
Setting vApp Access control does not work without Org Rights

Open bogi0704 opened this issue 1 year ago • 0 comments

Hello,

Setting vApp Access controls fails when a tenant user has no rights to access the Organization. Doing this via the UI works though.

Terraform Version

terraform_1.8.5_linux_amd64
Installed vmware/vcd v3.14.1

Affected Resource(s)

  • vcd_vapp_access_control

Terraform Configuration Files

resource "vcd_vapp" "MyVApp" {
  vdc  = "MYVDC"
  org  = "MYORG"
  name = "MyVApp"
}

resource "vcd_vapp_access_control" "vapp_ac" {
  vapp_id = vcd_vapp.MyVApp.id
  vdc     = "MYVDC"
  org     = "MYORG"

  shared_with_everyone  = true
  everyone_access_level = "Change"
}

Debug Output

I do not have the debug output, because this is happening in a pipeline. If you absolutely need it, then I will find a way to get it.

Expected Behavior

The Access control settings should have been set. Logging in as the same user via the tenant portal and setting this manually works.

Actual Behavior

Error: [resourceAccessControlVappUpdate] error setting access control for vApp MyVApp: no parent found for VDC "MYVDC"

  with vcd_vapp_access_control.vapp_ac,
  on /tmp/terraform-data-dir/main.tf line 7, in resource "vcd_vapp_access_control" "vapp_ac":
   7: resource "vcd_vapp_access_control" "vapp_ac" {

Steps to Reproduce

terraform apply

User Access rights

The user has the following rights:

resource "vcd_global_role" "vapp_author" {
  name        = "vApp Author"
  description = "Rights given to a user who uses catalogs and creates vApps"
  rights = [
    "API Tokens: Manage",
    "Catalog: Add vApp from My Cloud",
    "Catalog: View ACL",
    "Catalog: View Private and Shared Catalogs",
    "Catalog: View Published Catalogs",
    "Organization vDC Compute Policy: View",
    "Organization vDC Disk: Edit IOPS",
    "Organization vDC Disk: View IOPS",
    "Organization vDC Named Disk: Create",
    "Organization vDC Named Disk: Delete",
    "Organization vDC Named Disk: Edit Properties",
    "Organization vDC Named Disk: View Encryption Status",
    "Organization vDC Named Disk: View Properties",
    "Organization vDC Network: View Properties",
    "Organization vDC: VM-VM Affinity Edit",
    "Organization vDC: View",
    "Organization vDC: View CPU and Memory Reservation",
    "Security Tag Edit",
    "UI Plugins: View",
    "VAPP_VM_METADATA_TO_VCENTER",
    "vApp Template / Media: Copy",
    "vApp Template / Media: Edit",
    "vApp Template / Media: View",
    "vApp Template: Checkout",
    "vApp: Copy",
    "vApp: Create / Reconfigure",
    "vApp: Delete",
    "vApp: Download",
    "vApp: Edit Properties",
    "vApp: Edit VM CPU",
    "vApp: Edit VM Compute Policy",
    "vApp: Edit VM Hard Disk",
    "vApp: Edit VM Memory",
    "vApp: Edit VM Network",
    "vApp: Edit VM Properties",
    "vApp: Manage VM Password Settings",
    "vApp: Power Operations",
    "vApp: Sharing",
    "vApp: Snapshot Operations",
    "vApp: Upload",
    "vApp: Use Console",
    "vApp: VM Boot Options",
    "vApp: View ACL",
    "vApp: View VM and VM's Disks Encryption Status",
    "vApp: View VM metrics",
  ]
  publish_to_all_tenants = true
}

Important Factoids

It looks like the "getParentOrg" function is being called, because I found the error message originating from here: https://github.com/vmware/go-vcloud-director/blob/3d77bc4797b19f672a79d31fad6ca66ca56c8a85/govcd/vdc.go#L1284

bogi0704 Jan 10 '25 17:01
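An added example, not part of this issue or of the provider's code: a small pre-deploy check that extracts the `rights = [...]` list from a `vcd_global_role` definition like the one above and reports which rights from a required set are absent. The required set (`REQUIRED_FOR_VAPP_ACL`) is an assumption for illustration, including an organization-level view right as the issue title suggests; it is not taken from the provider's documentation. The role text is an abridged, constructed version of the one in the report.

```python
import re

# Constructed, abridged role definition modelled on the one in the issue.
ROLE_HCL = '''
resource "vcd_global_role" "vapp_author" {
  name = "vApp Author"
  rights = [
    "Organization vDC: View",
    "vApp: Sharing",
    "vApp: View ACL",
    "vApp: Edit Properties",
  ]
  publish_to_all_tenants = true
}
'''

# Assumed requirement set for the provider's access-control update path.
# Hypothetical: the exact rights needed are not stated on the page.
REQUIRED_FOR_VAPP_ACL = {
    "vApp: Sharing",
    "vApp: View ACL",
    "Organization: View",
}


def parse_rights(hcl: str) -> set[str]:
    """Return the set of quoted right names inside the role's rights = [ ... ] list."""
    match = re.search(r'rights\s*=\s*\[(.*?)\]', hcl, re.S)
    if match is None:
        raise ValueError("no rights list found in role definition")
    return set(re.findall(r'"([^"]*)"', match.group(1)))


def missing_rights(role_hcl: str, required: set[str]) -> list[str]:
    """List the required rights that the role does not grant, sorted for stable output."""
    return sorted(required - parse_rights(role_hcl))


if __name__ == "__main__":
    gap = missing_rights(ROLE_HCL, REQUIRED_FOR_VAPP_ACL)
    if gap:
        print("role is missing:", ", ".join(gap))
    else:
        print("role grants every required right")
```

Running this against the constructed role reports `Organization: View` as missing; swapping in a real role body and the rights an operation actually needs turns it into a cheap least-privilege gate that runs before `terraform apply` rather than surfacing as a runtime error in a pipeline.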