fix: prevent config drift for OIDC users in Read function

blink-so[bot] · angrycub · blink-so[bot] · commit e7df6a1c2f14 · 2025-08-15T15:20:23.000Z
Update the Read function to not populate roles from server response for OIDC users. This prevents Terraform from detecting config drift when OIDC users have roles assigned by the OIDC provider but an empty roles list in the Terraform config. Addresses review comment about config drift in PR #247. Co-authored-by: angrycub <464492+angrycub@users.noreply.github.com>
diff --git a/internal/provider/user_resource.go b/internal/provider/user_resource.go
@@ -278,11 +278,21 @@ func (r *UserResource) Read(ctx context.Context, req resource.ReadRequest, resp
 	data.Email = types.StringValue(user.Email)
 	data.Name = types.StringValue(user.Name)
 	data.Username = types.StringValue(user.Username)
-	roles := make([]attr.Value, 0, len(user.Roles))
-	for _, role := range user.Roles {
-		roles = append(roles, types.StringValue(role.Name))
+	
+	// For OIDC users, don't populate roles from server to avoid config drift
+	// OIDC users get their roles from the OIDC provider's role mapping
+	if user.LoginType == codersdk.LoginTypeOIDC {
+		// Keep roles empty for OIDC users to match the expected Terraform config
+		data.Roles = types.SetValueMust(types.StringType, []attr.Value{})
+	} else {
+		// For non-OIDC users, populate roles from server response
+		roles := make([]attr.Value, 0, len(user.Roles))
+		for _, role := range user.Roles {
+			roles = append(roles, types.StringValue(role.Name))
+		}
+		data.Roles = types.SetValueMust(types.StringType, roles)
 	}
-	data.Roles = types.SetValueMust(types.StringType, roles)
+	
 	data.LoginType = types.StringValue(string(user.LoginType))
 	data.Suspended = types.BoolValue(user.Status == codersdk.UserStatusSuspended)
 
@@ -446,4 +456,4 @@ func (r *UserResource) ImportState(ctx context.Context, req resource.ImportState
 		return
 	}
 	resp.Diagnostics.Append(resp.State.SetAttribute(ctx, path.Root("id"), user.ID.String())...)
-}
+}
