Excluded Networks Order in okta_threat_insight_settings #1185

Closed
hi-artem opened this issue Jun 30, 2022 · 9 comments · Fixed by #1398
Labels
  • bug
  • item-ordering: Bug where the ordering of list/set doesn't matter but TF thinks there is a diff
  • triaged: Triaged into internal Jira
  • waiting-response: Waiting on collaborator to respond to follow-on discussion

Comments

@hi-artem

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.0.3
on darwin_amd64
+ provider registry.terraform.io/okta/okta v3.30.0

Affected Resource(s)

  • okta_threat_insight_settings

Terraform Configuration Files

resource "okta_network_zone" "networks" {
  count    = 20
  name     = "Network ${count.index}"
  type     = "IP"
  gateways = ["0.0.0.${count.index}/32"]
}

resource "okta_threat_insight_settings" "default" {
  action = "block"
  network_excludes = okta_network_zone.networks.*.id
}

Expected Behavior

  1. First terraform apply => resources created
  2. Next terraform applies => no changes

Actual Behavior

  1. First terraform apply => resources created
  2. Next terraform applies =>
Terraform will perform the following actions:

  # okta_threat_insight_settings.default will be updated in-place
  ~ resource "okta_threat_insight_settings" "default" {
        id               = "threat_insight_settings"
      ~ network_excludes = [
          - "nzo3zr64xxyFfNE801d7",
            "nzo3zr16zx5GtVUXb1d7",
          + "nzo3zqx61sw2fx5Nx1d7",
          + "nzo3zqx61rXpQZ79u1d7",
            "nzo3zr12wbFzgb0QF1d7",
          - "nzo3zqz69vBn0QHDL1d7",
          + "nzo3zr0q4g36H4yaF1d7",
          + "nzo3zqz5oteAfPkv31d7",
          + "nzo3zqvtc5HmxBidn1d7",
            "nzo3zr7832tnRgncD1d7",
          - "nzo3zqz8jlBq2WK7j1d7",
          - "nzo3zqvovvGR1yH7t1d7",
          - "nzo3zr40eqbhSfRQ71d7",
          - "nzo3zr5vj9scJxFpu1d7",
          - "nzo3zqx61rXpQZ79u1d7",
            "nzo3zr4cuh3nZNJLr1d7",
          - "nzo3zr5oin7TXysJm1d7",
          - "nzo3zqz5oteAfPkv31d7",
          - "nzo3zqx61sw2fx5Nx1d7",
          + "nzo3zr1aixdIwdx8u1d7",
            "nzo3zr3rx6XQdY7su1d7",
          + "nzo3zqz69vBn0QHDL1d7",
          + "nzo3zr5vj9scJxFpu1d7",
          + "nzo3zr64xxyFfNE801d7",
          + "nzo3zr40eqbhSfRQ71d7",
          + "nzo3zr5oin7TXysJm1d7",
            "nzo3zr68ra5779H0d1d7",
          - "nzo3zqvtc5HmxBidn1d7",
          + "nzo3zqz8jlBq2WK7j1d7",
          + "nzo3zqvovvGR1yH7t1d7",
            "nzo3zr5vj8n9ZUT8T1d7",
          - "nzo3zr0q4g36H4yaF1d7",
          - "nzo3zr1aixdIwdx8u1d7",
        ]
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Basically, the resources will always be reordered in the plan.

Steps to Reproduce

  1. terraform apply
  2. terraform apply
@monde monde added the bug label Jun 30, 2022
@monde monde self-assigned this Jun 30, 2022
@monde
Collaborator

monde commented Jun 30, 2022

Thanks @hi-artem I will look into this.

@monde monde removed their assignment Aug 15, 2022
@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Oct 15, 2022
@github-actions github-actions bot closed this as not planned Oct 21, 2022
@hi-artem
Author

@monde was this fixed?

@monde monde added the item-ordering and triaged labels and removed the stale label Oct 25, 2022
@monde
Collaborator

monde commented Oct 25, 2022

We need to fix this. I've seen other places in the provider where the ordering of a list of items doesn't matter, just the uniqueness of items in the list/set needs to be considered for the state diff.

#1171 (Ordering of redirect_uris in resource okta_app_oauth) fixed the inverse case, where ordering matters. #936 is similar also.

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-544444

@monde monde reopened this Oct 25, 2022
@monde
Collaborator

monde commented Oct 25, 2022

@hi-artem just double checking - the ordering of items in the network_excludes set does not matter, just that all of the items are present state to state? e.g. [a, b, c] === [b, a, c]

@monde monde added the waiting-response label Oct 25, 2022
@github-actions

github-actions bot commented Jan 2, 2023

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Jan 2, 2023
@coolbonev2

Hey @monde,
I encountered the same issue as noted above.

In my terraform code there are 2 network zones defined, one office IP range & one VPN IP range.
I would like to add both zones to the Okta Threat Insight exclude list.

The code snippet I used is:

resource "okta_network_zone" "ip_network_XXX_XXX_office_ip" {
  name     = "XXX_XXX_office_public_IP"
  type     = "IP"
  gateways = ["123.123.123.123-123.123.123.124"]
}

resource "okta_network_zone" "ip_network_XXX_vpn" {
  name     = "XXX_VPN_public_IP"
  type     = "IP"
  gateways = ["123.123.123.111-123.123.123.222"]
}

resource "okta_threat_insight_settings" "Okta_threat_insight_setting" {
  action           = "block"
  network_excludes = [okta_network_zone.ip_network_XXX_XXX_office_ip.id, okta_network_zone.ip_network_XXX_vpn.id]
}

However on every terraform apply I have the same issue as @hi-artem, the network zones are re-ordered resulting in:

 # okta_threat_insight_settings.Okta_threat_insight_setting will be updated in-place
 ~ resource "okta_threat_insight_settings" "Okta_threat_insight_setting" {
       id               = "threat_insight_settings"
     ~ network_excludes = [
         - "nzo4h9mm86wvj3gto417",
           "nzo4h9iyruWqhV8Xj417",
         + "nzo4h9mm86wvj3gto417",
       ]
       # (1 unchanged attribute hidden)
   }

I don't think the order of the network_excludes list in an okta_threat_insight_settings really matters. Just that all the network zones are represented.

I use terraform version v1.3.6 and v3.39.0 of the Okta terraform module.
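
Added example, not part of the issue thread and not the provider's code or the change made in #1398: Go code that compares a network_excludes value first as an ordered list and then as a set, so a reviewer can tell a reorder-only plan from one that really adds or removes a zone from the ThreatInsight exclusion list. The function names are hypothetical; the zone IDs are the two from the plan output in the comment above.

```go
package main

import "fmt"

// orderedEqual compares element by element, the way a list attribute is diffed.
func orderedEqual(a, b []string) bool {
	if len(a) != len(b) {
		return false
	}
	for i := range a {
		if a[i] != b[i] {
			return false
		}
	}
	return true
}

// excludeDrift treats both values as sets and returns the zone IDs that are
// really added to or removed from the exclusion list, in input order.
func excludeDrift(prior, planned []string) (added, removed []string) {
	toSet := func(ids []string) map[string]bool {
		s := make(map[string]bool, len(ids))
		for _, id := range ids {
			s[id] = true
		}
		return s
	}
	before, after := toSet(prior), toSet(planned)
	for _, id := range planned {
		if !before[id] {
			added = append(added, id)
			before[id] = true // report a duplicated ID only once
		}
	}
	for _, id := range prior {
		if !after[id] {
			removed = append(removed, id)
			after[id] = true // report a duplicated ID only once
		}
	}
	return added, removed
}

func main() {
	// Zone IDs from the two-zone plan output in the comment above.
	prior := []string{"nzo4h9mm86wvj3gto417", "nzo4h9iyruWqhV8Xj417"}
	planned := []string{"nzo4h9iyruWqhV8Xj417", "nzo4h9mm86wvj3gto417"}
	added, removed := excludeDrift(prior, planned)
	fmt.Println(orderedEqual(prior, planned), added, removed)
}
```

For the two lists in main, the ordered comparison reports a difference while the set comparison reports no added or removed zones, which is the perpetual diff described in this issue.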

@monde monde removed the stale label Jan 3, 2023
@coolbonev2

Seems solved by #1398 released in version v3.40.0

💪 Thanks

@monde
Collaborator

monde commented Jan 18, 2023

@monde monde closed this as completed Jan 18, 2023