terraform-provider-okta: priority = 0 is ignored for okta_app_signon_policy_rule resource
Terraform Version
Terraform v1.1.5 on darwin_amd64
- provider registry.terraform.io/okta/okta v3.33.0
Affected Resource(s)
- okta_app_signon_policy_rule
Terraform Configuration Files
resource "okta_app_signon_policy" "policy_test" {
  name        = "Auth Policy"
  description = "Auth Policy Test"
}

resource "okta_app_signon_policy_rule" "rule_test" {
  policy_id = okta_app_signon_policy.policy_test.id
  name      = "Rule A - Priority 0"
  priority  = 0
}

resource "okta_app_signon_policy_rule" "rule_test_2" {
  policy_id = okta_app_signon_policy.policy_test.id
  name      = "Rule B - Priority 1"
  priority  = 1
}
Expected Behavior
The Okta API stores policy rules with a priority starting with 0 (this can be seen by doing a GET on existing policy application rules).
The expectation from the above configuration is that the policy=0 rule will be set with the highest priority, and all other rules will go below until the catch-all rule (defaulted to priority=99).
Actual Behavior
The provider treats policy = 0 as a null value, and does not include it in the terraform plan or apply. See below for plan:
  # okta_app_signon_policy_rule.rule_test will be created
  + resource "okta_app_signon_policy_rule" "rule_test" {
      + access                      = "ALLOW"
      + factor_mode                 = "2FA"
      + id                          = (known after apply)
      + inactivity_period           = "PT1H"
      + name                        = "Rule A - Priority 0"
      + network_connection          = "ANYWHERE"
      + policy_id                   = "rst4c2lxb9APB6xdK1d7"
      + re_authentication_frequency = "PT2H"
      + status                      = "ACTIVE"
      + type                        = "ASSURANCE"
    }

  # okta_app_signon_policy_rule.rule_test_2 will be created
  + resource "okta_app_signon_policy_rule" "rule_test_2" {
      + access                      = "ALLOW"
      + factor_mode                 = "2FA"
      + id                          = (known after apply)
      + inactivity_period           = "PT1H"
      + name                        = "Rule B - Priority 1"
      + network_connection          = "ANYWHERE"
      + policy_id                   = "rst4c2lxb9APB6xdK1d7"
      + priority                    = 1
      + re_authentication_frequency = "PT2H"
      + status                      = "ACTIVE"
      + type                        = "ASSURANCE"
    }
Note the lack of priority = 0 on the resource created with policy=0 - this will result in the rule being created by default at the lowest priority above the catch-all rule.
Steps to Reproduce
- Create an app signon policy rule with the priority set to 0
- Terraform plan/apply
- Rule will be created with incorrect priority
About this issue
- State: closed
- Created 2 years ago
- Reactions: 1
- Comments: 15
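A pre-apply check for the symptom reported above, as an added example that is not part of the original issue or the provider's code: it reads the JSON form of a plan (`terraform show -json`) and lists `okta_app_signon_policy_rule` resources whose literal `priority` in the configuration does not appear in the planned values. The embedded plan is constructed to mirror the plan in the report, and the function name is hypothetical; only root-module resources with a literal priority are checked.

```python
import json

RULE_TYPE = "okta_app_signon_policy_rule"

# Constructed sample in the shape of `terraform show -json <planfile>`,
# trimmed to the fields this check reads. It mirrors the plan in the report.
SAMPLE_PLAN = json.loads("""
{
  "configuration": {"root_module": {"resources": [
    {"address": "okta_app_signon_policy_rule.rule_test", "type": "okta_app_signon_policy_rule",
     "expressions": {"priority": {"constant_value": 0}}},
    {"address": "okta_app_signon_policy_rule.rule_test_2", "type": "okta_app_signon_policy_rule",
     "expressions": {"priority": {"constant_value": 1}}}
  ]}},
  "resource_changes": [
    {"address": "okta_app_signon_policy_rule.rule_test", "type": "okta_app_signon_policy_rule",
     "change": {"actions": ["create"], "after": {"name": "Rule A - Priority 0", "priority": null}}},
    {"address": "okta_app_signon_policy_rule.rule_test_2", "type": "okta_app_signon_policy_rule",
     "change": {"actions": ["create"], "after": {"name": "Rule B - Priority 1", "priority": 1}}}
  ]
}
""")


def dropped_priorities(plan):
    """Return [(address, configured, planned)] where the plan lost a literal priority."""
    configured = {}
    for res in plan.get("configuration", {}).get("root_module", {}).get("resources", []):
        expr = res.get("expressions", {}).get("priority", {})
        # Presence test, not truthiness: a configured 0 must count as set.
        if res.get("type") == RULE_TYPE and "constant_value" in expr:
            configured[res["address"]] = expr["constant_value"]

    findings = []
    for rc in plan.get("resource_changes", []):
        after = (rc.get("change") or {}).get("after") or {}
        want = configured.get(rc.get("address"))
        # A missing key and an explicit null both mean the value was not planned.
        if rc.get("address") in configured and after.get("priority") != want:
            findings.append((rc["address"], want, after.get("priority")))
    return findings


if __name__ == "__main__":
    for address, want, got in dropped_priorities(SAMPLE_PLAN):
        print(f"{address}: configured priority={want}, planned priority={got}")
```

Run against a real plan by loading the output of `terraform show -json` in place of `SAMPLE_PLAN`; a non-empty result means the rule order that will be applied differs from the order written in the configuration.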
This is not resolved and should still be addressed - can this be re-opened @monde?
@Mrorya, coincidentally, I'm working on a PR to fix the currency issue on all the resources that have a priority property as described in https://github.com/okta/terraform-provider-okta/issues/1198. The solution will be using good concurrency protections https://github.com/okta/terraform-provider-okta/pull/1248