Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Resource Overlap: Same Config Managed Twice #2181

Open
exitcode0 opened this issue Jan 20, 2025 · 1 comment
Open

Resource Overlap: Same Config Managed Twice #2181

exitcode0 opened this issue Jan 20, 2025 · 1 comment
Labels
triaged Triaged into internal Jira

Comments

@exitcode0
Copy link
Contributor

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Affected Resource(s)

  • okta_app_saml
  • okta_app_oauth
  • okta_profile_mapping

Terraform Configuration Files

resource "okta_app_saml" "test" {
  label                   = "example"
  preconfigured_app       = "sharepoint_onpremise"
  saml_version            = "1.1"
  status                  = "ACTIVE"
  user_name_template      = "user.secondaryEmail"
  user_name_template_type = "CUSTOM"
}

resource "okta_profile_mapping" "example" {
  source_id          = "<source id>"
  target_id          = "<target id>"

  mappings {
    id         = "firstName"
    expression = "appuser.firstName"
  }
}

Expected Behavior

An applications username template should be manageable via only one resource in the Okta Terraform provider to ensure that Terraform configuration remains deterministic

Actual Behavior

The username template for an Okta application can currently be configured via the application resource or the profile mapping resource, these resources can then disagree or attempt to correct "drift" caused by one another

Thoughts / Questions

I think the best path forward here is to decide if this configuration should be managed via the mappings resource or via the application resource.
The Okta administrator UI seems to be opinionated and chooses to direct users to the application configuration, perhaps we should do the same
I'm curious what the provider team thinks about how we should resolve this moving forward and if this is something we can achieve in V4 or if this would need to wait for V5?

Steps to Reproduce

  1. Create an application via terraform and create it's username template at the same time
  2. Some time later, Create a profile mapping for an unrelated attribute due to a new requirement, e.g "role"
  3. Note that Terraform plan shows that terraform will attempt to remove the mapping for username unless delete_when_absent is used

Important Factoids

References

  • #0000
@monde monde added the triaged Triaged into internal Jira label Jan 28, 2025
@monde
Copy link
Collaborator

monde commented Jan 28, 2025

https://oktainc.atlassian.net/browse/OKTA-858184

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
triaged Triaged into internal Jira
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@monde @exitcode0