
Error setting access control for Path using terraform module "azurerm_storage_data_lake_gen2_path"

Open pavan088 opened this issue 2 years ago • 2 comments

Is there an existing issue for this?

  • [X] I have searched the existing issues

Community Note

  • Please vote on this issue by adding a :thumbsup: reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

0.14.4

AzureRM Provider Version

2.70.0

Affected Resource(s)/Data Source(s)

azurerm_storage_data_lake_gen2_path

Terraform Configuration Files

# Terraform code to create the datalake filesystem
```hcl
resource "azurerm_storage_data_lake_gen2_filesystem" "test-containers" {
  name               = "test-container"
  storage_account_id = module.storage.id

  ace {
    permissions = "rwx"
    scope       = "access"
    type        = "user"
  }
  ace {
    permissions = "rwx"
    scope       = "access"
    type        = "group"
  }
  ace {
    type        = "group"
    scope       = "access"
    id          = "XXXXXX-XXXX-XXXX-XXXX"
    permissions = "r-x"
  }
  ace {
    type        = "group"
    scope       = "access"
    id          = "XXXXXX-XXXX-XXXX-XXXX"
    permissions = "r-x"
  }
  ace {
    permissions = "rwx"
    scope       = "access"
    type        = "mask"
  }
  ace {
    permissions = "---"
    scope       = "access"
    type        = "other"
  }
  ace {
    permissions = "rwx"
    scope       = "default"
    type        = "user"
  }
  ace {
    permissions = "rwx"
    scope       = "default"
    type        = "group"
  }
  ace {
    permissions = "rwx"
    scope       = "default"
    type        = "mask"
  }
  ace {
    permissions = "---"
    scope       = "default"
    type        = "other"
  }
}
```
# Terraform code to create the subfolder1 inside datalake filesystem and apply ACL
```hcl
resource "azurerm_storage_data_lake_gen2_path" "subfolder1" {
  path               = "subfolder1"
  filesystem_name    = azurerm_storage_data_lake_gen2_filesystem.test-containers.name
  storage_account_id = module.storage.id
  resource           = "directory"

  ace {
    permissions = "rwx"
    scope       = "access"
    type        = "user"
  }
  ace {
    permissions = "rwx"
    scope       = "access"
    type        = "group"
  }
  ace {
    type        = "group"
    scope       = "access"
    id          = "XXXXXX-XXXX-XXXX-XXXX"
    permissions = "r-x"
  }
  ace {
    type        = "group"
    scope       = "access"
    id          = "XXXXXX-XXXX-XXXX-XXXX"
    permissions = "r-x"
  }
  ace {
    permissions = "rwx"
    scope       = "access"
    type        = "mask"
  }
  ace {
    permissions = "---"
    scope       = "access"
    type        = "other"
  }
  ace {
    permissions = "rwx"
    scope       = "default"
    type        = "user"
  }
  ace {
    permissions = "rwx"
    scope       = "default"
    type        = "group"
  }
  ace {
    permissions = "rwx"
    scope       = "default"
    type        = "mask"
  }
  ace {
    permissions = "---"
    scope       = "default"
    type        = "other"
  }
}
```

Debug Output/Panic Output

Error setting access control for Path "subfolder1" in File System "test-container" in Storage Account "testdatalakestorage": datalakestore.Client#SetAccessControl: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationPermissionMismatch" Message="This request is not authorized to perform this operation using this permission.\nRequestId:a####e2-###-0##7-1##0-5##########00\nTime:XXXXX XXXX"

Expected Behaviour

The ACLs must be updated at the container level and folder level whenever a new AD group wants to access the specific directory, and the existing configuration should not be changed.

Actual Behaviour

The "azurerm_storage_data_lake_gen2_path" will always try to create the resource rather than updating the ACL. I also followed one of the blogs, #9728, to create the ACL order.

Steps to Reproduce

  1. Run the code pasted above and observe the plan and apply, which will create all the resources the first time.
  2. Add a new object id and rerun the same code to reproduce the issue.

Important Factoids

No response

References

No response

pavan088 avatar Apr 22 '22 13:04 pavan088

@pavan088 Thank you for submitting this! This appears to be an API issue rather than a provider bug: https://github.com/Azure/azure-rest-api-specs/issues/18815.

magodo avatar Apr 26 '22 02:04 magodo

@magodo @pavan088 Had the same issue while testing ACLs. It started to work when I assigned Storage Blob Data Owner and Storage Account Contributor (not sure if one of them is enough, I tried only after setting both roles), as described here: https://learn.microsoft.com/en-us/azure/storage/blobs/data-lake-storage-access-control-model. That is also mentioned in the Note on top of the resource documentation: https://registry.terraform.io/providers/hashicorp/azurerm/latest/docs/resources/storage_data_lake_gen2_filesystem

dkuzmenok avatar Sep 22 '22 08:09 dkuzmenok
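As an added example (not code from the issue, the provider, or its documentation), here is how the role assignment the comment above describes can be expressed in the same Terraform configuration, so the identity running `terraform apply` holds the data-plane role before `SetAccessControl` is called. The `azurerm_role_assignment` and `azurerm_client_config` resources are real provider resources; `module.storage.id` and the resource names follow the issue, and the placeholder ACE set is shortened to the four entries a valid POSIX ACL needs. Scoping the assignment to the single storage account is an assumption chosen to keep the grant narrow.

```hcl
# Added example: grant the deploying identity the data-plane role that ACL
# writes on ADLS Gen2 require, scoped to one storage account only.
data "azurerm_client_config" "current" {}

# Storage Blob Data Owner is the role the Azure access-control page linked in
# the comment above names for setting ACLs. Control-plane roles such as
# Contributor on the subscription do not satisfy the SetAccessControl call,
# which is why the 403 AuthorizationPermissionMismatch in the issue appears.
resource "azurerm_role_assignment" "tf_acl_writer" {
  scope                = module.storage.id                      # assumed module output, as in the issue
  role_definition_name = "Storage Blob Data Owner"
  principal_id         = data.azurerm_client_config.current.object_id
}

resource "azurerm_storage_data_lake_gen2_path" "subfolder1" {
  path               = "subfolder1"
  filesystem_name    = azurerm_storage_data_lake_gen2_filesystem.test-containers.name
  storage_account_id = module.storage.id
  resource           = "directory"

  # Minimal valid access ACL: owner, owning group, mask, other.
  ace {
    permissions = "rwx"
    scope       = "access"
    type        = "user"
  }
  ace {
    permissions = "r-x"
    scope       = "access"
    type        = "group"
  }
  ace {
    permissions = "rwx"
    scope       = "access"
    type        = "mask"
  }
  ace {
    permissions = "---"
    scope       = "access"
    type        = "other"
  }

  # Without this dependency Terraform may issue SetAccessControl before the
  # role assignment exists on a fresh deployment and fail with the same 403.
  depends_on = [azurerm_role_assignment.tf_acl_writer]
}
```

Two caveats a practitioner should check: Azure RBAC assignments can take a few minutes to propagate, so a first apply immediately after the assignment is created may still return 403 until the assignment is visible to the storage data plane, and the existing grants on the account can be listed with `az role assignment list --scope <storage-account-id>` before deciding whether a broader role such as Storage Account Contributor is actually needed for the deploying identity.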

Any idea when this issue will be resolved?

Qumber-ali avatar Jan 22 '23 21:01 Qumber-ali