Service account is being added to all new teams when the teams are created in terraform using ```cloudsmith_team```

[scott-doyland-burrows]

Terraform Version

Terraform v1.10.0
on linux_amd64

• provider registry.terraform.io/cloudsmith-io/cloudsmith v0.0.57

Affected Resource(s)

cloudsmith_team

Terraform Configuration Files

terraform {

  required_providers {
    cloudsmith = {
      source = "cloudsmith-io/cloudsmith"
    }
  }
}

provider "cloudsmith" {
  api_key = "[redacted]"
}

resource "cloudsmith_team" "team" {
  organization = "hogarth"
  slug         = "scott-test"
  name         = "scott-test"
  visibility   = "Visible"
}

Expected Behavior

Team is created without any members.

What actually happened?

Team is created. The service account that ran terraform apply becomes a member of the team.

I see this in the audit logs:

I do not know if this is expected behaviour or not? If so I need to update my actual code (above code is simplified) to ignore changes to the service account team membership.

If I remove the service account from the teams, then terraform does not add it back in again. So its only at team creation time that the service accounts gets added to the teams - which is also odd?

[BartoszBlizniak]

Hey @scott-doyland-burrows 👋 This is the expected behaviour as per our API behaviour. Our terrform provider will always be based on how our APIs have been developed and mimic that behaviour, so often when you see a behaviour like this, we work with engineers to get this fixed.

[scott-doyland-burrows]

OK - that does make sense, as I see I am added to the team if I create one manually via the UI.

What maybe needs to be considered then, is that I also have the service account created in terraform using cloudsmith_service.

What I do not have is any team blocks in that resource.

What I then see, is once I have applied terraform to create a new team, on a second apply the cloudsmith_service shows a diff and wants to remove itself from the teams. And this just stays as a constant diff - ie the service account is not removed from the teams.

So it looks like the service account resource needs some tweaking. Maybe I have complicated it by having the service account that is doing the terraforming, actually in terraform itself (ie I imported it into terraform after I created it).

My other option is to maybe just ignore any changes to the (not configured) team block.

[BartoszBlizniak]

Hey @scott-doyland-burrows - thank you for the feedback.

I do think one way around this would be to like you said, have a separate (externally managed) account that's doing the terraforming as this will constantly happen. Unless you do not mind having that service account in each team (so you can manage them via that Service account), then you can add that specific service account to each team during your provisioning which should get rid off the diffs.