vsphere_entity_permissions resource drops other built-in externally managed permissions on next apply #1517

Closed
GolubevV opened this issue Nov 17, 2021 · 2 comments
Labels
acknowledged Status: Issue or Pull Request Acknowledged bug Type: Bug duplicate Status: Duplicate Issue

GolubevV commented Nov 17, 2021

Terraform Version

Terraform v1.0.5

vSphere Provider Version

2.0.2

Affected Resource(s)

  • vsphere_entity_permissions

Terraform Configuration Files

data "vsphere_folder" "vsphere_root_folder" {
  path = "/"
}

resource vsphere_role "cns_search_spbm" {
  name = "CNS-SEARCH-AND-SPBM"
  role_privileges = ["Cns.Searchable", "StorageProfile.View", "InventoryService.Tagging.ObjectAttachable"]
}

resource "vsphere_entity_permissions" "vsphere_search_spbm" {
  for_each = var.vsphere_user_permissions
  entity_type = "Folder"
  entity_id = data.vsphere_folder.vsphere_root_folder.id

  permissions {
    user_or_group = each.key
    propagate = false
    is_group = false
    role_id = vsphere_role.cns_search_spbm.id
  }
  
  # Commented out to reproduce
  #lifecycle {
  #  ignore_changes = [
  #   permissions
  #  ]
  #}
}

Debug Output

https://gist.github.com/GolubevV/d3831fbd6cbae3b94a64d46c687c8557

Expected Behavior

When using the vsphere_entity_permissions resource with an explicitly specified permissions block, the provider should be managing only that specific permission on the vSphere object, e.g. the configured permission entity between Rule, target and grantee.

Terraform should not be dropping permissions which it does not manage through the code. As an example, the AWS provider does not drop ingress/egress rules on a SecurityGroup object that are changed outside Terraform code.

Actual Behavior

At first execution, Terraform proposed to add the missing permission on the specified object (root folder), which is correct behaviour.
However, it looks like during apply it retrieves all permissions which have been assigned to the object and stores them in the state.
During the next run, Terraform proposes to drop all permissions except those which are configured in the code.
The only way to work around the situation and not drop some built-in permissions is to add a lifecycle/ignore_changes directive, but that will also cause all changes on the permissions managed by Terraform to be ignored, which defeats the whole purpose of using it.

Steps to Reproduce

  1. Add a vsphere_entity_permissions resource with the entity_id of some existing vSphere object of type Folder which has some built-in permissions already attached to it (did not test for other VMware objects).
  2. Run terraform plan/apply for the first time - it should propose to add the new permission.
  3. Successfully execute apply so that the Terraform state is updated.
  4. Run terraform plan/apply for the second time - it should propose to drop all other permissions (built-in and set outside Terraform) besides the one configured in the code.

References

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
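
An added example, not part of the original issue or the provider's code: a check over the JSON form of a plan (`terraform show -json <planfile>`) that lists the permission entries a `vsphere_entity_permissions` change would remove, which is the second-run situation reported above. The sample plan, account names and role ids are constructed, and the check assumes role ids are already known at plan time.

```python
RESOURCE_TYPE = "vsphere_entity_permissions"

def _key(entry):
    # Identity of one permission entry, using the attributes shown in the issue.
    return (entry.get("user_or_group"), bool(entry.get("is_group")),
            str(entry.get("role_id")), bool(entry.get("propagate")))

def dropped_permissions(plan):
    """Map resource address -> permission entries in prior state but not in the plan."""
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != RESOURCE_TYPE:
            continue
        change = rc.get("change") or {}
        # "before"/"after" are null for create/delete, hence the `or {}` guards.
        before = (change.get("before") or {}).get("permissions") or []
        after = (change.get("after") or {}).get("permissions") or []
        kept = {_key(e) for e in after}
        dropped = [e for e in before if _key(e) not in kept]
        if dropped:
            findings[rc["address"]] = dropped
    return findings

def _perm(user, role_id, is_group=False, propagate=False):
    return {"user_or_group": user, "is_group": is_group,
            "propagate": propagate, "role_id": role_id}

# Constructed sample: the second plan, after the first apply stored every
# permission found on the root folder in state (names and role ids are made up).
ADDR = 'vsphere_entity_permissions.vsphere_search_spbm["k8s@example.test"]'
SAMPLE_PLAN = {"resource_changes": [
    {"address": ADDR, "type": RESOURCE_TYPE, "change": {
        "actions": ["update"],
        "before": {"permissions": [
            _perm("k8s@example.test", "-1001"),
            _perm("EXAMPLE\\Administrators", "-1", is_group=True, propagate=True),
            _perm("svc-backup@example.test", "-2002", propagate=True)]},
        "after": {"permissions": [_perm("k8s@example.test", "-1001")]}}},
    {"address": "vsphere_role.cns_search_spbm", "type": "vsphere_role",
     "change": {"actions": ["no-op"], "before": {}, "after": {}}},
]}

if __name__ == "__main__":
    # Real use: json.load() the output of `terraform show -json <planfile>`.
    for address, entries in dropped_permissions(SAMPLE_PLAN).items():
        for e in entries:
            print(f"{address}: would remove {e['user_or_group']} (role {e['role_id']})")
```

Run in CI before apply, a non-empty result is a signal to stop and review which grantees would lose access to the entity.
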
@GolubevV GolubevV added the bug Type: Bug label Nov 17, 2021
@tenthirtyam tenthirtyam added acknowledged Status: Issue or Pull Request Acknowledged needs-triage Status: Issue Needs Triage labels Feb 5, 2022
@tenthirtyam tenthirtyam changed the title Resource vsphere_entity_permissions is dropping other built-in and set outside terraform code permissions on second run vsphere_entity_permissions resource drops other built-in externally managed permissions on next apply Feb 5, 2022
@tenthirtyam tenthirtyam added duplicate Status: Duplicate Issue and removed needs-triage Status: Issue Needs Triage labels Feb 19, 2022
tenthirtyam (Collaborator) commented

Duplicate of #1400.

Marking this issue as closed in favor of the original issue report.

Ryan Johnson
Staff II Solutions Architect | VMware, Inc.

github-actions commented

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Mar 22, 2022