Not able to import mongodbatlas_org_invitation (suggestion of improvement of manage organization users)

[bartier]

Terraform CLI and Terraform MongoDB Atlas Provider Version

Terraform v1.0.11
on darwin_amd64
+ provider registry.terraform.io/mongodb/mongodbatlas v1.1.1

Terraform Configuration File

resource "mongodbatlas_org_invitation" "myuser" {
  username    = "[email protected]"
  org_id      = local.organization_id
  roles       = [ "ORG_OWNER" ]
}

Steps to Reproduce

1. terraform init
2. terraform import mongodbatlas_org_invitation.myuser "<ORG_ID>[email protected]"

Expected Behavior

Actual Behavior

Import invitation to Terraform with success.

╷
│ Error: could not import Organization Invitation for <ORG_ID>[email protected]
│ 
│ 
╵

Debug Output

Crash Output

Additional Context

I am using an API Key with Organization Owner permissions and the Org ID I copy from the Organization -> Settings -> Organization ID.

I am able to import other resources, like clusters.

[themantissa]

@bartier Did you happen to capture debug or trace logs? Just helps us determine the potential issue a bit quicker. Thank you!

[bartier]

@themantissa Hi. Sure!

I added only some part of the DEBUG trace. I discovered that when I request for invites for my organization I got a empty array.

---[ REQUEST ]---------------------------------------
GET /api/atlas/v1.0/orgs/<changed_to_hide_id>/invites HTTP/1.1
Host: cloud.mongodb.com
User-Agent: terraform-provider-mongodbatlas/1.1.1 go-mongodbatlas/0.14.0 (darwin;amd64)
Accept: application/json
Accept-Encoding: gzip


-----------------------------------------------------: timestamp=2021-12-10T17:30:23.223-0300
2021-12-10T17:30:23.227-0300 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2021-12-10T17:30:23.229-0300 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/hashicorp/random/3.1.0/darwin_amd64/terraform-provider-random_v3.1.0_x5 pid=10422
2021-12-10T17:30:23.229-0300 [DEBUG] provider: plugin exited
2021-12-10T17:30:25.986-0300 [INFO]  provider.terraform-provider-mongodbatlas_v1.1.1: 2021/12/10 17:30:25 [DEBUG] MongoDB Atlas API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Content-Length: 2
Content-Type: application/json
Date: Fri, 10 Dec 2021 20:30:26 GMT
Referrer-Policy: strict-origin-when-cross-origin
Server: envoy
Strict-Transport-Security: max-age=31536000; includeSubdomains; preload;
Vary: Accept-Encoding, User-Agent
X-Envoy-Upstream-Service-Time: 62
X-Frame-Options: DENY
X-Mongodb-Service-Version: gitHash=fda8ea3ded0f247591e688b1ca6faf7728138d33; versionString=v20211202
X-Permitted-Cross-Domain-Policies: none

[]

The problem is that I can import other resources using this ORG ID. I checked multiple times and it is the correct org id. =/

[themantissa]

@bartier (re doing comment). Have you had any network errors? It almost looks like an interrupt. But in your comment you note that you can import other resources I'm assuming around the same time, same network config? I can have the team look either way - just want to make sure we check any easy to correct issues.

[bartier]

@themantissa I haven’t seen any network error. I import other resources using the same network config. Since I got a 200 OK from the API I assume this is not the problem.

I'm not sure if I'm missing any detail but if you find useful I can open a support issue in MongoDB Atlas dashboard specifying this problem using my organization account. This way I can share the organization ID facing the issue.

[bartier]

@themantissa I think I understood what it is going on.

If the invitation is pending on the UI, it is going to be possible to import, otherwise it will not be possible.

Is this the expected behavior? I mean, I would like to start managing the organization users with only Terraform and the manually created users can't be migrated.

[themantissa]

@bartier correct, you can't import an invitation for a user that already accepted. At that point they are simply a user. This resource is specifically to mange the invitations, not the user beyond that.

[bartier]

@themantissa

My use case is to import existing users to Terraform code, currently this is not possible. Do you have any suggestions regarding the use of the provider to this?

[themantissa]

@bartier if you can let me know why you want to import the users, i.e. how you want/need to manage them I may be able to point you in a better direction. Right now w/ the provider you can manage invitations (so inviting users to your org) and teams but we do not have resources currently beyond that for Atlas user management.

[bartier]

@themantissa Sure! Here are the details:

As the team is growing, it is becoming unpractical to manage organization users manually (i.e accessing UI and manually creating them without any tracking).

Our use case is to manage organization users using Infrastructure as Code, with the benefit of code review and source of truth of existing users. But we already have users in our MongoDB Atlas account and importing existing users would be required to keep track in our code of previous created users.

My suggestion is somehow to have an mongodb_atlas_org_user representing an organization user with an invitation state (PENDING, ACCEPTED, etc).

Currently, it only exists mongodbatlas_org_invitation, that represents the invitation with a state of pending and after the user accepts the invitation, the terraform resource is no longer managing it. Because of that, terraform plan gets an error after accepting the invite.

╷
│ Error: error getting Organization Invitation information: GET https://cloud.mongodb.com/api/atlas/v1.0/orgs/<org>/invites/<invite-id>: 404 (request "INVALID_INVITATION_ID") An invalid invitation ID <ID> was specified.
│ 
│ 
╵
Releasing state lock. This may take a few moments...

[pitthecat]

We are now at the same point as @bartier. It would be great to be able to manage the users with Terraform.

I tried something like this:

variable "users " {
  type = map(list(string))
}

users = {
    "[email protected]": ["GROUP_READ_ONLY"], 
    "[email protected]": ["GROUP_READ_ONLY", "GROUP_DATA_ACCESS_READ_ONLY"],
    "[email protected]": ["GROUP_READ_ONLY", "GROUP_DATA_ACCESS_READ_ONLY"]
    "[email protected]": ["GROUP_READ_ONLY", "GROUP_DATA_ACCESS_ADMIN"],
  }

resource "mongodbatlas_project_invitation" "user" {
  for_each = var.users
  
  username = each.key
  project_id = var.project_id
  roles = each.value
}

The code seems to work fine, but it's kind of pointless to just manage the invitation and not the real user. With the suggestion from @bartier you could manage the whole user in Terraform. Create + Invite and delete them once they leave the project.

[themantissa]

Closing issue - we will continue to improve invitations as is possible and hope to eventually be able to add in Atlas user management as well. Thank you to all for the feedback: cc @Zuhairahmed

[mallikarjunkantu7]

@themantissa Has this been fixed in the provider? Was there a release of terraform that handles the user invitations through terraform? We have a long list of users and would prefer to handle the user access through terraform, can you please provide an update?

[Zuhairahmed]

Hi @mallikarjunkantu7 supporting Altas Users resource is Terraform is on our roadmap, but still a few quarters away before we will be able to release. Feel free leave feedback (or upvote an exciting item) at feedback.mongodb.com and we can keep you updated there when this feature has been released. Hope this helps.

[Zuhairahmed]

hi @mallikarjunkantu7 and @bartier have you considered Atlas Federated Authentication? This will allow you to configure MongoDB Atlas to authenticate using data passed from your IdP. Hope this helps, if easier and if you would like to share more details to inform our potential future mongodbatlas_atlas_users resource feel free to email me as well and we can find time for a quick zoom call as well. [email protected]