Account owner being removed results in a group with no owner
Summary
It is possible to remove the last person in the group and to have a situation where the group has no owner.
Steps to reproduce
- Use terraform and define users and resources
```hcl
terraform {
  backend "http" {
  }
}

resource "gitlab_group_membership" "exampleuser" {
  group_id     = gitlab_group.examplegroup.id
  user_id      = gitlab_user.exampleuser.id
  access_level = "owner"
}

resource "gitlab_group" "examplegroup" {
  name = "examplegroup"
  path = "examplegroup"
}

terraform {
  required_providers {
    gitlab = {
      source  = "gitlabhq/gitlab"
      version = "3.15.1"
    }
  }
}

variable "GITLAB_ACCESS_TOKEN" {
  type = string
}

provider "gitlab" {
  token = var.GITLAB_ACCESS_TOKEN
}

resource "gitlab_project" "gitlab-manage" {
  name                             = "GitLab Manage"
  namespace_id                     = gitlab_group.examplegroup.id
  remove_source_branch_after_merge = true
  shared_runners_enabled           = "true"
}

resource "gitlab_user" "exampleuser" {
  name             = "Example User"
  username         = "exampleuser"
  email            = "example@user.com"
  is_admin         = true
  can_create_group = true
  is_external      = false
}
```
- Run pipeline
```yaml
include:
  - template: Terraform.latest.gitlab-ci.yml

variables:
  TF_STATE_NAME: default
  TF_CACHE_KEY: default
  TF_ROOT: terraform
  TF_VAR_GITLAB_ACCESS_TOKEN: $GITLAB_ACCESS_TOKEN
```
- Destroy resources
- Observe as the users are removed from the group
Example Project
Currently not available.
What is the current bug behavior?
The owner is removed from the group
What is the expected correct behavior?
At least one user should remain in the group
Relevant logs and/or screenshots
- Note that the below IDs are sanitized
Running with gitlab-runner 15.1.0~beta.20.g62206bb2 (62206bb2)
on green-4.shared.runners-manager.gitlab.com/default ntHFEtyX
Resolving secrets 00:00
Preparing the "docker+machine" executor 00:11
Using Docker executor with image registry.gitlab.com/gitlab-org/terraform-images/stable:latest ...
Authenticating with credentials from job payload (GitLab Registry)
Pulling docker image registry.gitlab.com/gitlab-org/terraform-images/stable:latest ...
Using docker image sha256:764fe72b1590cf6b9ec9bc4c088dbeaef76d41694ab475aaecf64bf8b8322c94 for registry.gitlab.com/gitlab-org/terraform-images/stable:latest with digest registry.gitlab.com/gitlab-org/terraform-images/stable@sha256:85ef4c5f18dca0e28d106741d7a9fd8f50b1beb8599d3571614ccf83cecc100f ...
Preparing environment 00:01
Running on runner-nthfetyx-project-123456-concurrent-0 via runner-nthfetyx-shared-1656011042-f5703aec...
Getting source from Git repository 00:02
$ eval "$CI_PRE_CLONE_SCRIPT"
Fetching changes with git depth set to 20...
Initialized empty Git repository in /builds/project-name/gitlab-manage/.git/
Created fresh repository.
Checking out 691723a7 as main...
Skipping Git submodules setup
Restoring cache 00:01
Checking cache for terraform-protected...
Downloading cache.zip from https://storage.googleapis.com/gitlab-com-runners-cache/project/123456/terraform-protected
Successfully extracted cache
Downloading artifacts 00:01
Downloading artifacts for build (2633059180)...
Downloading artifacts from coordinator... ok id=2633059180 responseStatus=200 OK token=nkVZT_N3
Executing "step_script" stage of the job script 00:05
Using docker image sha256:764fe72b1590cf6b9ec9bc4c088dbeaef76d41694ab475aaecf64bf8b8322c94 for registry.gitlab.com/gitlab-org/terraform-images/stable:latest with digest registry.gitlab.com/gitlab-org/terraform-images/stable@sha256:85ef4c5f18dca0e28d106741d7a9fd8f50b1beb8599d3571614ccf83cecc100f ...
$ cd "${TF_ROOT}"
$ gitlab-terraform apply
Initializing the backend...
Successfully configured the backend "http"! Terraform will automatically
use this backend unless the backend configuration changes.
Initializing provider plugins...
- Finding gitlabhq/gitlab versions matching "3.15.1"...
- Installing gitlabhq/gitlab v3.15.1...
- Installed gitlabhq/gitlab v3.15.1 (signed by a HashiCorp partner, key ID BC097C3333027B14)
Partner and community providers are signed by their developers.
If you'd like to know more about provider signing, you can read about it here:
https://www.terraform.io/docs/cli/plugins/signing.html
Terraform has created a lock file .terraform.lock.hcl to record the provider
selections it made above. Include this file in your version control repository
so that Terraform can guarantee to make the same selections by default when
you run "terraform init" in the future.
Terraform has been successfully initialized!
gitlab_group_membership.a-lastname: Destroying... [id=123456:5001]
gitlab_group_membership.b-lastname: Destroying... [id=123456:5002]
gitlab_group_membership.c-lastname: Destroying... [id=123456:5003]
gitlab_group_membership.d-lastname: Destroying... [id=123456:5004]
gitlab_group_membership.f-lastname: Destroying... [id=123456:5005]
gitlab_group_membership.f-lastname: Destruction complete after 1s
gitlab_user.f-lastname: Destroying... [id=5005]
gitlab_group_membership.c-lastname: Destruction complete after 1s
gitlab_user.c-lastname: Destroying... [id=5003]
gitlab_group_membership.a-lastname: Destruction complete after 1s
gitlab_user.a-lastname: Destroying... [id=5001]
╷
│ Error: DELETE https://gitlab.com/api/v4/users/5003: 403 {message: 403 Forbidden}
│
│
╵
╷
│ Error: DELETE https://gitlab.com/api/v4/users/5001: 403 {message: 403 Forbidden}
│
│
╵
╷
│ Error: DELETE https://gitlab.com/api/v4/groups/123456/members/5004: 403 {message: 403 Forbidden}
│
│
╵
╷
│ Error: DELETE https://gitlab.com/api/v4/groups/123456/members/5002: 403 {message: 403 Forbidden}
│
│
╵
╷
│ Error: DELETE https://gitlab.com/api/v4/users/5005: 403 {message: 403 Forbidden}
│
│
╵
╷
│ Error: Failed to save state
│
│ Error saving state: HTTP error: 404
╵
╷
│ Error: Failed to persist state to backend
│
│ The error shown above has prevented Terraform from writing the updated
│ state to the configured backend. To allow for recovery, the state has been
│ written to the file "errored.tfstate" in the current working directory.
│
│ Running "terraform apply" again at this point will create a forked state,
│ making it harder to recover.
│
│ To retry writing this state, use the following command:
│ terraform state push errored.tfstate
│
╵
╷
│ Error: Error releasing the state lock
│
│ Error message: Unexpected HTTP response code 404
│
│ Terraform acquires a lock when accessing your state to prevent others
│ running Terraform to potentially modify the state at the same time. An
│ error occurred while releasing this lock. This could mean that the lock
│ did or did not release properly. If the lock didn't release properly,
│ Terraform may not be able to run future commands since it'll appear as if
│ the lock is held.
│
│ In this scenario, please call the "force-unlock" command to unlock the
│ state manually. This is a very dangerous operation since if it is done
│ erroneously it could result in two people modifying state at the same time.
│ Only call this command if you're certain that the unlock above failed and
│ that no one else is holding a lock.
╵
Cleaning up project directory and file based variables 00:01
ERROR: Job failed: exit code 1
Output of checks
This bug happens on GitLab.com, GitLab Enterprise Edition 15.2.0-pre c26682b7
Possible fixes
Edited by Artur Salii
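A pre-apply guard for the situation reported above, as an added example that is not part of the original issue or of the GitLab provider: it reads the JSON form of a saved plan (`terraform show -json <planfile>`) and reports every group whose `gitlab_group_membership` owners would all be deleted or demoted. The sample plan, resource names and IDs are constructed, and the check only sees memberships managed in the same Terraform state, so owners added outside Terraform are an unchecked assumption.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output;
# resource names and IDs are invented for illustration.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "gitlab_group_membership.a", "type": "gitlab_group_membership",
         "change": {"actions": ["delete"],
                    "before": {"group_id": "123456", "user_id": 5001, "access_level": "owner"},
                    "after": None}},
        {"address": "gitlab_group_membership.b", "type": "gitlab_group_membership",
         "change": {"actions": ["delete"],
                    "before": {"group_id": "123456", "user_id": 5002, "access_level": "developer"},
                    "after": None}},
        {"address": "gitlab_group_membership.c", "type": "gitlab_group_membership",
         "change": {"actions": ["update"],
                    "before": {"group_id": "777", "user_id": 5003, "access_level": "owner"},
                    "after": {"group_id": "777", "user_id": 5003, "access_level": "maintainer"}}},
        {"address": "gitlab_group_membership.d", "type": "gitlab_group_membership",
         "change": {"actions": ["no-op"],
                    "before": {"group_id": "777", "user_id": 5004, "access_level": "owner"},
                    "after": {"group_id": "777", "user_id": 5004, "access_level": "owner"}}},
    ]
})


def groups_losing_all_owners(plan_json):
    """Return {group_id: [addresses]} for groups left with no Terraform-managed owner."""
    before, after = {}, {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") != "gitlab_group_membership":
            continue
        change = rc["change"]
        # "before" is the current state, "after" the planned one (None on delete).
        for state, bucket in ((change.get("before"), before), (change.get("after"), after)):
            if state and state.get("access_level") == "owner":
                bucket.setdefault(str(state.get("group_id")), []).append(rc["address"])
    # A group is at risk when it had managed owners and none survive the plan.
    return {gid: addrs for gid, addrs in before.items() if gid not in after}


if __name__ == "__main__":
    for gid, addrs in groups_losing_all_owners(SAMPLE_PLAN).items():
        print(f"group {gid}: plan removes every managed owner: {', '.join(addrs)}")
```

Run as a CI step between plan and apply, a non-empty result is a reason to stop the job; a group that is itself scheduled for deletion is still reported, because a partially failed destroy like the one in the log above can remove the memberships and leave the group behind.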