jfrog/terraform-provider-artifactory

Unable to create resource artifactory_scoped_token with expires_in value <=300.

Closed this issue · 4 comments

Describe the bug

We are unable to create resource artifactory_scoped_token with expires_in value <=300.

Requirements for an issue

We are unable to create artifactory_scoped_token using terraform when the expires_in = 300, works fine with no values or greater values such as 12600.

Please find the sample.tf file below:

terraform {
  required_providers {
    artifactory = {
      source  = "jfrog/artifactory"
      version = "10.8.1"
    }
  }
}

provider "artifactory" {
  url          = "https://<arturl>/artifactory"
  access_token = "<Token>"
}

resource "artifactory_user" "testing_user" {
  name   = "testing-new"
  email  = "new_user@somewhere.com"
  groups = ["readers"]
}

resource "artifactory_scoped_token" "scoped_token_user" {
  username   = artifactory_user.testing_user.name
  expires_in = 300
}
Artifactory Version: 7.84
Terraform Version: v1.8.4
Terraform Provider Version: 10.8.1

Expected behavior

We should be able to create artifactory_scoped_token with value 300.

Terraform output:

testingtoken % terraform plan

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # artifactory_scoped_token.scoped_token_user will be created
  + resource "artifactory_scoped_token" "scoped_token_user" {
      + access_token            = (sensitive value)
      + expires_in              = 300
      + expiry                  = (known after apply)
      + grant_type              = "client_credentials"
      + id                      = (known after apply)
      + include_reference_token = (known after apply)
      + issued_at               = (known after apply)
      + issuer                  = (known after apply)
      + reference_token         = (sensitive value)
      + refresh_token           = (sensitive value)
      + refreshable             = false
      + scopes                  = (known after apply)
      + subject                 = (known after apply)
      + token_type              = (known after apply)
      + username                = "testing-new"
        # (1 unchanged attribute hidden)
    }

  # artifactory_user.testing_user will be created
  + resource "artifactory_user" "testing_user" {
      + admin                      = false
      + disable_ui_access          = true
      + email                      = "new_user@somewhere.com"
      + groups                     = [
          + "readers",
        ]
      + id                         = (known after apply)
      + internal_password_disabled = false
      + name                       = "testing-new"
      + password                   = (sensitive value)
      + profile_updatable          = true
    }

Plan: 2 to add, 0 to change, 0 to destroy.

───────────────────────────────────────────── 

Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if you run "terraform apply" now.
elumalaig@elumalaig-mac testingtoken % terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # artifactory_scoped_token.scoped_token_user will be created
  + resource "artifactory_scoped_token" "scoped_token_user" {
      + access_token            = (sensitive value)
      + expires_in              = 300
      + expiry                  = (known after apply)
      + grant_type              = "client_credentials"
      + id                      = (known after apply)
      + include_reference_token = (known after apply)
      + issued_at               = (known after apply)
      + issuer                  = (known after apply)
      + reference_token         = (sensitive value)
      + refresh_token           = (sensitive value)
      + refreshable             = false
      + scopes                  = (known after apply)
      + subject                 = (known after apply)
      + token_type              = (known after apply)
      + username                = "testing-new"
        # (1 unchanged attribute hidden)
    }

  # artifactory_user.testing_user will be created
  + resource "artifactory_user" "testing_user" {
      + admin                      = false
      + disable_ui_access          = true
      + email                      = "new_user@somewhere.com"
      + groups                     = [
          + "readers",
        ]
      + id                         = (known after apply)
      + internal_password_disabled = false
      + name                       = "testing-new"
      + password                   = (sensitive value)
      + profile_updatable          = true
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

artifactory_user.testing_user: Creating...
artifactory_user.testing_user: Creation complete after 2s [id=testing-new]
artifactory_scoped_token.scoped_token_user: Creating...

│ Warning: No password supplied

│   with artifactory_user.testing_user,
│   on main.tf line 15, in resource "artifactory_user" "testing_user":
│   15: resource "artifactory_user" "testing_user" {

│ One will be generated (12 characters with 1 digit, 1 symbol, with upper and lower case letters) and this may fail as your Artifactory password policy can't be determined by the provider.


│ Error: Unable to Create Resource

│   with artifactory_scoped_token.scoped_token_user,
│   on main.tf line 21, in resource "artifactory_scoped_token" "scoped_token_user":
│   21: resource "artifactory_scoped_token" "scoped_token_user" {

│ An unexpected error occurred while creating the resource update request. Please report this issue to the provider developers.

│ Error: NOT_FOUND - HTTP 404 Not Found

@elumalaigjfrog Thanks for the report. I've added this to our plan to investigate.

> We are unable to create artifactory_scoped_token using terraform when the expires_in = 300, works fine with no values or greater values such as 12600.

BTW @elumalaigjfrog The expires_in attribute can be affected by Persistency Threshold on your instance. See the note in the resource doc.

Hi @alexhung

https://registry.terraform.io/providers/jfrog/artifactory/latest/docs/resources/scoped_token also highlights this, though. As far as I can confirm, the token value has been stored under the Terraform backend as tfstate after creating the scoped token resource.

Is your comment for those who don't have the backend? Or is there anything we need to pay attention to in order to manage such a short-lived token?

> As far as I can confirm, the token value has been stored under the Terraform backend as tfstate after creating the scoped token resource.

That's correct.

@rsw-a My comment refers to the fact the token is not stored in Artifactory. Meaning if you go to the Administration -> Users Management -> Access Tokens screen, the new token will not appear in the list due to persistence threshold.
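
An added example, not part of the original thread or the provider's code: a small audit over a Terraform state file (format v4) that flags artifactory_scoped_token resources whose expires_in is below the persistence threshold discussed above, so they will not appear in the Access Tokens list, while the token value still sits in tfstate. The threshold of 10800 seconds, the reading of expires_in = 0 as "no expiry", and the sample state are assumptions constructed for illustration; set the threshold to the value in your instance's Access configuration.

```python
import json

# Assumption: persistence threshold in seconds for this instance.
PERSISTENCE_THRESHOLD = 10800


def _res(rtype, name, attrs):
    """Build one managed resource entry in Terraform state v4 layout."""
    return {"mode": "managed", "type": rtype, "name": name,
            "instances": [{"attributes": attrs}]}


# Constructed sample state, not real output; token values are placeholders.
SAMPLE_STATE = json.dumps({"version": 4, "resources": [
    _res("artifactory_scoped_token", "short",
         {"username": "testing-new", "expires_in": 300, "access_token": "CONSTRUCTED"}),
    _res("artifactory_scoped_token", "long",
         {"username": "testing-new", "expires_in": 12600, "access_token": "CONSTRUCTED"}),
    _res("artifactory_user", "testing_user", {"name": "testing-new"}),
]})


def audit_scoped_tokens(state_text, threshold=PERSISTENCE_THRESHOLD):
    """Return one finding per artifactory_scoped_token instance in the state."""
    findings = []
    for res in json.loads(state_text).get("resources", []):
        if res.get("mode") != "managed" or res.get("type") != "artifactory_scoped_token":
            continue
        for inst in res.get("instances", []):
            attrs = inst.get("attributes") or {}
            expires_in = attrs.get("expires_in") or 0  # assumption: 0/unset = no expiry
            findings.append({
                "address": f'{res["type"]}.{res["name"]}',
                "expires_in": expires_in,
                # Non-zero expiry below the threshold: token is not persisted,
                # so it is absent from the Access Tokens screen.
                "listed_in_artifactory": not (0 < expires_in < threshold),
                # The secret is written to the state backend either way.
                "secret_in_state": bool(attrs.get("access_token")),
            })
    return findings


if __name__ == "__main__":
    for finding in audit_scoped_tokens(SAMPLE_STATE):
        print(finding)
```

Run it against the output of `terraform state pull` to see which tokens exist only in the state backend and therefore depend on its access controls and encryption.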