minio_iam_user - Inconsistent result when changing password #582

Open
Bibz87 opened this issue Sep 13, 2024 · 5 comments

Bibz87 commented Sep 13, 2024

Description

Attempting to change a user's password results in this error:

╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to minio_iam_user.test, provider "provider[\"registry.terraform.io/aminueza/minio\"]" produced an unexpected new value: Root object was present, but now        
│ absent.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Sample configuration

terraform {
  required_providers {
    minio = {
      source  = "aminueza/minio"
      version = "~> 2.5"
    }
  }
}

variable "user_password" {
  description = "User password"
  type        = string
  sensitive   = true
  validation {
    condition     = length(var.user_password) >= 8
    error_message = "Password must have at least 8 characters"
  }
}

resource "minio_iam_user" "test" {
  name          = "test"
  secret        = var.user_password
  force_destroy = true
  tags = {
    managed-by = "terraform"
  }
}

resource "minio_iam_user_policy_attachment" "test" {
  user_name   = minio_iam_user.test.id
  policy_name = "readonly"
}

Steps to Reproduce

  1. Set provider's environment variables
  2. terraform init
  3. terraform apply (use any 8+ characters password)
  4. terraform apply (use a different password from previous step)
  5. Notice Terraform prints an inconsistency error and that the user has been deleted from MinIO

Expected behavior: Terraform updates the user's password

Actual behavior: Terraform deleted the user

Reproduces how often: 100%

Versions

Terraform v1.9.4
on windows_amd64
+ provider registry.terraform.io/aminueza/minio v2.5.0

Additional Information

Looks like the provider also doesn't like having a user being deleted outside Terraform when referenced in other resources. Attempting to do anything with the configuration (plan, apply or destroy) results in this error:

╷
│ Error: [FATAL] failed to load user Infos (test): The specified user does not exist. (Specified user does not exist)
│
│   with minio_iam_user_policy_attachment.test,
│   on main.tf line 29, in resource "minio_iam_user_policy_attachment" "test":
│   29: resource "minio_iam_user_policy_attachment" "test" {
│
╵

gudge25 commented Sep 18, 2024

Same on my side:
- First run after password change: error and user deleted
- Second run: user recreated as a new user


gudge25 commented Sep 18, 2024

'''2024-09-19T01:29:21.657+0200 [INFO] backend/local: apply calling Apply
2024-09-19T01:29:21.657+0200 [DEBUG] Building and walking apply graph for NormalMode plan
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_s3_bucket.this (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_iam_group_policy_attachment.this (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_iam_user.test" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_iam_group.this (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_iam_group_membership.this (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_ilm_policy.bucket_lifecycle_rules (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_iam_policy.this (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_iam_user.this (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.658+0200 [DEBUG] ProviderTransformer: "minio_iam_user.test (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/aminueza/minio"]
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_iam_user.test" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_iam_user.test (expand)" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_iam_group.this (expand)" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "local.filtered_bucket_names (expand)" references: [local.new_names (expand)]
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "local.bucket_names (expand)" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_iam_group_membership.this (expand)" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_s3_bucket.this (expand)" references: [local.bucket_names (expand)]
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_ilm_policy.bucket_lifecycle_rules (expand)" references: [local.bucket_names (expand)]
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "provider["registry.terraform.io/aminueza/minio"]" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_iam_policy.this (expand)" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_iam_group_policy_attachment.this (expand)" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "local.new_names (expand)" references: []
2024-09-19T01:29:21.659+0200 [DEBUG] ReferenceTransformer: "minio_iam_user.this (expand)" references: [local.bucket_names (expand)]
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: minio_iam_group.this (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: local.filtered_bucket_names (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: minio_iam_group_membership.this (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: minio_s3_bucket.this (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: minio_ilm_policy.bucket_lifecycle_rules (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: minio_iam_user.this (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: local.new_names (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: minio_iam_group_policy_attachment.this (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: local.bucket_names (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] pruneUnusedNodes: minio_iam_policy.this (expand) is no longer needed, removing
2024-09-19T01:29:21.660+0200 [DEBUG] Starting graph walk: walkApply
2024-09-19T01:29:21.661+0200 [DEBUG] created provider logger: level=debug
2024-09-19T01:29:21.661+0200 [INFO] provider: configuring client automatic mTLS
2024-09-19T01:29:21.669+0200 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/aminueza/minio/2.5.0/darwin_arm64/terraform-provider-minio_v2.5.0 args=[.terraform/providers/registry.terraform.io/aminueza/minio/2.5.0/darwin_arm64/terraform-provider-minio_v2.5.0]
2024-09-19T01:29:21.673+0200 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/aminueza/minio/2.5.0/darwin_arm64/terraform-provider-minio_v2.5.0 pid=89079
2024-09-19T01:29:21.673+0200 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/aminueza/minio/2.5.0/darwin_arm64/terraform-provider-minio_v2.5.0
2024-09-19T01:29:21.689+0200 [INFO] provider.terraform-provider-minio_v2.5.0: configuring server automatic mTLS: timestamp=2024-09-19T01:29:21.688+0200
2024-09-19T01:29:21.696+0200 [DEBUG] provider: using plugin: version=5
2024-09-19T01:29:21.696+0200 [DEBUG] provider.terraform-provider-minio_v2.5.0: plugin address: address=/var/folders/ps/lcq6km7x6ts2kwg1ntf09frm0000gn/T/plugin2125986001 network=unix timestamp=2024-09-19T01:29:21.696+0200
2024-09-19T01:29:21.706+0200 [WARN] ValidateProviderConfig from "provider["registry.terraform.io/aminueza/minio"]" changed the config value, but that value is unused
2024-09-19T01:29:21.708+0200 [WARN] Provider "registry.terraform.io/aminueza/minio" produced an invalid plan for minio_iam_user.test, but we are tolerating it because it is using the legacy plugin SDK.
The following problems may be the cause of any confusing errors from downstream operations:
- .update_secret: planned value cty.False for a non-computed attribute
- .disable_user: planned value cty.False for a non-computed attribute
minio_iam_user.test: Modifying... [id=test]
2024-09-19T01:29:21.709+0200 [INFO] Starting apply for minio_iam_user.test
2024-09-19T01:29:21.709+0200 [DEBUG] minio_iam_user.test: applying the planned Update change
2024-09-19T01:29:21.739+0200 [INFO] provider.terraform-provider-minio_v2.5.0: 2024/09/19 01:29:21 [DEBUG] Deleting IAM User request: test: timestamp=2024-09-19T01:29:21.739+0200
2024-09-19T01:29:22.524+0200 [DEBUG] State storage *statemgr.Filesystem declined to persist a state snapshot
2024-09-19T01:29:22.524+0200 [ERROR] vertex "minio_iam_user.test" error: Provider produced inconsistent result after apply

│ Error: Provider produced inconsistent result after apply

│ When applying changes to minio_iam_user.test, provider "provider["registry.terraform.io/aminueza/minio"]" produced an unexpected new value: Root
│ resource was present, but now absent.

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

2024-09-19T01:29:22.533+0200 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = error reading from server: EOF"
2024-09-19T01:29:22.535+0200 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/aminueza/minio/2.5.0/darwin_arm64/terraform-provider-minio_v2.5.0 pid=89079
2024-09-19T01:29:22.535+0200 [DEBUG] provider: plugin exited'''

@s-vitaliy
Contributor

It seems that the root cause of the issue is the following: if force_destroy = true was set and a user modification was requested, the provider deletes the user, which leads to an inconsistent result in terraform apply.

The bug was introduced in #141 and it can be reproduced with any resource referring to the user resource created with force_destroy = true.

It makes it impossible to modify any attributes of the user if force_destroy was set to true.
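
A pre-apply guard for the condition identified above, as an added example that is not part of the thread or the provider's code: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and lists every `minio_iam_user` planned for an in-place update while `force_destroy` is true. The function name and the sample plan are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// resourceChange is the subset of the `terraform show -json` plan used here.
type resourceChange struct {
	Address string `json:"address"`
	Type    string `json:"type"`
	Change  struct {
		Actions []string               `json:"actions"`
		After   map[string]interface{} `json:"after"`
	} `json:"change"`
}

// samplePlan is constructed for this example, not captured from a real run.
const samplePlan = `{"resource_changes":[
 {"address":"minio_iam_user.test","type":"minio_iam_user",
  "change":{"actions":["update"],"after":{"name":"test","force_destroy":true}}},
 {"address":"minio_iam_user.ci","type":"minio_iam_user",
  "change":{"actions":["update"],"after":{"name":"ci","force_destroy":false}}},
 {"address":"minio_iam_user_policy_attachment.test","type":"minio_iam_user_policy_attachment",
  "change":{"actions":["no-op"],"after":{"user_name":"test"}}}]}`

// riskyUserUpdates (hypothetical helper) lists minio_iam_user addresses planned
// for an in-place update while force_destroy is true, the case in this issue.
func riskyUserUpdates(planJSON []byte) ([]string, error) {
	var p struct {
		ResourceChanges []resourceChange `json:"resource_changes"`
	}
	if err := json.Unmarshal(planJSON, &p); err != nil {
		return nil, fmt.Errorf("parse plan JSON: %w", err)
	}
	var risky []string
	for _, rc := range p.ResourceChanges {
		a := rc.Change.Actions
		// A missing or non-boolean force_destroy is treated as false.
		forced, _ := rc.Change.After["force_destroy"].(bool)
		if rc.Type == "minio_iam_user" && len(a) == 1 && a[0] == "update" && forced {
			risky = append(risky, rc.Address)
		}
	}
	return risky, nil
}

func main() {
	fmt.Println(riskyUserUpdates([]byte(samplePlan)))
}
```

A pipeline can fail the run when the returned list is non-empty, so the plan is stopped before the apply step.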

@felladrin
Collaborator

Thanks for investigating it, @s-vitaliy!

Do you think it's possible to fix this bug without a breaking change?

@s-vitaliy
Contributor

Hi, @felladrin.

My team is very interested in fixing this issue, as it can lead to the Terraform state breaking, which would be a nightmare to fix.

Could you please elaborate on the user scenario behind the force_destroy property? It's not very clear to me from the minio_iam_user documentation in which cases a user can utilize this property.

It seems that we can remove the following code from the minioUpdateUser function:

	if iamUserConfig.MinioForceDestroy {
		return minioDeleteUser(ctx, d, meta)
	}

This change could lead to behavior changes visible to the users: if force_destroy = true is set and a modification of user properties has been requested, the user will no longer be deleted.

Anyway, to be honest, it's hard to imagine that someone expects the user to be deleted if terraform plan says that the user object should be modified.
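
The behaviour change discussed above, as an added example using a simplified in-memory model rather than the provider's code: the update path is run once with the `force_destroy` branch and once without it, and a read-back stands in for Terraform's post-apply consistency check. All type and function names (`userConfig`, `fakeIAM`, `updateUser`, `applyUpdate`) are hypothetical.

```go
package main

import (
	"errors"
	"fmt"
)

// userConfig mirrors the attributes from the issue's sample configuration.
type userConfig struct {
	Name, Secret string
	ForceDestroy bool
}

// fakeIAM is an in-memory stand-in for the MinIO user store: name -> secret.
type fakeIAM map[string]string

var errInconsistent = errors.New("root object was present, but now absent")

// updateUser models the update path. With legacyBranch set it behaves as the
// thread describes: force_destroy turns the requested update into a delete.
func updateUser(iam fakeIAM, cfg userConfig, legacyBranch bool) {
	if legacyBranch && cfg.ForceDestroy {
		delete(iam, cfg.Name)
		return
	}
	iam[cfg.Name] = cfg.Secret
}

// applyUpdate runs the update and then reads the user back. An in-place
// update that leaves no user behind is reported as an inconsistent result.
func applyUpdate(iam fakeIAM, cfg userConfig, legacyBranch bool) error {
	updateUser(iam, cfg, legacyBranch)
	if _, ok := iam[cfg.Name]; !ok {
		return errInconsistent
	}
	return nil
}

func main() {
	cfg := userConfig{Name: "test", Secret: "second-password", ForceDestroy: true}
	for _, legacy := range []bool{true, false} {
		iam := fakeIAM{"test": "first-password"} // state after the first apply
		err := applyUpdate(iam, cfg, legacy)
		fmt.Printf("legacyBranch=%v err=%v users=%d\n", legacy, err, len(iam))
	}
}
```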
