SAP/terraform-provider-btp

[BUG] `btp_subaccount_role_collection` silently takes over already existing resource

Closed this issue · 6 comments

Is there an existing issue for this?

  • I have searched the existing issues

What version of the Terraform provider are you using?

dev

What version of the Terraform CLI are you using?

2.64.0

What type of issue are you facing

bug report

Describe the bug

The btp_subaccount_role_collection resource is expected to fail if a role collection already exists. However, it does not, and silently takes over an already provisioned instance. This can simply be enforced by creating a role collection with the count attribute.

Expected Behavior

No response

Steps To Reproduce

Create two role collections with the same name.

resource "btp_subaccount_role_collection" "bug" {
  count = 2

  subaccount_id = "ce70e51a-01de-441b-b11e-4de5a93ba22e"
  name          = "Bug"
  roles         = []
}

User's Role Collections

No response

Add screenshots to help explain your problem

[screenshot attached]

Additional context

No response

Fyi, I haven't checked the role collection resources on directory or globalaccount level.

The API creating the role collection does not check if the role collection already exists, and also does not return any information/error/warning if the role collection already existed and is taken over.

See https://api.sap.com/api/AuthorizationAPI/path/createRoleCollection

I'm not that sure @lechnerc77. Have you seen the two different success states which the API returns? I'm guessing that 201 means the resource was created and 200 means it already exists. If that's the case it would be an easy fix: let the Terraform flow fail if the API returns 200.

[screenshot attached]

This needs to be validated. We will check this also with the responsible team.

Update Retest: Backend response is always HTTP 200

@v0lkc Clarified with the responsible team. The underlying API returns the same status code independent of a new creation or a takeover of an existing role collection.
Hence, due to the existing API implementation, the only option is to check on the consumer side whether the role collection already exists.
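The consumer-side check that the thread lands on, as an added example that is not code from the terraform-provider-btp project: a fake backend reproduces the behaviour reported above (create always answers HTTP 200 and overwrites any collection with the same name), and a guard lists the subaccount's role collections before creating and refuses on a name clash instead of adopting the existing one. The `roleCollectionAPI` interface, the `fakeAPI` type and the placeholder subaccount id are assumptions for this example, not the provider's client.

```go
package main

import (
	"errors"
	"fmt"
)

// RoleCollection is a minimal model of a BTP role collection for this example
// (assumed shape, not the provider's own type).
type RoleCollection struct {
	Name  string
	Roles []string
}

// roleCollectionAPI models the two calls the guard needs (assumed interface).
type roleCollectionAPI interface {
	ListRoleCollections(subaccountID string) ([]RoleCollection, error)
	CreateRoleCollection(subaccountID string, rc RoleCollection) (statusCode int, err error)
}

// fakeAPI mimics the backend behaviour described in the issue: create always
// returns 200 and silently takes over an existing collection instead of failing.
type fakeAPI struct {
	store map[string]map[string]RoleCollection // subaccountID -> name -> collection
}

func newFakeAPI() *fakeAPI {
	return &fakeAPI{store: map[string]map[string]RoleCollection{}}
}

func (f *fakeAPI) ListRoleCollections(subaccountID string) ([]RoleCollection, error) {
	var out []RoleCollection
	for _, rc := range f.store[subaccountID] {
		out = append(out, rc)
	}
	return out, nil
}

func (f *fakeAPI) CreateRoleCollection(subaccountID string, rc RoleCollection) (int, error) {
	if f.store[subaccountID] == nil {
		f.store[subaccountID] = map[string]RoleCollection{}
	}
	f.store[subaccountID][rc.Name] = rc // overwrite: the takeover the issue describes
	return 200, nil                    // same status whether new or pre-existing
}

// ErrAlreadyExists is returned instead of adopting a collection the plan did not create.
var ErrAlreadyExists = errors.New("role collection already exists")

// createRoleCollectionStrict is the consumer-side guard: list first, refuse on a name clash.
func createRoleCollectionStrict(api roleCollectionAPI, subaccountID string, rc RoleCollection) error {
	existing, err := api.ListRoleCollections(subaccountID)
	if err != nil {
		return fmt.Errorf("listing role collections: %w", err)
	}
	for _, e := range existing {
		if e.Name == rc.Name {
			return fmt.Errorf("%w: %q in subaccount %s (import it rather than creating it)",
				ErrAlreadyExists, rc.Name, subaccountID)
		}
	}
	status, err := api.CreateRoleCollection(subaccountID, rc)
	if err != nil {
		return err
	}
	// The status code carries no create-vs-takeover signal, so it is only sanity-checked.
	if status != 200 && status != 201 {
		return fmt.Errorf("unexpected status %d creating role collection %q", status, rc.Name)
	}
	return nil
}

func main() {
	api := newFakeAPI()
	sub := "00000000-0000-0000-0000-000000000000" // placeholder subaccount id
	rc := RoleCollection{Name: "Bug"}
	fmt.Println("first create:", createRoleCollectionStrict(api, sub, rc))  // <nil>
	fmt.Println("second create:", createRoleCollectionStrict(api, sub, rc)) // ErrAlreadyExists
}
```

Note that list-then-create is a check-then-act sequence: two creates that run concurrently (for example the `count = 2` instances above, which Terraform applies in parallel) can both pass the list step before either creates, so the guard removes the silent adoption in the sequential case but is not a substitute for a backend that rejects duplicates.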