
Terraform Fails to Create Okta Group Rule Due to "Empty Access Token" #2161

Open
ronballesteros opened this issue Dec 11, 2024 · 1 comment

ronballesteros commented Dec 11, 2024

Terraform Version

Terraform v1.7.5
on darwin_arm64
+ provider registry.terraform.io/okta/okta v4.12.0

Affected Resource(s)

  • okta_provider

Terraform Configuration Files

terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "~> 4.12.0"
    }
  }
}

provider "okta" {
  org_name  = "org_name"
  base_url  = "okta.com"
  client_id = "client_id"
  scopes    = ["okta.groups.manage"]
}

resource "okta_group_rule" "rule_test" {
  name              = "Test Rule"
  expression_type   = "urn:okta:expression:1.0"
  expression_value  = <expression_value>
  group_assignments = <group_assignments>
  status            = "ACTIVE"
}

Note: we pass in the private_key secret in our GitHub Actions as an env secret.

Expected Behavior

Terraform should have applied the rule config.

Can this be done in the Admin UI?

Yes, but we want to control this via TF

Can this be done in the actual API call?

Actual Behavior

When attempting to create an Okta group rule using Terraform (using the private key), the process fails with the following error:

Plan: 1 to add, 0 to change, 0 to destroy.
okta_group_rule.test_rule: Creating...
╷
│ Error: failed to create group rule: empty access token

This issue occurs during the execution of terraform apply, despite the fact that:

  • Terraform validates the private key and does not flag it as invalid.
  • When running the same Terraform configuration with an invalid private key, the error explicitly states:

okta_group_rule.test_rule: Creating...
╷
│ Error: failed to create group rule: invalid private key

This indicates that the private key in use is potentially valid. However, the Terraform provider is unable to generate or utilize a valid access token to communicate with Okta's API.

If we don't provide the private_key in the GitHub Actions env var (secret), it defaults to looking for a token and the tf plan fails:

Error: [ERROR] failed to load sdk clients: your Okta API token is missing. You can generate one in the Okta Developer Console. Follow these instructions: https://bit.ly/get-okta-api-token

Steps to Reproduce

  1. Use the same provider setup (passing the private_key as an env secret).
  2. Create an okta_group_rule resource:

resource "okta_group_rule" "rule_test" {
  name              = "Test Rule"
  expression_type   = "urn:okta:expression:1.0"
  expression_value  = <expression_value>
  group_assignments = <group_assignments>
  status            = "ACTIVE"
}

  3. Run terraform plan and approve the plan with terraform apply.

Important Factoids

  • So when I run terraform apply with the correct okta private-key, I get an error with an empty token.
  • When I run terraform apply with an invalid private-key, I get the expected error.

Shouldn't I be able to run terraform apply using the okta-provider with just the private-key and no access token?

References

  • #0000
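For anyone triaging this: before the provider can call the group-rules API it has to run the OAuth 2.0 client_credentials flow with a private_key_jwt client assertion against the org's /oauth2/v1/token endpoint, and "empty access token" only says that this step produced nothing usable. The Go program below (Go being the provider's own language) is an added example, not code from this issue or from terraform-provider-okta: it builds and verifies the RS256 client assertion, assembles the token request, and parses the token response so that an OAuth error (for example a scope the service app was never granted) and a 200 with no access_token field are reported distinctly. The org_name, base_url and client_id values are the placeholders from the issue, the RSA key is generated in memory instead of being read from the pasted PEM, and the token responses are constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// tokenEndpoint is the org authorization server's token URL and the required "aud" of the assertion.
func tokenEndpoint(orgName, baseURL string) string {
	return fmt.Sprintf("https://%s.%s/oauth2/v1/token", orgName, baseURL)
}

func b64url(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildClientAssertion builds the RFC 7523 JWT that replaces a client secret in the private_key_jwt
// flow: iss and sub are the client_id, aud is the token endpoint, signature is RS256 with the app key.
func buildClientAssertion(key *rsa.PrivateKey, clientID, aud string, now time.Time) (string, error) {
	header, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	claims, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": aud,
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
		"jti": fmt.Sprintf("%d", now.UnixNano()),
	})
	signingInput := b64url(header) + "." + b64url(claims)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64url(sig), nil
}

// verifyClientAssertion checks the RS256 signature with the public key, as Okta does against the registered JWK.
func verifyClientAssertion(pub *rsa.PublicKey, jwt string) error {
	parts := strings.Split(jwt, ".")
	if len(parts) != 3 {
		return errors.New("malformed JWT: expected three segments")
	}
	sig, err := base64.RawURLEncoding.DecodeString(parts[2])
	if err != nil {
		return err
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// tokenRequestForm is the client_credentials body posted to the token endpoint; scopes must be granted to the app.
func tokenRequestForm(assertion string, scopes []string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"scope":                 {strings.Join(scopes, " ")},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

// accessTokenFrom separates an explicit OAuth error from a body that simply lacks an access_token.
func accessTokenFrom(body []byte) (string, error) {
	var resp struct {
		AccessToken string `json:"access_token"`
		Error       string `json:"error"`
		ErrorDesc   string `json:"error_description"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", fmt.Errorf("token response is not JSON: %w", err)
	}
	if resp.Error != "" {
		return "", fmt.Errorf("token endpoint returned %s: %s", resp.Error, resp.ErrorDesc)
	}
	if resp.AccessToken == "" {
		return "", errors.New("empty access token: response carried no access_token field")
	}
	return resp.AccessToken, nil
}

func main() {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // constructed key standing in for the PEM
	aud := tokenEndpoint("org_name", "okta.com") // placeholders from the issue
	jwt, _ := buildClientAssertion(key, "client_id", aud, time.Now())
	fmt.Println("assertion verifies:", verifyClientAssertion(&key.PublicKey, jwt) == nil)
	fmt.Println("POST", aud, "scope="+tokenRequestForm(jwt, []string{"okta.groups.manage"}).Get("scope"))
	for _, body := range []string{ // constructed responses: success, scope error, 200 with no token
		`{"token_type":"Bearer","expires_in":3600,"access_token":"constructed.jwt","scope":"okta.groups.manage"}`,
		`{"error":"invalid_scope","error_description":"One or more scopes are not configured."}`,
		`{"token_type":"Bearer","expires_in":3600}`,
	} {
		tok, err := accessTokenFrom([]byte(body))
		fmt.Printf("token=%q err=%v\n", tok, err)
	}
}
```

To use this as a check outside Terraform, load the same PEM the workflow passes as private_key, POST tokenRequestForm(...).Encode() to tokenEndpoint(...) with Content-Type application/x-www-form-urlencoded, and hand the raw body to accessTokenFrom: the distinction it draws between an OAuth error and a token-less 200 is exactly what the provider's one-line message leaves out, and the assertion's aud must be the org token endpoint or Okta rejects it.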
ronballesteros (Author) commented:

I also did something like this in the provider to pass in the private_key to confirm this issue:

provider "okta" {
  org_name  = "okta-dev-satoshi"
  base_url  = "okta.com"
  client_id = "client_id"
  scopes    = ["okta.groups.manage"]
  private_key = <<EOT
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJnVby0DiMCVqU
...
EOT
}

resource "okta_group_rule" "test_rule" {
  name              = "Test Rule"
  status            = "ACTIVE"
  group_assignments = ["blah"]
  expression_type   = "urn:okta:expression:1.0"
  expression_value  = "isMemberOfAnyGroup(\"blah\")"
}

This is what happens:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # okta_group_rule.test_rule will be created
  + resource "okta_group_rule" "test_rule" {
      + expression_type   = "urn:okta:expression:1.0"
      + expression_value  = "isMemberOfAnyGroup(\"blah\")"
      + group_assignments = [
          + "blah",
        ]
      + id                = (known after apply)
      + name              = "Test Rule"
      + status            = "ACTIVE"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
okta_group_rule.test_rule: Creating...
╷
│ Error: failed to create group rule: empty access token
│ 
│   with okta_group_rule.test_rule,
│   on group-rules.tf line 1, in resource "okta_group_rule" "test_rule":
│    1: resource "okta_group_rule" "test_rule" {
