terraform-provider-okta

okta_app_group_assignment sorting in samlRoles of profiles trigger continuous changes

Open fatbasstard opened this issue 2 years ago • 6 comments

Hi,

Okta does not preserve the sorting as given in the profile JSON of the okta_app_group_assignment resource. As a result, Terraform keeps updating the group assignment.

Terraform Version

  • Terraform 1.1.3
  • Okta 3.20.2

Affected Resource(s)

  • okta_app_group_assignment

Terraform Configuration Files

resource "okta_app_group_assignment" "aws" {
  app_id   = data.okta_app.aws.id
  group_id = module.xxx.group_id
  priority = 1
  profile = jsonencode(
    {
      "role" : null,
      "samlRoles" : [
        "[${module.xxx_cb_analytics.account_alias}] -- XXXRole",
        "[${module.xxx_cb_data.account_alias}] -- XXXRole"
      ]
  })

  lifecycle {
    ignore_changes = [priority]
  }
}

Output

Terraform will perform the following actions:

  # okta_app_group_assignment.aws will be updated in-place
  ~ resource "okta_app_group_assignment" "aws" {
        id                = "xxx"
      ~ profile           = jsonencode(
          ~ {
              ~ samlRoles = [
                  - "[xxx-cb-data-eu-west-1] -- XXXRole",
                    "[xxx-prd-analytics-eu-west-1] -- XXXRole",
                  + "[xxx-cb-data-eu-west-1] -- XXXRole",
                ]
                # (1 unchanged element hidden)
            }
        )
        # (4 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Expected Behavior

No Changes.

Actual Behavior

Resource keeps updating

fatbasstard, Jan 10 '22 10:01

Hi, @fatbasstard! Thanks for submitting this issue! I'll investigate the problem and get back to you asap.

bogdanprodan-okta, Jan 12 '22 16:01

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot], Mar 14 '22 00:03

@bogdanprodan-okta Saw the issue got closed (missed the stale bit) and I cannot reopen it.

Any update on this issue?

fatbasstard, Mar 21 '22 13:03

Thanks @fatbasstard I've reopened the issue.

monde, Mar 21 '22 13:03

@monde Double check manipulated sorting in resources

bretterer, Jun 27 '22 15:06

Are you able to pull the API response in a debug session to see if this is an issue with the API responding in this order, or something happening when the object is being parsed?

If it's the former, since this is a raw JSON interface, I'm not sure we'll be able to "fix" this using terraform/code, since we wouldn't know if the individual items are "lists" or "sets".

If it's the latter, there's probably something we can do to prevent sorting or other activities from occurring on the converted response.

ymylei, Aug 28 '22 18:08

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-544488

monde, Oct 25 '22 17:10

@monde I don't have access to the Internal reference you shared. Any summary about what it states?

fatbasstard, Nov 17 '22 13:11

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot], Jan 26 '23 00:01

FYI: Still an issue

fatbasstard, Jan 26 '23 22:01

Hi @fatbasstard

  1. Because profile is free-form JSON, managing change detection doesn't make sense, as the Okta API may return equivalent values in a different representation (the API response does not guarantee the ordering is the same as in the request)
  2. Is using lifecycle ignore on profile acceptable to your use case?

duytiennguyen-okta, Mar 01 '23 03:03

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot], May 01 '23 00:05

> Is using lifecycle ignore on profile acceptable to your use case

This looks like an AWS app assignment, so my guess would be that wouldn't be acceptable for most use-cases if you're managing the permissions via Terraform. You probably want Terraform to be validating that groups have the desired permissions and would want to correct drift.

exitcode0, May 02 '23 00:05

Hi, exactly what @exitcode0 mentions. The App assignments are also actually updated and are vital to be kept in sync.

fatbasstard, Jun 27 '23 13:06

Something I think I've learned since my last comment on this one is about DiffSuppressFunc.

This is likely another case for DiffSuppressFunc in the provider. I've raised a few issues regarding how JSON normalisation by the underlying Okta API causes permadrift. DiffSuppressFunc on a JSON object would be great; I wonder if these can all be solved for at the same time.

E.g #1597 and #1518

exitcode0, Jun 27 '23 13:06
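
The order-insensitive comparison discussed in this thread, as an added example that is not part of the thread or the provider's code. It suppresses reorder-only differences in `samlRoles` while still reporting a real change in assigned roles; the names `profileEquivalent` and `unorderedKeys`, the choice of which keys are set-like, and the sample account aliases are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"reflect"
	"sort"
)

// unorderedKeys lists profile keys whose arrays are compared without regard
// to order. Assumption for this example: only samlRoles is set-like.
var unorderedKeys = map[string]bool{"samlRoles": true}

// normalize sorts arrays found under unorderedKeys in place and recurses
// into nested objects. Arrays under any other key keep their order.
func normalize(v interface{}) {
	obj, ok := v.(map[string]interface{})
	if !ok {
		return
	}
	for k, val := range obj {
		if arr, isArr := val.([]interface{}); isArr && unorderedKeys[k] {
			sort.SliceStable(arr, func(i, j int) bool {
				return fmt.Sprint(arr[i]) < fmt.Sprint(arr[j])
			})
			continue
		}
		normalize(val)
	}
}

// profileEquivalent reports whether two profile JSON documents differ only in
// object key order or in the element order of set-like arrays.
// Unparseable input is never treated as equivalent, so the diff stays visible.
func profileEquivalent(oldJSON, newJSON string) bool {
	var a, b interface{}
	if json.Unmarshal([]byte(oldJSON), &a) != nil || json.Unmarshal([]byte(newJSON), &b) != nil {
		return false
	}
	normalize(a)
	normalize(b)
	return reflect.DeepEqual(a, b)
}

func main() {
	// Constructed sample values, modelled on the plan output in the issue.
	state := `{"role":null,"samlRoles":["[acct-b] -- XXXRole","[acct-a] -- XXXRole"]}`
	config := `{"role":null,"samlRoles":["[acct-a] -- XXXRole","[acct-b] -- XXXRole"]}`
	fmt.Println(profileEquivalent(state, config))
}
```

A function of this shape could back a `DiffSuppressFunc` in the Terraform plugin SDK, which receives the old and new attribute values as strings. Unlike `ignore_changes` on `profile`, an added or removed role still produces a diff.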

@fatbasstard: I can't reproduce this issue in terraform (in the newest version 4.0.2). When I check manually using the API, the order of the attribute is still being preserved from what I can see. Can you provide the log detail for us to debug?

duytiennguyen-okta, Jun 28 '23 21:06

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

github-actions[bot], Aug 28 '23 00:08

I'll try to set up an anonymous test setup. We've still got this all over the place.

fatbasstard, Sep 15 '23 16:09