okta / terraform-provider-okta

A Terraform provider to manage Okta resources, enabling infrastructure-as-code provisioning and management of users, groups, applications, and other Okta objects.
https://registry.terraform.io/providers/okta/okta
Mozilla Public License 2.0

Cannot remove authenticators #890

Closed cvs-sigrejas closed 2 years ago

cvs-sigrejas commented 2 years ago

Community Note

Terraform Version

1.0.6

Affected Resource(s)

Terraform Configuration Files

terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "3.20.2"
    }
  }
}

resource "okta_authenticator" "hc_authenticators" {
  key    = "security_question"
  name   = "Security Question"
  status = "ACTIVE"
  settings = jsonencode({
    allowedFor = "recovery"
  })
}

Debug Output

2022-01-07T16:08:23.274-0500 [DEBUG] ReferenceTransformer: "okta_authenticator.hc_authenticators[\"security_question\"] (orphan)" references: []
okta_authenticator.hc_authenticators["security_question"]: Refreshing state... [id=aut29n6np9apa7gh81d7]
2022-01-07T16:08:23.761-0500 [INFO]  provider.terraform-provider-okta_v3.20.2: 2022/01/07 16:08:23 [DEBUG] Okta API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cache-Control: no-cache, no-store
Content-Security-Policy: default-src 'self' {{okta_subdomain}}.oktapreview.com *.oktacdn.com; connect-src 'self' {{okta_subdomain}}.oktapreview.com {{okta_subdomain}}-admin.oktapreview.com *.oktacdn.com *.mixpanel.com *.mapbox.com app.pendo.io data.pendo.io pendo-static-5634101834153984.storage.googleapis.com {{okta_subdomain}}.kerberos.oktapreview.com *.authenticatorlocalprod.com:8769 http://localhost:8769 http://127.0.0.1:8769 *.authenticatorlocalprod.com:65111 http://localhost:65111 http://127.0.0.1:65111 *.authenticatorlocalprod.com:65121 http://localhost:65121 http://127.0.0.1:65121 *.authenticatorlocalprod.com:65131 http://localhost:65131 http://127.0.0.1:65131 *.authenticatorlocalprod.com:65141 http://localhost:65141 http://127.0.0.1:65141 *.authenticatorlocalprod.com:65151 http://localhost:65151 http://127.0.0.1:65151 https://oinmanager.okta.com data:; script-src 'unsafe-inline' 'unsafe-eval' 'self' {{okta_subdomain}}.oktapreview.com *.oktacdn.com; style-src 'unsafe-inline' 'self' {{okta_subdomain}}.oktapreview.com *.oktacdn.com app.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com; frame-src 'self' {{okta_subdomain}}.oktapreview.com {{okta_subdomain}}-admin.oktapreview.com login.okta.com com-okta-authenticator:; img-src 'self' {{okta_subdomain}}.oktapreview.com *.oktacdn.com *.tiles.mapbox.com *.mapbox.com app.pendo.io data.pendo.io cdn.pendo.io pendo-static-5634101834153984.storage.googleapis.com data: blob:; font-src 'self' {{okta_subdomain}}.oktapreview.com data: *.oktacdn.com fonts.gstatic.com; report-uri https://okta.report-uri.com/r/d/csp/enforce; report-to csp
Content-Type: application/json
Date: Fri, 07 Jan 2022 21:08:23 GMT
Expect-Ct: report-uri="https://oktaexpectct.report-uri.com/r/t/ct/reportOnly", max-age=0
Expires: 0
P3p: CP="HONK"
Pragma: no-cache
Public-Key-Pins-Report-Only: pin-sha256="jZomPEBSDXoipA9un78hKRIeN/+U4ZteRaiX8YpWfqc="; pin-sha256="axSbM6RQ+19oXxudaOTdwXJbSr6f7AahxbDHFy3p8s8="; pin-sha256="SE4qe2vdD9tAegPwO79rMnZyhHvqj3i5g1c2HkyGUNE="; pin-sha256="ylP0lMLMvBaiHn0ihLxHjzvlPVQNoyQ+rMiaj0da/Pw="; max-age=60; report-uri="https://okta.report-uri.com/r/default/hpkp/reportOnly"
Report-To: {"group":"csp","max_age":31536000,"endpoints":[{"url":"https://okta.report-uri.com/a/d/g"}],"include_subdomains":true}
Server: nginx
Set-Cookie: sid=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: autolaunch_triggered=""; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
Set-Cookie: JSESSIONID=AB7E54F6C3288D707EBE7BE2F17663F8; Path=/; Secure; HttpOnly
Strict-Transport-Security: max-age=315360000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Okta-Request-Id: Ydirx06er3Yd93z3DgvZFgAADAg
X-Rate-Limit-Limit: 600
X-Rate-Limit-Remaining: 548
X-Rate-Limit-Reset: 1641589754
X-Xss-Protection: 0

{
 "type": "security_question",
 "id": "aut29n6np9apa7gh81d7",
 "key": "security_question",
 "status": "ACTIVE",
 "name": "Security Question",
 "created": "2022-01-07T20:11:37.000Z",
 "lastUpdated": "2022-01-07T21:07:07.000Z",
 "settings": {
  "allowedFor": "recovery"
 },
 "_links": {
  "self": {
   "href": "https://{{okta_subdomain}}.oktapreview.com/api/v1/authenticators/aut29n6np9apa7gh81d7",
   "hints": {
    "allow": [
     "GET",
     "PUT"
    ]
   }
  },
  "deactivate": {
   "href": "https://{{okta_subdomain}}.oktapreview.com/api/v1/authenticators/aut29n6np9apa7gh81d7/lifecycle/deactivate",
   "hints": {
    "allow": [
     "POST"
    ]
   }
  },
  "methods": {
   "href": "https://{{okta_subdomain}}.oktapreview.com/api/v1/authenticators/aut29n6np9apa7gh81d7/methods",
   "hints": {
    "allow": [
     "GET"
    ]
   }
  }
 }
}
-----------------------------------------------------: timestamp=2022-01-07T16:08:23.761-0500
  # okta_authenticator.hc_authenticators["security_question"] will be destroyed
  - resource "okta_authenticator" "hc_authenticators" {
      - id                          = "aut29n6np9apa7gh81d7" -> null
      - key                         = "security_question" -> null
      - name                        = "Security Question" -> null
      - provider_auth_port          = 9000 -> null
      - provider_hostname           = "localhost" -> null
      - provider_user_name_template = "global.assign.userName.login" -> null
      - settings                    = jsonencode(
            {
              - allowedFor = "recovery"
            }
        ) -> null
      - status                      = "ACTIVE" -> null
      - type                        = "security_question" -> null
    }

Plan: 0 to add, 0 to change, 1 to destroy.
2022-01-07T16:08:25.973-0500 [INFO]  backend/local: apply calling Apply
2022-01-07T16:08:25.974-0500 [INFO]  terraform: building graph: GraphTypeApply
2022-01-07T16:08:25.977-0500 [DEBUG] ProviderTransformer: "okta_authenticator.hc_authenticators[\"security_question\"] (destroy)" (*terraform.NodeDestroyResourceInstance) needs provider["registry.terraform.io/okta/okta"]
okta_authenticator.hc_authenticators["security_question"]: Destroying... [id=aut29n6np9apa7gh81d7]
2022-01-07T16:08:26.554-0500 [INFO]  Starting apply for okta_authenticator.hc_authenticators["security_question"]
2022-01-07T16:08:26.554-0500 [DEBUG] okta_authenticator.hc_authenticators["security_question"]: applying the planned Delete change
okta_authenticator.hc_authenticators["security_question"]: Destruction complete after 0s
2022-01-07T16:08:26.592-0500 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-01-07T16:08:26.594-0500 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/okta/okta/3.20.2/darwin_amd64/terraform-provider-okta_v3.20.2 pid=82390
2022-01-07T16:08:26.594-0500 [DEBUG] provider: plugin exited

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.


Panic Output

None

Expected Behavior

The authenticator should have been removed.

Actual Behavior

The authenticator was left alone but removed from the state file. I don't see any calls to the authenticator API to delete in the logs. I only see the GET call during the state refresh.

Steps to Reproduce

  1. terraform apply
  2. Confirm the authenticator is created in the UI.
  3. Remove the resource
  4. terraform apply

Important Factoids

None

References

None

bogdanprodan-okta commented 2 years ago

Hi, @cvs-sigrejas! Thanks for submitting this issue! Technically, you cannot delete an authenticator. However, you can deactivate it first and then remove it from Terraform. From a UI perspective, it might look like the authenticator is being removed, but in reality, it is just being deactivated.

cvs-sigrejas commented 2 years ago

Shouldn't the provider deactivate on removal of the resource? You're saying don't remove the resource and instead deactivate it?

bogdanprodan-okta commented 2 years ago

I think I'll add a deactivation call when the resource is being removed.

cvs-sigrejas commented 2 years ago

I'd be careful with that. Ideally, after destroying, it should go back to what it was before anything was applied. So if some authenticators default to ACTIVE while others default to INACTIVE, then destroy should reset it back to the original.

monde commented 2 years ago

Authenticators can only be activated / deactivated by the Okta API management endpoints for authenticators. Authenticators cannot be deleted by the API.

https://developer.okta.com/docs/reference/api/authenticators-admin/#authenticators-administration-operations
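
A drift check for the situation in this thread, as an added example that is not part of the issue or the provider's code: it compares `terraform show -json` output with authenticator objects from the Okta API and reports authenticators that are still ACTIVE but no longer tracked in state, along with what the `_links` hints offer. Both inputs are constructed samples (the authenticator body is trimmed from the debug output above), the function names are hypothetical, and it assumes the authenticator list was fetched separately from `/api/v1/authenticators`.

```python
import json

# Constructed: the authenticator body from the debug output in this issue,
# trimmed to the fields read below and wrapped in a list.
OKTA_AUTHENTICATORS = json.loads("""[{
  "id": "aut29n6np9apa7gh81d7", "key": "security_question", "status": "ACTIVE",
  "settings": {"allowedFor": "recovery"},
  "_links": {
    "self": {"hints": {"allow": ["GET", "PUT"]}},
    "deactivate": {"hints": {"allow": ["POST"]}}
  }
}]""")

# Constructed: `terraform show -json` after the destroy, no okta_authenticator left.
STATE_AFTER_DESTROY = json.loads("""{
  "format_version": "1.0",
  "values": {"root_module": {"resources": [], "child_modules": []}}
}""")


def tracked_ids(state, rtype="okta_authenticator"):
    """Collect ids of managed resources of rtype from root and nested modules."""
    ids, stack = set(), [state.get("values", {}).get("root_module", {})]
    while stack:
        module = stack.pop()
        stack.extend(module.get("child_modules", []))
        for res in module.get("resources", []):
            if res.get("type") == rtype and res.get("mode", "managed") == "managed":
                ids.add(res.get("values", {}).get("id"))
    return ids


def untracked_active(state, authenticators):
    """ACTIVE authenticators in Okta that the Terraform state does not track."""
    known = tracked_ids(state)
    findings = []
    for auth in authenticators:
        if auth.get("status") != "ACTIVE" or auth.get("id") in known:
            continue
        links = auth.get("_links", {})
        allow = links.get("self", {}).get("hints", {}).get("allow", [])
        findings.append({
            "id": auth["id"],
            "key": auth.get("key"),
            "allowed_for": auth.get("settings", {}).get("allowedFor"),
            "api_offers_delete": "DELETE" in allow,
            "api_offers_deactivate": "deactivate" in links,
        })
    return findings
```

The result also includes active authenticators that were never managed by Terraform, so review each finding against the intended authenticator policy before deactivating anything.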