terraform-provider-gitlab
terraform-provider-gitlab copied to clipboard
gitlabhq
Delete group_membership removes the member from subgroups by default
GitLab Provider version
3.1.3 - via https://github.com/pulumi/pulumi-gitlab/tree/v4.7.1
GitLab version
saas
Terraform version
N/A
Relevant Terraform Configuration
resource "gitlab_group_membership" "main_group" {
group_id = "123"
user_id = 1337
access_level = "Developer"
expires_at = "2020-12-31"
}
resource "gitlab_group_membership" "sub_group" {
group_id = "456"
user_id = 1337
access_level = "Maintainer"
expires_at = "2020-12-31"
}
Relevant log output
I0802 12:12:46.759338 243789 eventsink.go:59] Delete gitlab group membership 11773188 for 11037388
I0802 12:12:46.759362 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>Delete gitlab group membership 11773188 for 11037388<{%reset%}>)
I0802 12:12:46.759702 243789 eventsink.go:59] GitLab API Request Details:
I0802 12:12:46.759726 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>GitLab API Request Details:<{%reset%}>)
I0802 12:12:46.759907 243789 eventsink.go:59] ---[ REQUEST ]---------------------------------------
I0802 12:12:46.759929 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>---[ REQUEST ]---------------------------------------<{%reset%}>)
I0802 12:12:46.760139 243789 eventsink.go:59] DELETE /api/v4/groups/11037388/members/11773188 HTTP/1.1
I0802 12:12:46.760157 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>DELETE /api/v4/groups/11037388/members/11773188 HTTP/1.1<{%reset%}>)
I0802 12:12:46.760336 243789 eventsink.go:59] Host: gitlab.com
I0802 12:12:46.760357 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>Host: gitlab.com<{%reset%}>)
I0802 12:12:46.760550 243789 eventsink.go:59] User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-gitlab
I0802 12:12:46.760570 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>User-Agent: Terraform/ (+https://www.terraform.io) Terraform-Plugin-SDK/2.10.1 terraform-provider-gitlab<{%reset%}>)
I0802 12:12:46.760736 243789 eventsink.go:59] Accept: application/json
I0802 12:12:46.760753 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>Accept: application/json<{%reset%}>)
I0802 12:12:46.760919 243789 eventsink.go:59] Authorization: Bearer glpat-2epAd4JyF9fnpyNJhQy9
I0802 12:12:46.760936 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>Authorization: Bearer glpat-2epAd4JyF9fnpyNJhQy9<{%reset%}>)
I0802 12:12:46.761107 243789 eventsink.go:59] Accept-Encoding: gzip
I0802 12:12:46.761127 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>Accept-Encoding: gzip<{%reset%}>)
I0802 12:12:46.761284 243789 eventsink.go:59]
I0802 12:12:46.761301 243789 eventsink.go:62] eventSink::Debug(<{%reset%}><{%reset%}>)
I0802 12:12:46.761452 243789 eventsink.go:59]
I0802 12:12:46.761467 243789 eventsink.go:62] eventSink::Debug(<{%reset%}><{%reset%}>)
I0802 12:12:46.761643 243789 eventsink.go:59] -----------------------------------------------------
I0802 12:12:46.761670 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>-----------------------------------------------------<{%reset%}>)
I0802 12:12:46.964291 243789 eventsink.go:59] GitLab API Response Details:
I0802 12:12:46.964345 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>GitLab API Response Details:<{%reset%}>)
I0802 12:12:46.964745 243789 eventsink.go:59] ---[ RESPONSE ]--------------------------------------
I0802 12:12:46.964786 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>---[ RESPONSE ]--------------------------------------<{%reset%}>)
I0802 12:12:46.965141 243789 eventsink.go:59] HTTP/2.0 404 Not Found
I0802 12:12:46.965177 243789 eventsink.go:62] eventSink::Debug(<{%reset%}>HTTP/2.0 404 Not Found<{%reset%}>)
Description
Hello,
The problem
My GitLab structure:
main_group (id 123)
/sub_group (id 456) - gitlab reference main_group/sub_group
When I define a group membership for both groups and remove main_group it will also remove the member from sub_group.
However API this line calls client.GroupMembers.RemoveGroupMember which according to API docs https://docs.gitlab.com/ee/api/members.html#remove-a-member-from-a-group-or-project accepts parameter skip_subresources which is by default False causing the removal of the sub_group membership.
Then the state is wrong thinking that sub_group membership still exists until terraform refresh
https://github.com/gitlabhq/terraform-provider-gitlab/blob/5c1b5250b38bf4e207ee4381b9c6e27e8e577f52/internal/provider/resource_gitlab_group_membership.go#L154
Steps to reproduce
- Define 2 resources
gitlab_group_membershipone formain_group, one forsub_group - Delete resource
main_group - Delete
sub_groupand receiveerror 404resource deletion failed
@1oglop1 I think a viable solution for this is to provide the skip_subresources field as attribute in the gitlab_group_membership resource. I've implemented this in #1209 - to avoid confusions I've suffixed the fields with _on_destroy.
With that change you are able to do the following:
resource "gitlab_group_membership" "main_group" {
group_id = "123"
user_id = 1337
access_level = "Developer"
expires_at = "2020-12-31"
skip_subresources_on_destroy = true
}
resource "gitlab_group_membership" "sub_group" {
group_id = "456"
user_id = 1337
access_level = "Maintainer"
expires_at = "2020-12-31"
}
WDYT? Would this fully solve your issue? 🏓
@timofurrer I've been thinking about the same solution! For me, it is good enough. Thank you for implementing it!
This functionality has been released in v3.17.0 of the Terraform GitLab Provider. Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.
For further feature requests or bug reports with this functionality, please create a new GitHub issue. Thank you!
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}