terraform-provider-okta
terraform-provider-okta copied to clipboard
okta
DOCUMENTATION: resource okta_app_saml fails with error, subDomain: The field cannot be left blank
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Description
Please update documentation for terraform resource okta_app_saml to include the required "subDomain" field when using "pre-configured" apps. (I'm not sure if all pre-configured apps need this, but the "snowflake" app definitely does.)
New or Affected Resource(s)
- okta_app_saml
Potential Terraform Configuration
I tried to create an Okta application using preconfigured_app as shown below.
resource "okta_app_saml" "snowflake" {
preconfigured_app = "snowflake"
label = var.okta_app_name
status = var.okta_app_enabled ? "ACTIVE" : "INACTIVE"
auto_submit_toolbar = true
}
This resulted in the following error.
okta_app_saml.snowflake: Creating...
╷
│ Error: failed to create SAML application: the API returned an error: Api validation failed: subDomain. Causes: errorSummary: subDomain: The field cannot be left blank
│
│ with okta_app_saml.snowflake,
│ on main.tf line 6, in resource "okta_app_saml" "snowflake":
│ 6: resource "okta_app_saml" "snowflake" {
Adding the following to my okta_app_saml resource resolved the issue. This is not documented anywhere that I could find. I recommended updating the documentation for this terraform resource, maybe to include an example setting the subDomain field.
app_settings_json = jsonencode({
subDomain = var.snowflake_account_name
})
References
https://registry.terraform.io/providers/okta/okta/latest/docs/resources/app_saml
To my knowledge, the content that is acceptable and/or required in app_settings_json is defined by the author of the preconfigured_app (OIN app), in this case snowflake
I'm not sure how the Terraform provider could account for this without the Upstream API adding some sort of new functionality.
e.g the Upstream Okta API creates a new endpoint that returns the app_settings_json schema for a given preconfigured_app
Ah I see what you mean. Not sure how you could solve that issue, short of letting each OIN provider update the terraform documentation (which probably isn't feasible).
For the record, I discovered what I needed for the Snowflake app, by creating an app integration in the console, importing it into terraform, then dumping the config using terraform state pull.
For the record, I discovered what I needed for the Snowflake app, by creating an app integration in the console, importing it into terraform, then dumping the config using terraform state pull.
I've adopted a similar workflow for OIN apps, I use an Okta trail account instead to avoid using my production account(s)
I've raised an Okta idea about this - https://ideas.okta.com/app/#/case/189232
Some nerdsniped sleuthing later, it appears that this endpoint gives some of the data required
oinmanager.okta.com/api/v1/catalog/integrations/<preconfigured_app_name>
I think this endpoint might be what we need, but I think its only internal facing, perhaps its been replaced by the above APIs ¯\(ツ)/¯
example.okta.com/api/internal/app/catalogue/v2
@jeffreymlewis Thank you for logging this issue! We are working on making the schemas of the OIN apps public. However, there are 7,000+ apps in the Okta Integration Network, so this will take some time. 😅 Currently we are focused on our top apps. Please stay tuned as we make more progress in this area.
OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-669851
