terraform-provider-okta
okta_app_group_assignment sorting in samlRoles of profiles trigger continuous changes
Hi,
Okta does not preserve the sorting as given in the profile JSON of the okta_app_group_assignment resource. As a result Terraform keeps updating the group assignment.
Terraform Version
- Terraform 1.1.3
- Okta 3.20.2
Affected Resource(s)
- okta_app_group_assignment
Terraform Configuration Files
resource "okta_app_group_assignment" "aws" {
  app_id   = data.okta_app.aws.id
  group_id = module.xxx.group_id
  priority = 1
  profile = jsonencode(
    {
      "role" : null,
      "samlRoles" : [
        "[${module.xxx_cb_analytics.account_alias}] -- XXXRole",
        "[${module.xxx_cb_data.account_alias}] -- XXXRole"
      ]
  })
  lifecycle {
    ignore_changes = [priority]
  }
}
Output
Terraform will perform the following actions:

  # okta_app_group_assignment.aws will be updated in-place
  ~ resource "okta_app_group_assignment" "aws" {
        id      = "xxx"
      ~ profile = jsonencode(
          ~ {
              ~ samlRoles = [
                  - "[xxx-cb-data-eu-west-1] -- XXXRole",
                    "[xxx-prd-analytics-eu-west-1] -- XXXRole",
                  + "[xxx-cb-data-eu-west-1] -- XXXRole",
                ]
                # (1 unchanged element hidden)
            }
        )
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
Expected Behavior
No Changes.
Actual Behavior
Resource keeps updating.
Hi, @fatbasstard! Thanks for submitting this issue! I'll investigate the problem and get back to you asap.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
@bogdanprodan-okta Saw the issue got closed (missed the stale bit) and I cannot reopen it.
Any update on this issue?
Thanks @fatbasstard I've reopened the issue.
@monde Double check manipulated sorting in resources
Are you able to pull the API response in a debug session to see if this is an issue with the API responding in this order, or something happening when the object is being parsed?
If it's the former, since this is a raw JSON interface, I'm not sure we'll be able to "fix" this using terraform/code, since we wouldn't know if the individual items are "lists" or "sets".
If it's the latter, there's probably something we can do to prevent sorting or other activities from occurring on the converted response.
Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-544488
@monde I don't have access to the Internal reference you shared. Any summary about what it states?
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
FYI: Still an issue
Hi @fatbasstard
- Because profile is free form JSON, so managing change detection doesn’t make sense as okta API may return equivalent values in a different representation (API response does not guarantee the ordering is the same as in the request)
- Is using lifecycle ignore on profile acceptable to your use case?
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
Is using lifecycle ignore on profile acceptable to your use case?
This looks like an AWS app assignment, so my guess would be that wouldn't be acceptable for most use-cases. If you're managing the permissions via Terraform, you probably want Terraform to be validating that groups have the desired permissions and would want it to correct drift.
Hi, exactly what @exitcode0 mentions. The App assignments are also actually updated and are vital to be kept in sync.
Something I think I've learned since my last comment on this one is about DiffSuppressFunc.
This is likely another case for DiffSuppressFunc in the provider. I've raised a few issues regarding how JSON normalisation by the underlying Okta API causes permadrift. A DiffSuppressFunc on JSON objects would be great; I wonder if these can all be solved at the same time.
E.g. #1597 and #1518
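The comments above turn on two points: the API may return an equivalent profile in a different representation (key order, whitespace, element order in samlRoles), and a raw JSON interface cannot tell on its own which arrays are lists and which are sets. The following added example, which is not code from terraform-provider-okta, shows how a DiffSuppressFunc-style comparison could separate representation differences from real drift: it parses both sides, sorts only the arrays under keys the provider explicitly declares as order-insensitive (here an assumed allow-list containing just samlRoles), keeps every other array ordered, and refuses to suppress when either side is not valid JSON. A genuine change to the set of roles still produces a diff, which is what you want when Terraform is the source of truth for AWS permissions. The function and key names are assumptions for this illustration; the real SDK DiffSuppressFunc also receives a *schema.ResourceData argument, which is omitted here so the block compiles without the SDK.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// orderInsensitiveKeys is an assumed allow-list: only arrays of strings found
// directly under these keys are treated as sets. Every other array keeps its
// order, because a raw JSON profile does not say whether order is significant.
var orderInsensitiveKeys = map[string]bool{"samlRoles": true}

// canonicalize parses a JSON document into a comparable Go value, sorting the
// string arrays stored under allow-listed keys so element order is ignored.
func canonicalize(doc string) (interface{}, error) {
	var v interface{}
	if err := json.Unmarshal([]byte(doc), &v); err != nil {
		return nil, err
	}
	return walk(v, ""), nil
}

// walk rebuilds the value tree; key is the object key under which v was found.
func walk(v interface{}, key string) interface{} {
	switch t := v.(type) {
	case map[string]interface{}:
		out := make(map[string]interface{}, len(t))
		for k, child := range t {
			out[k] = walk(child, k)
		}
		return out
	case []interface{}:
		out := make([]interface{}, len(t))
		for i, child := range t {
			out[i] = walk(child, "")
		}
		if orderInsensitiveKeys[key] && allStrings(out) {
			sort.Slice(out, func(i, j int) bool {
				return out[i].(string) < out[j].(string)
			})
		}
		return out
	default:
		// strings, numbers (float64 after Unmarshal), bools and null compare as-is
		return v
	}
}

func allStrings(xs []interface{}) bool {
	for _, x := range xs {
		if _, ok := x.(string); !ok {
			return false
		}
	}
	return true
}

// ProfileEquivalent reports whether two profile documents describe the same
// assignment after normalisation. A parse failure on either side returns
// false so that malformed state is surfaced as a diff rather than hidden.
func ProfileEquivalent(oldJSON, newJSON string) bool {
	a, err := canonicalize(oldJSON)
	if err != nil {
		return false
	}
	b, err := canonicalize(newJSON)
	if err != nil {
		return false
	}
	return reflect.DeepEqual(a, b)
}

// SuppressProfileDiff mirrors the (k, old, new) part of a DiffSuppressFunc
// signature; returning true tells the SDK to treat the attribute as unchanged.
func SuppressProfileDiff(k, oldValue, newValue string) bool {
	return ProfileEquivalent(oldValue, newValue)
}

func main() {
	// Constructed sample: what state holds (API order) vs. what config declares.
	fromAPI := `{"role":null,"samlRoles":["[acct-data] -- XXXRole","[acct-analytics] -- XXXRole"]}`
	fromConfig := `{ "role": null, "samlRoles": ["[acct-analytics] -- XXXRole", "[acct-data] -- XXXRole"] }`
	drifted := `{"role":null,"samlRoles":["[acct-analytics] -- XXXRole"]}`

	fmt.Println("reordered only, suppress:", SuppressProfileDiff("profile", fromAPI, fromConfig)) // true
	fmt.Println("role removed, suppress:  ", SuppressProfileDiff("profile", fromAPI, drifted))    // false
}
```

Wiring this into a real provider would mean registering it as the profile attribute's DiffSuppressFunc and deciding, per resource, which keys belong in the allow-list; the point of keeping that list explicit is that drift in anything not declared order-insensitive is still corrected by Terraform.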
@fatbasstard: I can't reproduce this issue in terraform (in the newest version 4.0.2). When I check manually using the API, the order of the attribute is still being preserved from what I can see. Can you provide the log detail for us to debug?
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
I'll try to set up an anonymous test setup. We've still got this all over the place.