Change engineer to any other role

[pavelpulec]

Terraform Version

Terraform v1.7.4
on linux_amd64

Affected Fastly Terraform Resource(s)

Please list the affected resources, for example:

• fastly_user

Terraform Configuration Files

terraform {
  required_providers {
    fastly = {
      source  = "fastly/fastly"
      version = "5.6.0"
    }
  }
}

variable "role" {
  default = "engineer"
}

resource "fastly_user" "this" {
  login = "name@example.com"
  name  = "Mr. Example"
  role  = var.role
}

resource "fastly_service_authorization" "this" {
  count      = var.role == "engineer" ? 1 : 0
  service_id = "<service_id>"
  user_id    = fastly_user.this.id
  permission = "full"
}

Expected Behavior

Terraform fails to change a role for existing users from engineer to anything else (e.g. user). The Terraform run fails with:

│ Error: 400 - Bad Request:
│ 
│     Title:  Record invalid
│     Detail: Role 'user' is not allowed to be service limited
│     RateLimitRemaining: 988
│     RateLimitReset:     1709467200
│ 
│   with fastly_user.this,
│   on example.tf line 14, in resource "fastly_user" "this":
│   14: resource "fastly_user" "this" {

I would expect that when all service authorizations are removed, then I will be able to change the role by Terraform without any manual intervention.

Actual Behavior

Terraform fails that the role user is not allowed to be service limited.

There is a manual workaround to go to Fastly UI, find user, check his access control and choose Access all services as it can be seen in the picture below.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

1. terraform apply
2. Change a role in the variable role to user
3. terraform apply

[pavelpulec]

Hello Fastly,

I hit this issue again with another scenario. In this case, the Service Access switcher is on the Limit access to select services option and can't be changed by Terraform.

This behavior can be replicated by these steps:

1. Create an user by the fastly_user resource with the engineer role.
2. Create a service authorization to this user by the fastly_service_authorization resource.
3. Remove this fastly_service_authorization resource.

Now, the user is left without access to any services because it has the engineer role but no authorized services.

To resolve this issue, there needs to be an option that will manage the "Service access" switcher.

Could you look into this issue and implement an option that manages this configuration?
Thank you!

[kpfleming]

We are investigating this now, thanks for the report. Most likely the solution we'll implement will make the limit_services attribute on a fastly_user directly manageable from within the provider. We've been told that some customers actually make use of limit_services == true without any service authorizations, so we can't automatically set limit_services to false when the service authorizations are removed, it will have to be explicit.