fix: support unmanaged roles on user resource #250

Merged
merged 5 commits into from
Aug 19, 2025

@ethanndickson ethanndickson commented Aug 18, 2025

A customer ran into an issue when creating an OIDC user while role sync was enabled on the deployment:

Error: 'User Role Field' is set in the OIDC configuration. All role changes must come from the oidc identity provider. 

This is because we always call UpdateUserRoles on Create and Update.

OIDC User roles cannot be managed via the API if role sync is used, as the API always returns an error on any role update request.

With this PR, roles can now be set to null in the config, whereby the Terraform provider will not attempt to read or update the user's roles under any circumstances. This prevents config drift when roles are set via Role Sync.
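The behaviour described in this PR description, modelled as an added example (not code from the PR or the provider): a nil `roles` pointer stands for "null in config" and sends no role request, while the old always-update path hits the role sync error. `fakeAPI`, `applyUser`, `errRoleSync`, the `alwaysUpdate` switch and the `auditor` role are hypothetical names and constructed values.

```go
package main

import (
	"errors"
	"fmt"
)

// errRoleSync stands in for the API's refusal when role sync is on (constructed).
var errRoleSync = errors.New("all role changes must come from the oidc identity provider")

// fakeAPI is a hypothetical stand-in for the deployment's user API.
type fakeAPI struct {
	roleSync bool
	roles    map[string][]string
	calls    int // number of role update requests received
}

// UpdateUserRoles models the behaviour the PR describes: with role sync
// enabled, every role update request fails, even one that changes nothing.
func (a *fakeAPI) UpdateUserRoles(user string, roles []string) error {
	a.calls++
	if a.roleSync {
		return errRoleSync
	}
	a.roles[user] = roles
	return nil
}

// applyUser models Create/Update. roles == nil means "null in config":
// unmanaged, so no role request is sent. A non-nil slice (even empty) is
// managed. alwaysUpdate models the earlier always-call behaviour (assumption:
// an unset value was sent as an empty role list).
func applyUser(api *fakeAPI, user string, roles *[]string, alwaysUpdate bool) error {
	if roles == nil {
		if !alwaysUpdate {
			return nil // leave roles to the identity provider
		}
		return api.UpdateUserRoles(user, []string{})
	}
	return api.UpdateUserRoles(user, *roles)
}

func main() {
	api := &fakeAPI{roleSync: true, roles: map[string][]string{"example": {"auditor"}}}
	fmt.Println("always update:", applyUser(api, "example", nil, true))
	fmt.Println("null roles:   ", applyUser(api, "example", nil, false))
	empty := []string{}
	fmt.Println("empty set:    ", applyUser(api, "example", &empty, false))
}
```

An explicitly empty role set is still a managed value in this model, so it still produces a request and still fails under role sync; only null opts out.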

@@ -77,7 +80,7 @@ func TestAccUserResource(t *testing.T) {
ImportStateVerify: true,
ImportStateId: "example",
// We can't pull the password from the API.
ImportStateVerifyIgnore: []string{"password"},
ImportStateVerifyIgnore: []string{"password", "roles"},
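Review bot: the comment above the ImportStateVerifyIgnore line, "We can't pull the password from the API.", now explains only one of the two ignored attributes. Extend it to say why "roles" is skipped, so the exemption is not mistaken for an API limitation. Roles govern authorization, and with "roles" ignored this import step no longer checks that imported roles match the applied state; consider a separate test step or assertion that covers roles when they are set explicitly in the config.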
@ethanndickson ethanndickson Aug 18, 2025

Because we're using null to signify that roles shouldn't be managed by Terraform, we have the same problem we have with the group resource: we don't know whether or not the null value was set in the config, or is null because it's an import. Frustratingly, the provider framework doesn't provide a way to differentiate the two.

@ethanndickson ethanndickson marked this pull request as ready for review August 18, 2025 07:47
ethanndickson commented Aug 19, 2025

Merge activity

  • Aug 19, 12:31 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • Aug 19, 12:31 AM UTC: @ethanndickson merged this pull request with Graphite.

@ethanndickson ethanndickson merged commit 99877ea into main Aug 19, 2025
14 checks passed
@ethanndickson ethanndickson deleted the ethan/user-unmanaged-roles branch August 19, 2025 00:31