Closed eduardluft closed 3 months ago
@eduardluft I tried to use your tf script to reproduce the issue but could not. Which authentication method were you using?
Can you provide the full tf script and the log when you run TF_LOG=debug terraform apply?
authentication method: private_key
full tf:
# OAuth service app created by Terraform
resource "okta_app_oauth" "test" {
  label          = "test 2"
  type           = "service"
  grant_types    = ["client_credentials"]
  response_types = ["token"]
}

# Admin role assigned to the app created above
resource "okta_app_oauth_role_assignment" "test" {
  client_id = okta_app_oauth.test.client_id
  type      = "APP_ADMIN"
}

# Provider authenticates with private_key (values redacted)
provider "okta" {
  org_name       = "xxx"
  base_url       = "xxx.com"
  client_id      = "xxx"
  private_key_id = "xxx"
  private_key    = "xxx"
  scopes = [
    "okta.apps.read", "okta.apps.manage",
    "okta.policies.read",
    "okta.appGrants.read", "okta.appGrants.manage",
    "okta.roles.read", "okta.roles.manage",
    "okta.schemas.read", "okta.schemas.manage",
  ]
}
@eduardluft This is not a bug from the provider. You reassigned the role from okta_app_oauth to app_admin, which no longer has the required permission to update the okta_app_oauth you created: https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm
Description
The resource okta_app_oauth can be created, but not changed if the okta_app_oauth_role_assignment resource is used.
Terraform Version
Provider Version
Affected Resource(s)
Terraform Configuration Files
Actual Behavior
Tried with all scopes. Error is always thrown.
Error: failed to update OAuth application: the API returned an error: You do not have permission to perform the requested action
Expected Behavior
Applies should be successful as before a role was assigned.
Can this be done in the Admin UI?
Yes
Workaround
Adding the lifecycle: replace_triggered_by. Not sure if this is the wanted behavior, it's not mentioned anywhere.
Steps to Reproduce
terraform apply the provided Terraform Configuration Files
test 2
terraform apply will now throw the error