
okta_policy_rule_signon Invalid condition type specified: identity Provider

Open Pyrovisionary opened this issue 2 years ago • 3 comments

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Please note This seems like the same issue as this previously raised issue (#953), which was resolved in v3.2.0 and seems to have been reintroduced in v3.25.0

Terraform Version 1.0.8 Okta provider version 3.28.0

Affected Resource(s)

  • okta_policy_rule_signon

Terraform Configuration Files

// Assign a rule to the policy
resource "okta_policy_rule_signon" "SignOnPolicyRule" {
  policy_id           = okta_policy_signon.SignOnPolicy.id
  name                = var.SignOnPolicyRuleName
  priority            = 1
  status              = "ACTIVE"
  authtype            = "ANY"
  access              = "ALLOW"
  mfa_required        = true
  mfa_remember_device = true
  mfa_prompt          = "DEVICE"
  session_lifetime    = 120
  session_persistent  = true
  network_connection  = "ANYWHERE"
  risc_level          = "ANY"
  identity_provider   = "ANY"
}

Debug Output

│ Error: failed to create sign-on policy rule: failed to create policy rule: the API returned an error: Api validation failed: conditions. Causes: errorSummary: conditions: Invalid condition type specified: identityProvider.
│ 
│   with module.serviceAccountsAndPolicies.okta_policy_rule_signon.signOnPolicyRule,
│   on modules/serviceAccountsAndPolicies/serviceAccountsAndPolicies.tf line 247, in resource "okta_policy_rule_signon" "signOnPolicyRule":
│  247: resource "okta_policy_rule_signon" "signOnPolicyRule" {

Important Factoids

Issue #953 indicates that reverting to v3.20.8 resolves this issue, however, my wider code okta_email_customization, released in 3.26.0

References

  • #953

Feel free to request any further info.

Pyrovisionary avatar Jun 16 '22 14:06 Pyrovisionary

Thanks @Pyrovisionary. As you point out, this seems to be a duplicate of other issues reported for okta_policy_rule_signon. I'll have to make time to work on a fix.

monde avatar Jun 16 '22 15:06 monde

@Pyrovisionary - Do you see this in a *.oktapreview.com or *.okta.com Org? I am testing v3.30.0 in *.oktapreview.com and am able to create a rule with/without identity_provider.

In my *.oktapreview.com Org it worked and in *.okta.com Org I receive the same error you do. In my preview Org there is a feature that I had enabled that is not set up in prod. After enabling this feature I was able to create the rule in prod.

You will need to open a support case and ask to enable the feature that allows IdP-based sign-on policies. I suggest referencing this post as well.

emanor-okta avatar Jul 12 '22 22:07 emanor-okta
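The diagnosis above comes down to two things: the org rejects the `identityProvider` condition with a specific API error until the IdP sign-on policy feature is enabled, and the condition is optional in the API itself. The following added example (not code from the provider or from anyone in this thread) recognises that error in an Okta error response and builds the rule `conditions` object so the `identityProvider` key is only sent when the org accepts it; the request/response field names are assumed from Okta's public Policy API documentation, and the error JSON is constructed to match the message quoted in this issue.

```python
import json

# Constructed sample: the error body behind the message quoted in this issue.
# Okta reports validation detail in errorCauses as a list of {"errorSummary": ...}.
SAMPLE_ERROR = json.dumps({
    "errorCode": "E0000001",
    "errorSummary": "Api validation failed: conditions",
    "errorCauses": [
        {"errorSummary": "conditions: Invalid condition type specified: identityProvider."}
    ],
})


def idp_condition_rejected(error_body: str) -> bool:
    """True when an Okta API error says this org does not accept the
    identityProvider condition (the feature-flag symptom from this thread)."""
    try:
        err = json.loads(error_body)
    except json.JSONDecodeError:
        return False
    causes = [c.get("errorSummary", "") for c in err.get("errorCauses", [])]
    return any("Invalid condition type specified: identityProvider" in c for c in causes)


def sign_on_rule_conditions(network="ANYWHERE", auth_type="ANY",
                            identity_provider="ANY", idp_ids=(),
                            org_accepts_idp_condition=False) -> dict:
    """Build the `conditions` object for POST /api/v1/policies/{policyId}/rules
    (field names assumed from Okta's Policy API docs). identityProvider is
    only emitted when the org has the IdP sign-on feature enabled; leaving it
    out means the rule applies to any IdP, which is what "ANY" means anyway."""
    conditions = {
        "network": {"connection": network},
        "authContext": {"authType": auth_type},
    }
    if org_accepts_idp_condition:
        idp = {"provider": identity_provider}
        if identity_provider == "SPECIFIC_IDP":
            idp["idpIds"] = list(idp_ids)
        conditions["identityProvider"] = idp
    elif identity_provider != "ANY":
        # Refuse locally instead of letting the API reject the whole rule.
        raise ValueError("identity_provider other than ANY requires the IdP "
                         "sign-on policy feature to be enabled on the org")
    return conditions
```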

@emanor-okta For example, I had the same issue in the okta.com organization, not a preview. More details: https://github.com/okta/terraform-provider-okta/issues/953#issuecomment-1141099192

ivan-sukhomlyn avatar Jul 13 '22 08:07 ivan-sukhomlyn

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Oct 24 '22 00:10 github-actions[bot]

We'll be dedicating a sprint to the "policy" related issues.

monde avatar Oct 24 '22 18:10 monde

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] avatar Jan 04 '23 00:01 github-actions[bot]