Closed exitcode0 closed 5 months ago
OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-669839
@exitcode0. I'm trying to understand what you're trying to fix. If your goal is just to surface the change of authentication_policy in terraform, then PR #1993 should also have fixed that. Is there anything else you're trying to do?
This is an old issue so my memory of it is vague. It seems that I was concerned that the default behaviour of the upstream APIs is not properly surfaced in the provider. This would be exceedingly difficult to address based on my current understanding, so not sure if this one is worth spending much thought on.
Affected Resource(s)
Terraform Configuration Files
Expected Behavior
Terraform Plan should outline all changes that would result from executing Terraform Apply
Actual Behavior
When the upstream API chooses default behavior we don't expose this in the Terraform Plan
In this case the existing well known behavior is that omitting authentication_policy on okta_app* resources results in the default authentication policy being used.
This can unexpectedly replace an authentication policy that was click-ops provisioned to an application.
I believe this has something to do with this API not supporting partial updates and assuming that an omitted value is equivalent to a null value.
Steps to Reproduce
terraform apply
terraform apply
Important Factoids
Most of our engineers expect that Terraform Plan will outline all changes that would result from executing Terraform Apply.
When this contract is broken, it understandably catches most engineers unaware and can cause outages.
One of the benefits of Terraform is that it can be rolled out gradually because it does not attempt to modify resources that are not under management. But in this case this is being undermined by default behaviors in the upstream API.
Some ideas below for paths forward to more intuitive behavior.
Things within Okta Terraform's control
Terraform plan by manually constructing plan info (not sure if this is possible)
okta_app* resources
"default" as a string
Things outside the Okta TF provider's control
null (requiring explicit null-ish values on endpoints that don't support partial updates seems like less of a footgun imo)
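An added example, not part of the original issue or the provider's code: a pre-apply check over `terraform show -json` plan output that lists okta_app* resources about to be created or updated with authentication_policy omitted, the case the issue describes. It assumes the attribute shows up as an explicit null under change.after when it is left out of the configuration; the sample plan and the function name are constructed for illustration.

```python
import json
import sys

FIELD = "authentication_policy"
MUTATING = {"create", "update"}  # actions that send the resource to the API


def unpinned_app_policies(plan: dict) -> list[str]:
    """Return addresses of okta_app* resources that would be created or
    updated while authentication_policy is known to be null."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if not rc.get("type", "").startswith("okta_app"):
            continue
        change = rc.get("change") or {}
        if not MUTATING & set(change.get("actions", [])):
            continue  # no-op, read or delete: nothing is written for this app
        after = change.get("after") or {}
        # Assumption: an omitted attribute is rendered as an explicit null.
        # A missing key means the type has no such attribute or the value
        # is only known after apply, so those cases are not flagged.
        if FIELD in after and after[FIELD] is None:
            findings.append(rc["address"])
    return findings


# Constructed sample in the shape of `terraform show -json <planfile>`.
SAMPLE_PLAN = {
    "resource_changes": [
        {"address": "okta_app_oauth.pinned", "type": "okta_app_oauth",
         "change": {"actions": ["update"],
                    "after": {"label": "a", FIELD: "constructed-policy-id"}}},
        {"address": "okta_app_saml.unpinned", "type": "okta_app_saml",
         "change": {"actions": ["update"],
                    "after": {"label": "b", FIELD: None}}},
        {"address": "okta_app_group_assignment.g",
         "type": "okta_app_group_assignment",
         "change": {"actions": ["create"], "after": {"app_id": "x"}}},
        {"address": "okta_app_saml.untouched", "type": "okta_app_saml",
         "change": {"actions": ["no-op"], "after": {FIELD: None}}},
    ]
}

if __name__ == "__main__":
    plan = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_PLAN
    hits = unpinned_app_policies(plan)
    for address in hits:
        print(f"{address}: {FIELD} omitted; apply may assign the default policy")
    sys.exit(1 if hits else 0)
```

Run as a CI step between plan and apply; a non-zero exit means at least one application would be written without a pinned policy.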