cyberark
diff --git a/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions b/‎CHANGELOG.md‎
Lines changed: 9 additions & 0 deletions
diff --git a/‎internal/cyberark/client.go‎
Lines changed: 7 additions & 1 deletion b/‎internal/cyberark/client.go‎
Lines changed: 7 additions & 1 deletion
diff --git a/‎internal/cyberark/error.go‎
Lines changed: 32 additions & 0 deletions b/‎internal/cyberark/error.go‎
Lines changed: 32 additions & 0 deletions
diff --git a/‎internal/cyberark/pam.go‎
Lines changed: 30 additions & 52 deletions b/‎internal/cyberark/pam.go‎
Lines changed: 30 additions & 52 deletions
@@ -4,6 +4,15 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](http://keepachangelog.com/en/1.0.0/)
 and this project adheres to [Semantic Versioning](http://semver.org/spec/v2.0.0.html).
 
+## [0.3.1] - 2025-04-23
+
+### Fixed
+- Provide error messages from the API back to the user
+- Make `retention` and `purge` fields for safes `computed` so the API can provide default values if they are not user-provided
+- Safe resource update should look at safe members in the plan, not the existing state
+- Handle removing or adding the optional `address` property when updating an account
+- Fix crash when debug logging is enabled
+
 ## [0.3.0] - 2025-04-11
 
 ### Added
 
@@ -54,12 +54,18 @@ func (c *Client) DoRequest(ctx context.Context, method string, path string, body
 
 	if c.logResponse {
 		responseBody, err := io.ReadAll(response.Body)
+
+		var url url.URL
+		if req.URL != nil {
+			url = *req.URL
+		}
+
 		if err == nil && len(responseBody) > 0 {
 			tflog.Debug(
 				ctx,
 				"Response from CyberArk API",
 				map[string]interface{}{
-					"request_url":     req.URL,
+					"request_url":     url.String(),
 					"method":          method,
 					"response_status": response.Status,
 					"response_body":   string(responseBody),
 
@@ -0,0 +1,32 @@
+package cyberark
+
+import (
+	"encoding/json"
+	"errors"
+	"fmt"
+	"io"
+)
+
+func APIErrorFromResponse(code int, body io.ReadCloser) error {
+	errorStr := fmt.Sprintf("HTTP status code %d", code)
+
+	var jsonError interface{}
+	err := json.NewDecoder(body).Decode(&jsonError)
+	if err != nil {
+		return errors.New(errorStr)
+	}
+
+	if jsonError != nil {
+		if jsonErrorStr, ok := jsonError.(string); ok {
+			// If the error is a string, just append it to the error message
+			errorStr = fmt.Sprintf("%s\n\n%s", errorStr, jsonErrorStr)
+		} else {
+			prettyJSON, err := json.MarshalIndent(jsonError, "", "  ")
+			if err == nil {
+				errorStr = fmt.Sprintf("%s\n%s", errorStr, string(prettyJSON))
+			}
+		}
+	}
+
+	return errors.New(errorStr)
+}
@@ -70,11 +70,8 @@ func (a *pamAPI) AddAccount(ctx context.Context, credential Credential) (*Creden
 		return nil, err
 	}
 
-	if response.StatusCode == 409 {
-		tflog.Info(ctx, fmt.Sprintf("Account [%s] already exists.", *credential.Name))
-		return nil, nil
-	} else if response.StatusCode != 201 {
-		return nil, fmt.Errorf("failed to add account, expected status code 201, got %d", response.StatusCode)
+	if response.StatusCode != 201 {
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	createdAccount := CredentialResponse{}
@@ -83,9 +80,6 @@ func (a *pamAPI) AddAccount(ctx context.Context, credential Credential) (*Creden
 		return nil, err
 	}
 
-	tflog.Info(ctx, fmt.Sprintf("Successfully added new account [%s]: Name [%s] - ID [%v]",
-		*createdAccount.UserName, *createdAccount.Name, *createdAccount.CredID))
-
 	return &createdAccount, nil
 }
 
