terraform-provider-okta
Cannot edit access policy rule
I'm using the following code to create an access policy rule. It is created fine, but I cannot edit it in the UI: when I edit it and click "Update Rule" it just hangs there and does nothing.
On the other hand, if I create an exact ditto copy of the rule using the UI, it works fine.
Please advise what Terraform is doing differently that causes this problem.
```hcl
resource "okta_auth_server_policy_rule" "ast_auth_server_policy_rule" {
  auth_server_id       = okta_auth_server.ast-auth-server.id
  policy_id            = okta_auth_server_policy.ast_auth_server_policy.id
  status               = "ACTIVE"
  name                 = "${local.app_name_perfix}-policy-rule"
  priority             = 1
  grant_type_whitelist = ["client_credentials", "authorization_code", "password"]
  scope_whitelist      = ["openid", "profile", "email", "AST"]
  group_whitelist      = [okta_group.ASTUsers.id]
}
```
@ahmei0 I will look into this further.
@ahmei0 does the account that you log into the UI with have fewer privileges than the superadmin associated with the API token the Okta provider is using? Double check that for me; that will give me next steps for bug escalation.
No, both are superadmin
@ahmei0 could you check whether the "AST" scope exists in your Auth Server? Also, you can check the browser console to see what request the UI is making when you hit the Edit sign.
Yes, the AST scope exists.
Quoting the reply from the team who maintain this functionality :
I've never encountered something like this before. You should see if there are any errors in the console log or if any network requests are failing.
Here's the rules config I pulled using Postman, if that helps. 'backup_rule_ast' was created manually and works fine; retail-digital-ast-ec-nat-uat-policy-rule was created using TF and has the edit issue.
```json
[
  {
    "id": "0prx75efaYBTYjYek3l6",
    "status": "ACTIVE",
    "name": "retail-digital-ast-ec-nat-uat-policy-rule",
    "priority": 1,
    "created": null,
    "lastUpdated": null,
    "system": false,
    "conditions": {
      "people": {
        "users": {
          "exclude": []
        },
        "groups": {
          "include": [
            "00gx76jencRKTvlHA3l6"
          ]
        }
      },
      "grantTypes": {
        "include": [
          "password",
          "client_credentials",
          "authorization_code"
        ]
      },
      "scopes": {
        "include": [
          "openid",
          "profile",
          "email",
          "AST"
        ]
      }
    },
    "actions": {
      "token": {
        "accessTokenLifetimeMinutes": 60,
        "refreshTokenLifetimeMinutes": 0,
        "refreshTokenWindowMinutes": 10080
      }
    },
    "_links": {
      "self": {
        "href": "https://xxxx-uat.okta.com/api/v1/authorizationServers/xxx/policies/xxx/rules/xxx",
        "hints": {
          "allow": [
            "GET",
            "PUT",
            "DELETE"
          ]
        }
      },
      "deactivate": {
        "href": "https://xxxx-uat.okta.com/api/v1/authorizationServers/xxx/policies/xx/rules/xx/lifecycle/deactivate",
        "hints": {
          "allow": [
            "POST"
          ]
        }
      }
    },
    "type": "RESOURCE_ACCESS"
  },
  {
    "id": "0prxte2b4cnA1qrgb3l6",
    "status": "ACTIVE",
    "name": "backup_rule_ast",
    "priority": 2,
    "created": null,
    "lastUpdated": null,
    "system": false,
    "conditions": {
      "people": {
        "users": {
          "include": [],
          "exclude": []
        },
        "groups": {
          "include": [
            "00gx76jencRKTvlHA3l6"
          ],
          "exclude": []
        }
      },
      "grantTypes": {
        "include": [
          "client_credentials",
          "password",
          "authorization_code"
        ]
      },
      "scopes": {
        "include": [
          "openid",
          "profile",
          "email",
          "AST"
        ]
      }
    },
    "actions": {
      "token": {
        "accessTokenLifetimeMinutes": 60,
        "refreshTokenLifetimeMinutes": 0,
        "refreshTokenWindowMinutes": 10080
      }
    },
    "_links": {
      "self": {
        "href": "https://xxxx-uat.okta.com/api/v1/authorizationServers/xx/policies/xx/rules/xx",
        "hints": {
          "allow": [
            "GET",
            "PUT",
            "DELETE"
          ]
        }
      },
      "deactivate": {
        "href": "https://xxx-uat.okta.com/api/v1/authorizationServers/xx/policies/xx/rules/xx/lifecycle/deactivate",
        "hints": {
          "allow": [
            "POST"
          ]
        }
      }
    },
    "type": "RESOURCE_ACCESS"
  }
]
```
This is what I see in the browser when I press Update Rule:
Could not load content for webpack://AuthorizationServer/./src/models/ResourceAccessRule.js (HTTP error: status code 404, net::ERR_UNKNOWN_URL_SCHEME)
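A practitioner comparing the two rule objects posted above would look at their shape before their values: the Terraform-created rule carries `people.users.exclude` and `people.groups.include` only, while the UI-created rule also carries `people.users.include` and `people.groups.exclude` as empty arrays (the `grantTypes` lists differ only in order). The script below is an added example, not code from the thread or the provider. It runs offline on dicts constructed from the JSON above (trimmed to the fields that matter, `_links` dropped), reports the structural difference, and builds the body one would PUT back to the rule's `self` link with the missing arrays filled in. That filling is labelled as a hypothesis to test, not something the thread establishes as the cause.

```python
"""Compare the JSON shape of a Terraform-created and a UI-created Okta
auth-server policy rule, and build a normalized PUT body.

Added example; the two rule dicts are constructed from the API output posted
in the thread, not fetched live.
"""
import json

# Constructed from the thread: the rule Terraform created (cannot be edited in the UI) ...
TF_RULE = {
    "id": "0prx75efaYBTYjYek3l6",
    "status": "ACTIVE",
    "name": "retail-digital-ast-ec-nat-uat-policy-rule",
    "priority": 1,
    "system": False,
    "conditions": {
        "people": {
            "users": {"exclude": []},
            "groups": {"include": ["00gx76jencRKTvlHA3l6"]},
        },
        "grantTypes": {"include": ["password", "client_credentials", "authorization_code"]},
        "scopes": {"include": ["openid", "profile", "email", "AST"]},
    },
    "actions": {"token": {"accessTokenLifetimeMinutes": 60,
                          "refreshTokenLifetimeMinutes": 0,
                          "refreshTokenWindowMinutes": 10080}},
    "type": "RESOURCE_ACCESS",
}

# ... and the rule created by hand in the admin UI, which edits fine.
UI_RULE = {
    "id": "0prxte2b4cnA1qrgb3l6",
    "status": "ACTIVE",
    "name": "backup_rule_ast",
    "priority": 2,
    "system": False,
    "conditions": {
        "people": {
            "users": {"include": [], "exclude": []},
            "groups": {"include": ["00gx76jencRKTvlHA3l6"], "exclude": []},
        },
        "grantTypes": {"include": ["client_credentials", "password", "authorization_code"]},
        "scopes": {"include": ["openid", "profile", "email", "AST"]},
    },
    "actions": {"token": {"accessTokenLifetimeMinutes": 60,
                          "refreshTokenLifetimeMinutes": 0,
                          "refreshTokenWindowMinutes": 10080}},
    "type": "RESOURCE_ACCESS",
}

# Fields the API returns but a PUT must not carry.
READ_ONLY = ("id", "created", "lastUpdated", "_links")


def key_paths(obj, prefix=""):
    """Dotted paths of every key in a nested dict; list elements share their parent's path."""
    paths = set()
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            paths.add(path)
            paths |= key_paths(value, path)
    elif isinstance(obj, list):
        for value in obj:
            paths |= key_paths(value, prefix)
    return paths


def shape_diff(left, right, section="conditions"):
    """Keys present in one rule's section but absent from the other's; values are ignored."""
    left_paths = key_paths(left.get(section, {}), section)
    right_paths = key_paths(right.get(section, {}), section)
    return {"only_in_left": sorted(left_paths - right_paths),
            "only_in_right": sorted(right_paths - left_paths)}


def normalized_conditions(rule):
    """Deep copy of rule['conditions'] with every people.{users,groups}.{include,exclude}
    array present. Assumption (hypothesis, not a confirmed fix): the UI's rule model may
    expect these arrays, so filling them is the first thing to test with a PUT."""
    conds = json.loads(json.dumps(rule["conditions"]))
    people = conds.setdefault("people", {})
    for subject in ("users", "groups"):
        entry = people.setdefault(subject, {})
        entry.setdefault("include", [])
        entry.setdefault("exclude", [])
    return conds


def put_body(rule):
    """Body for PUT .../authorizationServers/{as}/policies/{p}/rules/{r}: the rule as
    returned by the API minus read-only fields, with normalized conditions."""
    body = {k: v for k, v in rule.items() if k not in READ_ONLY}
    body["conditions"] = normalized_conditions(rule)
    return body


if __name__ == "__main__":
    print(json.dumps(shape_diff(TF_RULE, UI_RULE), indent=2))
    print(json.dumps(put_body(TF_RULE), indent=2))
```

To use it against a live org, fetch the rule from its `_links.self.href` with an `SSWS` API token, pass the parsed object to `put_body`, PUT the result back to the same URL, and retry the edit in the UI; if the edit still hangs, the missing arrays were not the cause and the browser's network tab (as suggested earlier in the thread) is the next place to look.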
Any update on this?
Hi @ahmei0! The team responsible for this functionality is aware of the problem. I'll keep you posted once they give me some updates.
Were they able to reproduce it?
Internal ticket reference OKTA-441274
@ahmei0 I've managed to reproduce this bug. It's clearly some UI issue and the team responsible for this functionality will check it. I'll keep you posted.
I too faced the same issue. It seems to exist only when group_whitelist is set to any group other than "EVERYONE".
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.
OKTA-441274 is still on the backlog of the responsible internal team.
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.
Still on the backlog of the Okta feature team responsible for this bug.
OKTA-441274 is still on the backlog of the responsible internal team.
OKTA-441274 is still on the backlog of the responsible internal team. Trying to escalate this internally with a team dependency.
"bug(s) with resources having a priority setting" #1198
Dropping this example for the upcoming v3.34.0 release. It demonstrates how to chain resources (which will now have proper concurrency coordination) using the depends_on meta-argument so that the Okta service will respect the desired priority assignments.
```hcl
data "okta_group" "all" {
  name = "Everyone"
}

resource "okta_auth_server" "test" {
  name        = "testAcc_replace_with_uuid"
  description = "test"
  audiences   = ["whatever.rise.zone"]
}

resource "okta_auth_server_policy" "test" {
  name             = "test"
  description      = "test"
  priority         = 1
  client_whitelist = ["ALL_CLIENTS"]
  auth_server_id   = okta_auth_server.test.id
}

resource "okta_auth_server_policy_rule" "test_00" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 00"
  priority             = 1
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
}

resource "okta_auth_server_policy_rule" "test_01" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 01"
  priority             = 2
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_00]
}

resource "okta_auth_server_policy_rule" "test_02" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 02"
  priority             = 3
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_01]
}

resource "okta_auth_server_policy_rule" "test_03" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 03"
  priority             = 4
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_02]
}

resource "okta_auth_server_policy_rule" "test_04" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 04"
  priority             = 5
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_03]
}

resource "okta_auth_server_policy_rule" "test_05" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 05"
  priority             = 6
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_04]
}

resource "okta_auth_server_policy_rule" "test_06" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 06"
  priority             = 7
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_05]
}

resource "okta_auth_server_policy_rule" "test_07" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 07"
  priority             = 8
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_06]
}

resource "okta_auth_server_policy_rule" "test_08" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 08"
  priority             = 9
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_07]
}

resource "okta_auth_server_policy_rule" "test_09" {
  auth_server_id       = okta_auth_server.test.id
  policy_id            = okta_auth_server_policy.test.id
  status               = "ACTIVE"
  name                 = "Test Policy Rule 09"
  priority             = 10
  group_whitelist      = [data.okta_group.all.id]
  grant_type_whitelist = ["implicit"]
  depends_on           = [okta_auth_server_policy_rule.test_08]
}
```
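Terraform's depends_on cannot be computed per instance, so a chain like the maintainer's example has to be written out one resource per rule. The script below is an added example, not the provider's or the maintainer's code: it renders that chain for any list of rule names (priority equals position, each rule depending on the previous one), and it checks the rules the Okta API returns after apply against the intended order, reporting missing rules, rules whose priority does not match, and duplicate priorities. The resource references (`okta_auth_server.test.id`, `okta_auth_server_policy.test.id`, `data.okta_group.all.id`) are taken from the example above; the sample API response at the bottom is constructed, with two rules deliberately swapped so the check has something to find.

```python
"""Render a depends_on chain for N Okta auth-server policy rules and verify
the priorities the Okta API reports after apply.

Added example; SAMPLE_RULES is a constructed API response, not real data.
"""
import json
import urllib.request

RESOURCE = "okta_auth_server_policy_rule"


def rule_chain_hcl(names, auth_server_ref="okta_auth_server.test.id",
                   policy_ref="okta_auth_server_policy.test.id",
                   group_ref="data.okta_group.all.id",
                   grant_types=("implicit",)):
    """One rule resource per name, priority = position, each block depending on the
    previous one so the provider creates them strictly in order."""
    blocks = []
    for index, name in enumerate(names):
        lines = [
            f'resource "{RESOURCE}" "rule_{index:02d}" {{',
            f"  auth_server_id       = {auth_server_ref}",
            f"  policy_id            = {policy_ref}",
            '  status               = "ACTIVE"',
            f'  name                 = "{name}"',
            f"  priority             = {index + 1}",
            f"  group_whitelist      = [{group_ref}]",
            f"  grant_type_whitelist = {json.dumps(list(grant_types))}",
        ]
        if index > 0:
            lines.append(f"  depends_on           = [{RESOURCE}.rule_{index - 1:02d}]")
        lines.append("}")
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks)


def check_priorities(rules, expected_order):
    """Problems found when comparing the API's rule list with the intended order:
    missing rules, priorities that do not match the position in expected_order
    (the symptom the depends_on chain is meant to avoid), and duplicate priorities."""
    problems = []
    by_name = {}
    for rule in rules:
        by_name.setdefault(rule["name"], []).append(rule)
    for position, name in enumerate(expected_order, start=1):
        found = by_name.get(name)
        if not found:
            problems.append(f"missing rule: {name}")
            continue
        for rule in found:
            if rule["priority"] != position:
                problems.append(f"{name}: priority {rule['priority']}, expected {position}")
    priorities = [rule["priority"] for rule in rules]
    duplicates = sorted({p for p in priorities if priorities.count(p) > 1})
    if duplicates:
        problems.append(f"duplicate priorities: {duplicates}")
    return problems


def fetch_rules(org_url, auth_server_id, policy_id, api_token):
    """Live variant: GET the policy's rules with an SSWS API token (not run here)."""
    url = f"{org_url}/api/v1/authorizationServers/{auth_server_id}/policies/{policy_id}/rules"
    request = urllib.request.Request(url, headers={
        "Authorization": f"SSWS {api_token}",
        "Accept": "application/json",
    })
    with urllib.request.urlopen(request, timeout=30) as response:
        return json.load(response)


# Constructed sample response: rules 03 and 04 came back with swapped priorities.
EXPECTED_ORDER = [f"Test Policy Rule {i:02d}" for i in range(10)]
SAMPLE_RULES = [
    {"name": name, "priority": i + 1, "status": "ACTIVE"}
    for i, name in enumerate(EXPECTED_ORDER)
]
SAMPLE_RULES[3]["priority"], SAMPLE_RULES[4]["priority"] = 5, 4


if __name__ == "__main__":
    print(rule_chain_hcl(EXPECTED_ORDER))
    for problem in check_priorities(SAMPLE_RULES, EXPECTED_ORDER):
        print("PROBLEM:", problem)
```

After `terraform apply`, call `fetch_rules` with the org URL, the IDs from the Terraform state and an API token, and pass the result to `check_priorities` with the same name list used to render the chain; an empty list means the service kept the intended ordering.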
This issue is stale because it has been open 60 days with no activity. Remove the stale label or comment, or this will be closed in 5 days.