Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We鈥檒l occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support reading existing objects that are not managed by tf #68

Open
Taoquitok opened this issue Jan 3, 2020 · 2 comments
Open

Support reading existing objects that are not managed by tf #68

Taoquitok opened this issue Jan 3, 2020 · 2 comments

Comments

@Taoquitok
Copy link

Taoquitok commented Jan 3, 2020
edited

Community Note

  • Please vote on this issue by adding a 馃憤 reaction to the original issue to help the community and maintainers prioritise this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritise the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Description

I'm currently managing an artifactory instance were some users are managed by TF, and some are not (I know... don't ask...).
Blindly adding users to TF causes their passwords to be reset as TF plan reports it will "add" (create) the users rather than modify, and TF apply just reports they've been created, presumably as it's not aware that it's inadvertently overwriting... which for a bulk import of all users to bring them into state would be very disruptive.

I've experimented with using terraform Import, but it's cumbersome and requires an external loop over all named resources as it doesn't seem to accommodate for importing the whole run.
As a good work around, and useful extension to this provider, It would be useful if either the existing artifactory_user resource did some validation checks against artifactory (or had a flag to allow for this).
Alternatively if there was a data source for each available resource (or at least artifactory_user) to allow for gathering of unmanaged state then that could be used as a base for migrating un-managed to a managed state.

New or Affected Resource(s)

artifactory_user
data artifactory_*

Potential Terraform Configuration

variable "users_group_map" {
  type = list(object({ name = string, email = string, groups = list(string) }))

  default = [
    {
      name   = "managed_user"
      email  = "managed_user@domain.com"
      groups = ["group1"]
    },
    {
      name   = "unmanaged_user1"
      email  = "unmanaged_user1@domain.com"
      groups = ["group1"]
    },
    {
      name   = "unmanaged_user2"
      email  = "unmanaged_user2@domain.com"
      groups = ["group1"]
    }
  ]
}

resource "artifactory_user" "user" {
  count  = length(var.users_group_map)
  name   = var.users_group_map[count.index]["name"]
  email  = var.users_group_map[count.index]["email"]
  groups = var.users_group_map[count.index]["groups"]
}
# example of using terraform import, looping over all users is plausible, but clunky
terraform init
terraform import artifactory_user.user[0] unmanaged_user1
terraform import artifactory_user.user[1] unmanaged_user2
...
terraform import artifactory_user.user[999] unmanaged_user999
# etc
@jamestoyer
Copy link
Contributor

Which version of the provider are you using? By default in v2.0.0-alpha1 if you do not set a password on a user it will not manage the password or change it. I can confirm this is the behaviour as we have imported many users using this method. The docs I have written around this should also confirm this behaviour, although I'm happy to update if incorrect:

Note: User passwords are never returned through the API. Since they are never returned they cannot be managed by directly through Terraform. However, it is possible to store a "known" state for the password and make changes if it's updated in Terraform. If no password is given a random one is created otherwise that value is used. It's also worth noting "removing" the password argument does not reset the password; it just removes Terraform from storing the "known" state.

I also believe your import commands are incorrect for the example you listed. The correct syntax is:

terraform import "artifactory_user.user[1]" unmanaged_user1
terraform import "artifactory_user.user[2]" unmanaged_user2

@Taoquitok
Copy link
Author

Taoquitok commented Jan 6, 2020
edited

Which version of the provider are you using?

We're building the provider off master. A quick comparison to v2.0.0-alpha1 doesn't show any obvious user affecting differences that could explain why passwords are being reset.
For sanity I've just tested with a brand new user, created them manually, confirmed can log in, and then ran terraform. Plan and apply both reported a creation artifactory_user.user[0]: Creation complete after 1s [id=testuser], and relogging with that user confirmed that their password has now been reset, so in the case of attempting to manage an existing object, if it's not already in terraform it will get overridden.

I also believe your import commands are incorrect for the example you listed. The correct syntax is:

Thanks for the correction, I've tested your suggestion and corrected my issue to reflect that it does work as expected to import, though would still be clunky to complete / repeat on a regular basis to resolve any manual creations.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@jamestoyer @Taoquitok