terraform-provider-elasticstack icon indicating copy to clipboard operation
terraform-provider-elasticstack copied to clipboard
verified publisher icon elastic

[Bug] Error: Unable to create apikey without an elasticsearch_connection

Open ramon-carrasco opened this issue 1 year ago • 1 comments

Describe the bug I am using version "3.97.1" of azurerm, where the elasticsearch_connection is getting deprecated. When trying to create the elasticstack_elasticsearch_security_api_key without the elasticsearch_connection, I am getting this error:

│ Error: Unable to create apikey
│ 
│ Failed with:
│ {"error":{"root_cause":[{"type":"illegal_argument_exception","reason":"creating
│ derived api keys requires an explicit role descriptor that is empty (has no
│ privileges)"}],"type":"illegal_argument_exception","reason":"creating
│ derived api keys requires an explicit role descriptor that is empty (has no
│ privileges)"},"status":400}

But I did add the empty role descriptor, as can be seen in this terraform plan:

resource "***stack_***search_security_api_key" "api_key_test" {
      + api_key              = (sensitive value)
      + encoded              = (sensitive value)
      + expiration_timestamp = (known after apply)
      + id                   = (known after apply)
      + metadata             = (known after apply)
      + name                 = "test1"
      + role_descriptors     = jsonencode({})
    }

Moreover, I would love to see an example of how to assign an user to the api_key without using the elasticsearch_connection, since I have not found clear examples in the documentation.

To Reproduce Steps to reproduce the behavior:

  1. TF configuration used 'azurerm v3.97.1'
  2. Resource:
resource "elasticstack_elasticsearch_security_api_key" "api_key_test" {
  name                   = "test1"
  role_descriptors = jsonencode({})
}
  1. Failed on terraform apply

Expected behavior The new api key is created in elasticsearch.

Versions (please complete the following information):

  • OS: Ubuntu 2204
  • Terraform Version 1.3.9
  • Provider version 3.97.1
  • Elasticsearch Version 8.5.1

ramon-carrasco avatar May 13 '24 20:05 ramon-carrasco

Hi,

The error message confused me at first, but I don't think it's a bug. It requires an empty role descriptor, so something like:

resource "elasticstack_elasticsearch_security_api_key" "api_key_test" {
  name                   = "test1"
  role_descriptors = jsonencode({
     default = {} # <-- Default is the role descriptor (but you can use any name)
  })
}

herrBez avatar Sep 23 '24 13:09 herrBez