terraform-provider-okta: okta_group_role does not recognize role_type of "group_admin"
When trying to create a group role so that I can add an administrator role to a group, the role “group_admin” is missing from the Terraform whitelist.
```hcl
resource "okta_group_role" "group_admin" {
  group_id  = "..."
  role_type = "GROUP_ADMIN"
}
```
Error comes back as:
Error: expected value to be one of 'SUPER_ADMIN', 'ORG_ADMIN', 'API_ACCESS_MANAGEMENT_ADMIN', 'APP_ADMIN', 'USER_ADMIN', 'MOBILE_ADMIN', 'READ_ONLY_ADMIN', 'HELP_DESK_ADMIN', 'REPORT_ADMIN', 'GROUP_MEMBERSHIP_ADMIN', got 'GROUP_ADMIN'
Group Admin is an important admin role and is a standard Okta role. Listed here in the Okta documentation for admin roles: https://help.okta.com/en-us/Content/Topics/Security/administrators-admin-comparison.htm
Currently this means that I have to manually manage that resource in the UI.
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave “+1” or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
“3.34.0”
Affected Resource(s)
- okta_group_role
Terraform Configuration Files
# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
Expected Behavior
I expect Terraform to allow me to assign the role “Group Administrator” to a group.
Actual Behavior
Error: expected value to be one of 'SUPER_ADMIN', 'ORG_ADMIN', 'API_ACCESS_MANAGEMENT_ADMIN', 'APP_ADMIN', 'USER_ADMIN', 'MOBILE_ADMIN', 'READ_ONLY_ADMIN', 'HELP_DESK_ADMIN', 'REPORT_ADMIN', 'GROUP_MEMBERSHIP_ADMIN', got 'GROUP_ADMIN'
Steps to Reproduce
Assign the role to a group:
```hcl
resource "okta_group_role" "group_admin" {
  group_id  = "..."
  role_type = "GROUP_ADMIN"
}
```
terraform apply
Important Factoids
I am running version “3.34.0”. My Okta tenant was just upgraded to OIE
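As an added example (not part of the original issue or the provider's code), a pre-apply check that lists `okta_group_role` resources whose literal `role_type` is outside the accepted values quoted in the error above, so admin assignments that have to be handled in the UI are at least recorded. It uses a simple brace matcher rather than a full HCL parser; the function names and the sample configuration are constructed for illustration.

```python
import re

# Accepted values copied from the provider error message quoted in this issue.
ACCEPTED_ROLE_TYPES = {
    "SUPER_ADMIN", "ORG_ADMIN", "API_ACCESS_MANAGEMENT_ADMIN", "APP_ADMIN",
    "USER_ADMIN", "MOBILE_ADMIN", "READ_ONLY_ADMIN", "HELP_DESK_ADMIN",
    "REPORT_ADMIN", "GROUP_MEMBERSHIP_ADMIN",
}
RESOURCE_RE = re.compile(r'resource\s+"okta_group_role"\s+"([^"]+)"\s*\{')
ROLE_TYPE_RE = re.compile(r'^\s*role_type\s*=\s*"([^"]*)"', re.MULTILINE)

def block_body(text, start):
    """Return the block body that begins at `start`, just after its '{'."""
    depth, in_string, i = 1, False, start
    while i < len(text) and depth:
        ch = text[i]
        if ch == '"' and text[i - 1] != "\\":
            in_string = not in_string   # braces inside strings do not count
        elif not in_string:
            depth += (ch == "{") - (ch == "}")
        i += 1
    return text[start:i - 1] if depth == 0 else text[start:]

def unsupported_group_roles(tf_text):
    """List (resource name, role_type) pairs outside the accepted values."""
    findings = []
    for match in RESOURCE_RE.finditer(tf_text):
        body = block_body(tf_text, match.end())
        for role in ROLE_TYPE_RE.findall(body):
            if role not in ACCEPTED_ROLE_TYPES:
                findings.append((match.group(1), role))
    return findings

# Constructed sample configuration; the first block is the one from the issue.
SAMPLE_TF = '''
resource "okta_group_role" "group_admin" {
  group_id  = "..."
  role_type = "GROUP_ADMIN"
}
resource "okta_group_role" "helpdesk" {
  group_id  = "..."
  role_type = "HELP_DESK_ADMIN"
}
'''

if __name__ == "__main__":
    for name, role in unsupported_group_roles(SAMPLE_TF):
        print(f"okta_group_role.{name}: role_type {role!r} not accepted")
```

Values set through variables or expressions are not literal strings and are not inspected by this check.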
About this issue
- State: closed
- Created 2 years ago
- Comments: 19 (2 by maintainers)
Commits related to this issue
- Add `CUSTOM` role to list of possible admin roles. Clean up code and documentation also. Closes #1315 — committed to okta/terraform-provider-okta by monde 2 years ago
Thanks for the reminder @CodyHR, our API docs are going through an upgrade based on an established OpenAPI spec for the Okta Management API and I see that `GROUP_ADMIN` is still missing as a valid type: https://developer.okta.com/docs/api/openapi/okta-management/management/tag/RoleAssignment/#tag/RoleAssignment/operation/assignRoleToUser!path=type&t=request
I’m looking at the actual code in the Okta service and running down a developer that can tell me which role, if any, matches up with what is being described for “Group Admin” in https://help.okta.com/en-us/content/topics/security/administrators-admin-comparison.htm . I’m not seeing `GROUP_ADMIN` in our service code either.
@monde Please see the User Management Section, from that link. The `GROUP_ADMIN` role has the ability to Create Users, Delete Users, Update Profiles and more. The `GROUP_MEMBERSHIP_ADMIN` really focusses on adding and removing users from groups.
The `GROUP_ADMIN` role is very useful for managing admin access to our Okta tenant, and the Okta docs clearly show that it is a valid standard Okta admin role. The only way I can do this currently is by managing this manually since the Terraform project does not support it.
I’ll forward that on to the relevant parties, I’ve moved off the project since.
@monde Can you reopen this? I’m assuming it’s not resolved yet.
I’ll take a look at this again.
Sorry to see this @pljeskavica. Thanks for the documentation reference. I see our public API docs need to be updated as well: https://developer.okta.com/docs/reference/api/roles/#role-types
Note to self, code change will be here: https://github.com/okta/terraform-provider-okta/blob/master/okta/user.go#L179