Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

backend_roles and and_backend_roles - https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/roles_mapping[BUG] #156

Open
kcorelight opened this issue Feb 5, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@kcorelight
Copy link

kcorelight commented Feb 5, 2024

What is the bug?

When I try to apply this resource, this is removing existing security users.
So, no user has permission to update the role with additional users

I am trying the differences between backend_roles and and_backend_roles. The documentation is not clear
https://registry.terraform.io/providers/phillbaker/elasticsearch/latest/docs/resources/opensearch_roles_mapping

How can one reproduce the bug?

resource "opensearch_roles_mapping" "security_manager_mapping" {
role_name = "security_manager"
description = "Mapping AWS IAM roles to ES role"
backend_roles = concat(var.security_access_roles, [var.saml_master_backend_role])
}

Here var.saml_master_backend_role already has security manager permissions. But, still I see the following error


│ Error: elastic: Error 403 (Forbidden)

│ with module.opensearch_logs_saml[0].opensearch_roles_mapping.security_manager_mapping,
│ on ../../../modules/common/opensearch_saml/roles_mapping.tf line 15, in resource "opensearch_roles_mapping" "security_manager_mapping":
│ 15: resource "opensearch_roles_mapping" "security_manager_mapping" {


[root@a044c3c081a3 NorthAmerica]#

What is the expected behavior?

The expected behavior is that, additional backend roles will be mapped to this opensearch role

What is your host/environment?

All OS

Do you have any screenshots?


│ Error: elastic: Error 403 (Forbidden)

│ with module.opensearch_logs_saml[0].opensearch_roles_mapping.security_manager_mapping,
│ on ../../../modules/common/opensearch_saml/roles_mapping.tf line 15, in resource "opensearch_roles_mapping" "security_manager_mapping":
│ 15: resource "opensearch_roles_mapping" "security_manager_mapping" {


[root@a044c3c081a3 NorthAmerica]#

Do you have any additional context?

Add any other context about the problem.

@prudhvigodithi
Copy link
Member

prudhvigodithi commented Feb 13, 2024

[Triage]
Thanks @kcorelight Looks similar #153, #158 .

Adding @rblcoder @bbarani

@rblcoder
Copy link
Collaborator

@kcorelight https://github.com/opensearch-project/terraform-provider-opensearch/blob/main/provider/resource_opensearch_roles_mapping.go is calling _plugins/_security/api/rolesmapping/

PUT _plugins/_security/api/rolesmapping/ will replace the existing role mapping, right?
(https://opensearch.slack.com/archives/D060NNV468H/p1707909374961869)
You would also need to specify any existing users and backend_roles for the role mapping in the terraform code itself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
bug Something isn't working
Projects
Status: 📦 Backlog
Development

No branches or pull requests

3 participants