terraform-provider-okta: attribute_statements always triggers a change in okta_app_saml when using preconfigured_app

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

❯ terraform -v
Terraform v0.14.7
+ provider registry.terraform.io/hashicorp/null v3.1.0
+ provider registry.terraform.io/oktadeveloper/okta v3.10.1

Affected Resource(s)

  • okta_app_saml

Terraform Configuration Files

resource "okta_app_saml" "preconfigured_app" {
  label                    = var.app_name
  preconfigured_app        = var.app_market_name
  app_settings_json        = jsonencode({"baseUrl"= var.app_base_url})

  attribute_statements {
    type         = "GROUP"
    name         = "group"
    filter_type  = "REGEX"
    filter_value = ".*"
  }

  // groups are assigned through okta_app_group_assignment resource
  lifecycle {
    ignore_changes = [groups]
  }
}

Terraform Output

The above always produces the following diff in a plan/apply:

  # module.elevation_K8s_preconfigured_saml_apps["elevation-ci-sbx-usc1"].okta_app_saml.preconfigured_app will be updated in-place
  ~ resource "okta_app_saml" "preconfigured_app" {
        id                         = "0oab68hcz4iJtFkKt5d6"
        name                       = "jenkins"
        # (24 unchanged attributes hidden)

      + attribute_statements {
          + filter_type  = "REGEX"
          + filter_value = ".*"
          + name         = "group"
          + namespace    = "urn:oasis:names:tc:SAML:2.0:attrname-format:unspecified"
          + type         = "GROUP"
        }
    }

Expected Behavior

The resource should define the attribute_statements once and not show any diff unless the configuration was changed.

Actual Behavior

Every plan produces the above diff.

Steps to Reproduce

  1. Create an okta_app_saml with a preconfigured_app (we use Jenkins)
  2. Apply the code
  3. Run plan and see that the diff appears

Important Factoids

Commenting out the attribute_statements block after initial provisioning of the resource stops the diffs from showing up, but that is not really a fix.

About this issue

  • State: closed
  • Created 3 years ago
  • Reactions: 1
  • Comments: 15 (13 by maintainers)

Most upvoted comments

@dkulchinsky no updates from Hashicorp so far

@Liath The Terraform registry isn’t my area at all… have y’all reached out to terraform-registry@hashicorp.com to ask for help there? I thought registry updates were handled via webhooks, so maybe something’s broken.

@dkulchinsky, yes, I think it can be done either by superadmin or Okta support.

Hi, @dkulchinsky! Thanks for submitting this issue! I’ll investigate the problem and will create a PR to fix it.