feat(coderd_user): add service account support (#357)

Adds an `is_service_account` attribute to the `coderd_user` resource and
data source, closing the Terraform/API parity gap for service accounts.
Service accounts are admin-managed, login-less accounts that — unlike a
`login_type = "none"` user — carry no email and do not consume a
licensed user seat.

Changes:

- **Resource**: add `is_service_account` (optional, defaults `false`,
`ForceNew` since it is immutable server-side). When `true`, the user is
created via `CreateUserWithOrgs` with `ServiceAccount: true` (no email,
`login_type` `none`); the existing `CreateUser` path is unchanged for
regular users.
- **Plan-time validation** (`ValidateConfig`) mirrors the server rules:
`email` is required unless `is_service_account` is `true`, in which case
`email`, `password`, and a non-`none` `login_type` are rejected.
- **Data source**: expose `is_service_account` (read-only).
- `email` becomes `Optional + Computed` (was `Required`) so it can be
omitted for service accounts; it remains effectively required for
regular users via `ValidateConfig`.
- Add an acceptance test (`TestAccUserResourceServiceAccount`, gated on
a licensed deployment via `UseLicense` since service accounts are
Premium) and regenerate docs/examples.

The attribute name matches the API's `is_service_account` field,
consistent with how `is_default` is named on the `coderd_organization`
data source; on create it maps to the `service_account` field of
`CreateUserRequestWithOrgs` (the create request uses the unprefixed
name), the same attribute-name-to-request-field mapping already used for
`suspended`.

Verified locally: `go build ./...`, `golangci-lint run` (clean), `make
gen` (idempotent). Acceptance tests require a licensed deployment and
run in CI.

Fixes #356

---------

Co-authored-by: PushTheLimit <591079+PushTheLimit@users.noreply.github.com>
Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Co-authored-by: Ethan Dickson <ethanndickson@gmail.com>

Author: 3 people

docs/data-sources/user.md

@@ -47,6 +47,7 @@ resource "coderd_group" "bosses" {
 - `avatar_url` (String) URL of the user's avatar.
 - `created_at` (Number) Unix timestamp of when the user was created.
 - `email` (String) Email of the user.
+- `is_service_account` (Boolean) Whether the user is a service account: an admin-managed account that cannot log in interactively and does not consume a licensed user seat.
 - `last_seen_at` (Number) Unix timestamp of when the user was last seen.
 - `login_type` (String) Type of login for the user. Valid types are `none`, `password', `github`, and `oidc`.
 - `name` (String) Display name of the user.

