Data resource uses v3 API endpoint instead of v3.0 to get MFA device information #2506

Closed
bascht opened this issue May 16, 2024 · 2 comments

bascht commented May 16, 2024

Terraform provider version

Terraform v1.6.2
on linux_amd64
+ provider registry.terraform.io/opentelekomcloud/opentelekomcloud v1.36.8

Affected Resource(s)

  • opentelekomcloud_identity_user_v3

Terraform Configuration Files

data "opentelekomcloud_identity_user_v3" "user" {
  name = "my-user-name"
}

Debug Output/Panic Output

Accessing data.opentelekomcloud_identity_user_v3.user.mfa_device will always yield an empty string, even if the user has their MFA device set up.

Steps to Reproduce

  • Set up a virtual MFA for the user via their Console login
  • Terraform plan and try to access the mfa_device attribute

Expected Behavior

The data attribute should be set to a valid serial number like

iam:(domain-id):mfa/(iam-user-id)

Actual Behavior

  • The data resource will always return an empty string ''.

Important Factoids

According to the provider's code, this will happen when the API returns a 404:

log.Printf("[DEBUG] Single user found: %s", user.ID)
d.SetId(user.ID)
mErr := multierror.Append(
	d.Set("domain_id", user.DomainID),
	d.Set("enabled", user.Enabled),
	d.Set("name", user.Name),
	d.Set("password_expires_at", user.PasswordExpiresAt.Format(time.RFC3339)),
)
mfa, err := security.GetUserMfaDevice(client, user.ID)
switch err.(type) {
case golangsdk.ErrDefault403:
	log.Printf("[DEBUG] Security administrator permissions needed to set MFA")
case nil, golangsdk.ErrDefault404:
	if mfa == nil {
		mErr = multierror.Append(mErr, d.Set("mfa_device", ""))
	} else {
		mErr = multierror.Append(mErr, d.Set("mfa_device", mfa.SerialNumber))
	}
default:
	log.Printf("[DEBUG] Error getting MFA info: %v", err.Error())
}

So, I checked the underlying API, where at least the docs claim that the call goes to /v3.0/OS-MFA/users/{user_id}/virtual-mfa-device:

https://github.com/opentelekomcloud/gophertelekomcloud/blob/devel/openstack/identity/v3.0/security/GetUserMfaDevice.go#L9

But if I trace the terraform plan run with OS_DEBUG turned on, I can see that the provider is trying to reach the v3 endpoint (user id redacted):

2024-05-16T13:59:24.857+0200 [INFO]  provider.terraform-provider-opentelekomcloud_v1.36.8: 2024/05/16 13:59:24 [DEBUG] OpenTelekomCloud Request URL: GET https://iam.eu-de.otc.t-systems.com/v3/OS-MFA/users/…/virtual-mfa-device: timestamp="2024-05-16T13:59:24.857+0200"

Is this something that can be configured per resource or something that needs to be fixed by the Terraform provider itself?

Let me know if I can supply more logs or debug output.
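An added example, not part of the original issue and not the provider's or SDK's code: a local mock server that only routes the v3.0 MFA path shows how mapping a 404 to an empty `mfa_device` makes a wrong endpoint look like a user without MFA. The helpers `newMockIAM` and `lookupMFA`, the response body shape, and the IDs are assumptions constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newMockIAM is a constructed stand-in for the IAM API: only the v3.0 MFA
// route exists, so any /v3/... request gets a 404. Body shape is assumed.
func newMockIAM(userID, serial string) *httptest.Server {
	mux := http.NewServeMux()
	mux.HandleFunc("/v3.0/OS-MFA/users/"+userID+"/virtual-mfa-device",
		func(w http.ResponseWriter, _ *http.Request) {
			fmt.Fprintf(w, `{"virtual_mfa_device":{"serial_number":%q}}`, serial)
		})
	return httptest.NewServer(mux)
}

// lookupMFA (hypothetical helper) queries the given API version. strict=false
// mirrors the quoted handling: 404 means "no device". strict=true errors instead.
func lookupMFA(base, version, userID string, strict bool) (string, error) {
	resp, err := http.Get(fmt.Sprintf("%s/%s/OS-MFA/users/%s/virtual-mfa-device", base, version, userID))
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	if resp.StatusCode == http.StatusNotFound && !strict {
		return "", nil // wrong path and "no MFA" are now indistinguishable
	}
	if resp.StatusCode != http.StatusOK {
		return "", fmt.Errorf("%s endpoint: unexpected status %d", version, resp.StatusCode)
	}
	var body struct {
		Device struct{ SerialNumber string `json:"serial_number"` } `json:"virtual_mfa_device"`
	}
	err = json.NewDecoder(resp.Body).Decode(&body)
	return body.Device.SerialNumber, err
}

func main() {
	srv := newMockIAM("u-123", "iam:d-1:mfa/u-123") // constructed IDs
	defer srv.Close()
	for _, v := range []string{"v3", "v3.0"} {
		s, err := lookupMFA(srv.URL, v, "u-123", false)
		_, strictErr := lookupMFA(srv.URL, v, "u-123", true)
		fmt.Printf("%-4s lenient=(%q, %v) strictErr=%v\n", v, s, err, strictErr)
	}
}
```

In strict mode every 404 is reported as an error, so a caller auditing MFA enrollment sees "unknown" rather than a false "no device".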

otc-zuul bot pushed a commit that referenced this issue May 17, 2024
[IAM]: user data source MFA fix

Summary of the Pull Request
Fix MFA API endpoint.
PR Checklist

 Refers to: #2506
 Tests added/passed.
 Documentation updated.
 Schema updated.
 Release notes added.

Acceptance Steps Performed

Reviewed-by: Anton Sidelnikov
@artem-lifshits

@bascht please check latest release.


bascht commented May 22, 2024

@artem-lifshits thanks for the quick reaction! Tested this on 1.36.9 and can confirm that the data resource now works as advertised! ✨

bascht closed this as completed May 22, 2024