From 08856a97fb27026f3b6fcf1253a01d070543a17c Mon Sep 17 00:00:00 2001
From: hkfires <10558748+hkfires@users.noreply.github.com>
Date: Fri, 26 Sep 2025 20:48:20 +0800
Subject: [PATCH] fix(access): Exclude inline provider from reconciliation changes The `ReconcileProviders` function was incorrectly including the default inline provider (`access.teleport.dev`) in the lists of added, updated, and removed providers. The inline provider is a special case managed directly by the access controller and does not correspond to a separate, reloadable resource. Including it in the change lists could lead to errors when attempting to perform lifecycle operations on it. This commit modifies the reconciliation logic to explicitly ignore the inline provider when calculating changes. This ensures that only external, reloadable providers are reported as changed, preventing incorrect lifecycle management.
---
 sdk/access/reconcile.go | 29 +++++++++++++++++++++--------
 1 file changed, 21 insertions(+), 8 deletions(-)
diff --git a/sdk/access/reconcile.go b/sdk/access/reconcile.go
index d4eda6c8..ca4d7679 100644
--- a/sdk/access/reconcile.go
+++ b/sdk/access/reconcile.go
@@ -31,6 +31,16 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 result = make([]Provider, 0, len(newEntries))
 finalIDs := make(map[string]struct{}, len(newEntries))
+ isInlineProvider := func(id string) bool {
+ return strings.EqualFold(id, config.DefaultAccessProviderName)
+ }
+ appendChange := func(list *[]string, id string) {
+ if isInlineProvider(id) {
+ return
+ }
+ *list = append(*list, id)
+ }
+
 for _, providerCfg := range newEntries {
 key := providerIdentifier(providerCfg)
 if key == "" {
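Review bot: `isInlineProvider` in this first hunk decides by name alone and case-insensitively (`strings.EqualFold`), while the visible lookups in `oldCfgMap`, `existingMap` and `finalIDs` use the key exactly as returned. If `providerIdentifier` (not shown) does not normalise case, a configured provider whose name differs from `config.DefaultAccessProviderName` only by case would be silently left out of `added`, `updated` and `removed`, so a change to an access-control provider could go unreported. Consider an exact comparison, `return id == config.DefaultAccessProviderName`, or matching on the provider type as well, and put a comment above the closure such as `// The inline provider is owned by the access controller and is never reported as a change.`. The patch adds no import line (all 21 insertions are inside the hunks), so `strings` must already be imported by reconcile.go; the body of ReconcileProviders starts and ends outside this hunk.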
@@ -54,12 +64,12 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 }
 if _, ok := oldCfgMap[key]; ok {
 if _, existed := existingMap[key]; existed {
- updated = append(updated, key)
+ appendChange(&updated, key)
 } else {
- added = append(added, key)
+ appendChange(&added, key)
 }
 } else {
- added = append(added, key)
+ appendChange(&added, key)
 }
 result = append(result, provider)
 finalIDs[key] = struct{}{}
@@ -81,9 +91,9 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 return nil, nil, nil, nil, buildErr
 }
 if _, existed := existingMap[key]; existed {
- updated = append(updated, key)
+ appendChange(&updated, key)
 } else {
- added = append(added, key)
+ appendChange(&added, key)
 }
 result = append(result, provider)
 }
@@ -93,9 +103,9 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 return nil, nil, nil, nil, buildErr
 }
 if _, existed := existingMap[key]; existed {
- updated = append(updated, key)
+ appendChange(&updated, key)
 } else {
- added = append(added, key)
+ appendChange(&added, key)
 }
 result = append(result, provider)
 }
@@ -104,7 +114,7 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 if buildErr != nil {
 return nil, nil, nil, nil, buildErr
 }
- added = append(added, key)
+ appendChange(&added, key)
 result = append(result, provider)
 }
 finalIDs[key] = struct{}{}
@@ -115,6 +125,9 @@ func ReconcileProviders(oldCfg, newCfg *config.Config, existing []Provider) (res
 removedSet := make(map[string]struct{})
 for id := range existingMap {
 if _, ok := finalIDs[id]; !ok {
+ if isInlineProvider(id) {
+ continue
+ }
 removedSet[id] = struct{}{}
 }
 }
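Review bot: In the last hunk (the `removedSet` loop) an inline provider that is in `existingMap` but missing from `finalIDs` is skipped, so it presumably drops out of the returned providers without ever appearing in `removed`; the `appendChange` calls in the earlier hunks hide its additions and updates the same way. For an authentication component that leaves callers that log or audit provider changes from these lists with no signal when the inline provider disappears or is rebuilt (how callers consume the lists is not visible here). I would state the contract in the `ReconcileProviders` doc comment, e.g. `// The inline provider is never listed in added, updated or removed; callers must inspect the returned providers to detect changes to it.`, and consider logging the skip. The guard also reads more directly as one condition, `if _, ok := finalIDs[id]; !ok && !isInlineProvider(id) {`. ReconcileProviders continues outside the hunk.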