Group Membership Requires Canonical ID of user but okta_users data source does not provide this information. #2066
Comments
The datasource

resource "okta_group_memberships" "default" {
  group_id = okta_group.default[0].id
  users    = local.user_ids
}

data "okta_users" "default" {
  count = length(var.group_assignment.members)

  search {
    name       = "profile.login"
    value      = var.group_assignment.members[count.index]
    comparison = "eq"
  }
}

locals {
  user_ids = [for user in data.okta_users.default : user.id]
}

Output:
As @exitcode0 has pointed out, datasource |
Yes - you can see the output of my tf in my previous comment. It is returning the users but, the id attribute of the user returned is not in a usable format for adding users to a group. It is a large string of integers and should be in a format like: 00u12cd3chXBC2x1H4n9, which I am calling the canonical id for lack of a better term.
Appreciate you guys taking the time to help, did you see my latest message? |
I think your config might be incorrect

locals {
  user_ids = [for user in data.okta_users.default : user.id]
}

should instead be

locals {
  user_ids = [for user in data.okta_users.default.users : user.id]
}

I'd probably even recommend doing the following to avoid attempting to assign a deprovisioned user to a group or application

locals {
  user_ids = [for user in data.okta_users.default.users : user.id if user.status != "DEPROVISIONED"]
}
Thanks but that doesn't seem to be right either. I played around with trying to parse the list out and it's still not working. Maybe I'm reading the docs wrong - but that doesn't seem to be in line with the schema. https://registry.terraform.io/providers/okta/okta/latest/docs/data-sources/users#nestedatt--users
that error message suggests that you need to do something like the following to access a specific instance of this multi-instance resource definition, due to the use of count you'll need to do one of the following

user_ids = [for user in data.okta_users.default[*].users : user.id if user.status != "DEPROVISIONED"]

user_ids = [for user in data.okta_users.default[0].users : user.id if user.status != "DEPROVISIONED"]
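A complete configuration that resolves logins to user ids and feeds them to okta_group_memberships, as an added example that is not code from this thread or from the okta provider. It assumes Terraform 1.2 or later (for the resource precondition), the okta_users data source exposing users[*].id and users[*].status as in the linked docs, a hypothetical variable member_logins, and the okta_group.default[0] resource used earlier in the thread. Two points it shows that the thread's snippets do not: the user id lives in each data source instance's users list (the data source's own top-level id is a hash over the result set, not a 00u... user id), and with a multi-instance data source data.okta_users.X[*].users is a list of lists, so it has to be flattened before it can be passed as the users set.

```hcl
# Added example (not from the issue thread or the okta provider docs).
# Assumes: Terraform >= 1.2 (resource preconditions), the okta provider's
# okta_users data source exposing users[*].id and users[*].status, and a
# hypothetical list variable `member_logins` plus the okta_group.default
# resource referenced earlier in the thread.

variable "member_logins" {
  description = "Okta logins (profile.login) that should be members of the group"
  type        = list(string)
}

# One lookup per login. for_each (rather than count) keys each instance by the
# login, so adding or removing a member does not renumber the other lookups.
data "okta_users" "by_login" {
  for_each = toset(var.member_logins)

  search {
    name       = "profile.login"
    value      = each.value
    comparison = "eq"
  }
}

locals {
  # Each data source instance exposes a `users` list; the user's own id
  # (the 00u... value) is users[*].id. The data source's top-level `id`
  # is a hash over the result set, not an Okta user id, so it is not used.
  # Keyed by login so the precondition below can report which lookups failed.
  active_ids_by_login = {
    for login, ds in data.okta_users.by_login :
    login => [for u in ds.users : u.id if u.status != "DEPROVISIONED"]
  }

  # values() gives a list of lists; flatten() turns it into one list of ids.
  user_ids = flatten(values(local.active_ids_by_login))

  # Logins that resolved to zero active users (typo, or already deprovisioned)
  # or to more than one user (a search that is not actually unique).
  unresolved_logins = [
    for login, ids in local.active_ids_by_login : login if length(ids) != 1
  ]
}

resource "okta_group_memberships" "default" {
  group_id = okta_group.default[0].id
  users    = local.user_ids

  lifecycle {
    # Fail the plan instead of silently applying a smaller (or larger)
    # membership than was asked for.
    precondition {
      condition     = length(local.unresolved_logins) == 0
      error_message = "Logins that did not resolve to exactly one active Okta user: ${join(", ", local.unresolved_logins)}"
    }
  }
}
```

The precondition is the check worth keeping: without it, a mistyped login or a deprovisioned account simply drops out of local.user_ids and the group is applied with fewer members than intended, with no error. Filtering on status != "DEPROVISIONED" follows the thread; tightening it to status == "ACTIVE" would also exclude suspended and staged accounts if that is the policy you want.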
The exported attribute id for the okta_users data source does not export the canonical id, (e.g., 00gab6mseryB5VryV3g8) which is required to add a user to a group's membership. Ideally, managing group membership in terraform should not require an okta_group_rule.
New or Affected Resource(s)
data okta_users
resource okta_group_memberships
Potential Terraform Configuration
It would be best if the group memberships would accept the user's login id and not just the canonical id. Or allow the okta_users data source to export the canonical id of the user, instead of a random integer which does not appear to be used anywhere in Okta's api's.