
Comments (2)

wellthatsjames commented on August 10, 2024

Hey @mbainter, I'm moving this over to our Zendesk platform, you'll be receiving another email where we will pick this up!

Thanks,

James

from terraform-provider-sdm.

mbainter commented on August 10, 2024

For anyone else that stumbles on this trying to solve the same problem, the follow-up was just that they'll look into it, and so far there hasn't been any indication of action.

In the meantime, the workaround that we're using for this is to let Okta push the roles to strongDM, then import the role into state. The Terraform provider will update the role policy without a destroy/create cycle, so that works okay.

However, it is important that you use the lifecycle rules to set "prevent-destroy" in case someone makes a change (like a rename) that would cause a destroy/create cycle, or it will obviously break Okta's ability to manage the role and its membership.

If this does happen, you can fix it similarly:

  1. Use terraform state rm to delete the state.
  2. Use the strongDM UI to delete the Terraform-created role.
  3. "Unlink" the group in Okta, and tell it to leave the group behind.
  4. Re-assign the group.
  5. This will fail. Click the failure notice, click the link to choose the linked role, and change it to create.
  6. This will also fail, because the role doesn't actually exist; Okta is just confused.
  7. Unlink the group again, and choose to leave the group alone again.
  8. Re-assign the group one more time -- this time you'll have the "create" option and it should be the default.
  9. Verify the role was created, and grab the role ID.
  10. Re-import the role into Terraform.
  11. Re-run Terraform to apply the role policy.

There could possibly be a more straightforward method in Okta, but that is the path that has worked consistently for me.

Hopefully StrongDM will eventually release a better implementation that works more effectively with an external SSO/SCIM provider.

from terraform-provider-sdm.
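A CI-side check for the destroy/create cycle described in the comment above, as an added example that is not from the thread or from the provider: it reads the JSON form of a saved plan (the output of `terraform show -json`) and reports every role the plan would destroy or replace. The resource type `sdm_role`, the sample addresses and the function names are assumptions, and the sample plan is constructed.

```python
import json
import sys

# Assumption: strongDM roles are managed through the `sdm_role` resource type.
GUARDED_TYPES = {"sdm_role"}

# Constructed sample in the shape of `terraform show -json <planfile>` output.
SAMPLE_PLAN = json.dumps({
    "format_version": "1.2",
    "resource_changes": [
        {"address": "sdm_role.engineering", "type": "sdm_role",
         "change": {"actions": ["update"]}},            # in-place policy update
        {"address": "sdm_role.dba", "type": "sdm_role",
         "change": {"actions": ["delete", "create"]}},  # e.g. caused by a rename
        {"address": "sdm_role.legacy", "type": "sdm_role",
         "change": {"actions": ["delete"]}},
        {"address": "sdm_resource.pg", "type": "sdm_resource",
         "change": {"actions": ["delete", "create"]}},  # not a role, ignored
    ],
})


def destructive_role_changes(plan_json):
    """Return (address, kind) for each guarded resource the plan deletes or replaces."""
    plan = json.loads(plan_json)
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") not in GUARDED_TYPES:
            continue
        actions = rc.get("change", {}).get("actions", [])
        if "delete" not in actions:
            continue  # create, update, read and no-op keep the existing role ID
        # A replace lists both actions, in either order.
        kind = "replace" if "create" in actions else "destroy"
        findings.append((rc["address"], kind))
    return findings


def main(argv):
    # With a path argument, read that plan JSON; otherwise use the sample.
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_PLAN
    findings = destructive_role_changes(text)
    for address, kind in findings:
        print(f"BLOCK {address}: plan would {kind} a role linked to the IdP group")
    return 1 if findings else 0  # non-zero exit fails the pipeline step


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```
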
