terraform-provider-cloudflare
`cloudflare_access_identity_provider` does not import config block settings
Confirmation
- [X] My issue isn't already found on the issue tracker.
- [X] I have replicated my issue using the latest version of the provider and it is still present.
Terraform and Cloudflare provider version
terraform -v
Terraform v1.1.4 on linux_amd64
- provider registry.terraform.io/cloudflare/cloudflare v3.8.0
Affected resource(s)
- cloudflare_access_identity_provider
Terraform configuration files
resource "cloudflare_access_identity_provider" "okta" {
  account_id = local.account_id
  name       = "Okta SAML"
  type       = "saml"
  config {
    attributes           = ["email", "groups"]
    issuer_url           = var.issuer_url
    sso_target_url       = var.sso_target_url
    email_attribute_name = ""
    sign_request         = false
    idp_public_cert      = local.okta_sso_cert
  }
}
Debug output
Notice how the result from the API call includes a config {} block. I would expect this to get imported.
-----------------------------------------------------: timestamp=2022-01-31T23:57:51.029Z
2022-01-31T23:57:51.262Z [INFO] provider.terraform-provider-cloudflare_v3.8.0: 2022/01/31 23:57:51 [DEBUG] Cloudflare API Response Details:
---[ RESPONSE ]--------------------------------------
HTTP/2.0 200 OK
Cf-Cache-Status: DYNAMIC
Cf-Ray: 6d66e27b3c4e7118-SJC
Content-Security-Policy: frame-ancestors 'none'; default-src https: 'unsafe-inline'
Content-Type: application/json; charset=UTF-8
Date: Mon, 31 Jan 2022 23:57:51 GMT
Expect-Ct: max-age=604800, report-uri="https://report-uri.cloudflare.com/cdn-cgi/beacon/expect-ct"
Server: cloudflare
Strict-Transport-Security: max-age=31536000; includeSubDomains
Vary: Accept-Encoding
X-Content-Type-Options: nosniff
X-Envoy-Upstream-Service-Time: 4
X-Frame-Options: DENY
X-Xss-Protection: 1; mode=block
{
  "result": {
    "id": "1241a7e1-92ad-4c9d-9e97-22024662201f",
    "type": "saml",
    "uid": "1241a7e1-92ad-4c9d-9e97-22024662201f",
    "name": "Okta SAML",
    "config": {
      "acs_url": "<REDACTED>",
      "attributes": [
        "email",
        "groups"
      ],
      "email_attribute_name": "",
      "header_attributes": null,
      "idp_public_cert": "**********************************",
      "issuer_url": "<REDACTED>",
      "sign_request": false,
      "sso_target_url": "<REDACTED>"
    },
    "version": "a261190c440acc4d945728355612ab11"
  },
  "success": true,
  "errors": [],
  "messages": []
}
-----------------------------------------------------: timestamp=2022-01-31T23:57:51.262Z
cloudflare_access_identity_provider.okta: Import prepared!
Prepared cloudflare_access_identity_provider for import
cloudflare_access_identity_provider.okta: Refreshing state... [id=1241a7e1-92ad-4c9d-9e97-22024662201f]
Panic output
No response
Expected output
I expected the existing saml config {} block to be imported into the state file.
Actual output
The config {} block of settings was not imported.
# terraform import cloudflare_access_identity_provider.okta <accountid>/1241a7e1-92ad-4c9d-9e97-22024662201f
cloudflare_access_identity_provider.okta: Importing from ID "<REDACTED>/1241a7e1-92ad-4c9d-9e97-22024662201f"...
cloudflare_access_identity_provider.okta: Import prepared!
Prepared cloudflare_access_identity_provider for import
cloudflare_access_identity_provider.okta: Refreshing state... [id=1241a7e1-92ad-4c9d-9e97-22024662201f]
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
Releasing state lock. This may take a few moments...
# terraform state show cloudflare_access_identity_provider.okta
# cloudflare_access_identity_provider.okta:
resource "cloudflare_access_identity_provider" "okta" {
    account_id = "<REDACTED>"
    id         = "1241a7e1-92ad-4c9d-9e97-22024662201f"
    name       = "Okta SAML"
    type       = "saml"
}
Steps to reproduce
Import any identity provider that has a config block.
Additional factoids
No response
References
No response
FWIW, if I make the following change and test that, the import works as expected. I'm unclear of the history or why it looks for that to begin with, so figured I'd leave it up to you to figure out the best way forward.
diff --git a/cloudflare/resource_cloudflare_access_identity_provider.go b/cloudflare/resource_cloudflare_access_identity_provider.go
index ca838496..e5fe0f0b 100644
--- a/cloudflare/resource_cloudflare_access_identity_provider.go
+++ b/cloudflare/resource_cloudflare_access_identity_provider.go
@@ -212,10 +212,6 @@ func convertSchemaToStruct(d *schema.ResourceData) (cloudflare.AccessIdentityPro
}
func convertStructToSchema(d *schema.ResourceData, options cloudflare.AccessIdentityProviderConfiguration) []interface{} {
- if _, ok := d.GetOk("config"); !ok {
- return []interface{}{}
- }
-
attributes := make([]string, 0)
for _, value := range options.Attributes {
attributes = append(attributes, value)
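Review bot: dropping the `d.GetOk("config")` guard at the top of convertStructToSchema makes the function always populate config from the API struct, which is what import needs, but the API response earlier in this issue returns secret fields masked (`"idp_public_cert": "**********************************"`), so on a regular refresh that masked string would now be written into state and produce a permanent diff against the real value in the configuration. Consider keeping the guard's behaviour for the refresh case (config already in state) and only filling from the API when state has no config, i.e. the import path, and add a short comment saying why, since the submitter notes the history of this check is unclear.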
The problem has still not been resolved, although a PR is attached. Is there any chance that this case will be resolved?
I was searching through open issues before I opened a new one regarding this same topic. I can confirm on v3.26.0 this is still an issue. I think it's due to the fact that the provider is confusing types here, since config is identified as a Block List, which really could be thought of as a "repeatable block". I don't believe an identity provider can have more than one config though.
If you'd like to fix this temporarily, you can edit your tfstate file directly and add your config attributes inside the config array, such as:
{
  "mode": "managed",
  "type": "cloudflare_access_identity_provider",
  "name": "okta",
  "provider": "provider[\"registry.terraform.io/cloudflare/cloudflare\"]",
  "instances": [
    {
      "schema_version": 0,
      "attributes": {
        "account_id": "<account_id>",
        "config": [{
          "client_id": "<client_id>",
          "client_secret": "**********************************",
          "okta_account": "https://<tenant>.okta.com",
          "pkce_enabled": true,
          "redirect_url": "https://<team_name>.cloudflareaccess.com/cdn-cgi/access/callback"
        }],
        "id": "<id>",
        "name": "Okta",
        "type": "okta",
        "zone_id": null
      },
      "sensitive_attributes": [],
      "private": "<private>"
    }
  ]
},
This will result in zero changes being planned.
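The state edit described in the comment above, as an added example that is not from the thread or the provider: it applies the same change to a pulled state document programmatically, writing `config` as a one-element list (the block-list shape) and bumping `serial` so the edited state can be pushed back. The resource address, placeholder values and the trimmed sample state are assumptions.

```python
import copy

# Constructed sample of a pulled state (`terraform state pull`), trimmed to the
# one resource shown in the thread; values are placeholders, not real tenant data.
SAMPLE_STATE = {
    "version": 4,
    "serial": 7,
    "lineage": "00000000-0000-0000-0000-000000000000",
    "resources": [
        {
            "mode": "managed",
            "type": "cloudflare_access_identity_provider",
            "name": "okta",
            "provider": 'provider["registry.terraform.io/cloudflare/cloudflare"]',
            "instances": [
                {
                    "schema_version": 0,
                    "attributes": {
                        "account_id": "<account_id>",
                        "id": "<id>",
                        "name": "Okta",
                        "type": "okta",
                        "zone_id": None,
                    },
                    "sensitive_attributes": [],
                    "private": "<private>",
                }
            ],
        }
    ],
}


def inject_idp_config(state: dict, name: str, config: dict) -> dict:
    """Return a copy of `state` with `config` added to identity provider `name`
    as a one-element list (the provider's block-list shape); never overwrites."""
    new_state = copy.deepcopy(state)
    matches = [
        r for r in new_state["resources"]
        if r["type"] == "cloudflare_access_identity_provider" and r["name"] == name
    ]
    if len(matches) != 1:
        raise KeyError(f"expected exactly one identity provider named {name!r}")
    for inst in matches[0]["instances"]:
        attrs = inst["attributes"]
        if attrs.get("config"):
            raise ValueError("config already present; refusing to overwrite")
        attrs["config"] = [dict(config)]  # block list: a list holding one object
    new_state["serial"] += 1  # `terraform state push` rejects an unchanged serial
    return new_state
```

Feed it the JSON from `terraform state pull`, write the result out and load it with `terraform state push`; the state carries client_secret, so handle the file like any other secret and keep the backup Terraform writes.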
The problem has still not been resolved