terraform-provider-tfe
Managing the membership of the `owners` team tries to remove hidden Hashicorp-owned members
Terraform Enterprise version
Using HCP Terraform (Terraform Cloud)
Terraform version
```
Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.58.0
+ provider registry.terraform.io/hashicorp/tfe v0.58.0
```
Terraform Configuration Files
```hcl
data "tfe_team" "owners" {
  name = "owners"
}

data "tfe_organization_membership" "owners" {
  for_each = toset([
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
    "[email protected]",
  ])
  email = each.value
}

# Intentionally using the "memberS" version of this resource, which will drift
# if users are added to the team outside of this resource.
resource "tfe_team_organization_members" "owners" {
  team_id                     = data.tfe_team.owners.id
  organization_membership_ids = values(data.tfe_organization_membership.owners)[*].id
}

import {
  to = tfe_team_organization_members.owners
  id = "team-<REDACTED>"
}
```
Debug Output
N/A
Expected Behavior
The team membership to import, and the plan to show no changes (since the members defined in the HCL above are already members of the team).
Actual Behavior
The team membership does successfully import and shows the 5 expected users, but it also shows Terraform's intent to remove 3 members that don't appear in the Terraform Cloud web UI for the team:
```
Terraform will perform the following actions:

  # tfe_team_organization_members.owners will be updated in-place
  # (imported from "team-<REDACTED>")
  ~ resource "tfe_team_organization_members" "owners" {
        id                          = "team-<REDACTED>"
      ~ organization_membership_ids = [
          - "ou-E17<REDACTED>",
          - "ou-JJs<REDACTED>",
          - "ou-Jjv<REDACTED>",
            "ou-<REDACTED>",
            "ou-<REDACTED>",
            "ou-<REDACTED>",
            "ou-<REDACTED>",
            "ou-<REDACTED>",
        ]
        team_id                     = "team-<REDACTED>"
    }
```
Upon investigating who these hidden users were, I discovered that they have hashicorp.com email addresses and appear to be "internal" users for Hashicorp's systems/etc. Those three to-be-removed member IDs resolve to:
```hcl
users = {
  ou-E17REDACTED = {
    email                      = "[email protected]"
    id                         = "ou-E17REDACTED"
    organization               = "REDACTED"
    organization_membership_id = "ou-E17REDACTED"
    user_id                    = "user-REDACTED"
    username                   = "gh-webhooks-REDACTED"
  }
  ou-JJsREDACTED = {
    email                      = "[email protected]"
    id                         = "ou-JJsREDACTED"
    organization               = "REDACTED"
    organization_membership_id = "ou-JJsREDACTED"
    user_id                    = "user-REDACTED"
    username                   = "api-org-REDACTED"
  }
  ou-JjvREDACTED = {
    email                      = "[email protected]"
    id                         = "ou-JjvREDACTED"
    organization               = "REDACTED"
    organization_membership_id = "ou-JjvREDACTED"
    user_id                    = "user-REDACTED"
    username                   = "api-team_REDACTED"
  }
}
```
Since these users do not appear in the Terraform Cloud web UI, it probably makes sense to have this provider silently omit them from its search results when looking up members of the owners team. Otherwise, to avoid removing these users (or get an API error when trying), they will have to be added manually to the tfe_team_organization_members resource (which is obviously fragile).
Additional Context
The TFE provider is authenticated with a user token from a member of the owners team. Not sure if this affects this, but since nobody but the owners team can modify the owners team, it doesn't really matter.
These users (gh-webhooks-*, api-*) seem to have the is-service-account flag set.
https://support.hashicorp.com/hc/en-us/articles/14077445395347-Terraform-Enterprise-service-accounts
Can the provider omit these users when looking up users?
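As an added illustration (not code from the issue or from the provider), the following Python script shows the pre-flight check a practitioner can run before applying: it takes the team's real membership as the API reports it (including the `is-service-account` flag the issue mentions), compares it with the membership IDs declared in HCL, and separates the service accounts that the web UI hides from the human members a plan would remove. The `Membership` record, the sample team and the `ou-…`/`example.com` values are all constructed for the example; the only page-derived fact is that the hidden members carry the service-account flag.

```python
"""Pre-flight drift check for a tfe_team_organization_members resource.

Compares the team's actual membership (as returned by the TFE/HCP Terraform
team-memberships API, here modelled by a constructed sample) with the
organization membership IDs declared in HCL, and reports which members a
plan would remove, split into hidden service accounts and human users.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Membership:
    """One organization membership as the API reports it (hypothetical model)."""
    id: str                    # organization membership id, "ou-..."
    username: str
    email: str
    is_service_account: bool   # mirrors the API's is-service-account user flag


# Constructed sample: three hidden service accounts plus two human owners.
SAMPLE_TEAM = [
    Membership("ou-SVC1EXAMPLE", "gh-webhooks-example", "svc1@example.com", True),
    Membership("ou-SVC2EXAMPLE", "api-org-example", "svc2@example.com", True),
    Membership("ou-SVC3EXAMPLE", "api-team_example", "svc3@example.com", True),
    Membership("ou-HUMAN1EXAMPLE", "alice", "alice@example.com", False),
    Membership("ou-HUMAN2EXAMPLE", "bob", "bob@example.com", False),
]

# What the HCL's organization_membership_ids resolves to (constructed).
DECLARED_IDS = ["ou-HUMAN1EXAMPLE", "ou-HUMAN2EXAMPLE"]


def plan_removals(actual, declared_ids):
    """Return (service_accounts, humans) that an apply would remove from the team.

    A member is removed when it is on the team but absent from the declared set,
    exactly as the plan in the issue shows for the three hidden members.
    """
    declared = set(declared_ids)
    removed = [m for m in actual if m.id not in declared]
    service_accounts = [m for m in removed if m.is_service_account]
    humans = [m for m in removed if not m.is_service_account]
    return service_accounts, humans


def safe_declared_ids(actual, declared_ids):
    """IDs to put in organization_membership_ids so the plan is a no-op.

    This is the manual workaround the issue describes: keep the declared humans
    and also carry any service accounts already on the team, so Terraform does
    not try to strip them (or fail with an API error doing so).
    """
    carried = {m.id for m in actual if m.is_service_account}
    return sorted(set(declared_ids) | carried)


def removal_report(actual, declared_ids):
    """Human-readable summary of what the plan would do, for a CI gate."""
    service_accounts, humans = plan_removals(actual, declared_ids)
    lines = []
    for m in service_accounts:
        lines.append(f"hidden service account would be removed: {m.username} ({m.id})")
    for m in humans:
        lines.append(f"human member would be removed: {m.username} ({m.id})")
    if not lines:
        lines.append("no removals: declared membership matches the team")
    return lines


if __name__ == "__main__":
    for line in removal_report(SAMPLE_TEAM, DECLARED_IDS):
        print(line)
    print("safe organization_membership_ids:", safe_declared_ids(SAMPLE_TEAM, DECLARED_IDS))
```

Running the script against the sample prints the three service accounts as pending removals and no humans, and `safe_declared_ids` returns the two declared IDs plus the three service-account IDs. In a real pipeline the sample list would be replaced by the API's team membership listing, and a non-empty "human member would be removed" line is the case worth blocking on, since removing an owner is the change that can lock the organization out.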
We got the same issue. Any updates?
This is a real sticky one for those of us wanting to use Terraform to Manage Terraform. Sure would love to see some motion on it, as it's been over a year now!