
The resource 'hsdp_iam_group_membership' is not removing user membership from IAM on destroy #311

Open
l-lafin opened this issue Feb 2, 2023 · 6 comments
Assignees
Labels
question Further information is requested

Comments

@l-lafin

l-lafin commented Feb 2, 2023

The resource 'hsdp_iam_group_membership' is not removing user membership from IAM on destroy, nor when removing the user from the list, but it also doesn't fail the Terraform run and claims a successful execution.

Version: 0.41.0
image

@loafoe loafoe self-assigned this Feb 3, 2023
@loafoe loafoe added the question Further information is requested label Feb 3, 2023
@loafoe loafoe moved this to In Progress in HSDP Terraform provider Feb 3, 2023
@loafoe
Member

loafoe commented Feb 3, 2023

@l-lafin tested this and it is working as expected. Can you provide more details, or, better, a setup where you can reproduce this?

loafoe added a commit that referenced this issue Apr 24, 2023
@loafoe
Member

loafoe commented Apr 24, 2023

@l-lafin added additional test code and was able to observe deletion of users from the group on destroy. One key thing is that groups referred to in hsdp_iam_group_membership should have drift_detection = false, otherwise you get permadiffs, or possibly the issue you are seeing as mentioned in this issue. Adding hsdp_iam_group_membership in retrospect was a mistake IMHO. It goes against the ownership of resources and feels more and more like a footgun. Closing.

@l-lafin
Author

l-lafin commented Apr 25, 2023

Hi @loafoe,
Thanks for the updates. Regarding drift_detection: according to the documentation, in case the group is managed by Terraform, it indicates that drift_detection should be false, see below:

image

We are still trying to fix this issue on our side :(. I tried to simulate it using plain Terraform and indeed I wasn't able to see the error, but for some reason when I'm using Terragrunt I'm having this error.

@loafoe
Member

loafoe commented Apr 25, 2023

You are right, it should be set to false; somehow I inverted that in my message 🤦‍♂️

I'm not a fan of Terragrunt. It feels like what CoffeeScript was to JavaScript, i.e. plastering over some imperfections and making things more opaque but, by design, also making runs less transparent.

@l-lafin
Author

l-lafin commented Apr 26, 2023

Hi @loafoe, I just discovered what was happening. The issue happens when the service identity doesn't have the permission HSDP_IAM_ORGANIZATION.MGMT on that specific IAM organization, so it is an authorization issue. That being said, it's weird that the provider is not displaying a 403 error when it is not able to remove the user from the group.

I also dived even further and took a look into the provider code, and it seems to be calling the $remove-members API. According to the documentation (see image), any identity with HSDP_IAM_ORGANIZATION.MGMT, GROUP.WRITE or HSDP_IAM_GROUP.REMOVE_USER should be able to remove the members... but in reality, only service identities with HSDP_IAM_ORGANIZATION.MGMT are able to remove members.

image

@l-lafin
Author

l-lafin commented Apr 26, 2023

We also tested the IAM API itself and it works when the identity has any of those permissions.
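As an added example (not the provider's own client code and not written by either participant), the check the two Apr 26 comments point at: a Go caller of the $remove-members operation that turns a 403 into an error instead of letting the destroy report success, exercised against a constructed IAM test double. The endpoint path, the request body shape and the way the fake server decides on the caller's permission are assumptions, not the real HSDP IAM API.

```go
package main

import (
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// ErrForbidden is the case from the issue: IAM answers $remove-members with
// 403 because the caller lacks a permission such as HSDP_IAM_ORGANIZATION.MGMT.
var ErrForbidden = errors.New("iam: $remove-members forbidden (HTTP 403)")
// RemoveMembers calls the group's $remove-members operation and turns any non-2xx
// status into an error instead of letting the destroy report success (path and body are constructed).
func RemoveMembers(client *http.Client, baseURL, groupID string, userIDs []string) error {
	body := `{"users":["` + strings.Join(userIDs, `","`) + `"]}`
	endpoint := fmt.Sprintf("%s/authorize/identity/Group/%s/$remove-members", baseURL, groupID)
	req, err := http.NewRequest(http.MethodPost, endpoint, strings.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	switch {
	case resp.StatusCode == http.StatusForbidden:
		return ErrForbidden
	case resp.StatusCode < 200 || resp.StatusCode > 299:
		msg, _ := io.ReadAll(io.LimitReader(resp.Body, 4096)) // surface IAM's error text
		return fmt.Errorf("iam: $remove-members failed with HTTP %d: %s", resp.StatusCode, msg)
	}
	return nil
}
// NewFakeIAM is a constructed test double: it grants $remove-members only when
// the caller's simulated permission is one of the three the documentation lists.
func NewFakeIAM(callerPermission string) *httptest.Server {
	allowed := map[string]bool{"HSDP_IAM_ORGANIZATION.MGMT": true, "GROUP.WRITE": true, "HSDP_IAM_GROUP.REMOVE_USER": true}
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !allowed[callerPermission] {
			http.Error(w, `{"issue":"insufficient permission"}`, http.StatusForbidden)
			return
		}
		w.WriteHeader(http.StatusNoContent)
	}))
}
```

Run against a server created with a permission outside the allowed set, RemoveMembers returns ErrForbidden, which is the signal Terraform needs to mark the destroy as failed rather than silently dropping the membership from state.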
