
IAM - opentelekomcloud_identity_role_v3 - Did no "Update" check #2411

Open
uli-max opened this issue Jan 15, 2024 · 2 comments
Labels
otc-issue Blocked by OTC issues

Comments


uli-max commented Jan 15, 2024

Once an IAM role/permission is successfully created via Terraform and is part of the tf-state, during an update of the role/permission set there is no longer a check of whether the submitted role is valid.

Terraform provider version

yes
Terraform v1.5.4
on darwin_arm64

  • provider registry.terraform.io/hashicorp/random v3.6.0
  • provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.35.15

Affected Resource(s)

opentelekomcloud_identity_role_v3

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key.

resource "opentelekomcloud_identity_role_v3" "iam_cp_role_custom_dump_role" {
  description   = local.iam_cp_custom_dump_role_description
  display_name  = local.iam_cp_custom_dump_role_name
  display_layer = local.iam_cp_custom_dump_role_display_layer
  statement {
    effect = "Allow"
    action = [
      "DDS:*:list",
      "DDS:*:get",
      # "DDS:bla:bla",
      "DDS:instance:resetPasswd",
      "DDS:instance:modifyBackupPolicy",
    ]
    resource = ["*"]
  }
}

Debug Output/Panic Output

Expected and valid error message:


│ Error: error creating custom role: Bad request with: [POST https://iam.eu-de.otc.t-systems.com/v3.0/OS-ROLE/roles], error message: {"error":{"message":"Role policy format invalid! Action 'DDS:*:get' not registered!","code":400,"title":"Bad Request"}}

│ with opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role,
│ on tf_A070_99_IAM_Policies_DumpRole.tf line 26, in resource "opentelekomcloud_identity_role_v3" "iam_cp_role_custom_dump_role":
│ 26: resource "opentelekomcloud_identity_role_v3" "iam_cp_role_custom_dump_role" {

Steps to Reproduce

  1. Run terraform apply and see the error message.
  2. Comment out the "invalid" rule for "DDS:*:get".
  3. Run terraform apply again.
  4. Check the tf result:
    opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role: Creating...
    opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role: Creation complete after 1s [id=ee0c35d9f7434e7682f01cfd32716e9a]

    Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

  5. Check the role in the UI ...
  6. Uncomment the "invalid" rule for "DDS:*:get" in your tf-code.
  7. Run terraform apply again.
  8. Result:

  # opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role will be updated in-place
  ~ resource "opentelekomcloud_identity_role_v3" "iam_cp_role_custom_dump_role" {
        id   = "ee0c35d9f7434e7682f01cfd32716e9a"
        name = "custom_a6997651920947dab24f20a1f8186c00_5"
        # (5 unchanged attributes hidden)

      ~ statement {
          ~ action   = [
                "DDS:*:list",
              + "DDS:*:get",
                "DDS:instance:resetPasswd",
                # (1 unchanged element hidden)
            ]
            # (2 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role: Modifying... [id=ee0c35d9f7434e7682f01cfd32716e9a]
opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role: Modifications complete after 1s [id=ee0c35d9f7434e7682f01cfd32716e9a]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

  9. Check again in the UI. The wrong rule is displayed and active. Modification in the UI is not possible.
  10. You can also do the same with the nonsense rule "DDS:bla:bla":

  # opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role will be updated in-place
  ~ resource "opentelekomcloud_identity_role_v3" "iam_cp_role_custom_dump_role" {
        id   = "ee0c35d9f7434e7682f01cfd32716e9a"
        name = "custom_a6997651920947dab24f20a1f8186c00_5"
        # (5 unchanged attributes hidden)

      ~ statement {
          ~ action   = [
                # (1 unchanged element hidden)
                "DDS:*:get",
              + "DDS:bla:bla",
                "DDS:instance:resetPasswd",
                # (1 unchanged element hidden)
            ]
            # (2 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role: Modifying... [id=ee0c35d9f7434e7682f01cfd32716e9a]
opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role: Modifications complete after 0s [id=ee0c35d9f7434e7682f01cfd32716e9a]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed

No check of the validity of the rule happens.

Expected Behavior

The provider should check the validity of the updated rule, even if a state for the rule exists.

Actual Behavior

Invalid rules/permission sets will be deployed to IAM.

Important Factoids

References
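Since the update path relies on the IAM API to reject unregistered actions (and, as reported above, it does not), one defensive option is a pre-apply check over the plan that validates every action string of an opentelekomcloud_identity_role_v3 resource against a list of registered actions. The following is an added example, not code from the issue or from the provider; the registered-action set and the plan JSON are constructed samples (the real action catalogue comes from the OTC IAM service), and the plan structure follows `terraform show -json`.

```python
import json

# Constructed sample of registered DDS actions (assumption: the real
# catalogue must be exported from the IAM service; it is not in the issue).
REGISTERED_ACTIONS = {
    "DDS:instance:list", "DDS:instance:create", "DDS:instance:resetPasswd",
    "DDS:instance:modifyBackupPolicy", "DDS:backup:list",
}

def action_is_registered(action: str, registry=REGISTERED_ACTIONS) -> bool:
    """An action must be Service:ResourceType:Operation; a '*' segment is a
    wildcard, so the pattern is valid only if it resolves to at least one
    registered action (this is why 'DDS:*:list' passes and 'DDS:*:get' fails)."""
    parts = action.split(":")
    if len(parts) != 3 or any(p == "" for p in parts):
        return False  # malformed, e.g. "DDS::list"
    for reg in registry:
        if all(p in ("*", r) for p, r in zip(parts, reg.split(":"))):
            return True
    return False

def invalid_actions_in_plan(plan_json: str, registry=REGISTERED_ACTIONS) -> dict:
    """Return {resource address: [unregistered actions]} for every planned
    create or update of an opentelekomcloud_identity_role_v3 resource."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "opentelekomcloud_identity_role_v3":
            continue
        if not {"create", "update"} & set(change.get("actions", [])):
            continue  # deletes and no-ops never send a policy body
        after = change.get("after") or {}
        bad = [a for st in after.get("statement", [])
               for a in st.get("action", []) if not action_is_registered(a, registry)]
        if bad:
            findings[rc["address"]] = bad
    return findings

# Constructed plan fragment mirroring the in-place update from the issue.
SAMPLE_PLAN = json.dumps({"resource_changes": [{
    "address": "opentelekomcloud_identity_role_v3.iam_cp_role_custom_dump_role",
    "type": "opentelekomcloud_identity_role_v3",
    "change": {"actions": ["update"], "after": {"statement": [{
        "effect": "Allow", "resource": ["*"],
        "action": ["DDS:*:list", "DDS:*:get", "DDS:bla:bla",
                   "DDS:instance:resetPasswd", "DDS:instance:modifyBackupPolicy"]}]}}}]})

if __name__ == "__main__":
    for addr, bad in invalid_actions_in_plan(SAMPLE_PLAN).items():
        print(f"{addr}: unregistered actions {bad}")
```

In CI the same check runs on `terraform show -json tfplan` output and fails the pipeline before apply, so an invalid action is caught regardless of whether the provider takes the create or the update path.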

@artem-lifshits (Member)

Hello @uli-max, so if I understand correctly, the invalid request is sent but the server still processes it?
This is an API flaw, and a ticket should be opened for the OTC QA and support team.

From my point of view, trying to fix API flaws on the provider side is the wrong way to go. Any API change can result in needed changes on the provider side, and all the implemented "crutches" that make the provider work would break the service.

Besides that, IAM policy actions are different for each OTC service. For example, gaussdb has 104 custom policies, for which validations have to be implemented manually. They also have to be verified against the IAM service regularly on our side, because IAM is updated frequently (new services / old service features).

@artem-lifshits artem-lifshits added the otc-issue Blocked by OTC issues label Jan 15, 2024