Empty lists as resource attribute value resolve to the predefined default, rather than an empty list.

[eelginUPS]

• A description of the bug
  When setting roles: [] in a project_group resource, rather than the group having no project roles, it gets assigned the default value of ["viewer"]. I have noticed this issue before when defining users to a project in Terraform. What is peculiar is that the plan will clearly mark the "viewer" role to be removed from the plan, but after applying the permission still exists. Manually removing the viewer role resolves the issues as it is never recreated on apply once it is gone.

• A fully functioning terraform snippet that can be copy&pasted (no outside files or ENV vars unless that's part of the issue). If this is not supplied, this issue will likely be closed without any effort expended.

resource "project_group" "pipeline-reader-groups" {
  for_each = var.team_to_users_map

  project_key = var.sdg
  name        = "${each.key}-pipeline-reader"
  roles       = []
  depends_on  = [resource.artifactory_group.pipeline-reader-groups]
}

The plan correctly points out the roles to be removed

# xxx["dct-gbs-mera"] will be updated in-place
  ~ resource "project_group" "pipeline-reader-groups" {
        id          = "dct:dct-gbs-mera-pipeline-reader"
        name        = "dct-gbs-mera-pipeline-reader"
      ~ roles       = [
          - "Viewer",
        ]
        # (1 unchanged attribute hidden)
    }

  # xxx["dct-runteam"] will be updated in-place
  ~ resource "project_group" "pipeline-reader-groups" {
        id          = "dct:dct-runteam-pipeline-reader"
        name        = "dct-runteam-pipeline-reader"
      ~ roles       = [
          - "Viewer",
        ]
        # (1 unchanged attribute hidden)
    }

It also claims in the apply that the updates were applied.

Versions of tf + providers:
terraform_1.7.5_linux_amd64.zip
jfrog/project v1.5.2
jfrog/platform v1.7.4
jfrog/artifactory v10.8.0

Expected behavior
roles: [] should apply what the plan states, and remove the default 'viewer' role.

[alexhung]

@eelginUPS Thank you for the report. Projects do not allows group without a role assigned to it. You can verify this on the web UI.

When a new project_group is created with empty roles, Artifactory returns the group with one role which it defaults to the "Viewer" role since that has the least permission.

I missed this use case when I created this resource and did not have a test for this.

To avoid state drift, you should include "Viewer" in the roles list.

I'll be updating the resource to ensure roles attribute must have at least one item.