Terraform script drop and recreate the same keyspace leading to the admin user loses access to the recreated keyspace

[GLZ9568]

The customer has reported that after they use Terraform script to drop and recreate keyspace cssservice, their admin user admin-ocp-p-p-uspd-css-cass-01 loses access to the recreated keyspace.

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

 + create
 ~ update in-place
Terraform will perform the following actions:
 # module.ds-astra-cluster.astra_keyspace.this["dekms"] will be created
 + resource "astra_keyspace" "this" {
   + database_id = "51a23389-1499-4d64-b73a-c958f96e79a0"
   + id     = (known after apply)
   + name    = "dekms"
  }
 # module.ds-astra-cluster.astra_role.admin will be updated in-place
 ~ resource "astra_role" "admin" {
    id     = "d031a210-7a6b-4310-a993-fdf05409c3ed"
   ~ resources  = [
      "drn:astra:org:aa277a78-b6d6-495a-a67f-3715f6a9524a:db:51a23389-1499-4d64-b73a-c958f96e79a0:keyspace:default_unused",
     + "drn:astra:org:aa277a78-b6d6-495a-a67f-3715f6a9524a:db:51a23389-1499-4d64-b73a-c958f96e79a0:keyspace:dekms",
    ]
    # (5 unchanged attributes hidden)
  }
Plan: 1 to add, 1 to change, 0 to destroy.

Below is the output from Terraform:

147 # module.ds-astra-cluster.astra_role.admin will be updated in-place
148 ~ resource "astra_role" "admin" {
149 ~ description = "admin-ocp-p-p-uspd-css-cass-01" -> "Admin role"
150 id = "5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb"
...
164Plan: 0 to add, 1 to change, 1 to destroy.
165module.ds-astra-cluster.astra_keyspace.this["cssservice"]: Destroying... [id=c2db6b6d-844c-4963-a225-58b9f91550dd/keyspace/cssservice]
166module.ds-astra-cluster.astra_role.admin: Modifying... [id=5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb]
167module.ds-astra-cluster.astra_keyspace.this["cssservice"]: Destruction complete after 0s
168module.ds-astra-cluster.astra_role.admin: Modifications complete after 1s [id=5d19d90a-7cee-4d1f-abaa-d4b11eaf28eb]
...

it appears the astra_role.admin table is modified when a keyspace is dropped, does terraform modify the user roles when removing a keyspace? if so, does it add the correct access for the role back when the keyspace is recreated?

[pgier]

@GLZ9568 Can you provide the version of Terraform and the Astra provider/plugin, and also an example main.tf to reproduce the issue? The Terraform Astra provider shouldn't modify the contents of the role if the contents are directly specified. I'm guessing in this case there is a loop to dynamically create the permissions, which would cause the resources to be automatically added/removed, but I can't tell without the source main.tf.