constant change-loops in the 'okta_app_group_assignments' resource

[elena-rico]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.0.6
on darwin_amd64
+ provider registry.terraform.io/okta/okta v3.13.12

Affected Resource(s)

• okta_app_group_assignments

Terraform Configuration Files

resource "okta_app_oauth" "myapp_name" {
  label                      = "AppName"
  type                       = "browser"
  grant_types                = ["authorization_code"]
  redirect_uris              = ["${var.myapp_name_url}implicit/callback"]
  post_logout_redirect_uris  = [var.myapp_name_url]
  response_types             = ["code"]
  consent_method             = "TRUSTED"
  hide_ios                   = true
  hide_web                   = true
  skip_users                 = true
  skip_groups                = true
  issuer_mode                = "CUSTOM_URL"
  token_endpoint_auth_method = "none"
  lifecycle {
    // for some reason "consent_method" is always flagged as having changed
    // https://www.terraform.io/docs/configuration/resources.html#ignore_changes
    ignore_changes = [
      groups,
      users,
    ]
  }
}

resource "okta_app_group_assignments" "myapp_name" {
  app_id = okta_app_oauth.myapp_name.id

  dynamic "group" {
    for_each = data.okta_group.super_admin_groups
    content {
      id = group.value.id
    }
  }
}

Debug Output

Panic Output

Expected Behavior

Running terraform apply several times shows No changes. Your infrastructure matches the configuration.

Actual Behavior

~ resource "okta_app_group_assignments" "myapp_name" {
    id     = <app_id>
    # (1 unchanged attribute hidden)

  - group {
      - id       = "<group_id_one>" -> null
      - priority = 1 -> null
      - profile  = jsonencode({}) -> null
    }
  + group {
      + id      = "<group_id_one>"
      + profile = jsonencode({})
    }
  + group {
      + priority = 1
      + profile  = jsonencode({})
    }
    # (1 unchanged block hidden)
}

Steps to Reproduce

1. terraform apply

Important Factoids

References

This behavior was expected to be fixed in v.3.13.11 PR #644

• #0000

[bogdanprodan-okta]

Hi @elena-rico! Thanks for submitting this issue! Unfortunately, this bug still exists. The problem is that terraform's schema.TypeSet doesn't work well when element contains required/optional elements (found this issue). To make things work, either I'll make priority field as required, or try to TypeList.

[fschmager]

Is there something that could be done using lifecycle.ignore_changes? I haven't been able use that because priority and profile are on nested group properties.

  lifecycle {
    ignore_changes = [
      // none of these work
      group.profile
      group.*.profile
      group.[*].profile
      ...
    ]
  }

Here's someone with a similar conundrum: https://stackoverflow.com/questions/64431159/terraform-ignore-changes-on-dynamic-resources

[bogdanprodan-okta]

@elena-rico @fschmager I've created a PR that should fix constant change-loops. I had to switch from TypeSet to TypeList. It might show some strange updates in place because if you change elements in the middle, the list will 'shift', but the provider will only do the necessary operations.

[elena-rico]

Hi @bogdanprodan-okta, I was testing your earlier suggestions. I'll wait for your changes to be merged and test again.
Thank you.
PS. I love the PR Title

[bogdanprodan-okta]

@elena-rico new release is out so you can check if that fixes this issue.