@@ -104,7 +98,7 @@ func (a *pamAPI) GetAccount(ctx context.Context, accountID string) (*CredentialR
 	}
 
 	if response.StatusCode != 200 {
-		return nil, fmt.Errorf("failed to get account. Expected status code 200, got %d", response.StatusCode)
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	account := CredentialResponse{}
@@ -133,7 +127,7 @@ func (a *pamAPI) FilterAccounts(ctx context.Context, search string, filter []str
 	}
 
 	if response.StatusCode != 200 {
-		return nil, fmt.Errorf("failed to filter accounts. Expected status code 200, got %d", response.StatusCode)
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	searchAccounts := CredentialSearchResponse{}
@@ -198,8 +192,7 @@ func (a *pamAPI) UpdateAccount(ctx context.Context, accountID string, credential
 	}
 
 	if response.StatusCode != 200 {
-		tflog.Error(ctx, fmt.Sprintf("failed to update account, got response: %s", response.Body))
-		return nil, fmt.Errorf("failed to update account. Expected status code 200, got %d", response.StatusCode)
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	updatedAccount := CredentialResponse{}
@@ -208,9 +201,6 @@ func (a *pamAPI) UpdateAccount(ctx context.Context, accountID string, credential
 		return nil, err
 	}
 
-	tflog.Info(ctx, fmt.Sprintf("Successfully updated account [%s]: Name [%s] - ID [%v]",
-		*updatedAccount.UserName, *updatedAccount.Name, *updatedAccount.CredID))
-
 	return &updatedAccount, nil
 }
 
@@ -237,6 +227,19 @@ func generateAccountPatch(existing *CredentialResponse, desired *Credential) ([]
 			"path":  "/address",
 			"value": *desired.Address,
 		})
+	} else if desired.Address != nil && existing.Address == nil {
+		// If existing has no address but desired does, add it
+		patch = append(patch, map[string]interface{}{
+			"op":    "add",
+			"path":  "/address",
+			"value": *desired.Address,
+		})
+	} else if desired.Address == nil && existing.Address != nil {
+		// If existing has an address but desired does not, remove it
+		patch = append(patch, map[string]interface{}{
+			"op":   "remove",
+			"path": "/address",
+		})
 	}
 
 	if desired.UserName != nil && existing.UserName != nil && *existing.UserName != *desired.UserName {
@@ -332,11 +335,9 @@ func (a *pamAPI) DeleteAccount(ctx context.Context, accountID string) error {
 	}
 
 	if response.StatusCode != 204 {
-		tflog.Error(ctx, fmt.Sprintf("failed to delete account, got response: %s", response.Body))
-		return fmt.Errorf("failed to delete account. Expected status code 204, got %d", response.StatusCode)
+		return APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
-	tflog.Info(ctx, fmt.Sprintf("Successfully deleted account with ID [%s]", accountID))
 	return nil
 }
 
@@ -359,11 +360,8 @@ func (a *pamAPI) AddSafe(ctx context.Context, safe SafeData) (*SafeData, error)
 		return nil, err
 	}
 
-	if response.StatusCode == 409 {
-		tflog.Info(ctx, fmt.Sprintf("Safe [%s] already exists.", *safe.Name))
-		return nil, nil
-	} else if response.StatusCode != 201 {
-		return nil, fmt.Errorf("failed to add safe, expected status code 201, got %d", response.StatusCode)
+	if response.StatusCode != 201 {
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	savedSafe := SafeData{}
@@ -372,9 +370,6 @@ func (a *pamAPI) AddSafe(ctx context.Context, safe SafeData) (*SafeData, error)
 		return nil, err
 	}
 
-	tflog.Info(ctx, fmt.Sprintf("Successfully added new safe [%s]: Name [%s] - ID [%v]",
-		*savedSafe.Name, *savedSafe.URLID, *savedSafe.NUMBER))
-
 	return &savedSafe, nil
 }
 
@@ -393,7 +388,7 @@ func (a *pamAPI) GetSafe(ctx context.Context, safeID string) (*SafeData, error)
 	}
 
 	if response.StatusCode != 200 {
-		return nil, fmt.Errorf("failed to get safe. Expected status code 200, got %d", response.StatusCode)
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	safe := SafeData{}
@@ -425,8 +420,7 @@ func (a *pamAPI) UpdateSafe(ctx context.Context, safeID string, safe SafeData) (
 	}
 
 	if response.StatusCode != 200 {
-		tflog.Error(ctx, fmt.Sprintf("failed to update safe, got response: %s", response.Body))
-		return nil, fmt.Errorf("failed to update safe. Expected status code 200, got %d", response.StatusCode)
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	updatedSafe := SafeData{}
@@ -435,9 +429,6 @@ func (a *pamAPI) UpdateSafe(ctx context.Context, safeID string, safe SafeData) (
 		return nil, err
 	}
 
