temporalio / terraform-provider-temporalcloud

Terraform provider for Temporal Cloud
Mozilla Public License 2.0

[Bug] Adding a user to multi namespaces seems to re-create the user each time and not just give them read access #119

Open tony-powell-sp opened 2 months ago

tony-powell-sp commented 2 months ago

What are you really trying to do?

Create a user and assign them to a namespace with a defined role so this is managed through code, but each time it appears to re-create the user and they only have access to the last namespace created.

Describe the bug

Minimal Reproduction

Environment/Versions

Additional context

rohitgup14 commented 1 month ago

@swgillespie Can I close this issue?

jlacefie commented 2 weeks ago

This should be resolved with the solution for #109

jlacefie commented 1 week ago

@tony-powell-sp we're struggling to recreate this scenario. Do you have more details or ways we can reproduce?

jlacefie commented 5 days ago

I was able to reproduce.

Here are the steps

terraform1.TF

resource "temporalcloud_namespace" "namespace" {
  name               = "multinsusertest1"
  regions            = ["aws-us-east-1"]
  accepted_client_ca = base64encode(file("../ca.pem"))
  retention_days     = 30
}

resource "temporalcloud_user" "developer" {
  email          = "mut1@gmail.io"
  account_access = "Developer"
  namespace_accesses = [
    {
      namespace_id = temporalcloud_namespace.namespace.id
      permission   = "Read"
    }
  ]
}

terraform2.TF

resource "temporalcloud_namespace" "namespace" {
  name               = "multinsusertest2"
  regions            = ["aws-us-east-1"]
  accepted_client_ca = base64encode(file("../ca.pem"))
  retention_days     = 30
}

resource "temporalcloud_user" "developer" {
  email          = "mut1@gmail.io"
  account_access = "Developer"
  namespace_accesses = [
    {
      namespace_id = temporalcloud_namespace.namespace.id
      permission   = "Read"
    }
  ]
}

jlacefie commented 3 days ago

RCA - the current logic for creating a user in Temporal allows for "re-inviting" users while their invitation is open ("not accepted").

The impact from the API is that the API will not fail a create request for an existing user.
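Given the root cause above, two Terraform states that each declare `temporalcloud_user.developer` for the same email both issue a create, and the second call's one-item `namespace_accesses` becomes the user's whole access list. The following is an added example, not code from the issue or from the provider's own documentation, of the single-state layout that avoids this: both namespaces and the one user are declared together, so the user's complete grant list is the desired state. Attribute names are the ones used in the reproduction above; the `local.developer_namespaces` map, the `ns` resource label and the `../ca.pem` path are constructed for the example.

```hcl
# Added example (not from the issue): declare each Temporal Cloud user in exactly
# one Terraform state and list every namespace grant on that single resource.

# Constructed for this example: one entry per namespace the developer may read.
locals {
  developer_namespaces = {
    multinsusertest1 = "Read"
    multinsusertest2 = "Read"
  }
}

resource "temporalcloud_namespace" "ns" {
  for_each = local.developer_namespaces

  name               = each.key
  regions            = ["aws-us-east-1"]
  accepted_client_ca = base64encode(file("../ca.pem"))
  retention_days     = 30
}

# One user resource carries the complete access list. Because the user is
# declared here only, a plan compares the full list against what the API
# reports, so a grant that differs shows up as a diff instead of being
# replaced by a second, partial declaration in another state.
resource "temporalcloud_user" "developer" {
  email          = "mut1@gmail.io"
  account_access = "Developer"

  namespace_accesses = [
    for ns_name, perm in local.developer_namespaces : {
      namespace_id = temporalcloud_namespace.ns[ns_name].id
      permission   = perm
    }
  ]
}
```

Adding a namespace for this user means adding one entry to `local.developer_namespaces` and applying from this root module; splitting the same user across a second root module (as terraform2.TF above does) is what triggers the re-create described in the RCA.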

jlacefie commented 3 days ago

Document as a side effect and behavior of the current underlying API. Also, recommend that this is not best practice for TF.

jlacefie commented 2 days ago

docs addressed by #192

jlacefie commented 2 days ago

also addressed by the Temporal docs PR https://github.com/temporalio/documentation/pull/3219

tony-powell-sp commented 2 days ago

Thanks @jlacefie, I agree that Terraform is not the best place, but we have had issues trying to use the SDK to do the user management, so we are just wanting to find a reliable method so that this is not a hand-driven process and uniformity is across the environment!!

tony-powell-sp commented 2 days ago

Glad you were able to re-create the condition :)