From 60f88c7107204f3ea77b7f54cf4ebb825b434941 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Tue, 30 Jul 2024 18:34:15 -0300
Subject: [PATCH 1/4] Document SSO caveats on UserSpecV2.TrustedDeviceIDs
---
 api/proto/teleport/legacy/types/types.proto | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 66cf4a2f51c6e..0736b6488be12 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -3490,6 +3490,13 @@ message UserSpecV2 {
 LocalAuthSecrets LocalAuth = 9 [(gogoproto.jsontag) = "local_auth,omitempty"];
 // TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user.
+ //
+ // Note that SSO users are transient and thus may contain an empty
+ // TrustedDeviceIDs field, even though the user->device association exists
+ // under the Device Trust subsystem. Do not rely on this field to determine
+ // device associations or ownership, it exists for legacy/informative purposes
+ // only.
+ //
 // Managed by the Device Trust subsystem, avoid manual edits.
 repeated string TrustedDeviceIDs = 10 [(gogoproto.jsontag) = "trusted_device_ids,omitempty"];
 }
From 08e4f1b70658eea6d626466f94d88ec83ae20be0 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Tue, 30 Jul 2024 18:35:30 -0300
Subject: [PATCH 2/4] Update generated protos
---
 api/types/types.pb.go | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/api/types/types.pb.go b/api/types/types.pb.go
index fddb10c579a2c..bcb7bb591a659 100644
--- a/api/types/types.pb.go
+++ b/api/types/types.pb.go
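Review bot: The new comment on TrustedDeviceIDs tells readers not to rely on the field for device associations but never names the authoritative source, so a caller reading this still has to guess which Device Trust data to consult; a closing line such as `// The Device Trust subsystem's enrolled-device records are the source of truth for the user->device mapping.` would make the redirect actionable. Two wording nits: "SSO users ... may contain an empty TrustedDeviceIDs field" reads better as `// Note that SSO users are transient and thus may have an empty`, and the last sentence is a comma splice, `// device associations or ownership; it exists for legacy/informative purposes`. Since the field is described as legacy/informative only, it may be worth deciding whether it should eventually carry a deprecation marker, though that is beyond this comment change. The same paragraph is copied verbatim into the generated pb.go, CRD and Terraform outputs in the later patches, so any rewording belongs here, followed by regeneration.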
@@ -8757,6 +8757,13 @@ type UserSpecV2 struct { // authentication LocalAuth *LocalAuthSecrets `protobuf:"bytes,9,opt,name=LocalAuth,proto3" json:"local_auth,omitempty"` // TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. + // + // Note that SSO users are transient and thus may contain an empty + // TrustedDeviceIDs field, even though the user->device association exists + // under the Device Trust subsystem. Do not rely on this field to determine + // device associations or ownership, it exists for legacy/informative purposes + // only. + // // Managed by the Device Trust subsystem, avoid manual edits. TrustedDeviceIDs []string `protobuf:"bytes,10,rep,name=TrustedDeviceIDs,proto3" json:"trusted_device_ids,omitempty"` XXX_NoUnkeyedLiteral struct{} `json:"-"`
From f9f7a0c72bf7ee48e9d052b33af3e35dac1e2a70 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Wed, 31 Jul 2024 10:22:08 -0300
Subject: [PATCH 3/4] Run `make -C integrations/operator manifests`
---
 .../operator-crds/resources.teleport.dev_users.yaml | 8 ++++++--
 .../config/crd/bases/resources.teleport.dev_users.yaml | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml
index f8720f714d3c9..0c5221f64b369 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml
@@ -119,8 +119,12 @@ spec: type: object trusted_device_ids: description: TrustedDeviceIDs contains the IDs of trusted devices - enrolled by the user. Managed by the Device Trust subsystem, avoid - manual edits. + enrolled by the user. Note that SSO users are transient and thus + may contain an empty TrustedDeviceIDs field, even though the user->device + association exists under the Device Trust subsystem. Do not rely + on this field to determine device associations or ownership, it + exists for legacy/informative purposes only. Managed by the Device + Trust subsystem, avoid manual edits. items: type: string nullable: true
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
index f8720f714d3c9..0c5221f64b369 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
@@ -119,8 +119,12 @@ spec: type: object trusted_device_ids: description: TrustedDeviceIDs contains the IDs of trusted devices - enrolled by the user. Managed by the Device Trust subsystem, avoid - manual edits. + enrolled by the user. Note that SSO users are transient and thus + may contain an empty TrustedDeviceIDs field, even though the user->device + association exists under the Device Trust subsystem. Do not rely + on this field to determine device associations or ownership, it + exists for legacy/informative purposes only. Managed by the Device + Trust subsystem, avoid manual edits. items: type: string nullable: true
From ef782a19593f71bf8cefc06362821ad21edc5fdb Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 1 Aug 2024 17:54:36 -0300
Subject: [PATCH 4/4] Run `make -C integrations/terraform docs`
---
 docs/pages/reference/terraform-provider/data-sources/user.mdx | 2 +-
 docs/pages/reference/terraform-provider/resources/user.mdx | 2 +-
 integrations/terraform/tfschema/types_terraform.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/docs/pages/reference/terraform-provider/data-sources/user.mdx b/docs/pages/reference/terraform-provider/data-sources/user.mdx
index b2b12619f9268..67f8e507b287e 100644
--- a/docs/pages/reference/terraform-provider/data-sources/user.mdx
+++ b/docs/pages/reference/terraform-provider/data-sources/user.mdx
@@ -46,7 +46,7 @@ Optional: - `roles` (List of String) Roles is a list of roles assigned to user - `saml_identities` (Attributes List) SAMLIdentities lists associated SAML identities that let user log in using externally verified identity (see [below for nested schema](#nested-schema-for-specsaml_identities)) - `traits` (Map of List of String) -- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits. +- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may contain an empty TrustedDeviceIDs field, even though the user->device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership, it exists for legacy/informative purposes only. Managed by the Device Trust subsystem, avoid manual edits. ### Nested Schema for `spec.github_identities`
diff --git a/docs/pages/reference/terraform-provider/resources/user.mdx b/docs/pages/reference/terraform-provider/resources/user.mdx
index f65fd9bb950db..989c39616ab6d 100644
--- a/docs/pages/reference/terraform-provider/resources/user.mdx
+++ b/docs/pages/reference/terraform-provider/resources/user.mdx
@@ -92,7 +92,7 @@ Optional: - `roles` (List of String) Roles is a list of roles assigned to user - `saml_identities` (Attributes List) SAMLIdentities lists associated SAML identities that let user log in using externally verified identity (see [below for nested schema](#nested-schema-for-specsaml_identities)) - `traits` (Map of List of String) -- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits. +- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may contain an empty TrustedDeviceIDs field, even though the user->device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership, it exists for legacy/informative purposes only. Managed by the Device Trust subsystem, avoid manual edits. ### Nested Schema for `spec.github_identities`
diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go
index 443c362088dca..a2c90a344eff7 100644
--- a/integrations/terraform/tfschema/types_terraform.go
+++ b/integrations/terraform/tfschema/types_terraform.go
@@ -2582,7 +2582,7 @@ func GenSchemaUserV2(ctx context.Context) (github_com_hashicorp_terraform_plugin }, "traits": GenSchemaTraits(ctx), "trusted_device_ids": { - Description: "TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits.", + Description: "TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may contain an empty TrustedDeviceIDs field, even though the user->device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership, it exists for legacy/informative purposes only. Managed by the Device Trust subsystem, avoid manual edits.", Optional: true, Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType}, },