pingidentity / terraform-provider-pingfederate

Terraform PingFederate Provider
https://registry.terraform.io/providers/pingidentity/pingfederate/latest/docs

Inconsistent Result after apply on pingfederate_authentication_policies #318

Closed colinhuckstep closed 2 months ago

colinhuckstep commented 2 months ago

Community Note

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

PingFederate Terraform provider Version

0.13.0

PingFederate Version

11.3.5

Terraform Version

v1.9.3

Affected Resource(s)

Please list the resources as a list, for example:

Terraform Configuration Files

resource "pingfederate_authentication_policies" "authenticationPolicies" {
  fail_if_no_selection = false
  authn_selection_trees = [
    {
      id                      = "SupportLogin"
      name                    = "Support Login"
      enabled                 = true
      handle_failures_locally = false
      root_node = {
        action = {
          authn_selector_policy_action = {
            authentication_selector_ref = {
              id = pingfederate_authentication_selector.InstitutionalLoginSelector.id
            }
          }
        }
        children = [
          {
            action = {
              authn_selector_policy_action = {
                context = pingfederate_authentication_selector.InstitutionalLoginSelector.id
                authentication_selector_ref = {
                  id = pingfederate_authentication_selector.EmployeeRequestParamSelector.id
                }
              }
            }
            children = [
              {
                action = {
                  authn_selector_policy_action = {
                    context = pingfederate_authentication_selector.EmployeeRequestParamSelector.id
                    authentication_selector_ref = {
                      id = pingfederate_authentication_selector.InternalNetworks.id
                    }
                  }
                }
                children = [
                  {
                    action = {
                      continue_policy_action = {
                        context = "No"
                      }
                    }
                  },
                  {
                    action = {
                      authn_source_policy_action = {
                        context = "Yes"
                        authentication_source = {
                          type = "IDP_ADAPTER"
                          source_ref = {
                            id = pingfederate_idp_adapter.InternalADKerberosAdapter.id
                          }
                        }
                      }
                    }
                    children = [
                      {
                        action = {
                          authn_source_policy_action = {
                            context = "Fail"
                            authentication_source = {
                              type = "IDP_ADAPTER"
                              source_ref = {
                                id = pingfederate_idp_adapter.InternalADHTMLAdapter.id
                              }
                            }
                          }
                        }
                        children = [
                          {
                            action = {
                              done_policy_action = {
                                context = "Fail"
                              }
                            }
                          },
                          {
                            action = {
                              apc_mapping_policy_action = {
                                context = "Success"
                                authentication_policy_contract_ref = {
                                  id = pingfederate_authentication_policy_contract.InstitutionalPolicyContract.id
                                }
                                attribute_mapping = {
                                  attribute_sources = [
                                    {
                                      ldap_attribute_source = {
                                        type = "LDAP"
                                        data_store_ref = {
                                          id = pingfederate_data_store.LDAP-INTERNAL.id
                                        }
                                        id            = "EmployeeAD"
                                        description   = "Employee AD"
                                        base_dn       = "OU=Users,OU=Accounts,DC=internal,DC=domain,DC=net"
                                        search_scope  = "SUBTREE"
                                        search_filter = "sAMAccountName=$${ad.InternalADHTMLAdapter.username}"
                                        search_attributes = [
                                          "Subject DN",
                                          "mail",
                                          "memberOf"
                                        ]
                                        member_of_nested_group = false
                                      }
                                    }
                                  ]
                                  attribute_contract_fulfillment = {
                                    "MVSUserID" = {
                                      source = {
                                        type = "TEXT"
                                      }
                                      value = "\"\""
                                    }
                                    "mail" = {
                                      source = {
                                        type = "LDAP_DATA_STORE"
                                        id = "EmployeeAD"
                                      }
                                      value = "mail"
                                    }
                                    "subject" = {
                                      source = {
                                        type = "ADAPTER"
                                        id = pingfederate_idp_adapter.InternalADHTMLAdapter.id
                                      }
                                      value = "username"
                                    }
                                    "token" = {
                                      source = {
                                        type = "EXPRESSION"
                                      }
                                      value = "#cn = #this.get(\"ad.InternalADHTMLAdapter.CN\"), #cn == null ? \"null\" : #cn, #token = new net.domain.tokens.Token(#cn, \"JV2\"), #result= #token.getToken()"
                                    }
                                    "memberOf" = {
                                      source = {
                                        type = "LDAP_DATA_STORE"
                                        id = "EmployeeAD"
                                      }
                                      value = "memberOf"
                                    }
                                    "token2" = {
                                      source = {
                                        type = "EXPRESSION"
                                      }
                                      value = "#cn = #this.get(\"ad.InternalADHTMLAdapter.CN\"), #cn == null ? \"null\" : #cn, #dn = #this.get(\"ad.InternalADHTMLAdapter.DistinguishedName\"), #dn == null ? \"null\" : #dn, #token = new net.domain.tokens.Token(\"JV2\", #cn, #dn, \"0.0.0.0\",\"Encrypt\", null), #result = #token.getToken()"
                                    }
                                    "userid" = {
                                      source = {
                                        type = "ADAPTER"
                                        id = pingfederate_idp_adapter.InternalADHTMLAdapter.id
                                      }
                                      value = "username"
                                    }
                                  }
                                }
                              }
                            }
                          }
                        ]
                      },
                      {
                        action = {
                          apc_mapping_policy_action = {
                            context = "Success"
                            authentication_policy_contract_ref = {
                              id = pingfederate_authentication_policy_contract.InstitutionalPolicyContract.id
                            }
                            attribute_mapping = {
                              attribute_sources = [
                                {
                                  ldap_attribute_source = {
                                    type = "LDAP"
                                    data_store_ref = {
                                      id = pingfederate_data_store.LDAP-INTERNAL.id
                                    }
                                    id            = "EmployeeADKerb"
                                    description   = "Employee AD"
                                    base_dn       = "OU=Users,OU=Accounts,DC=internal,DC=domain,DC=net"
                                    search_scope  = "SUBTREE"
                                    search_filter = "userPrincipalName=$${ad.InternalADKerberosAdapter.Username}"
                                    search_attributes = [
                                      "Subject DN",
                                      "mail",
                                      "memberOf"
                                    ]
                                    member_of_nested_group = false
                                  }
                                }
                              ]
                              attribute_contract_fulfillment = {
                                "MVSUserID" = {
                                  source = {
                                    type = "TEXT"
                                  }
                                  value = "\"\""
                                }
                                "mail" = {
                                  source = {
                                    type = "LDAP_DATA_STORE"
                                    id = "EmployeeADKerb"
                                  }
                                  value = "mail"
                                }
                                "subject" = {
                                  source = {
                                    type = "ADAPTER"
                                    id = pingfederate_idp_adapter.InternalADKerberosAdapter.id
                                  }
                                  value = "Username"
                                }
                                "token" = {
                                  source = {
                                    type = "EXPRESSION"
                                  }
                                  value = "#cn = #this.get(\"ad.InternalADKerberosAdapter.CN\"), #cn == null ? \"null\" : #cn, #token = new net.domain.tokens.Token(#cn, \"JV2\"), #result= #token.getToken()"
                                }
                                "memberOf" = {
                                  source = {
                                    type = "LDAP_DATA_STORE"
                                    id = "EmployeeADKerb"
                                  }
                                  value = "memberOf"
                                }
                                "token2" = {
                                  source = {
                                    type = "EXPRESSION"
                                  }
                                  value = "#cn = #this.get(\"ad.InternalADKerberosAdapter.CN\"), #cn == null ? \"null\" : #cn, #dn = #this.get(\"ad.InternalADKerberosAdapter.DistinguishedName\"), #dn == null ? \"null\" : #dn, #token = new net.domain.tokens.Token(\"JV2\", #cn, #dn, \"0.0.0.0\",\"Encrypt\", null), #result = #token.getToken()"
                                }
                                "userid" = {
                                  source = {
                                    type = "ADAPTER"
                                    id = pingfederate_idp_adapter.InternalADKerberosAdapter.id
                                  }
                                  value = "Username"
                                }
                              }
                            }
                          }
                        }
                      }
                    ]
                  }
                ]
              },
              {
                action = {
                  continue_policy_action = {
                    context = "No Match"
                  }
                }
              }
            ]
          }
        ]
      }
    }
  ]
}

Debug Output

Please provide your debug output with TF_LOG=DEBUG enabled on your terraform plan or terraform apply. Please provide a link to a GitHub Gist containing the complete debug output: https://www.terraform.io/docs/internals/debugging.html. Please do NOT paste the debug output in the issue; just paste a link to the Gist.

Panic Output

If Terraform produced a panic, please provide your debug output from the GO panic

Expected Behavior

Application Policies Created/Updated without error.

Actual Behavior

The policy gets created; however, the validation fails, resulting in the error below. It seems like there's an issue with checking the type when creating an LDAP Attribute Source on an Authentication Policy Contract.

│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to pingfederate_authentication_policies.authenticationPolicies, provider
│ "provider[\"registry.terraform.io/pingidentity/pingfederate\"]" produced an unexpected new value:
│ .authn_selection_trees[0].root_node.children[0].children[0].children[1].children[0].children[1].action.apc_mapping_policy_action.attribute_mapping.attribute_sources:
│ planned set element
│ cty.ObjectVal(map[string]cty.Value{"custom_attribute_source":cty.NullVal(cty.Object(map[string]cty.Type{"attribute_contract_fulfillment":cty.Map(cty.Object(map[string]cty.Type{"source":cty.Object(map[string]cty.Type{"id":cty.String,
│ "type":cty.String}), "value":cty.String})), "data_store_ref":cty.Object(map[string]cty.Type{"id":cty.String}),
│ "description":cty.String, "filter_fields":cty.Set(cty.Object(map[string]cty.Type{"name":cty.String,
│ "value":cty.String})), "id":cty.String, "type":cty.String})),
│ "jdbc_attribute_source":cty.NullVal(cty.Object(map[string]cty.Type{"attribute_contract_fulfillment":cty.Map(cty.Object(map[string]cty.Type{"source":cty.Object(map[string]cty.Type{"id":cty.String,
│ "type":cty.String}), "value":cty.String})), "column_names":cty.List(cty.String),
│ "data_store_ref":cty.Object(map[string]cty.Type{"id":cty.String}), "description":cty.String, "filter":cty.String,
│ "id":cty.String, "schema":cty.String, "table":cty.String, "type":cty.String})),
│ "ldap_attribute_source":cty.ObjectVal(map[string]cty.Value{"attribute_contract_fulfillment":cty.UnknownVal(cty.Map(cty.Object(map[string]cty.Type{"source":cty.Object(map[string]cty.Type{"id":cty.String,
│ "type":cty.String}), "value":cty.String}))),
│ "base_dn":cty.StringVal("OU=Users,OU=Accounts,DC=internal,DC=domain,DC=net"),
│ "binary_attribute_settings":cty.NullVal(cty.Map(cty.Object(map[string]cty.Type{"binary_encoding":cty.String}))),
│ "data_store_ref":cty.ObjectVal(map[string]cty.Value{"id":cty.StringVal("LDAP-INTERNAL")}),
│ "description":cty.StringVal("Employee AD"), "id":cty.StringVal("EmployeeAD"),
│ "member_of_nested_group":cty.False, "search_attributes":cty.SetVal([]cty.Value{cty.StringVal("Subject DN"),
│ cty.StringVal("mail"), cty.StringVal("memberOf")}),
│ "search_filter":cty.StringVal("sAMAccountName=${ad.InternalADHTMLAdapter.username}"),
│ "search_scope":cty.StringVal("SUBTREE"), "type":cty.StringVal("LDAP")})}) does not correlate with any element in
│ actual.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Steps to Reproduce

Please list the steps required to reproduce the issue, for example:

  1. terraform apply

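
As an added illustration (not part of the report above and not the provider's own code), the following Python models the rule Terraform applies when it emits "planned set element ... does not correlate with any element in actual": after apply, each element the plan placed in a set must be matched by one element the provider returned, where attributes the plan already knew must be equal and attributes the plan marked unknown (here `attribute_contract_fulfillment`, shown as `cty.UnknownVal` in the error) accept any returned value. The planned element is transcribed from the error output; the "actual" values are constructed hypotheticals, since the report shows only the planned side, and the function names (`correlates`, `find_uncorrelated`, `resolve`, `check`) are this example's own.

```python
"""Model of Terraform's post-apply consistency check for set-typed attributes.

Illustrative code written for this issue; it is not Terraform or provider code.
"""
from typing import Any, List

# Stands in for cty.UnknownVal: the provider said "known after apply".
UNKNOWN = object()


def correlates(planned: Any, actual: Any) -> bool:
    """True if `actual` is an acceptable post-apply value for `planned`.

    An unknown planned value accepts anything; objects must have the same
    attribute names with each attribute correlating; lists are treated as sets
    (order-insensitive, one-to-one matching); scalars must be equal.
    """
    if planned is UNKNOWN:
        return True
    if isinstance(planned, dict):
        if not isinstance(actual, dict) or set(planned) != set(actual):
            return False
        return all(correlates(planned[k], actual[k]) for k in planned)
    if isinstance(planned, list):
        if not isinstance(actual, list) or len(planned) != len(actual):
            return False
        remaining = list(actual)
        for p in planned:
            match = next((a for a in remaining if correlates(p, a)), None)
            if match is None:
                return False
            remaining.remove(match)
        return True
    return planned == actual


def find_uncorrelated(planned_set: List[dict], actual_set: List[dict]) -> List[dict]:
    """Return the planned set elements that no actual element correlates with.

    A non-empty result is the condition under which Terraform reports
    "Provider produced inconsistent result after apply" for a set.
    """
    return [p for p in planned_set if not any(correlates(p, a) for a in actual_set)]


def resolve(value: Any, fulfillment: Any) -> Any:
    """Build a hypothetical post-apply value by filling in the unknown attribute."""
    if value is UNKNOWN:
        return fulfillment
    if isinstance(value, dict):
        return {k: resolve(v, fulfillment) for k, v in value.items()}
    if isinstance(value, list):
        return [resolve(v, fulfillment) for v in value]
    return value


# Planned set element, transcribed from the error message in the report
# (null sibling sources and the unknown fulfillment map included).
PLANNED_LDAP_SOURCE = {
    "custom_attribute_source": None,
    "jdbc_attribute_source": None,
    "ldap_attribute_source": {
        "attribute_contract_fulfillment": UNKNOWN,
        "base_dn": "OU=Users,OU=Accounts,DC=internal,DC=domain,DC=net",
        "binary_attribute_settings": None,
        "data_store_ref": {"id": "LDAP-INTERNAL"},
        "description": "Employee AD",
        "id": "EmployeeAD",
        "member_of_nested_group": False,
        "search_attributes": ["Subject DN", "mail", "memberOf"],
        "search_filter": "sAMAccountName=${ad.InternalADHTMLAdapter.username}",
        "search_scope": "SUBTREE",
        "type": "LDAP",
    },
}


def check(actual_element: dict) -> List[dict]:
    """Run the set correlation check for the single planned element above."""
    return find_uncorrelated([PLANNED_LDAP_SOURCE], [actual_element])


def consistent_case() -> List[dict]:
    """Hypothetical: provider fills the computed map (empty here) and keeps
    every known attribute, so the element correlates and no error results."""
    return check(resolve(PLANNED_LDAP_SOURCE, {}))


def inconsistent_case() -> List[dict]:
    """Hypothetical matching the reporter's suspicion: provider returns the
    element with `type` dropped (null), so a known attribute no longer matches."""
    actual = resolve(PLANNED_LDAP_SOURCE, {})
    actual["ldap_attribute_source"]["type"] = None
    return check(actual)


if __name__ == "__main__":
    print("consistent:", consistent_case())      # []
    print("inconsistent:", len(inconsistent_case()), "uncorrelated element(s)")
```

The practical takeaway for reading such an error is that only the attributes shown as known values in the planned element can be the cause; the one marked `cty.UnknownVal` is free to change on apply, so the mismatch lies in something the provider read back differently from what it planned.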
henryrecker-pingidentity commented 2 months ago

@colinhuckstep, thank you for the clear bug report. We have noted this internally and will update you on any progress.

henryrecker-pingidentity commented 2 months ago

This fix will be included in the next provider release.

henryrecker-pingidentity commented 2 months ago

This fix was included in the v0.15.0 release - https://registry.terraform.io/providers/pingidentity/pingfederate/0.15.0