terraform-provider-tfe

`tfe_team` visibility not being set as defined in Terraform Cloud

Open Saber-fate32 opened this issue 1 year ago • 2 comments

Terraform Cloud

I am using Terraform Cloud

Terraform version

Terraform Cloud remote apply, workspace version 1.8.2

Terraform Configuration Files

```hcl
resource "tfe_team" "admin" {
  name        = "TF-${var.project_name}-admins"
  sso_team_id = azuread_group.admins.object_id
}
```

Debug Output

```
# module.create_project["cpt"].tfe_team.admin will be updated in-place
  ~ resource "tfe_team" "admin" {
        id          = "team-e1UQs1EFHU2krdoc"
        name        = "TF-cpt-admins"
      ~ visibility  = "organization" -> "secret"
        # (1 unchanged attribute hidden)

        # (1 unchanged block hidden)
    }
```

Expected Behavior

Teams are created in Terraform Cloud with the documented default visibility of "secret" and can be changed if needed.

Actual Behavior

The team is created with visibility set to "organization" which keeps triggering an "update in-place" when running a plan and apply. The apply produces no error but does not change the visibility of the team in Terraform Cloud.

Explicitly defining the visibility in tfe_team does not change the behaviour.

Additional Context

  • Using provider version 0.54
  • Remote apply using a Terraform Cloud provided agent.

Saber-fate32 Apr 30 '24 05:04

Managed to find out what was causing my issue. The issue happens when using an organization token. Unsure if this is an issue with the provider or with Terraform Cloud, as according to documentation an organization token should have sufficient access.

A ticket was raised with HashiCorp support and they were able to reproduce the behaviour. Internal ticket IPL-6465 was raised.

Saber-fate32 May 03 '24 06:05

Team: do we have any update on this one?

ravipratap-wpp Jun 18 '24 12:06

Same issue here, looks like it started happening with v202405-1

gl72 Aug 15 '24 07:08

Hello, thanks for providing so many details about this. The default within the provider is 'secret' visibility, so that has been conflicting with a recent change to force public visibility unless you have permission to create a secret visibility team. I think the right move is to remove the default, mark the schema as optional/computed, and let the API determine the default, which I did in the attached PR... but what is confusing to me is that you should have been able to overcome the default (when you don't have access to secret teams) by setting visibility = "organization" in config.

brandonc Aug 15 '24 16:08

I can also note that secret teams can now be managed by organization tokens as of TFE v202407-1

brandonc Aug 15 '24 16:08
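
As an added example (not part of the thread and not the provider's own code): a CI check over `terraform show -json` plan output that lists `tfe_team` resources whose visibility the plan would change or leave to the API, and flags the ones that show the same change again after an apply, which is the symptom reported in this issue. The sample plan and its resource addresses are constructed; the function names are hypothetical.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# modelled on the plan in this issue; the resource addresses are made up.
SAMPLE_PLAN = json.loads("""
{"resource_changes": [
  {"address": "tfe_team.admin", "type": "tfe_team",
   "change": {"actions": ["update"], "after_unknown": {},
              "before": {"visibility": "organization"},
              "after": {"visibility": "secret"}}},
  {"address": "tfe_team.new", "type": "tfe_team",
   "change": {"actions": ["create"], "before": null, "after": {},
              "after_unknown": {"visibility": true}}},
  {"address": "tfe_team.readers", "type": "tfe_team",
   "change": {"actions": ["no-op"], "after_unknown": {},
              "before": {"visibility": "secret"},
              "after": {"visibility": "secret"}}}
]}
""")


def team_visibility_findings(plan):
    """Return (address, before, after) for every tfe_team whose visibility the
    plan would change or leave for the API to decide."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "tfe_team":
            continue
        change = rc.get("change", {})
        before = (change.get("before") or {}).get("visibility")
        after = (change.get("after") or {}).get("visibility")
        if (change.get("after_unknown") or {}).get("visibility"):
            after = "(known after apply)"  # optional/computed attribute, unset
        if before != after:
            findings.append((rc["address"], before, after))
    return findings


def repeated_drift(plan_before_apply, plan_after_apply):
    """Addresses still showing the same visibility change after an apply,
    i.e. the apply reported success but the team's visibility did not move."""
    first = set(team_visibility_findings(plan_before_apply))
    return sorted(a for a, b, c in team_visibility_findings(plan_after_apply)
                  if (a, b, c) in first and b is not None)


if __name__ == "__main__":
    for address, before, after in team_visibility_findings(SAMPLE_PLAN):
        print(f"{address}: visibility {before!r} -> {after!r}")
```

Feed `repeated_drift` the plan JSON taken before an apply and the one taken after it; a non-empty result means a team's actual visibility still differs from what the configuration declares.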