Open AndreyZhilinskyCoherent opened 2 years ago
Thanks @AndreyZhilinskyCoherent , I have this bug triaged into our internal backlog.
Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-546540
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
Can this issue be reopened? We are observing the exact same behavior reported by @AndreyZhilinskyCoherent using the v3.44.0 terraform provider.
Per my observations, once you start managing your profile mappings with Terraform, you MUST explicitly configure all mappings blocks within the okta_profile_mapping resource if you decide to set delete_when_absent to true. For example, suppose you initially configured a couple of mappings blocks (i.e. associated with custom attributes) and set delete_when_absent to false. At a later time, one of your custom attributes is deprecated and marked for removal, so you remove the associated mappings block, and consequently set delete_when_absent to true for the removal to work. However, by doing so, you will also trigger the removal of all other mappings that are not explicitly configured in your okta_profile_mapping resource, including the default application user profile mappings. The Okta RESTful mappings API allows you to remove a mapping without affecting the default application user profile mappings because it performs a "partial update":
# Partial update of one profile mapping: setting a property to null removes
# only that property; mappings not named in the body are left untouched.
curl --location 'https://${yourOrgBaseURL}/api/v1/mappings/${yourProfileMappingID}' \
  --header 'Accept: application/json' \
  --header 'Content-Type: application/json' \
  --header 'Authorization: SSWS ${yourAPIToken}' \
  --data '{
    "properties": {
      "exampleAttributeThatIWantToRemove": null
    }
  }'
You will need to follow up with an "internal" reapply API request to reapply the mappings (mimicking how the Terraform provider does it). The other mappings are NOT deleted, which is in direct contrast to Terraform with delete_when_absent = true. Maybe the Terraform provider is not flexible enough to handle "partial updates" and forces you to manage every single mapping, including the default application user profile mappings. This could be by design, but it is not developer friendly.
While it's not flexible in design, we have ended up managing 100% of our mappings via Terraform. It takes a little more work to set up and include everything; however, it results in fewer issues with the inclusion/defaults as mentioned above. If it makes sense to only go this way and be explicit about it, I would be in favor.
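The following is an added configuration example, not code from the issue thread or from the terraform-provider-okta project. It shows the fully explicit okta_profile_mapping layout the comment above recommends, contrasted in comments with the partial layout that the earlier comment describes as destructive when delete_when_absent is true. The attribute names (customCostCenter) and the variable holding the target profile ID are constructed placeholders; the data source okta_user_profile_mapping_source and the resource arguments source_id, target_id, delete_when_absent and the mappings block with id/expression/push_status are the provider's documented schema.

```hcl
# Added example (not part of the issue thread). Assumptions:
#  - var.app_user_profile_target_id holds the target profile ID of the
#    application user type (placeholder; obtain it from your own app).
#  - "customCostCenter" is a constructed custom attribute name.

data "okta_user_profile_mapping_source" "user" {}

variable "app_user_profile_target_id" {
  description = "Target profile ID of the application user (placeholder)"
  type        = string
}

# Pattern reported as destructive in this thread (do NOT apply as-is):
#
#   resource "okta_profile_mapping" "partial" {
#     source_id          = data.okta_user_profile_mapping_source.user.id
#     target_id          = var.app_user_profile_target_id
#     delete_when_absent = true
#     mappings {                      # only the custom attribute is listed
#       id          = "customCostCenter"
#       expression  = "user.costCenter"
#       push_status = "PUSH"
#     }
#   }
#
# With delete_when_absent = true, every mapping not listed (including the
# app's default userName / email / name mappings) is removed on apply.

# Explicit form: every mapping the target profile should carry is listed,
# defaults included. Removing one mappings block later (with
# delete_when_absent still true) then drops only that mapping, because the
# defaults remain declared and are left in place.
resource "okta_profile_mapping" "explicit" {
  source_id          = data.okta_user_profile_mapping_source.user.id
  target_id          = var.app_user_profile_target_id
  delete_when_absent = true

  mappings {
    id          = "userName"
    expression  = "user.login"
    push_status = "PUSH"
  }

  mappings {
    id          = "email"
    expression  = "user.email"
    push_status = "PUSH"
  }

  mappings {
    id          = "firstName"
    expression  = "user.firstName"
    push_status = "PUSH"
  }

  mappings {
    id          = "lastName"
    expression  = "user.lastName"
    push_status = "PUSH"
  }

  # Custom attribute; delete this block (and only this block) when the
  # attribute is deprecated, and the defaults above survive the apply.
  mappings {
    id          = "customCostCenter"
    expression  = "user.costCenter"
    push_status = "PUSH"
  }
}
```

Before switching delete_when_absent to true on an existing resource, run terraform plan and confirm the plan shows no removal of mappings you did not intend to drop; any default mapping missing from the mappings list will appear in the plan as a deletion.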
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
Is there a chance for this to be re-opened? I think there has to be a better way here. I want to manage just one field (say userType for admin/non-admin) through an okta_app_user_schema_property. Doing so creates spurious changes for all users and all profiles. Am I missing something? How do people manage things like userType per-app otherwise?
Related to
Community Note
Terraform Version
Terraform v1.3.3 on windows_386
Affected Resource(s)
Terraform Configuration Files
Debug Output
Panic Output
Expected Behavior
Default mappings should not be removed
Actual Behavior
Default application profile mapping is being cleaned up
Steps to Reproduce
We have encountered this issue (empty application profile mappings) several times. I added a misspelling into a mapping to be able to reproduce the issue in test code.
terraform apply
- default mapping exists
terraform apply
- default mapping is being cleaned up
Important Factoids
References
0000