
Import of an organization is not possible without instance level permission #216

Open
2 tasks done
yann-soubeyrand opened this issue Jan 27, 2025 · 7 comments
Labels
question Further information is requested resources

Comments

@yann-soubeyrand

Preflight Checklist

  • I could not find a solution in the documentation, the existing issues or discussions
  • I have joined the ZITADEL chat

Version

2.0.2

ZITADEL Version

v2.67.1

Describe the problem caused by this bug

An organization cannot be imported when the user is “only” org owner and has no instance level permission. This does not allow setting the organization name, nor getting its primary domain.

To reproduce

  1. Create a service user and give it the org owner role.
  2. Create a key and configure Terraform to use it.
  3. Try to import the organization: terraform import zitadel_org.imported '123456789012345678'.

Result:

Error: error while getting org by id 123456789012345678: rpc error: code = PermissionDenied desc = No matching permissions found (AUTH-5mWD2)

Screenshots

No response

Expected behavior

As an org owner, I would like to be able to import my organization.

Relevant Configuration

No response

Additional Context

No response

@yann-soubeyrand yann-soubeyrand added the bug Something isn't working label Jan 27, 2025
@muhlemmer muhlemmer added the auth label Jan 27, 2025
@muhlemmer

This is correct, as the ORG_** memberships are assigned on organization objects. You can't have such a membership on one org and then expect the ability to create a new org. The new org doesn't exist yet and therefore the user can't be the ORG_OWNER. Creation or import of organizations always needs instance level membership because the org belongs to the instance.

We have another role which is probably suitable for your use-case: IAM_ORG_MANAGER

@muhlemmer muhlemmer closed this as not planned Won't fix, can't repro, duplicate, stale Jan 27, 2025
@yann-soubeyrand
Author

@muhlemmer of course, one cannot create an org without permissions at the instance level, however importing it (for example to modify its name) should be possible, right?

@muhlemmer

The import endpoint of zitadel allows setting of orgMembers. I'm not sure how this translates to terraform, I'm not familiar with this repo, just handling the inbox.

Let me know if you can't figure it out and I will re-open and ping someone.

@yann-soubeyrand
Author

I think we do not speak of the same import: in Terraform, one can import an existing resource, to manage it using Terraform configuration.

An instance admin can create an organization, create a service user giving it the org owner role on this new organization, and I would like to use this service user to import the organization in Terraform to further manage it. But it's actually not possible at this time, because it seems that there is no management API endpoint to get an organization by ID.

@muhlemmer

When using the resource API (v2) the create organization already returns the organization ID in the response: https://zitadel.com/docs/apis/resources/org_service_v2/organization-service-add-organization

@muhlemmer muhlemmer added question Further information is requested resources and removed bug Something isn't working auth labels Jan 28, 2025
@muhlemmer muhlemmer reopened this Jan 28, 2025
@muhlemmer

@stebenz can you have a look at the conversation above and give a suggestion? I believe our APIs are fully capable of supporting the desired use-case, I'm just not sure how that translates to terraform.

@stebenz
Contributor

stebenz commented Jan 28, 2025

We would need to rework the org resource in terraform to use the new resource API, currently the admin API is still used.

func get(ctx context.Context, d *schema.ResourceData, m interface{}) diag.Diagnostics {