docs/resources/user.md

@@ -41,18 +41,28 @@ resource "coderd_user" "admin" {
   suspended = true
   email     = "admin@example.com"
 }
+
+// Create a service account for automation (Premium). Unlike a `login_type =
+// none` user, a service account has no email and does not consume a user seat.
+resource "coderd_user" "automation" {
+  username           = "automation"
+  name               = "Automation"
+  roles              = ["template-admin"]
+  is_service_account = true
+}
 ```
 
 <!-- schema generated by tfplugindocs -->
 ## Schema
 
 ### Required
 
-- `email` (String) Email address of the user.
 - `username` (String) Username of the user.
 
 ### Optional
 
+- `email` (String) Email address of the user. Required unless `is_service_account` is `true`, in which case it must be omitted (service accounts have no email).
+- `is_service_account` (Boolean) Whether the user is a service account. Service accounts are admin-managed accounts that cannot log in interactively: they have no password or email and use `login_type` `none`. Unlike a regular `login_type = none` user, a service account does not consume a licensed user seat. Changing this attribute forces replacement.
 - `login_type` (String) Type of login for the user. Valid types are `none`, `password`, `github`, and `oidc`.
 - `name` (String) Display name of the user. Defaults to username.
 - `password` (String, Sensitive) Password for the user. Required when `login_type` is `password`. Passwords are saved into the state as plain text and should only be used for testing purposes.

examples/resources/coderd_user/resource.tf

@@ -26,3 +26,12 @@ resource "coderd_user" "admin" {
   suspended = true
   email     = "admin@example.com"
 }
+
+// Create a service account for automation (Premium). Unlike a `login_type =
+// none` user, a service account has no email and does not consume a user seat.
+resource "coderd_user" "automation" {
+  username           = "automation"
+  name               = "Automation"
+  roles              = ["template-admin"]
+  is_service_account = true
+}

internal/provider/user_data_source.go

@@ -32,15 +32,16 @@ type UserDataSourceModel struct {
 	ID       UUID         `tfsdk:"id"`
 	Username types.String `tfsdk:"username"`
 
-	Name            types.String `tfsdk:"name"`
-	Email           types.String `tfsdk:"email"`
-	Roles           types.Set    `tfsdk:"roles"`      // owner, template-admin, user-admin, auditor (member is implicit)
-	LoginType       types.String `tfsdk:"login_type"` // none, password, github, oidc
-	Suspended       types.Bool   `tfsdk:"suspended"`
-	AvatarURL       types.String `tfsdk:"avatar_url"`
-	OrganizationIDs types.Set    `tfsdk:"organization_ids"`
-	CreatedAt       types.Int64  `tfsdk:"created_at"` // Unix timestamp
-	LastSeenAt      types.Int64  `tfsdk:"last_seen_at"`
+	Name             types.String `tfsdk:"name"`
+	Email            types.String `tfsdk:"email"`
+	Roles            types.Set    `tfsdk:"roles"`      // owner, template-admin, user-admin, auditor (member is implicit)
+	LoginType        types.String `tfsdk:"login_type"` // none, password, github, oidc
+	Suspended        types.Bool   `tfsdk:"suspended"`
+	IsServiceAccount types.Bool   `tfsdk:"is_service_account"`
+	AvatarURL        types.String `tfsdk:"avatar_url"`
+	OrganizationIDs  types.Set    `tfsdk:"organization_ids"`
+	CreatedAt        types.Int64  `tfsdk:"created_at"` // Unix timestamp
+	LastSeenAt       types.Int64  `tfsdk:"last_seen_at"`
 }
 
 func (d *UserDataSource) Metadata(ctx context.Context, req datasource.MetadataRequest, resp *datasource.MetadataResponse) {
@@ -83,6 +84,10 @@ func (d *UserDataSource) Schema(ctx context.Context, req datasource.SchemaReques
 				MarkdownDescription: "Whether the user is suspended.",
 				Computed:            true,
 			},
+			"is_service_account": schema.BoolAttribute{
+				MarkdownDescription: "Whether the user is a service account: an admin-managed account that cannot log in interactively and does not consume a licensed user seat.",
+				Computed:            true,
+			},
 			"avatar_url": schema.StringAttribute{
 				MarkdownDescription: "URL of the user's avatar.",
 				Computed:            true,
@@ -175,6 +180,7 @@ func (d *UserDataSource) Read(ctx context.Context, req datasource.ReadRequest, r
 	data.Roles = types.SetValueMust(types.StringType, roles)
 	data.LoginType = types.StringValue(string(user.LoginType))
 	data.Suspended = types.BoolValue(user.Status == codersdk.UserStatusSuspended)
+	data.IsServiceAccount = types.BoolValue(user.IsServiceAccount)
 
 	orgIDs := make([]attr.Value, 0, len(user.OrganizationIDs))
 	for _, orgID := range user.OrganizationIDs {

internal/provider/user_data_source_test.go

@@ -10,6 +10,7 @@ import (
 	"github.com/coder/coder/v2/coderd/util/ptr"
 	"github.com/coder/coder/v2/codersdk"
 	"github.com/coder/terraform-provider-coderd/integration"
+	"github.com/google/uuid"
