Upstream Bug - Rapid okta_app_user_schema_property deletions #1972

Open
exitcode0 opened this issue Apr 17, 2024 · 0 comments

Comments

@exitcode0
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.7.5
on darwin_arm64
+ provider registry.terraform.io/okta/okta v4.5.0

Your version of Terraform is out of date! The latest version
is 1.8.0. You can update by downloading from https://www.terraform.io/downloads.html

Affected Resource(s)

  • okta_app_group_assignments
  • okta_app_user_schema_property

Terraform Configuration Files

```hcl
resource "okta_app_saml" "example" {
  label                    = "example"
  sso_url                  = "https://example.com"
  recipient                = "https://example.com"
  destination              = "https://example.com"
  audience                 = "https://example.com/audience"
  subject_name_id_template = "$${user.userName}"
  subject_name_id_format   = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress"
  response_signed          = true
  signature_algorithm      = "RSA_SHA256"
  digest_algorithm         = "SHA256"
  honor_force_authn        = false
  authn_context_class_ref  = "urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport"
}
# resource "okta_app_user_schema_property" "customPropertyName_A" {
#   app_id      = okta_app_saml.example.id
#   index       = "customPropertyName_A"
#   title       = "customPropertyName_A"
#   type        = "string"
#   description = "My custom property name"
#   master      = "OKTA"
# }
# resource "okta_app_user_schema_property" "customPropertyName_B" {
#   app_id      = okta_app_saml.example.id
#   index       = "customPropertyName_B"
#   title       = "customPropertyName_B"
#   type        = "string"
#   description = "My custom property name"
#   master      = "OKTA"
# }
resource "okta_group" "test_group_1" { name = "test_group_1" }
resource "okta_group" "test_group_2" { name = "test_group_2" }
resource "okta_app_group_assignments" "example" {
  app_id = okta_app_saml.example.id
  group {
    id       = okta_group.test_group_1.id
    priority = 0
    profile = jsonencode({
      customPropertyName_A = "A"
      customPropertyName_B = "B"
    })
  }
  group {
    id       = okta_group.test_group_2.id
    priority = 1
    profile = jsonencode({
      customPropertyName_A = "C"
      customPropertyName_B = "D"
    })
  }
}
```

Debug Output

N/A - error is always an API Layer error

Panic Output

N/A - error is always an API Layer error

Expected Behavior

If the okta_app_user_schema_property resources are then commented out and terraform apply is run,
we would expect the upstream API to strip the relevant values from okta_app_group_assignments.example.groups[*].profile.

We would expect some drift to be present in the next terraform plan.
We would expect that if the HCL is not modified before the next terraform apply, the apply will fail due to the attributes no longer existing on the Okta app.

If the engineer were to capture the drift from the next terraform plan,
we would expect the next terraform apply to succeed as normal.

Can this be done in the Admin UI?

I don't know

Can this be done in the actual API call?

I don't know

Actual Behavior

After successfully deploying the above in two stages (okta_app_group_assignments must go out in the 2nd apply due to race conditions),
if the okta_app_user_schema_property resources are then commented out and terraform apply is run:

Some attributes (but not all) are removed from the group assignments to the application.
Depending on what is left in the group assignment, the next terraform plan may fail if the HCL is unmodified, or if the engineer attempts to match the "drift" output from the terraform plan.

Steps to Reproduce

  1. Deploy the resources for okta_app_saml, okta_app_user_schema_property, and okta_group
  2. Deploy the okta_app_group_assignments resource
  3. Comment out the okta_app_user_schema_property resources
  4. Terraform Apply
  5. Note that the group assignment profiles have not purged all of the attributes that have been removed as expected
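To check whether the purge in step 4 actually completed before the next terraform plan, the following added example (not from the issue, and not code from the okta/okta provider) compares the property names the app user schema still defines against the keys present in each group assignment profile and reports the leftovers. The JSON shapes are assumptions modelled on the Okta API responses for the app user schema (`definitions.base/custom.properties`) and for app group assignments (a list with a `profile` object); the sample payloads are constructed to mirror the partial purge described above, and the group ids are placeholders.

```python
"""Stale-attribute check for Okta app group assignment profiles.

Added example, not part of the issue or the okta/okta provider. It models the
failure mode in the issue: custom user-schema properties were deleted from the
app, but some group assignment profiles still carry values for them.

Input shapes are ASSUMPTIONS modelled on the Okta API:
  - app user schema  (GET /api/v1/meta/schemas/apps/{appId}/default)
      {"definitions": {"base": {"properties": {...}},
                       "custom": {"properties": {...}}}}
  - group assignments (GET /api/v1/apps/{appId}/groups)
      [{"id": "...", "priority": 0, "profile": {...}}, ...]
"""
from __future__ import annotations

import json

# Constructed sample: the schema after customPropertyName_A and _B were deleted.
APP_USER_SCHEMA_JSON = json.dumps({
    "definitions": {
        "base": {"properties": {"userName": {"type": "string"}}},
        "custom": {"properties": {"customPropertyName_C": {"type": "string"}}},
    }
})

# Constructed sample: assignments after the apply in step 4. Group 1 lost only
# one of the two removed attributes; group 2 lost neither. Ids are placeholders.
GROUP_ASSIGNMENTS_JSON = json.dumps([
    {"id": "grp_test_group_1", "priority": 0,
     "profile": {"customPropertyName_B": "B"}},
    {"id": "grp_test_group_2", "priority": 1,
     "profile": {"customPropertyName_A": "C", "customPropertyName_B": "D"}},
])


def schema_property_names(schema_json: str) -> set[str]:
    """Return every property name the app user schema still defines (base + custom)."""
    schema = json.loads(schema_json)
    names: set[str] = set()
    for section in schema.get("definitions", {}).values():
        names.update(section.get("properties", {}).keys())
    return names


def stale_profile_attributes(schema_json: str, assignments_json: str) -> dict[str, list[str]]:
    """Map group id -> sorted profile keys that no longer exist in the app user schema.

    A non-empty result means the upstream purge was incomplete: the next
    terraform plan for okta_app_group_assignments will show drift, and an
    unmodified apply is likely to fail on the missing attributes.
    """
    defined = schema_property_names(schema_json)
    stale: dict[str, list[str]] = {}
    for assignment in json.loads(assignments_json):
        profile = assignment.get("profile") or {}
        leftovers = sorted(key for key in profile if key not in defined)
        if leftovers:
            stale[assignment["id"]] = leftovers
    return stale


def main() -> None:
    stale = stale_profile_attributes(APP_USER_SCHEMA_JSON, GROUP_ASSIGNMENTS_JSON)
    if not stale:
        print("all group assignment profiles are consistent with the app user schema")
        return
    for group_id, keys in stale.items():
        print(f"group {group_id}: stale profile attributes {keys}")


if __name__ == "__main__":
    main()
```

To run it against a real tenant, replace the two constructed JSON strings with the bodies of the two API calls named in the module docstring; any group listed in the output is one where the HCL drift from the next terraform plan will not match what the API will accept, which is the situation the Actual Behavior section describes.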

Important Factoids

  • Okta Support Case 02047587

References

  • Okta Support Case 02047587