Comments (13)
It looks like these two may be separate issues. I'm not sure about the policy, but looks like the target_user issue probably came from #525. I should be able to put in a quick PR to address that
from terraform-provider-minio.
People seem to be confusing the policy change and the target_user change here. Original issue seems to be about the policy change. This issue is the same as #517 (fixed in #518), which seems to have re-surfaced since v2.0.0. When using mc admin user svcacct info <alias> <service-account>, the response clearly states Implied for Policy. I would suspect the Go lib this terraform provider uses would do the same, and I think the terraform code should thus not make any changes when policy is not set and the Minio server says the SA's policy is implied.
mcli admin user svcacct info local/ COYEK48Y9JMEM3FH2U6P
AccessKey: COYEK48Y9JMEM3FH2U6P
ParentUser: terraform
Status: on
Name:
Description:
Policy: implied
Expiration: no-expiry
from terraform-provider-minio.
We are also impacted by this - looking at the plan, the reason seems to be that target_user is set using LDAP username, but somehow when the resource is read, the name becomes the LDAP DN.
To give an example, you would need to set the target_user to minio-user from a user with DN CN=minio-user,DC=example,DC=org, but upon next execution, TF would force replacement because of CN=minio-user,DC=example,DC=org != minio-user
from terraform-provider-minio.
@acolombier just opened #547, would you be able to give that a try? I'm not sure the best way to test locally, so if you have a minimal example of testing with an LDAP user I can also try that. Ideally we would get that incorporated into our test pipeline as well
from terraform-provider-minio.
Unfortunately, the IaC suffering from this issue is in an automated production pipeline, so I won't be able to test in there till we have a proper release. I did comment on your PR tho, hopefully this is adding some more context to cover the issue.
from terraform-provider-minio.
Ran this on version 2.0.1 and it still has the same issue. Hope you guys get this fixed soon, so I can move to the new version
from terraform-provider-minio.
Also running into this issue. Anything I can do to help with debugging?
from terraform-provider-minio.
Sorry for the delay on this, @Nabsku. If you're still interested in helping to debug, you should be able to use the git branch in #547 as the provider source rather than the central registry.
from terraform-provider-minio.
Hi @pjsier, I'm having the same issue as the original poster, but I'm not using LDAP and #547 seems to have something to do with LDAP?
My problem is just that the policy in the service_accounts gets updated on every run.
from terraform-provider-minio.
@arusa thanks for the report! Could you share the output of your plan and what you were trying to change?
from terraform-provider-minio.
It's exactly what the original author of this issue reported.
I ran terraform apply and everything finished successfully.
Then I immediately ran terraform plan again and it showed changes for all minio_iam_service_account resources, although nothing was changed in the configuration:
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # xxx.minio_iam_service_account.this will be updated in-place
  ~ resource "minio_iam_service_account" "this" {
        id     = "XXXX"
      - policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "s3:*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::mybucket/*",
                        ]
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
        # (6 unchanged attributes hidden)
    }

  # xxx2.minio_iam_service_account.this will be updated in-place
  ~ resource "minio_iam_service_account" "this" {
        id     = "XXX2"
      - policy = jsonencode(
            {
              - Statement = [
                  - {
                      - Action   = [
                          - "s3:*",
                        ]
                      - Effect   = "Allow"
                      - Resource = [
                          - "arn:aws:s3:::mybucket2/*",
                        ]
                    },
                ]
              - Version   = "2012-10-17"
            }
        ) -> null
        # (6 unchanged attributes hidden)
    }

Plan: 0 to add, 2 to change, 0 to destroy.
from terraform-provider-minio.
@pjsier any news on that? I just ran terraform again and it once again wants to replace a minio_iam_service_account that I haven't touched.
from terraform-provider-minio.
While the PR is being reviewed, this is the workaround I have been using to prevent the cycling of SA:
resource "minio_iam_service_account" "this" {
  // ...
  lifecycle {
    ignore_changes = [
      target_user # FIXME Workaround till https://github.com/aminueza/terraform-provider-minio/pull/547 gets merged
    ]
  }
}
If you expect the SA to be recreated due to a genuine target_user user change, you will have to terraform taint the resource.
from terraform-provider-minio.
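A pipeline-side check for the two symptoms reported in this thread, as an added example (not code from the provider or from any commenter): it walks the JSON form of a plan and labels service-account changes that are either an in-place update setting only policy to null, or a replacement where the old target_user is a DN and the new one is the matching short name. The sample plan and module addresses are constructed, and matching a DN to a username by its first RDN is an assumption.

```python
# Added example: flag the two no-op service-account diffs from this thread in a plan.
# Input shape follows `terraform show -json <planfile>`; SAMPLE_PLAN is constructed.

def _rc(addr, actions, before, after):
    return {"address": addr, "type": "minio_iam_service_account",
            "change": {"actions": actions, "before": before, "after": after}}

POLICY = '{"Statement":[{"Action":["s3:*"],"Effect":"Allow"}],"Version":"2012-10-17"}'
SAMPLE_PLAN = {"resource_changes": [
    _rc("module.a.minio_iam_service_account.this", ["update"],
        {"target_user": "terraform", "policy": POLICY},
        {"target_user": "terraform", "policy": None}),
    _rc("module.b.minio_iam_service_account.this", ["delete", "create"],
        {"target_user": "CN=minio-user,DC=example,DC=org", "policy": None},
        {"target_user": "minio-user", "policy": None}),
    _rc("module.c.minio_iam_service_account.this", ["delete", "create"],  # genuine change
        {"target_user": "CN=minio-user,DC=example,DC=org", "policy": None},
        {"target_user": "other-user", "policy": None}),
]}

def is_dn_of(dn, short):
    """Assumption: the short LDAP username equals the value of the DN's first RDN."""
    if not dn or not short or "=" not in dn or "=" in short:
        return False
    first_rdn = dn.split(",", 1)[0]  # simple split; escaped commas are not handled
    return first_rdn.split("=", 1)[1].strip().lower() == short.strip().lower()

def classify(plan):
    """Map resource address -> label for changes that match the thread's symptoms."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "minio_iam_service_account":
            continue
        change = rc["change"]
        before, after = change.get("before") or {}, change.get("after") or {}
        actions = change.get("actions", [])
        changed = {k for k in set(before) | set(after) if before.get(k) != after.get(k)}
        if actions == ["update"] and changed == {"policy"} and after.get("policy") is None:
            findings[rc["address"]] = "policy-set-to-null"
        elif {"delete", "create"} <= set(actions) and is_dn_of(
                before.get("target_user"), after.get("target_user")):
            findings[rc["address"]] = "target_user-dn-vs-username"
    return findings

if __name__ == "__main__":
    for address, label in classify(SAMPLE_PLAN).items():
        print(f"{label}: {address}")
```

A replacement labelled here would issue a new service account, so it is worth reviewing before an unattended apply; the genuine target_user change in the sample (module.c) is deliberately left unlabelled.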