 	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
 	"github.com/stretchr/testify/require"
 )
@@ -49,6 +50,7 @@ func TestAccUserDataSource(t *testing.T) {
 		resource.TestCheckResourceAttr("data.coderd_user.test", "roles.0", "auditor"),
 		resource.TestCheckResourceAttr("data.coderd_user.test", "login_type", "password"),
 		resource.TestCheckResourceAttr("data.coderd_user.test", "suspended", "false"),
+		resource.TestCheckResourceAttr("data.coderd_user.test", "is_service_account", "false"),
 	)
 	t.Run("UserByUsernameOk", func(t *testing.T) {
 		cfg := testAccUserDataSourceConfig{
@@ -127,6 +129,51 @@ func TestAccUserDataSource(t *testing.T) {
 	})
 }
 
+// TestAccUserDataSourceServiceAccount verifies the data source surfaces
+// is_service_account==true and an empty email for a service account. Service
+// accounts are a Premium feature, so a licensed deployment is required.
+func TestAccUserDataSourceServiceAccount(t *testing.T) {
+	t.Parallel()
+	if os.Getenv("TF_ACC") == "" {
+		t.Skip("Acceptance tests are disabled.")
+	}
+	ctx := t.Context()
+	client := integration.StartCoder(ctx, t, "user_data_service_account_acc", integration.UseLicense)
+	firstUser, err := client.User(ctx, codersdk.Me)
+	require.NoError(t, err)
+	user, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
+		Username:        "service-account",
+		Name:            "Service Account",
+		UserLoginType:   "none",
+		OrganizationIDs: []uuid.UUID{firstUser.OrganizationIDs[0]},
+		ServiceAccount:  true,
+	})
+	require.NoError(t, err)
+
+	cfg := testAccUserDataSourceConfig{
+		URL:      client.URL.String(),
+		Token:    client.SessionToken(),
+		Username: ptr.Ref(user.Username),
+	}
+	resource.Test(t, resource.TestCase{
+		IsUnitTest:               true,
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProtoV6ProviderFactories,
+		Steps: []resource.TestStep{
+			{
+				Config: cfg.String(t),
+				Check: resource.ComposeAggregateTestCheckFunc(
+					resource.TestCheckResourceAttr("data.coderd_user.test", "username", "service-account"),
+					resource.TestCheckResourceAttr("data.coderd_user.test", "is_service_account", "true"),
+					// Service accounts have no email.
+					resource.TestCheckResourceAttr("data.coderd_user.test", "email", ""),
+					resource.TestCheckResourceAttr("data.coderd_user.test", "login_type", "none"),
+				),
+			},
+		},
+	})
+}
+
 type testAccUserDataSourceConfig struct {
 	URL   string
 	Token string

internal/provider/user_resource.go

@@ -13,6 +13,7 @@ import (
 	"github.com/hashicorp/terraform-plugin-framework/resource"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/booldefault"
+	"github.com/hashicorp/terraform-plugin-framework/resource/schema/boolplanmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/planmodifier"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringdefault"
 	"github.com/hashicorp/terraform-plugin-framework/resource/schema/stringplanmodifier"
@@ -27,6 +28,7 @@ import (
 // Ensure provider defined types fully satisfy framework interfaces.
 var _ resource.Resource = &UserResource{}
 var _ resource.ResourceWithImportState = &UserResource{}
+var _ resource.ResourceWithValidateConfig = &UserResource{}
 
 func NewUserResource() resource.Resource {
 	return &UserResource{}
@@ -41,13 +43,14 @@ type UserResource struct {
 type UserResourceModel struct {
 	ID UUID `tfsdk:"id"`
 
-	Username  types.String `tfsdk:"username"`
-	Name      types.String `tfsdk:"name"`
-	Email     types.String `tfsdk:"email"`
-	Roles     types.Set    `tfsdk:"roles"`      // owner, template-admin, user-admin, auditor (member is implicit)
-	LoginType types.String `tfsdk:"login_type"` // none, password, github, oidc
-	Password  types.String `tfsdk:"password"`   // only when login_type is password
-	Suspended types.Bool   `tfsdk:"suspended"`
+	Username         types.String `tfsdk:"username"`
+	Name             types.String `tfsdk:"name"`
+	Email            types.String `tfsdk:"email"`
+	Roles            types.Set    `tfsdk:"roles"`      // owner, template-admin, user-admin, auditor (member is implicit)
+	LoginType        types.String `tfsdk:"login_type"` // none, password, github, oidc
+	Password         types.String `tfsdk:"password"`   // only when login_type is password
+	Suspended        types.Bool   `tfsdk:"suspended"`
+	IsServiceAccount types.Bool   `tfsdk:"is_service_account"`
 }
 
 func (r *UserResource) Metadata(ctx context.Context, req resource.MetadataRequest, resp *resource.MetadataResponse) {
@@ -83,8 +86,13 @@ func (r *UserResource) Schema(ctx context.Context, req resource.SchemaRequest, r
 				},
 			},
 			"email": schema.StringAttribute{
-				MarkdownDescription: "Email address of the user.",
-				Required:            true,
+				MarkdownDescription: "Email address of the user. Required unless `is_service_account` is `true`, in which case it must be omitted (service accounts have no email).",
+				Optional:            true,
+				Computed:            true,
