monde
commented
2 years ago Hi @Cylock , I appreciate all of the debugging details, I will look into this.
Closed Cylock closed 1 year ago
monde
commented
2 years ago Hi @Cylock , I appreciate all of the debugging details, I will look into this.
okta-mikeb
commented
2 years ago @monde - I am seeing the same behavior for both the SAML and OIDC IdP resources. Sometimes the plan/apply works, sometimes I get the same error with "App instance operation not allowed".
In addition to that, I have also tried to manually activate the IdP in the UI after being created with Terraform and receive the same error as above in the Network tab of Developer tools.
monde
commented
2 years ago @okta-mikeb thanks for the additional details.
github-actions[bot]
commented
2 years ago This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
RomanVlasenko
commented
2 years ago @monde is there any update or workaround for this? I'm having the same issue with OIDC resource. At the moment it is unusable. Even if I create resource manually and import to terraform - it becomes deactivated after apply and further activation is not possible, UI would throw the same error as @Cylock has mentioned.
monde
commented
2 years ago Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-544480
github-actions[bot]
commented
1 year ago This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
monde
commented
1 year ago @Cylock @okta-mikeb are you all still experiencing this? The issue was reported nearly a year ago so it might have just been stability issues in the Okta service itself.
I did receive one 500 error while fiddling around working up my example. Otherwise it was all 200s doing apply/destroy in a loop.
$ for i in {1..10}; do
tf apply -auto-approve 2>&1 > /dev/null
if [ $? -ne 0 ] ; then echo "fail apply"; else echo "pass apply"; fi
tf destroy -auto-approve 2>&1 > /dev/null
if [ $? -ne 0 ] ; then echo "fail destroy"; else echo "pass destroy"; fi
done
pass apply
pass destroy
pass apply
pass destroy
pass apply
pass destroy
pass apply
pass destroy
pass apply
pass destroy
pass apply
pass destroy
pass apply
pass destroy
pass apply
pass destroy
pass apply
pass destroy
pass apply
pass destroythis is my tf code based off @Cylock's example with the VARs hack out
terraform {
required_providers {
okta = {
source = "okta/okta"
}
}
}
resource "okta_idp_oidc" "BindID" {
account_link_action = "AUTO"
#user_info_url = var.bindid_user_info_url
user_info_url = "https://idp.example.com/userinfo"
#token_url = var.bindid_token_url
token_url = "https://idp.example.com/token"
#jwks_url = var.bindid_jwks_url
jwks_url = "https://idp.example.com/keys"
#issuer_url = var.bindid_issuer_url
issuer_url = "https://id.example.com"
#client_secret = var.bindid_client_secret
client_secret = "01234567890123456789012345678901"
#authorization_url = var.bindid_authorization_url
authorization_url = "https://idp.example.com/authorize"
authorization_binding = "HTTP-REDIRECT"
client_id = "efg456"
deprovisioned_action = "NONE"
groups_action = "NONE"
groups_assignment = []
groups_filter = []
issuer_mode = "ORG_URL"
jwks_binding = "HTTP-REDIRECT"
max_clock_skew = 0
name = "BindID"
profile_master = true
provisioning_action = "AUTO"
scopes = [
"email",
"openid",
]
subject_match_type = "USERNAME"
suspended_action = "NONE"
token_binding = "HTTP-POST"
user_info_binding = "HTTP-REDIRECT"
username_template = "idpuser.email"
}This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
Community Note
Terraform Version
v1.1.6
General description
Hello,
I'm trying to create an OIDC Identity Provider resource to my Okta developer instance.
At
terraform applyit creates the remote object but an error pops up during the process:Debugging
I have enabled debug logs for terraform and seems the culprit for the error above is this following call to /api/v1/idps/.../lifecycle/activate
Attempts to solve
status= "ACTIVE" explicit in the resource - the documentation states that active is by defaultAffected Resource(s)
Terraform Configuration Files
Expected Behavior
Create the remote object cleanly after each destroy and apply without any issues and track it.
Actual Behavior
It creates the remote object, but because there is an error it taints the resource mapped to it in the terraform.tfstate.
There is an inconsistent behavior: In a few tests running multiple
terraform destroy / terraform apply, sometimes the resource is created without any errors, other instances it displays the errors above.Seems strange to be able to send the same requests to /lifecycle/activate and receive a 200 once and after to get a 403 for a destroyed and re-applied resource.
Throwing a wild guess: I would assume it could be a token from the client side which is a 1 time use and expires but somewhere down the line it is stored and that's why on follow up requests it shows unauthorized.
Steps to Reproduce
terraform apply/destroymultiple timesImportant Factoids
Working with a free Okta developer account.
References