[13:03:45] topranks: I have some renamed hosts (cloudrabbit200[123]) that need IPs in cloud-private-b1-codfw. Can you walk me through that process?
[14:21:39] andrewbogott: he's out today, it's a bank holiday in Ireland today
[14:22:01] that's reasonable!
[16:40:51] chuckonwu: did those policy patches fix your tofu things?
[17:07:39] andrewbogott: it did fix things for a while but now they're broken again in the same way this time for toolsbeta
[17:08:57] Ok, that's surely the member+reader thing. If you just remove and replace the user in horizon it should fix it
[17:18:06] andrewbogott would that cause the keys to reset?
[17:19:11] It already has member+reader permissions on toolsbeta
[17:19:21] hm, it might delete app credentials. Is this the same username?
[17:20:14] ok, so policies and project membership are the same for tools-tofu/tools and toolsbeta-tofu/toolsbeta
[17:20:28] So the behavior really should be the same. What specific error are you seeing?
[17:24:57] you're using 'tofu-provisioning' app credentials in tools and 'gitlab-tofu-provision' in toolsbeta?
[17:26:25] Those are the credentials. I'm getting a 403 error on creating the dns zone
[17:26:37] oh, so a totally different call than before
[17:26:42] so different policy.
[17:27:21] Zone creation with opentofu probably won't work with tofu because it requires coordination between projects.
[17:27:40] So maybe that means we shouldn't try to do it with tofu... I can create it on the cli and then it'll be there when tofu checks but maybe that's silly.
[17:28:03] well...
[17:28:19] no, it's not actually because of the multiple project thing. It's just generally not allowed I think.
[17:28:38] I think it's because only the dns bots can create new zones
[17:29:44] yeah
[17:30:00] I created toolsbeta.org on the cli with admin creds. Maybe that'll make tofu happy for now?
[17:30:21] I think it trying and failing is slightly better than it not knowing about it but I'm not especially confident about that opinion