go provider/user_resource: owner account_access

[jroof88]

This commit adds 'owner' as a valid value for the user.account_access attribute to fix this.

What was changed

Added owner field to user_resource.account_access possible options.

Why?

I am experiencing an issue after Account Owners have been assigned to my account. I change the account_access for the users that are now AccountOwners from 'admin' --> 'owner' but terraform is complaining with:

│ Error: Invalid Attribute Value Match
| Attribute account_access value must be one of: ['admin' 'developer' 'read'], got: 'owner'

If I don't do this, then our terraform consistently fails because Temporal reports these users as owners but our tf state has no drifted from what is actually in cloud.

Checklist

1. Closes [Bug] Update user resource to accept the new finadmin and account owner roles #132

2. How was this tested:
   ✅ Unit Tests
   ⏲️ Would need someone else to run integration tests with the setup

3. Any docs updates needed?
   I updated the tf documentation with:

go generate ./...

[CLAassistant]

All committers have signed the CLA.

[jlacefie]

@jroof88 TY for the contribution and PR. I'm going to fork this and test out locally.

2 items:

• we would want to add the new financeadmin to the list of account access
• I don't know how TF will behave given the restriction that account owners are only assignable by Temporal.
  The API will return "unable to update user: rpc error: code = InvalidArgument desc = please contact support to set the account owner role (type: bad-request, retryable: false)" if someone tries to add this role to a user.

[jroof88]

@jlacefie

• Do you want me to add FinanceAdmin to the list then?
• What would the solution be then? Why are Account Owners only assignable by Temporal? If that is the case, I don't know how we would fix this if the role for a terraform managed user has to be managed outside of terraform 🤔

[jlacefie]

Hi,

After testing this locally, it fails because the underlying API does not allow a user/service account to be updated/created with account owner. error - please contact support to set the account owner role (type: bad-request, retryable: false)

Instead of adding this as an option for account_access, are you able to import existing Account Owners? For example
terraform import temporalcloud_user.owner <owner userid>

Our docs on import are admittedly not that helpful and we'll file an issue to improve those. The import process requires

• an entry in the terraform.tf file that matches temporalcloud_user.owner
• passing in the id of the user which can be found using tcld user list

This PR could be ported to add support for the financeadmin role. That is optional as it's not clear that is helpful for you. If you would be willing to do this, here are the recommended changes:

• add "financeadmin" as an account_acess option to the user_resource and service_account resource files
• add "financeadmin" to each resources test files in this section of the tests

[jroof88]

@jlacefie

I am going to skip adding FinanceAdmin support cause it's not particularly useful to us right now.

The import solution feels only halfway there but is that the only option? If we implement it that way, we will have to:

1. Create users that aren't Account Owners
2. Reach out to Temporal to add that user as an Account Owner
3. Import the user to update tfstate

And by doing this, the actual terraform file will still have my user marked as admin which is incorrect and terraform will continue to try to update that user back to admin which will fail.

I'm curious where the gap is in being able to assign Account Owner as a role programmatically?

[jlacefie]

Hi,

The gap is actually policy, it was a deliberate design choice by Temporal. IIUC, because the Account Owner role is designed to have the highest level of permissions, Temporal made the decision to create a human-in-the-loop step as way to mitigate potential malicious behavior associated with undesired credential access or provisioning of the role.

For context, we are sharing this feedback with the team that manages RBAC for Temporal to share the experience and challenge created with TF use.

TY for this use case - the actual terraform file will still have my user marked as admin which is incorrect and terraform will continue to try to update that user back to admin which will fail.

Is this accurate:

• you have a .TF file with admins today
• a number of those admins will be promoted to owner
• the owner resource can be imported
• after import, drift occurs between terraform's state and the .tf file where state includes owner and .tf file includes admin
• at this point there is no way to use the .tf file because owner is not an acceptable value for account access

[jlacefie]

Hi Jack, TY for your patience.

After testing the scenario again, I'm +1 to this approach given the hard rule on Account Owners. While we can add this owner to account_access it can only be used in import scenarios and will fail in others.

I'll start a review for the PR now

[jlacefie]

please add a comment that owner can only be used for import purposes. Users will receive an error if they try to create or update a user with owner as this role can only be assigned by Temporal.

[jlacefie]

@jroof88 Did you see this item by chance?

[jlacefie]

made the small doc changes and merging now. TY again for the contribution.

[jlacefie]

test suite passed locally, doesn't run for outside contributions yet due to #131

merging

[jroof88]

Hi @jlacefie! I was on vacation the past week and a half. Thank you so much for getting this through. Very much appreciated.

I will close out the corresponding support ticket.