camptocamp/terraform-provider-freeipa

Issue with multiple indirect entities

nzolot opened this issue · 1 comments

Hello, first of all I'd like to thank you for developing this provider, it helped me a lot to automate routine tasks.

Recently I've faced an issue where the provider fails to find multiple indirect host entities like groups, sudo rules, etc.

Steps to reproduce using multiple groups:

  1. Create 3 groups: 'provider_test_master_group1', 'provider_test_child1', 'provider_test_child2'
  2. Edit group 'provider_test_master_group1' and include 'provider_test_child1', 'provider_test_child2' groups
  3. Create a freeipa_host resource using terraform and attach group 'provider_test_master_group1'
  4. Run terraform plan; the following message will be displayed:
    Error: unexpected value for field MemberofindirectHostgroup: [provider_test_child1 provider_test_child2]; expected at most one element

Steps to reproduce using multiple sudo rules:

  1. Create 2 sudo rules 'provider_test_sudo1' and 'provider_test_sudo2' (no need to edit any rules, can be default)
  2. Create 1 group: 'provider_test_sudo_group1' and attach both sudo rules
  3. Create a freeipa_host resource using terraform and attach group 'provider_test_sudo_group1'
  4. Run terraform plan; the following message will be displayed:
    Error: unexpected value for field MemberofindirectSudorule: [provider_test_sudo1 provider_test_sudo2]; expected at most one element

Same error for hbac rules:
Error: unexpected value for field MemberofindirectHbacrule: [provider_test_hbac1 provider_test_hbac2]; expected at most one element

Seems like fields 'Memberofindirect*' are expected to be a string with a single value, while it is an array with multiple elements

Hello @nzolot,

Sorry for the (very!!) late answer.

The problem is in the underlying library we use to connect to FreeIPA (https://github.com/ccin2p3/go-freeipa). This library is auto-generated based on a schema returned by FreeIPA. However, this approach has some limitations and manual overrides are required: https://github.com/ccin2p3/go-freeipa/blob/develop/data/dirty_overrides.json. We forked this library to add some additional overrides (https://github.com/camptocamp/go-freeipa/compare/95d4057aefb7602a3b4f145529b3f0bbe0da4891..d87bf972a3d5d4dbdb5add1cc24ffa8d381fa5d4?diff=unified#diff-046401a3601d9a4b7ff304467389d23b612e907d32b34f6abd18cd97aeeba1ec, we still have to propose them upstream), but we’ll need more of them for your use cases.
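
The failure mode discussed in this thread, as an added Go example (not code from go-freeipa or from the provider): a decoder for a field the schema marks single-valued rejects an array with two members, while the same field typed as multi-valued decodes cleanly. The function names `decodeSingle` and `decodeMulti`, the JSON key and the sample record are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: FreeIPA returns attributes as JSON arrays, even
// when they hold one value. Key name and record are illustrative.
const sampleHost = `{"memberofindirect_hostgroup":
  ["provider_test_child1", "provider_test_child2"]}`

// decodeSingle models a decoder generated for a field the schema marks
// single-valued: the array is accepted only with zero or one element.
func decodeSingle(field string, raw []byte) (*string, error) {
	var vals []string
	if err := json.Unmarshal(raw, &vals); err != nil {
		return nil, fmt.Errorf("field %s: %w", field, err)
	}
	if len(vals) > 1 {
		return nil, fmt.Errorf("unexpected value for field %s: %v; "+
			"expected at most one element", field, vals)
	}
	if len(vals) == 0 {
		return nil, nil
	}
	return &vals[0], nil
}

// decodeMulti models the same field after an override marks it
// multi-valued: every element is kept.
func decodeMulti(raw []byte) ([]string, error) {
	var vals []string
	err := json.Unmarshal(raw, &vals)
	return vals, err
}

func main() {
	var rec map[string]json.RawMessage
	if err := json.Unmarshal([]byte(sampleHost), &rec); err != nil {
		panic(err)
	}
	raw := rec["memberofindirect_hostgroup"]
	_, err := decodeSingle("MemberofindirectHostgroup", raw)
	fmt.Println("single-valued:", err)
	groups, _ := decodeMulti(raw)
	fmt.Println("multi-valued: ", groups)
}
```

Because indirect memberships (host groups, sudo rules, HBAC rules) grow with every nested group, a single-valued type for these fields only works until a host inherits a second entry.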