iwarapter / terraform-provider-pingfederate

Ping Federate Terraform Provider
https://registry.terraform.io/providers/iwarapter/pingfederate/latest/docs
MIT License

Opaque error when adding SAML Application resource #217

Closed cprice-ping closed 1 year ago

cprice-ping commented 2 years ago

Terraform Version

Terraform v1.2.8

Affected Resource(s)

Terraform Configuration Files

resource "pingfederate_idp_sp_connection" "sample_saml" {
  name      = "Sample SAML"
  entity_id = "Sample-SAML"
  active    = true
  credentials {
    signing_settings {
      signing_key_pair_ref {
        id = "signing-cert"
      }
      include_cert_in_signature    = false
      include_raw_key_in_signature = false
      algorithm                    = "SHA256withRSA"
    }
  }
  extended_properties {
    key_name = "authNexp"
    values = [
      "Single_Factor"
    ]
  }
  sp_browser_sso {
    protocol = "SAML20"
    enabled_profiles = [
      "IDP_INITIATED_SSO"
    ]
    sso_service_endpoints {
      binding    = "POST"
      url        = "https://decoder.pingidentity.cloud/saml"
      is_default = true
      index      = 0
    }
    sign_assertions               = false
    sign_response_as_required     = true
    sp_saml_identity_mapping      = "STANDARD"
    require_signed_authn_requests = false
    assertion_lifetime {
      minutes_before = 5
      minutes_after  = 5
    }
    encryption_policy {
      encrypt_assertion             = false
      encrypt_slo_subject_name_id   = false
      slo_subject_name_id_encrypted = false
    }
    # PingFederate rejects this block because its coreAttributes list is empty
    # (see the full error body quoted further down in the thread)
    attribute_contract {
      extended_attributes {
        name        = "firstname"
        name_format = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      }
      extended_attributes {
        name        = "ImmutableID"
        name_format = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      }
      extended_attributes {
        name        = "mail"
        name_format = "urn:oasis:names:tc:SAML:2.0:attrname-format:basic"
      }
      extended_attributes {
        name        = "lastname"
        name_format = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
      }
    }
    authentication_policy_contract_assertion_mappings {
      attribute_contract_fulfillment {
        key_name = "firstname"
        source {
          type = "AUTHENTICATION_POLICY_CONTRACT"
        }
        value = "firstName"
      }
      attribute_contract_fulfillment {
        key_name = "ImmutableID"
        source {
          type = "AUTHENTICATION_POLICY_CONTRACT"
        }
        value = "ImmutableID"
      }
      attribute_contract_fulfillment {
        key_name = "mail"
        source {
          type = "AUTHENTICATION_POLICY_CONTRACT"
        }
        value = "mail"
      }
      attribute_contract_fulfillment {
        key_name = "SAML_SUBJECT"
        source {
          type = "AUTHENTICATION_POLICY_CONTRACT"
        }
        value = "subject"
      }
      attribute_contract_fulfillment {
        key_name = "lastname"
        source {
          type = "AUTHENTICATION_POLICY_CONTRACT"
        }
        value = "lastName"
      }
      authentication_policy_contract_ref {
        # contract resource defined elsewhere in the configuration (not shown here)
        id = pingfederate_authentication_policy_contract.facile_default.id
      }
    }
  }
}

Debug Output

https://gist.github.com/cprice-ping/9841e16de0eb62efd34887b86c42fcd1

Panic Output

Expected Behavior

Error would indicate where in the HCL the problem is

Actual Behavior

│ Error: unable to create IdpSpConnections: Validation error(s) occurred. Please review the error(s) and address accordingly.
│ This list cannot contain empty entries.
│
│   with pingfederate_idp_sp_connection.sample_saml,
│   on facile-pingfed-apps.tf line 1, in resource "pingfederate_idp_sp_connection" "sample_saml":
│    1: resource "pingfederate_idp_sp_connection" "sample_saml" {

Steps to Reproduce

  1. terraform apply

Important Factoids

iwarapter commented 2 years ago

hey @cprice-ping it looks like the provider is swallowing part of the error, if you run this with TF_LOG=DEBUG env var you will also get the request/response json logged, the response will have the full error.

cprice-ping commented 2 years ago

DEBUG is quite chatty -- here's the full error from PF

{
  "resultId": "validation_error",
  "message": "Validation error(s) occurred. Please review the error(s) and address accordingly.",
  "validationErrors": [
    {
      "message": "This list cannot contain empty entries.",
      "fieldPath": "spBrowserSso.attributeContract.coreAttributes",
      "errorId": "list_cannot_contain_empty_entries"
    }
  ]
}

I can fix this in the HCL -- and these logs will be useful as I'm troubleshooting my config
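
The expected behaviour above is an error that points at the offending HCL block. As an added example (not the provider's code and not something posted in this thread), the following Go helper takes a PingFederate error body of the shape quoted above, as it appears in the TF_LOG=DEBUG response log, and turns each validationErrors entry into one line naming both the API fieldPath and the HCL attribute path to look at. Assumptions: the provider's HCL attribute names are the snake_case form of the PingFederate JSON field names (true for every field in this thread, but an all-caps acronym such as "ID" would come out as "i_d"), list positions in fieldPath, if present, use the `[n]` notation, and the function and type names (ExplainValidationErrors, pfError, hclPath) are mine.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
	"unicode"
)

// pfError mirrors the validation-error body PingFederate returns for a
// rejected create/update; only the fields used here are declared.
type pfError struct {
	ResultID         string `json:"resultId"`
	Message          string `json:"message"`
	ValidationErrors []struct {
		Message   string `json:"message"`
		FieldPath string `json:"fieldPath"`
		ErrorID   string `json:"errorId"`
	} `json:"validationErrors"`
}

// camelToSnake turns one API field name (spBrowserSso) into the provider's
// HCL attribute style (sp_browser_sso). Assumption: the provider snake_cases
// the PingFederate field names; acronyms (ID, URL) are not special-cased.
func camelToSnake(s string) string {
	var b strings.Builder
	for i, r := range s {
		if unicode.IsUpper(r) {
			if i > 0 {
				b.WriteByte('_')
			}
			b.WriteRune(unicode.ToLower(r))
		} else {
			b.WriteRune(r)
		}
	}
	return b.String()
}

// hclPath maps a dotted fieldPath, keeping any [n] list index, onto the HCL
// nesting: spBrowserSso.attributeContract.coreAttributes becomes
// sp_browser_sso.attribute_contract.core_attributes.
func hclPath(fieldPath string) string {
	parts := strings.Split(fieldPath, ".")
	for i, p := range parts {
		idx := ""
		if j := strings.Index(p, "["); j >= 0 {
			idx, p = p[j:], p[:j]
		}
		parts[i] = camelToSnake(p) + idx
	}
	return strings.Join(parts, ".")
}

// ExplainValidationErrors parses a PingFederate error body and returns one
// readable line per validation error, prefixed with the Terraform resource
// address. A body without validationErrors falls back to the top-level
// message, which is the part the provider currently surfaces on its own.
func ExplainValidationErrors(resource, body string) ([]string, error) {
	var e pfError
	if err := json.Unmarshal([]byte(body), &e); err != nil {
		return nil, fmt.Errorf("response is not a PingFederate error body: %w", err)
	}
	if len(e.ValidationErrors) == 0 {
		return []string{fmt.Sprintf("%s: %s", resource, e.Message)}, nil
	}
	out := make([]string, 0, len(e.ValidationErrors))
	for _, v := range e.ValidationErrors {
		out = append(out, fmt.Sprintf("%s: %s (field %s, HCL %s) [%s]",
			resource, v.Message, v.FieldPath, hclPath(v.FieldPath), v.ErrorID))
	}
	return out, nil
}

func main() {
	// Error body copied from the thread above (only the message is shortened).
	body := `{"resultId":"validation_error","message":"Validation error(s) occurred.",` +
		`"validationErrors":[{"message":"This list cannot contain empty entries.",` +
		`"fieldPath":"spBrowserSso.attributeContract.coreAttributes",` +
		`"errorId":"list_cannot_contain_empty_entries"}]}`
	lines, err := ExplainValidationErrors("pingfederate_idp_sp_connection.sample_saml", body)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, l := range lines {
		fmt.Println(l)
	}
}
```

Run against the body from this thread it prints a single line pointing at sp_browser_sso.attribute_contract.core_attributes, which is the block the posted HCL leaves without any core_attributes entries; adding the SAML_SUBJECT core attribute there is the obvious fix, though that is my reading of the error, not something the thread states.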

cprice-ping commented 2 years ago

This switches the problem to be the docs -- you have sp_browser_sso as optional, and within that block, attribute_mapping as optional