
Group Membership Requires Canonical ID of user but okta_users data source does not provide this information. #2066

Open
vennemp opened this issue Aug 19, 2024 · 8 comments
Labels
enhancement Asking for new behavior or feature; waiting-response Waiting on collaborator to respond to follow-on discussion

Comments

@vennemp

vennemp commented Aug 19, 2024

The exported attribute id for the okta_users data source does not export the canonical id (e.g., 00gab6mseryB5VryV3g8), which is required to add a user to a group's membership. Ideally, managing group membership in Terraform should not require an okta_group_rule.

New or Affected Resource(s)

data okta_users
resource okta_group_memberships

Potential Terraform Configuration

It would be best if the group memberships would accept the user's login id and not just the canonical id. Or allow the okta_users data source to export the canonical id of the user, instead of a random integer which does not appear to be used anywhere in Okta's api's.

resource okta_group_memberships "default" {
    group_id = okta_group.default.id
    users = ["[email protected]", "[email protected]"]
}
@vennemp vennemp added the enhancement Asking for new behavior or feature label Aug 19, 2024
@exitcode0
Contributor

The datasource okta_users should return a list of Okta User IDs
Is this not the behavior you are seeing?

@vennemp
Author

vennemp commented Aug 20, 2024

resource okta_group_memberships "default" {
    group_id = okta_group.default[0].id
    users = local.user_ids
}

data okta_users "default" {
    count = length(var.group_assignment.members)
    search {
        name = "profile.login"
        value = var.group_assignment.members[count.index]
        comparison = "eq"
    } 
}

locals {
    user_ids = [for user in data.okta_users.default : user.id]
}

Output:
  # module.okta_saml[0].okta_group_memberships.default will be updated in-place
  ~ resource "okta_group_memberships" "default" {
        id       = "00gab6dseryH5VryV5h7"
      + users    = [
          + "1732668422",
          + "184324822",
          + "693571822",
        ]
        # (2 unchanged attributes hidden)
    }

@duytiennguyen-okta
Contributor

As @exitcode0 has pointed out, the data source okta_users is returning a list of users from the query. Have you checked your query via the API yet?

@duytiennguyen-okta duytiennguyen-okta added the waiting-response Waiting on collaborator to respond to follow-on discussion label Aug 20, 2024
@vennemp
Author

vennemp commented Aug 20, 2024

Yes - you can see the output of my tf in my previous comment. It is returning the users, but the id attribute of the user returned is not in a usable format for adding users to a group. It is a large string of integers and should be in a format like 00u12cd3chXBC2x1H4n9, which I am calling the canonical id for lack of a better term.

@vennemp
Author

vennemp commented Aug 21, 2024

Appreciate you guys taking the time to help, did you see my latest message?

@exitcode0
Contributor

I think your config might be incorrect

locals {
    user_ids = [for user in data.okta_users.default : user.id]
}

should instead be

locals {
    user_ids = [for user in data.okta_users.default.users : user.id]
}

I'd probably even recommend doing the following to avoid attempting to assign a deprovisioned user to a group or application

locals {
    user_ids = [for user in data.okta_users.default.users : user.id if user.status != "DEPROVISIONED"]
}

@vennemp
Author

vennemp commented Aug 22, 2024

Thanks but that doesn't seem to be right either. I played around with trying to parse the list out and it's still not working.

Maybe I'm reading the docs wrong - but that doesn't seem to be in line with the schema.

https://registry.terraform.io/providers/okta/okta/latest/docs/data-sources/users#nestedatt--users

user_ids = [for user in data.okta_users.default.users : user.id if user.status != "DEPROVISIONED"]
│ 
│ Because data.okta_users.default has "count" set, its attributes must be accessed on specific instances.
│ 
│ For example, to correlate with indices of a referring resource, use:
│     data.okta_users.default[count.index]

@exitcode0
Contributor

That error message suggests that you need to do something like the following to access a specific instance of this multi-instance resource definition, due to the use of the count meta-argument.

you'll need to do one of the following

# [*].users yields one users list per instance, so flatten them before iterating
user_ids = [for user in flatten(data.okta_users.default[*].users) : user.id if user.status != "DEPROVISIONED"]
user_ids = [for user in data.okta_users.default[0].users : user.id if user.status != "DEPROVISIONED"]
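Pulling the thread together, here is an added, complete configuration (not code posted by any participant or shipped by the provider) that keys the lookups by login with for_each instead of count, flattens the per-instance users lists, drops deprovisioned accounts, and fails the plan when a requested login resolves to no active user. The sample logins are constructed; the users, id and status attribute names follow the provider docs linked above, and the okta_group name is an assumption.

```hcl
# Constructed sample input: the logins that should be members of the group.
variable "group_members" {
  type    = set(string)
  default = ["[email protected]", "[email protected]"]
}

# Assumed group definition; any existing okta_group works here.
resource "okta_group" "default" {
  name = "example-group"
}

# One lookup per login. for_each keys instances by the login itself, so adding
# or removing one member does not shift every other instance's index the way
# count does, and each instance can be referenced as data.okta_users.by_login["<login>"].
data "okta_users" "by_login" {
  for_each = var.group_members
  search {
    name       = "profile.login"
    value      = each.value
    comparison = "eq"
  }
}

locals {
  # Each instance exposes a users list (nested attribute per the provider docs);
  # flatten collapses the per-instance lists into a single list of user objects.
  matched_users = flatten([for d in data.okta_users.by_login : d.users])

  # The canonical Okta user id (00u...) lives on each user object, not on the
  # data source's own id attribute. Skip accounts that are no longer active.
  user_ids = [for u in local.matched_users : u.id if u.status != "DEPROVISIONED"]

  # Logins that matched no active user, surfaced below so a typo or offboarded
  # account is an explicit error instead of a silently smaller membership.
  unresolved = [
    for login, d in data.okta_users.by_login : login
    if length([for u in d.users : u if u.status != "DEPROVISIONED"]) == 0
  ]
}

resource "okta_group_memberships" "default" {
  group_id = okta_group.default.id
  users    = local.user_ids

  lifecycle {
    precondition {
      condition     = length(local.unresolved) == 0
      error_message = "No active Okta user found for: ${join(", ", local.unresolved)}"
    }
  }
}
```

The precondition is the defensive piece: without it, a misspelled login or a deprovisioned account produces an empty users list for that instance, the filter drops it, and the group simply ends up with fewer members than intended with no signal in the plan.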
