cloudflare_access_identity_provider does not import config block settings #1419

Closed
2 tasks done
tjstansell opened this issue Feb 1, 2022 · 4 comments · Fixed by #2735
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. service/access Categorizes issue or PR as related to the Access service.

Comments

@tjstansell
Contributor

Confirmation

  • My issue isn't already found on the issue tracker.
  • I have replicated my issue using the latest version of the provider and it is still present.

Terraform and Cloudflare provider version

terraform -v

Terraform v1.1.4
on linux_amd64

  • provider registry.terraform.io/cloudflare/cloudflare v3.8.0

Affected resource(s)

  • cloudflare_access_identity_provider

Terraform configuration files

resource "cloudflare_access_identity_provider" "okta" {
  account_id = local.account_id
  name       = "Okta SAML"
  type       = "saml"
  config {
    attributes           = ["email", "groups"]
    issuer_url           = var.issuer_url
    sso_target_url       = var.sso_target_url
    email_attribute_name = ""
    sign_request         = false
    idp_public_cert      = local.okta_sso_cert
  }
}

Debug output

Notice how the result from the API call includes a config {} block. I would expect this to get imported.

-----------------------------------------------------: timestamp=2022-01-31T23:57:51.029Z
2022-01-31T23:57:51.262Z [INFO]  provider.terraform-provider-cloudflare_v3.8.0: 2022/01/31 23:57:51 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 6d66e27b3c4e7118-SJC
Content-Security-Policy: frame-ancestors 'none'; default-src https: 'unsafe-inline'
Content-Type: application/json; charset=UTF-8
Date: Mon, 31 Jan 2022 23:57:51 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Envoy-Upstream-Service-Time: 4
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block

{
  "result": {
    "id": "1241a7e1-92ad-4c9d-9e97-22024662201f",
    "type": "saml",
    "uid": "1241a7e1-92ad-4c9d-9e97-22024662201f",
    "name": "Okta SAML",
    "config": {
      "acs_url": "<REDACTED>",
      "attributes": [
        "email",
        "groups"
      ],
      "email_attribute_name": "",
      "header_attributes": null,
      "idp_public_cert": "**********************************",
      "issuer_url": "<REDACTED>",
      "sign_request": false,
      "sso_target_url": "<REDACTED>"
    },
    "version": "a261190c440acc4d945728355612ab11"
  },
  "success": true,
  "errors": [],
  "messages": []
}

-----------------------------------------------------: timestamp=2022-01-31T23:57:51.262Z
cloudflare_access_identity_provider.okta: Import prepared!
  Prepared cloudflare_access_identity_provider for import
cloudflare_access_identity_provider.okta: Refreshing state... [id=1241a7e1-92ad-4c9d-9e97-22024662201f]

Panic output

No response

Expected output

I expected the existing saml config {} block to be imported into the state file.

Actual output

The config {} block of settings was not imported.

# terraform import cloudflare_access_identity_provider.okta <accountid>/1241a7e1-92ad-4c9d-9e97-22024662201f
cloudflare_access_identity_provider.okta: Importing from ID "<REDACTED>/1241a7e1-92ad-4c9d-9e97-22024662201f"...
cloudflare_access_identity_provider.okta: Import prepared!
  Prepared cloudflare_access_identity_provider for import
cloudflare_access_identity_provider.okta: Refreshing state... [id=1241a7e1-92ad-4c9d-9e97-22024662201f]

Import successful!

The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.

Releasing state lock. This may take a few moments...
# terraform state show cloudflare_access_identity_provider.okta
# cloudflare_access_identity_provider.okta:
resource "cloudflare_access_identity_provider" "okta" {
    account_id = "<REDACTED>"
    id         = "1241a7e1-92ad-4c9d-9e97-22024662201f"
    name       = "Okta SAML"
    type       = "saml"
}

Steps to reproduce

Import any identity provider with a config block.

Additional factoids

No response

References

No response

@tjstansell tjstansell added kind/bug Categorizes issue or PR as related to a bug. needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Feb 1, 2022
@tjstansell
Contributor Author

FWIW, if I make the following change and test that, the import works as expected. I'm unclear of the history or why it looks for that to begin with, so figured I'd leave it up to you to figure out the best way forward.

diff --git a/cloudflare/resource_cloudflare_access_identity_provider.go b/cloudflare/resource_cloudflare_access_identity_provider.go
index ca838496..e5fe0f0b 100644
--- a/cloudflare/resource_cloudflare_access_identity_provider.go
+++ b/cloudflare/resource_cloudflare_access_identity_provider.go
@@ -212,10 +212,6 @@ func convertSchemaToStruct(d *schema.ResourceData) (cloudflare.AccessIdentityPro
 }

 func convertStructToSchema(d *schema.ResourceData, options cloudflare.AccessIdentityProviderConfiguration) []interface{} {
-       if _, ok := d.GetOk("config"); !ok {
-               return []interface{}{}
-       }
-
        attributes := make([]string, 0)
        for _, value := range options.Attributes {
                attributes = append(attributes, value)
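Review bot: removing the `d.GetOk("config")` guard is what makes the import path work, because on import the resource data carries no `config` value, so the guard returned an empty list and the API's config block was thrown away; but the same guard was also skipped for every other read, and without it every field the API returns is now flattened into state unconditionally. The debug output above shows the API returning `idp_public_cert` as a run of asterisks, so worth checking that `convertStructToSchema` keeps the configured value for fields the API masks, otherwise each plan will show a change against the certificate in the configuration. Minor style point on the surviving lines: the `attributes := make([]string, 0)` plus range-and-append loop is a plain copy of `options.Attributes` and can be a single slice copy.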

@jacobbednarz jacobbednarz added the service/access Categorizes issue or PR as related to the Access service. label Feb 16, 2022
@Bakus

Bakus commented Jun 9, 2022

The problem has still not been resolved, although a PR is attached. Is there any chance that this case will be resolved?

@ruimarinho
Contributor

I was searching through open issues before I opened a new one regarding this same topic. I can confirm on v3.26.0 this is still an issue. I think it's due to the fact that the provider is confusing types here, since config is identified as a Block List, which really could be thought of as a "repeatable block". I don't believe an identity provider can have more than one config though.

If you'd like to fix this temporarily, you can edit your tfstate file directly and add your config attributes inside the config array, such as:

    {
      "mode": "managed",
      "type": "cloudflare_access_identity_provider",
      "name": "okta",
      "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
      "instances": [
        {
          "schema_version": 0,
          "attributes": {
            "account_id": "<account_id>",
            "config": [{
                "client_id": "<client_id>",
                "client_secret": "**********************************",
                "okta_account": "https://<tenant>.okta.com",
                "pkce_enabled": true,
                "redirect_url": "https://<team_name>.cloudflareaccess.com/cdn-cgi/access/callback"
            }],
            "id": "<id>",
            "name": "Okta",
            "type": "okta",
            "zone_id": null
          },
          "sensitive_attributes": [],
          "private": "<private>"
        }
      ]
    },

This will result in zero changes being planned.
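The hand edit described above is easy to get subtly wrong: the `config` attribute has to be a one-element list because the provider declares it as a block list, only keys the provider schema knows may be copied in, the API masks secrets (the debug output earlier in this issue shows `idp_public_cert` coming back as asterisks, and the state above shows the same for `client_secret`), and a manually edited state should have its `serial` incremented. The script below is an added example, not code from the issue or from the provider; it applies the workaround to a constructed state file and a constructed copy of the API's `config` object, copies only the keys used in the SAML configuration from the top of this issue, and refuses to write a masked placeholder into state unless the real value is supplied. Field names, URLs and values in the samples are constructed.

```python
"""Populate the config block of an imported cloudflare_access_identity_provider
in a Terraform state file, the manual workaround discussed in this issue.

Added example, not part of the issue or the provider. Assumptions: the state
layout shown in the thread (a "config" block list stored as a one-element list),
a single instance per resource, and that the caller knows the real value of any
field the Cloudflare API returns masked.
"""
import copy
import json

# Keys copied into state by default: the ones the issue's .tf config block sets.
# Only keys the provider schema knows may be written, so this list is explicit.
DEFAULT_KEYS = [
    "attributes",
    "issuer_url",
    "sso_target_url",
    "email_attribute_name",
    "sign_request",
    "idp_public_cert",
]

# Constructed sample state, trimmed to what the edit touches.
SAMPLE_STATE = {
    "version": 4,
    "terraform_version": "1.1.4",
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "resources": [
        {
            "mode": "managed",
            "type": "cloudflare_access_identity_provider",
            "name": "okta",
            "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
            "instances": [
                {
                    "schema_version": 0,
                    "attributes": {
                        "account_id": "<account_id>",
                        "id": "<id>",
                        "name": "Okta SAML",
                        "type": "saml",
                        "zone_id": None,
                    },
                    "sensitive_attributes": [],
                    "private": "<private>",
                }
            ],
        }
    ],
}

# Constructed stand-in for the "config" object of the API response; the
# certificate is masked the way the issue's debug output shows.
SAMPLE_API_CONFIG = {
    "acs_url": "https://example.cloudflareaccess.com/cdn-cgi/access/callback",
    "attributes": ["email", "groups"],
    "email_attribute_name": "",
    "header_attributes": None,
    "idp_public_cert": "**********************************",
    "issuer_url": "https://idp.example.test/saml",
    "sign_request": False,
    "sso_target_url": "https://idp.example.test/sso",
}


def is_masked(value) -> bool:
    """True when a field holds the API's all-asterisk placeholder rather than a value."""
    return isinstance(value, str) and value != "" and set(value) == {"*"}


def missing_secrets(api_config: dict, keys: list, secrets: dict) -> list:
    """Keys that are masked in the API response and have no real value supplied."""
    return [k for k in keys if is_masked(api_config.get(k)) and k not in secrets]


def find_instance(state: dict, resource_type: str, name: str) -> dict:
    """Return the single instance of the named managed resource, or raise."""
    for res in state["resources"]:
        if res["mode"] == "managed" and res["type"] == resource_type and res["name"] == name:
            if len(res["instances"]) != 1:
                raise ValueError(f"expected one instance of {resource_type}.{name}")
            return res["instances"][0]
    raise KeyError(f"{resource_type}.{name} not found in state")


def inject_config(state: dict, name: str, api_config: dict, secrets: dict, keys=DEFAULT_KEYS) -> dict:
    """Return a copy of `state` with the provider's config block filled in.

    Masked fields are replaced from `secrets`; writing the mask itself into state
    would make every later plan show a change against the configured value.
    """
    missing = missing_secrets(api_config, keys, secrets)
    if missing:
        raise ValueError(f"masked in API response, real value needed: {missing}")
    new_state = copy.deepcopy(state)
    inst = find_instance(new_state, "cloudflare_access_identity_provider", name)
    if "config" in inst["attributes"]:
        raise ValueError("config already present; refusing to overwrite")
    block = {k: secrets.get(k, api_config[k]) for k in keys if k in api_config}
    inst["attributes"]["config"] = [block]  # block list: a one-element list in state
    new_state["serial"] += 1  # manual state edits should increment the serial
    return new_state


if __name__ == "__main__":
    patched = inject_config(SAMPLE_STATE, "okta", SAMPLE_API_CONFIG,
                            {"idp_public_cert": "MIIC...constructed-cert..."})
    print(json.dumps(patched, indent=2))
```

Run it against a copy of the real state file (never the only copy) by loading the JSON in place of `SAMPLE_STATE` and the API's `config` object in place of `SAMPLE_API_CONFIG`; if the provider version in use expects different keys in the block, pass that list as `keys`.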

@AlexeyDP

The problem has still not been resolved
