Newer permissions should be added to the list of allowed permissions. #20

tobiangerstein · 2024-12-17T07:54:34Z

Current State:

The terraform provider compares the list of provided permissions in the permission set with the list of allowed permissions, which is defined here:

terraform-provider-instana/instana/restapi/groups-api.go

Line 72 in e2eac03

var SupportedInstanaPermissions = InstanaPermissions{

There are currently missing a bunch of permissions, which currently cannot be set:

CAN_CONFIGURE_WEBSITE_SMART_ALERTS
CAN_VIEW_SYNTHETIC_TESTS
CAN_VIEW_SYNTHETIC_LOCATIONS
CAN_VIEW_SYNTHETIC_TEST_RESULTS
CAN_MANUALLY_CLOSE_ISSUE

As I am currently not aware of any total list, I don't know, which additional permissions are still missing.

matihost · 2025-01-02T19:58:32Z

I reverse engineered build-in Owner group via

import {
 to = instana_rbac_group.Owner
 id = "-1"
}

and
terraform plan -generate-config-out=generated.tf

which resulted with:

resource "instana_rbac_group" "Owner" {
  name = "Owner"
  member {
    email   = "....."
    user_id = "......"
  }
  permission_set {
    application_ids             = []
    infra_dfq_filter            = null
    kubernetes_cluster_uuids    = []
    kubernetes_namespaces_uuids = []
    mobile_app_ids              = []
    permissions                 = ["CAN_CONFIGURE_AGENTS", "CAN_CONFIGURE_AGENT_RUN_MODE", "CAN_CONFIGURE_API_TOKENS", "CAN_CONFIGURE_APPLICATIONS", "CAN_CONFIGURE_APPLICATION_SMART_ALERTS", "CAN_CONFIGURE_AUTHENTICATION_METHODS", "CAN_CONFIGURE_AUTOMATION_ACTIONS", "CAN_CONFIGURE_AUTOMATION_POLICIES", "CAN_CONFIGURE_BIZOPS", "CAN_CONFIGURE_DATABASE_MANAGEMENT", "CAN_CONFIGURE_EUM_APPLICATIONS", "CAN_CONFIGURE_EVENTS_AND_ALERTS", "CAN_CONFIGURE_GLOBAL_ALERT_PAYLOAD", "CAN_CONFIGURE_GLOBAL_APPLICATION_SMART_ALERTS", "CAN_CONFIGURE_GLOBAL_INFRA_SMART_ALERTS", "CAN_CONFIGURE_GLOBAL_LOG_SMART_ALERTS", "CAN_CONFIGURE_GLOBAL_SYNTHETIC_SMART_ALERTS", "CAN_CONFIGURE_INTEGRATIONS", "CAN_CONFIGURE_LOG_MANAGEMENT", "CAN_CONFIGURE_LOG_RETENTION_PERIOD", "CAN_CONFIGURE_MAINTENANCE_WINDOWS", "CAN_CONFIGURE_MOBILE_APP_MONITORING", "CAN_CONFIGURE_MOBILE_APP_SMART_ALERTS", "CAN_CONFIGURE_PERSONAL_API_TOKENS", "CAN_CONFIGURE_RELEASES", "CAN_CONFIGURE_SERVICE_LEVEL_INDICATORS", "CAN_CONFIGURE_SERVICE_MAPPING", "CAN_CONFIGURE_SESSION_SETTINGS", "CAN_CONFIGURE_SYNTHETIC_CREDENTIALS", "CAN_CONFIGURE_SYNTHETIC_LOCATIONS", "CAN_CONFIGURE_SYNTHETIC_TESTS", "CAN_CONFIGURE_TEAMS", "CAN_CONFIGURE_USERS", "CAN_CONFIGURE_WEBSITE_SMART_ALERTS", "CAN_CREATE_HEAP_DUMP", "CAN_CREATE_PUBLIC_CUSTOM_DASHBOARDS", "CAN_CREATE_THREAD_DUMP", "CAN_DELETE_AUTOMATION_ACTION_HISTORY", "CAN_DELETE_LOGS", "CAN_EDIT_ALL_ACCESSIBLE_CUSTOM_DASHBOARDS", "CAN_INSTALL_NEW_AGENTS", "CAN_MANUALLY_CLOSE_ISSUE", "CAN_RUN_AUTOMATION_ACTIONS", "CAN_USE_SYNTHETIC_CREDENTIALS", "CAN_VIEW_ACCOUNT_AND_BILLING_INFORMATION", "CAN_VIEW_AUDIT_LOG", "CAN_VIEW_BIZOPS_ALERTS", "CAN_VIEW_BUSINESS_ACTIVITIES", "CAN_VIEW_BUSINESS_PROCESSES", "CAN_VIEW_BUSINESS_PROCESS_DETAILS", "CAN_VIEW_LOGS", "CAN_VIEW_LOG_VOLUME", "CAN_VIEW_SYNTHETIC_LOCATIONS", "CAN_VIEW_SYNTHETIC_TESTS", "CAN_VIEW_SYNTHETIC_TEST_RESULTS", "CAN_VIEW_TRACE_DETAILS"]
    website_ids                 = []
  }
}

Trying to create RBAC group with same set of permissions shows limitations of Instana TF provider with errors like:

  │ Error: expected permission_set.0.permissions.4 to be one of ["CAN_CONFIGURE_APPLICATIONS" "CAN_CONFIGURE_EUM_APPLICATIONS" "CAN_CONFIGURE_AGENTS" "CAN_VIEW_TRACE_DETAILS" "CAN_VIEW_LOGS" "CAN_CONFIGURE_SESSION_SETTINGS" "CAN_CONFIGURE_INTEGRATIONS" "CAN_CONFIGURE_GLOBAL_ALERT_CONFIGS" "CAN_CONFIGURE_GLOBAL_ALERT_PAYLOAD" "CAN_CONFIGURE_MOBILE_APP_MONITORING" "CAN_CONFIGURE_API_TOKENS" "CAN_CONFIGURE_SERVICE_LEVEL_INDICATORS" "CAN_CONFIGURE_AUTHENTICATION_METHODS" "CAN_CONFIGURE_RELEASES" "CAN_VIEW_AUDIT_LOG" "CAN_CONFIGURE_CUSTOM_ALERTS" "CAN_CONFIGURE_AGENT_RUN_MODE" "CAN_CONFIGURE_SERVICE_MAPPING" "CAN_EDIT_ALL_ACCESSIBLE_CUSTOM_DASHBOARDS" "CAN_CONFIGURE_USERS" "CAN_INSTALL_NEW_AGENTS" "CAN_CONFIGURE_TEAMS" "CAN_CREATE_PUBLIC_CUSTOM_DASHBOARDS" "CAN_CONFIGURE_LOG_MANAGEMENT" "CAN_VIEW_ACCOUNT_AND_BILLING_INFORMATION"], got CAN_CONFIGURE_APPLICATION_SMART_ALERTS

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Newer permissions should be added to the list of allowed permissions. #20

Newer permissions should be added to the list of allowed permissions. #20

tobiangerstein commented Dec 17, 2024

matihost commented Jan 2, 2025

Newer permissions should be added to the list of allowed permissions. #20

Newer permissions should be added to the list of allowed permissions. #20

Comments

tobiangerstein commented Dec 17, 2024

matihost commented Jan 2, 2025