ghost
locked and limited conversation to collaborators
Return all user data in
usersparameter araydata source. This allows for additional validation of users - such as
checking whether the account is enabled.
Allow user lookup to gracefully fail
This allows only users which were successfully looked up to return. The
data source will still result in an error if no users were returned.
Documentation updated to include the two new parameters.
Add missing MailNickname validation logic