
Cannot assign custom roles to teams when using Team sync with SCIM enabled #152

Closed
joe-hutchinson-cko opened this issue Jul 2, 2023 · 14 comments

Comments

@joe-hutchinson-cko

If you have enabled Team sync with SCIM you cannot use the launchdarkly_team resource, as it fails with the following error:

Error when creating team "app.launchdarkly.developer-platform": 403 Forbidden: {"code":"forbidden","message":"teams are managed by your IdP"}

What this means is that you have no way to assign custom roles to teams managed by SCIM. What you'd typically see is a new resource type to define the relationship between role and team or having a variable on launchdarkly_custom_role where you can list teams that use it.

@ldhenry
Collaborator

ldhenry commented Jul 3, 2023

Hey @joe-hutchinson-cko,

This is happening because the team is not yet in Terraform's state so Terraform thinks it needs to create the team. Currently the best way to get around this is to do a Terraform import along the lines of:

terraform import launchdarkly_team.platform_team platform_team

After running that you should be able to manage the team's custom roles using Terraform.

It is also worth mentioning that you can only make changes to your synced teams' names and memberships via Okta, so I would recommend using Terraform's ignore_changes lifecycle meta-argument to ensure Terraform does not try to update these attributes on subsequent applies. As an example, I would expect your launchdarkly_team resource to look like this:

resource "launchdarkly_team" "platform_team" {
  key              = "platform_team"
  name             = "Platform team"
  description      = "Team to manage internal infrastructure"
  member_ids       = []
  maintainers      = ["12ab3c45de678910abc12345"]
  custom_role_keys = ["platform", "nomad-administrators"]

  lifecycle {
    # ignore_changes takes attribute references, not quoted strings
    ignore_changes = [
      # Ignore changes to name and member_ids because these are managed externally by Okta
      name,
      member_ids,
    ]
  }
}

With that being said, I recognize that this is not as clean as what you would get with a new resource dedicated to managing the custom role <> team relationship. I'll be sure to bring this up to the team after the 4th of July holiday.

Thanks,
Henry

@joe-hutchinson-cko
Author

Hey Henry. Thanks for looking into it; sadly the workaround isn't viable for me as I'm trying to write a single TF module that teams can use to set up project, team and roles in a standardised way. Given these are all new teams to LD it's not, as you say, a great first experience.

I wonder when you do a TF import how it behaves when you're doing a TF destroy.

Do let me know what the team says as this issue prevents me from rolling out LD for further teams.

@ldhenry
Collaborator

ldhenry commented Jul 3, 2023

Sorry to hear that @joe-hutchinson-cko. I'll keep you updated about the new resource later this week.

With regards to my workaround, deletion is a fair concern - see my comment below.

@ldhenry
Collaborator

ldhenry commented Jul 3, 2023

Hey @joe-hutchinson-cko, I did some more investigating on this and discovered that Terraform recently added the import block to Terraform v1.5.0. This should make it possible to work with the launchdarkly_team resource in a module. Here's a Terraform config that I used to test applying a custom role to a team that was created externally:

resource "launchdarkly_custom_role" "terraform_defined_role" {
  key         = "tf-role"
  name        = "Terraform defined role"
  description = "This is an example role"

  policy_statements {
    effect    = "allow"
    resources = ["proj/*:env/production:flag/*"]
    actions   = ["*"]
  }
  policy_statements {
    effect    = "allow"
    resources = ["proj/*:env/production"]
    actions   = ["*"]
  }
}

import {
  to = launchdarkly_team.synced_team
  id = "synced-team"
}

resource "launchdarkly_team" "synced_team" {
  key         = "synced-team"
  name        = "Synced Team"
  description = "This team is managed externally"
  member_ids  = []
  maintainers = ["12ab3c45de678910abc12345"]
  custom_role_keys = [
    launchdarkly_custom_role.terraform_defined_role.key,
  ]

  lifecycle {
    # The Team should be deleted via Okta before destroying it from the Terraform state
    prevent_destroy = true
    ignore_changes = [
      # Ignore changes to name and member_ids because these are managed externally by Okta
      name,
      member_ids,
    ]
  }
}

Also note, I added the prevent_destroy lifecycle meta-argument to prevent Terraform from trying to delete the synced team (this would also fail with a 403). I did test that if the team is first deleted via Okta then you can safely set prevent_destroy to false and successfully run a terraform destroy. However, this may not be necessary depending on how you are managing Okta in Terraform. The main thing is the Team should be deleted via Okta before destroying the launchdarkly_team resource.

Do you think this will work for you?

Thanks,
Henry

@joe-hutchinson-cko
Author

Sadly not viable for my use case as you can't use import blocks within a module. I'm grouping project, team and role into a single TF module so I can enforce standard settings.

@Gilles95

Gilles95 commented Jul 4, 2023

Hello,
I believe a solution that would work would be a new resource type. That resource type, maybe named something like team_role_binding, would do the role binding of the team only, as this is something we actually can do manually in the UI for a team managed with SCIM.

@ldhenry
Collaborator

ldhenry commented Jul 12, 2023

Hey @joe-hutchinson-cko and @Gilles95, we are planning to start dev work on the new resource tomorrow. I'll let you know when it's available.

@joe-hutchinson-cko
Author

That works for me, thanks both for dealing with this so quickly. If you want me to test it I'm happy to.

@Gilles95

Excellent! Thank you! Same here we can help to test.

@ldhenry
Collaborator

ldhenry commented Jul 18, 2023

@joe-hutchinson-cko and @Gilles95,

After a tough battle with our release pipeline, I just published v2.13.0 of the Terraform provider. This release includes the new launchdarkly_team_role_mapping resource which you can use to manage custom roles for a team that is managed via Okta SCIM.

Let me know if you run into any issues.

Also, I just noticed that the heading on the new docs page is incorrect. We'll fix that on the next release.

Cheers,
Henry

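The thread above ends with two building blocks: a launchdarkly_custom_role and the new launchdarkly_team_role_mapping resource for teams owned by Team sync with SCIM. As an added example (not code from this issue, the provider's docs, or either commenter), here is how the two can be packaged into the kind of single module Joe describes, so that the IdP keeps ownership of the team and Terraform only manages the role binding. The attribute names team_key and custom_role_keys on launchdarkly_team_role_mapping are taken from my reading of the provider documentation and should be checked against the provider version you run; the module path, variable names and role scope are constructed for the example.

```hcl
# modules/ld-team/main.tf  (constructed path for this example)

terraform {
  required_providers {
    launchdarkly = {
      source  = "launchdarkly/launchdarkly"
      version = ">= 2.13.2" # first release with the role mapping resource and corrected docs
    }
  }
}

variable "team_key" {
  description = "Key of the team that Team sync with SCIM has already created in LaunchDarkly"
  type        = string
}

variable "project_key" {
  description = "LaunchDarkly project the team is allowed to operate in"
  type        = string
}

# A role scoped to one project rather than proj/*: the team can manage flags in
# every environment of its own project, but the explicit deny keeps production
# flags out of reach even if a later allow statement is added carelessly.
resource "launchdarkly_custom_role" "team_developer" {
  key         = "${var.team_key}-developer"
  name        = "${var.team_key} developer"
  description = "Flag management for project ${var.project_key}, excluding production"

  policy_statements {
    effect    = "allow"
    resources = ["proj/${var.project_key}:env/*:flag/*"]
    actions   = ["*"]
  }
  policy_statements {
    effect    = "deny"
    resources = ["proj/${var.project_key}:env/production:flag/*"]
    actions   = ["*"]
  }
}

# The team itself is never declared here: its name and membership belong to the
# IdP, and declaring a launchdarkly_team would hit the 403 from the first comment.
# Only the team -> role binding is Terraform-managed.
# Assumption: attribute names team_key / custom_role_keys per the provider docs.
resource "launchdarkly_team_role_mapping" "team_developer" {
  team_key         = var.team_key
  custom_role_keys = [launchdarkly_custom_role.team_developer.key]
}

output "role_key" {
  description = "Key of the custom role bound to the SCIM-managed team"
  value       = launchdarkly_custom_role.team_developer.key
}
```

A caller instantiates it per team with something like `module "payments" { source = "./modules/ld-team" team_key = "payments" project_key = "payments" }`; because no launchdarkly_team resource is declared, there is nothing for the import block restriction on modules to block, and `terraform destroy` removes only the binding and the role, never the IdP-owned team. Note that the role keys a mapping carries replace whatever the team had, so one mapping per team is the intended shape.
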
@ldhenry
Collaborator

ldhenry commented Jul 18, 2023

I just released v2.13.1 with the docs fix.

@joe-hutchinson-cko
Author

Hey Henry, tested the fix, works great.

Only feedback is that the doc has a typo an -> and.

This resource allows you to manage the custom roles associated with LaunchDarkly team. This is useful if the LaunchDarkly team is created and managed externally, such as via Okta SCIM. If you wish to create an manage the team using Terraform, we recommend using the launchdarkly_team resource instead.

I'd also recommend using the term "Team sync with SCIM" to guide users who use that feature that they can't use the launchdarkly_team resource and must use this if they want to programmatically manage permissions for synced teams. Personal opinion here but it tripped me up when I first started integrating.

Thanks again for turning this around so quickly.

Joe

@ldhenry
Collaborator

ldhenry commented Jul 19, 2023

> Hey Henry, tested the fix, works great.
>
> Only feedback is that the doc has a typo an -> and.
>
> This resource allows you to manage the custom roles associated with LaunchDarkly team. This is useful if the LaunchDarkly team is created and managed externally, such as via Okta SCIM. If you wish to create an manage the team using Terraform, we recommend using the launchdarkly_team resource instead.
>
> I'd also recommend using the term "Team sync with SCIM" to guide users who use that feature that they can't use the launchdarkly_team resource and must use this if they want to programmatically manage permissions for synced teams. Personal opinion here but it tripped me up when I first started integrating.
>
> Thanks again for turning this around so quickly.
>
> Joe

I'm glad to hear it's working for you.

Also, docs feedback is always welcome. I'm happy to make that change.

@ldhenry
Collaborator

ldhenry commented Jul 19, 2023

We just released v2.13.2 to incorporate documentation feedback.

I'm going to close this issue since it seems to be resolved with the new resource. Feel free to reopen it if you run into any problems.

@ldhenry ldhenry closed this as completed Jul 19, 2023