pulumi / pulumi-okta

An Okta Pulumi resource package, providing multi-language access to Okta
Apache License 2.0

OAuth app loses assignments when updating #52

Closed Sodki closed 2 weeks ago

Sodki commented 4 years ago

Hi, I have an OAuth app followed by a group assignment:

import pulumi
import pulumi_okta as okta

# `provider` is an okta.Provider instance defined elsewhere in the program.
app = okta.app.OAuth("app",
    label="app",
    type="web",
    grant_types=["authorization_code"],
    hide_web=False,
    response_types=["code"],
    opts=pulumi.ResourceOptions(provider=provider))

okta.app.GroupAssignment("mygroup",
    app_id=app.id,
    group_id="<group id>",
    opts=pulumi.ResourceOptions(parent=app, provider=provider))

If I make any change to the OAuth app, for example changing hide_web from False to True, only that resource will change, but in Okta the group is no longer assigned to the application.

leezen commented 4 years ago

When you perform the update, does it show an update being applied to the group assignment?

Sodki commented 4 years ago

No, it only shows an update to the hideWeb field:

 ~   ├─ okta:app:OAuth       app      update     [diff: ~hideWeb]

Just as a note, I've just tried using version 2.4.0 of the Plugin, which was released yesterday, and the problem still persists.

As a workaround I've been using the group and user input property of app.OAuth, which the documentation says is not recommended, but it works.

Sodki commented 4 years ago

I've now followed the warning in the documentation and added an ignore_changes on the app.OAuth resource, but it still made no difference:

app = okta.app.OAuth("app",
    label="app",
    type="web",
    grant_types=["authorization_code"],
    hide_web=False,
    response_types=["code"],
    opts=pulumi.ResourceOptions(ignore_changes=["groups", "users"], provider=provider))

I want to point out that this only made sense after I read this latest patch upstream, which actually explains why that would be needed: https://github.com/oktadeveloper/terraform-provider-okta/pull/172/files

For reference:

!> NOTE When using this resource in conjunction with other application resources (e.g. okta_app_oauth) it is advisable to add the following lifecycle argument to the associated app_* resources to prevent the groups being unassigned on subsequent runs:

So I think this is definitely related to my problem, but the solution doesn't work for me.

leezen commented 4 years ago

If there's no diff, then I wouldn't expect any changes to be made in the provider, so I'm not sure why the group would no longer be assigned. If you run a pulumi refresh, is it able to read the state of the group assignment?
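
A post-update drift check for the symptom discussed in this thread, as an added example that is not part of the original issue or the provider's code: it compares the group assignments recorded in a `pulumi stack export` with the groups Okta reports for each app. The type token, the `appId`/`groupId` output names, and all sample IDs are assumptions.

```python
import json

# Assumption: type token of okta.app.GroupAssignment in `pulumi stack export` output.
GROUP_ASSIGNMENT_TYPE = "okta:app/groupAssignment:GroupAssignment"

def expected_assignments(stack_export):
    """Return the (app_id, group_id) pairs that Pulumi state believes exist."""
    pairs = set()
    for res in stack_export.get("deployment", {}).get("resources", []):
        if res.get("type") != GROUP_ASSIGNMENT_TYPE:
            continue
        out = res.get("outputs", {})
        if "appId" in out and "groupId" in out:  # assumed camelCase output names
            pairs.add((out["appId"], out["groupId"]))
    return pairs

def missing_assignments(stack_export, live_groups_by_app):
    """Return pairs recorded in state but absent from Okta's live view.

    live_groups_by_app maps an app id to the parsed JSON list returned by
    GET /api/v1/apps/{appId}/groups, fetched separately with a read-only token.
    """
    missing = []
    for app_id, group_id in sorted(expected_assignments(stack_export)):
        live_ids = {g["id"] for g in live_groups_by_app.get(app_id, [])}
        if group_id not in live_ids:
            missing.append((app_id, group_id))
    return missing

# Constructed sample data (not taken from the issue).
SAMPLE_STATE = {"version": 3, "deployment": {"resources": [
    {"type": "okta:app/oAuth:OAuth",
     "outputs": {"id": "0oaEXAMPLEapp", "hideWeb": True}},
    {"type": GROUP_ASSIGNMENT_TYPE,
     "outputs": {"appId": "0oaEXAMPLEapp", "groupId": "00gEXAMPLEgrp"}},
]}}
LIVE_BEFORE = {"0oaEXAMPLEapp": [{"id": "00gEXAMPLEgrp", "priority": 0}]}
LIVE_AFTER = {"0oaEXAMPLEapp": []}  # what Okta reports after the hideWeb update

if __name__ == "__main__":
    print("before update:", missing_assignments(SAMPLE_STATE, LIVE_BEFORE))
    print("after update: ", json.dumps(missing_assignments(SAMPLE_STATE, LIVE_AFTER)))
```

Run after each `pulumi up` that reports no diff on the assignment; a non-empty result means state and Okta disagree.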

jizzaki commented 3 years ago

> I've now followed the warning in the documentation and added an ignore_changes on the app.OAuth resource, but it still made no difference:
>
> app = okta.app.OAuth("app",
>     label="app",
>     type="web",
>     grant_types=["authorization_code"],
>     hide_web=False,
>     response_types=["code"],
>     opts=pulumi.ResourceOptions(ignore_changes=["groups", "users"], provider=provider))
>
> I want to point out that this only made sense after I read this latest patch upstream, which actually explains why that would be needed: https://github.com/oktadeveloper/terraform-provider-okta/pull/172/files
>
> For reference:
>
> !> NOTE When using this resource in conjunction with other application resources (e.g. okta_app_oauth) it is advisable to add the following lifecycle argument to the associated app_* resources to prevent the groups being unassigned on subsequent runs:
>
> So I think this is definitely related to my problem, but the solution doesn't work for me.

I'm having the exact same problem. Have you found a workaround?

I tried adding the DeleteBeforeReplace option and this doesn't seem to work either. I verified in the console that the application is not deleted and that it still creates the Okta Application with the same ID. I don't think the custom resource options are being applied to Okta resources.

}, new CustomResourceOptions { DeleteBeforeReplace = true, IgnoreChanges = new List<string> { "groups" } });

Sodki commented 3 years ago

I'm sorry, I don't use Okta any more, so I can't help with this issue.

rodriguesgm commented 2 years ago

Just to share, I do not have this error when updating my OAuth app. But I'm not defining the hideWeb flag; I can change any property in my app and it will update without removing the group assignment.

export const myApp = new okta.app.OAuth('okta-facade-health-test', {
    label: 'My label',
    type: 'native',
    status: config.status,
    grantTypes: ['authorization_code', 'password'],
    responseTypes: ['code'],
    tokenEndpointAuthMethod: 'client_secret_basic',
    clientId: config.clientId,
    clientBasicSecret: config.clientSecret,
    redirectUris: [
        `https://${okta.config.orgName}.${okta.config.baseUrl}/callback`
    ],
    postLogoutRedirectUris: [
    ],
});

But I tried to add hideWeb=True just to test and it indeed removed the group assignment once I ran the code. I can see the changes in the update, not sure why it's removing the group. Weird, I don't see the hideWeb changes.

After that, I tried to remove the hideWeb=True and the group was not assigned back; it just changed this property.

mjeffryes commented 1 month ago

Unfortunately, it looks like this issue hasn't seen any updates in a while. If you're still encountering this problem, could you leave a quick comment to let us know so we can prioritize it?