
[Bug] Adding a user to multi namespaces seems to re-create the user each time and not just give them read access #119

Closed
tony-powell-sp opened this issue Aug 30, 2024 · 11 comments
Assignees
Labels
bug Something isn't working

Comments

@tony-powell-sp

tony-powell-sp commented Aug 30, 2024

What are you really trying to do?

Create a user and assign to a namespace with a defined role so this is managed through code but each time it appears to re-create the user and they only have access to last namespace created.

Describe the bug

Minimal Reproduction

Environment/Versions

  • OS and processor: [e.g. M1 Mac, x86 Windows, Linux] Mac running Terraform
  • Temporal Version: [e.g. 1.14.0?] and/or SDK version terraform provider 0.0.11
  • Are you using Docker or Kubernetes or building Temporal from source? --- NO

Additional context

@tony-powell-sp tony-powell-sp added the bug Something isn't working label Aug 30, 2024
@swgillespie swgillespie self-assigned this Sep 20, 2024
swgillespie added a commit that referenced this issue Sep 24, 2024
This PR addresses #119, #116, and #115 by decoupling the definition of user accesses from the user itself, via a new resource: `temporalcloud_user_namespace_access`. This resource is intended to provide a many-to-many mapping between namespaces and users. Under the hood, this resource is manipulating a single User object via the API (as the underlying data model stashes all namespaces accesses on the user object), while also preserving the invariant that adding or removing a single user from a single namespace won't obliterate the list of permissions that a user has.

I do intend to write some more tests but I wanted to get this out quickly for review for some fast feedback before I write a bunch of tests that exercise things that might change in review.
@rohitgup14

@swgillespie Can I close this issue?

@jlacefie
Collaborator

jlacefie commented Nov 6, 2024

This should be resolved with the solution for #109

@jlacefie jlacefie assigned briankassouf and unassigned swgillespie Nov 6, 2024
@jlacefie
Collaborator

@tony-powell-sp we're struggling to recreate this scenario. Do you have more details or ways we can reproduce?

@jlacefie
Collaborator

jlacefie commented Nov 19, 2024

I was able to reproduce.

Here are the steps

  • Create a terraform1.TF file with a Namespace Resource for NS1 and a User Resource User1 with Namespace Access to NS1
  • Create a second terraform2.TF file with a Namespace Resource for NS2 and the same User Resource with Namespace Access to NS2
  • Run terraform1.TF
    -- NS1 created: temporalcloud_namespace.namespace: Creation complete after 1m46s [id=multinsusertest1.ksfop]
    -- User1 created with access to NS1: temporalcloud_user.developer: Creation complete after 1s [id=7772d588ae404f8dbe41fa4a74dc7084]
  • Run terraform2.TF
    -- NS2 created: temporalcloud_namespace.namespace: Creation complete after 1m42s [id=multinsusertest2.ksfop]
    -- User1's Namespace Access is wiped and the user has access to NS2 only: temporalcloud_user.developer: Creation complete after 1s [id=7772d588ae404f8dbe41fa4a74dc7084]

terraform1.TF

resource "temporalcloud_namespace" "namespace" {
  name               = "multinsusertest1"
  regions            = ["aws-us-east-1"]
  accepted_client_ca = base64encode(file("../ca.pem"))
  retention_days     = 30
}

resource "temporalcloud_user" "developer" {
  email          = "mut1@gmail.io"
  account_access = "Developer"
  namespace_accesses = [
    {
      namespace_id = temporalcloud_namespace.namespace.id
      permission   = "Read"
    }
  ]
}

terraform2.TF

resource "temporalcloud_namespace" "namespace" {
  name               = "multinsusertest2"
  regions            = ["aws-us-east-1"]
  accepted_client_ca = base64encode(file("../ca.pem"))
  retention_days     = 30
}

resource "temporalcloud_user" "developer" {
  email          = "mut1@gmail.io"
  account_access = "Developer"
  namespace_accesses = [
    {
      namespace_id = temporalcloud_namespace.namespace.id
      permission   = "Read"
    }
  ]
}
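The reproduction above declares the same `temporalcloud_user` in two separate configurations, so whichever apply runs last rewrites the user's whole `namespace_accesses` list. The configuration below is an added example, not from this thread or the provider's documentation: a single root module owns both namespaces and the one user resource, and lists every namespace access in that one resource, so only one state ever writes the user. The attribute names are the ones used in the reproduction; the namespace names and email are constructed values.

```hcl
# Added example: one module owns both namespaces and the single user.
resource "temporalcloud_namespace" "ns1" {
  name               = "multinsusertest1"   # constructed, mirrors the repro
  regions            = ["aws-us-east-1"]
  accepted_client_ca = base64encode(file("../ca.pem"))
  retention_days     = 30
}

resource "temporalcloud_namespace" "ns2" {
  name               = "multinsusertest2"   # constructed, mirrors the repro
  regions            = ["aws-us-east-1"]
  accepted_client_ca = base64encode(file("../ca.pem"))
  retention_days     = 30
}

# Exactly one temporalcloud_user resource, in one state, declares all of the
# user's namespace accesses. Adding a namespace means appending an entry here,
# not declaring the user again elsewhere.
resource "temporalcloud_user" "developer" {
  email          = "mut1@gmail.io"   # constructed
  account_access = "Developer"
  namespace_accesses = [
    {
      namespace_id = temporalcloud_namespace.ns1.id
      permission   = "Read"
    },
    {
      namespace_id = temporalcloud_namespace.ns2.id
      permission   = "Read"
    }
  ]
}
```

Because the underlying API re-invites an existing user rather than rejecting the duplicate create, the provider cannot detect the second declaration for you; the guard is ownership. Keep one Terraform state as the sole writer of a given user, and treat a second `temporalcloud_user` resource with the same email in another root module as a configuration error to catch in review, since its apply will silently replace the first access list.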

@jlacefie jlacefie assigned anekkanti and unassigned briankassouf and anekkanti Nov 21, 2024
@jlacefie
Collaborator

RCA - current logic for creating a user in Temporal allows for "re-inviting" users while their invitation is open, "not accepted".

The impact from the API is that the API will not fail a create request for an existing user.

@jlacefie
Collaborator

Document as a side-effect and behavior of the current underlying API. Also, recommend this is not best practice for TF.

@jlacefie jlacefie self-assigned this Nov 21, 2024
@jlacefie
Collaborator

docs addressed by #192

@jlacefie
Collaborator

also addressed by the Temporal docs PR temporalio/documentation#3219

@tony-powell-sp
Author

thanks @jlacefie I agree that terraform is not the best place but we have had issues trying to use the sdk to do the user management so we are just wanting to find a reliable method so that this is not a hand driven process and uniformity is across the environment!!

@tony-powell-sp
Author

glad you were able to re-create the condition :)

@jlacefie
Collaborator

jlacefie commented Dec 3, 2024

The first pass of this issue is resolved with documentation guidance.

@jlacefie jlacefie closed this as completed Dec 3, 2024
6 participants