jfrog/terraform-provider-artifactory

artifactory_unmanaged_user attaches default groups even when not shown in plan

Closed this issue · 4 comments

Describe the bug
Terraform version: v1.5.5
Terraform JFrog Artifactory Provider version: 10.0.2
Using JFrog Cloud with Artifactory version: 7.81.1

Hello there,

I'm trying to create some users for my JFrog Artifactory, and using the docs with a very simple artifactory_unmanaged_user resource, the users are being attached to the default readers group.
If the groups variable is empty then the readers group membership is not added, as correctly written in the docs:

groups - (Optional) List of groups this user is a part of. Notes: If this attribute is not specified then user's group membership is set to empty. User will not be part of default "readers" group automatically.

However, if I add a mygroup in the groups variable, then the plan shows only the mygroup being added. However, after the apply the user is also added to the default readers group.

terraform {
  required_providers {
    artifactory = {
      source  = "registry.terraform.io/jfrog/artifactory"
      version = "10.0.2"
    }
  }
}

provider "artifactory" {
  url           = "JFROG_HOST"
  access_token  = "ACCESS_TOKEN"
}

resource "artifactory_unmanaged_user" "test-user" {
  name     = "alexis-test-user"
  email    = "alexis@example.com"
  groups   = ["mygroup"]
}

Terraform will perform the following actions:

  # artifactory_unmanaged_user.test-user will be created
  + resource "artifactory_unmanaged_user" "test-user" {
      + admin                      = false
      + disable_ui_access          = true
      + email                      = "alexis@example.com"
      + groups                     = [
          + "mygroup",
        ]
      + id                         = (known after apply)
      + internal_password_disabled = false
      + name                       = "alexis-test-user"
      + profile_updatable          = true
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Running terraform apply a second time shows that the readers group is being removed.

Terraform will perform the following actions:

  # artifactory_unmanaged_user.test-user will be updated in-place
  ~ resource "artifactory_unmanaged_user" "test-user" {
      ~ groups                     = [
          - "readers",
            # (1 unchanged element hidden)
        ]
        id                         = "alexis-test-user"
        name                       = "alexis-test-user"
        # (5 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Requirements for an issue

  • A description of the bug
  • A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.
  • Your version of artifactory (you can curl it at $host/artifactory/api/system/version)
  • Your version of terraform
  • Your version of terraform provider

Expected behavior
I would expect to only add the groups under groups variable, exactly as shown in the terraform plan. Not the default ones.

Thank you for the support.

@Dragotic Thanks for the report, I've added this to our plan to investigate.

@Dragotic When a new user is created in JFrog, the system always adds the readers group to the user. This is default behavior. To avoid state drift, please include readers in your groups attribute.

The only exception is when groups attribute is not set/defined and the provider explicitly removes readers group from the user after creation.

@alexhung but that’s not a correct behavior. If I add the user from the UI I can remove the readers group. On terraform that’s not possible if I add a different group.

@Dragotic Yes, it requires a separate API request to add/remove groups. By default the readers group is always added to the user when created using the user API. I'm adding a step to set the groups as defined by the groups attribute.
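
Added example, not part of the original thread or the provider's code: a check that reads `terraform show -json <planfile>` output from a plan taken right after an apply with unchanged configuration, and reports users who hold groups the configuration never declared, as with `readers` in the second plan above. The sample plan JSON is constructed, and the function name and the `artifactory_unmanaged_user.ok` resource are assumptions made for illustration.

```python
import json

# Constructed sample: trimmed `terraform show -json <planfile>` output shaped
# like the second plan in this issue (the provider wants to remove "readers").
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {
            "address": "artifactory_unmanaged_user.test-user",
            "type": "artifactory_unmanaged_user",
            "change": {
                "actions": ["update"],
                "before": {"name": "alexis-test-user", "groups": ["mygroup", "readers"]},
                "after": {"name": "alexis-test-user", "groups": ["mygroup"]},
            },
        },
        {
            "address": "artifactory_unmanaged_user.ok",  # hypothetical resource
            "type": "artifactory_unmanaged_user",
            "change": {
                "actions": ["no-op"],
                "before": {"name": "ok", "groups": ["mygroup"]},
                "after": {"name": "ok", "groups": ["mygroup"]},
            },
        },
    ]
})

USER_TYPES = {"artifactory_unmanaged_user"}  # resource type from this issue


def undeclared_groups(plan_json: str) -> dict[str, list[str]]:
    """Map resource address -> groups the server holds but the plan will remove."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        if rc.get("type") not in USER_TYPES:
            continue
        change = rc.get("change", {})
        before, after = change.get("before"), change.get("after")
        if before is None or after is None:  # create or destroy: nothing to compare
            continue
        extra = set(before.get("groups") or []) - set(after.get("groups") or [])
        if extra:
            findings[rc["address"]] = sorted(extra)
    return findings


if __name__ == "__main__":
    for address, groups in undeclared_groups(SAMPLE_PLAN).items():
        print(f"{address}: undeclared group membership {groups}")
```

A non-empty result in a pipeline step after apply means the user currently has permissions from a group that was never reviewed in the plan.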