cloudflare / terraform-provider-cloudflare

Cloudflare Terraform Provider
https://registry.terraform.io/providers/cloudflare/cloudflare
Mozilla Public License 2.0

[AccessPolicy] Incorrect management of "require" with multiple Okta IdPs #3425

Closed notdodo closed 1 month ago

notdodo commented 3 months ago

Confirmation

Terraform and Cloudflare provider version

Terraform v1.9.0 on darwin_arm64

Affected resource(s)

cloudflare_access_policy

Terraform configuration files

# Declared here so the configuration is self-contained (the account id is passed in at plan/apply time).
variable "account_id" {}

resource "cloudflare_access_application" "poc1" {
  account_id                = var.account_id
  name                      = "TEST-NOTDODO"
  domain                    = "mytest.example.com"
  type                      = "self_hosted"
  session_duration          = "24h"
  auto_redirect_to_identity = false
}

variable "idp_prod" {
  default = "<idp_prod_id>"
}

variable "idp_stag" {
  default = "<idp_stag_id>"
}

resource "cloudflare_access_policy" "poc1policy1" {
  name           = "staging policy"
  account_id     = var.account_id
  application_id = cloudflare_access_application.poc1.id
  precedence     = "1"
  decision       = "allow"
  include {
    login_method = [var.idp_prod, var.idp_stag]
  }
  # Two okta blocks, one per IdP, each with its own group list.
  require {
    okta {
      identity_provider_id = var.idp_prod
      name                 = ["mygrouponprod"]
    }
    okta {
      identity_provider_id = var.idp_stag
      name                 = ["mygrouponstag"]
    }
  }
}

Link to debug output

https://gist.github.com/notdodo/c3524ed143e5574632a4ce63a337e158

Panic output

No response

Expected output

No changes during the plan.

Actual output

Terraform plan shows changes to apply even though there aren't any, apparently.

  # cloudflare_access_policy.poc1policy1 will be updated in-place
  ~ resource "cloudflare_access_policy" "poc1policy1" {
        id                             = "7f0042d7-983b-407d-aa13-a4f20a9e418f"
        name                           = "staging policy"
        # (8 unchanged attributes hidden)

      ~ require {
            # (16 unchanged attributes hidden)

          ~ okta {
              ~ identity_provider_id = "<idp_prod_id>" -> "<idp_stag_id>"
              ~ name                 = [
                    "mygrouponprod",
                  - "mygrouponstag",
                ]
            }
          + okta {
              + identity_provider_id = "<idp_stag_id>"
              + name                 = [
                  + "mygrouponstag",
                ]
            }
        }

        # (1 unchanged block hidden)
    }

It seems that multiple requires are not correctly parsed during the refresh, so wrong changes are always shown.

Steps to reproduce

I manually created a policy that accepts 2 possible Okta IdPs with different groups on Cloudflare Access for an application.

[Screenshot 2024-07-02 at 09:15:47]

I imported the application resource with

terraform import cloudflare_access_application.poc1 <account_id>/<application_id>

Creating the same policy in Terraform with 2 Okta IdPs and a require block, the plan shows that the refresh/get of the remote resource has a bug:

The okta.identity_provider_id is set to the last value present during the apply and the okta.name contains a list of both groups.

          ~ okta {
              ~ identity_provider_id = "<idp_prod_id>" -> "<idp_stag_id>"
              ~ name                 = [
                    "mygrouponprod",
                  - "mygrouponstag",
                ]
            }
          + okta {
              + identity_provider_id = "<idp_stag_id>"
              + name                 = [
                  + "mygrouponstag",
                ]
            }

The same is also valid when using the new reusable access policies.

Additional factoids

I think that the bug is generated here: the OktaID is a single value and not appended like the groups. Here is the generated output that is not expected.

References

No response
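As an added illustration of the flattening defect described in the report above (this is not the provider's code; the rule shape, type names and function names are assumptions), the buggy read that overwrites a single IdP id while appending every group name is modelled next to a corrected read that keeps one okta block per identity provider:

```go
package main

// OktaRule is a simplified stand-in (an assumption, not the provider's real
// type) for one "okta" entry among an Access policy's require rules; the
// API returns one entry per group, each carrying its own IdP id.
type OktaRule struct {
	IdentityProviderID string
	Name               string
}

// OktaBlock is one `okta { ... }` block as it appears in Terraform state.
type OktaBlock struct {
	IdentityProviderID string
	Names              []string
}

// flattenOktaBuggy reproduces the symptom in the plan above: each rule
// overwrites a single IdP id while every group name is appended, so two
// IdPs collapse into one block carrying the last id and both groups.
func flattenOktaBuggy(rules []OktaRule) []OktaBlock {
	var block OktaBlock
	for _, r := range rules {
		block.IdentityProviderID = r.IdentityProviderID // last write wins
		block.Names = append(block.Names, r.Name)
	}
	return []OktaBlock{block}
}

// flattenOktaGrouped keeps one block per identity provider, appending a
// group name only to the block that owns it, in first-seen order so the
// resulting plan is stable across refreshes.
func flattenOktaGrouped(rules []OktaRule) []OktaBlock {
	byIdP := map[string]*OktaBlock{}
	var order []string
	for _, r := range rules {
		b, ok := byIdP[r.IdentityProviderID]
		if !ok {
			b = &OktaBlock{IdentityProviderID: r.IdentityProviderID}
			byIdP[r.IdentityProviderID] = b
			order = append(order, r.IdentityProviderID)
		}
		b.Names = append(b.Names, r.Name)
	}
	out := make([]OktaBlock, 0, len(order))
	for _, id := range order {
		out = append(out, *byIdP[id])
	}
	return out
}
```

Feeding the two rules from the report into `flattenOktaBuggy` yields exactly the single block with `<idp_stag_id>` and both groups that the plan diff shows; `flattenOktaGrouped` yields the two blocks the configuration declares, so a refresh produces no spurious change.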


notdodo commented 2 months ago

@jacobbednarz sorry to bump this, but is this bug valid? Are you tackling this internally?

github-actions[bot] commented 1 month ago

This functionality has been released in v4.40.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!