`okta_policy_mfa` - various bugs, incl tfstate deadlock

exitcode0 commented 1 year ago

Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment

Affected Resource(s)

resource okta_policy_mfa

Expected Behavior

okta_policy_mfa should:

not instantiate with authenticators that are not enabled (e.g symantic_vip)
not save to state if a drift remediation / update fails
detect if an authenticator is disabled completely as this will require setting enroll = "NOT_ALLOWED" which should be considered drift if the configuration is either enroll = "REQUIRED" or enroll = "OPTIONAL"

Actual Behavior

okta_policy_mfa behaves as follows:

can instantiate with certain authenticators blocks present in config that are not enabled in the okta instance (symantic_vip in my example)
can save a invalid authenticators to the state file if present in config during drift remediation / update
fails to detect if an authenticator have since been disabled in the okta instance
- it will detect and attempt to remediate when another change happens to a attributes it does consider drift
- will re-enable the authenticator in some circumstances (likely due to how authenticators are only ever soft deleted)

Do you have a workaround?

These bugs can be worked around using the Admin UI or Admin Management API because the bugs are in the terraform provider layer (as far as I can tell)

Important Factoids

I've come across these bugs whilst attempting to troubleshoot one of my own, it's unclear to me if these are the bug(s) I'm experiencing I suspect that this resource may be buggy when authenticators are disabled, which is what I suspected caused my current issue

References / Related issues

#1359 / https://oktainc.atlassian.net/browse/OKTA-556732
Potential Duplicates?
- #1533 / https://oktainc.atlassian.net/browse/OKTA-604154
- #1393 / https://oktainc.atlassian.net/browse/OKTA-555401
#1331 / https://oktainc.atlassian.net/browse/OKTA-544023

Terraform Version

Terraform v1.1.6
on darwin_arm64
+ provider registry.terraform.io/hashicorp/http v3.4.0
+ provider registry.terraform.io/okta/okta v3.41.0

Terraform Configuration Files

Click to Expand | main.tf

`main.tf` ```hcl terraform { required_providers { okta = { source = "okta/okta" version = "3.41.0" } } } provider "okta" { org_name = var.OKTA_ORG_NAME base_url = var.OKTA_BASE_URL api_token = var.OKTA_API_TOKEN max_api_capacity = 90 } variable "OKTA_ORG_NAME" {} variable "OKTA_BASE_URL" {} variable "OKTA_API_TOKEN" { sensitive = true } ```

Click to Expand | policy_mfa.tf

`policy_mfa.tf` ```hcl resource "okta_group" "test_group" { name = "test_mfa_policy" description = "Requires both Okta Verify and WebAuthn" skip_users = true } locals { instance_url = "https://${var.OKTA_ORG_NAME}.${var.OKTA_BASE_URL}" } data "http" "authenticators" { url = "${local.instance_url}/api/v1/authenticators" request_headers = { Authorization = "SSWS ${var.OKTA_API_TOKEN}" } } output "raw_authenticators" { value = jsondecode(data.http.authenticators.body) } output "authenticators" { value = { for factor in jsondecode(data.http.authenticators.body) : factor.key => factor.status } } output "group_id" { value = okta_group.test_group.id } resource "okta_policy_mfa" "test_mfa_policy" { priority = 1 is_oie = true status = "ACTIVE" name = "test_mfa_policy" groups_included = [ okta_group.test_group.id, ] okta_email = { "enroll" = "REQUIRED" } okta_verify = { "enroll" = "REQUIRED" } okta_password = { "enroll" = "REQUIRED" } webauthn = { "enroll" = "REQUIRED" } security_question = { "enroll" = "NOT_ALLOWED" } symantec_vip = { "enroll" = "NOT_ALLOWED" } # duo = { # "enroll" = "NOT_ALLOWED" # } } resource "okta_policy_rule_mfa" "mfa_rule_require_verify_webauthn" { priority = 1 status = "ACTIVE" name = "Enrolment Rule" enroll = "CHALLENGE" network_connection = "ANYWHERE" policy_id = okta_policy_mfa.test_mfa_policy.id users_excluded = [] } ```

