
okta_group_role: [] is the same as null, ghost target lists, API "breaks" state #560

Closed
aguapanelo-glb opened this issue Aug 4, 2021 · 3 comments · Fixed by #570
Labels
needs-investigation Needs further investigation

Comments

@aguapanelo-glb

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.0.0
on windows_amd64

Affected Resource(s)

okta_group_role

Terraform Configuration Files

These are the resources for a module which creates a group with an arbitrary subset of the available Okta roles. The problem resides in the okta_group_role resource.

resource "okta_group" "this" {
  name        = var.name
  description = var.description
}

# Because this is a test, there's no okta_group_memberships. Create an empty group.

resource "okta_group_role" "this" {
  for_each = var.admin_roles

  group_id  = okta_group.this.id
  role_type = each.key

  # Create an empty target_group_list if any of these permissions are given
  # TODO: implement a target list for each role
  target_group_list = (contains([
    "GROUP_MEMBERSHIP_ADMIN",
    "HELP_DESK_ADMIN",
    "USER_ADMIN"
    ], each.key)
    # TODO: add support for a specific list of target members
    ? []
    # Don't create if not supported by role
    : null
  )

  # Create an empty target_app_list if APP_ADMIN is being granted
  target_app_list = ((each.key == "APP_ADMIN")
    # TODO: add support for a specific list of target apps
    ? []
    # Don't create if not supported by role
    : null
  )
}

This is the module block I'm using to test the above:

module "role_tftests" {
  source = "/path/to/module/code/"

  name        = "TFRoleModuleTests"
  description = "Group to test the Terraform module"
  admin_roles = [
    "APP_ADMIN",
    "USER_ADMIN",
  ]
}

Debug Output

Panic Output

Expected Behavior

An okta_group_role resource is created and, if supplied a compatible role, also an empty target list. The list is kept empty after several runs of terraform apply unless the Terraform code changes.

Actual Behavior

First problem: when specifying an empty list ([]) no target list is created. But empty != null, right?

Acquiring state lock. This may take a few moments...

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # module.role_tftests.okta_group.this will be created
  + resource "okta_group" "this" {
      + description = "Group to test the Terraform module"
      + id          = (known after apply)
      + name        = "TFRoleModuleTests"
    }

  # module.role_tftests.okta_group_role.this["APP_ADMIN"] will be created
  + resource "okta_group_role" "this" {
      + group_id  = (known after apply)
      + id        = (known after apply)
      + role_type = "APP_ADMIN"
    }

  # module.role_tftests.okta_group_role.this["USER_ADMIN"] will be created
  + resource "okta_group_role" "this" {
      + group_id  = (known after apply)
      + id        = (known after apply)
      + role_type = "USER_ADMIN"
    }

Plan: 3 to add, 0 to change, 0 to destroy.

Second problem: if running terraform plan after 30 seconds of the apply without having changed the code, the Okta API backend has automatically created the empty target list objects. This doesn't break the state, because another apply just passes through, but it's weird because the first pass makes one think the target list isn't actually being created.

Acquiring state lock. This may take a few moments...
module.role_tftests.okta_group.this: Refreshing state... [id=<redacted>]
module.role_tftests.okta_group_role.this["APP_ADMIN"]: Refreshing state... [id=<redacted>]
module.role_tftests.okta_group_role.this["USER_ADMIN"]: Refreshing state... [id=<redacted>]

Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # module.role_tftests.okta_group_role.this["APP_ADMIN"] has been changed
  ~ resource "okta_group_role" "this" {
        id              = "<redacted>"
      + target_app_list = []
        # (2 unchanged attributes hidden)
    }
  # module.role_tftests.okta_group_role.this["USER_ADMIN"] has been changed
  ~ resource "okta_group_role" "this" {
        id                = "<redacted>"
      + target_group_list = []
        # (2 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to
these changes.

I tried creating the target lists with just an empty string ([""]) to try forcing the attribute to be created, and I got an API error 😅 (but the roles were assigned, breaking a subsequent apply... but those roles then don't appear when destroying - that should be another issue 🤔). Also, I thought of using a data source to figure out how to specify "all apps/users" and injecting that into the target list... but no luck guessing that wildcard.

Steps to Reproduce

  1. terraform apply
  2. sleep 30
  3. terraform plan

Important Factoids

References

@bogdanprodan-okta
Contributor

Hi @aguapanelo-glb! Thanks for submitting this issue! I'll investigate the root cause of the problem and get back to you asap.

@bogdanprodan-okta bogdanprodan-okta added the needs-investigation Needs further investigation label Aug 4, 2021
@aguapanelo-glb
Author

Hello, @bogdanprodan-okta
Has there been any progress with this? Could you at least reproduce and confirm the behaviour? I tested with v3.13.1 but this keeps happening.

Thx.

@bogdanprodan-okta
Contributor

bogdanprodan-okta commented Aug 12, 2021

Hi, @aguapanelo-glb! The problem is in this piece of code:

apps, err := listGroupAppsTargets(ctx, d, m)
if err != nil {
	return diag.Errorf("unable to list app targets for role %s and group %s: %v", rolesAssigned[i].Id, groupID, err)
}
_ = d.Set("target_app_list", apps)

The provider should not set target_group_list if groupIDs is an empty array. That's why you see + target_app_list = [] in the terraform plan.

I'll create a PR shortly to fix this issue.
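Added example, not code from the Okta provider or from the maintainer's PR: it models the read path with a minimal stand-in for the SDK's ResourceData (a constructed type, so the SDK itself is not needed) and shows why always writing the API's empty target list to state produces the "changed outside of Terraform" drift seen above, while skipping the Set for an empty list does not. The function and attribute names are assumptions for illustration.

```go
package main

import "fmt"

// fakeState stands in for the plugin SDK's ResourceData: it only records which
// attributes a Read function has set. Constructed for this example.
type fakeState struct {
	attrs map[string]interface{}
}

func newFakeState() *fakeState { return &fakeState{attrs: map[string]interface{}{}} }

func (s *fakeState) Set(key string, v interface{}) { s.attrs[key] = v }

// Get returns the stored value and whether the attribute was set at all;
// an attribute that was never set corresponds to null in state.
func (s *fakeState) Get(key string) (interface{}, bool) {
	v, ok := s.attrs[key]
	return v, ok
}

// readTargetsBuggy mirrors the behaviour reported in the issue: whatever the
// API returns, including an empty list, is written to state, so a role created
// with the attribute omitted later refreshes as `+ target_app_list = []`.
func readTargetsBuggy(s *fakeState, key string, apiTargets []string) {
	s.Set(key, apiTargets)
}

// readTargetsFixed applies the maintainer's stated fix: when the API returns no
// targets, leave the attribute unset (null), which matches a configuration that
// omitted it or passed [] (the SDK collapses both to null, the first problem).
func readTargetsFixed(s *fakeState, key string, apiTargets []string) {
	if len(apiTargets) == 0 {
		return
	}
	s.Set(key, apiTargets)
}

// drifted reports whether a refresh would flag the attribute as changed outside
// Terraform: the configuration has it null but state now carries a value.
func drifted(s *fakeState, key string, configIsNull bool) bool {
	_, set := s.Get(key)
	return configIsNull && set
}

func main() {
	b, f := newFakeState(), newFakeState()
	readTargetsBuggy(b, "target_app_list", []string{}) // API returned an empty list
	readTargetsFixed(f, "target_app_list", []string{})
	fmt.Printf("buggy drift=%v fixed drift=%v\n",
		drifted(b, "target_app_list", true), drifted(f, "target_app_list", true))
}
```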
