Error when trying to update okta_policy_rule_profile_enrollment resource #1213

Closed
emanor-okta opened this issue Jul 20, 2022 · 12 comments · Fixed by #1324
Labels
triaged Triaged into internal Jira

Comments

@emanor-okta
Contributor

emanor-okta commented Jul 20, 2022

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v0.15.3
on darwin_amd64
+ provider registry.terraform.io/okta/okta v3.31.0

Affected Resource(s)

  • okta_policy_rule_profile_enrollment

Terraform Configuration Files

resource "okta_policy_profile_enrollment" "terraform_enroll" {
  name            = "terraform_enroll2"
  status          = "ACTIVE"
}

resource "okta_group" "terraform_group" {
  name        = "terraform_group2"
  description = "terraform group"
}

resource "okta_policy_rule_profile_enrollment" "terraform_rule" {
  policy_id           = okta_policy_profile_enrollment.terraform_enroll.id
  target_group_id     = okta_group.terraform_group.id
  unknown_user_action = "REGISTER"
  email_verification  = false
  access              = "ALLOW"
  profile_attributes {
    name     = "email"
    label    = "Primary Email"
    required = true
  }
  profile_attributes {
    name     = "firstName"
    label    = "First Name"
    required = true
  }
  profile_attributes {
    name     = "lastName"
    label    = "Last Name"
    required = true
  }
}

Debug Output

https://gist.github.com/emanor-okta/c754b2ac4ace42e1f234b97b46e57344

Panic Output

Expected Behavior

Profile Enrollment Rule should have been updated

Actual Behavior

Update returns:
"errorSummary": "Api validation failed: actions.profileEnrollment.uiSchemaId"

Steps to Reproduce

  1. Use the above .tf
  2. Run terraform plan/apply to create the Enrollment Policy/Rule
  3. Update the .tf file, for example flip (email_verification = false) to true.
  4. Run terraform plan
  5. Run terraform apply (error will be returned here)

Important Factoids

References

The issue appears to be that terraform-provider-okta (https://github.com/okta/terraform-provider-okta/blob/master/okta/resource_okta_policy_rule_profile_enrollment.go), which relies on okta-sdk-golang (https://github.com/okta/okta-sdk-golang/blob/master/okta/profileEnrollmentPolicyRuleAction.go), which I believe is built off of the open-api spec (https://github.com/okta/okta-management-openapi-spec/blob/master/dist/spec.json#L22607), do not model the uiSchemaId attribute.

The API docs also do not show the uiSchemaId attribute in the object definition, https://developer.okta.com/docs/reference/api/policy/#profile-enrollment-action-object

So uiSchemaId is dropped from the API call (https://fake.oktapreview.com/api/v1/policies/rst44fglytHV52wMY1d7/rules/rul44fglyu6oQKQGB1d7)

Example of returned rule with uiSchemaId
GET https://fake.oktapreview.com/api/v1/policies/rst44fglytHV52wMY1d7/rules/rul44fglyu6oQKQGB1d7

{
 "id": "rul44fglyu6oQKQGB1d7",
 "status": "ACTIVE",
 "name": "Catch-all Rule",
 "priority": 99,
 "created": "2022-07-20T19:32:34.000Z",
 "lastUpdated": "2022-07-20T19:34:29.000Z",
 "system": true,
 "conditions": null,
 "actions": {
  "profileEnrollment": {
   "access": "ALLOW",
   "preRegistrationInlineHooks": null,
   "profileAttributes": [
    {
     "name": "email",
     "label": "Primary Email",
     "required": true
    },
    {
     "name": "firstName",
     "label": "First Name",
     "required": true
    },
    {
     "name": "lastName",
     "label": "Last Name",
     "required": true
    }
   ],
   "targetGroupIds": [
    "00g44ff3..."
   ],
   "unknownUserAction": "REGISTER",
   "activationRequirements": {
    "emailVerification": true
   },
   "uiSchemaId": "uis44fio9ifOCwJAO1d7"
  }
 },
 "_links": {
  "self": {
   "href": "https://fake.oktapreview.com/api/v1/policies/rst44fglytHV52wMY1d7/rules/rul44fglyu6oQKQGB1d7",
   "hints": {
    "allow": [
     "GET",
     "PUT"
    ]
   }
  }
 },
 "type": "PROFILE_ENROLLMENT"
}
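
The failure mode in this report, a client model that does not declare uiSchemaId so the value returned by GET is missing from the following PUT, can be reproduced and tested for in Go. This is an added example, not code from the issue, the provider or okta-sdk-golang; the two struct types and the droppedKeys helper are hypothetical, and the JSON is a constructed sample trimmed from the response above.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Hypothetical, simplified models and a constructed sample; not okta-sdk-golang code.
type actionWithoutSchema struct {
	Access string `json:"access,omitempty"`
}

type actionWithSchema struct {
	Access     string `json:"access,omitempty"`
	UiSchemaId string `json:"uiSchemaId,omitempty"`
}

const getResponse = `{"access":"ALLOW","uiSchemaId":"uis44fio9ifOCwJAO1d7"}`

// droppedKeys decodes the GET response into model, re-encodes it as a
// read-modify-write update would, and returns the top-level keys lost on the way.
func droppedKeys(response string, model interface{}) ([]string, error) {
	var before, after map[string]json.RawMessage
	if err := json.Unmarshal([]byte(response), &before); err != nil {
		return nil, err
	}
	// Unknown JSON keys are silently ignored here; this is where the field vanishes.
	if err := json.Unmarshal([]byte(response), model); err != nil {
		return nil, err
	}
	body, err := json.Marshal(model) // the body an update would send
	if err != nil {
		return nil, err
	}
	if err := json.Unmarshal(body, &after); err != nil {
		return nil, err
	}
	lost := []string{}
	for key := range before {
		if _, ok := after[key]; !ok {
			lost = append(lost, key)
		}
	}
	return lost, nil
}

func main() {
	fmt.Println(droppedKeys(getResponse, &actionWithoutSchema{}))
	fmt.Println(droppedKeys(getResponse, &actionWithSchema{}))
}
```

Run against a recorded API response, a check like this flags any server-generated attribute that a typed model would strip before an update is sent.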
@monde monde self-assigned this Jul 21, 2022
@monde
Collaborator

monde commented Jul 21, 2022

Thanks @emanor-okta I'll take a look.

emanor-okta added a commit to emanor-okta/okta-developer-docs that referenced this issue Aug 7, 2022
Adds the attribute 'uiSchemaId' to the Profile Enrollment Action Object.
This value is generated by the back end and if present will be required when any policy update is made, otherwise a 400 will be returned.

see: https://oktawiki.atlassian.net/wiki/spaces/~60feb6dac51f3a00697babaf/pages/2510164199/Profile+Enrolment+Policy+-+Improve+API+validation?focusedCommentId=2512879955

This enhancement is needed in order to update the OpenAPI Spec so the Management SDKs can add this attribute.
(okta/terraform-provider-okta#1213)
@emanor-okta
Contributor Author

PR to update Docs with this attribute.


@monde monde removed their assignment Aug 15, 2022
@monde
Collaborator

monde commented Aug 16, 2022

Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-524622

@monde monde added the triaged Triaged into internal Jira label Aug 16, 2022
jakebacher2-okta pushed a commit to okta/okta-developer-docs that referenced this issue Sep 6, 2022
Adds the attribute 'uiSchemaId' to the Profile Enrollment Action Object.
This value is generated by the back end and if present will be required when any policy update is made, otherwise a 400 will be returned.

see: https://oktawiki.atlassian.net/wiki/spaces/~60feb6dac51f3a00697babaf/pages/2510164199/Profile+Enrolment+Policy+-+Improve+API+validation?focusedCommentId=2512879955

This enhancement is needed in order to update the OpenAPI Spec so the Management SDKs can add this attribute.
(okta/terraform-provider-okta#1213)
@zubinmadon

Hello. We've run into this issue. Was working up until recently, so I'm guessing the public-facing API changed recently?

@monde
Collaborator

monde commented Sep 30, 2022

> Hello. We've run into this issue. Was working up until recently, so I'm guessing the public-facing API changed recently?

@zubinmadon do you know what release of the provider you were using previously? Our latest release, v3.36.0, was 16 days ago, but this issue was originally reported July 20th, whose nearest previous release would have been v3.31.0.

@zubinmadon

Thanks @monde! We were using v3.20.0. I think I had been trying to get terraform to work, and it happened to work with that version -- however, since that time we needed to upgrade to v3.31.0 for other features, so we cannot downgrade back to anything before that.

Initially the bug didn't affect us because our okta_policy_rule_profile_enrollment resource had already been created, so terraform didn't need to make that call. However, we now need to create/update those resources on the newer version of the provider.

MikeMondragon-okta pushed a commit that referenced this issue Oct 4, 2022
Fix ACC Test `TestAccOktaPolicyRuleProfileEnrollment`
Closes #1213
@monde
Collaborator

monde commented Oct 5, 2022

Released https://github.com/okta/terraform-provider-okta/releases/tag/v3.37.0

@zubinmadon

Hi again @monde - thanks for fixing this.

When setting up an okta_policy_rule_profile_enrollment resource, now we end up needing to run a somewhat complex curl to find the ui_schema_id and set the internal okta resource ID. What makes matters more confusing is that sometimes there is no ui_schema_id, and then eventually, without changing anything on our side, it's added, and we need to manually add the internal resource id to our terraform code.

Given the way terraform usually works, I would expect to never have to set an internal resource id.

Would you like me to open another issue for this?

@sebman-metro

I support what @zubinmadon is saying. We are now forced to hardcode the ui schema id in terraform files or get it via additional scripts.

@monde monde added the follow-up A previous fix needs needs a second look label Oct 25, 2022
@monde
Collaborator

monde commented Oct 25, 2022

Our Jira on this is still on the backlog internally. Re-opening for a second look given @zubinmadon and @sebman-metro feedback.

@monde monde reopened this Oct 25, 2022
@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@monde monde removed the follow-up A previous fix needs needs a second look label May 25, 2023
MikeMondragon-okta pushed a commit that referenced this issue May 25, 2023
sets related arguments if they exist in the TF config.

Closes #1213
Closes #1394
MikeMondragon-okta pushed a commit that referenced this issue Jun 2, 2023