pingidentity / terraform-provider-pingone

Terraform PingOne provider
https://registry.terraform.io/providers/pingidentity/pingone/
Mozilla Public License 2.0

Resources with `default` property cannot be updated after a manual change + `terraform refresh` #737

Closed LubosMagda closed 2 months ago

LubosMagda commented 6 months ago

Community Note

PingOne Terraform provider Version

0.26.0

Terraform Version

1.6.3

Affected Resource(s)

Terraform Configuration Files

```hcl
terraform {
  required_providers {
    pingone = {
      source  = "pingidentity/pingone"
      version = ">= 0.26"
    }
  }
}

provider "pingone" {
  region                       = "AsiaPacific"
  force_delete_production_type = false

  environment_id = var.admin_environment_id
  client_id      = var.admin_client_id
  client_secret  = var.admin_client_secret
}

resource "pingone_environment" "pingone_mfa_environment" {
  name       = "Test Env"
  region     = "AsiaPacific"
  license_id = var.license_id

  service {
    type = "MFA"
  }
}

resource "pingone_mfa_fido2_policy" "passkeys_policy" {
  environment_id           = pingone_environment.pingone_mfa_environment.id
  name                     = "My Passkeys"
  device_display_name      = "My Passkeys"
  relying_party_id         = "webauthn.guide"
  discoverable_credentials = "REQUIRED"
  authenticator_attachment = "PLATFORM"
  user_verification        = {
    option                        = "REQUIRED"
    enforce_during_authentication = true
  }
  backup_eligibility = {
    allow                         = true
    enforce_during_authentication = true
  }
  user_display_name_attributes = {
    attributes = [
      { name = "username" }
    ]
  }
  attestation_requirements        = "NONE"
  mds_authenticators_requirements = {
    enforce_during_authentication = true
    option                        = "NONE"
  }
}
```

Debug Output

terraform-apply.log

Expected Behavior

Terraform should be able to modify resources after the state sync (`terraform refresh`) following manual changes to the Terraform-managed resources.

Actual Behavior

Terraform is not able to manage the state of a P1MFA resource that was manually modified and synced using `terraform refresh`.

Steps to Reproduce

1. `terraform apply` to create the env with demo resources + My Passkeys FIDO policy
2. `terraform state show module.pingone_environment.pingone_mfa_fido2_policy.passkeys_policy` shows that `default = false`; this is set correctly, as the default FIDO policy is the Passkeys demo policy created with the environment (see this bug)
3. Set My Passkeys as the default policy manually (UI or REST API)
4. Delete the Passkeys and the Security Keys demo policies manually (UI or REST API) as we don't want them to be present in our production environment (similar reasoning applies to the MFA, authentication, and notification policies)
5. `terraform apply -refresh-only` correctly detects a change in the state of the My Passkeys FIDO policy and ignores the demo resources as it is not aware of them:

   ```
   Note: Objects have changed outside of Terraform

   Terraform detected the following changes made outside of Terraform since the last "terraform apply" which may have affected this plan:

     # module.pingone_environment.pingone_mfa_fido2_policy.passkeys_policy has changed
     ~ resource "pingone_mfa_fido2_policy" "passkeys_policy" {
         ~ default = false -> true
           id      = "38bb1ae3-9d7b-49bc-adcb-fe45b7085524"
           name    = "My Passkeys"
           # (10 unchanged attributes hidden)
       }
   ```

6. `terraform state show module.pingone_environment.pingone_mfa_fido2_policy.passkeys_policy` shows that `default = true`,
7. `terraform apply` confirms that there are no changes; everything looks good at this stage, but
8. any change to the _My Passkeys_ FIDO policy (e.g. `device_display_name = 'Passkeys'`) fails with this error:

   ```
   module.pingone_environment.pingone_mfa_fido2_policy.passkeys_policy: Modifying... [id=38bb1ae3-9d7b-49bc-adcb-fe45b7085524]
   ╷
   │ Error: Error when calling UpdateFIDO2Policy: The request violates a constraint imposed by the service.
   │
   │   with module.pingone_environment.pingone_mfa_fido2_policy.passkeys_policy,
   │   on .terraform/modules/pingone_environment/modules/administration.tf line 29, in resource "pingone_mfa_fido2_policy" "passkeys_policy":
   │   29: resource "pingone_mfa_fido2_policy" "passkeys_policy" {
   │
   │ PingOne Error Details:
   │ ID:      18d345d8-01dd-431c-aad2-77b2237f61e4
   │ Code:    REQUEST_FAILED
   │ Message: The request violates a constraint imposed by the service.
   │ Details object: [{"code":"CONSTRAINT_VIOLATION","message":"You cannot change the default policy to a non-default policy. Instead, designate a new policy as the default."}]
   ╵
   ```
Important Factoids

It seems the P1MFA Terraform provider does not respect the value of the `default` property in the tf state file.

patrickcping commented 6 months ago

Hi @LubosMagda! Thanks for raising this issue. This happens because the provider assumes (incorrectly) that it will only be managing non-default resources and will always set the default property to false.

I agree it should be smarter in this situation though. I'll look to adjust this in a patch release in a week or so.

Regarding #631 - this is something we're actively looking into as we understand the extra work needed to remove this demo configuration from environments. Ideally it will be solved in the API, but in the short term we're looking at a CLI tool that should help.
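The root cause described in the comment above, modelled as an added Go example (not the provider's own code): a stand-in service that enforces the constraint from the error in the report, an update that hard-codes `default = false` the way the provider currently does, and one that passes through the value Terraform refreshed into state. The struct and function names are assumptions, not the real PingOne API or provider schema.

```go
package main

import "errors"

// FIDO2Policy is a constructed stand-in for the subset of a PingOne MFA FIDO2
// policy relevant here; field names are assumptions, not the real API schema.
type FIDO2Policy struct {
	ID, Name, DeviceDisplayName string
	Default                     bool
}

// ErrConstraintViolation mirrors the CONSTRAINT_VIOLATION message in the report.
var ErrConstraintViolation = errors.New("CONSTRAINT_VIOLATION: You cannot change the default policy to a non-default policy. Instead, designate a new policy as the default.")

// FakeAPI simulates the service and enforces only the one rule the report hits.
type FakeAPI struct{ policies map[string]FIDO2Policy }

func (a *FakeAPI) UpdateFIDO2Policy(p FIDO2Policy) error {
	if a.policies[p.ID].Default && !p.Default {
		return ErrConstraintViolation
	}
	a.policies[p.ID] = p
	return nil
}

// buggyUpdate reproduces the behaviour described above: the request always
// carries Default=false, so the refreshed `default = true` is discarded.
func buggyUpdate(api *FakeAPI, planned FIDO2Policy) error {
	planned.Default = false // provider assumes it never manages the default policy
	return api.UpdateFIDO2Policy(planned)
}

// fixedUpdate sends the Default value Terraform already holds in state.
func fixedUpdate(api *FakeAPI, planned FIDO2Policy) error {
	return api.UpdateFIDO2Policy(planned)
}

// Scenario replays steps 3, 5 and 8 of the report: the policy was made the
// default outside Terraform, `terraform refresh` recorded default = true, and
// then device_display_name is changed in configuration.
func Scenario(update func(*FakeAPI, FIDO2Policy) error) error {
	api := &FakeAPI{policies: map[string]FIDO2Policy{
		"policy-1": {ID: "policy-1", Name: "My Passkeys", DeviceDisplayName: "My Passkeys", Default: true},
	}}
	refreshed := api.policies["policy-1"]    // what `terraform refresh` read back
	refreshed.DeviceDisplayName = "Passkeys" // the configuration change from step 8
	return update(api, refreshed)
}
```

With the buggy update the simulated service rejects the call exactly as in step 8; with the pass-through update the rename succeeds and the policy stays the default.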

patrickcping commented 5 months ago

The impacted resources are listed below alphabetically, with an action plan for each: