Support managing users #148

Merged
merged 13 commits into from Feb 15, 2023

@merkata merkata commented Feb 10, 2023

This is a PR that enables managing users (add, remove). It closes #143. It updates on a password change only, as changing the display name does not correspond to a juju API call. To be consistent with the juju CLI, it won't manipulate model access here; that would be done by granting additional permission in #144.

@merkata merkata marked this pull request as ready for review February 12, 2023 21:56
@juanmanuel-tirado
Contributor

Could you add some TF plans and use cases to test this manually?

@mthaddon

One question here, @juanmanuel-tirado: do you think it might be better for us to disable users rather than deleting them, given that deleting a user in Juju doesn't actually delete them, but means you can no longer use that username? Disabling them would mean it's a reversible operation, so would be safer, but possibly less expected.

@juanmanuel-tirado
Contributor

That's a good question. Following the CRUD policy used in terraform I will go with the remove-users as it is right now. However, it is true that we can find some problems if a user is removed by mistake. This is something that should be addressed on the Juju side rather than here.

@merkata
Contributor Author

merkata commented Feb 14, 2023

Reproducing the change locally:

  • populate ~/.terraformrc with:
plugin_cache_dir   = "$HOME/.terraform.d/plugin-cache"
disable_checkpoint = true
  • prepare a plugin directory with mkdir -p ~/.terraform.d/plugins/merkata.com/juju/juju/0.3.1/linux_amd64/
  • install the provider via go install
  • copy the provider cp $HOME/go/bin/terraform-provider-juju ~/.terraform.d/plugins/merkata.com/juju/juju/0.3.1/linux_amd64/
  • prepare a main.tf:
terraform {
  required_providers {
    juju = {
      version = "~> 0.3.1"
      source  = "merkata.com/juju/juju"
    }
  }
}

provider "juju" {}

resource "juju_user" "this" {
  name         = "user-test"
  display_name = format("%s - terraform managed", "user-test")
  password     = var.password
}
  • prepare a variables.tf:
variable "password" {
  sensitive = true
  type      = string
}
  • initialize provider via terraform init
  • optionally set password with export TF_VAR_password=<some password>
  • run terraform plan
Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # juju_user.this will be created
  + resource "juju_user" "this" {
      + display_name = "user-test - terraform managed"
      + id           = (known after apply)
      + name         = "user-test"
      + password     = (sensitive)
    }

Plan: 1 to add, 0 to change, 0 to destroy.
  • run terraform apply
Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # juju_user.this will be created
  + resource "juju_user" "this" {
      + display_name = "user-test - terraform managed"
      + id           = (known after apply)
      + name         = "user-test"
      + password     = (sensitive)
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

juju_user.this: Creating...
juju_user.this: Creation complete after 0s [id=user-test]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
  • verify the user is created with juju users
Controller: mk8s

Name       Display name                   Access     Date created    Last connection
admin*     admin                          superuser  2023-02-08      just now
user-test  user-test - terraform managed  login      37 seconds ago  never connected
  • logout as admin and login with the new user juju login -u user-test
please enter password for user-test on mk8s: 
Welcome, user-test. You are now logged into "mk8s".

There are no models available. You can add models with
"juju add-model", or you can ask an administrator or owner
of a model to grant access to that model with "juju grant".
  • change the password for the user and run terraform plan
juju_user.this: Refreshing state... [id=user-test]

Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # juju_user.this will be updated in-place
  ~ resource "juju_user" "this" {
        id           = "user-test"
        name         = "user-test"
      ~ password     = (sensitive)
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
  • run terraform apply
juju_user.this: Refreshing state... [id=user-test]

Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # juju_user.this will be updated in-place
  ~ resource "juju_user" "this" {
        id           = "user-test"
        name         = "user-test"
      ~ password     = (sensitive)
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

juju_user.this: Modifying... [id=user-test]
juju_user.this: Modifications complete after 0s [id=user-test]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
  • logout and login again as the user with the new password
please enter password for user-test on mk8s: 
Welcome, user-test. You are now logged into "mk8s".

There are no models available. You can add models with
"juju add-model", or you can ask an administrator or owner
of a model to grant access to that model with "juju grant".
  • cleanup with terraform destroy
juju_user.this: Refreshing state... [id=user-test]

Terraform used the selected providers to generate the following execution plan. Resource
actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # juju_user.this will be destroyed
  - resource "juju_user" "this" {
      - display_name = "user-test - terraform managed" -> null
      - id           = "user-test" -> null
      - name         = "user-test" -> null
      - password     = (sensitive) -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you really want to destroy all resources?
  Terraform will destroy all your managed infrastructure, as shown above.
  There is no undo. Only 'yes' will be accepted to confirm.

  Enter a value: yes

juju_user.this: Destroying... [id=user-test]
juju_user.this: Destruction complete after 0s

Destroy complete! Resources: 1 destroyed.
  • logout and verify the user is not present in juju via juju login -u user-test
please enter password for user-test on mk8s: 
ERROR cannot log into controller "mk8s": cannot get discharge from "https://localhost:33643/auth": cannot submit form: Post https://localhost:33643/auth/form: user "user-test" is permanently deleted

Contributor

@juanmanuel-tirado juanmanuel-tirado left a comment

Thanks for the PR.

I think the solution is perfectly valid. I just made some comments on how to set the Id of the resource. Could we please for the sake of completeness add some manual steps for QA? Something like in #149
I already saw the manual QA. Thanks.

@mthaddon

> That's a good question. Following the CRUD policy used in terraform I will go with the remove-users as it is right now. However, it is true that we can find some problems if a user is removed by mistake. This is something that should be addressed on the Juju side rather than here.

I've filed https://bugs.launchpad.net/juju/+bug/2007258 about this.
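
The thread above notes that removing a Juju user cannot be undone and that the username cannot be reused afterwards. One way to catch this before `terraform apply`, as an added example that is not part of this PR or the provider: a CI check that reads `terraform show -json` plan output and reports every `juju_user` whose planned actions include a delete. The sample plan, the resource addresses and the function names are constructed for illustration.

```python
import json

# Constructed sample in the shape of `terraform show -json <planfile>` output,
# trimmed to the fields this check reads.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.1",
    "resource_changes": [
        {"address": "juju_user.this", "type": "juju_user",
         "change": {"actions": ["delete"]}},
        {"address": "juju_user.ops", "type": "juju_user",
         "change": {"actions": ["update"]}},
        {"address": "juju_user.renamed", "type": "juju_user",
         "change": {"actions": ["delete", "create"]}},
        {"address": "null_resource.other", "type": "null_resource",
         "change": {"actions": ["delete"]}},
    ],
})

GUARDED_TYPES = {"juju_user"}  # resource type name as used in the main.tf above


def planned_user_removals(plan_json, guarded_types=GUARDED_TYPES):
    """Return addresses of guarded resources that the plan would delete.

    A replacement shows up as ["delete", "create"] or ["create", "delete"],
    so any action list containing "delete" counts.
    """
    plan = json.loads(plan_json)
    flagged = []
    for rc in plan.get("resource_changes") or []:
        actions = (rc.get("change") or {}).get("actions") or []
        if rc.get("type") in guarded_types and "delete" in actions:
            flagged.append(rc.get("address", "<unknown>"))
    return flagged


def main(plan_json):
    flagged = planned_user_removals(plan_json)
    for address in flagged:
        print(f"BLOCKED: {address} would be removed (Juju user removal is permanent)")
    return 1 if flagged else 0


if __name__ == "__main__":
    # In CI: terraform plan -out=tfplan && terraform show -json tfplan > plan.json
    raise SystemExit(main(SAMPLE_PLAN))
```

A non-zero exit fails the pipeline stage, so a removal has to be approved explicitly rather than slipping through with an unrelated change.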

Contributor

@juanmanuel-tirado juanmanuel-tirado left a comment

Thanks for the PR.
