terraform-provider-grafana
data_source_permissions resource is not idempotent
Terraform Version
- Terraform: 2.2.3
- Terraform Grafana Provider: 1.24.0
- Grafana: 9.0
Affected Resource(s)
Please list the resources as a list, for example:
- data_source_permissions
Terraform Configuration Files
resource "grafana_data_source_permission" "fooPermissions" {
  datasource_id = 1
  permissions {
    user_id    = 1
    permission = "Query"
  }
}
Actual Behavior
When the above configuration is planned and applied a second time without any modification, Terraform always attempts to remove a permission which was never in the configuration; see below for the plan output.
  # grafana_data_source_permission.fooPermissions will be updated in-place
  ~ resource "grafana_data_source_permission" "fooPermissions" {
        id = "1"
        # (1 unchanged attribute hidden)
      - permissions {
          - permission = "Query" -> null
          - team_id = 0 -> null
          - user_id = 0 -> null
        }
    }
Expected Behavior
When the above configuration is planned and applied a second time without any modification, Terraform should not show any changes.
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
1. terraform apply the above configuration
2. terraform apply the above configuration again without any changes
Important Factoids
The issue has been introduced with Grafana 9.0 release.
References
Context
The issue has been introduced with Grafana 9.0 release and the root cause is in the underlying implementation of data source permissions with RBAC (role-based access control). When the data source permissions were extended to support RBAC, we had to keep the system backward compatible and continue supporting data source permissions as they are, for now.
In order to do so, when fetching data source permissions through the Grafana API, RBAC computes the relevant permissions for the Basic Roles on the fly and returns the results in the response. This computation is not persisted and is done based on what different basic roles can do with the data source. So basically, when Terraform runs the configuration and compares the local state with the remote state, it sees the difference (the extra returned permissions) and tries to remove it from the Terraform state. This is why this resource behaves in this way.
Two additional details:
- In addition to the "Query" permission, there is now also an "Edit". Edit, however, is coming from the RBAC system, and the data source permissions API does not support it.
- In addition, data source permissions are now by default enabled for Grafana Enterprise.
FYI, as a temporary workaround, one can hardcode the following, which will have no impact:
  permissions {
    permission = "Query"
  }
One temporary idea for the fix could be updating terraform provider to filter out the default Query returned by Grafana and ignore it when comparing with the state. @kalleep @IevaVasiljeva what do you think, is this a feasible approach to unblock using the resource while we are working on a proper long term fix?
A fix for the issue with basic role permissions: https://github.com/grafana/terraform-provider-grafana/pull/692
PR that enables setting Edit data source permission through Terraform: https://github.com/grafana/terraform-provider-grafana/pull/693
The PRs have been merged and a fix has been released with Issue for the remaining work: https://github.com/grafana/grafana-enterprise/issues/3710.
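The temporary fix idea raised in the thread (ignore the computed Query permission when comparing remote permissions with the configuration) can be sketched as follows. This is an added example, not the provider's code and not what the linked PRs implement; the `Perm` type and both functions are hypothetical, and it assumes that an entry with `user_id = 0` and `team_id = 0`, as in the plan output, is one of the computed basic-role permissions.

```go
package main

import "fmt"

// Perm is a hypothetical, simplified permission entry (not the provider's
// type); its fields mirror the attributes in the plan output of the issue.
type Perm struct {
	UserID, TeamID int64
	Permission     string // "Query" or "Edit"
}

// dropComputed removes entries bound to neither a user nor a team.
// Assumption: these are the basic-role permissions Grafana 9 computes on
// the fly, as in the plan output (team_id = 0, user_id = 0).
func dropComputed(remote []Perm) []Perm {
	kept := make([]Perm, 0, len(remote))
	for _, p := range remote {
		if p.UserID != 0 || p.TeamID != 0 {
			kept = append(kept, p)
		}
	}
	return kept
}

// removals lists remote entries absent from config: what a plan would delete.
func removals(config, remote []Perm) []Perm {
	inConfig := make(map[Perm]bool, len(config))
	for _, p := range config {
		inConfig[p] = true
	}
	var out []Perm
	for _, p := range remote {
		if !inConfig[p] {
			out = append(out, p)
		}
	}
	return out
}

func main() {
	// Constructed sample: the configured entry plus the computed one.
	config := []Perm{{UserID: 1, Permission: "Query"}}
	remote := []Perm{{UserID: 1, Permission: "Query"}, {Permission: "Query"}}
	fmt.Println("unfiltered:", removals(config, remote))
	fmt.Println("filtered:  ", removals(config, dropComputed(remote)))
}
```

In this sketch a user or team grant made outside Terraform is still reported as drift, but access that comes from basic roles no longer appears in the comparison and has to be reviewed in Grafana's RBAC settings instead.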