
Use of NewFinder with all=true requires root vCenter permissions #2251

Open
4 tasks done
phillip-constantine opened this issue Aug 25, 2024 · 1 comment
Labels
bug Type: Bug needs-triage Status: Issue Needs Triage

phillip-constantine commented Aug 25, 2024

Community Guidelines

  • I have read and agree to the HashiCorp Community Guidelines.
  • Vote on this issue by adding a 👍 reaction to the original issue initial description to help the maintainers prioritize.
  • Do not leave "+1" or other comments that do not add relevant information or questions.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Terraform

Terraform v1.9.5 on linux_amd64

Terraform Provider

2.8.3

VMware vSphere

7.0.3

Description

I do not have root vCenter permissions, but I have full admin permissions to a specific datacenter. When I use Terraform to create a folder in my DC, the folder gets created, but then Terraform says "cannot find datacenter in path: No Permission" and exits. Digging into the code, it looks like this is because during resourceVSphereFolderRead, the getDatacenter function creates a NewFinder with all=true. As far as I can tell, this attempts to list all datacenters, which I am not allowed to do. But if I set that to false, my Terraform works fine.

In the vSphere web UI, I can create and destroy any resource within my DC, which is what I expect with full admin over the DC. So it seems like a bug that the provider requires root permissions. Grepping for this shows there are 18 total uses of all=true in the vsphere directory, which I assume means that all affected code requires full vCenter admin permissions to run? Would it not be better to set all of these to false, or better yet, not use the Finder at all if an id is already given?

Affected Resources or Data Sources

resource/resource_vsphere_folder

Terraform Configuration

resource "vsphere_folder" "test" {
  path          = "my-folder"
  type          = "vm"
  datacenter_id = data.vsphere_datacenter.dc.id
}

Debug Output

│ Error: cannot find datacenter from path "/US/datacenter1": NoPermission
│
│   with vsphere_folder.test,
│   on main.tf line 96, in resource "vsphere_folder" "test":
│   96: resource "vsphere_folder" "test" {
│

Panic Output

No response

Expected Behavior

If I have full admin over a datacenter, I should be able to create and destroy resources without needing permissions above the datacenter. This is how it works in the vSphere web console.

Actual Behavior

I cannot fully create and destroy resources without admin permissions over all of vCenter.

Steps to Reproduce

Terraform apply on a vsphere_folder resource when the user does not have permissions above the datacenter.

Environment Details

No response

Screenshots

No response

References

No response

@phillip-constantine phillip-constantine added bug Type: Bug needs-triage Status: Issue Needs Triage labels Aug 25, 2024

Hello, phillip-constantine! 🖐

Thank you for submitting an issue for this provider. The issue will now enter into the issue lifecycle.

If you want to contribute to this project, please review the contributing guidelines and information on submitting pull requests.

@tenthirtyam tenthirtyam self-assigned this Nov 5, 2024
@tenthirtyam tenthirtyam added this to the On Deck milestone Nov 5, 2024
@tenthirtyam tenthirtyam removed their assignment Dec 9, 2024