
okta_app_oauth is removing group assignments

Open ahmei0 opened this issue 2 years ago • 1 comments

I'm using the okta_app_group_assignment resource to assign different groups to an OAuth app created by okta_app_oauth.

But weirdly, the okta_app_oauth resource is removing the group assignments set by okta_app_group_assignment.

okta_app_oauth.ast_app_oauth will be updated in-place

  ~ resource "okta_app_oauth" "ast_app_oauth" {
      ~ groups = [
          - "00g15vat2jlL0VM4a3l7",
          - "00g1iewhmbYZFVibZ3l7",
          - "00g1k29ud1B8p9qYh3l7",
        ]
        id                      = "0oa15vcqam6H9RH5Y3l7"
        name                    = "oidc_client"
      ~ user_name_template      = "user.login" -> "${source.login}"
      ~ user_name_template_type = "CUSTOM" -> "BUILT_IN"
        # (31 unchanged attributes hidden)

  - users {
      - id       = "00u1k6luuuu87x89m3l7" -> null
      - scope    = "USER" -> null
      - username = "[email protected]" -> null
    }
}

The app code is as below; you can see I'm not using the groups param at all:
</gra_replace>
<gr_replace lines="25-36" cat="reformat" orig="resource &quot;okta_app_oauth&quot;">
resource "okta_app_oauth" "ast_app_oauth" {
  label                      = "${local.name_perfix}-nat"
  type                       = "native"
  response_types             = ["code", "token", "id_token"]
  grant_types                = var.enable_password_grant ? concat(var.grant_types, ["password"]) : var.grant_types
  consent_method             = "REQUIRED"
  redirect_uris              = var.redirect_uris
  login_uri                  = var.login_uri
  post_logout_redirect_uris  = var.post_logout_redirect_uris
  token_endpoint_auth_method = "none"
  implicit_assignment        = false
}

resource "okta_app_oauth" "ast_app_oauth" {
  label          = "${local.name_perfix}-nat"
  type           = "native"
  response_types = ["code", "token", "id_token"]
  grant_types    = "${var.enable_password_grant == true ? concat(var.grant_types, ["password"]) : var.grant_types}"
  consent_method = "REQUIRED"
  redirect_uris = var.redirect_uris
  login_uri     = var.login_uri
  post_logout_redirect_uris = var.post_logout_redirect_uris
  token_endpoint_auth_method = "none"
  implicit_assignment = false
}

ahmei0 avatar Jun 24 '22 05:06 ahmei0

@ahmei0 did this just start happening for you? Looking at the documentation https://registry.terraform.io/providers/okta/okta/latest/docs/resources/app_group_assignment I see this note that might be pertinent to your situation:

Note
When using this resource in conjunction with other application resources (e.g. okta_app_oauth) it is advisable to add the following lifecycle argument to the associated app_* resources to prevent the groups being unassigned on subsequent runs:

resource "okta_app_oauth" "app" {
  //...
  lifecycle {
    ignore_changes = [groups]
  }
}

Important
When the app_group_assignment is retained, by setting retain_assignment to true, it is no longer managed by Terraform after it is destroyed. To truly delete the assignment, you will need to remove it either through the Okta Console or API. This argument exists for the use case where the same group is assigned in multiple places in order to prevent a single destruction removing all of them.

monde avatar Jun 24 '22 14:06 monde
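A complete configuration showing the pattern the documentation note describes, as an added example that is not from the issue, the commenter or the provider's own docs: the app resource declares no groups and ignores drift on that attribute, while separate okta_app_group_assignment resources own the membership. The resource names, the group name, the redirect URI and the local group list are assumptions; the plan in the issue also shows a users block being dropped, so users is listed in ignore_changes alongside groups.

```hcl
# Added example, not code from the issue or the provider. Names, group list
# and redirect URI are assumptions for illustration.

locals {
  # Groups that should be assigned to the app, keyed by a stable label.
  app_groups = {
    engineering = "engineering"
    support     = "support"
  }
}

resource "okta_group" "app" {
  for_each = local.app_groups
  name     = each.value
}

resource "okta_app_oauth" "app" {
  label                      = "example-native-client"
  type                       = "native"
  grant_types                = ["authorization_code"]
  response_types             = ["code"]
  redirect_uris              = ["com.example.app:/callback"]
  token_endpoint_auth_method = "none"

  # No `groups` argument here: assignments are owned by the
  # okta_app_group_assignment resources below. Without ignore_changes,
  # the provider reconciles the empty in-config list against the
  # assignments present in Okta and plans their removal (the "- groups"
  # lines in the issue's plan). `users` is ignored for the same reason,
  # since the issue's plan shows a users block being removed as well.
  lifecycle {
    ignore_changes = [groups, users]
  }
}

# One assignment per group; this resource is the source of truth for
# which groups may use the app.
resource "okta_app_group_assignment" "app" {
  for_each = okta_group.app
  app_id   = okta_app_oauth.app.id
  group_id = each.value.id
}
```

After `terraform apply`, a second `terraform plan` should report no changes to `groups` on okta_app_oauth.app; if it still plans a removal, the lifecycle block is missing from that app resource or the assignment is being made through a different app resource than the one carrying the block. Adding a group is then a change to local.app_groups, and removing one destroys only its own okta_app_group_assignment rather than touching the app.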

This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.

github-actions[bot] avatar Aug 24 '22 00:08 github-actions[bot]