Group Membership Issue With Versions >=3.29 #1216
Comments
Thanks for the details @smistephenresmed . Not sure if this is regression or not. I will mark it as such since it changed the behavior you were experiencing previously. |
Was thinking this was a missing feature flag on the org, but looking at the commit history it seems like this is a bug from a recent PR, will keep it as a bug.
|
Okta internal reference: https://oktainc.atlassian.net/browse/OKTA-524210 |
What's contained here? I don't have access, unfortunately. |
It's our internal Jira, private to the public; dropping it here for other Okta people to reference. Also, we are trying to manage the work from GH issues better with Jira. |
@monde Do you have any ETA for fixing this issue? The same problem is present with versions newer than v3.28. In our company, we are not allowed to manage admins via terraform. It would be great to make this behavior optional. |
@andrei-korviakov @smistephenresmed Does the error go away if you use skip_roles in your okta_user data source?
This is where the admin users are set, and only if skip_roles is false:
https://github.com/okta/terraform-provider-okta/blob/master/okta/data_source_okta_user.go#L132-L139
https://registry.terraform.io/providers/okta/okta/latest/docs/data-sources/user#arguments-reference
For example

```hcl
data "okta_user" "group_users" {
  skip_roles = true
  count      = length(var.user_emails)

  search {
    name  = "profile.email"
    value = var.user_emails[count.index]
  }
}
```
|
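As an added example (not code from this thread or from the provider's own docs), this is how the skip_roles workaround fits into a complete membership config for people who look users up with the data source: the user lookups skip the per-user admin-roles call, so a scoped-down API token that is not allowed to read or manage administrators does not hit the permission error, and the looked-up IDs feed a group membership. It assumes the provider's okta_group_memberships resource with its group_id and users arguments; var.group_id is a placeholder, and the e-mail addresses are constructed sample values.

```hcl
terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

# Constructed sample values; replace with the real users to add.
variable "user_emails" {
  type    = list(string)
  default = ["a.person@example.com", "b.person@example.com"]
}

# Placeholder: the ID of the existing Okta group whose membership Terraform manages.
variable "group_id" {
  type = string
}

# Look each user up by e-mail. skip_roles = true keeps the provider from
# calling the admin-roles API for every user, which is the call that fails
# under an API token that cannot read administrator assignments.
data "okta_user" "group_users" {
  for_each   = toset(var.user_emails)
  skip_roles = true

  search {
    name  = "profile.email"
    value = each.value
  }
}

# Assumed resource: set the group's membership to exactly the looked-up users.
resource "okta_group_memberships" "managed" {
  group_id = var.group_id
  users    = [for u in data.okta_user.group_users : u.id]
}
```

Using for_each keyed on the e-mail address instead of count means removing one address from the list only drops that user's lookup rather than shifting every later index, which keeps plans small and readable.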
It does, but I have two questions:
1. Why?
2. Will this break anything else?
Stephen Smith, Engineer, Product Security, ResMed
> From: Mike Mondragon (okta/terraform-provider-okta), Wednesday, October 12, 2022 at 13:35
> Subject: Re: [okta/terraform-provider-okta] Group Membership Issue With Versions >=3.29 (Issue #1216)
>
> @andrei-korviakov @smistephenresmed
> Does the error go away if you use skip_roles in your okta_user data source?
> This is where the admin users are set, and only if skip_roles is false:
> https://github.com/okta/terraform-provider-okta/blob/master/okta/data_source_okta_user.go#L132-L139
> https://registry.terraform.io/providers/okta/okta/latest/docs/data-sources/user#arguments-reference
> For example
>
> ```hcl
> data "okta_user" "group_users" {
>   skip_roles = true
>   count      = length(var.user_emails)
>
>   search {
>     name  = "profile.email"
>     value = var.user_emails[count.index]
>   }
> }
> ```
|
Ohh, my bad: in my case, the problem is related to the okta_user resource, not the data source. It happens when I create users.
I saw that the data source has the option not to include roles, but the resource doesn't. |
Sounds good. Will this be fixed in a future release?
|
@andrei-korviakov is this representative of the config you are having problems with?

```hcl
terraform {
  required_providers {
    okta = {
      source = "okta/okta"
    }
  }
}

locals {
  users_list = [
    {
      first_name = "A"
      last_name  = "Person"
      email      = "a.person@example.com"
      user_name  = "a.person@example.com"
    },
    {
      first_name = "B"
      last_name  = "Person"
      email      = "b.person@example.com"
      user_name  = "b.person@example.com"
    },
  ]
}

resource "okta_user" "this" {
  for_each   = { for user in local.users_list : "${user.user_name}" => user }
  first_name = each.value.first_name
  last_name  = each.value.last_name
  login      = each.value.email
  email      = each.value.email
  password   = "A!fdsdafdsioajdfdsds8u79asdfd9s"

  lifecycle {
    ignore_changes = [
      expire_password_on_create,
      password,
      primary_phone,
      manager,
      manager_id,
      mobile_phone,
      second_email,
      status
    ]
  }
}
```
|
@andrei-korviakov when I run my plan with
|
Never mind @andrei-korviakov, I'm able to repro this; we are discussing a fix. |
while using a non-super admin API token. Closes #1216
Terraform Version
0.13.6
Affected Resource(s)
Terraform Configuration Files
Debug Output
A lot of this debug output seems pretty sensitive, AWS credentials and such, could you specify what you require?
Expected Behavior
The specified Okta users are associated to the specified AWS role.
Actual Behavior
Error: failed to set user's admin roles: failed to get admin roles: the API returned an error: You do not have permission to perform the requested action
Steps to Reproduce
As far as I know, the issue was introduced in one of the below references. For us, the above code worked with v3.28, and broke with v3.29, and has remained broken through v3.31.
References