-	tflog.Info(ctx, fmt.Sprintf("Successfully updated safe [%s]: Name [%s] - ID [%v]",
-		*updatedSafe.Name, *updatedSafe.URLID, *updatedSafe.NUMBER))
-
 	return &updatedSafe, nil
 }
 
@@ -456,11 +447,9 @@ func (a *pamAPI) DeleteSafe(ctx context.Context, safeID string) error {
 	}
 
 	if response.StatusCode != 204 {
-		tflog.Error(ctx, fmt.Sprintf("failed to delete safe, got response: %s", response.Body))
-		return fmt.Errorf("failed to delete safe. Expected status code 204, got %d", response.StatusCode)
+		return APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
-	tflog.Info(ctx, fmt.Sprintf("Successfully deleted safe with ID [%s]", safeID))
 	return nil
 }
 
@@ -489,11 +478,8 @@ func (a *pamAPI) AddSafeMember(ctx context.Context, safe SafeData) (*Member, err
 		return nil, err
 	}
 
-	if response.StatusCode == 409 {
-		tflog.Info(ctx, fmt.Sprintf("Safe [%s] already has member [%s].", *safe.Name, *safe.Owner))
-		return nil, nil
-	} else if response.StatusCode != 201 {
-		return nil, fmt.Errorf("failed to add safe member, expected status code 201, got %d", response.StatusCode)
+	if response.StatusCode != 201 {
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	safeMember := Member{}
@@ -520,7 +506,7 @@ func (a *pamAPI) GetSafeMember(ctx context.Context, safe SafeData) (*Member, err
 	}
 
 	if response.StatusCode != 200 {
-		return nil, fmt.Errorf("failed to get safe member. Expected status code 200, got %d", response.StatusCode)
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
 	safeMember := Member{}
@@ -565,18 +551,14 @@ func (a *pamAPI) UpdateSafeMember(ctx context.Context, safe SafeData) (*Member,
 	}
 
 	if response.StatusCode != 200 {
-		tflog.Error(ctx, fmt.Sprintf("failed to update safe member, got response: %s", response.Body))
-		return nil, fmt.Errorf("failed to update safe member, expected status code 200, got %d", response.StatusCode)
+		return nil, APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
-	tflog.Info(ctx, fmt.Sprintf("Successfully updated member [%s] permissions in safe [%s]", *safe.Owner, *safe.Name))
 	return &updatedSafeMember, nil
 }
 
 // DeleteSafeMember deletes a safe member from the SecretsHub.
 func (a *pamAPI) DeleteSafeMember(ctx context.Context, safeName string, memberName string) error {
-	tflog.Debug(ctx, fmt.Sprintf("Attempting to delete member [%s] from safe [%s]", memberName, safeName))
-
 	response, err := a.client.DoRequest(
 		ctx,
 		"DELETE",
@@ -589,14 +571,10 @@ func (a *pamAPI) DeleteSafeMember(ctx context.Context, safeName string, memberNa
 		return err
 	}
 
-	if response.StatusCode == 404 {
-		tflog.Info(ctx, fmt.Sprintf("Member [%s] not found in safe [%s]", memberName, safeName))
-		return nil
-	} else if response.StatusCode != 204 {
-		return fmt.Errorf("failed to delete safe member, expected status code 204, got %d", response.StatusCode)
+	if response.StatusCode != 204 {
+		return APIErrorFromResponse(response.StatusCode, response.Body)
 	}
 
