terraform-provider-okta: inactivity_period default value causing API error for catch all okta_app_signon_policy_rules
Terraform Version
Terraform v1.1.5 on darwin_amd64
- provider registry.terraform.io/okta/okta v3.33.0
Affected Resource(s)
- okta_app_signon_policy_rule
Terraform Configuration Files
resource "okta_app_signon_policy" "policy_test" {
  name        = "Auth Policy"
  description = "Auth Policy Test"
}

resource "okta_app_signon_policy_rule" "catch_all" {
  policy_id = okta_app_signon_policy.policy_test.id
  name      = "Catch-all Rule"
}
Debug Output
Panic Output
Expected Behavior
Imported a catch all rule to modify allowable attributes as noted in the documentation here: https://registry.terraform.io/providers/okta/okta/latest/docs/resources/app_signon_policy_rule
Changes made to modify allowable attributes in app_signon_policy_rule
Actual Behavior
After importing, an apply will error out due to inactivity_period being an immutable value for the catch all rule
  # okta_app_signon_policy_rule.catch_all will be updated in-place
  ~ resource "okta_app_signon_policy_rule" "catch_all" {
      ~ constraints = [
          - jsonencode(
                {
                  - possession = {
                      - deviceBound = "REQUIRED"
                    }
                }
            ),
        ]
        id = "rul4c2lxbaIgH5As61d7"
      + inactivity_period = "PT1H"
        name = "Catch-all Rule"
      + network_connection = "ANYWHERE"
      ~ re_authentication_frequency = "PT12H" -> "PT2H"
│ Error: failed to create app sign on policy rule: the API returned an error: Cannot modify the conditions attribute because it is read-only.
│
│ with okta_app_signon_policy_rule.catch_all,
│ on main.tf line 30, in resource "okta_app_signon_policy_rule" "catch_all":
│ 30: resource "okta_app_signon_policy_rule" "catch_all" {
│
╵
As
Steps to Reproduce
- Create or modify an existing app sign on policy
- Import the catch all rule
- Run terraform apply (no modifications necessary to actual policy configuration as it will attempt to add a default value for inactivity period)
- API error
Important Factoid
We have worked around this currently by adding a lifecycle ignore block referencing inactivity_period
References
About this issue
- State: closed
- Created 2 years ago
- Reactions: 13
- Comments: 16
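The workaround mentioned under "Important Factoid", written out as an added example (not code from the issue or from the provider project). It reuses the resource names from the configuration above and assumes, as the reporter states, that ignoring inactivity_period is what stops the failing update.

```hcl
resource "okta_app_signon_policy" "policy_test" {
  name        = "Auth Policy"
  description = "Auth Policy Test"
}

# Imported catch-all rule. After import, the plan above adds
# inactivity_period = "PT1H" and the apply fails with the API error.
resource "okta_app_signon_policy_rule" "catch_all" {
  policy_id = okta_app_signon_policy.policy_test.id
  name      = "Catch-all Rule"

  lifecycle {
    # Workaround from the issue: never plan a change to this attribute.
    # Trade-off: Terraform also stops reporting drift on it.
    ignore_changes = [inactivity_period]
  }
}
```

This block only suppresses inactivity_period. The plan above also shows constraints and re_authentication_frequency changing, so those lines still need review before applying.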
Commits related to this issue
- Fixes some quirks dealing with the Okta API when the rule imported AND is the default policy rule. Closes #1245 — committed to okta/terraform-provider-okta by monde 8 months ago
- Fixes some quirks dealing with the Okta API when the rule imported AND is the default policy rule. Closes #1245 — committed to steveAG/terraform-provider-okta by monde 8 months ago
- Fixes some quirks dealing with the Okta API when the rule imported AND is the default policy rule. Closes #1245 — committed to tgoodsell-tempus/terraform-provider-okta by monde 8 months ago
This is not resolved and should still be addressed - can this be re-opened @monde?
Commenting to remove stale label, still an issue