terraform-provider-vcd: BUG: Update of imported `vcd_org` overwrites LDAP configuration

Hi there,

After importing an existing vcd_org into Terraform, the apply fails.

Terraform Version

Terraform v0.15.4 on linux_amd64

  • provider registry.terraform.io/vmware/vcd v3.2.0

Affected Resource(s)

  • vcd_org

Terraform Configuration Files

I have created custom Terraform modules.

module "***-vcd-org" {
  source = "***"

  ## vcd org ##
  org_name              = var.org_name
  org_description       = "description"
  org_full_name         = "full_name"
}

Debug Output

go-vcloud-director.log: https://gist.github.com/bogi0704/155cafb68e6bcbfc609aeab49b73b638.js

Terraform (Shell) Output:

module.***-vcd-org.vcd_org.org: Modifying... [id=urn:vcloud:org:11327aa4-5cc5-476b-80f4-cb7ed9f75e88]
╷
│ Error: error updating Org error updating Org: API Error: 400: [ f289b47a-3d19-4069-9e4d-9979a0b348ed ] HTTP 400 Bad Request
│  - cvc-complex-type.2.4.a: Invalid content was found starting with element 'BackLinkIdentifier'. One of '{"http://www.vmware.com/vcloud/v1.5":MembershipIdentifier}' is expected.
│
│   with module.***-vcd-org.vcd_org.org,
│   on .terraform/modules/***-vcd-org/modules/***-vcd-org/main.tf line 1, in resource "vcd_org" "org":
│    1: resource "vcd_org" "org" {
│
╵

Expected Behavior

The planned changes (change the description of the Organization) should have been applied.

Actual Behavior

Terraform errored out.

Steps to Reproduce

  1. import an existing vcd_org into your Terraform state -> successful
  2. terraform plan -> successful
  3. terraform apply -> fails

About this issue

  • State: closed
  • Created 3 years ago
  • Comments: 28 (5 by maintainers)

Most upvoted comments

I have added a fix to the Org update: if an invalid LDAP is detected, it gets ignored. The right way of updating LDAP settings is through vcd_org_ldap. If you need to import an org with LDAP settings, you should import both resources. Only with this double resource can Terraform keep track of the Org LDAP configuration.

Thanks for testing it!

Using the newly implemented vcd_org_ldap resource, this problem should go away.

For example:

resource "vcd_org" "dummy" {
  name                            = "dummy"
  full_name                       = "dummy"
  is_enabled                      = "true"
  stored_vm_quota                 = 50
  deployed_vm_quota               = 50
  delete_force                    = "true"
  delete_recursive                = "true"
  can_publish_external_catalogs   = "true"
  can_subscribe_external_catalogs = "true"
  # description                     = "dummy org"


  vapp_lease {
    maximum_runtime_lease_in_sec          = 60*60*24*30 
    power_off_on_runtime_lease_expiration = false
    maximum_storage_lease_in_sec          = 0
    delete_on_storage_lease_expiration    = false
  }

  vapp_template_lease {
    maximum_storage_lease_in_sec       = 60*60*24*3
    delete_on_storage_lease_expiration = false
  }
}

resource "vcd_org_ldap" "dummy" {
  org_id    = vcd_org.dummy.id
  ldap_mode = "CUSTOM"
  custom_settings {
    server                  = "192.168.1.15"
    port                    = 389
    is_ssl                  = false
    username                = "cn=admin,dc=planetexpress,dc=com"
    password                = "GoodNewsEveryone"
    authentication_method   = "SIMPLE"
    base_distinguished_name = "dc=planetexpress,dc=com"
    connector_type          = "OPEN_LDAP"
    user_attributes {
      object_class                = "inetOrgPerson"
      unique_identifier           = "uid"
      display_name                = "cn"
      username                    = "uid"
      given_name                  = "givenName"
      surname                     = "sn"
      telephone                   = "telephoneNumber"
      group_membership_identifier = "dn"
      email                       = "mail"
    }
    group_attributes {
      name                        = "cn"
      object_class                = "group"
      membership                  = "member"
      unique_identifier           = "cn"
      group_membership_identifier = "dn"
    }
  }
  lifecycle {
    # password value does not get returned by GET
    ignore_changes = [custom_settings[0].password]
  }
}

I created this Org, with attached LDAP configuration. Then I removed the Org from terraform state (terraform state rm vcd_org.dummy), I imported it, and tried adding a description and changing the lease. Everything works as expected, using VCD 10.4.0.
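The maintainer comments above describe the failure (the server's XSD check found 'BackLinkIdentifier' where 'MembershipIdentifier' was expected, so the whole Org PUT was rejected) and the fix (an invalid LDAP block read back from the Org is ignored on update, and LDAP is managed through vcd_org_ldap). The Python below is an added illustration, not code from the provider or from go-vcloud-director: it reproduces that ordered-sequence check on a constructed, simplified Org body and shows the read-modify-write guard the fix describes. The child order in GROUP_ATTRIBUTE_SEQUENCE, the AdminOrg/Settings/OrgLdapSettings layout and the sample values are assumptions made for the example; only the namespace and the two element names come from the error message on this page.

```python
"""Added illustration (not provider code): reproduce the XSD sequence check that
rejected the Org update above, and the guard the fix describes (skip an invalid
LDAP block on update instead of resubmitting it)."""
import xml.etree.ElementTree as ET

VCLOUD_NS = "http://www.vmware.com/vcloud/v1.5"   # namespace named in the 400 error
NS = {"v": VCLOUD_NS}
ET.register_namespace("", VCLOUD_NS)             # serialize without ns0: prefixes

# ASSUMED child order of GroupAttributes, as (name, required). Only the two names
# in the error message come from the page; the rest mirror the group_attributes
# block of vcd_org_ldap and are an assumption made for this illustration.
GROUP_ATTRIBUTE_SEQUENCE = [
    ("ObjectClass", True),
    ("ObjectIdentifier", True),
    ("GroupName", True),
    ("Membership", True),
    ("MembershipIdentifier", True),
    ("BackLinkIdentifier", False),
]


def _local(tag):
    """'{ns}Name' -> 'Name'."""
    return tag.split("}", 1)[1] if tag.startswith("{") else tag


def check_sequence(element, sequence):
    """Walk the children of `element` against an ordered (name, required) list,
    the way an XSD <sequence> validator does. Return None on success, otherwise a
    message in the cvc-complex-type.2.4.a style quoted in the issue."""
    children = [_local(child.tag) for child in element]
    pos = 0
    for name, required in sequence:
        if pos < len(children) and children[pos] == name:
            pos += 1            # expected element present: consume it
        elif required:          # required element missing: report what we found instead
            found = children[pos] if pos < len(children) else "(end of element)"
            return ("Invalid content was found starting with element '%s'. "
                    "One of '{\"%s\":%s}' is expected." % (found, VCLOUD_NS, name))
        # optional element absent: move on to the next slot
    if pos < len(children):
        return "Unexpected element '%s' after the end of the sequence" % children[pos]
    return None


def check_org_ldap(org_xml):
    """Return None if the LDAP block in an Org body would pass the sequence check,
    else the validation message. The Settings/OrgLdapSettings/... path is assumed."""
    root = ET.fromstring(org_xml)
    groups = root.find(
        "v:Settings/v:OrgLdapSettings/v:CustomOrgLdapSettings/v:GroupAttributes", NS)
    if groups is None:
        return None     # no custom LDAP attributes (no LDAP block, or SYSTEM/NONE mode)
    return check_sequence(groups, GROUP_ATTRIBUTE_SEQUENCE)


def prepare_org_update(org_xml, new_description):
    """Read-modify-write guard in the spirit of the fix: change the description,
    and if the LDAP block read back from the API is invalid, drop it from the PUT
    body instead of resubmitting it (LDAP stays managed through vcd_org_ldap).
    Returns (body, ldap_dropped)."""
    root = ET.fromstring(org_xml)
    desc = root.find("v:Description", NS)
    if desc is None:
        desc = ET.Element("{%s}Description" % VCLOUD_NS)
        root.insert(0, desc)    # position is illustrative only
    desc.text = new_description
    dropped = False
    if check_org_ldap(org_xml) is not None:
        settings = root.find("v:Settings", NS)
        settings.remove(settings.find("v:OrgLdapSettings", NS))
        dropped = True
    return ET.tostring(root, encoding="unicode"), dropped


def _org_xml(group_attributes_inner):
    # Constructed, simplified Org body; element layout and values are assumptions.
    return ('<AdminOrg xmlns="%s" name="dummy"><Description>dummy org</Description>'
            '<Settings><OrgLdapSettings><OrgLdapMode>CUSTOM</OrgLdapMode>'
            '<CustomOrgLdapSettings><HostName>192.168.1.15</HostName>'
            '<GroupAttributes>%s</GroupAttributes></CustomOrgLdapSettings>'
            '</OrgLdapSettings></Settings></AdminOrg>' % (VCLOUD_NS, group_attributes_inner))


GOOD_ORG_XML = _org_xml(
    "<ObjectClass>group</ObjectClass><ObjectIdentifier>cn</ObjectIdentifier>"
    "<GroupName>cn</GroupName><Membership>member</Membership>"
    "<MembershipIdentifier>dn</MembershipIdentifier><BackLinkIdentifier>dn</BackLinkIdentifier>")
# Same body with MembershipIdentifier missing: the shape the server complained about.
BROKEN_ORG_XML = GOOD_ORG_XML.replace("<MembershipIdentifier>dn</MembershipIdentifier>", "")

if __name__ == "__main__":
    print("good  :", check_org_ldap(GOOD_ORG_XML))
    print("broken:", check_org_ldap(BROKEN_ORG_XML))
    body, dropped = prepare_org_update(BROKEN_ORG_XML, "description")
    print("ldap dropped on update:", dropped)
    print(body)
```

Run stand-alone, the broken body yields the same message the server returned in the issue, and prepare_org_update drops the LDAP block before the PUT instead of failing the whole update; the good body passes and its LDAP block is kept. The point for a provider is the one the maintainer makes: an Org update is a full-body write, so any part of that body the provider cannot round-trip faithfully (here the LDAP settings, whose password is not even returned by GET) must either be owned by a dedicated resource or left out of the write.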