-	tflog.Info(ctx, fmt.Sprintf("Successfully removed member [%s] from safe [%s]", memberName, safeName))
 	return nil
 }
Original file line number	Diff line number	Diff line change
`@@ -70,11 +70,8 @@ func (a pamAPI) AddAccount(ctx context.Context, credential Credential) (Creden`
`70`	`70`	`return nil, err`
`71`	`71`	`}`
`72`	`72`
`73`		`- if response.StatusCode == 409 {`
`74`		`- tflog.Info(ctx, fmt.Sprintf("Account [%s] already exists.", *credential.Name))`
`75`		`- return nil, nil`
`76`		`- } else if response.StatusCode != 201 {`
`77`		`- return nil, fmt.Errorf("failed to add account, expected status code 201, got %d", response.StatusCode)`
	`73`	`+ if response.StatusCode != 201 {`
	`74`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`78`	`75`	`}`
`79`	`76`
`80`	`77`	`createdAccount := CredentialResponse{}`
`@@ -83,9 +80,6 @@ func (a pamAPI) AddAccount(ctx context.Context, credential Credential) (Creden`
`83`	`80`	`return nil, err`
`84`	`81`	`}`
`85`	`82`
`86`		`- tflog.Info(ctx, fmt.Sprintf("Successfully added new account [%s]: Name [%s] - ID [%v]",`
`87`		`- createdAccount.UserName, createdAccount.Name, *createdAccount.CredID))`
`88`		`-`
`89`	`83`	`return &createdAccount, nil`
`90`	`84`	`}`
`91`	`85`
`@@ -104,7 +98,7 @@ func (a pamAPI) GetAccount(ctx context.Context, accountID string) (CredentialR`
`104`	`98`	`}`
`105`	`99`
`106`	`100`	`if response.StatusCode != 200 {`
`107`		`- return nil, fmt.Errorf("failed to get account. Expected status code 200, got %d", response.StatusCode)`
	`101`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`108`	`102`	`}`
`109`	`103`
`110`	`104`	`account := CredentialResponse{}`
`@@ -133,7 +127,7 @@ func (a *pamAPI) FilterAccounts(ctx context.Context, search string, filter []str`
`133`	`127`	`}`
`134`	`128`
`135`	`129`	`if response.StatusCode != 200 {`
`136`		`- return nil, fmt.Errorf("failed to filter accounts. Expected status code 200, got %d", response.StatusCode)`
	`130`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`137`	`131`	`}`
`138`	`132`
`139`	`133`	`searchAccounts := CredentialSearchResponse{}`
`@@ -198,8 +192,7 @@ func (a *pamAPI) UpdateAccount(ctx context.Context, accountID string, credential`
`198`	`192`	`}`
`199`	`193`
`200`	`194`	`if response.StatusCode != 200 {`
`201`		`- tflog.Error(ctx, fmt.Sprintf("failed to update account, got response: %s", response.Body))`
`202`		`- return nil, fmt.Errorf("failed to update account. Expected status code 200, got %d", response.StatusCode)`
	`195`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`203`	`196`	`}`
`204`	`197`
`205`	`198`	`updatedAccount := CredentialResponse{}`
`@@ -208,9 +201,6 @@ func (a *pamAPI) UpdateAccount(ctx context.Context, accountID string, credential`
`208`	`201`	`return nil, err`
`209`	`202`	`}`
`210`	`203`
`211`		`- tflog.Info(ctx, fmt.Sprintf("Successfully updated account [%s]: Name [%s] - ID [%v]",`
`212`		`- updatedAccount.UserName, updatedAccount.Name, *updatedAccount.CredID))`
`213`		`-`
`214`	`204`	`return &updatedAccount, nil`
`215`	`205`	`}`
`216`	`206`
`@@ -237,6 +227,19 @@ func generateAccountPatch(existing CredentialResponse, desired Credential) ([]`
`237`	`227`	`"path": "/address",`
`238`	`228`	`"value": *desired.Address,`
`239`	`229`	`})`
	`230`	`+ } else if desired.Address != nil && existing.Address == nil {`
	`231`	`+ // If existing has no address but desired does, add it`
	`232`	`+ patch = append(patch, map[string]interface{}{`
	`233`	`+ "op": "add",`
	`234`	`+ "path": "/address",`
	`235`	`+ "value": *desired.Address,`
