[Bug] Changing role_descriptors in elasticstack_elasticsearch_security_api_key forces #793

Closed
Davasny opened this issue Sep 24, 2024 · 1 comment · Fixed by #843
Labels
bug Something isn't working

Davasny commented Sep 24, 2024

Describe the bug
Changing the value of role_descriptors forces API key replacement.
Editing API key roles via Kibana doesn't change the API key value.

To Reproduce

  1. Create api key with some role descriptor

resource "elasticstack_elasticsearch_security_api_key" "test" {
  name = "test"

  role_descriptors = jsonencode({
    read_only = {
      indices = [
        {
          names = ["*"],
          privileges = ["read", "view_index_metadata"]
          allow_restricted_indices = false
        }
      ]
    }
  })
}

  2. terraform apply

  3. Change this role to anything else, I removed view_index_metadata in the following example

resource "elasticstack_elasticsearch_security_api_key" "test" {
  name = "test"

  role_descriptors = jsonencode({
    read_only = {
      indices = [
        {
          names = ["*"],
          privileges = ["read"]
          allow_restricted_indices = false
        }
      ]
    }
  })
}

  4. terraform apply will show "forces replacement"

Terraform will perform the following actions:

  # elasticstack_elasticsearch_security_api_key.test must be replaced
-/+ resource "elasticstack_elasticsearch_security_api_key" "test" {
      ~ api_key              = (sensitive value)
      ~ encoded              = (sensitive value)
      ~ expiration_timestamp = 0 -> (known after apply)
      ~ id                   = "BqFsxqFzRn--CUY9V3wk7w/FlCVI5IBVbU1E1HFWlqk" -> (known after apply)
      ~ metadata             = jsonencode({}) -> (known after apply)
        name                 = "test"
      ~ role_descriptors     = jsonencode(
          ~ {
              ~ read_only = {
                  ~ indices = [
                      ~ {
                          ~ privileges               = [
                                "read",
                              - "view_index_metadata",
                            ]
                            # (2 unchanged attributes hidden)
                        },
                    ]
                }
            } # forces replacement
        )
        # (1 unchanged attribute hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.

Expected behavior
I expect the Terraform module to only update the role descriptor, the same way Kibana does.

Debug output
N/A

Screenshots
N/A

Versions (please complete the following information):

  • OS: macOS 15
  • Terraform 1.8.0
  • provider registry.terraform.io/elastic/elasticstack v0.11.7
  • Elasticsearch 8.14.3

Additional context
N/A

@Davasny Davasny added the bug Something isn't working label Sep 24, 2024
@leandrocarneiro01

I have a customer with this issue.

They work around this issue by adding cluster = ["<cluster>"] to their code.

I couldn't reproduce this issue, though.
