okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Terraform loses track of READ_ONLY_ADMIN `okta_group_role` after editing `target_group_list` of GROUP_MEMBERSHIP_ADMIN `okta_group_role` #597

Closed lucascantor closed 3 years ago

lucascantor commented 3 years ago

Terraform Version

Terraform v1.0.5
on linux_amd64
okta provider 3.13.6

Terraform Configuration Files

```hcl
resource "okta_group_role" "okta_admin_prod_support_group_membership" {
  group_id  = okta_group.terraform_assigned_groups["okta_admin_prod_support"].id
  role_type = "GROUP_MEMBERSHIP_ADMIN"
  target_group_list = [
    okta_group.okta_assigned_groups["ambra_dicom_grid"].id,
    okta_group.okta_assigned_groups["athenahealth_clienttrain"].id,
    okta_group.okta_assigned_groups["athenahealth_preview"].id,
    okta_group.okta_assigned_groups["athenahealth_production"].id,
    okta_group.okta_assigned_groups["auth0_prod"].id,
    okta_group.okta_assigned_groups["cleartriage"].id,
    okta_group.okta_assigned_groups["five9"].id,
    okta_group.okta_assigned_groups["five9_plus_adapter_for_salesforce"].id,
    okta_group.okta_assigned_groups["five9_swa"].id,
    okta_group.okta_assigned_groups["grand_rounds"].id,
    okta_group.okta_assigned_groups["grand_rounds_hub"].id,
    okta_group.okta_assigned_groups["nice_eem"].id,
    okta_group.okta_assigned_groups["nice_eem_admin"].id,
    okta_group.okta_assigned_groups["nice_qci"].id,
    okta_group.okta_assigned_groups["nice_qci_superuser"].id,
    okta_group.okta_assigned_groups["nice_qci_quality_admin"].id,
    okta_group.okta_assigned_groups["nice_qci_supervisor"].id,
    okta_group.okta_assigned_groups["nice_wfm"].id,
    okta_group.okta_assigned_groups["nice_wfm_admin"].id,
    okta_group.okta_assigned_groups["textexpander"].id,
    okta_group.okta_assigned_groups["textexpander_care_team"].id,
    okta_group.okta_assigned_groups["textexpander_careteam_leadership"].id,
    okta_group.okta_assigned_groups["textexpander_record_spec_leadership"].id,
    okta_group.okta_assigned_groups["textexpander_record_specialists"].id,
    okta_group.okta_assigned_groups["textexpander_the_clinic"].id,
    okta_group.okta_assigned_groups["textexpander_the_clinic_leadership"].id,
    okta_group.okta_assigned_groups["zoom_telemedicine_admin_basic"].id,
    okta_group.okta_assigned_groups["zoom_telemedicine_admin_pro"].id,
    okta_group.okta_assigned_groups["zoom_telemedicine_member_basic"].id,
    okta_group.okta_assigned_groups["zoom_telemedicine_member_pro"].id,
  ]
}

resource "okta_group_role" "okta_admin_prod_support_help_desk" {
  group_id  = okta_group.terraform_assigned_groups["okta_admin_prod_support"].id
  role_type = "HELP_DESK_ADMIN"
  target_group_list = [
    okta_group.okta_inherited_groups["all_non_admins"].id,
    okta_group.terraform_assigned_groups["okta_admin_prod_support"].id,
  ]
}

resource "okta_group_role" "okta_admin_prod_support_read_only" {
  group_id  = okta_group.terraform_assigned_groups["okta_admin_prod_support"].id
  role_type = "READ_ONLY_ADMIN"
}
```

Steps to Reproduce

1. Create an `okta_group_role` with `role_type = "READ_ONLY_ADMIN"` assigned to a group
2. Create an `okta_group_role` with `role_type = "GROUP_MEMBERSHIP_ADMIN"` assigned to the same group
3. `terraform apply`
4. Edit the `target_group_list` for the `okta_group_role` with `role_type = "GROUP_MEMBERSHIP_ADMIN"`
5. `terraform apply`

The subsequent `terraform plan` will result in the following, which will cause an Okta API error if applied:

```text
Note: Objects have changed outside of Terraform

Terraform detected the following changes made outside of Terraform since the
last terraform apply:

  # okta_group_role.okta_admin_it_read_only has been deleted
  - resource okta_group_role okta_admin_it_read_only {
      - group_id  = 00g11j1mroVuGr4KV1d7 -> null
      - id        = gra17iwf7nuqEiHcl1d7 -> null
      - role_type = READ_ONLY_ADMIN -> null
    }

Unless you have made equivalent changes to your configuration, or ignored the
relevant attributes using ignore_changes, the following plan may include
actions to undo or respond to these changes.

─────────────────────────────────────────────────────────────────────────────

Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # okta_group_role.okta_admin_it_read_only will be created
  + resource okta_group_role okta_admin_it_read_only {
      + group_id  = 00g11j1mroVuGr4KV1d7
      + id        = (known after apply)
      + role_type = READ_ONLY_ADMIN
    }

Plan: 1 to add, 0 to change, 0 to destroy.
```

bogdanprodan-okta commented 3 years ago

Hi @lucascantor! Thanks for submitting this issue! I'll try to reproduce the scenario you've provided and fix the problem.

bogdanprodan-okta commented 3 years ago

Hi @lucascantor! I've used this scenario to reproduce the issue (I'm using Terraform v1.0.6)

1. Run `terraform apply` to create these resources

```hcl
resource "okta_group" "test" {
  name        = "testAcc_replace_with_uuid"
  description = "testing"
  lifecycle {
    ignore_changes = [users]
  }
}

resource "okta_group_role" "test" {
  group_id  = okta_group.test.id
  role_type = "READ_ONLY_ADMIN"
}

resource "okta_group" "test_target1" {
  name        = "testTarget1Acc_replace_with_uuid"
  description = "testing"
}

resource "okta_group" "test_target2" {
  name        = "testTarget2Acc_replace_with_uuid"
  description = "testing"
}

resource "okta_group_role" "test_app" {
  group_id          = okta_group.test.id
  role_type         = "GROUP_MEMBERSHIP_ADMIN"
  target_group_list = [okta_group.test_target1.id, okta_group.test_target2.id]
}
```

2. Edit `okta_group_role.test_app` to have only one item in the `target_group_list` and run `terraform apply`

```hcl
//...

resource "okta_group_role" "test_app" {
  group_id          = okta_group.test.id
  role_type         = "GROUP_MEMBERSHIP_ADMIN"
  target_group_list = [okta_group.test_target2.id]
}
```

Output:

```text
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # okta_group_role.test_app will be updated in-place
  ~ resource "okta_group_role" "test_app" {
        id                = "I5JE6VKQL5GUKTKCIVJFGSCJKBPUCRCNJFHA"
      ~ target_group_list = [
          - "00g11jl6x78hYw8Az0h8",
            # (1 unchanged element hidden)
        ]
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
```

3. Remove the `target_group_list` field from the `okta_group_role.test_app` resource and run `terraform apply`

```hcl
resource "okta_group_role" "test_app" {
  group_id  = okta_group.test.id
  role_type = "GROUP_MEMBERSHIP_ADMIN"
}
```

Output:

```text
Terraform will perform the following actions:

  # okta_group_role.test_app must be replaced
  -/+ resource "okta_group_role" "test_app" {
      ~ id                = "I5JE6VKQL5GUKTKCIVJFGSCJKBPUCRCNJFHA" -> (known after apply)
      - target_group_list = [
          - "00g11jl8q84lPZXSB0h8",
        ] -> null # forces replacement
        # (2 unchanged attributes hidden)
    }

Plan: 1 to add, 0 to change, 1 to destroy.
```

Now terraform forces replacement of the `okta_group_role.test_app` resource. The reason for this behavior can be found in the API docs:

Note: Don't remove the last Group target from a role assignment, as it causes an exception. If you need a role assignment that applies to all Groups, the API consumer should delete the role assignment and recreate it.

The actual error from the API:

```text
Error: failed to remove group target from admin role assignment I5JE6VKQL5GUKTKCIVJFGSCJKBPUCRCNJFHA of group 00g11jl08ouOSS9AC0h8: the API returned an error: The provided role type was not the same as required role type., Status: 405 Method Not Allowed
```

bogdanprodan-okta commented 3 years ago

Ok, now I get the problem. I'm not sure why this is happening, but if I remove "GROUP_MEMBERSHIP_ADMIN" role from the group and then add it back, the ID of "READ_ONLY_ADMIN" role will change. That's a very weird behavior and I'll ask the team responsible for this functionality what may cause this problem.

lucascantor commented 3 years ago

@bogdanprodan-okta thanks so much for this. I thought I was losing my mind, but I'm glad to know it's not just me.

monde commented 3 years ago

@lucascantor we have a conversation started with the team in Okta core that will help us get the upstream issue fixed.

bogdanprodan-okta commented 3 years ago

@lucascantor I will create a workaround for this. Basically, I will hot-swap the ID, so only this message might appear.

```text
Terraform detected the following changes made outside of Terraform since the last "terraform apply":

  # okta_group_role.test has been changed
  ~ resource "okta_group_role" "test" {
      ~ id        = "gra11jyo80pMq1UL20h8" -> "gra11jyrcuaHbVIDx0h8"
        # (2 unchanged attributes hidden)
    }

Unless you have made equivalent changes to your configuration, or ignored the relevant attributes using ignore_changes, the following plan may include actions to undo or respond to these changes.
────────────────────────────────────────────────────────

No changes. Your infrastructure matches the configuration.
```

I know it's not the best solution, but at least it fixes the problem for now.
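An added example, not code from the provider or from anyone in this thread, showing the reconciliation that the two plans above are really about: the issue's plan reports the `READ_ONLY_ADMIN` assignment as deleted and to be recreated, while the provider's workaround adopts the re-issued id instead. The script compares the `okta_group_role` entries in Terraform state with the role assignments Okta reports per group, matching on `(group_id, role_type)`, and classifies each as `OK`, `ID_DRIFT` (same role, new id, the case in this issue), `MISSING` (in state, no longer assigned) or `UNMANAGED` (assigned, not in state). Both inputs are constructed sample data with placeholder ids; the live list is shaped like the `id`/`type`/`status` fields of Okta's `GET /api/v1/groups/{groupId}/roles` response, and the `terraform import` id format `<group id>/<role id>` is an assumption to verify against the provider's documentation.

```python
"""Reconcile okta_group_role resources in Terraform state with the role
assignments Okta reports for each group, and flag the id drift from this issue.

Added example for this thread; not part of terraform-provider-okta. Both inputs
below are constructed sample data. The live list is shaped like the response of
Okta's GET /api/v1/groups/{groupId}/roles (id, type, status).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class StateRole:
    """One okta_group_role resource as recorded in terraform.tfstate."""
    address: str      # e.g. okta_group_role.okta_admin_prod_support_read_only
    group_id: str
    role_type: str
    role_id: str      # the assignment id Terraform believes is current


@dataclass(frozen=True)
class Finding:
    address: str
    group_id: str
    role_type: str
    status: str       # OK | ID_DRIFT | MISSING | UNMANAGED
    state_id: Optional[str]
    live_id: Optional[str]


def reconcile(state_roles: List[StateRole],
              live_roles_by_group: Dict[str, List[dict]]) -> List[Finding]:
    """Match state resources to live assignments by (group_id, role_type).

    A live role of the same type whose id differs from the one in state is
    ID_DRIFT: the situation in this issue, where Okta re-issued the
    READ_ONLY_ADMIN assignment id after the sibling GROUP_MEMBERSHIP_ADMIN
    assignment was edited. The role still exists, so the right response is to
    adopt the new id rather than delete and recreate the assignment.
    """
    findings: List[Finding] = []
    claimed = set()  # (group_id, live id) already accounted for by state
    for sr in state_roles:
        live = live_roles_by_group.get(sr.group_id, [])
        match = next((r for r in live if r["type"] == sr.role_type), None)
        if match is None:
            findings.append(Finding(sr.address, sr.group_id, sr.role_type,
                                    "MISSING", sr.role_id, None))
            continue
        claimed.add((sr.group_id, match["id"]))
        status = "OK" if match["id"] == sr.role_id else "ID_DRIFT"
        findings.append(Finding(sr.address, sr.group_id, sr.role_type,
                                status, sr.role_id, match["id"]))
    # A live admin role that no state resource claims is privilege Terraform
    # does not know about; worth reviewing regardless of how it got there.
    for group_id, live in live_roles_by_group.items():
        for r in live:
            if (group_id, r["id"]) not in claimed:
                findings.append(Finding("(unmanaged)", group_id, r["type"],
                                        "UNMANAGED", None, r["id"]))
    return findings


def remediation(findings: List[Finding]) -> List[str]:
    """Suggest state-only fixes for ID_DRIFT so no API change is needed.

    Assumption: okta_group_role imports as "<group id>/<role id>"; verify
    against the provider's resource documentation before running these.
    """
    cmds = []
    for f in findings:
        if f.status == "ID_DRIFT":
            cmds.append(f"terraform state rm {f.address}")
            cmds.append(f"terraform import {f.address} {f.group_id}/{f.live_id}")
    return cmds


# --- constructed sample data (placeholder ids, not from a real org) ----------
SAMPLE_STATE = [
    StateRole("okta_group_role.read_only", "00gEXAMPLEGROUP01",
              "READ_ONLY_ADMIN", "graEXAMPLE_OLDID"),
    StateRole("okta_group_role.membership", "00gEXAMPLEGROUP01",
              "GROUP_MEMBERSHIP_ADMIN", "graEXAMPLE_GMA"),
    StateRole("okta_group_role.help_desk", "00gEXAMPLEGROUP01",
              "HELP_DESK_ADMIN", "graEXAMPLE_HD"),
]
SAMPLE_LIVE = {
    "00gEXAMPLEGROUP01": [
        # READ_ONLY_ADMIN is still assigned, but under a re-issued id.
        {"id": "graEXAMPLE_NEWID", "type": "READ_ONLY_ADMIN", "status": "ACTIVE"},
        {"id": "graEXAMPLE_GMA", "type": "GROUP_MEMBERSHIP_ADMIN", "status": "ACTIVE"},
        # Assigned directly in Okta; no Terraform resource covers it.
        {"id": "graEXAMPLE_SA", "type": "SUPER_ADMIN", "status": "ACTIVE"},
    ],
}

if __name__ == "__main__":
    results = reconcile(SAMPLE_STATE, SAMPLE_LIVE)
    for f in results:
        print(f"{f.status:<10} {f.address:<32} {f.role_type:<24} "
              f"state={f.state_id} live={f.live_id}")
    for cmd in remediation(results):
        print(cmd)
```

On the sample data the run reports the `READ_ONLY_ADMIN` role as `ID_DRIFT` with the re-issued id, the `GROUP_MEMBERSHIP_ADMIN` role as `OK`, the `HELP_DESK_ADMIN` role as `MISSING`, and the `SUPER_ADMIN` assignment as `UNMANAGED`. Matching on role type rather than on id is what keeps a re-issued id from looking like a deleted role, and the `UNMANAGED` bucket is the one to watch from an access-review standpoint, since an admin role nobody declared in code is exactly what drift between state and the org can hide.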

lucascantor commented 3 years ago

@bogdanprodan-okta thank you! This is still infinitely better than the current behavior 🙏🏼

bogdanprodan-okta commented 3 years ago

@lucascantor this issue is resolved and right now this is behind an ENG flag to be rolled out to preview in the next monthly release. In the meantime, you can make a request to the support so they enable this flag ENG_GROUP_ROLE_ASSIGNMENT_PERF_AND_SIMPLIFY.