Feature Request: Manage Group Members for Groups #66
Comments
Hi @jeffchao! Thanks for the recommendation; this is definitely on our radar. I'd be curious to get your input if you're willing!

We've hit some challenges in referencing Doppler users in Terraform, both for this resource and others. It probably isn't a good idea for us to model users as Terraform resources because they can't really be "created"; Doppler invites become users once the invite has been accepted. With this in mind, we've explored two options for referencing users in other resources:

```hcl
# This is the group resource that exists today
resource "doppler_group" "backend" {
  name = "backend"
}

# Option 1: Reference Users By Email
# Would throw an error if the user does not exist in the workplace
resource "doppler_group_member" "backend" {
  for_each   = toset(["[email protected]", "[email protected]", "[email protected]"])
  group      = doppler_group.backend.id
  user_email = each.value
}

# Option 2: Reference Users as Data Sources
data "doppler_user" "nic" {
  email = "[email protected]"
}

data "doppler_user" "brian" {
  email = "[email protected]"
}

data "doppler_user" "andre" {
  email = "[email protected]"
}

resource "doppler_group_member" "backend" {
  # Data sources are referenced with the data. prefix
  for_each = toset([data.doppler_user.nic.id, data.doppler_user.brian.id, data.doppler_user.andre.id])
  group    = doppler_group.backend.id
  user     = each.value
}
```

Which of these options do you prefer? Option 1 is certainly more concise but less precise because a user could be removed and re-added with the same email address, resulting in a different Doppler user ID under the hood.
Hey @nmanoogian! Great to hear you're working on this. Few comments.

Option 1 will be difficult on the user-end because we'd have to maintain a list of addresses which would easily get out of sync with the source of truth (Doppler). On the Doppler side, you'll have to add in extra validations because we (as the user) are essentially passing in arbitrary strings. This would be problematic for you because the DevEx would be worse because you'd probably have to do that validation on apply. For systems that do merge -> apply (such as Terraform Cloud and Spacelift), this would be bad. Then, if you want to do it on plan, then you'd have to modify your provider to make calls out to Doppler using some sort of hook.

I like Option 2 because it clarifies that the data source is a read-only thing which is managed by Doppler. In particular, as a user, I would create users via Doppler UI through invites and such, then if I want some automation via Terraform/IaC, I can query Doppler for my users. I also get a bit of validation via the data source which means I can also use my IDE autocompletion to help me write my configurations. Also as you pointed out, the re-adding/removing of user IDs might be an issue, particularly around audit functionality for Enterprise-y team management use cases.
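The following is an added example, not code from any participant in this thread or from the Doppler provider. It takes the Option 2 schema proposed above as an assumption (the released provider's attribute names may differ), replaces the per-user data blocks with one `for_each` lookup, and pins each email to the user ID recorded at approval time so that an account removed and re-added under the same email stops the plan instead of inheriting group access. The variable name, emails and IDs are constructed placeholders.

```hcl
# Assumption: the schema proposed as Option 2 in this thread
# (data "doppler_user" looked up by email; doppler_group_member with group and user).

variable "backend_members" {
  description = "Email => Doppler user ID recorded when the member was approved"
  type        = map(string)

  # Constructed placeholder values
  default = {
    "member-one@example.com" = "PLACEHOLDER_USER_ID_1"
    "member-two@example.com" = "PLACEHOLDER_USER_ID_2"
  }
}

resource "doppler_group" "backend" {
  name = "backend"
}

# One lookup per approved email. Data sources are read during plan,
# so the result is available before anything is applied.
data "doppler_user" "member" {
  for_each = var.backend_members
  email    = each.key
}

resource "doppler_group_member" "backend" {
  for_each = data.doppler_user.member
  group    = doppler_group.backend.id
  user     = each.value.id

  lifecycle {
    # Refuse to grant membership if the email now resolves to a different
    # account than the one that was approved.
    precondition {
      condition     = each.value.id == var.backend_members[each.key]
      error_message = "Doppler user ID for ${each.key} no longer matches the approved ID; re-approve before granting group access."
    }
  }
}
```

Because the keys of `for_each` are the emails, the plan output stays readable while the membership itself is bound to the user ID.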
Awesome! Thanks for the detailed feedback, @jeffchao. I'll keep this issue updated with any developments 👍

We actually came to the same situation when we need to be able to manage membership of the users in the specific group via Terraform due to our Entra ID related processes within the company (we can't sync groups to Doppler). So, Option 2 looks fine to use as a possible solution.

Saw #72. Thanks folks. Will take a look.

Thanks again for your input on this, y'all! Please provide any feedback you may have on the new resources!

@ViacheslavKudinov - tagging you here too and thanks for the input!
You have a Doppler Terraform Provider which has a `group` resource. It would be nice to have the ability to manage (add/remove) users from a group. This would be useful for us to manage access to groups programmatically via Terraform.