onelogin / terraform-provider-onelogin

GNU General Public License v3.0

User can't use apps despite being added to role #80

Open at-k opened 2 years ago

at-k commented 2 years ago

Example.

resource "onelogin_roles" "role" {
  name  = "Sample"
  # apps and users are lists of IDs
  apps  = [local.foobar.id]
  users = [
    usera.id,
    userb.id,
  ]
}

In this case, I expect "usera" and "userb" can use the "foobar" app via the OneLogin portal, but it doesn't work. The "foobar" app doesn't appear on usera/userb's portal site even though terraform plan doesn't show any diff.

This terraform resource uses the update user API, and I also confirmed it is reproducible with a curl-based implementation.

Is it correct behavior?

And I also find that add role user api works as expected for me.

The following script deletes/adds users from a Role.

# $TOKEN is an OAuth access token; $users is a comma-separated list of user IDs, e.g. 123,456
# delete
curl -H "Authorization: bearer $TOKEN" -X DELETE -H "Content-Type: application/json" -d "[$users]" "https://api.us.onelogin.com/api/2/roles/${roleid}/users"

# add
curl -H "Authorization: bearer $TOKEN" -X POST -H "Content-Type: application/json" -d "[$users]" "https://api.us.onelogin.com/api/2/roles/${roleid}/users"

If it is not a bug but the correct specification, I propose adding an "onelogin_user_role_attachments" resource, similar to the existing resource "onelogin_app_role_attachments". The OneLogin Go SDK would need to change for this proposal, too.

Give me your idea, please.
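The delete/add role-users calls from the script above, driven as a reconciliation (fetch current members, diff against the desired set, then DELETE and POST only the difference), as an added example that is not part of the original post or the provider's code. The `send` callback and the in-memory `make_fake_api` stand-in are assumptions so the logic runs offline; the caller's real `send` would add the `Authorization: bearer $TOKEN` header.

```python
import json
from typing import Callable, Iterable, Optional

# send(method, url, body_or_None) -> (status, response_text). Assumed interface:
# the caller's implementation adds the bearer token and performs the HTTP call.
ApiCall = Callable[[str, str, Optional[str]], tuple]

def plan_changes(current: Iterable[int], desired: Iterable[int]):
    """Set difference both ways: which user IDs to add and which to remove."""
    cur, want = set(current), set(desired)
    return sorted(want - cur), sorted(cur - want)

def sync_role_users(base_url: str, role_id: int, desired: Iterable[int], send: ApiCall):
    """Make the role contain exactly `desired`, using only the /roles/{id}/users
    endpoints. Assumes the list endpoint returns a JSON array of objects with an
    `id` field (an assumption, not confirmed by the thread)."""
    url = f"{base_url}/roles/{role_id}/users"
    status, text = send("GET", url, None)
    if status != 200:
        raise RuntimeError(f"GET {url} returned {status}")
    current = [u["id"] for u in json.loads(text)]
    to_add, to_remove = plan_changes(current, desired)
    # Remove first, then add, mirroring the order of the curl calls in the thread.
    for method, ids in (("DELETE", to_remove), ("POST", to_add)):
        if not ids:
            continue  # no request at all when nothing changes
        status, _ = send(method, url, json.dumps(ids))
        if status not in (200, 201, 204):
            raise RuntimeError(f"{method} {url} returned {status}")
    return to_add, to_remove

def make_fake_api(members: set):
    """Constructed in-memory stand-in for the role-users endpoints (offline demo)."""
    def send(method, url, body):
        if method == "GET":
            return 200, json.dumps([{"id": i} for i in sorted(members)])
        ids = json.loads(body)
        if method == "DELETE":
            members.difference_update(ids)
        elif method == "POST":
            members.update(ids)
        else:
            return 405, ""
        return 200, ""
    return send

if __name__ == "__main__":
    role = {11, 12, 13}  # constructed current membership of role 42
    print(sync_role_users("https://api.us.onelogin.com/api/2", 42, [12, 13, 14], make_fake_api(role)))
    print(sorted(role))
```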

schroedjan commented 1 year ago

We experience the same behaviour and can confirm that using the default role update API does not give access to applications for newly added users. However, the AddRoleUsers api works and also maps applications to users.

Is there any update on this topic?

Jmfwolf commented 1 year ago

We are in the process of standardizing our SDKs by using OpenAPI specifications. I have an OpenAPI-generated terraform-provider-onelogin in prerelease if you would like to try it out. https://github.com/onelogin/terraform-provider-onelogin/tree/openapi