
Force Cloudflare Access Application to be recreated if SaaS app auth_type is changed #3332

Merged (5 commits), May 30, 2024

Conversation

@F21 F21 (Contributor) commented May 28, 2024

The auth_type of an application cannot be changed. The only way is to delete the app and create it again as the API will return a 500 when changing an app from oidc to saml or vice-versa.

In the UI, this is stated very clearly:

To change the authentication protocols for this application, delete the application and add the application again with your preferred authentication protocol.

This change adds the ForceNew behaviour to auth_type, so that when it is changed, the resource will be recreated, rather than updated.

Close #3314

@F21 F21 requested a review from jacobbednarz as a code owner May 28, 2024 06:41
github-actions bot (Contributor) commented May 28, 2024

changelog detected ✅

@F21 F21 force-pushed the auth_type-force-new branch from 3421377 to 520df6f, May 28, 2024 06:43
@F21 F21 force-pushed the auth_type-force-new branch from 520df6f to 62356bd, May 28, 2024 09:13
@ajholland (Contributor)

👍 Looks good to me, thank you for the contribution!

@jacobbednarz (Member)

looks like the acceptance test is failing here

TF_ACC=1 go test ./internal/sdkv2provider -v -run "^TestAccCloudflareAccessApplication_" -count 1 -timeout 120m -parallel 1
=== RUN   TestAccCloudflareAccessApplication_BasicZone
--- PASS: TestAccCloudflareAccessApplication_BasicZone (8.86s)
=== RUN   TestAccCloudflareAccessApplication_BasicAccount
--- PASS: TestAccCloudflareAccessApplication_BasicAccount (7.79s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasic
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasic (9.49s)
=== RUN   TestAccCloudflareAccessApplication_UpdateSCIMConfig
--- PASS: TestAccCloudflareAccessApplication_UpdateSCIMConfig (14.71s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigInvalidMappingSchema
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigInvalidMappingSchema (4.09s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasicMissingRequired
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasicMissingRequired (4.28s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigOAuthBearerToken
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigOAuthBearerToken (9.71s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigOAuth2
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigOAuth2 (11.31s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigOAuth2MissingRequired
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigOAuth2MissingRequired (4.47s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigAuthenticationInvalid
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigAuthenticationInvalid (4.32s)
=== RUN   TestAccCloudflareAccessApplication_WithCORS
--- PASS: TestAccCloudflareAccessApplication_WithCORS (7.64s)
=== RUN   TestAccCloudflareAccessApplication_WithSAMLSaas
--- PASS: TestAccCloudflareAccessApplication_WithSAMLSaas (8.00s)
=== RUN   TestAccCloudflareAccessApplication_WithSAMLSaas_Import
=== PAUSE TestAccCloudflareAccessApplication_WithSAMLSaas_Import
=== RUN   TestAccCloudflareAccessApplication_WithOIDCSaas
--- PASS: TestAccCloudflareAccessApplication_WithOIDCSaas (7.88s)
=== RUN   TestAccCloudflareAccessApplication_WithOIDCSaas_Import
=== PAUSE TestAccCloudflareAccessApplication_WithOIDCSaas_Import
=== RUN   TestAccCloudflareAccessApplication_WithAutoRedirectToIdentity
--- PASS: TestAccCloudflareAccessApplication_WithAutoRedirectToIdentity (10.59s)
=== RUN   TestAccCloudflareAccessApplication_WithEnableBindingCookie
--- PASS: TestAccCloudflareAccessApplication_WithEnableBindingCookie (7.51s)
=== RUN   TestAccCloudflareAccessApplication_WithCustomDenyFields
--- PASS: TestAccCloudflareAccessApplication_WithCustomDenyFields (9.12s)
=== RUN   TestAccCloudflareAccessApplication_WithADefinedIdps
--- PASS: TestAccCloudflareAccessApplication_WithADefinedIdps (9.00s)
=== RUN   TestAccCloudflareAccessApplication_WithMultipleIdpsReordered
--- PASS: TestAccCloudflareAccessApplication_WithMultipleIdpsReordered (18.65s)
=== RUN   TestAccCloudflareAccessApplication_WithHttpOnlyCookieAttribute
--- PASS: TestAccCloudflareAccessApplication_WithHttpOnlyCookieAttribute (7.77s)
=== RUN   TestAccCloudflareAccessApplication_WithHTTPOnlyCookieAttributeSetToFalse
--- PASS: TestAccCloudflareAccessApplication_WithHTTPOnlyCookieAttributeSetToFalse (7.90s)
=== RUN   TestAccCloudflareAccessApplication_WithSameSiteCookieAttribute
--- PASS: TestAccCloudflareAccessApplication_WithSameSiteCookieAttribute (7.82s)
=== RUN   TestAccCloudflareAccessApplication_WithLogoURL
--- PASS: TestAccCloudflareAccessApplication_WithLogoURL (13.48s)
=== RUN   TestAccCloudflareAccessApplication_WithSkipInterstitial
--- PASS: TestAccCloudflareAccessApplication_WithSkipInterstitial (7.96s)
=== RUN   TestAccCloudflareAccessApplication_WithAppLauncherVisible
--- PASS: TestAccCloudflareAccessApplication_WithAppLauncherVisible (7.71s)
=== RUN   TestAccCloudflareAccessApplication_WithSelfHostedDomains
--- PASS: TestAccCloudflareAccessApplication_WithSelfHostedDomains (8.00s)
=== RUN   TestAccCloudflareAccessApplication_WithDefinedTags
--- PASS: TestAccCloudflareAccessApplication_WithDefinedTags (9.27s)
=== RUN   TestAccCloudflareAccessApplication_WithReusablePolicies
--- PASS: TestAccCloudflareAccessApplication_WithReusablePolicies (13.14s)
=== RUN   TestAccCloudflareAccessApplication_WithAppLauncherCustomization
--- PASS: TestAccCloudflareAccessApplication_WithAppLauncherCustomization (8.06s)
=== RUN   TestAccCloudflareAccessApplication_AuthTypeForcesNewResource
    resource_cloudflare_access_application_test.go:1034: Step 1/2 error: Check failed: Check 1/1 error: cloudflare_access_application.pfjpvejmxq: Attribute 'saas_app.auth_type' not found
--- FAIL: TestAccCloudflareAccessApplication_AuthTypeForcesNewResource (5.88s)
=== CONT  TestAccCloudflareAccessApplication_WithSAMLSaas_Import
--- PASS: TestAccCloudflareAccessApplication_WithSAMLSaas_Import (14.96s)
=== CONT  TestAccCloudflareAccessApplication_WithOIDCSaas_Import
--- PASS: TestAccCloudflareAccessApplication_WithOIDCSaas_Import (10.80s)
FAIL
FAIL	github.com/cloudflare/terraform-provider-cloudflare/internal/sdkv2provider	281.455s
FAIL
make: *** [testacc] Error 1

@F21 F21 (Contributor, Author) commented May 29, 2024

oops @jacobbednarz , it should be saas.0.auth_type. This has been fixed in the latest commit.

@jacobbednarz (Member)

sorry, it still looks to be failing here.

=== RUN   TestAccCloudflareAccessApplication_WithAppLauncherCustomization
--- PASS: TestAccCloudflareAccessApplication_WithAppLauncherCustomization (18.67s)
=== RUN   TestAccCloudflareAccessApplication_AuthTypeForcesNewResource
    resource_cloudflare_access_application_test.go:1034: Step 1/2 error: Check failed: Check 1/1 error: cloudflare_access_application.nzhhzfioal: Attribute 'saas_app.0.auth_type' expected "saml", got ""
--- FAIL: TestAccCloudflareAccessApplication_AuthTypeForcesNewResource (6.01s)
=== CONT  TestAccCloudflareAccessApplication_WithSAMLSaas_Import
--- PASS: TestAccCloudflareAccessApplication_WithSAMLSaas_Import (10.64s)
=== CONT  TestAccCloudflareAccessApplication_WithOIDCSaas_Import
--- PASS: TestAccCloudflareAccessApplication_WithOIDCSaas_Import (10.55s)
FAIL
FAIL	github.com/cloudflare/terraform-provider-cloudflare/internal/sdkv2provider	306.816s
FAIL
make: *** [testacc] Error 1

are you able to run these tests locally and confirm it is working for you?
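Added example, not code from this PR or from the provider: a stdlib-only Go model of the two things this thread turns on. First, how SDK v2 flattens a nested `saas_app` block into state keys such as `saas_app.0.auth_type`, which is why a check on `saas_app.auth_type` reports "not found" and why a key that the read step never populated reports `expected "saml", got ""`. Second, how marking `auth_type` as ForceNew turns a plan that changes it into a replacement (destroy, then create) rather than an in-place update, as the PR description sets out. The functions `Flatten`, `IsForceNew`, `Plan`, `CheckAttr` and `SaasApp`, the `ForceNewKeys` pattern syntax and the constructed application values are assumptions of this example, not the SDK's or the provider's API.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// ForceNewKeys: attribute paths this model treats as ForceNew; "*" stands for a
// list index. (Assumption of the example; SDK v2 marks ForceNew in the schema.)
var ForceNewKeys = []string{"saas_app.*.auth_type"}

// Flatten converts a nested resource value into SDK v2 style flat state: a block
// list yields "<name>.#" plus "<name>.<i>.<attr>", so a nested auth_type lands at
// "saas_app.0.auth_type" and a check for "saas_app.auth_type" finds nothing.
func Flatten(prefix string, v interface{}, out map[string]string) {
	switch t := v.(type) {
	case map[string]interface{}:
		for k, child := range t {
			if prefix != "" {
				k = prefix + "." + k
			}
			Flatten(k, child, out)
		}
	case []interface{}:
		out[prefix+".#"] = strconv.Itoa(len(t))
		for i, child := range t {
			Flatten(prefix+"."+strconv.Itoa(i), child, out)
		}
	default:
		out[prefix] = fmt.Sprint(t)
	}
}

// IsForceNew reports whether a flat key matches one of the ForceNew patterns.
func IsForceNew(key string, patterns []string) bool {
	kp := strings.Split(key, ".")
	for _, p := range patterns {
		pp := strings.Split(p, ".")
		ok := len(pp) == len(kp)
		for i := 0; ok && i < len(pp); i++ {
			ok = pp[i] == "*" || pp[i] == kp[i]
		}
		if ok {
			return true
		}
	}
	return false
}

// Plan diffs prior state against planned config: a changed ForceNew key makes the
// action "replace"; any other change is "update"; no change is "no-op".
// A key absent on one side reads as "", as a missing attribute does in state.
func Plan(prior, planned map[string]string, forceNew []string) (string, []string) {
	action, changed, seen := "no-op", []string{}, map[string]bool{}
	for _, side := range []map[string]string{prior, planned} {
		for k := range side {
			if seen[k] || prior[k] == planned[k] {
				continue
			}
			seen[k] = true
			changed = append(changed, k)
			if IsForceNew(k, forceNew) {
				action = "replace"
			} else if action == "no-op" {
				action = "update"
			}
		}
	}
	sort.Strings(changed)
	return action, changed
}

// CheckAttr mirrors an acceptance-test attribute check and reproduces the two
// failure shapes seen in this thread: key not present, and key present but wrong.
func CheckAttr(state map[string]string, key, want string) error {
	got, ok := state[key]
	if !ok {
		return fmt.Errorf("Attribute '%s' not found", key)
	}
	if got != want {
		return fmt.Errorf("Attribute '%s' expected %q, got %q", key, want, got)
	}
	return nil
}

// SaasApp builds a constructed, minimal nested Access SaaS application.
func SaasApp(name, authType string) map[string]interface{} {
	return map[string]interface{}{
		"name":     name,
		"saas_app": []interface{}{map[string]interface{}{"auth_type": authType}},
	}
}

func main() {
	prior, planned := map[string]string{}, map[string]string{}
	Flatten("", SaasApp("example-app", "saml"), prior)
	Flatten("", SaasApp("example-app", "oidc"), planned)
	// Only auth_type differs, and it is ForceNew: the app is replaced, not updated.
	fmt.Println(Plan(prior, planned, ForceNewKeys))
	// Wrong key shape versus the flattened key the state actually holds.
	fmt.Println(CheckAttr(prior, "saas_app.auth_type", "saml"))
	fmt.Println(CheckAttr(prior, "saas_app.0.auth_type", "saml"))
}
```

Run it with `go run .`; the plan line prints `replace [saas_app.0.auth_type]`, the first check prints the "not found" error and the second prints `<nil>`. The point of the model is the interaction between the two halves: a ForceNew marker only does its job if the read step actually writes the attribute into state under the flattened key, otherwise the diff compares `""` against the config value and the replacement either never triggers or triggers on every plan.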

@F21 F21 (Contributor, Author) commented May 29, 2024

I am having trouble creating a token with the correct permissions:

Error: error creating Access Application for accounts "REDACTED": error from makeRequest: access.api.error.invalid_request: Account does not have permission to use saml_attribute_transform_jsonata (12130)

These are the permissions I've assigned:

  • Account -> Access: Apps and Policies -> Revoke, Edit, Read
  • Zone -> Access: Apps and Policies -> Revoke, Edit, Read

@F21 F21 force-pushed the auth_type-force-new branch from 99fd1e2 to b120016, May 29, 2024 22:00
@jacobbednarz (Member)

nice one, that's got it.

TF_ACC=1 go test ./internal/sdkv2provider -v -run "^TestAccCloudflareAccessApplication_" -count 1 -timeout 120m -parallel 1
=== RUN   TestAccCloudflareAccessApplication_BasicZone
--- PASS: TestAccCloudflareAccessApplication_BasicZone (9.50s)
=== RUN   TestAccCloudflareAccessApplication_BasicAccount
--- PASS: TestAccCloudflareAccessApplication_BasicAccount (7.56s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasic
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasic (9.06s)
=== RUN   TestAccCloudflareAccessApplication_UpdateSCIMConfig
--- PASS: TestAccCloudflareAccessApplication_UpdateSCIMConfig (18.80s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigInvalidMappingSchema
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigInvalidMappingSchema (4.56s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasicMissingRequired
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigHttpBasicMissingRequired (4.34s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigOAuthBearerToken
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigOAuthBearerToken (9.19s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigOAuth2
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigOAuth2 (16.09s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigOAuth2MissingRequired
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigOAuth2MissingRequired (4.25s)
=== RUN   TestAccCloudflareAccessApplication_WithSCIMConfigAuthenticationInvalid
--- PASS: TestAccCloudflareAccessApplication_WithSCIMConfigAuthenticationInvalid (4.28s)
=== RUN   TestAccCloudflareAccessApplication_WithCORS
--- PASS: TestAccCloudflareAccessApplication_WithCORS (9.18s)
=== RUN   TestAccCloudflareAccessApplication_WithSAMLSaas
--- PASS: TestAccCloudflareAccessApplication_WithSAMLSaas (11.46s)
=== RUN   TestAccCloudflareAccessApplication_WithSAMLSaas_Import
=== PAUSE TestAccCloudflareAccessApplication_WithSAMLSaas_Import
=== RUN   TestAccCloudflareAccessApplication_WithOIDCSaas
--- PASS: TestAccCloudflareAccessApplication_WithOIDCSaas (8.13s)
=== RUN   TestAccCloudflareAccessApplication_WithOIDCSaas_Import
=== PAUSE TestAccCloudflareAccessApplication_WithOIDCSaas_Import
=== RUN   TestAccCloudflareAccessApplication_WithAutoRedirectToIdentity
--- PASS: TestAccCloudflareAccessApplication_WithAutoRedirectToIdentity (9.28s)
=== RUN   TestAccCloudflareAccessApplication_WithEnableBindingCookie
--- PASS: TestAccCloudflareAccessApplication_WithEnableBindingCookie (7.82s)
=== RUN   TestAccCloudflareAccessApplication_WithCustomDenyFields
--- PASS: TestAccCloudflareAccessApplication_WithCustomDenyFields (8.05s)
=== RUN   TestAccCloudflareAccessApplication_WithADefinedIdps
--- PASS: TestAccCloudflareAccessApplication_WithADefinedIdps (9.74s)
=== RUN   TestAccCloudflareAccessApplication_WithMultipleIdpsReordered
--- PASS: TestAccCloudflareAccessApplication_WithMultipleIdpsReordered (15.55s)
=== RUN   TestAccCloudflareAccessApplication_WithHttpOnlyCookieAttribute
--- PASS: TestAccCloudflareAccessApplication_WithHttpOnlyCookieAttribute (12.60s)
=== RUN   TestAccCloudflareAccessApplication_WithHTTPOnlyCookieAttributeSetToFalse
--- PASS: TestAccCloudflareAccessApplication_WithHTTPOnlyCookieAttributeSetToFalse (11.12s)
=== RUN   TestAccCloudflareAccessApplication_WithSameSiteCookieAttribute
--- PASS: TestAccCloudflareAccessApplication_WithSameSiteCookieAttribute (7.14s)
=== RUN   TestAccCloudflareAccessApplication_WithLogoURL
--- PASS: TestAccCloudflareAccessApplication_WithLogoURL (7.48s)
=== RUN   TestAccCloudflareAccessApplication_WithSkipInterstitial
--- PASS: TestAccCloudflareAccessApplication_WithSkipInterstitial (7.15s)
=== RUN   TestAccCloudflareAccessApplication_WithAppLauncherVisible
--- PASS: TestAccCloudflareAccessApplication_WithAppLauncherVisible (7.21s)
=== RUN   TestAccCloudflareAccessApplication_WithSelfHostedDomains
--- PASS: TestAccCloudflareAccessApplication_WithSelfHostedDomains (8.60s)
=== RUN   TestAccCloudflareAccessApplication_WithDefinedTags
--- PASS: TestAccCloudflareAccessApplication_WithDefinedTags (8.92s)
=== RUN   TestAccCloudflareAccessApplication_WithReusablePolicies
--- PASS: TestAccCloudflareAccessApplication_WithReusablePolicies (10.00s)
=== RUN   TestAccCloudflareAccessApplication_WithAppLauncherCustomization
--- PASS: TestAccCloudflareAccessApplication_WithAppLauncherCustomization (7.56s)
=== RUN   TestAccCloudflareAccessApplication_AuthTypeForcesNewResource
--- PASS: TestAccCloudflareAccessApplication_AuthTypeForcesNewResource (13.98s)
=== CONT  TestAccCloudflareAccessApplication_WithSAMLSaas_Import
--- PASS: TestAccCloudflareAccessApplication_WithSAMLSaas_Import (10.31s)
=== CONT  TestAccCloudflareAccessApplication_WithOIDCSaas_Import
--- PASS: TestAccCloudflareAccessApplication_WithOIDCSaas_Import (10.45s)
PASS
ok  	github.com/cloudflare/terraform-provider-cloudflare/internal/sdkv2provider	290.283s

thanks for the PR.

@jacobbednarz jacobbednarz merged commit 0813420 into cloudflare:master May 30, 2024
9 checks passed
@github-actions github-actions bot added this to the v4.35.0 milestone May 30, 2024
github-actions bot pushed a commit that referenced this pull request May 30, 2024
@F21 F21 deleted the auth_type-force-new branch May 30, 2024 04:50

This functionality has been released in v4.35.0 of the Terraform Cloudflare Provider.

Please see the Terraform documentation on provider versioning or reach out if you need any assistance upgrading.

For further feature requests or bug reports with this functionality, please create a new GitHub issue following the template. Thank you!

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Jun 12, 2024
Successfully merging this pull request may close these issues.

cloudflare_access_application should be replaced when auth_type is changed.