+				PlanModifiers: []planmodifier.String{
+					stringplanmodifier.UseStateForUnknown(),
+					stringplanmodifier.RequiresReplaceIfConfigured(),
+				},
 			},
 			"roles": schema.SetAttribute{
 				MarkdownDescription: "Roles assigned to the user. Valid roles are `owner`, `template-admin`, `user-admin`, and `auditor`. If `null`, roles will not be managed by Terraform. This attribute must be null if the user is an OIDC user and role sync is configured",
@@ -119,6 +127,15 @@ func (r *UserResource) Schema(ctx context.Context, req resource.SchemaRequest, r
 				Optional:            true,
 				Default:             booldefault.StaticBool(false),
 			},
+			"is_service_account": schema.BoolAttribute{
+				MarkdownDescription: "Whether the user is a service account. Service accounts are admin-managed accounts that cannot log in interactively: they have no password or email and use `login_type` `none`. Unlike a regular `login_type = none` user, a service account does not consume a licensed user seat. Changing this attribute forces replacement.",
+				Computed:            true,
+				Optional:            true,
+				Default:             booldefault.StaticBool(false),
+				PlanModifiers: []planmodifier.Bool{
+					boolplanmodifier.RequiresReplaceIfConfigured(),
+				},
+			},
 		},
 	}
 }
@@ -143,6 +160,44 @@ func (r *UserResource) Configure(ctx context.Context, req resource.ConfigureRequ
 	r.data = data
 }
 
+func (r *UserResource) ValidateConfig(ctx context.Context, req resource.ValidateConfigRequest, resp *resource.ValidateConfigResponse) {
+	var data UserResourceModel
+	resp.Diagnostics.Append(req.Config.Get(ctx, &data)...)
+	if resp.Diagnostics.HasError() || data.IsServiceAccount.IsUnknown() {
+		return
+	}
+
+	emailKnown := !data.Email.IsUnknown()
+	emailSet := emailKnown && !data.Email.IsNull() && data.Email.ValueString() != ""
+
+	if data.IsServiceAccount.ValueBool() {
+		// Service accounts cannot log in, so they carry no email or credentials
+		// and must use login_type 'none' (enforced server-side).
+		if emailSet {
+			resp.Diagnostics.AddAttributeError(path.Root("email"),
+				"Invalid Attribute Combination",
+				"`email` must not be set when `is_service_account` is `true`.")
+		}
+		if !data.Password.IsNull() {
+			resp.Diagnostics.AddAttributeError(path.Root("password"),
+				"Invalid Attribute Combination",
+				"`password` must not be set when `is_service_account` is `true`.")
+		}
+		// Compared as a string literal to match the schema default/validator and
+		// avoid the deprecated codersdk.LoginTypeNone constant.
+		if !data.LoginType.IsNull() && !data.LoginType.IsUnknown() &&
+			data.LoginType.ValueString() != "none" {
+			resp.Diagnostics.AddAttributeError(path.Root("login_type"),
+				"Invalid Attribute Combination",
+				"`login_type` must be `none` when `is_service_account` is `true`.")
+		}
+	} else if emailKnown && !emailSet {
+		resp.Diagnostics.AddAttributeError(path.Root("email"),
+			"Missing Required Attribute",
+			"`email` is required when `is_service_account` is `false`.")
+	}
+}
+
 func (r *UserResource) Create(ctx context.Context, req resource.CreateRequest, resp *resource.CreateResponse) {
 	var data UserResourceModel
 
@@ -174,17 +229,21 @@ func (r *UserResource) Create(ctx context.Context, req resource.CreateRequest, r
 		resp.Diagnostics.AddError("Data Error", "Password is only allowed when login_type is 'password'")
 		return
 	}
-	user, err := client.CreateUser(ctx, codersdk.CreateUserRequest{
-		Email:          data.Email.ValueString(),
-		Username:       data.Username.ValueString(),
-		Password:       data.Password.ValueString(),
-		UserLoginType:  loginType,
-		OrganizationID: me.OrganizationIDs[0],
+	user, err := client.CreateUserWithOrgs(ctx, codersdk.CreateUserRequestWithOrgs{
+		Email:           data.Email.ValueString(),
+		Username:        data.Username.ValueString(),
+		Name:            data.Name.ValueString(),
+		Password:        data.Password.ValueString(),
+		UserLoginType:   loginType,
+		OrganizationIDs: []uuid.UUID{me.OrganizationIDs[0]},
+		ServiceAccount:  data.IsServiceAccount.ValueBool(),
 	})
 	if err != nil {
 		resp.Diagnostics.AddError("Client Error", fmt.Sprintf("Unable to create user, got error: %s", err))
 		return
 	}
+	data.Email = types.StringValue(user.Email)
+	data.IsServiceAccount = types.BoolValue(user.IsServiceAccount)
 	tflog.Info(ctx, "successfully created user", map[string]any{
 		"id": user.ID.String(),
 	})
@@ -273,6 +332,7 @@ func (r *UserResource) Read(ctx context.Context, req resource.ReadRequest, resp
 	}
 	data.LoginType = types.StringValue(string(user.LoginType))
 	data.Suspended = types.BoolValue(user.Status == codersdk.UserStatusSuspended)
+	data.IsServiceAccount = types.BoolValue(user.IsServiceAccount)
 
 	// The user-by-ID API returns deleted users if the authorized user has
 	// permission. It does not indicate whether the user is deleted or not.