Open exitcode0 opened 2 years ago
Thanks @exitcode0 , this sounds good to me.
Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-524620
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
@monde Just wanting to clarify if this was closed by stale-bot or if this is considered a won't fix?
Keeping open.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
Hey @monde - could you please re-open this one?
I just tried to add and remove a user from the group using the `okta_user_group_memberships` resource, and it's working as expected (provider v4.6.1).
@ilia-faraway - you're correct, the resource is currently working as expected. This issue is to request that additional functionality be added to this resource. The original issue is poorly worded though, I'll tweak it now to improve it.
Description
tl;dr - We should add `track_all_groups` to `okta_user_group_memberships`, similar to `okta_group_memberships`.

Currently the `okta_user_group_memberships` only manages user memberships it created; this allows it to co-exist with other management strategies such as click-ops or Okta Workflows. However, there are use-cases for wanting `okta_user_group_memberships` to be the definitive source of truth for all of a user's Okta group memberships, e.g. service accounts.

Having `track_all_users` on `okta_group_memberships` would allow me to prevent group membership drift on service account group memberships and allow me to be confident that my service accounts are still least privileged.

`track_all_users` would also allow for some interesting Terraform modules. For example, create a Terraform provider that accepts a group ID & justification string; you can then use a variable validator to ensure the justification string matches the expected format (e.g. contains a ticketing system URL).

The only current workaround that I know of is to manage all groups with Terraform and use `track_all_users` on every `okta_group_memberships`, but this is unrealistic as in my environment some groups are managed by systems outside of Terraform.

New or Affected Resource(s)

`okta_user_group_memberships`
Potential Terraform Configuration
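To make the request concrete, here is an added example configuration (not code from the issue author or from the Okta provider) showing how a small module would pin a service account's group memberships. It uses the existing `user_id`, `groups`, `group_id`, `users` and `track_all_users` attributes of the provider; the `track_all_groups` attribute is the requested one and does not exist, so it is left commented out to keep the configuration valid today. The variable names, the ticketing URL pattern and the group IDs are assumptions.

```hcl
# Added example, not part of the issue or the terraform-provider-okta code base.
# Variable names and the ticket URL format are assumptions for illustration.

variable "user_id" {
  type        = string
  description = "Okta user ID of the service account being pinned"
}

variable "group_ids" {
  type        = list(string)
  description = "The only Okta groups this service account is allowed to hold"
}

variable "justification" {
  type        = string
  description = "Why the account needs these groups; must reference a ticket"

  validation {
    # Assumed ticketing URL format; change the host and key pattern to match
    # the local ticketing system.
    condition     = can(regex("^https://tickets\\.example\\.com/browse/[A-Z]+-[0-9]+", var.justification))
    error_message = "justification must contain a ticket URL such as https://tickets.example.com/browse/SEC-123."
  }
}

# Current provider behaviour: this resource reconciles only the groups it
# added itself. A group granted out-of-band (click-ops, Okta Workflows)
# is not in state, so it survives `terraform apply` and drift goes unnoticed.
resource "okta_user_group_memberships" "service_account" {
  user_id = var.user_id
  groups  = var.group_ids

  # Requested attribute (hypothetical, not implemented in the provider):
  # when true, any group the user holds that is not listed in `groups`
  # would be removed on apply, mirroring track_all_users on
  # okta_group_memberships. Uncommenting this line fails validation today.
  # track_all_groups = true
}

# The only workaround available today: own each group's full membership
# list from the group side with the existing track_all_users attribute.
# This requires every group the service account touches to be managed by
# Terraform, which the issue explains is not realistic when some groups are
# owned by other systems.
variable "group_members" {
  type        = map(list(string))
  description = "Complete membership of each Terraform-managed group, keyed by group ID (assumed input shape)"
}

resource "okta_group_memberships" "workaround" {
  for_each = var.group_members

  group_id        = each.key
  users           = each.value
  track_all_users = true
}
```

Running `terraform plan` with the `track_all_groups` line uncommented is a quick way to confirm the attribute is still unsupported in the installed provider version; with it commented out, the plan only ever adds memberships and never reports a group that was attached to the service account outside Terraform.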