okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

App can't be updated anymore after role assignment #2025

Closed eduardluft closed 3 months ago

eduardluft commented 4 months ago

Description

The resource okta_app_oauth can be created, but not changed if the okta_app_oauth_role_assignment resource is used.

Terraform Version

❯ tf --version
Terraform v1.5.6

Provider Version

okta = {
  source  = "okta/okta"
  version = "4.8.1"
}

Affected Resource(s)

Terraform Configuration Files

resource "okta_app_oauth" "test" {
  label          = "test"
  type           = "service"
  grant_types    = ["client_credentials"]
  response_types = ["token"]
}

resource "okta_app_oauth_role_assignment" "test" {
  client_id = okta_app_oauth.test.client_id
  type      = "APP_ADMIN"
}

Actual Behavior

Tried with all scopes. Error is always thrown. Error: failed to update OAuth application: the API returned an error: You do not have permission to perform the requested action

Expected Behavior

Applies should be successful as before a role was assigned.

Can this be done in the Admin UI?

Yes

Workaround

Adding the lifecycle: replace_triggered_by. Not sure if this is the wanted behavior; it's not mentioned anywhere.

resource "okta_app_oauth_role_assignment" "test" {
  client_id = okta_app_oauth.test.client_id
  type      = "APP_ADMIN"

  lifecycle {
    replace_triggered_by = [okta_app_oauth.test]
  }
}

Steps to Reproduce

  1. terraform apply the provided Terraform Configuration Files
  2. Change for example the label to test 2
  3. terraform apply will now throw the error

duytiennguyen-okta commented 4 months ago

@eduardluft I tried to use your tf script to reproduce the issue but could not. Which authentication method were you using? Can you provide the full tf script and the log when you run TF_LOG=debug terraform apply?

eduardluft commented 4 months ago

authentication method: private_key

full tf:

resource "okta_app_oauth" "test" {
  label          = "test 2"
  type           = "service"
  grant_types    = ["client_credentials"]
  response_types = ["token"]
}

resource "okta_app_oauth_role_assignment" "test" {
  client_id = okta_app_oauth.test.client_id
  type      = "APP_ADMIN"
}

provider "okta" {
  org_name       = "xxx"
  base_url       = "xxx.com"
  client_id      = "xxx"
  private_key_id = "xxx"
  private_key    = "xxx"
  scopes = [
    "okta.apps.read", "okta.apps.manage",
    "okta.policies.read",
    "okta.appGrants.read", "okta.appGrants.manage",
    "okta.roles.read", "okta.roles.manage",
    "okta.schemas.read", "okta.schemas.manage",
  ]
}

debug log

duytiennguyen-okta commented 3 months ago

@eduardluft This is not a bug from the provider. You reassigned the role from okta_app_oauth to app_admin, which no longer has the required permission to update the okta_app_oauth you created: https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm