A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform 1.7.4
okta/okta v4.11.0
hashicorp/aws v5.20.1
Affected Resource(s)
okta_app_access_policy_assignment
Terraform Configuration Files
```hcl
data "okta_app" "aws_govcloudtest1" {
  # label = "AWS: GovCloudTest1"
  id = "<id-of-AWS-okta-app>"
}

resource "okta_app_access_policy_assignment" "aws_govcloudtest1_assign" {
  app_id    = data.okta_app.aws_govcloudtest1.id
  policy_id = okta_app_signon_policy.any-two-factors.id
}

resource "okta_app_signon_policy" "any-two-factors" {
  name        = "Any two factors"
  description = "Require two factors to access."
}
```
Debug Output
N/A
Panic Output
N/A
Expected Behavior
The resource should have been created linking the app access policy to the app specified in the data resource. The app specified is an amazon_aws app with the Sign On tab set to "AWS IAM Role" ("signOnMode": "AWS_IAM_ROLE" in app JSON output)
Can this be done in the Admin UI?
Yes, this is our workaround at present.
Can this be done in the actual API call?
Yes: there are no requirements in the App API docs for specific signOnMode types with linking access policies.
Actual Behavior
terraform plan reports that the resource will be created:
```text
Terraform will perform the following actions:

  # module.app_policy_module.okta_app_access_policy_assignment.aws_govcloudtest1_assign will be created
  + resource "okta_app_access_policy_assignment" "aws_govcloudtest1_assign" {
      + app_id    = "<id-of-aws-app>"
      + id        = (known after apply)
      + policy_id = "<id-of-policy>"
    }
```
terraform apply fails with:
```text
│ Error: issue with inner app response
│
│   with module.app_policy_module.okta_app_access_policy_assignment.aws_govcloudtest1_assign,
│   on modules/app-policy/aws_govcloudtest1_assign.tf line 2, in resource "okta_app_access_policy_assignment" "aws_govcloudtest1_assign":
│    2: resource "okta_app_access_policy_assignment" "aws_govcloudtest1_assign" {
│
│ okta list applications response does not contain a concrete app
```
It's understandable that the SDK wouldn't support OIN-specific apps but since there is nothing in the Okta API preventing linking an access policy to an OIN app this feels like a bug.
Steps to Reproduce
terraform plan
terraform apply
Important Factoids
The error seems to stem from resource_okta_app_access_policy_assignment.go: concreteAppID only iterates through the main Okta SDK application types.
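To illustrate the failure mode described above, here is an added example (not the provider's own code) in Go that mimics a lookup over the "list applications" response: with `requireCore` set, any app whose signOnMode is outside a fixed set of core SDK types is rejected as "not a concrete app", while the lenient path returns the ID that a policy assignment actually needs. The struct, the sample response, the IDs and the `findApp`/`coreSignOnModes` names are all assumptions made for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Minimal view of one entry in the Okta "list applications" response
// (hypothetical struct for this example, not the provider's own type).
type oktaApp struct {
	ID         string `json:"id"`
	Name       string `json:"name"`
	SignOnMode string `json:"signOnMode"`
}

// Constructed sample response: an OIN app (amazon_aws, AWS_IAM_ROLE) and a
// generic SAML app. IDs are illustrative placeholders, not from a real tenant.
const listAppsJSON = `[
  {"id": "0oa-example-aws",  "name": "amazon_aws",        "signOnMode": "AWS_IAM_ROLE"},
  {"id": "0oa-example-saml", "name": "template_saml_2_0", "signOnMode": "SAML_2_0"}
]`

// Allow-list standing in for a type switch over the core SDK application
// types; OIN-specific modes such as AWS_IAM_ROLE are deliberately absent.
var coreSignOnModes = map[string]bool{
	"SAML_2_0": true, "OPENID_CONNECT": true, "BOOKMARK": true, "BASIC_AUTH": true,
	"BROWSER_PLUGIN": true, "SECURE_PASSWORD_STORE": true, "AUTO_LOGIN": true,
}

// findApp parses the response and returns the entry with the requested ID.
// When requireCore is true it reproduces the reported failure: an app whose
// signOnMode is not a core SDK type is treated as "not a concrete app".
func findApp(raw, appID string, requireCore bool) (string, error) {
	var apps []oktaApp
	if err := json.Unmarshal([]byte(raw), &apps); err != nil {
		return "", fmt.Errorf("decoding list applications response: %w", err)
	}
	for _, a := range apps {
		if a.ID != appID {
			continue
		}
		if requireCore && !coreSignOnModes[a.SignOnMode] {
			return "", fmt.Errorf("okta list applications response does not contain a concrete app")
		}
		// A policy assignment only needs the app ID, present on every app object.
		return a.ID, nil
	}
	return "", fmt.Errorf("app %q not found in list applications response", appID)
}
```

The practical consequence of the strict path is that an MFA policy assignment silently has to be done by hand in the Admin UI, leaving the tenant's state out of sync with the Terraform configuration.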