From 40631625109165f195acbc250305f8893a810d5e Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Tue, 30 Jul 2024 18:34:15 -0300
Subject: [PATCH 1/4] Document SSO caveats on UserSpecV2.TrustedDeviceIDs

---
 api/proto/teleport/legacy/types/types.proto | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/api/proto/teleport/legacy/types/types.proto b/api/proto/teleport/legacy/types/types.proto
index 5b909502bb7b8..55c9078370f7a 100644
--- a/api/proto/teleport/legacy/types/types.proto
+++ b/api/proto/teleport/legacy/types/types.proto
@@ -3467,6 +3467,13 @@ message UserSpecV2 {
 LocalAuthSecrets LocalAuth = 9 [(gogoproto.jsontag) = "local_auth,omitempty"];
 // TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user.
+ //
+ // Note that SSO users are transient and thus may contain an empty
+ // TrustedDeviceIDs field, even though the user->device association exists
+ // under the Device Trust subsystem. Do not rely on this field to determine
+ // device associations or ownership, it exists for legacy/informative purposes
+ // only.
+ //
 // Managed by the Device Trust subsystem, avoid manual edits.
 repeated string TrustedDeviceIDs = 10 [(gogoproto.jsontag) = "trusted_device_ids,omitempty"];
 }

From 81749144e49515e6917f7dfea52eb6a193440515 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Tue, 30 Jul 2024 18:35:30 -0300
Subject: [PATCH 2/4] Update generated protos

---
 api/types/types.pb.go | 7 +++++++
 1 file changed, 7 insertions(+)

diff --git a/api/types/types.pb.go b/api/types/types.pb.go
index c1ccbdd9a2a1d..cb23b68b643fc 100644
--- a/api/types/types.pb.go
+++ b/api/types/types.pb.go
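Review bot: The new comment on TrustedDeviceIDs is the only thing steering readers away from using this field for device association or ownership decisions; nothing in the schema itself signals that. If the field really is kept for legacy/informative purposes only, as the added text says, consider also marking it with the protobuf field option so generated code carries a Deprecated marker and tooling flags new uses: `repeated string TrustedDeviceIDs = 10 [deprecated = true, (gogoproto.jsontag) = "trusted_device_ids,omitempty"];`. The generated artifacts touched by the later patches in this series (types.pb.go, the operator CRDs, the terraform schema) would presumably need regenerating after that. A one-line pointer to where the authoritative user-to-device association lives would also help readers who reach this field during an authorization review.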
@@ -8622,6 +8622,13 @@ type UserSpecV2 struct {
 // authentication
 LocalAuth *LocalAuthSecrets `protobuf:"bytes,9,opt,name=LocalAuth,proto3" json:"local_auth,omitempty"`
 // TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user.
+ //
+ // Note that SSO users are transient and thus may contain an empty
+ // TrustedDeviceIDs field, even though the user->device association exists
+ // under the Device Trust subsystem. Do not rely on this field to determine
+ // device associations or ownership, it exists for legacy/informative purposes
+ // only.
+ //
 // Managed by the Device Trust subsystem, avoid manual edits.
 TrustedDeviceIDs []string `protobuf:"bytes,10,rep,name=TrustedDeviceIDs,proto3" json:"trusted_device_ids,omitempty"`
 XXX_NoUnkeyedLiteral struct{} `json:"-"`

From 657cb3dcfae70dd2d332f10d0aad11f35a2189f6 Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Wed, 31 Jul 2024 10:22:08 -0300
Subject: [PATCH 3/4] Run `make -C integrations/operator manifests`

---
 .../operator-crds/resources.teleport.dev_users.yaml | 8 ++++++--
 .../config/crd/bases/resources.teleport.dev_users.yaml | 8 ++++++--
 2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml
index f8720f714d3c9..0c5221f64b369 100644
--- a/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml
+++ b/examples/chart/teleport-cluster/charts/teleport-operator/operator-crds/resources.teleport.dev_users.yaml
@@ -119,8 +119,12 @@ spec:
 type: object
 trusted_device_ids:
 description: TrustedDeviceIDs contains the IDs of trusted devices
- enrolled by the user. Managed by the Device Trust subsystem, avoid
- manual edits.
+ enrolled by the user. Note that SSO users are transient and thus
+ may contain an empty TrustedDeviceIDs field, even though the user->device
+ association exists under the Device Trust subsystem. Do not rely
+ on this field to determine device associations or ownership, it
+ exists for legacy/informative purposes only. Managed by the Device
+ Trust subsystem, avoid manual edits.
 items:
 type: string
 nullable: true
diff --git a/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml b/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
index f8720f714d3c9..0c5221f64b369 100644
--- a/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
+++ b/integrations/operator/config/crd/bases/resources.teleport.dev_users.yaml
@@ -119,8 +119,12 @@ spec:
 type: object
 trusted_device_ids:
 description: TrustedDeviceIDs contains the IDs of trusted devices
- enrolled by the user. Managed by the Device Trust subsystem, avoid
- manual edits.
+ enrolled by the user. Note that SSO users are transient and thus
+ may contain an empty TrustedDeviceIDs field, even though the user->device
+ association exists under the Device Trust subsystem. Do not rely
+ on this field to determine device associations or ownership, it
+ exists for legacy/informative purposes only. Managed by the Device
+ Trust subsystem, avoid manual edits.
 items:
 type: string
 nullable: true

From 8edba54ab0968dd8b110a2512330cd14797fad1d Mon Sep 17 00:00:00 2001
From: Alan Parra
Date: Thu, 1 Aug 2024 17:54:36 -0300
Subject: [PATCH 4/4] Run `make -C integrations/terraform docs`

---
 docs/pages/reference/terraform-provider/data-sources/user.mdx | 2 +-
 docs/pages/reference/terraform-provider/resources/user.mdx | 2 +-
 integrations/terraform/tfschema/types_terraform.go | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/docs/pages/reference/terraform-provider/data-sources/user.mdx b/docs/pages/reference/terraform-provider/data-sources/user.mdx
index b2b12619f9268..67f8e507b287e 100644
--- a/docs/pages/reference/terraform-provider/data-sources/user.mdx
+++ b/docs/pages/reference/terraform-provider/data-sources/user.mdx
@@ -46,7 +46,7 @@ Optional:
 - `roles` (List of String) Roles is a list of roles assigned to user
 - `saml_identities` (Attributes List) SAMLIdentities lists associated SAML identities that let user log in using externally verified identity (see [below for nested schema](#nested-schema-for-specsaml_identities))
 - `traits` (Map of List of String)
-- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits.
+- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may contain an empty TrustedDeviceIDs field, even though the user->device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership, it exists for legacy/informative purposes only. Managed by the Device Trust subsystem, avoid manual edits.
 
 ### Nested Schema for `spec.github_identities`
diff --git a/docs/pages/reference/terraform-provider/resources/user.mdx b/docs/pages/reference/terraform-provider/resources/user.mdx
index f65fd9bb950db..989c39616ab6d 100644
--- a/docs/pages/reference/terraform-provider/resources/user.mdx
+++ b/docs/pages/reference/terraform-provider/resources/user.mdx
@@ -92,7 +92,7 @@ Optional:
 - `roles` (List of String) Roles is a list of roles assigned to user
 - `saml_identities` (Attributes List) SAMLIdentities lists associated SAML identities that let user log in using externally verified identity (see [below for nested schema](#nested-schema-for-specsaml_identities))
 - `traits` (Map of List of String)
-- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits.
+- `trusted_device_ids` (List of String) TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may contain an empty TrustedDeviceIDs field, even though the user->device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership, it exists for legacy/informative purposes only. Managed by the Device Trust subsystem, avoid manual edits.
 
 ### Nested Schema for `spec.github_identities`
diff --git a/integrations/terraform/tfschema/types_terraform.go b/integrations/terraform/tfschema/types_terraform.go
index 8778b4c65099b..5b77cc5b1dbf5 100644
--- a/integrations/terraform/tfschema/types_terraform.go
+++ b/integrations/terraform/tfschema/types_terraform.go
@@ -2556,7 +2556,7 @@ func GenSchemaUserV2(ctx context.Context) (github_com_hashicorp_terraform_plugin
 },
 "traits": GenSchemaTraits(ctx),
 "trusted_device_ids": {
- Description: "TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Managed by the Device Trust subsystem, avoid manual edits.",
+ Description: "TrustedDeviceIDs contains the IDs of trusted devices enrolled by the user. Note that SSO users are transient and thus may contain an empty TrustedDeviceIDs field, even though the user->device association exists under the Device Trust subsystem. Do not rely on this field to determine device associations or ownership, it exists for legacy/informative purposes only. Managed by the Device Trust subsystem, avoid manual edits.",
 Optional: true,
 Type: github_com_hashicorp_terraform_plugin_framework_types.ListType{ElemType: github_com_hashicorp_terraform_plugin_framework_types.StringType},
 },