realm_attributes is not updating when terraform config changes

[richardmcsong]

Describe the bug
When the LDAP realm_attributes string is updated on the artifactory_group
resource, the plan reports that the realm string will be updated, but the realm
string is not actually updated.

resource "artifactory_group" "example" {
  name = "example"
  realm = "ldap"
  realm_attributes = "ldapGroupName=example_team;groupsStrategy=DYNAMIC;groupDn=CN=EXAMPLE_TEAM,OU=some,OU=organizational,OU=unit,DC=example,DC=com"
}

Apply, then edit the realm_attribute string.

Expected behavior
Th edit should be persisted on the end server. Instead, the edit is not completed, and then it calculates the same edit on the next run.

Additional context
Artifactory version: 7.90.8
provider version = "~> 11.0"
terraform version = terraform 1.8.4

Findings
When trying to PATCH an LDAP group, it doesn't actually allow for you to update realm_attributes, despite what the documentation says: Updates an Access group's external ID, realm, or realm attributes.

$ curl -vvv -H "Authorization: Bearer $(jf atc | jq -r .access_token)" -XPATCH -d '{"realm_attributes": "<new-string>"}' https://artifactory.example.com/access/api/v2/groups/example_group
{
  "name" : "example_group",
  "auto_join" : false,
  "admin_privileges" : false,
  "realm" : "ldap",
  "realm_attributes" : "<original-string>",
  "members" : [ ]
}

A GET request after confirms that the realm_attributes was not edited.

[richardmcsong]

I thought about destroy then recreate, but this actually can't work for me. deleting the group will invalidate:

• group scoped access tokens (not a huge deal)
• group membership will start from empty again, and as users sign in, they get added to the group.
  • this is huge because LDAP sync only happens on user login, and there is no custom API call to trigger an LDAP sync on demand (feature request here: https://jfrog.atlassian.net/browse/RTFACT-30616). For many of our automation cases, we have an admin account generate access tokens on their behalf.
  • As a workaround, we login once during provisioning to trigger an initial sync. To recreate these groups would mean a mass login event over all users to trigger the sync per each user, which is an untenable solution in our environment.

[alexhung]

@richardmcsong Thanks for the report. This looks like a bug in the REST API. I'll open a bug report internally.

[alexhung]

@richardmcsong The realm_attributes in the Group API is an internal field to the platform and is not intended to be settable or updatable. I'll be updating the resource and make the realm_attribute a read-only field.

What's your use case that needs to set this field?

[alexhung]

@richardmcsong Just noticed that in your previous comment, your curl command is pointed to the new Access API for groups. This API doesn't allow realm_attributes to be updated.

The current group resource in this provider is still using the old, deprecated Artifactory API. This old API allows realm_attributes to be set when group is created, but not updated.

Our plan is to add a new group resource to the Platform provider that uses that Access API, and deprecate the resource in this provider.

[richardmcsong]

Hey @alexhung! Sorry I must've missed these messages.

I'm confused as to how I'm supposed to be configuring my LDAP synced groups if not through realm_attributes. We're currently creating the groups through terraform instead of manually clicking the import group button in the LDAP UI. Given that this is now no longer settable, what would be your suggestion to create the groups, as they are not automatically importable?

I see that only external_id is configurable, but it only supports Azure AD.

[alexhung]

@richardmcsong The ability to automatically import LDAP settings is pending currently (I'm waiting for a bug fix in the JFrog Access service). See this discussion.

[piotrminkina]

This is my case: jfrog/terraform-provider-platform#159