harbor_user fails updating user role when using LDAP auth #316

Open
deepbrook opened this issue Apr 21, 2023 · 0 comments
Labels
enhancement New feature or request

Comments

@deepbrook

When using LDAP as the authentication method, users created by it may not be updated via PUT /users/<user_id>; otherwise, a 409 is returned.

However, it's still allowed to set a user's role, specifically setting them as admin, as this uses a different
endpoint: /users/{user_id}/sysadmin.

In order to manage admin access, we have imported existing users - created via LDAP - into our harbor_user resource
blocks. The resource looks as follows:

```hcl
resource "harbor_user" "admins" {
  full_name = var.user
  email     = "unmanaged"
  username  = "unmanaged"
  password  = "unmanaged"
  admin     = false
  lifecycle {
    ignore_changes = [password, full_name, email, comment]
  }
}
```

When changing the admin attribute to true, the change is correctly displayed in the plan - only the admin attribute has changes.

However, during the apply operation, the PUT /users/$user_id endpoint is still contacted, despite having no changes to report. The API does not know this, of course, and flat out rejects the update operation on the user (because it's an LDAP user).

Expected behaviour

The provider should ignore the 409, as no changes need to be made and the response is irrelevant to the deployment.

Additional Notes

I can deduce that handling this nicely is probably a difficult task. Since there are several APIs in play, it may be a good idea to separate the admin attribute from the harbor_user resource altogether. For example, in a harbor_user_admin resource block.

@flbla flbla added the bug Something isn't working label Jul 28, 2023
@flbla flbla added enhancement New feature or request and removed bug Something isn't working labels Sep 29, 2023
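An added example, not taken from the issue or from the provider's code: one way an update step can avoid the 409 is to contact only the endpoint whose attributes actually changed, so an admin-only change goes to /users/{user_id}/sysadmin alone. The `User` type, `PutFunc`, `UpdateUser` and the `ldapHarbor` stand-in are hypothetical names, and the JSON field names (`realname`, `email`, `comment`, `sysadmin_flag`) are assumptions not stated on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// User mirrors the harbor_user attributes from the issue (hypothetical type).
type User struct {
	FullName, Email, Comment string
	Admin                    bool
}

// PutFunc sends one PUT request; a real client would wrap net/http here.
type PutFunc func(path string, body map[string]interface{}) error

// UpdateUser contacts only the endpoint whose attributes actually changed, so
// an admin-only change never reaches PUT /users/{id}.
func UpdateUser(put PutFunc, id int, old, cur User) error {
	path := fmt.Sprintf("/users/%d", id)
	if old.FullName != cur.FullName || old.Email != cur.Email || old.Comment != cur.Comment {
		profile := map[string]interface{}{"realname": cur.FullName, "email": cur.Email, "comment": cur.Comment}
		if err := put(path, profile); err != nil {
			return err
		}
	}
	if old.Admin != cur.Admin {
		return put(path+"/sysadmin", map[string]interface{}{"sysadmin_flag": cur.Admin})
	}
	return nil
}

// ldapHarbor is a constructed stand-in for Harbor in LDAP mode: profile updates
// fail with 409, the sysadmin endpoint succeeds. It records every path it saw.
func ldapHarbor(seen *[]string) PutFunc {
	return func(path string, _ map[string]interface{}) error {
		*seen = append(*seen, path)
		if !strings.HasSuffix(path, "/sysadmin") {
			return fmt.Errorf("PUT %s: 409 Conflict", path)
		}
		return nil
	}
}

func main() {
	var seen []string
	old, cur := User{Email: "unmanaged"}, User{Email: "unmanaged", Admin: true}
	fmt.Println(UpdateUser(ldapHarbor(&seen), 7, old, cur), seen)
}
```

With this gating, a genuine profile change on an LDAP user still surfaces the 409 instead of being silently swallowed, which keeps real drift visible while admin grants and revocations go through.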