fix(sso): handle unknown team_ids in group mapping CustomizeDiff #728
Merged
tembleking merged 2 commits into master on Apr 22, 2026
CustomizeDiff validation read team_ids via diff.Get which surfaces unknown (known-after-apply) values as empty lists, causing a false "team_ids must be set when is_for_all_teams is false" error during plan when team_ids references resources not yet created. Switch to diff.GetRawPlan().AsValueMap() with cty .IsKnown() checks to skip validation when values are not yet resolved, deferring to apply-time. Matches existing pattern in resource_sysdig_secure_team.
Pull request overview
Updates the sysdig_sso_group_mapping resource diff validation so that team_ids values that are unknown at plan time (e.g., forward references like sysdig_secure_team.*.id) don’t incorrectly appear as empty lists and trigger a false validation error.
Changes:
- Switch CustomizeDiff validation from diff.Get(...) to diff.GetRawPlan() with cty.IsKnown() checks to defer validation when values are unknown during plan.
- Add an acceptance regression test covering is_for_all_teams = false with team_ids coming from a newly created sysdig_secure_team.
- Add a new HCL config helper for the regression scenario.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 1 comment.
| File | Description |
|---|---|
| sysdig/resource_sysdig_sso_group_mapping.go | Uses raw plan + known checks to avoid false “missing team_ids” errors during plan for forward references. |
| sysdig/resource_sysdig_sso_group_mapping_test.go | Adds acceptance coverage for team IDs sourced from another resource. |
Zone tests used hardcoded names (acc-legacy, acc-expr, acc-migrate, acc-v2rules) causing 409 Conflict when orphaned zones from failed CI runs persisted in the tenant. Adds random suffix to all zone test names to prevent collisions across concurrent/repeated runs.
cristof-ziel approved these changes Apr 22, 2026
CustomizeDiff in sysdig_sso_group_mapping reads team_ids via diff.Get, which surfaces unknown (known-after-apply) values as empty lists. This causes a false "team_ids must be set when is_for_all_teams is false" error during plan when team_ids references resources not yet created (e.g. sysdig_secure_team.*.id).
Switches to diff.GetRawPlan().AsValueMap() with cty .IsKnown() checks to skip validation when values are not yet resolved, deferring to apply-time. Matches existing pattern in resource_sysdig_secure_team. Adds regression test with is_for_all_teams=false + team ID from a forward resource reference.
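The plan-time behaviour this PR fixes, as an added stdlib-only Go model that is not the provider's code. `planValue` and both validators are hypothetical stand-ins for the SDK's `cty.Value` handling, and each attribute is assumed to be wholly known or wholly unknown.

```go
package main

import (
	"errors"
	"fmt"
)

// planValue is a hypothetical stand-in for one attribute's cty.Value in the
// raw plan. Known=false models "known after apply"; such a value carries no
// payload, so Bool and List stay at their zero values.
type planValue struct {
	Known bool
	Bool  bool     // payload for is_for_all_teams
	List  []string // payload for team_ids
}

var errTeamIDs = errors.New("team_ids must be set when is_for_all_teams is false")

// validateLegacy models the pre-fix check: like diff.Get as described in the
// PR, it sees only the zero-valued payload and never looks at Known.
func validateLegacy(plan map[string]planValue) error {
	if !plan["is_for_all_teams"].Bool && len(plan["team_ids"].List) == 0 {
		return errTeamIDs
	}
	return nil
}

// validateKnownAware models the post-fix check: it skips validation while
// either input is unresolved and enforces the rule once both are known.
func validateKnownAware(plan map[string]planValue) error {
	all, ids := plan["is_for_all_teams"], plan["team_ids"]
	if !all.Known || !ids.Known {
		return nil // deferred until the values are known
	}
	if !all.Bool && len(ids.List) == 0 {
		return errTeamIDs
	}
	return nil
}

func main() {
	// Constructed plan: team_ids refers to a team that is not created yet.
	forward := map[string]planValue{"is_for_all_teams": {Known: true}, "team_ids": {}}
	fmt.Println("legacy:     ", validateLegacy(forward))
	fmt.Println("known-aware:", validateKnownAware(forward))
}
```

A known, empty `team_ids` with `is_for_all_teams = false` is still rejected by the known-aware check, so the rule is only deferred for unresolved values, not dropped.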