okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

okta_user_group_memberships - track_all_groups #1218

Open exitcode0 opened 2 years ago

exitcode0 commented 2 years ago


Description

tl;dr - We should add track_all_groups to okta_user_group_memberships similar to okta_group_memberships

Currently, okta_user_group_memberships only manages the user memberships it created; this allows it to co-exist with other management strategies such as click-ops or Okta Workflows.

However, there are use-cases for wanting okta_user_group_memberships to be the definitive source of truth for all of a user's Okta group memberships, e.g. service accounts.

Having track_all_users on okta_group_memberships would allow me to prevent group membership drift on service account group memberships and allow me to be confident that my service accounts are still least privileged. track_all_users would also allow for some interesting Terraform modules. For example, create a Terraform provider that accepts a group ID and a justification string; you can then use a variable validator to ensure the justification string matches the expected format (e.g. contains a ticketing system URL).

The only current workaround that I know of is to manage all groups with Terraform and use track_all_users on every okta_group_memberships, but this is unrealistic as in my environment some groups are managed by systems outside of Terraform.

New or Affected Resource(s)

Potential Terraform Configuration

resource "okta_user" "this" {
  login      = "example@acme.com"
  email      = "example@acme.com"
  first_name = "example"
  last_name  = "service-account"
  status     = "ACTIVE"
}

resource "okta_user_group_memberships" "this" {
  user_id          = okta_user.this.id
  # Proposed attribute (not in the provider yet): when true, any membership of this
  # user that is not listed in `groups` would be removed on the next apply.
  track_all_groups = true
  groups = [
    okta_group.service_accounts.id,
    okta_group.google_users.id,
  ]
}

References
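The justification-gated module and the track_all_users workaround sketched above, written out as an added example (this is not code from the issue or from the provider). It assumes a module path ./modules/sa_group_membership, an Atlassian-style ticket URL format, and the okta_group and okta_user resources named in the issue. track_all_users on okta_group_memberships is an existing provider attribute; the proposed track_all_groups is not used here, which is why the module has to own the whole group rather than the user.

```hcl
# ./modules/sa_group_membership/main.tf  (hypothetical module)

variable "group_id" {
  type        = string
  description = "Okta group that Terraform will be authoritative for."
}

variable "user_ids" {
  type        = list(string)
  description = "The complete list of members; anyone else is removed on apply."
}

variable "justification" {
  type        = string
  description = "Ticket URL justifying these memberships."

  # Variable validator: refuse to plan unless the justification is a ticket URL.
  # The pattern is an assumption; adjust it to your ticketing system.
  validation {
    condition     = can(regex("^https://acme\\.atlassian\\.net/browse/[A-Z]+-[0-9]+$", var.justification))
    error_message = "justification must be a ticket URL such as https://acme.atlassian.net/browse/SEC-1234."
  }
}

# Today's workaround: be authoritative on the *group* side. With track_all_users = true
# the provider removes any member that is not in `users`, so click-ops additions to a
# service-account group are reverted on the next apply. The cost is that every member
# of the group, not just the service account, must be declared here.
resource "okta_group_memberships" "this" {
  group_id        = var.group_id
  users           = var.user_ids
  track_all_users = true
}

# ./main.tf  (root module, hypothetical)

resource "okta_group" "google_users" {
  name        = "google-users"
  description = "Users provisioned into Google Workspace"
}

module "google_users_members" {
  source        = "./modules/sa_group_membership"
  group_id      = okta_group.google_users.id
  user_ids      = [okta_user.this.id]
  justification = "https://acme.atlassian.net/browse/SEC-1234"
}
```

The justification only gates `terraform plan`/`apply`; it is not recorded in Okta, so keep it in version control alongside the module call. Groups that other systems manage cannot use this module, which is exactly the gap the requested track_all_groups would close.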

monde commented 2 years ago

Thanks @exitcode0 , this sounds good to me.

monde commented 2 years ago

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-524620

github-actions[bot] commented 2 years ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

exitcode0 commented 1 year ago

@monde Just wanting to clarify if this was closed by stale-bot or if this is considered a won't fix?

monde commented 1 year ago

Keeping open.

github-actions[bot] commented 1 year ago

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

exitcode0 commented 1 year ago

Hey @monde - could you please re-open this one? 🙂

ilia-faraway commented 11 months ago

I just tried to add and remove a user from the group using the okta_user_group_memberships resource - and it's working as expected (provider v4.6.1).

exitcode0 commented 11 months ago

@ilia-faraway - you're correct, the resource is currently working as expected. This issue is to request that additional functionality be added to this resource. The original issue is poorly worded though, I'll tweak it now to improve it.
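Until track_all_groups exists, the provider will not notice memberships a service account picked up outside Terraform. The following drift audit is an added example, not code from the issue or from the provider: it compares the groups Okta reports for a user (GET /api/v1/users/{id}/groups, following Link rel="next" pagination) with the set declared in Terraform. The sample API response, the org URL and the group IDs are constructed; the Okta endpoint, the SSWS authorization scheme and the BUILT_IN type of the Everyone group are real.

```python
"""Audit a user's live Okta group memberships against the set declared in Terraform."""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass
from typing import Iterable

# Constructed sample of an abridged GET /api/v1/users/{id}/groups response.
# "okta-admins" is the drift we want to catch; "Everyone" is BUILT_IN and unmanageable.
SAMPLE_GROUPS_RESPONSE = [
    {"id": "00g1aaaa", "type": "OKTA_GROUP", "profile": {"name": "service-accounts"}},
    {"id": "00g2bbbb", "type": "OKTA_GROUP", "profile": {"name": "google-users"}},
    {"id": "00g3cccc", "type": "OKTA_GROUP", "profile": {"name": "okta-admins"}},
    {"id": "00g0ever", "type": "BUILT_IN",   "profile": {"name": "Everyone"}},
]

# What the Terraform config (okta_user_group_memberships.groups) declares; constructed.
DECLARED_GROUP_IDS = ["00g1aaaa", "00g2bbbb"]


@dataclass(frozen=True)
class Drift:
    extra: frozenset[str]    # in Okta but not declared: someone added it outside Terraform
    missing: frozenset[str]  # declared but not in Okta: Terraform state is ahead of reality

    def clean(self) -> bool:
        return not self.extra and not self.missing


def compute_drift(declared: Iterable[str], live_groups: list[dict],
                  ignore_built_in: bool = True) -> Drift:
    """Compare declared group IDs with the groups Okta returned for the user."""
    live_ids = {
        g["id"] for g in live_groups
        if not (ignore_built_in and g.get("type") == "BUILT_IN")
    }
    declared_ids = set(declared)
    return Drift(extra=frozenset(live_ids - declared_ids),
                 missing=frozenset(declared_ids - live_ids))


def next_link(link_header: str | None) -> str | None:
    """Return the rel="next" URL from an Okta Link header, or None on the last page."""
    if not link_header:
        return None
    for part in link_header.split(","):
        url, _, params = part.partition(";")
        if 'rel="next"' in params.replace(" ", ""):
            return url.strip().strip("<>")
    return None


def fetch_user_groups(org_url: str, api_token: str, user_id: str) -> list[dict]:
    """Live fetch (network): page through /api/v1/users/{id}/groups with an SSWS token."""
    url: str | None = f"{org_url.rstrip('/')}/api/v1/users/{user_id}/groups?limit=200"
    groups: list[dict] = []
    while url:
        req = urllib.request.Request(
            url, headers={"Authorization": f"SSWS {api_token}", "Accept": "application/json"})
        with urllib.request.urlopen(req, timeout=30) as resp:
            groups.extend(json.load(resp))
            url = next_link(resp.headers.get("Link"))
    return groups


def report(drift: Drift, live_groups: list[dict]) -> list[str]:
    """Human-readable lines naming each drifted group, for a CI job or alert."""
    names = {g["id"]: g["profile"]["name"] for g in live_groups}
    lines = [f"EXTRA   {gid} ({names.get(gid, '?')})" for gid in sorted(drift.extra)]
    lines += [f"MISSING {gid}" for gid in sorted(drift.missing)]
    return lines or ["OK: memberships match the declared set"]


if __name__ == "__main__":
    # Offline run on the constructed sample; swap in fetch_user_groups(...) for a real org.
    drift = compute_drift(DECLARED_GROUP_IDS, SAMPLE_GROUPS_RESPONSE)
    print("\n".join(report(drift, SAMPLE_GROUPS_RESPONSE)))
```

Run it on a schedule against each service account and fail the job when `clean()` is false; the `extra` set is precisely what a track_all_groups = true apply would remove, so the audit doubles as a dry run of the requested behaviour.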