This repository has been archived by the owner on Jun 4, 2024. It is now read-only.

Terraform issues #202

Closed
5 tasks done
klizhentas opened this issue Mar 29, 2021 · 4 comments

@klizhentas
Contributor

klizhentas commented Mar 29, 2021

  • Terraform enters broken state if resource removed

If someone removes a user managed by Terraform state, the plugin enters an error state:

teleport_user.example: Refreshing state... [id=Foo]

Error: user "Foo" is not found

It's OK to return an error, but we need an explainer for the user on what to do then.
Or, implement autorecovery logic.

  • Can create resource, but not update if missing Kind

Create a user from your example:

resource "teleport_user" "example" {
  metadata {
    name        = "Foo"
    description = "Bar"
    labels = {
      test = "true"
    }
  }
  spec {
    roles = ["admin"]
  }
}

Run terraform apply twice

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

teleport_user.tf_test: Modifying... [id=test]

Error: user kind is not set

  on main.tf line 17, in resource "teleport_user" "tf_test":
  17: resource "teleport_user" "tf_test" {

  • Update getting started doc with role example and retest against latest branch/v6 (We have merged all methods)

  • When creating a role with insufficient resources, the error message is not great

  • Add missing resources backported into branch/v6

@klizhentas klizhentas changed the title How to recover from state drift? Terraform issues Mar 29, 2021
@klizhentas
Contributor Author

klizhentas commented Mar 30, 2021

  1. “Terraform enters broken state if resource removed”.
    If I use a user who has no rights to perform a specific action, instead of a meaningful message I get:
    “Error: not found”
    At the same time, if I forget to add permissions on some resources for this user, I get the same error.
    I expect to get something like “User %u has no permissions to perform CreateUser” with 403 in case I have no permissions, and 404 in case I try to access a resource which does not exist but which I have rights to operate on.
    That is very confusing, because I need to distinguish the “no access” and “does not exist” situations in order to make the Terraform provider work correctly with resources deleted outside Terraform (see https://github.com/hashicorp/terraform-provider-aws/blob/main/aws/resource_aws_cloudformation_stack_set_instance.go#L192; I need to know for sure that a resource is missing in the same situation on my side).
    See GRPC API error handling is wrong teleport#6225, last point. It is blocking me.

  2. “Can create resource, but not update if missing Kind”
    Problem:
    Suppose kind, sub_kind and metadata.namespace are not specified in the Terraform config. Once the Terraform config is applied and the objects are created in Teleport, those fields get default values on the Teleport side. After creation, the object is read from the Teleport API and its actual state goes to .tfstate. The next apply compares .tfstate and the resource definition in .tf, finds that kind is set in .tfstate but missing in the resource definition, and tries to update the resource and nullify kind. It fails because kind can’t be empty.
    Possible solutions:

    a. (implemented) kind, subkind and version are marked as computed. They now exist in Terraform status, can be referenced, but can’t be set. This solves the problem with changes, but makes these fields read-only.
    b. Mark these fields as required on the Terraform side, and optionally assign default values. This would be better, but in an ideal world we need to somehow sync the default values (assigning them in the proto definition would be the best way).

  3. “Create role with insufficient resources, the error message is not great”
    I made error messages a bit better. To solve this completely, we need to fix this: GRPC API error handling is wrong teleport#6225

  4. “Add missing resources backported into branch/v6”
    Added GithubConnectorV3, adding other resources in progress.

  5. How would we deal with Teleport resource versions? Different resource versions might have different structure (hence, different schemas). So, wouldn’t it be reasonable to rename the “teleport_user” resource to “teleport_user_v2” to distinguish resource versions on the provider side? @sasha

@klizhentas
Contributor Author

  1. I agree that we should fix the error code
  2a. I agree, that is the best
  3. OK
  4. OK
  5. No need to do anything specific

@gzigzigzeo
Contributor

Btw, regarding your #1: deep in the Terraform docs, I've found a paragraph saying that in this case graceful auto recovery must be implemented. So, resources deleted outside Terraform should be marked as deleted by Terraform. Will implement this behaviour, but it kind of relies on error codes :-)
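The recovery rule described above, as an added Go example (not the provider's or Teleport's own code): the resource Read treats a NotFound status as "resource gone, drop it from state" so the next apply re-creates it, and surfaces PermissionDenied instead of conflating the two, which is exactly why it depends on correct error codes. The client, error type and user struct are constructed stand-ins; only the status code values mirror google.golang.org/grpc/codes.

```go
package main

import (
	"errors"
	"fmt"
)

// Code stands in for a gRPC status code; values match google.golang.org/grpc/codes.
type Code int
const (
	NotFound         Code = 5
	PermissionDenied Code = 7
)

// APIError is a hypothetical error type carrying that code.
type APIError struct{ Code Code }
func (e *APIError) Error() string { return fmt.Sprintf("api error code %d", e.Code) }

// User is a minimal stand-in for the Teleport user resource.
type User struct {
	Kind, Name string
	Roles      []string
}

// MapClient is a constructed fake of the Teleport API: existing users in a map,
// plus a flag that makes every call fail with PermissionDenied.
type MapClient struct {
	Users  map[string]User
	Denied bool
}
func (c MapClient) GetUser(name string) (*User, error) {
	if c.Denied {
		return nil, &APIError{Code: PermissionDenied}
	}
	if u, ok := c.Users[name]; ok {
		return &u, nil
	}
	return nil, &APIError{Code: NotFound}
}

// ReadUser applies the recovery rule from the thread: a nil user with nil error
// means "drop the resource from state" (SDK: d.SetId("")) so the next plan
// re-creates it; PermissionDenied and any other error are surfaced instead.
func ReadUser(c MapClient, id string) (*User, error) {
	u, err := c.GetUser(id)
	var ae *APIError
	if errors.As(err, &ae) && ae.Code == NotFound {
		return nil, nil
	}
	if err != nil {
		return nil, fmt.Errorf("reading user %q: %w", id, err)
	}
	return u, nil
}
```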

@gzigzigzeo
Contributor

All these seem fixed.
