-
Notifications
You must be signed in to change notification settings - Fork 206
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Behavior change in okta_group_memberships resource >=3.26 #1149
Comments
Personally I think that having However, I understand the other side of the coin. Either way, adding documentation to the provider resource docs would help clarity-wise. |
Linking related issues #1119, #1094 I see the strong case for reverting to the previous behavior of Reverting back to the established behavior and accounting for the new behavior using a flag is the solution I'm thinking about. Check out this example on my thoughts. data "okta_group" "example" {
name = "Some Group"
}
resource "okta_group_memberships" "specific_users" {
group_id = data.okta_group.example.id
users = ["a", "b"]
# classic/default behavior only cares if users a or b are removed or
# if the hard coded users slice is changed in the config file
}
resource "okta_group_memberships" "all_users" {
group_id = data.okta_group.example.id
users = data.okta_group.example.users
track_all_users = true
# will show drift if users are added/removed from the group
# outside of this resource after the last apply
} Looking for feedback from @parente @tmatilai @exitcode0 @dli-spoton @virgofx |
I'm in favor of the flag. It satisfies both use cases. As for what the default action is -- no preference there - maybe revert to how it was before such that it's opt-in. |
I'm also in favor of the flag. Personally, I think the default should be the new behavior, since it's more inline with how generally Terraform resources are expected to behave. But it is more disruptive and probably not worth it. One nice to have that's beyond the scope of this issue is to have the option to only ignore users added by group rules, but be authoritative for all manually managed users. The UI reports if the user is manual or group rule managed, but I don't think the APIs return this information, so it probably a much bigger ask. |
That one sounds cool. I just checked in postman that the response to |
A flag would be perfect for me, too.
I agree on this. The downside is that it's still a breaking change to the earlier behaviour, but that has been like this already for a couple of releases. But for me personally that wouldn't matter much. @monde sorry for not responding to your request earlier. Been busy weeks, and now I'll be probably even offline for a couple of weeks. 🙂 |
This comment was marked as resolved.
This comment was marked as resolved.
@lucascantor that's a pagination bug introduced in |
@dli-spoton thanks so much for the heads up. Unfortunately, we can't upgrade to |
Working on this PR " Reestablish old behavior of okta_group_memberships resource" #1161 . Trying to get a v3.29.0 release out today. |
Hey all, let me know if https://github.com/okta/terraform-provider-okta/releases/tag/v3.29.0 fixes this for you. |
|
Going to close this one 🤞 |
Community Note
Terraform Version
Terraform v1.0.4
on linux_amd64
Affected Resource(s)
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
In
<=3.25
, the resource only tracked the state of the users defined in the config. Would ignore all drift in the target group.In the example, it would ignore any users synced from
group b
by the group rule.Actual Behavior
In
>=3.26
, the resource tracks all group members and will mark any users added outside of the Terraform resource as drift.In the example, it'll mark all users synced from
group b
by the group rule as drift and try to remove them.Steps to Reproduce
terraform apply
Important Factoids
This is a recreation of #1094 as requested there.
I can work around this if needed by restructuring groups. (unpleasant but doable)
Mainly looking for confirmation this is an intended behavior change and won't be fixed.
References
The text was updated successfully, but these errors were encountered: