
okta_auth_server_policy priority related repeat deployments #2140

Open
richard-collette-precisely opened this issue Nov 19, 2024 · 3 comments
Labels
breaking-change Will break established behavior of the current minor version of the provider triaged Triaged into internal Jira

Comments

@richard-collette-precisely

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform 1.9.8

Affected Resource(s)

  • okta_auth_server_policy

Terraform Configuration Files

I'm using terraform CDK but the issue is with the underlying provider.

    this.authServerPolicy = new AuthServerPolicy(
      this,
      `${configuration.label}_AccessPolicy`,
      {
        authServerId:
          this._options.authorizationServerConstruct.authorizationServer.id,
        clientWhitelist: [this._options.appOauth.id],
        description: configuration.label + " Access Policy",
        name: configuration.accessPolicyName,
        priority: 100,
        dependsOn: this._options.dependsOn
          ? [this._options.dependsOn]
          : undefined,
      },
    );
  }

Debug Output

This is not debug output but sufficient to show the issue. In these logs, you can see that an update is being performed to put the priority back to 100.

  # okta_auth_server_policy.dis-dis-suiteadmin-accessmanagementapi-dev_ApplicationAccessPolicy_DIS-SuiteAdmin-AccessManagementApi-dev_AccessPolicy_5E343DCB (dis-dis-suiteadmin-accessmanagementapi-dev_ApplicationAccessPolicy/DIS-SuiteAdmin-AccessManagementApi-dev_AccessPolicy) will be updated in-place
  ~ resource "okta_auth_server_policy" "dis-dis-suiteadmin-accessmanagementapi-dev_ApplicationAccessPolicy_DIS-SuiteAdmin-AccessManagementApi-dev_AccessPolicy_5E343DCB" {
        id               = "00p28nks0t5Y2eA3G0h8"
        name             = "SuiteAdmin-AccessManagementApi-dev"
      ~ priority         = 1 -> 100
        # (4 unchanged attributes hidden)
    }
  # okta_auth_server_policy.dis-dis-suiteadmin-fulfillmentapi-dev_ApplicationAccessPolicy_DIS-SuiteAdmin-FulfillmentApi-dev_AccessPolicy_B71FDA12 (dis-dis-suiteadmin-fulfillmentapi-dev_ApplicationAccessPolicy/DIS-SuiteAdmin-FulfillmentApi-dev_AccessPolicy) will be updated in-place
  ~ resource "okta_auth_server_policy" "dis-dis-suiteadmin-fulfillmentapi-dev_ApplicationAccessPolicy_DIS-SuiteAdmin-FulfillmentApi-dev_AccessPolicy_B71FDA12" {
        id               = "00p28nksep9WH09Yc0h8"
        name             = "SuiteAdmin-FulfillmentApi-dev"
      ~ priority         = 2 -> 100
        # (4 unchanged attributes hidden)
    }
  # okta_auth_server_policy.dis-dis-suiteadmin-uiintegrationhooktest-dev_ApplicationAccessPolicy_DIS-SuiteAdmin-UIIntegrationHookTest-dev_AccessPolicy_D42DBBDF (dis-dis-suiteadmin-uiintegrationhooktest-dev_ApplicationAccessPolicy/DIS-SuiteAdmin-UIIntegrationHookTest-dev_AccessPolicy) will be updated in-place
  ~ resource "okta_auth_server_policy" "dis-dis-suiteadmin-uiintegrationhooktest-dev_ApplicationAccessPolicy_DIS-SuiteAdmin-UIIntegrationHookTest-dev_AccessPolicy_D42DBBDF" {
        id               = "00p299bmienjPQ54Y0h8"
        name             = "SuiteAdmin-UIIntegrationHookTest-dev"
      ~ priority         = 3 -> 100
        # (4 unchanged attributes hidden)
    }

Expected Behavior

Updates should not occur when no changes have been made to the configuration (i.e., the apply should be idempotent).

Can this be done in the Admin UI?

I don't know

Can this be done in the actual API call?

Yes, because priority is not a required field in the API.

image

Actual Behavior

Priority is mandatory in the provider. A high number is used so that policies will be inserted in dependency order. Upon creation, the policy is assigned a new priority but that new priority is not captured in state. On the next deployment, the current priority (ex. 1) does not match the plan priority (100) and a change update occurs.
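The drift described above, written out as an added HCL example. This is not the issue author's CDK code and not a fix from the provider; resource names, variable names and the app/auth-server IDs are placeholders, and the claim that an explicitly pinned, consecutive priority round-trips cleanly through Okta is an assumption to verify against your own tenant. The first resource reproduces the reported pattern (every policy asks for `priority = 100`, Okta hands back 1, 2, 3 on creation, the returned value never reaches state, so every later plan proposes `N -> 100` again). The second pins the priority to the value Okta would assign, so the evaluation order stays under Terraform's control. The third shows `ignore_changes` as an escape hatch, with the cost that entails.

```hcl
# Added example, not code from the issue or the okta provider.
# All IDs below are constructed placeholders.

variable "auth_server_id" {
  type    = string
  default = "aus_placeholder_auth_server"
}

locals {
  # Ordered list: list position decides the evaluation order that the issue
  # author was trying to get from creation order. Policy names come from the
  # plan output in the issue; app IDs are placeholders.
  policies = [
    { name = "SuiteAdmin-AccessManagementApi-dev",  app_id = "0oa_placeholder_access_mgmt" },
    { name = "SuiteAdmin-FulfillmentApi-dev",       app_id = "0oa_placeholder_fulfillment" },
    { name = "SuiteAdmin-UIIntegrationHookTest-dev", app_id = "0oa_placeholder_hook_test" },
  ]
}

# 1. The reported pattern: one high priority for every policy. Okta assigns
#    1, 2, 3 at creation, the provider keeps 100 in state, and each subsequent
#    plan shows "priority = 1 -> 100" (and 2 -> 100, 3 -> 100) as an in-place
#    update even though nothing in the configuration changed.
resource "okta_auth_server_policy" "reported" {
  for_each = { for p in local.policies : p.name => p }

  auth_server_id   = var.auth_server_id
  name             = each.key
  description      = "${each.key} Access Policy"
  client_whitelist = [each.value.app_id]
  priority         = 100
}

# 2. Pinned priorities: the configured value is the one Okta will hold, so
#    state and the API agree after creation and the plan is empty on the next
#    run. Assumption: Okta stores an explicitly supplied, unique priority as
#    given; confirm this in a test tenant before relying on it.
resource "okta_auth_server_policy" "pinned" {
  for_each = { for i, p in local.policies : p.name => merge(p, { priority = i + 1 }) }

  auth_server_id   = var.auth_server_id
  name             = each.key
  description      = "${each.key} Access Policy"
  client_whitelist = [each.value.app_id]
  priority         = each.value.priority
}

# 3. Escape hatch: stop diffing on priority entirely. The perpetual update
#    disappears, but Terraform no longer notices if someone reorders policies
#    in the Admin Console or via the API.
resource "okta_auth_server_policy" "unmanaged_priority" {
  for_each = { for p in local.policies : p.name => p }

  auth_server_id   = var.auth_server_id
  name             = each.key
  description      = "${each.key} Access Policy"
  client_whitelist = [each.value.app_id]
  priority         = 100

  lifecycle {
    ignore_changes = [priority]
  }
}
```

Which of the last two to use is a security decision, not just a convenience one. Okta evaluates authorization server policies in priority order, so the order decides which policy (and therefore which rules, scopes and token lifetimes) applies when a client matches more than one policy. With each policy scoped to a single app through `client_whitelist`, as in the issue, the order rarely matters; as soon as a catch-all or shared policy is added, an `ignore_changes` on `priority` means a manual reorder in the console goes unreviewed and undetected by the next plan. Pinning the priority keeps that ordering in the reviewed configuration.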

@duytiennguyen-okta duytiennguyen-okta added waiting-response Waiting on collaborator to respond to follow-on discussion breaking-change Will break established behavior of the current minor version of the provider labels Nov 19, 2024
@duytiennguyen-okta
Copy link
Contributor

duytiennguyen-okta commented Nov 19, 2024

@richard-collette-precisely So just to be clear, you have an issue with an authorization server policy or an access policy? You are showing in Postman a different policy type than the one in CDK.

@richard-collette-precisely
Copy link
Author

@duytiennguyen-okta - Thank you for the correction. It is an authorization server policy, not access policy but it can also be created without specifying a priority.

image

@duytiennguyen-okta duytiennguyen-okta removed the waiting-response Waiting on collaborator to respond to follow-on discussion label Nov 26, 2024
@duytiennguyen-okta duytiennguyen-okta added the triaged Triaged into internal Jira label Dec 3, 2024
@duytiennguyen-okta
Copy link
Contributor

OKTA internal reference https://oktainc.atlassian.net/browse/OKTA-839358
