Can no longer lookup users by email address

Created by: acw-eng

Versions

Terraform v1.1.5 on darwin_amd64

Gitlab provider version 3.8

Affected Resource(s)

  • data.gitlab_user

And presumably any data lookup or resource where you can look up users by email, such as data.gitlab_users

Terraform Configuration Files

data "gitlab_user" "gitlab_users" {
  for_each = local.users
  email    = "${each.value}@company.com"
}

Output

 Error: couldn't find a user matching: first.last@company.com

│   with module.gitlab.data.gitlab_user.gitlab_users["first.last"],
│   on ../modules/gitlab/data.tf line 1, in data "gitlab_user" "gitlab_users":
│    1: data "gitlab_user" "gitlab_users" {

Description

We use a data lookup with our users' email addresses (an array of first.last names, which will always match the email address) to get the user IDs of our users, which are used in other parts of our terraform configuration.

Until this morning (03/02/2022 GMT) this worked. However from this morning our terraform has been failing with the errors above.

It looks like there was a change to the Gitlab API overnight, as using the v4 API I cannot search using email address any more. Our CI/CD token and my local token have full owner privileges to all required resources. The resource page says that the email argument requires administrator privileges. However, that is not something that is available to customers using Gitlab SaaS (we are an organisation using Premium Gitlab), but it has always worked before today.

While swapping to username could fix the terraform run, this isn't a good solution. The reason we use a data lookup with email is that we use SAML SSO, and all of our users are automatically created using SCIM provisioning. We know what a user's email address is, or will be. However, there is no guarantee that the username will be the same as the prefix of the email. This is because SCIM provisioning tries to create a user with the email prefix. For example, if your email address is john.smith@company.com, a user with the username john.smith will be provisioned. However, as john.smith is a taken username, Gitlab will select some other username, such as john.smith15.

So to use username with our gitlab configuration, we'd have to ask every user what their username is. This rather defeats the point of having a seamless JML process with SSO.
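The following is an added example, not code from the issue author or from the GitLab provider. It models the lookup the Terraform configuration above performs (local.users name -> "name@company.com" -> user ID) over a constructed list of user records shaped like GitLab's v4 /users JSON, and shows why falling back to a username derived from the email prefix is unsafe for SCIM-provisioned accounts: the prefix can resolve to a different person's account. The sample records, the domain and the helper names are all assumptions made for the example.

```python
# Added example (not part of the original issue or the provider's code).
# Resolves user IDs from email addresses and checks for email-prefix/username
# mismatches over constructed sample data.

# Constructed sample records (not real GitLab data), shaped like GET /users.
# john.smith's account is john.smith15 because john.smith was already taken
# by an unrelated account, as the issue describes.
SAMPLE_USERS = [
    {"id": 101, "username": "first.last", "email": "first.last@company.com"},
    {"id": 102, "username": "john.smith15", "email": "john.smith@company.com"},
    {"id": 103, "username": "john.smith", "email": "john.smith@example.org"},
]

DOMAIN = "company.com"  # assumed organisation domain from the issue's example


class UserNotFound(LookupError):
    """Raised when no record matches, mirroring the provider's error text."""


def resolve_by_email(users, email):
    """Return the ID of the user whose primary email matches (case-insensitive)."""
    wanted = email.lower()
    for user in users:
        if user.get("email", "").lower() == wanted:
            return user["id"]
    raise UserNotFound(f"couldn't find a user matching: {email}")


def resolve_by_username(users, username):
    """Return the ID of the user with this exact username (the risky fallback)."""
    for user in users:
        if user.get("username") == username:
            return user["id"]
    raise UserNotFound(f"couldn't find a user matching: {username}")


def resolve_ids(users, local_users, domain=DOMAIN):
    """Mirror the for_each in the Terraform config: name -> name@domain -> ID."""
    return {name: resolve_by_email(users, f"{name}@{domain}") for name in local_users}


def username_prefix_mismatches(users, local_users, domain=DOMAIN):
    """Return names whose email-based ID differs from the ID the email prefix
    would select as a username. Any entry here would get the wrong account
    (or fail) if the configuration switched from email to username lookups."""
    mismatched = []
    for name in local_users:
        by_email = resolve_by_email(users, f"{name}@{domain}")
        try:
            by_name = resolve_by_username(users, name)
        except UserNotFound:
            by_name = None
        if by_name != by_email:
            mismatched.append(name)
    return mismatched


if __name__ == "__main__":
    names = ["first.last", "john.smith"]
    print(resolve_ids(SAMPLE_USERS, names))
    print("unsafe to switch to username lookup for:",
          username_prefix_mismatches(SAMPLE_USERS, names))
```

Running the module prints the email-resolved IDs and flags john.smith, whose email prefix would select account 103 (a different person) rather than 102 under a username lookup; a missing address raises UserNotFound with the same message the provider reported.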