OpenVPN / terraform-provider-cloudconnexa

OpenVPN Terraform CloudConnexa provider
https://registry.terraform.io/providers/OpenVPN/cloudconnexa
Apache License 2.0

Group membership changes when "group_id" property not explicitly set for "cloudconnexa_user" resource #10

Open sahaqaa opened 6 days ago

sahaqaa commented 6 days ago

Steps to reproduce

1/ Manually create via UI new group with name "testgroup"

2/ Manually create via UI new user with next properties:

Username: "test"
Groups: "testgroup"
Roles: "Member"
First name: "AAAAA"
Last Name: "BBBBB"
Email: "xxx@xxx.xxx" # replace with valid email

3/ Create test block and run "terraform plan":

resource "cloudconnexa_user" "this" {
  username   = "test"
  email      = "xxx@xxx.xxx" # replace with valid email
  first_name = "AAAAA"
  last_name  = "BBBBB"
}

4/ perform import via "terraform import cloudconnexa_user.this test@replace_with_your_tenant_name"

5/ run "terraform plan" // you will see that there are no changes.

6/ run "terraform apply" // you will see that there are no changes.

7/ Now do any change in TF code, and run "terraform apply", for example:

resource "cloudconnexa_user" "this" {
  username   = "test"
  email      = "xxx@xxx.xxx" # replace with valid email
  first_name = "AAAAA"
  last_name  = "CCCC"
}

Output:

  # cloudconnexa_user.this will be updated in-place
  ~ resource "cloudconnexa_user" "this" {
        id         = "test@replace_with_your_tenant_name"
      ~ last_name  = "BBBBB" -> "CCCC"
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

8/ Now refresh the UI and see that not only "Last Name" was changed, but the Group has also changed from "testgroup" to "Default". But as you can see, this change was not displayed in the output above.

This is not a critical or high-importance "bug", but ideally Terraform should have displayed that it's going to change the Group, to avoid unexpected changes.

Probably need to check CloudConnexa Go Client and data structure, since when resource is being destroyed it doesn't even show group field:

  # cloudconnexa_user.this will be destroyed
  - resource "cloudconnexa_user" "this" {
      - email      = "xxx@xxx.xxx" -> null
      - first_name = "AAAAA" -> null
      - id         = "test@replace_with_your_tenant_name" -> null
      - last_name  = "CCCC" -> null
      - role       = "MEMBER" -> null
      - username   = "test" -> null
    }

PS. To avoid ambiguity it is better to specify "group_id" for "cloudconnexa_user" resource, example:

data "cloudconnexa_user_group" "this" {
  name = "testgroup"
}
resource "cloudconnexa_user" "this" {
  username   = "test"
  email      = "xxx@xxx.xxx" # replace with valid email
  first_name = "AAAAA"
  last_name  = "CCCC"
  group_id   = data.cloudconnexa_user_group.this.user_group_id
}

sahaqaa commented 6 days ago

Created this as backlog task for visibility

sahaqaa commented 6 days ago

Side note, if we do steps from 1 to 6, but on step 7 we make like this:

data "cloudconnexa_user_group" "this" {
  name = "testgroup"
}
resource "cloudconnexa_user" "this" {
  username   = "test"
  email      = "xxx@xxx.xxx" # replace with valid email
  first_name = "AAAAA"
  last_name  = "CCCC"
  group_id   = data.cloudconnexa_user_group.this.user_group_id
}

then we will see that Terraform during apply will add property "group_id"

  # cloudconnexa_user.this will be updated in-place
  ~ resource "cloudconnexa_user" "this" {
      + group_id   = "382ffd23-5fda-4b0f-bd82-590cfdd75e49"
        id         = "test@replace_with_your_tenant_name"
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

I.e. originally the group in the UI was "testgroup", and after "terraform apply" it was still "testgroup".

And when running "terraform destroy" we can see that resource "cloudconnexa_user" has property "group_id":

  # cloudconnexa_user.this will be destroyed
  - resource "cloudconnexa_user" "this" {
      - email      = "xxx@xxx.xxx" -> null
      - first_name = "AAAAA" -> null
      - group_id   = "382ffd23-5fda-4b0f-bd82-590cfdd75e49" -> null
      - id         = "test@replace_with_your_tenant_name" -> null
      - last_name  = "CCCC" -> null
      - role       = "MEMBER" -> null
      - username   = "test" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.
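
Added example (not part of the issue thread and not the provider's code): because the group change described above never appears in the plan, a CI gate can instead reject any plan that writes to a "cloudconnexa_user" without "group_id" pinned. It assumes the plan was exported with "terraform show -json"; the sample plan, the extra resource addresses and the all-zero UUID are constructed for illustration.

```python
import json

# Constructed sample shaped like `terraform show -json <planfile>` output,
# trimmed to the fields used here; values mirror the issue's placeholders.
SAMPLE_PLAN = json.loads("""
{
  "resource_changes": [
    {"address": "cloudconnexa_user.this", "type": "cloudconnexa_user",
     "change": {"actions": ["update"],
                "before": {"username": "test", "last_name": "BBBBB", "group_id": null},
                "after":  {"username": "test", "last_name": "CCCC",  "group_id": null},
                "after_unknown": {}}},
    {"address": "cloudconnexa_user.pinned", "type": "cloudconnexa_user",
     "change": {"actions": ["update"],
                "before": {"username": "test2", "group_id": null},
                "after":  {"username": "test2",
                           "group_id": "00000000-0000-0000-0000-000000000000"},
                "after_unknown": {}}},
    {"address": "cloudconnexa_user.idle", "type": "cloudconnexa_user",
     "change": {"actions": ["no-op"],
                "before": {"username": "test3"}, "after": {"username": "test3"},
                "after_unknown": {}}}
  ]
}
""")

WRITE_ACTIONS = {"create", "update"}


def users_without_pinned_group(plan):
    """Return addresses of cloudconnexa_user resources that the plan will
    create or update while group_id is neither set nor known-after-apply."""
    flagged = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "cloudconnexa_user":
            continue
        change = rc.get("change", {})
        if not WRITE_ACTIONS & set(change.get("actions", [])):
            continue  # no-op, read or pure delete: the user object is not written
        after = change.get("after") or {}
        unknown = change.get("after_unknown") or {}
        if after.get("group_id") is None and not unknown.get("group_id"):
            flagged.append(rc["address"])
    return flagged


if __name__ == "__main__":
    for address in users_without_pinned_group(SAMPLE_PLAN):
        print(f"{address}: write planned without group_id; "
              "group membership may change outside the plan output")
```

In a pipeline, load the real plan JSON in place of the constructed sample and fail the job when the returned list is non-empty.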