databricks/terraform-provider-databricks

[ISSUE] Issue with `databricks_user` resource loses admin role with force = true

Closed this issue · 3 comments

force = true ignores the user's admin role when pulling the user from the admin console, and the user loses the admin role as an outcome.

Configuration

resource "databricks_user" "this" {
  user_name    = "grzegorz.rusin@someplace.com"
  display_name = "Grzegorz Rusin"
  active       = true
  force        = true
}

Expected Behavior

The user's admin role defined in the account console should be preserved if the user is imported for the first time.

Actual Behavior

When force = true tries to import a user, the admin role is lost. Because of this, on a mass import after Terraform state removal, all users in the account console will lose their admin status. Luckily, an attempt to remove the admin role from the last admin user via the console makes the account API throw an error.

Steps to Reproduce

  1. Make grzegorz.rusin@someplace.com an account admin, and make another user an account admin too.
  2. Remove the state.
  3. terraform apply
  4. grzegorz.rusin@someplace.com will no longer be an account admin, or an error will be thrown if grzegorz.rusin@someplace.com was the last account admin (there always has to be at least one account admin or the API will fail).

Terraform and provider versions

1.24.1

The same bug is also present on "databricks_group"; I just accidentally removed the "uc-admins-groups" admin role.

I am also guessing it will happen on SPNs as well (not tested).

@grusin-db once #2706 is completed (and a new release is out) - could you share the debug logs, so we understand which API calls are being made?

As far as I can tell, we do not make any calls to replace the user roles, so we need to understand if this behaviour happens in the backend.

Any news about this error? I'm facing the same problem in my Terraform code. I'm trying to add users dynamically from a group that I have in Azure; when I add a new user to the group, Terraform somehow tries to destroy the old users and recreate all users from the beginning.

data "databricks_group" "admins" {
  display_name = "admins"
}

resource "databricks_user" "adb-user" {
  for_each             = { for i, v in var.users_list : i => v }
  user_name            = each.value.mail
  display_name         = each.value.display_name
  allow_cluster_create = true
}

resource "databricks_group_member" "adb-admin-member" {
  for_each  = databricks_user.adb-user
  group_id  = data.databricks_group.admins.id
  member_id = each.value.id
}

I got this error:

╷
│ Error: cannot delete group member: Failed to update members of group users
│
│
╵
╷
│ Error: cannot delete group member: Failed to update members of group users
│
│
╵
╷
│ Error: cannot delete group member: Failed to update members of group users
│
│
╵
╷
│ Error: cannot delete group member: Failed to update members of group users
│
│
╵
╷
│ Error: cannot delete user: user Either missing permissions to delete  bbb.aaa@xyz.com or deleting own account.
│
│
╵
╷
│ Error: cannot delete group member: Failed to update members of group users
│
│
╵
╷
│ Error: cannot delete group member: Failed to update members of group users
│
│
╵
╷
│ Error: cannot create user: User with username bbb.aaa@xyz.com already exists.
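The destroy/recreate cascade in the comment above is what happens when `for_each` is keyed by the list index: inserting or reordering a member shifts every later key, so Terraform plans to delete and recreate the users behind those addresses (including the operator's own account, hence the "deleting own account" error). As an added example that is not the commenter's code, and assuming `var.users_list` is a list of objects with `mail` and `display_name` attributes as in the post, keying by the e-mail address keeps each resource address stable so only the new user is created:

```hcl
# Added example, not from the original thread. Assumes var.users_list is a
# list of objects with "mail" and "display_name" attributes and that each
# mail value is unique (it is the user_name, which Databricks requires to be unique).
locals {
  # Key by the stable e-mail address instead of the list position, so adding
  # or reordering group members never changes an existing resource address.
  users = { for u in var.users_list : u.mail => u }
}

resource "databricks_user" "adb-user" {
  for_each             = local.users
  user_name            = each.value.mail
  display_name         = each.value.display_name
  allow_cluster_create = true
}

resource "databricks_group_member" "adb-admin-member" {
  for_each  = databricks_user.adb-user
  group_id  = data.databricks_group.admins.id
  member_id = each.value.id
}
```

Switching the keys on an existing state still moves every instance address once, so review the plan and use `terraform state mv` (or a `moved` block per user) before applying, otherwise the first apply after the change would itself destroy and recreate the users.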