Manage group & organization members via a separate resource #139

Open
ethanndickson opened this issue Nov 12, 2024 · 0 comments
ethanndickson commented Nov 12, 2024

Currently, `coderd_group` resources have their members managed via the `members` field, e.g.:

```hcl
resource "coderd_organization" "myorg" {
  name = "myorg"
  members = ["{uuid}", "{uuid}", "{uuid}", ...]
}
```

If a user were to be added to a group via the UI, the next `terraform apply` would detect configuration drift, and remove that user such that the Terraform config is the source of truth. To avoid this behaviour, we allow users to opt out of having the group members managed by Terraform, by simply providing `null` for the `members` attribute. When this is the case, the provider won't even inspect the members of the group in any way.

This isn't great UX, as it doesn't allow you to manage some users through Terraform, and still be able to add users manually.

This is also relevant to the new organization resources, which also need to associate members to them via Terraform.

Instead, it might be worthwhile to associate users to groups and orgs via a new resource, i.e.

```hcl
resource "coderd_organization_member" "user_to_org" {
  id = "{uuid}"
  org = "{uuid}"
}
```

If the `members` field on both groups & organizations was then removed, this would enable the org member configuration to safely drift, and may enable more sophisticated Terraform setups (e.g. associating members to an org in a loop).

From here, members could be assigned to groups in two ways:

```hcl
resource "coderd_organization_member" "user_to_org" {
  id = "{uuid}"
  org = "{uuid}"
  groups = ["{uuid}", ...]
}
```

Since groups are org-wide, we could remove the `groups` attribute on a `coderd_user`, and have groups be associated when the user is associated with the org, via this new resource. However, this has the same issue mentioned above, where adding a user to a group via the UI will prompt Terraform to detect config drift and remove them from it on the next apply.

```hcl
resource "coderd_group_member" "user_to_group" {
  id = "{uuid}"
  group = "{uuid}"
}
```

Alternatively, to address the aforementioned config drift, we could have another resource specifically for assigning users to groups.

We also need to make a similar decision for how roles should be assigned to a user.
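
The drift behaviour discussed in this issue, as an added example that is not part of the original post or the provider's code: a small Python model comparing the authoritative `members` list, the `null` opt-out, and the proposed per-member resources. The function names, the `state` set and the sample users are assumptions, as is the premise that a per-member resource only touches memberships it created.

```python
"""Model of the three membership-management modes discussed in the issue.

Added illustration only: function names and the plan dictionaries are
hypothetical and are not the coderd provider's API.
"""
from typing import Optional


def plan_members_attribute(declared: Optional[set[str]], actual: set[str]) -> dict:
    """Existing `members` attribute: authoritative list, or null to opt out."""
    if declared is None:
        # null: membership is never inspected, so nothing is added, removed or reported.
        return {"add": set(), "remove": set(), "unmanaged": None}
    # Authoritative: anyone present but not declared (e.g. added via the UI) is removed.
    return {"add": declared - actual, "remove": actual - declared, "unmanaged": set()}


def plan_member_resources(declared: set[str], state: set[str], actual: set[str]) -> dict:
    """Proposed per-member resources (assumed semantics): Terraform owns only what it created."""
    return {
        "add": declared - actual,
        # Only memberships tracked in state and dropped from config are destroyed.
        "remove": (state - declared) & actual,
        # Out-of-band members survive every apply; surface them for access review.
        "unmanaged": actual - declared - state,
    }


# Constructed sample data: short names stand in for the user UUIDs.
DECLARED = {"alice", "bob"}
STATE = {"alice", "bob", "carol"}           # carol's resource was deleted from config
ACTUAL = {"alice", "bob", "carol", "dave"}  # dave was added through the UI

if __name__ == "__main__":
    print("members = [...] :", plan_members_attribute(DECLARED, ACTUAL))
    print("members = null  :", plan_members_attribute(None, ACTUAL))
    print("per-member      :", plan_member_resources(DECLARED, STATE, ACTUAL))
```

The `unmanaged` set is what an access review would need to check under per-member resources, since no apply reverts those memberships.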
