Managing the membership of the owners team tries to remove hidden Hashicorp-owned members #1438

Open
zhimsel opened this issue Aug 12, 2024 · 0 comments
zhimsel commented Aug 12, 2024

Terraform Enterprise version

Using HCP Terraform (Terraform Cloud)

Terraform version

Terraform v1.5.7
on darwin_arm64
+ provider registry.terraform.io/hashicorp/aws v5.58.0
+ provider registry.terraform.io/hashicorp/tfe v0.58.0

Terraform Configuration Files

# Look up the existing owners team by name.
data "tfe_team" "owners" {
  name = "owners"
}

# Resolve each declared owner's email to its organization membership.
data "tfe_organization_membership" "owners" {
  for_each = toset([
    "REDACTED@example.com",
    "REDACTED@example.com",
    "REDACTED@example.com",
    "REDACTED@example.com",
    "REDACTED@example.com",
  ])

  email = each.value
}

# Intentionally using the "memberS" version of this resource, which will drift
# if users are added to the team outside of this resource.
resource "tfe_team_organization_members" "owners" {
  team_id                     = data.tfe_team.owners.id
  organization_membership_ids = values(data.tfe_organization_membership.owners)[*].id
}

# Import the team's current membership (requires Terraform >= 1.5 for import blocks).
import {
  to = tfe_team_organization_members.owners
  id = "team-<REDACTED>"
}

Debug Output

N/A

Expected Behavior

The team membership to import, and the plan to show no changes (since the members defined in the HCL above are already members of the team).

Actual Behavior

The team membership does successfully import and shows the 5 expected users, but it also shows Terraform's intent to remove 3 members that don't appear in the Terraform Cloud web UI for the team:

Terraform will perform the following actions:

  # tfe_team_organization_members.owners will be updated in-place
  # (imported from "team-<REDACTED>")
  ~ resource "tfe_team_organization_members" "owners" {
        id                          = "team-<REDACTED>"
      ~ organization_membership_ids = [
          - "ou-E17<REDACTED>",
          - "ou-JJs<REDACTED>",
          - "ou-Jjv<REDACTED>",
            "ou-<REDACTED>",
            "ou-<REDACTED>",
            "ou-<REDACTED>",
            "ou-<REDACTED>",
            "ou-<REDACTED>",
        ]
        team_id                     = "team-<REDACTED>"
    }

Upon investigating who these hidden users were, I discovered that they have hashicorp.com email addresses and appear to be "internal" users for Hashicorp's systems/etc. Those three to-be-removed member IDs resolve to:

users = {
  ou-E17REDACTED = {
    email                      = "REDACTED"
    id                         = "ou-E17REDACTED"
    organization               = "REDACTED"
    organization_membership_id = "ou-E17REDACTED"
    user_id                    = "user-REDACTED"
    username                   = "gh-webhooks-REDACTED"
  }
  ou-JJsREDACTED = {
    email                      = "REDACTED"
    id                         = "ou-JJsREDACTED"
    organization               = "REDACTED"
    organization_membership_id = "ou-JJsREDACTED"
    user_id                    = "user-REDACTED"
    username                   = "api-org-REDACTED"
  }
  ou-JjvREDACTED = {
    email                      = "REDACTED"
    id                         = "ou-JjvREDACTED"
    organization               = "REDACTED"
    organization_membership_id = "ou-JjvREDACTED"
    user_id                    = "user-REDACTED"
    username                   = "api-team_REDACTED"
  }
}

Since these users do not appear in the Terraform Cloud web UI, it probably makes sense to have this provider silently omit them from its search results when looking up members of the owners team. Otherwise, to avoid removing these users (or get an API error when trying), they will have to be added manually to the tfe_team_organization_members resource (which is obviously fragile).

Additional Context

The TFE provider is authenticated with a user token from a member of the owners team. Not sure if this affects this, but since nobody but the owners team can modify the owners team, it doesn't really matter.

@zhimsel zhimsel added the bug label Aug 12, 2024
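The lookup described in the report above (resolving the membership IDs Terraform plans to remove, then checking which of them are hidden vendor-internal accounts) can be run as a pre-flight check before applying a tfe_team_organization_members change. The following is an added example, not code from the issue or from the tfe provider. It works offline on a constructed JSON:API payload shaped like the organization-memberships endpoint with included user records; the membership IDs, emails and usernames are made up, and the assumption that hidden accounts are identifiable by their hashicorp.com email domain is taken from the reporter's observation, not from any provider documentation.

```python
"""Pre-flight drift check for tfe_team_organization_members (added example).

Resolves the team's current membership IDs to user records, computes what an
apply would remove, and separates hidden vendor-internal accounts from ordinary
members so they are not dropped silently.
"""
import json
from dataclasses import dataclass

# Constructed sample (not real data) in the shape of a page from
# GET /api/v2/organizations/:org/organization-memberships?include=user
SAMPLE_ORG_MEMBERSHIPS_JSON = json.dumps({
    "data": [
        {"id": "ou-A1", "type": "organization-memberships",
         "attributes": {"email": "alice@example.com"},
         "relationships": {"user": {"data": {"id": "user-1", "type": "users"}}}},
        {"id": "ou-B2", "type": "organization-memberships",
         "attributes": {"email": "bob@example.com"},
         "relationships": {"user": {"data": {"id": "user-2", "type": "users"}}}},
        {"id": "ou-H3", "type": "organization-memberships",
         "attributes": {"email": "gh-webhooks-0@hashicorp.com"},
         "relationships": {"user": {"data": {"id": "user-3", "type": "users"}}}},
        {"id": "ou-H4", "type": "organization-memberships",
         "attributes": {"email": "api-org-0@hashicorp.com"},
         "relationships": {"user": {"data": {"id": "user-4", "type": "users"}}}},
    ],
    "included": [
        {"id": "user-1", "type": "users", "attributes": {"username": "alice"}},
        {"id": "user-2", "type": "users", "attributes": {"username": "bob"}},
        {"id": "user-3", "type": "users", "attributes": {"username": "gh-webhooks-0"}},
        {"id": "user-4", "type": "users", "attributes": {"username": "api-org-0"}},
    ],
})

# Constructed: membership IDs the API reports on the team today (what the
# provider reads back on import, hidden accounts included).
SAMPLE_TEAM_MEMBERSHIP_IDS = ["ou-A1", "ou-B2", "ou-H3", "ou-H4"]

# The emails declared in the tfe_organization_membership data source.
DECLARED_EMAILS = {"alice@example.com", "bob@example.com"}


@dataclass(frozen=True)
class Member:
    membership_id: str
    email: str
    username: str


def parse_memberships(raw_json: str) -> dict[str, Member]:
    """Join organization-membership records with their included user records."""
    doc = json.loads(raw_json)
    usernames = {u["id"]: u["attributes"]["username"]
                 for u in doc.get("included", []) if u["type"] == "users"}
    members = {}
    for m in doc["data"]:
        user_id = m["relationships"]["user"]["data"]["id"]
        members[m["id"]] = Member(membership_id=m["id"],
                                  email=m["attributes"]["email"],
                                  username=usernames.get(user_id, "<unknown>"))
    return members


def plan_removals(team_membership_ids, declared_emails, members):
    """Members on the team today whose email is not declared in HCL.

    This is the set a tfe_team_organization_members apply would remove.
    IDs that do not resolve to an org membership are kept with placeholders
    rather than dropped, so nothing disappears from the report.
    """
    declared_ids = {m.membership_id for m in members.values()
                    if m.email in declared_emails}
    removals = [members.get(i, Member(i, "<unknown>", "<unknown>"))
                for i in team_membership_ids if i not in declared_ids]
    return sorted(removals, key=lambda m: m.membership_id)


def split_hidden(removals, internal_domain="hashicorp.com"):
    """Split removals into (hidden, visible).

    Hidden accounts are assumed to be recognisable by their email domain,
    as the issue reporter observed; this is an assumption, not provider logic.
    """
    suffix = "@" + internal_domain
    hidden = [m for m in removals if m.email.endswith(suffix)]
    visible = [m for m in removals if not m.email.endswith(suffix)]
    return hidden, visible


def preflight(raw_json=SAMPLE_ORG_MEMBERSHIPS_JSON,
              team_ids=SAMPLE_TEAM_MEMBERSHIP_IDS,
              declared=DECLARED_EMAILS):
    """Run the whole check and return (hidden, visible) planned removals."""
    members = parse_memberships(raw_json)
    return split_hidden(plan_removals(team_ids, declared, members))


if __name__ == "__main__":
    hidden, visible = preflight()
    for m in hidden:
        print(f"WOULD REMOVE HIDDEN INTERNAL ACCOUNT: {m.membership_id} {m.username} <{m.email}>")
    for m in visible:
        print(f"would remove: {m.membership_id} {m.username} <{m.email}>")
```

Against a real organization you would replace the two constructed samples with the API responses for the org and the team (the membership IDs the provider reads back are the ones shown in the plan), and treat a non-empty hidden list as a reason to stop rather than apply; the visible list is ordinary drift that the resource is meant to correct.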