Steps to Reproduce

Click to Expand | Steps to Reproduce

```bash #!/usr/bin/env bash echo "$(pwd)" echo 'proceed? (y/n)' read answer if [ "$answer" == "y" ]; then echo "Proceeding..." elif [ "$answer" == "n" ]; then echo "Exiting..." exit 1 fi # TF_LOG=DEBUG # TF_LOG=INFO OKTA_ORG_NAME="" # this script was tested against a dev-xxxxx instance OKTA_BASE_URL="okta.com" OKTA_API_TOKEN="" # ### `Destroy` or `rm` ensure we have a clean starting point terraform destroy --auto-approve \ -var OKTA_ORG_NAME=$OKTA_ORG_NAME \ -var OKTA_BASE_URL=$OKTA_BASE_URL \ -var OKTA_API_TOKEN=$OKTA_API_TOKEN > debug_destroy.txt rm ./*.tfstate* terraform apply --auto-approve \ -var OKTA_ORG_NAME=$OKTA_ORG_NAME \ -var OKTA_BASE_URL=$OKTA_BASE_URL \ -var OKTA_API_TOKEN=$OKTA_API_TOKEN > debug_1.txt # sed -i doesnt want to work for me for some reason - ¯\_(ツ)_/¯ # uncomment duo mfa block pbcopy < ./sandbox.tf && pbpaste | sed 's/ # /\ /g' > ./sandbox.tf terraform apply --auto-approve \ -var OKTA_ORG_NAME=$OKTA_ORG_NAME \ -var OKTA_BASE_URL=$OKTA_BASE_URL \ -var OKTA_API_TOKEN=$OKTA_API_TOKEN > debug_2.txt # sed -i doesnt want to work for me for some reason - ¯\_(ツ)_/¯ # recomment duo mfa block after realising your mistake # note that line numbers are hard-coded 51-53 pbcopy < ./sandbox.tf && pbpaste | sed '51,53 s/^ / # /' > ./sandbox.tf policy_id="$(cat ./terraform.tfstate |jq -r '.resources[] | select(.name == "test_mfa_policy") | .instances[0].attributes.id')" group_id="$(cat ./terraform.tfstate |jq -r '.resources[] | select(.name == "test_group") | .instances[0].attributes.id')" # cause drift on purpose echo "policy_id - \"$policy_id\"" echo "group_id - \"$group_id\"" curl -X 'PUT' -i "https://$OKTA_ORG_NAME.$OKTA_BASE_URL/api/v1/policies/$policy_id" \ -H "Authorization: SSWS $OKTA_API_TOKEN" -H 'Content-Type: application/json' \ --data-raw '{"name":"test_mfa_policy","priority":1,"status":"ACTIVE","system":false,"type":"MFA_ENROLL","conditions":{"people":{"groups":{"include":["'$group_id'"]}}},"settings":{"type":"AUTHENTICATORS","authenticators":[{"key":"okta_email","enroll":{"self":"REQUIRED"}},{"key":"okta_verify","enroll":{"self":"REQUIRED"}},{"key":"okta_password","enroll":{"self":"REQUIRED"}},{"key":"webauthn","enroll":{"self":"OPTIONAL"}},{"key":"security_question","enroll":{"self":"NOT_ALLOWED"}}],"isUserAgreementContent":false}}' \ --compressed terraform apply --auto-approve \ -var OKTA_ORG_NAME=$OKTA_ORG_NAME \ -var OKTA_BASE_URL=$OKTA_BASE_URL \ -var OKTA_API_TOKEN=$OKTA_API_TOKEN > debug_3.txt echo "tf state is in unrecoverable state" echo "running terraform apply will now never succeed" echo "can be fixed by running - \"terraform state rm\" then \"terraform state import\"" ```

duytiennguyen-okta commented 1 year ago

This look like a really big bug. Thanks for the detail walkthrough. cc @jefftaylor-okta how should we prioritize this?

duytiennguyen-okta commented 1 year ago

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-626962

okta / terraform-provider-okta