temporalio / terraform-provider-temporalcloud

Terraform provider for Temporal Cloud
Mozilla Public License 2.0

[Bug] Service Account's namespace_accesses attribute is unordered #176

Open briankassouf opened 1 week ago

briankassouf commented 1 week ago

Describe the bug

The API returns the namespace access information back as a map and the Terraform provider specifies it as a List. This presents a problem since Go's map iteration is non-deterministic and causes fake drift between the stored state and the data we get back from Read.

Plan output:

Terraform will perform the following actions:

  # temporalcloud_service_account.namespace_admin will be updated in-place
  ~ resource "temporalcloud_service_account" "namespace_admin" {
        id                 = "5e5...ab2"
        name               = "developer"
      ~ namespace_accesses = [
          ~ {
              ~ namespace_id = "terraform2.d4h3u" -> "terraform.d4h3u"
              ~ permission   = "write" -> "admin"
            },
          ~ {
              ~ namespace_id = "terraform.d4h3u" -> "terraform2.d4h3u"
              ~ permission   = "admin" -> "write"
            },
        ]
        # (2 unchanged attributes hidden)
    }

Additionally, applying this change results in an error because the API detects this as no change and returns an error:

╷
│ Error: Failed to update Service Account
│
│   with temporalcloud_service_account.namespace_admin,
│   on user.tf line 69, in resource "temporalcloud_service_account" "namespace_admin":
│   69: resource "temporalcloud_service_account" "namespace_admin" {
│
│ nothing to change

Minimal Reproduction

Apply two namespaces and a service account with access to both:

resource "temporalcloud_namespace" "terraform" {
  name           = "terraform"
  regions        = ["aws-us-east-1"]
  retention_days = 14
  api_key_auth   = true
}

resource "temporalcloud_namespace" "terraform2" {
  name           = "terraform2"
  regions        = ["aws-us-east-1"]
  retention_days = 14
  api_key_auth   = true
}

resource "temporalcloud_service_account" "namespace_admin" {
  name           = "developer"
  account_access = "Developer"
  namespace_accesses = [
    {
      namespace_id = temporalcloud_namespace.terraform.id
      permission   = "admin"
    },
    {
      namespace_id = temporalcloud_namespace.terraform2.id
      permission   = "write"
    }
  ]
}

Run terraform plan until a change is detected
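
One way to flatten the API's map into a list with a stable order, as an added example that is not part of the original issue or the provider's code. The `NamespaceAccess` type and `flattenAccesses` function are hypothetical names, and the sample data is constructed from the namespace IDs in the plan output above.

```go
package main

import (
	"fmt"
	"sort"
)

// NamespaceAccess mirrors one element of the namespace_accesses list
// (hypothetical type for this example, not the provider's model).
type NamespaceAccess struct {
	NamespaceID string
	Permission  string
}

// flattenAccesses converts the map returned by the API into a list with a
// stable order: entries already in prior state keep their prior position,
// and namespaces new to the state are appended sorted by ID. Permissions
// always come from the API, so a real remote change still shows as drift.
func flattenAccesses(api map[string]string, prior []NamespaceAccess) []NamespaceAccess {
	out := make([]NamespaceAccess, 0, len(api))
	seen := make(map[string]bool, len(api))
	for _, p := range prior {
		perm, ok := api[p.NamespaceID]
		if !ok || seen[p.NamespaceID] {
			continue // access removed remotely, or duplicate entry in state
		}
		seen[p.NamespaceID] = true
		out = append(out, NamespaceAccess{NamespaceID: p.NamespaceID, Permission: perm})
	}
	added := make([]string, 0)
	for id := range api { // map iteration order is random: collect, then sort
		if !seen[id] {
			added = append(added, id)
		}
	}
	sort.Strings(added)
	for _, id := range added {
		out = append(out, NamespaceAccess{NamespaceID: id, Permission: api[id]})
	}
	return out
}

func main() {
	// Constructed sample data using the namespace IDs from the plan output.
	api := map[string]string{"terraform.d4h3u": "admin", "terraform2.d4h3u": "write"}
	prior := []NamespaceAccess{{"terraform.d4h3u", "admin"}, {"terraform2.d4h3u", "write"}}
	for i := 0; i < 3; i++ {
		fmt.Println(flattenAccesses(api, prior)) // same order on every call
	}
}
```

Declaring the attribute as a set instead of a list is the other common way to remove the ordering dependency, at the cost of a schema change.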

briankassouf commented 1 week ago

This will also affect the User resource once #177 merges