
Cannot use "skip_groups" attribute without removing existing group assignments on subsequent runs. #1363

Closed
NiallJude opened this issue Nov 11, 2022 · 13 comments
Labels
bug stale support-discussion Needs to be oriented to support, not a full TF issue, bug, or feature request

Comments

@NiallJude

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

Terraform v1.3.4
on darwin_arm64

  • provider registry.terraform.io/hashicorp/aws v4.38.0
  • provider registry.terraform.io/okta/okta v3.38.0

Affected Resource(s)

  • okta_app_group_assignments
  • okta_app_saml

Terraform Configuration Files

# Add the foo App to the created Okta group.
resource "okta_app_group_assignments" "okta_foo_app_groups" {
  app_id = okta_app_foo.okta_foo_app.id
  group {
    id = okta_group.okta_group.id
  }
  group {
    id = data.okta_group.all-contoso-development-team.id
  }
  group {
    id = data.okta_group.all-contoso-devops-team.id
  }
}

# Add the bar App to the created Okta group.
resource "okta_app_group_assignments" "okta_bar_app_groups" {
  app_id = okta_app_saml.okta_bar_app.id
  group {
    id = okta_group.okta_group.id
  }
  group {
    id = data.okta_group.all-contoso-development-team.id
  }
  group {
    id = data.okta_group.all-contoso-devops-team.id
  }
}

# Create the bar SAML connector that provisions users into Cognito and lets them log in through it.
resource "okta_app_saml" "okta_bar_app" {
  label                    = "${title(var.application)}-${title(var.environment)}-bar-Connector"
  sso_url                  = "https://${var.application}-${var.environment}.auth.${var.region}.amazoncognito.com/saml2/idpresponse"
  recipient                = "https://${var.application}-${var.environment}.auth.${var.region}.amazoncognito.com/saml2/idpresponse"
  destination              = "https://${var.application}-${var.environment}.auth.${var.region}.amazoncognito.com/saml2/idpresponse"
  audience                 = "urn:amazon:cognito:sp:${aws_cognito_user_pool.cognito_user_pool.id}"
  subject_name_id_template = "$${user.userName}"
  subject_name_id_format   = "urn:oasis:names:tc:saml:2.0:nameid-format:persistent"
  response_signed          = true
  assertion_signed         = true
  signature_algorithm      = "RSA_SHA256"
  digest_algorithm         = "SHA256"
  honor_force_authn        = true
  hide_ios                 = true
  hide_web                 = true
  authn_context_class_ref  = "urn:oasis:names:tc:saml:2.0:ac:classes:PasswordProtectedTransport"
  attribute_statements {
    name      = var.okta_attr_statement_email
    values    = ["user.email"]
    namespace = "urn:oasis:names:tc:saml:2.0:attrname-format:unspecified"
  }
  attribute_statements {
    name      = var.okta_attr_statement_username
    values    = ["user.login"]
    namespace = "urn:oasis:names:tc:saml:2.0:attrname-format:unspecified"
  }
  skip_groups = true
}

Debug Output

If we run the config above, Terraform will attempt to remove all the assignment groups from state, as in the plan below:
https://gist.github.com/NiallJude/8ffa8b6f87a78511085f852c76c7ef5d

Expected Behavior

I would like to maintain State on my existing okta_app_group_assignments so Terraform does not try to remove the Group associations. And I would like to do this without any warnings coming up about Deprecated Attributes.

I suspect this is some misconfiguration on my part. Please let me know the correct way to persist groups without using deprecated attributes.

Actual Behavior

If we add the below to okta_app_saml then it works around the issue in Debug Output wherein group assignments are being removed. Again, the group assignments stay in State if we add this:

lifecycle {
  ignore_changes = [groups]
}

However, we see the following on every subsequent validate, plan and apply action.


> terraform validate
╷
│ Warning: Deprecated attribute
│ 
│   on okta_groups.tf line 21, in resource "okta_app_bookmark" "okta_bookmark_app":
│   21:     ignore_changes = [groups]
│ 
│ The attribute "groups" is deprecated. Refer to the provider documentation for details.
│ 
│ (and one more similar warning elsewhere)
╵
Success! The configuration is valid, but there were some validation warnings as shown above.

Steps to Reproduce

  • Create an okta_app_saml resource.
  • Create some okta_app_group_assignments, and associate them to the okta_app_saml above.
  • apply
  • Try to terraform plan without either groups attempting to unassign, or receiving Deprecated attribute warnings.
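
The plan linked under Debug Output proposes dropping the group assignments from the okta_app_saml resource. Before applying a plan like that, a practitioner wants to know whether the proposed change is confined to the deprecated groups attribute on app resources, whether anything else moves at the same time, and whether any okta_app_group_assignments resource is touched. The script below is an added example for this thread, not code from the issue or from the Okta provider; it reads the JSON form of a saved plan (terraform show -json plan.tfplan) and classifies each okta_app_* change. The SAMPLE_PLAN it falls back to is constructed to mirror the symptom, the 00g... group ids in it are placeholders, and the set of app resource types is taken from the ones mentioned in this thread.

```python
"""Triage a Terraform JSON plan for okta_app_* changes that touch only the
deprecated "groups" attribute.  Added example for this thread, not provider code.

Assumed workflow:
    terraform plan -out=plan.tfplan
    terraform show -json plan.tfplan > plan.json
    python triage_plan.py plan.json
"""
import json
import sys

# App resource types on which the provider exposes the deprecated "groups" attribute
# (the ones named in this thread; extend as needed).
APP_TYPES = {"okta_app_saml", "okta_app_oauth", "okta_app_bookmark"}

# Constructed plan fragment mirroring the reported symptom; the 00g... ids are placeholders.
SAMPLE_PLAN = {
    "format_version": "1.1",
    "resource_changes": [
        {"address": "okta_app_saml.okta_bar_app", "type": "okta_app_saml",
         "change": {"actions": ["update"],
                    "before": {"label": "Bar", "groups": ["00g-group-a", "00g-group-b"]},
                    "after": {"label": "Bar", "groups": []}}},
        {"address": "okta_app_oauth.web", "type": "okta_app_oauth",
         "change": {"actions": ["update"],
                    "before": {"label": "Web", "groups": ["00g-group-a"], "hide_web": False},
                    "after": {"label": "Web", "groups": [], "hide_web": True}}},
        {"address": "okta_app_group_assignments.okta_bar_app_groups",
         "type": "okta_app_group_assignments",
         "change": {"actions": ["no-op"], "before": {}, "after": {}}},
    ],
}


def changed_keys(before, after):
    """Attribute names whose value differs between the before and after objects."""
    before = before or {}
    after = after or {}
    return {k for k in set(before) | set(after) if before.get(k) != after.get(k)}


def triage(plan):
    """Classify every non-no-op change on an okta_app_* resource.

    Returns address -> {actions, groups_only, removed_groups, other_keys}.
    """
    findings = {}
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in APP_TYPES:
            continue
        change = rc.get("change", {})
        actions = change.get("actions", [])
        if actions == ["no-op"]:
            continue
        before = change.get("before") or {}
        after = change.get("after") or {}
        keys = changed_keys(before, after)
        removed = set(before.get("groups") or []) - set(after.get("groups") or [])
        findings[rc["address"]] = {
            "actions": actions,
            "groups_only": keys == {"groups"},
            "removed_groups": sorted(removed),
            "other_keys": sorted(keys - {"groups"}),
        }
    return findings


def assignments_touched(plan):
    """Addresses of okta_app_group_assignments resources with a non-no-op action."""
    return sorted(
        rc["address"]
        for rc in plan.get("resource_changes", [])
        if rc.get("type") == "okta_app_group_assignments"
        and rc.get("change", {}).get("actions", []) != ["no-op"]
    )


def report(plan):
    """Human-readable summary lines, one per app change plus one for assignments."""
    lines = []
    for address, f in triage(plan).items():
        if f["groups_only"]:
            verdict = "only the deprecated groups attribute"
        else:
            verdict = "groups plus " + ", ".join(f["other_keys"])
        lines.append(f"{address}: {'/'.join(f['actions'])} touching {verdict}; "
                     f"groups leaving state: {f['removed_groups'] or 'none'}")
    touched = assignments_touched(plan)
    lines.append("okta_app_group_assignments changes: "
                 + (", ".join(touched) if touched else "none"))
    return lines


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            plan_data = json.load(fh)
    else:
        plan_data = SAMPLE_PLAN
    print("\n".join(report(plan_data)))
```

When every app change reports groups_only and no okta_app_group_assignments resource is touched, the plan has the shape this thread describes: only the deprecated attribute leaves state. The script states that fact; it does not decide that applying is safe, so the assignments should still be compared against Okta after the apply.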
@monde added the support-discussion and bug labels Nov 15, 2022
@monde
Collaborator

monde commented Nov 15, 2022

@NiallJude I'm not completely certain if this is a bug with the provider, and I need a support engineer to help look at your use case and configuration in more detail. Can you open a support ticket for this additional help? https://support.okta.com/help/s/?language=en_US
Thanks

@NiallJude
Author

Opening a ticket @monde. Thanks.

@NiallJude
Author

@monde - I am having trouble logging in to open a ticket at this link. Is there a support email I could send to instead?

@GadgetGeekNI

GadgetGeekNI commented Nov 16, 2022

The Okta provider is recommending we use a deprecated feature to work around this issue, hence this warning. Unless I am misunderstanding, as per the provider's latest documentation for okta_app_group_assignment:

NOTE
When using this resource in conjunction with other application resources (e.g. okta_app_oauth) it is advisable to add the following lifecycle argument to the associated app_* resources to prevent the groups being unassigned on subsequent runs:

resource "okta_app_oauth" "app" {
  //...
  lifecycle {
    ignore_changes = [groups]
  }
}

I'd love to get an answer on this too as it would be nice to get rid of the deprecated warnings. Either by un-deprecating it or providing a working solution without the additional noise.

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Jan 16, 2023
@kouk

kouk commented Jan 20, 2023

@NiallJude we were seeing this same issue, but upon applying the "problematic" plan we noticed that the actual group assignments and user assignments were unaffected. So perhaps the plan output is misleading and there's no substantial problem?

@github-actions github-actions bot removed the stale label Jan 21, 2023
@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Mar 23, 2023
@oeuftete

This is still an issue; there is still no solution that doesn't result in deprecation warnings.

@github-actions github-actions bot removed the stale label Mar 25, 2023
@andymadge

Anyone using okta_app_group_assignment in the way recommended in the docs must be seeing this issue.

We have about 40 oauth apps managed in Terraform which means we get 40 deprecation warnings. It's very annoying having to scroll past pages and pages of deprecation warnings, especially on Terraform Cloud which doesn't group similar warnings together like TF CLI does.

I agree with @GadgetGeekNI - surely the official docs should not be recommending a workaround which uses a deprecated feature. The groups attribute should be un-deprecated until a proper solution is available.

@chris-ruddy

I am also seeing this. I removed

lifecycle {
  ignore_changes = [groups]
}

per the deprecated attribute warning, and an apply removed my groups.

@bothman231

Hi, I also switched

lifecycle {
  ignore_changes = [groups]
}

in resource "okta_app_oauth" to

ignore_changes = [okta_app_group_assignments]

per the docs at #1338, but now get..

Error: Unsupported attribute

│ on .terraform/modules/okta-object-deployment/main.tf line 43, in resource "okta_app_oauth" "gpi_app_dev":
│ 43: ignore_changes = [okta_app_group_assignments]

@github-actions

This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 5 days

@github-actions github-actions bot added the stale label Jul 17, 2023
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Jul 23, 2023
@andymadge

This issue isn't resolved, nothing has changed.

As per my previous comment, the official docs should not be recommending a workaround which uses a deprecated feature. The groups attribute should surely be un-deprecated until a proper solution is available.
