Error when assigning a custom db role to a database user. #273

Closed
rifletcher opened this issue Jul 23, 2020 · 4 comments

@rifletcher

Hi,

I have an issue where I'm trying to create a custom db role to assign to a db user.

I am using terraform 0.12.26 and mongodbatlas provider 0.6.2.

resource "mongodbatlas_custom_db_role" "test_role" {
  project_id = mongodbatlas_project.mongodb_project.id
  role_name  = "testdatabaserole"

  actions {
    action = "INSERT"
    resources {
      collection_name = ""
      database_name   = "testdatabase"
    }
  }
  actions {
    action = "FIND"
    resources {
      collection_name = ""
      database_name   = "testdatabase"
    }
  }
  actions {
    action = "REMOVE"
    resources {
      collection_name = ""
      database_name   = "testdatabase"
    }
  }
  actions {
    action = "UPDATE"
    resources {
      collection_name = ""
      database_name   = "testdatabase"
    }
  }
}

resource "mongodbatlas_database_user" "test_user1" {
  username           = "testuser1"
  password           = "testpassword1"
  project_id         = mongodbatlas_project.mongodb_project.id
  auth_database_name = "admin"

  roles {
    role_name     = "testdatabaserole"
    database_name = "testdatabase"
  }
    
  depends_on = [
    mongodbatlas_custom_db_role.test_role
  ]
}

The error I get on a terraform apply is

module.atlas-mongodb.mongodbatlas_database_user.test_user1: Creating...

Error: error creating database user: POST https://cloud.mongodb.com/api/atlas/v1.0/groups/5f182ae0bf8cd52f1281face/databaseUsers: 400 (request "Bad Request") The provided role is not supported.

  on modules\atlas-mongodb\main.tf line 73, in resource "mongodbatlas_database_user" "test_user1":
  73: resource "mongodbatlas_database_user" "test_user1" {

The role is created successfully

The user is not created, although I can create a user from the UI with that role manually.

@themantissa
Collaborator

@rifletcher without more data I'm guessing a bit here based on experience, but I think there probably needs to be a bit more of a time buffer between the role creation and the user creation. Once the API gets the request to create the role, it returns immediately if the request is correct and accepted. The system then applies the new role to the clusters in the project. Once that is done, the user can be created with the new role. So depends_on is part of it, but you likely also need a time delay, perhaps something like this (not ideal, but a potential workaround):

provisioner "local-exec" {
  command = "sleep 90;"
}

The time is going to be variable, but if you have a project with a small number of clusters it should be relatively quick.

We are working on ways to make these kinds of interactions better in the underlying system as well but no ETA on that currently.

@themantissa
Collaborator

@rifletcher did the suggested time delay help in the situation?

@themantissa
Collaborator

@rifletcher hopefully the above helped. Closing issue.

@ed-dev-w

ed-dev-w commented Nov 18, 2022

Hi, I know this issue is closed but I am having the same issue.

The custom role is created to allow the user to just modify indexes and I added a wait:

resource "mongodbatlas_custom_db_role" "createIndex" {
  project_id = mongodbatlas_cluster.****.project_id
  role_name  = "createIndex"

  actions {
    action = "CREATE_INDEX"
    resources {
      database_name = "anyDatabase"
    }
  }
}

resource "time_sleep" "wait_30_seconds" {
  depends_on = [mongodbatlas_custom_db_role.createIndex]

  create_duration = "30s"
}

The user is created:

resource "mongodbatlas_database_user" "TestUser" {
  username           = "TestUser"
  password           = "FakePassword"
  project_id         = mongodbatlas_project.****_Project.id
  auth_database_name = "admin"

  roles {
    role_name     = "read"
    database_name = var.mongodb_atlas_databasename
  }

  roles {
    role_name     = "createIndex"
    database_name = var.mongodb_atlas_databasename
  }

  scopes {
    name = var.cluster_name
    type = "CLUSTER"
  }

  depends_on = [time_sleep.wait_30_seconds]
}

However, I still get the not supported error:

400 (request "UNSUPPORTED_ROLE") The provided role is not supported

It is occurring when the custom role is being linked to the user.