	`236`	`+ })`
	`237`	`+ } else if desired.Address == nil && existing.Address != nil {`
	`238`	`+ // If existing has an address but desired does not, remove it`
	`239`	`+ patch = append(patch, map[string]interface{}{`
	`240`	`+ "op": "remove",`
	`241`	`+ "path": "/address",`
	`242`	`+ })`
`240`	`243`	`}`
`241`	`244`
`242`	`245`	`if desired.UserName != nil && existing.UserName != nil && existing.UserName != desired.UserName {`
`@@ -332,11 +335,9 @@ func (a *pamAPI) DeleteAccount(ctx context.Context, accountID string) error {`
`332`	`335`	`}`
`333`	`336`
`334`	`337`	`if response.StatusCode != 204 {`
`335`		`- tflog.Error(ctx, fmt.Sprintf("failed to delete account, got response: %s", response.Body))`
`336`		`- return fmt.Errorf("failed to delete account. Expected status code 204, got %d", response.StatusCode)`
	`338`	`+ return APIErrorFromResponse(response.StatusCode, response.Body)`
`337`	`339`	`}`
`338`	`340`
`339`		`- tflog.Info(ctx, fmt.Sprintf("Successfully deleted account with ID [%s]", accountID))`
`340`	`341`	`return nil`
`341`	`342`	`}`
`342`	`343`
`@@ -359,11 +360,8 @@ func (a pamAPI) AddSafe(ctx context.Context, safe SafeData) (SafeData, error)`
`359`	`360`	`return nil, err`
`360`	`361`	`}`
`361`	`362`
`362`		`- if response.StatusCode == 409 {`
`363`		`- tflog.Info(ctx, fmt.Sprintf("Safe [%s] already exists.", *safe.Name))`
`364`		`- return nil, nil`
`365`		`- } else if response.StatusCode != 201 {`
`366`		`- return nil, fmt.Errorf("failed to add safe, expected status code 201, got %d", response.StatusCode)`
	`363`	`+ if response.StatusCode != 201 {`
	`364`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`367`	`365`	`}`
`368`	`366`
`369`	`367`	`savedSafe := SafeData{}`
`@@ -372,9 +370,6 @@ func (a pamAPI) AddSafe(ctx context.Context, safe SafeData) (SafeData, error)`
`372`	`370`	`return nil, err`
`373`	`371`	`}`
`374`	`372`
`375`		`- tflog.Info(ctx, fmt.Sprintf("Successfully added new safe [%s]: Name [%s] - ID [%v]",`
`376`		`- savedSafe.Name, savedSafe.URLID, *savedSafe.NUMBER))`
`377`		`-`
`378`	`373`	`return &savedSafe, nil`
`379`	`374`	`}`
`380`	`375`
`@@ -393,7 +388,7 @@ func (a pamAPI) GetSafe(ctx context.Context, safeID string) (SafeData, error)`
`393`	`388`	`}`
`394`	`389`
`395`	`390`	`if response.StatusCode != 200 {`
`396`		`- return nil, fmt.Errorf("failed to get safe. Expected status code 200, got %d", response.StatusCode)`
	`391`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`397`	`392`	`}`
`398`	`393`
`399`	`394`	`safe := SafeData{}`
`@@ -425,8 +420,7 @@ func (a *pamAPI) UpdateSafe(ctx context.Context, safeID string, safe SafeData) (`
`425`	`420`	`}`
`426`	`421`
`427`	`422`	`if response.StatusCode != 200 {`
`428`		`- tflog.Error(ctx, fmt.Sprintf("failed to update safe, got response: %s", response.Body))`
`429`		`- return nil, fmt.Errorf("failed to update safe. Expected status code 200, got %d", response.StatusCode)`
	`423`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`430`	`424`	`}`
`431`	`425`
`432`	`426`	`updatedSafe := SafeData{}`
`@@ -435,9 +429,6 @@ func (a *pamAPI) UpdateSafe(ctx context.Context, safeID string, safe SafeData) (`
`435`	`429`	`return nil, err`
`436`	`430`	`}`
`437`	`431`
`438`		`- tflog.Info(ctx, fmt.Sprintf("Successfully updated safe [%s]: Name [%s] - ID [%v]",`
`439`		`- updatedSafe.Name, updatedSafe.URLID, *updatedSafe.NUMBER))`
`440`		`-`
`441`	`432`	`return &updatedSafe, nil`
`442`	`433`	`}`
`443`	`434`
`@@ -456,11 +447,9 @@ func (a *pamAPI) DeleteSafe(ctx context.Context, safeID string) error {`
