
iam_access_group_members not working as expected: deletes all existing users and replaces them #5887

Open
bastianentrup opened this issue Dec 19, 2024 · 0 comments
Labels: service/IAM (Issues related to IAM), service/Resource Management (Issues related to Resource Manager or Resource controller)

Comments


bastianentrup commented Dec 19, 2024

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform CLI and Terraform IBM Provider Version

Affected Resource(s)

  • ibm_iam_access_group_members

Terraform Configuration Files

Please include all Terraform configurations required to reproduce the bug. Bug reports without a functional reproduction may be closed without investigation.

provider "ibm" {
  # Uncomment if running locally
  ibmcloud_api_key = var.ibmcloud_api_key
  region           = var.region
  ibmcloud_timeout = 60
}

##############################################################################
# List of projects, i.e., resource groups, each with at least one owner
##############################################################################
# name could also be a list, which would allow dev, test, etc. environments per project if needed

locals {
  resource_groups = [
    {
      owners = ["[email protected]"]
      name   = "pic_temp_test"
    }
  ]
}

##############################################################################
# Invite users, set up resource groups and access groups
##############################################################################

# Invite all owners to the account
resource "ibm_iam_user_invite" "invite_user" {
  for_each = {
    for proj in local.resource_groups : proj.name => proj
  }
  users = each.value.owners
}

# Create the resource groups defined above
resource "ibm_resource_group" "resourceGroup" {
  for_each = {
    for proj in local.resource_groups : proj.name => proj
  }
  name = each.key
}

# Create an access group for each resource group
resource "ibm_iam_access_group" "accessgroups" {
  for_each = {
    for proj in local.resource_groups : proj.name => proj
  }
  name        = "${each.key}_owners"
  description = "Admin access group for ${each.key} project."
}

# Assign the owners as members of the access group.
# Note: this resource manages the complete member list of the group.
resource "ibm_iam_access_group_members" "accgroupmem" {
  for_each = {
    for proj in local.resource_groups : proj.name => proj
  }
  access_group_id = ibm_iam_access_group.accessgroups[each.key].id
  ibm_ids         = each.value.owners
}

# Grant each access group Editor and Viewer on its resource group
resource "ibm_iam_access_group_policy" "policy_rg" {
  for_each = {
    for proj in local.resource_groups : proj.name => proj
  }
  access_group_id = ibm_iam_access_group.accessgroups[each.key].id
  roles           = ["Editor", "Viewer"]

  resource_attributes {
    name  = "resourceType"
    value = "resource-group"
  }
  resource_attributes {
    name  = "resource"
    value = ibm_resource_group.resourceGroup[each.key].id
  }
}

Debug Output

Panic Output

Expected Behavior

When running the resource ibm_iam_access_group to create an access group and adding policies to it via ibm_iam_access_group_policy, it leaves in place policies that were created outside of Terraform (e.g., manually via the IBM Cloud GUI by a user). In this case you have the set of policies that were already in place, plus the ones defined in Terraform. But when using iam_access_group_members, it actually removes all existing users, including those that were added manually. You end up with only the users that were defined in Terraform, not those that were added manually. This is incoherent and unexpected.

Actual Behavior

Steps to Reproduce

You need, of course, to connect the script to IBM Cloud via an API key and then run:

  1. terraform apply

Important Factoids

References

  • #0000
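Because ibm_iam_access_group_members manages the full member list, the practical mitigation before an apply is to compare the group's current members with the declared ibm_ids and see who would be dropped. The following is an added example, not code from the issue or the provider; the member records are constructed sample data, and the field names (iam_id, type, email) are an assumption about what a member listing looks like, not taken from the issue.

```python
"""Preview which access-group members an apply of
ibm_iam_access_group_members would remove.

Added example (not from the issue): the resource owns the complete
member list, so any member present in the group but absent from
`ibm_ids` is deleted. CURRENT_MEMBERS is CONSTRUCTED sample data and the
record shape (iam_id, type, email) is an assumption, not the API's
documented schema.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    iam_id: str
    type: str          # "user" or "service"
    email: str = ""    # users only; service IDs carry no email


# Constructed current membership of a "pic_temp_test_owners" style group.
CURRENT_MEMBERS = [
    Member("IBMid-EXAMPLE01", "user", "owner@example.com"),          # declared in Terraform
    Member("IBMid-EXAMPLE02", "user", "Added.Manually@example.com"),  # added via the GUI
    Member("ServiceId-EXAMPLE03", "service"),                         # a service ID
]

# What the ibm_ids argument of the Terraform resource declares.
DECLARED_IBM_IDS = ["owner@example.com"]


def members_removed_by_apply(current, declared_ibm_ids):
    """Return every current member whose email is not in declared_ibm_ids.

    Emails are compared case-insensitively. A service ID has no email, so
    it never matches and is always reported; it would need to be managed
    explicitly rather than relying on ibm_ids.
    """
    declared = {e.strip().lower() for e in declared_ibm_ids}
    return [m for m in current if m.email.lower() not in declared]


def drift_report(current, declared_ibm_ids):
    """One human-readable line per member that the apply would drop."""
    return [f"would remove {m.type} {m.iam_id} {m.email}".rstrip()
            for m in members_removed_by_apply(current, declared_ibm_ids)]


if __name__ == "__main__":
    for line in drift_report(CURRENT_MEMBERS, DECLARED_IBM_IDS):
        print(line)
```

Run it against a real member listing before `terraform apply`; an empty report means the declared list already covers every current member.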