Adds skip_roles argument to okta_user resource.

Closes #1216
okta · Nov 17, 2022 · 6b36f9c · 6b36f9c
1 parent ab0a140
commit 6b36f9c
Show file tree

Hide file tree

Showing 5 changed files with 59 additions and 6 deletions.
diff --git a/okta/data_source_okta_user_test.go b/okta/data_source_okta_user_test.go
@@ -74,7 +74,7 @@ func TestAccDataSourceOktaUser_SkipAdminRoles(t *testing.T) {
 			{
 				Config: mgr.ConfigReplace(testOktaUserRolesGroupsConfig(false, true), ri),
 				Check: resource.ComposeTestCheckFunc(
-					resource.TestCheckResourceAttr("data.okta_user.test", "admin_roles.#", "0"),       // skipped
+					resource.TestCheckNoResourceAttr("data.okta_user.test", "admin_roles.#"),          // skipped
 					resource.TestCheckResourceAttr("data.okta_user.test", "group_memberships.#", "2"), // Everyone, A Group
 				),
 			},

diff --git a/okta/resource_okta_user.go b/okta/resource_okta_user.go
@@ -84,6 +84,12 @@ func resourceUser() *schema.Resource {
 					ValidateDiagFunc: elemInSlice(validAdminRoles),
 				},
 			},
+			"skip_roles": {
+				Type:        schema.TypeBool,
+				Optional:    true,
+				Default:     false,
+				Description: "Do not populate user roles information (prevents additional API call)",
+			},
 			"city": {
 				Type:        schema.TypeString,
 				Optional:    true,
@@ -470,10 +476,15 @@ func resourceUserRead(ctx context.Context, d *schema.ResourceData, m interface{}
 	if err != nil {
 		return diag.Errorf("failed to set user's properties: %v", err)
 	}
-	err = setAdminRoles(ctx, d, m)
-	if err != nil {
-		return diag.Errorf("failed to set user's roles: %v", err)
+	if val := d.Get("skip_roles"); val != nil {
+		if skip, ok := val.(bool); ok && !skip {
+			err = setAdminRoles(ctx, d, m)
+			if err != nil {
+				return diag.Errorf("failed to set user's admin roles: %v", err)
+			}
+		}
 	}
+
 	// Only sync when it is outlined, an empty list will remove all membership
 	if _, exists := d.GetOk("group_memberships"); exists {
 		err = setGroupUserMemberships(ctx, d, client)

diff --git a/okta/resource_okta_user_test.go b/okta/resource_okta_user_test.go
@@ -481,3 +481,38 @@ resource "okta_user" "test" {
 		},
 	})
 }
+
+func TestAccOktaUser_skip_roles(t *testing.T) {
+	ri := acctest.RandInt()
+	mgr := newFixtureManager(user)
+	config := `
+resource "okta_user" "test" {
+  first_name = "TestAcc"
+  last_name  = "Smith"
+  login      = "testAcc-replace_with_uuid@example.com"
+  email      = "testAcc-replace_with_uuid@example.com"
+  skip_roles = true
+}`
+	config = mgr.ConfigReplace(config, ri)
+	resourceName := fmt.Sprintf("%s.test", user)
+	email := fmt.Sprintf("testAcc-%d@example.com", ri)
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:          testAccPreCheck(t),
+		ErrorCheck:        testAccErrorChecks(t),
+		ProviderFactories: testAccProvidersFactories,
+		CheckDestroy:      testAccCheckUserDestroy,
+		Steps: []resource.TestStep{
+			{
+				Config: config,
+				Check: resource.ComposeTestCheckFunc(
+					resource.TestCheckResourceAttr(resourceName, "first_name", "TestAcc"),
+					resource.TestCheckResourceAttr(resourceName, "last_name", "Smith"),
+					resource.TestCheckResourceAttr(resourceName, "login", email),
+					resource.TestCheckResourceAttr(resourceName, "email", email),
+					resource.TestCheckNoResourceAttr(resourceName, "admin_roles.#"),
+				),
+			},
+		},
+	})
+}
diff --git a/website/docs/d/user.html.markdown b/website/docs/d/user.html.markdown
@@ -50,7 +50,7 @@ data "okta_user" "example" {
   - `expression` - (Optional, but overrides name/comparison/value) A raw search expression string. If present it will override name/comparison/value.
 - `compound_search_operator` - (Optional) Given multiple search elements they will be compounded together with the op. Default is `and`, `or` is also valid.
 - `skip_groups` - (Optional) Additional API call to collect user's groups will not be made.
-- `skip_roles` - (Optional) Additional API call to collect user's roles will not be made.
+- `skip_roles` - (Optional) Additional API call to collect user's roles will not be made. `admin_roles` will not be written to state if skipping roles.
 - `delay_read_seconds` - (Optional) Force delay of the user read by N seconds. Useful when eventual consistency of user information needs to be allowed for.
 
 ## Attributes Reference

diff --git a/website/docs/r/user.html.markdown b/website/docs/r/user.html.markdown
@@ -15,7 +15,12 @@ This resource allows you to create and configure an Okta User.
 ~> **IMPORTANT** If the provider is executed with a non-super user API token a
 403 occurs when the provider attempts to inspect the user's admin roles. This
 403 is swallowed and a warning is logged allowing the resource to continue
-without this error hindering it.
+without this error hindering it. An empty `admin_roles` array will be present in
+the resource state.
+
+~> **IMPORTANT** Use `skip_roles=true` to avoid `admin_roles` being present in
+resource state. This also prevents the underlying API call for those values to
+be made.
 
 ## Example Usage
 
@@ -130,6 +135,8 @@ The following arguments are supported:
 
 - `second_email` - (Optional) User profile property.
 
+- `skip_roles` - (Optional) Additional API call to collect user's roles will not be made. `admin_roles` will not be written to state if skipping roles.
+
 - `state` - (Optional) User profile property.
 
 - `status` - (Optional) User profile property. Valid values are "ACTIVE", "DEPROVISIONED", "STAGED", "SUSPENDED"