`456`	`447`	`}`
`457`	`448`
`458`	`449`	`if response.StatusCode != 204 {`
`459`		`- tflog.Error(ctx, fmt.Sprintf("failed to delete safe, got response: %s", response.Body))`
`460`		`- return fmt.Errorf("failed to delete safe. Expected status code 204, got %d", response.StatusCode)`
	`450`	`+ return APIErrorFromResponse(response.StatusCode, response.Body)`
`461`	`451`	`}`
`462`	`452`
`463`		`- tflog.Info(ctx, fmt.Sprintf("Successfully deleted safe with ID [%s]", safeID))`
`464`	`453`	`return nil`
`465`	`454`	`}`
`466`	`455`
`@@ -489,11 +478,8 @@ func (a pamAPI) AddSafeMember(ctx context.Context, safe SafeData) (Member, err`
`489`	`478`	`return nil, err`
`490`	`479`	`}`
`491`	`480`
`492`		`- if response.StatusCode == 409 {`
`493`		`- tflog.Info(ctx, fmt.Sprintf("Safe [%s] already has member [%s].", safe.Name, safe.Owner))`
`494`		`- return nil, nil`
`495`		`- } else if response.StatusCode != 201 {`
`496`		`- return nil, fmt.Errorf("failed to add safe member, expected status code 201, got %d", response.StatusCode)`
	`481`	`+ if response.StatusCode != 201 {`
	`482`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`497`	`483`	`}`
`498`	`484`
`499`	`485`	`safeMember := Member{}`
`@@ -520,7 +506,7 @@ func (a pamAPI) GetSafeMember(ctx context.Context, safe SafeData) (Member, err`
`520`	`506`	`}`
`521`	`507`
`522`	`508`	`if response.StatusCode != 200 {`
`523`		`- return nil, fmt.Errorf("failed to get safe member. Expected status code 200, got %d", response.StatusCode)`
	`509`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`524`	`510`	`}`
`525`	`511`
`526`	`512`	`safeMember := Member{}`
`@@ -565,18 +551,14 @@ func (a pamAPI) UpdateSafeMember(ctx context.Context, safe SafeData) (Member,`
`565`	`551`	`}`
`566`	`552`
`567`	`553`	`if response.StatusCode != 200 {`
`568`		`- tflog.Error(ctx, fmt.Sprintf("failed to update safe member, got response: %s", response.Body))`
`569`		`- return nil, fmt.Errorf("failed to update safe member, expected status code 200, got %d", response.StatusCode)`
	`554`	`+ return nil, APIErrorFromResponse(response.StatusCode, response.Body)`
`570`	`555`	`}`
`571`	`556`
`572`		`- tflog.Info(ctx, fmt.Sprintf("Successfully updated member [%s] permissions in safe [%s]", safe.Owner, safe.Name))`
`573`	`557`	`return &updatedSafeMember, nil`
`574`	`558`	`}`
`575`	`559`
`576`	`560`	`// DeleteSafeMember deletes a safe member from the SecretsHub.`
`577`	`561`	`func (a *pamAPI) DeleteSafeMember(ctx context.Context, safeName string, memberName string) error {`
`578`		`- tflog.Debug(ctx, fmt.Sprintf("Attempting to delete member [%s] from safe [%s]", memberName, safeName))`
`579`		`-`
`580`	`562`	`response, err := a.client.DoRequest(`
`581`	`563`	`ctx,`
`582`	`564`	`"DELETE",`
`@@ -589,14 +571,10 @@ func (a *pamAPI) DeleteSafeMember(ctx context.Context, safeName string, memberNa`
`589`	`571`	`return err`
`590`	`572`	`}`
`591`	`573`
`592`		`- if response.StatusCode == 404 {`
`593`		`- tflog.Info(ctx, fmt.Sprintf("Member [%s] not found in safe [%s]", memberName, safeName))`
`594`		`- return nil`
`595`		`- } else if response.StatusCode != 204 {`
`596`		`- return fmt.Errorf("failed to delete safe member, expected status code 204, got %d", response.StatusCode)`
	`574`	`+ if response.StatusCode != 204 {`
	`575`	`+ return APIErrorFromResponse(response.StatusCode, response.Body)`
`597`	`576`	`}`
`598`	`577`
`599`		`- tflog.Info(ctx, fmt.Sprintf("Successfully removed member [%s] from safe [%s]", memberName, safeName))`
`600`	`578`	`return nil`
`601`	`579`	`}`
`602`	`580`