terraform-provider-okta: okta_policy_rule_signon identity_provider variable causing API error Invalid condition type specified: identityProvider
Community Note
- Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
- Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
- If you are interested in working on this issue or have submitted a pull request, please leave a comment
Terraform Version
Terraform v1.0.10
on linux_amd64
+ provider registry.terraform.io/hashicorp/aws v3.75.1
+ provider registry.terraform.io/okta/okta v3.25.0
Affected Resource(s)
- resource.okta_policy_rule_signon
- resource.okta_policy_signon
Terraform Configuration Files
resource "okta_policy_signon" "mnovitsk_policy" {
  name            = "mnovitsk_signon_policy"
  description     = "Signon Policy for certain users"
  priority        = 1
  status          = "INACTIVE"
  groups_included = [
    resource.okta_group.mnovitsk_test.id
  ]
  depends_on = [
    resource.okta_group.mnovitsk_test
  ]
}

resource "okta_policy_rule_signon" "mnovitsk_policy_rule" {
  policy_id          = resource.okta_policy_signon.mnovitsk_policy.id
  status             = "INACTIVE"
  name               = "mnovitsk_signon_policy_rule"
  authtype           = "ANY"
  access             = "ALLOW"
  primary_factor     = "PASSWORD_IDP"
  network_connection = "ANYWHERE"
  session_idle       = 120 # 2 hour idle session
  session_lifetime   = 720 # 12 hour session lifetime
  depends_on = [
    resource.okta_policy_signon.mnovitsk_policy
  ]
}
Debug Output
Panic Output
Expected Behavior
Create a Global Session Policy (resource.okta_policy_signon) with a Policy Rule (resource.okta_policy_rule_signon)
Actual Behavior
Terraform errors out when trying to apply the configuration. It automatically supplies an identity_provider = "ANY" variable, even if it is not manually supplied, and then errors out. I encounter the same error when manually supplying identity_provider = "ANY" in the Terraform resource configuration.
Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # okta_policy_rule_signon.mnovitsk_policy_rule will be created
  + resource "okta_policy_rule_signon" "mnovitsk_policy_rule" {
      + access              = "ALLOW"
      + authtype            = "ANY"
      + id                  = (known after apply)
      + identity_provider   = "ANY"
      + mfa_remember_device = false
      + mfa_required        = false
      + name                = "mnovitsk_signon_policy_rule"
      + network_connection  = "ANYWHERE"
      + policy_id           = (known after apply)
      + primary_factor      = "PASSWORD_IDP"
      + risc_level          = "ANY"
      + session_idle        = 120
      + session_lifetime    = 720
      + session_persistent  = false
      + status              = "INACTIVE"
    }

  # okta_policy_signon.mnovitsk_policy will be created
  + resource "okta_policy_signon" "mnovitsk_policy" {
      + description     = "Signon Policy for certain users"
      + groups_included = [
          + "<okta_group_id>",
        ]
      + id              = (known after apply)
      + name            = "mnovitsk_signon_policy"
      + priority        = 1
      + status          = "INACTIVE"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

okta_policy_signon.mnovitsk_policy: Creating...
okta_policy_signon.mnovitsk_policy: Creation complete after 0s [id=00p3k04nmpYoSa3eq1d7]
okta_policy_rule_signon.mnovitsk_policy_rule: Creating...
╷
│ Error: failed to create sign-on policy rule: failed to create policy rule: the API returned an error: Api validation failed: conditions. Causes: errorSummary: conditions: Invalid condition type specified: identityProvider.
│
│   with okta_policy_rule_signon.mnovitsk_policy_rule,
│   on main.tf line 60, in resource "okta_policy_rule_signon" "mnovitsk_policy_rule":
│   60: resource "okta_policy_rule_signon" "mnovitsk_policy_rule" {
│
╵
Releasing state lock. This may take a few moments...
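The failure above comes from the provider serializing an identityProvider condition that the reporter never configured, because the attribute carries a schema default of "ANY". The following Go snippet is an added illustration of that defect class and its fix, not code from terraform-provider-okta: it contrasts a request builder that always emits the condition with one that emits it only when explicitly set. The condition layout (a "provider" key under "identityProvider") is assumed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// SignOnRuleInput mirrors the attributes of the okta_policy_rule_signon block above;
// IdentityProvider is a pointer so "not configured" differs from an explicit "ANY".
type SignOnRuleInput struct {
	AuthType          string
	NetworkConnection string
	IdentityProvider  *string
}

// buggyConditions always emits an identityProvider condition, as a schema default of "ANY"
// does, so a tenant without the feature rejects the whole rule (the error shown above).
func buggyConditions(in SignOnRuleInput) map[string]interface{} {
	idp := "ANY"
	if in.IdentityProvider != nil {
		idp = *in.IdentityProvider
	}
	return map[string]interface{}{
		"network":          map[string]string{"connection": in.NetworkConnection},
		"authContext":      map[string]string{"authType": in.AuthType},
		"identityProvider": map[string]string{"provider": idp}, // key layout assumed
	}
}

// fixedConditions emits identityProvider only when it was set explicitly, so a rule that
// never mentions it sends nothing the API can reject.
func fixedConditions(in SignOnRuleInput) map[string]interface{} {
	c := map[string]interface{}{
		"network":     map[string]string{"connection": in.NetworkConnection},
		"authContext": map[string]string{"authType": in.AuthType},
	}
	if in.IdentityProvider != nil {
		c["identityProvider"] = map[string]string{"provider": *in.IdentityProvider}
	}
	return c
}

func main() {
	in := SignOnRuleInput{AuthType: "ANY", NetworkConnection: "ANYWHERE"} // as in the config above
	buggy, _ := json.Marshal(buggyConditions(in))
	fixed, _ := json.Marshal(fixedConditions(in))
	fmt.Printf("buggy: %s\nfixed: %s\n", buggy, fixed)
}
```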
Steps to Reproduce
terraform apply
Important Factoids
References
I checked the Terraform Provider Documentation: https://registry.terraform.io/providers/okta/okta/latest/docs/resources/policy_rule_signon#identity_provider and it states that "Use of identity_provider requires a feature flag to be enabled.", but I do not see a flag in the tenant features related to this setting.
I am able to create Global Session Policies and Policy Rules via the UI with no issues, but attempting to create these resources via Terraform does not work. The policy itself is successfully created via Terraform, but there are no policy rules associated with it.
- #1028 : I also am experiencing a similar issue when trying to assign a specific priority to a new okta_policy_signon resource. I'm currently just providing priority = 1 to get around this issue for now, but it is going to cause larger problems when trying to declare and configure multiple sign on policies.
About this issue
- Original URL
- State: closed
- Created 2 years ago
- Reactions: 8
- Comments: 27 (7 by maintainers)
Commits related to this issue
- Fix default value regression on okta_policy_rule_sign_on's attribute identity_provider. Closes #1079 . Correct acceptance tests. Discovered there isn't an identity provider condition for policy sign o... — committed to okta/terraform-provider-okta by monde 2 years ago
- Reverting 0ebeae7c5e062a084809397ca93b194cdef17a94 which incorrectly setup around SPECIFIC_IDP. Passing ACC tests: - TestAccOktaPolicyRuleSignon_crud - TestAccOktaPolicySignOn_defaultError - TestAccOk... — committed to okta/terraform-provider-okta by monde 2 years ago
@miguelpuiggarcia @mnovitsk I'll make it a priority to get to the bottom of this today and do a patch release ASAP
This bug is still present in 3.30.0
Just adding my voice here. Experiencing this on 3.29.0. If I can provide any useful info @monde please let me know.
Hi @monde This issue is happening again with version v3.28.0 if this helps
Error: failed to update sign-on policy rule: the API returned an error: Api validation failed: conditions. Causes: errorSummary: conditions: Invalid condition type specified: identityProvider.
This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days
This bug still exists. Commenting to prevent auto-closure.
I can confirm adding
resolves my issue, allowing me to use 3.31.0.
@monde while the problem with priority bug is real and annoying, IMHO the main issue here is the identityProvider attribute (as stated in the subject). To my understanding it's behind a feature flag in the Okta tenant configurations, and without enabling, the API doesn't like to see it used. Right? Would removing the default value be a sufficient fix? Or should the API be changed to ignore the attribute?
This one is still on my todo list. I'm on vacation for a week and can give it priority when I get back.
@lucascantor I've not had a chance to look at this one yet, nothing related to it is in v3.29.0
I have a fix queued up in PR #1081 and am waiting for a colleague to review it before releasing.
@mnovitsk I'm trying to get a bug fix out today and will address both the original bug and try to see if there is a fix and/or flexibility dealing with the error in v3.24.0 you are seeing.