terraform-provider-okta

It is not possible to assign groups to an AppInstance that has Federation Broker Mode enabled

Open ahmei0 opened this issue 2 years ago • 3 comments

I have this error, which started appearing suddenly; it was working fine 3-4 weeks ago.

Error: failed to update application group assignment: the API returned an error: Api validation failed: GroupAppAssignment. Causes: errorSummary: It is not possible to assign groups to an AppInstance that has Federation Broker Mode enabled
│
│   with okta_app_group_assignment.group_MyAccountCustomers,
│   on app_group_assignment.tf line 1, in resource "okta_app_group_assignment" "group_MyAccountCustomers":
│    1: resource "okta_app_group_assignment" "group_MyAccountCustomers" {
│

Code is as below:

resource "okta_app_group_assignment" "group_MyAccountCustomers" {
  app_id   = okta_app_oauth.myacc_spa.id
  group_id = okta_group.MyAccountCustomers.id
  profile = <<JSON
  {
    "myAccount": "123456"
  }
  JSON
  depends_on = [
    okta_user_schema_property.user_myAccount,
    okta_app_user_schema_property.appuser_myAccount
  ]
}

ahmei0 Jun 22 '22 05:06

@ahmei0 that is an error coming from the API itself, not the Terraform provider. The resource okta_app_group_assignment makes use of the Application Group Operations endpoints (https://developer.okta.com/docs/reference/api/apps/#application-group-operations). The update operation of the resource is hitting PUT /api/v1/apps/${applicationId}/groups/${groupId}.

monde Jun 22 '22 16:06

@monde what I'm trying to understand here is whether provider behaviour has changed or Okta has made this broker feature take effect just now. We always had "implicit_assignment = true" on okta_app_oauth from day one, but it never enabled broker mode.

ahmei0 Jun 24 '22 01:06
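
A pre-apply check for the situation discussed in this thread, added here as an example (not code from the issue or from the provider): it reads the `configuration` section of `terraform show -json` output and lists every okta_app_group_assignment whose app_id references an okta_app_oauth that sets implicit_assignment. It assumes, as the comment above implies, that implicit_assignment is the setting tied to Federation Broker Mode; the sample plan and the function name `broker_mode_conflicts` are constructed for illustration.

```python
import json

# Constructed sample, shaped like the "configuration" part of
# `terraform show -json <planfile>` output (not taken from the issue).
SAMPLE_PLAN = json.loads("""
{"configuration": {"root_module": {"resources": [
  {"address": "okta_app_oauth.myacc_spa", "type": "okta_app_oauth",
   "expressions": {"implicit_assignment": {"constant_value": true}}},
  {"address": "okta_app_oauth.other_spa", "type": "okta_app_oauth",
   "expressions": {"implicit_assignment": {"constant_value": false}}},
  {"address": "okta_app_group_assignment.group_MyAccountCustomers",
   "type": "okta_app_group_assignment",
   "expressions": {"app_id": {"references":
     ["okta_app_oauth.myacc_spa.id", "okta_app_oauth.myacc_spa"]}}},
  {"address": "okta_app_group_assignment.group_Other",
   "type": "okta_app_group_assignment",
   "expressions": {"app_id": {"references":
     ["okta_app_oauth.other_spa.id", "okta_app_oauth.other_spa"]}}}
]}}}
""")


def broker_mode_conflicts(module):
    """Return (assignment, app) address pairs, per module, where the app sets implicit_assignment."""
    resources = module.get("resources", [])
    implicit = set()
    for r in resources:
        if r.get("type") != "okta_app_oauth":
            continue
        expr = r.get("expressions", {}).get("implicit_assignment", {})
        # A variable or local cannot be resolved from configuration alone, so flag it as well.
        if expr.get("constant_value") is True or "references" in expr:
            implicit.add(r["address"])
    conflicts = []
    for r in resources:
        if r.get("type") != "okta_app_group_assignment":
            continue
        refs = r.get("expressions", {}).get("app_id", {}).get("references", [])
        conflicts += [(r["address"], ref) for ref in refs if ref in implicit]
    # Addresses are module-local, so nested modules are matched separately.
    for call in module.get("module_calls", {}).values():
        conflicts += broker_mode_conflicts(call.get("module", {}))
    return conflicts


if __name__ == "__main__":
    for assignment, app in broker_mode_conflicts(SAMPLE_PLAN["configuration"]["root_module"]):
        print(f"{assignment} targets {app}, which sets implicit_assignment")
```
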

@ahmei0 there hasn't been a change to the resource code for okta_app_group_assignment in okta/resource_okta_app_group_assignment.go since March. I'm not sure if the behavior on the Okta monolith changed in some subtle manner, as the error message is coming from the API and passed through the TF to the runtime. Did settings or feature flags change, or were any applied to your org?

commit f6a8a4506ab0eb916af3a0a9516473159e62d2e3
Author: Mike Mondragon
Date:   Thu Mar 10 15:17:58 2022 -0800

    Adjust code for okta-sdk-golang v2.11.1 changes.

diff --git a/okta/resource_okta_app_group_assignment.go b/okta/resource_okta_app_group_assignment.go
index cbe4b99b..c12d2ecd 100644
--- a/okta/resource_okta_app_group_assignment.go
+++ b/okta/resource_okta_app_group_assignment.go
@@ -155,8 +155,7 @@ func buildAppGroupAssignment(d *schema.ResourceData) okta.ApplicationGroupAssign
        }
        p, ok := d.GetOk("priority")
        if ok {
-               priority := int64(p.(int))
-               assignment.Priority = &priority
+               assignment.Priority = int64(p.(int))
        }
        return assignment
 }
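
Review bot: On the `assignment.Priority = int64(p.(int))` line, Priority is now a plain int64, so when `ok` is false the returned assignment carries 0 rather than nil, and an unset priority can no longer be told apart from an explicit 0. Please confirm that a zero Priority is omitted when the assignment is serialized, or add a comment here saying the zero value is intentional. The commit message could also name the SDK type change it adapts to, since "v2.11.1 changes" alone does not say why the pointer was dropped.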

monde Jun 24 '22 14:06

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot] Oct 21 '22 00:10