Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

backend_roles and and_backend_roles - https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/roles_mapping[BUG] #156

Open
kcorelight opened this issue Feb 5, 2024 · 2 comments
Open

backend_roles and and_backend_roles - https://registry.terraform.io/providers/opensearch-project/opensearch/latest/docs/resources/roles_mapping[BUG] #156

kcorelight opened this issue Feb 5, 2024 · 2 comments
Labels
bug Something isn't working

Comments

@kcorelight
Copy link

kcorelight commented Feb 5, 2024
edited
Loading

What is the bug?

When I try to apply this resource, this is removing existing security users.
So, no user has permission to update the role with additional users

I am trying the differences between backend_roles and and_backend_roles. The documentation is not clear
https://registry.terraform.io/providers/phillbaker/elasticsearch/latest/docs/resources/opensearch_roles_mapping

How can one reproduce the bug?

resource "opensearch_roles_mapping" "security_manager_mapping" {
role_name = "security_manager"
description = "Mapping AWS IAM roles to ES role"
backend_roles = concat(var.security_access_roles, [var.saml_master_backend_role])
}

Here var.saml_master_backend_role already has security manager permissions. But, still I see the following error


│ Error: elastic: Error 403 (Forbidden)

│ with module.opensearch_logs_saml[0].opensearch_roles_mapping.security_manager_mapping,
│ on ../../../modules/common/opensearch_saml/roles_mapping.tf line 15, in resource "opensearch_roles_mapping" "security_manager_mapping":
│ 15: resource "opensearch_roles_mapping" "security_manager_mapping" {


[root@a044c3c081a3 NorthAmerica]#

What is the expected behavior?

The expected behavior is that, additional backend roles will be mapped to this opensearch role

What is your host/environment?

All OS

Do you have any screenshots?


│ Error: elastic: Error 403 (Forbidden)

│ with module.opensearch_logs_saml[0].opensearch_roles_mapping.security_manager_mapping,
│ on ../../../modules/common/opensearch_saml/roles_mapping.tf line 15, in resource "opensearch_roles_mapping" "security_manager_mapping":
│ 15: resource "opensearch_roles_mapping" "security_manager_mapping" {


[root@a044c3c081a3 NorthAmerica]#

Do you have any additional context?

Add any other context about the problem.
@kcorelight kcorelight added bug Something isn't working untriaged labels Feb 5, 2024
@prudhvigodithi prudhvigodithi mentioned this issue Feb 13, 2024
Closed
@prudhvigodithi
Copy link
Collaborator

prudhvigodithi commented Feb 13, 2024
edited
Loading

[Triage]
Thanks @kcorelight Looks similar #153, #158 .

Adding @rblcoder @bbarani

@prudhvigodithi prudhvigodithi mentioned this issue Feb 13, 2024
Open
@rblcoder
Copy link
Collaborator

@kcorelight https://github.com/opensearch-project/terraform-provider-opensearch/blob/main/provider/resource_opensearch_roles_mapping.go is calling _plugins/_security/api/rolesmapping/

PUT _plugins/_security/api/rolesmapping/ will replace the existing role mapping, right?
(https://opensearch.slack.com/archives/D060NNV468H/p1707909374961869)
You would also need to specify any existing users and backend_roles for the role mapping in the terraform code itself.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
Engineering Effectiveness Board
Status: Backlog
Milestone
No milestone
Development

No branches or pull requests
3 participants
@prudhvigodithi @rblcoder @kcorelight