terraform-provider-googleworkspace
User aliases idempotency
Hello,
User aliases are not idempotent.
After an apply, if you do a plan again it wants to change aliases (order).
I tried with and without sort; it does not solve the issue.
Terraform Version
Terraform v1.2.8
Affected Resource(s)
- user
Terraform Configuration Files
```hcl
resource "googleworkspace_user" "my-user" {
  aliases = sort(["[email protected]", "[email protected]"])
  name {
    family_name = "last"
    given_name  = "first"
  }
  primary_email  = "[email protected]"
  recovery_email = "[email protected]"
  external_ids {
    type  = "organization"
    value = "my-user"
  }
  lifecycle {
    ignore_changes = [recovery_phone]
  }
}
```
Expected Behavior
No change
Actual Behavior
Want to change order of aliases
```
  # googleworkspace_user.my-user will be updated in-place
  ~ resource "googleworkspace_user" "my-user" {
      ~ aliases = [
          - "[email protected]",
            "[email protected]",
          + "[email protected]",
        ]
        id = "105082542430018289190"
        # (19 unchanged attributes hidden)
        # (8 unchanged blocks hidden)
    }
```
Steps to Reproduce
Please list the steps required to reproduce the issue, for example:
```
terraform plan -out maarc.tfplan
terraform apply maarc.tfplan
terraform plan -out maarc.tfplan
```
I'm glad this isn't just me. I have not tested but I assume the issue also exists for group aliases. At the moment, I'm providing the aliases to the resource after lowering, compacting, and then sorting the array. I think doing the same to the aliases array at input, diff and output would be the most expected and predictable result.
To add a bit more information here, it does appear as if Google hands this list back in a predictable order, but it is not the same sort that you get with Terraform's sort() function. So unless you are hand-ordering these alias lists, it appears to be impossible to guarantee that they will appear the same to Terraform, even when they contain the same items in a different order.
It would be nice if this provider would perform a sort on both versions of the list before comparing them.
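The order-insensitive comparison suggested in the comments above (lower, compact and sort both lists before diffing), as an added Go example that is not the provider's code or part of the thread. `normalizeAliases`, `aliasDiff` and the example.com addresses are hypothetical names and constructed sample values.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// normalizeAliases lower-cases, trims, drops empty entries, de-duplicates and sorts.
func normalizeAliases(in []string) []string {
	seen := make(map[string]struct{}, len(in))
	out := make([]string, 0, len(in))
	for _, a := range in {
		a = strings.ToLower(strings.TrimSpace(a))
		if _, dup := seen[a]; a == "" || dup {
			continue
		}
		seen[a] = struct{}{}
		out = append(out, a)
	}
	sort.Strings(out)
	return out
}

// aliasDiff returns the aliases to add and to remove, ignoring order and case.
// Both results are empty when the two lists hold the same set of aliases.
func aliasDiff(configured, remote []string) (add, remove []string) {
	want, have := normalizeAliases(configured), normalizeAliases(remote)
	i, j := 0, 0
	for i < len(want) && j < len(have) {
		switch {
		case want[i] == have[j]:
			i++
			j++
		case want[i] < have[j]:
			add = append(add, want[i])
			i++
		default:
			remove = append(remove, have[j])
			j++
		}
	}
	return append(add, want[i:]...), append(remove, have[j:]...)
}

func main() {
	// Constructed sample: same set of aliases, different order and case.
	add, remove := aliasDiff([]string{"a@example.com", "b@example.com"}, []string{"B@example.com", "a@example.com"})
	fmt.Println(add, remove)
}
```
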
Apparently the API is returning the aliases in chronological order. I also hit this issue, and worked around it by first reading all users and building a primary_email => aliases map. Using concat and distinct I'm then ensuring the alias that is first in that list stays.
```hcl
# main.tf
locals {
  existing_user_aliases = { for u in data.googleworkspace_users.user.users : u.primary_email => u.aliases }
}

data "googleworkspace_users" "user" {
}

module "user_management" {
  source = "./modules/user_management"
  ...
  additional_aliases = [ ... ]
  existing_aliases   = lookup(local.existing_user_aliases, each.value.email, [])
}

# modules/user_management/main.tf
locals {
  ...
  all_aliases = distinct(concat(var.existing_aliases, var.additional_aliases))
}
```
Obviously this has a few drawbacks, and you'll have to decide if that fits your needs. Hope it still helps.
See also https://github.com/hashicorp/terraform-provider-googleworkspace/pull/409 for a bug-fix
Removing everyone's aliases, adding sort() and re-applying them all back works for me (40 accts, alias down for about 5-10 minutes). Although I can see why this is still not ideal for big orgs.
```hcl
# aliases = sort(compact(coalesce(var.aliases, [])))
aliases = []
```