iwarapter / terraform-provider-pingfederate

Ping Federate Terraform Provider
https://registry.terraform.io/providers/iwarapter/pingfederate/latest/docs
MIT License

pingfederate_oauth_client resources raise errors when persistent_grant attributes are not declared #263

Closed carloprone closed 1 year ago

carloprone commented 1 year ago

Community Note

Terraform Version

v1.3.9, on linux_amd64

provider version v0.1.1

PingFederate v11.1.1

Affected Resource(s)

Terraform Configuration Files

```hcl
resource "pingfederate_oauth_client" "test" {
  client_id   = "test"
  name        = "test"
  description = "This client is a test client"

  grant_types = [
    "ACCESS_TOKEN_VALIDATION"
  ]

  client_auth = {
    type                      = "PRIVATE_KEY_JWT"
    enforce_replay_prevention = false
  }

  jwks_settings = {
    jwks_url = "https://localhost/"
  }

  validate_using_all_eligible_atms = true

  oidc_policy = {
    grant_access_session_revocation_api = false
    logout_uris                         = null
    ping_access_logout_capable          = false
  }

  ## Enabling the following three lines "solves" the issue (but it is more like a workaround though)
  # persistent_grant_expiration_time = 90
  # persistent_grant_expiration_time_unit = "DAYS"
  # persistent_grant_expiration_type = "OVERRIDE_SERVER_DEFAULT"
}
```

Debug Output

https://gist.github.com/rkl3ss/1621f7e8c70e99feb2243a66ed4696f7

Panic Output

```
╷
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to pingfederate_oauth_client.test, provider "provider[\"registry.terraform.io/iwarapter/pingfederate\"]" produced an unexpected new value: .persistent_grant_expiration_time: was cty.NumberIntVal(0), but now null.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵
```

Expected Behavior

Being able to configure a pingfederate_oauth_client resource without explicitly declaring persistent_grant attributes.

Actual Behavior

When a client is created without any value for the persistent_grant attributes, or with persistent_grant_expiration_type = "SERVER_DEFAULT" (which is the default value), the error above is raised. The only way to get rid of the error is to explicitly declare the persistent_grant attributes, as in the last lines of the example above. Or, at least, this is the only workaround that I could find.

Steps to Reproduce

  1. Copy the resource above in any test configuration
  2. terraform plan
  3. terraform apply

Important Factoids

n/a

References

iwarapter commented 1 year ago

hi @rkl3ss,

https://github.com/iwarapter/terraform-provider-pingfederate/commit/71e7e8af61275ff8411f3cfeb5849ce8dad24cb1

The reproducer you provided doesn't show the issue. Is there some other configuration you may have missed out?

carloprone commented 1 year ago

Hi @iwarapter I'm not sure: the issue happens to me every time I declare a client resource without the three parameters, but it might be related to some other config we have in place.

I can't upload the full TF config due to the privacy restriction of my employer. But I will try to reproduce the issue on a local, clean, test environment and let you know.

iwarapter commented 1 year ago

Hi @rkl3ss, as long as that resource is accurate, the only thing I can think of is the client backing store. All of my test instances use the XML store, which I guess is not your case?

carloprone commented 1 year ago

@iwarapter this is probably a good hint! I tried to reproduce the error myself on a local instance of PF, which is configured with the standard XML-based clients store, and nothing happens.

In our company's environments we use an LDAP store for that, more specifically a PingDirectory cluster.

I'm going to set up a similar store in my local environment; let's see if this changes the outcome.

iwarapter commented 1 year ago

Hey, would it be possible to get the output of that resource apply whilst running terraform with debug (env TF_LOG=DEBUG)? This would be a great help!

carloprone commented 1 year ago

@iwarapter sorry for being late, I've been quite busy and I had to set up a local PD instance to reproduce the error.

Here's the output of the terraform apply command reproducing the error: https://gist.github.com/rkl3ss/74faaff1c596edf306c124315a843ab4

Please let me know if you need any other information.

iwarapter commented 1 year ago

This has been fixed in v0.2.0