@smishra96 smishra96 commented Sep 19, 2025

Description

This PR addresses a bug where service account users were visible while using team tokens. The tfe_team_organization_memberships resource was modified to ignore non-service account member ids during operations.

Note: If a user has a service-account organization membership id in the tfe_team_organization_memberships memberships list, they would keep on seeing drifts even after a successful apply as the resource would not be managing a sa membership id.

Testing plan

  1. Use a team token to create organization memberships using tfe_team_organization_memberships resource
  2. There should be no Drift detected while doing so

Output from acceptance tests

Example

Bug: A drift appears when doing terraform plan using team token in the list of membership ids in tfe_team_organization_memberships resource because the service account members are not being ignored.

IPL-6481.mp4

@smishra96 smishra96 requested a review from a team as a code owner September 19, 2025 13:45

Maed223 (Contributor) commented Sep 29, 2025

Hey @smishra96, I think we could better solve this issue through smarter use of the API rather than the added filtering for non-service accounts.

Currently the resource uses go-tfe's TeamMembers.ListOrganizationMemberships where we just return the result of the include of organization memberships on a Team. A better route here would be to use OrganizationMemberships.List, where the endpoint automatically filters out service accounts so we can avoid the overhead of doing this in the provider. The one catch is that go-tfe currently doesn't implement the filter[team]=team_external_id query param that would be needed and is otherwise present on the OrganizationMemberships controller. I think a better route for a solution here would be to update go-tfe's OrganizationMembershipListOptions to have a Team filter, and to then make use of it here in the provider.

smishra96 (Author)

> the endpoint automatically filters out service accounts so we

Hello @Maed223,

The reason why I did the implementation this way was that the UI also functions in a similar way, ignoring service accounts using the is-service-account flag. Hence, a similar approach was suggested by @brandonc here: https://hashicorp.slack.com/archives/C01BR9FR8KZ/p1758053460838739?thread_ts=1758014882.375959&cid=C01BR9FR8KZ

But let me also explore the approach that you are suggesting. Will post my findings as soon as I am done.
