bug: Oracle: missing defined_tags on oracle_compute_instances resource

[gianluca-ava]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

cloudquery return {} on defined_tags attribute for oracle_compute_instances resource even the defined_tags are defined at source.

• [ ]

Expected Behavior

defined_tags returned as defined in Oracle

CloudQuery (redacted) config

kind: source
spec:
  # Source spec section
  name: drcc
  path: "cloudquery/oracle"
  version: "v4.3.5"
  tables: ["*"]
  skip_tables:
    - "oracle_compute_images"
    - "oracle_compute_vnic_attachments"
    - "oracle_virtualnetwork_fast_connect_provider_services"
    - "oracle_networkfirewall_network_firewall_policies"
    - "oracle_networkfirewall_network_firewalls"
    - "oracle_networkfirewall_work_requests"
    - "oracle_networkloadbalancer_work_requests"
    - "oracle_virtualnetwork_vlans"
  destinations: ["postgresql"] 
  spec:
    concurrency: 500
---
kind: destination
spec:
  name: "postgresql"
  path: "cloudquery/postgresql"
  version: "v7.1.5"
  spec:
    write_mode: "overwrite-delete-stale"
    connection_string: "postgresql://gamadm:${password}@${host}:${port}/${database}?sslmode=require"

Steps To Reproduce

No response

CloudQuery (redacted) logs

unuseful

CloudQuery version

4.4.0

Additional Context

No response

Pull request (optional)

• I can submit a pull request

[erezrokah]

Hi @gianluca-ava, I created a compute instance on our testing account and was able to see defined_tags tags on it after a sync:

Can you confirm those are indeed applied to the resource? Looks like they require specific permissions https://docs.oracle.com/en-us/iaas/Content/General/Concepts/resourcetags.htm

[gianluca-ava]

Hi @erezrokah , I know how tags works in OCI, thanks anyway for the info. It's strange because I can see in CloudQuery defined_tags for other type of resources (vcns for example) but not for compute instances...I should definitively check with the IAM team how privs are set on the CloudQuery technical account. Just to know, which version of the plugin are you running on your test env? the last one?

[erezrokah]

Thanks for the additional context, I was trying to verify I'm reproducing the issue correctly.
I'm using the latest version v5.0.1 (https://hub.cloudquery.io/plugins/source/cloudquery/oracle/v5.0.1/versions) and latest CLI v5.18.0.

If there's additional information you can think of that would allow us to reproduce this locally please let us know. We'll do some more research on the tags, maybe there are some exceptions for compute instances.

[erezrokah]

We'll also try to update the Oracle Go SDK, we're using 65.28.3, seems like we're do for an upgrade https://github.com/oracle/oci-go-sdk/blob/master/CHANGELOG.md

[bbernays]

Hi @gianluca-ava - We have released v6.0.0 of the Oracle Plugin where we upgraded the SDK to the latest version (v65.28.3). Have you been able to talk with your IAM team to see if this is a permissions limitation?

If you are still experiencing the issue, Can you try running this command to list the Instances to see if the tags appear as expected. This will help us to narrow down the source of the issue:

 oci compute instance list --compartment-id <REPLACE_WITH_YOUR_Compartment-id>

[gianluca-ava]

Hi, I talk with the IAM team. The cloudquery technical user has the following: policy statement:

• Allow group xxxxx/grp-drcc-ch-app-cloudquery to inspect all-resources in tenancy
  I asked to add the one related to tag-namespaces but nothing changed.
• Allow group xxxxx/grp-drcc-ch-app-cloudquery to inspect tag-namespaces in tenancy

if I run the command you listed with my personal account I can see the defined_tags. Now I have to run it with the technical account but right now I'm not able to use it interactively. I will be back.
Thanks

[gianluca-ava]

@bbernays: definitively the issue was related to the policy. Inspect is not enough to read user meta-data. read is need.