-
Notifications
You must be signed in to change notification settings - Fork 199
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
okta_policy_rule_signon identity_provider variable causing API error Invalid condition type specified: identityProvider #1079
Comments
@mnovitsk I will look into this, seems like a regression off the just released v3.25.0. Can you pin your provider version to v3.24.0 and let me if you are seeing the correct behavior with that version? |
@monde Pinning the Okta Provider version to v3.24.0 removed the identity_provider variable API error, thanks. I tested assigning the priority of the okta_signon_policy to be lower than the default policy and I got an error: Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
+ create
Terraform will perform the following actions:
# okta_policy_rule_signon.mnovitsk_policy_rule will be created
+ resource "okta_policy_rule_signon" "mnovitsk_policy_rule" {
+ access = "ALLOW"
+ authtype = "ANY"
+ id = (known after apply)
+ mfa_remember_device = false
+ mfa_required = false
+ name = "mnovitsk_signon_policy_rule"
+ network_connection = "ANYWHERE"
+ policy_id = (known after apply)
+ primary_factor = "PASSWORD_IDP"
+ priority = 1
+ risc_level = "ANY"
+ session_idle = 120
+ session_lifetime = 720
+ session_persistent = false
+ status = "INACTIVE"
}
# okta_policy_signon.mnovitsk_policy will be created
+ resource "okta_policy_signon" "mnovitsk_policy" {
+ description = "Signon Policy for certain users"
+ groups_included = [
+ "<okta_group_id>",
]
+ id = (known after apply)
+ name = "mnovitsk_signon_policy"
+ priority = 3
+ status = "INACTIVE"
}
Plan: 2 to add, 0 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
okta_policy_signon.mnovitsk_policy: Creating...
╷
│ Error: failed to create sign-on policy: provided priority was not valid, got: 3, API responded with: 2. See schema for attribute details
│
│ with okta_policy_signon.mnovitsk_policy,
│ on main.tf line 47, in resource "okta_policy_signon" "mnovitsk_policy":
│ 47: resource "okta_policy_signon" "mnovitsk_policy" {
│
╵
Releasing state lock. This may take a few moments... I realize that this is not necessarily tied to this bug and is more appropriate to #1028 , but can I assume that Okta always sets the Tenant's default policy to be the lowest priority and you cannot create or assign any sign on policies to be lower than the default policy? |
@mnovitsk I'm trying to get a bug fix out today and will address both the original bug and try to see if there is a fix and/or flexibility dealing with the error in v3.24.0 you are seeing. |
@mnovitsk I can't think of a way to deal with the priority issue with out hacking in retries. I've had a similar experience where I thought the API should correctly infer that if I add rules(s) mixed with existing rules, it should be able know the new position of existing rules. Like if there is a default rule which is 1. Then if I add two new rules, one priority 1, and the other priority 3; thinking that that the API will flexibly make the existing rule be priority 2. I just had to run my apply a couple of times. Here, I ran into that when I was working on enrollment policies. |
I have a fix queued up in PR #1081 and am waiting for a colleague to review it before releasing. |
v3.25.1 is available in the terraform registry |
@mnovitsk I reopened this issue. I had to revert part of this change and it was released as v3.28.0 https://github.com/okta/terraform-provider-okta/releases/tag/v3.28.0 . Can you take a moment if this issue would occur again for you? Feel free to close the issue if you are good. |
Hi @monde This issue is happening again with version v3.28.0 if this helps |
@miguelpuiggarcia @mnovitsk I'll make it a priority to get to the bottom of this today and do a patch release ASAP |
@monde to confirm, is this bug still expected to impact today's new |
@lucascantor I've not had a chance to look at this one yet, nothing related to it is in v3.29.0 |
Just adding my voice here. Experiencing this on |
This bug is still present in 3.30.0 |
Looks like this bug is still present in 3.31.0 as well. I'm sorry I don't understand the nature of the root cause to offer a fix We're stuck on 3.27.0 because of this, and can't make use of other important bug fixes in newer releases. I imagine nearly every Okta customer using the Okta Terraform provider also has |
Can't test it now, but ignoring the attribute should work. Something like: resource "okta_policy_rule_signon" "example" {
lifecycle {
ignore_changes = [identity_provider]
}
# ...
}
By splitting the Okta configurations into multiple root modules, you might be able to use the newer version where needed, while pinning down the version only where you are affected by a certain bug. |
And if it doesn't work in initial creation of the resource, at least by creating the rule manually and then importing to the state, the |
@tmatilai thanks so much for the advice 🙇🏼 |
This one is still on my todo list. I'm on vacation for a week and can give it priority when I get back. |
"bug(s) with resources having a priority setting" #1198 |
@monde while the problem with priority bug is real and annoying, IMHO the main issue here is the Would removing the default value be sufficient fix? Or should the API be changed to ignore the attribute? |
I can confirm adding
resolves my issue, allowing me to use |
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days |
This bug still exists. Commenting to prevent auto-closure. |
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days |
Not stale |
"0" zero value integers was fixed in v3.44.0 release. I'm not sure that will benefit anything here. Looking for feedback. |
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days |
Community Note
Terraform Version
Affected Resource(s)
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
Create a Global Session Policy (resource.okta_policy_signon) with a Policy Rule (resource.okta_policy_rule_signon)
Actual Behavior
Terraform errors out when trying to apply the configuration. It automatically supplies an
identity_provider = "ANY"
variable, even if it is not manually supplied, and then errors out. I encounter the same error when manually supplyingidentity_provider = "ANY"
in the Terraform resource configuration.Steps to Reproduce
terraform apply
Important Factoids
References
I checked the Terraform Provider Documentation: https://registry.terraform.io/providers/okta/okta/latest/docs/resources/policy_rule_signon#identity_provider and it states that "Use of identity_provider requires a feature flag to be enabled.", but I do not see a flag in the tenant features related to this setting.
I am able to create Global Session Policies and Policy Rules via the UI with no issues, but attempting to create these resources via Terraform does not work. The policy itself is successfully created via Terraform, but there are no policy rules associated with it.
priority = 1
to get around this issue for now, but it is going to cause larger problems when trying to declare and configure multiple sign on policies.The text was updated successfully, but these errors were encountered: