Allow for the Management of Users #202

Open
anaghshineh opened this issue Sep 25, 2023 · 16 comments
@anaghshineh

Hey, @b-per - me again 😁. I'd love the flexibility to be able to create & remove users via this Terraform provider. I am not seeing a pre-existing user-related endpoint to allow for this. Is this something that you can support?

Example from Fivetran Terraform provider: https://registry.terraform.io/providers/fivetran/fivetran/latest/docs/resources/user

@b-per
Collaborator

b-per commented Sep 26, 2023

There are endpoints but they are not extremely documented.

One of the key differences as well with other configs is that we don't create a user but we invite her/him (e.g. it requires some action on the user side to accept the invite). From a quick look this seems to be the way Fivetran works as well so this scenario should still work in the Terraform way of handling config.

I might have a look in the future to try to add the capability but I won't be able to work most likely until after Coalesce.

@will-sargent-dbtlabs
Contributor

will-sargent-dbtlabs commented Sep 26, 2023

Also @anaghshineh to add additional info to what @b-per said, currently, users are only "deactivated" in our systems (soft-deleted) rather than fully removed, including separate records for licenses that also need to be de-provisioned. i.e -> It's not trivial to both deactivate a user, and clear their license allocations for a given account.

Full SCIM capabilities (via the dbt Cloud Rest API, not Terraform specifically) are currently in development, which should reduce the amount of complexity necessary to remove users.

That being said, I agree it would be amazing to have via Terraform. I'm a big fan, and look forward to helping Benoit where I can on this.

@anaghshineh
Author

Thanks, @b-per! I was actually having a similar conversation with @Stevedow99, and he mentioned the invites as well. That makes sense.

He pointed me to these two endpoints:
List Invites
Retrieve Invite

A few questions:

  • Do invites expire?
  • Looks like invited users are not included in results from hitting the users endpoints. Will the id associated with an invited user be the same as the id for the user after exercising their invite?
  • Can you send another invite to a user if they've already been invited?

@anaghshineh
Author

@will-sargent-dbtlabs - that's awesome. Agree that it would be amazing to be able to do this via Terraform. Selfishly, would love for you to work on this before Coalesce. Let me know if there are more details I can provide!

@b-per
Collaborator

b-per commented Sep 26, 2023

I just did some quick initial testing of the invite API and here is what I found:

  • Do invites expire?
    • Yes, invites expire. I don't remember if this is after 1 or 2 weeks
  • Looks like invited users are not included in results from hitting the users endpoints. Will the id associated with an invited user be the same as the id for the user after exercising their invite?
    • From what I saw the id when querying https://emea.dbt.com/api/v2/accounts/<accid>/invites/ is not the same as the id of the user once they accept the invite. I guess that the first id is the invite_id and not the future user_id
  • Can you send another invite to a user if they've already been invited?
    • Yes, each invite triggers a new email to the user
    • I have not tested attaching different permissions with each API call though
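
The findings in the comment above (invites expire, the invite id is not the later user id, and every invite call sends a new email) mean that an audit of outstanding invites has to join on email rather than id. The following is an added example, not part of the comment or of the provider's code; the record field names and the 7-day TTL are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumption: the thread only says invites expire after "1 or 2 weeks",
# so the TTL is a parameter here, not a documented value.
ASSUMED_INVITE_TTL = timedelta(days=7)


def reconcile_invites(invites, users, now, ttl=ASSUMED_INVITE_TTL):
    """Classify invited emails as accepted, pending or expired.

    Invite ids and user ids are different values (per the thread), so the
    only join key used is the normalized email address.
    """
    user_emails = {u["email"].strip().lower() for u in users}
    by_email = {}
    for inv in invites:
        by_email.setdefault(inv["email"].strip().lower(), []).append(inv)

    report = {"accepted": [], "pending": [], "expired": [], "duplicates": {}}
    for email, group in sorted(by_email.items()):
        if len(group) > 1:
            # Each invite call sends a new email, so repeats accumulate.
            report["duplicates"][email] = sorted(i["id"] for i in group)
        if email in user_emails:
            report["accepted"].append(email)
            continue
        newest = max(i["created_at"] for i in group)
        status = "expired" if now - newest > ttl else "pending"
        report[status].append(email)
    return report


# Constructed sample data; field names are hypothetical, not the API's schema.
NOW = datetime(2023, 9, 26, tzinfo=timezone.utc)
INVITES = [
    {"id": 501, "email": "ana@example.com", "created_at": NOW - timedelta(days=20)},
    {"id": 502, "email": "Ana@example.com", "created_at": NOW - timedelta(days=2)},
    {"id": 503, "email": "bo@example.com", "created_at": NOW - timedelta(days=30)},
    {"id": 504, "email": "cy@example.com", "created_at": NOW - timedelta(days=1)},
]
USERS = [{"id": 9001, "email": "cy@example.com"}]

if __name__ == "__main__":
    print(reconcile_invites(INVITES, USERS, NOW))
```

Pending and duplicate entries are the ones to review, since each is an outstanding grant of access that nobody has accepted yet.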


This issue has been marked as Stale because it has been open for 90 days with no activity. If you would like the issue to remain open, please comment on the issue or else it will be closed in 7 days.

@github-actions github-actions bot added the stale label Dec 26, 2023
@github-actions github-actions bot closed this as not planned Jan 2, 2024
@b-per
Collaborator

b-per commented Jan 8, 2024

Reopening if some people are keen to investigate/implement it

@b-per b-per reopened this Jan 8, 2024
@will-sargent-dbtlabs
Contributor

@b-per - I think we do need to do something on this front, especially since I think upcoming improvements to our SSO JIT might make this more plausible to use via TF

@github-actions github-actions bot removed the stale label Jan 9, 2024

github-actions bot commented Apr 9, 2024

This issue has been marked as Stale because it has been open for 90 days with no activity. If you would like the issue to remain open, please comment on the issue or else it will be closed in 7 days.

@github-actions github-actions bot added the stale label Apr 9, 2024
@b-per b-per removed the stale label Apr 9, 2024
@kcd83

kcd83 commented Jun 20, 2024

Here's my use case for consideration:

We use SSO / Okta which is managed by our central IT team who have a process to add users and we (data platform team) use Terraform to control what users can do. This is true of a number of our platforms e.g. Snowflake.

Therefore for DBT Cloud via Terraform:

  1. We allocate User Groups ✔️
  2. We want to allocate User License ⛔

In other words the alternative we are not doing is using dbtcloud_license_map

@b-per
Collaborator

b-per commented Jun 21, 2024

Hi @kcd83

I am not sure that I understand your need here, or if it is related to this issue.

What you are after is to assign people to licenses directly and not using the SSO license mapping?

When the central IT team manages those users, do they assign them SSO groups specific to dbt Cloud?

@jaklan

jaklan commented Aug 21, 2024

@b-per we have a bit different use-case, but related to the lack of user management capabilities in the provider - we want to inject user-level development credentials using Terraform, so we don't have to pass them to users to enter them manually in dbt Cloud.

@b-per
Collaborator

b-per commented Aug 26, 2024

Hi @jaklan .

I just did some tests and our APIs don't allow users or a service token with Account Admin access to set credentials for other users.

This action is only allowed when connected as the user for which the credentials need to be set. So, this is not something I would be able to add to Terraform for now.

@jaklan

jaklan commented Aug 26, 2024

@b-per thanks for verifying. It seems we would need to wait for Redshift SSO in dbt Cloud then (as I expect it's going to happen faster than changes in API to allow the above)


This issue has been marked as Stale because it has been open for 90 days with no activity. If you would like the issue to remain open, please comment on the issue or else it will be closed in 7 days.

@github-actions github-actions bot added the stale label Nov 25, 2024
@b-per b-per removed the stale label Nov 25, 2024
@kcd83

kcd83 commented Dec 3, 2024

@b-per sorry for the delay

> What you are after is to assign people to licenses directly and not using the SSO license mapping?

Yes, central IT team assigns users to dbtcloud, and is not responsible for setting SSO groups specific to license, i.e. differentiating read-only vs developer

We need terraform to be able to directly assign licenses to users. Other companies who use dbtcloud_license_map can do it that way.

5 participants