Migrate from artifactory_permission_target to platform_permission #173

Open
xzhangatlassian opened this issue Dec 4, 2024 · 9 comments

@xzhangatlassian

Hi there,

I bumped the artifactory terraform provider from 9.8 to the latest 12.5.1. As a result I am forced to migrate to platform_permission. I have a permission like

resource "platform_permission" "permission-name" {
  name = "permission-name"

  artifact = {
    actions = {
      groups = [
        {
          name        = "migroup"
          permissions = []
        }
      ]
    }

    targets = [
      {
        name = module.repo.key
        include_patterns = ["**"]
      }
    ]
  }
}

I ran terraform import to import the existing resource into my tf state. However, when I run terraform plan, the terraform output says

          ~ targets = [
              - {
                  - include_patterns = [
                      - "**",
                    ] -> null
                  - name             = "docker-hub-cache" -> null
                },
              + {
                  + include_patterns = [
                      + "**",
                    ]
                  + name             = "docker-hub"
                },
            ]

Please notice the repo name will change from docker-hub-cache to docker-hub. Is that expected? Should I use the repo key docker-hub or the cache repo key docker-hub-cache?

Cheers,
Chandler

@alexhung
Member

alexhung commented Dec 4, 2024

@xzhangatlassian Can you confirm you have imported the correct resource? The repo name should not be different if it is from the same permission.

@alexhung alexhung added the question Further information is requested label Dec 4, 2024
@alexhung alexhung self-assigned this Dec 4, 2024
@xzhangatlassian
Author

@alexhung yep, I have imported the right resource. If I change my platform_permission to

 targets = [
      {
        name = "${module.repo.key}-cache"  # notice the -cache suffix here
        include_patterns = ["**"]
      }
    ]

Terraform plan will not change anything.

@alexhung
Member

alexhung commented Dec 4, 2024

@xzhangatlassian Odd. Which version of Artifactory are you using? Are you using SaaS or self-hosted? What type of repository is this? Local, remote, etc.?

I have not seen this behavior in either the old or new API.

@xzhangatlassian
Author

@alexhung I am running Artifactory on-prem 7.98.7. This only happens to remote repositories (thus the -cache suffix). No problem with local repos.

@alexhung
Member

alexhung commented Dec 5, 2024

@xzhangatlassian Indeed it's remote only. See the doc: https://jfrog.com/help/r/jfrog-artifactory-documentation/remote-repositories. I wonder how the -cache repo gets into your permission. It's not something Artifactory exposes to the UI or the API.

Do you see this docker-hub-cache repo in your permission list in the UI? Or the permission API response?

@xzhangatlassian
Author

The REST API response contains the -cache suffix, for example

        "npmjs-cache" : {
          "include_patterns" : [ "**" ],
          "exclude_patterns" : [ ]
        },

But not in the UI.

@alexhung
Member

alexhung commented Dec 5, 2024

@xzhangatlassian Thanks for the info. I'll try to reproduce this in my dev environment. Definitely not something I've seen before.

@alexhung
Member

alexhung commented Dec 9, 2024

@xzhangatlassian Whilst you can't create a permission in the UI for the -cache repo, you can using the REST API. Is it possible that in the past, something in your system created/updated the permissions with -cache repo name suffix?

@goodtune

Just reporting that I saw the same issue in our enterprise installation; all the repositories have been managed by the Artifactory terraform provider, so I strongly believe that the suffix has come from this.

My approach to the migration was to create new resources for each of the permission targets that I manage, with similar but slightly different names. I then wrote a script to compare the API results for each - that was how I became aware of the -cache suffix.

As I could not see any difference on the Web UI between the two resources, I went ahead and eventually removed the deprecated resources.

This approach worked well - it took two commits, but gave me an opportunity to verify.
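
The kind of comparison described in the comment above, as an added example that is not from the thread or from the provider: it diffs the repository targets of two permission API responses and separates real access differences from names that differ only by the -cache suffix. The `targets` map shape (taken from the response fragment quoted earlier in the thread), the function names, the `remote_keys` parameter and the sample data are assumptions.

```python
CACHE_SUFFIX = "-cache"
ANY = {"include_patterns": ["**"], "exclude_patterns": []}

# Constructed sample responses; the "targets" map shape follows the fragment
# quoted in the thread and is an assumption about the full response.
OLD_PERMISSION = {"name": "npm-readers",
                  "targets": {"npmjs-cache": ANY, "npm-local": ANY}}
NEW_PERMISSION = {"name": "npm-readers-v2",
                  "targets": {"npmjs": ANY,
                              "npm-local": {"include_patterns": ["team/**"],
                                            "exclude_patterns": []}}}


def base_key(repo_name, remote_keys):
    """Map 'X-cache' to 'X' only when X is a known remote repository key."""
    if repo_name.endswith(CACHE_SUFFIX):
        stem = repo_name[: -len(CACHE_SUFFIX)]
        if stem in remote_keys:
            return stem
    return repo_name


def normalise(permission, remote_keys):
    """Return {base repo key: (reported name, include set, exclude set)}."""
    out = {}
    for name, spec in permission.get("targets", {}).items():
        out[base_key(name, remote_keys)] = (
            name,
            frozenset(spec.get("include_patterns", [])),
            frozenset(spec.get("exclude_patterns", [])),
        )
    return out


def compare_targets(old, new, remote_keys):
    """List differences between two permissions' repository targets."""
    a, b = normalise(old, remote_keys), normalise(new, remote_keys)
    findings = []
    for key in sorted(a.keys() | b.keys()):
        if key not in a or key not in b:
            findings.append((key, "missing in " + ("old" if key not in a else "new")))
        elif a[key][1:] != b[key][1:]:
            findings.append((key, "patterns differ"))
        elif a[key][0] != b[key][0]:
            findings.append((key, f"name only: {a[key][0]} vs {b[key][0]}"))
    return findings


if __name__ == "__main__":
    print(compare_targets(OLD_PERMISSION, NEW_PERMISSION, {"npmjs"}))
```

A "patterns differ" or "missing" finding means the two permissions do not grant the same access and should be resolved before the deprecated resource is removed; a "name only" finding is the -cache naming difference discussed in this issue.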
