octopusdeploy_user_role resource tries to remove and add permissions if they are out of order

[Clare-Octopus]

Describe the bug
When adding permissions to a user role, if you add the permissions out of order to what is in the UI the terraform apply will remove the permissions that are out of order and re-add them. This creates unnecessary removal and addition of permissions and noise in the log files.

See below for an example of the removal and re-add of permissions.

Steps to reproduce

1. Have Terraform installed and your main file updated to include an octopusdeploy_user_role resource.
2. Add permissions to that resource in order of what is in the UI - ie AccountCreate, AccountDelete, AccountEdit, ArtifactEdit etc:

resource "octopusdeploy_user_role" "TFUserRole" {
  can_be_deleted             = true
  description                = "Responsible for all development-related operations."
  granted_space_permissions  = ["AccountCreate", "AccountDelete", "AccountEdit", "ArtifactEdit", "ArtifactCreate", "ArtifactDelete"]
  name                       = "TFUserRole"

}

4.. Run the terraform apply and you will see the permissions added correctly:

Terraform will perform the following actions:

  # octopusdeploy_user_role.TFUserRole will be updated in-place
  ~ resource "octopusdeploy_user_role" "TFUserRole" {
      ~ granted_space_permissions      = [
          - "AccountView",
          - "ArtifactView",
            "AccountCreate",
            # (5 unchanged elements hidden)
        ]
        id                             = "UserRoles-165"
        name                           = "TFUserRole"
        # (6 unchanged attributes hidden)
    }

5. Now reverse the permissions so they are out of UI list order - ie put the artifact permissions before the account ones:

resource "octopusdeploy_user_role" "TFUserRole" {
  can_be_deleted             = true
  description                = "Responsible for all development-related operations."
  granted_space_permissions  = ["ArtifactEdit", "ArtifactCreate", "ArtifactDelete", "AccountCreate", "AccountDelete", "AccountEdit"]
  name                       = "TFUserRole"

}

6. Run terraform apply again and see the provider remove the Artifact permissions and then re-add them as they are out of order:

  # octopusdeploy_user_role.TFUserRole will be updated in-place
  ~ resource "octopusdeploy_user_role" "TFUserRole" {
      ~ granted_space_permissions      = [
          - "AccountView",
          - "ArtifactView",
          - "AccountCreate",
          - "AccountDelete",
          - "AccountEdit",
            "ArtifactEdit",
            # (1 unchanged element hidden)
            "ArtifactDelete",
          + "AccountCreate",
          + "AccountDelete",
          + "AccountEdit",
        ]
        id                             = "UserRoles-165"
        name                           = "TFUserRole"
        # (6 unchanged attributes hidden)
    }

Expected behavior
The Octopus Terraform provider should not be removing permissions to then re-add them, it should apply the permissions (if new) regardless of the order in which they are listed in the main file.

Known Workarounds

Whilst this is not ideal the easiest way to resolve this would be to re-order your main file so the permissions match the order in the UI, this way when you run the terraform apply it wont remove any permissions it will just add the ones required.

Software Versions

Terraform Version - 1.3.4
Octopus Terraform Plugin Version - 0.12.6

[Clare-Octopus]

Initial customer ticket for this (internal) - https://octopus.zendesk.com/agent/tickets/149927

[joechchung]

+1

This happens to me too and it causes our Terraform Cloud to trigger runs and holds them when no changes have actually happened. We can work around this by adding trigger patterns but it's not the best solution