Datadog user role not working as designed #28

Closed
hashibot opened this issue Oct 13, 2017 · 5 comments
@hashibot

This issue was originally opened by @s4mur4i as hashicorp/terraform#16337. It was migrated here as a result of the provider split. The original body of the issue is below.


Hi there,

Datadog Read-only user is not created, but a standard user is created

Terraform Version

Terraform version:

~/Downloads/terraform -v
Terraform v0.10.7

Terraform Configuration Files

resource "datadog_user" "test" {
  email  = "test@test.com"
  handle = "test@test.com"
  name   = "Test User"
  is_admin = false
  role = "ro"
}

Debug Output

Since we have a higher amount of other resources, only part is being inserted:

2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalCompareDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalGetProvider
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadState
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalApplyPre
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalApply
2017/10/13 11:17:52 [DEBUG] apply: datadog_user.test: executing Apply
datadog_user.test: Creating...
  disabled: "" => "false"
  email:    "" => "test@test.com"
  handle:   "" => "test@test.com"
  is_admin: "" => "false"
  name:     "" => "Test User"
  role:     "" => "ro"
  verified: "" => "<computed>"
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalCompareDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalGetProvider
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalCompareDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalGetProvider
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadState
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalCompareDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalGetProvider
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadState
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalApplyPre
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadState
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalApplyPre
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalApply

After running again I see the following:

2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalDiff
datadog_user.test: Modifying... (ID: test@test.com)
  role: "" => "ro"
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalCompareDiff
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalGetProvider
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalReadState
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalApplyPre
2017/10/13 11:17:52 [TRACE] root: eval: *terraform.EvalApply

On the Datadog dashboard I see the user as a standard user, not a read-only user.
If I manually edit the user to read-only, after the next terraform run it will be converted to a standard user.

Expected Behavior

Read Only user is created

Actual Behavior

Standard user is created, and modifications are not changing to read-only user

Steps to Reproduce

Please list the full steps required to reproduce the issue, for example:

  1. terraform init
  2. terraform apply
@nyanshak
Contributor

I believe you're actually looking for the 'access_role' field (that's what it's called in the Datadog API), but it's unfortunately not yet supported by this provider. Issue #4 is an open feature request to add the behavior you're looking for.

The current 'role' field refers to something different, something akin to "title" (such as "SRE" or "Lead Developer"). Unfortunately, there is a bug with this field referenced here #12, where it's impossible to actually set that role field after creation.

@s4mur4i

s4mur4i commented Oct 24, 2017

Then there is the second behavior, which is strange: why is the read-only user converted back to a standard user?
Could it be that (see https://docs.datadoghq.com/api/#user-update)
if no access_role is defined it reverts back to a standard user? That would sound strange to me.

@nyanshak
Contributor

As far as I can tell, with 0.10.7 terraform, 1.0.0 datadog provider, the provider never specifically sets access_role. The go-datadog-api user struct doesn't even have an access_role field.

Since we're not specifically sending access_role, this should be the equivalent of doing:

# api_key and app_key are expected to be set beforehand
user="example@example.com"

curl -X PUT -H "Content-type: application/json" \
     -d "{\"email\": \"${user}\", \"name\": \"alt user\"}" \
     "https://app.datadoghq.com/api/v1/user/${user}?api_key=${api_key}&application_key=${app_key}"

I've tested this (on a read-only user), and I still get back a read-only user. I've also tested sending both of these:

"access_role":  "", # empty string
"access_role": null, # explicitly send null

Sending either of those did not result in the role being changed back to 'st' for standard.

@crivetechie

As of go-datadog-api v2.8 the user struct supports the access_role field, and the is_admin field has been marked as deprecated. Any chance to leverage this to add feature #4?

@masci
Contributor

masci commented Jul 6, 2018

The role argument is confusing to say the least. I'm going to close this issue as the provider behaviour is (unfortunately) correct in terms of API calls. Going to schedule work to deprecate role (was removed from datadog docs too) and is_admin in favor of the solutions proposed in #4.

@masci masci closed this as completed Jul 6, 2018
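
An added example, not part of the original thread or the provider's code: a post-apply check that compares each user's live access_role with the intended level, which surfaces the case reported here (a user meant to be read-only ending up as standard). The response shape, the INTENDED map and the function name are assumptions, and the sample data is constructed.

```python
import json

# Constructed sample shaped like a Datadog v1 "list users" response; the
# field names (handle, role, access_role, disabled) are assumptions here.
SAMPLE_RESPONSE = json.dumps({"users": [
    {"handle": "test@test.com", "role": "ro", "access_role": "st", "disabled": False},
    {"handle": "viewer@example.com", "role": "SRE", "access_role": "ro", "disabled": False},
    {"handle": "left@example.com", "role": "", "access_role": "st", "disabled": True},
]})

# Hypothetical source of truth: the access level each handle is meant to have.
INTENDED = {
    "test@test.com": "ro",
    "viewer@example.com": "ro",
    "left@example.com": "ro",
    "absent@example.com": "ro",
}

# Privilege ordering: read-only < standard < admin.
RANK = {"ro": 0, "st": 1, "adm": 2}


def audit_access_roles(response_text, intended):
    """Return sorted (handle, finding) pairs where live access differs from intent."""
    users = {u["handle"]: u for u in json.loads(response_text).get("users", [])}
    findings = []
    for handle, want in intended.items():
        user = users.get(handle)
        if user is None:
            findings.append((handle, "not-found"))
            continue
        if user.get("disabled"):
            continue  # disabled accounts are out of scope for this check
        have = user.get("access_role")
        if have not in RANK:
            findings.append((handle, "unknown-access-role"))
        elif RANK[have] > RANK[want]:
            findings.append((handle, "over-privileged: want %s, have %s" % (want, have)))
        elif have != want:
            findings.append((handle, "under-privileged: want %s, have %s" % (want, have)))
        # An access-level code in the free-text title field suggests the mix-up from this issue.
        if user.get("role") in RANK and user.get("role") != have:
            findings.append((handle, "title-field-holds-access-code: %s" % user["role"]))
    return sorted(findings)


if __name__ == "__main__":
    for handle, finding in audit_access_roles(SAMPLE_RESPONSE, INTENDED):
        print(handle, finding)
```
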