onelogin_saml_apps missing fields available in the API #85

Open

briggsy87 opened this issue Oct 28, 2022 · 5 comments

Comments

@briggsy87

briggsy87 commented Oct 28, 2022

Hi, sorry if these have been asked/addressed somewhere else but I have spent some time searching through the issues and found nothing relevant.

I currently have some custom Python written which I use to call the OneLogin APIs to create my new application, which seems to work great (with the exception of setting "provisioning": { "enabled": True } in the payload).

I recently noticed that this OneLogin Terraform provider existed and, since I use Terraform heavily for a number of other resources, I thought it was a no-brainer to switch over to this. I have converted my working Python, and while the majority of the app gets created with the correct parameters, I am missing a bunch of things that worked in the API.

A few of the fields I set in the API that aren't available in Terraform, or simply do not work, are:

  • policy_id - (this is a policy that is used to 'Require OTP'). The API takes this in the root of the payload.
  • tab_id - (this is the area/category that the item would show up in the UI). The API also takes this in the root of the payload.
  • configuration.external_role - The API takes this in the configuration block of the payload.
  • configuration.external_id - The API also takes this in the configuration block of the payload.
  • configuration.certificate_id - Terraform seems to allow this as a field, and tries to set it, but never succeeds and always rolls back to my default; each time I see this in the logs: (.configuration: element "certificate_id" has vanished)
  • provisioning.enabled - Terraform seems to allow this as a field, and tries to set it, but never succeeds; each time I see this in the logs: (.provisioning["enabled"]: was cty.True, but now cty.False)

Below is my code:

terraform {
  required_providers {
    onelogin = {
      source  = "onelogin/onelogin"
      version = "0.2.0"
    }
  }
}

provider "onelogin" {
  # Configuration options set as ENV vars
}

resource "onelogin_saml_apps" "example_saml_app" {
  visible      = true
  connector_id = XXXXX
  description  = "AWS - AccountAutomation"
  name         = "AWS - AccountAutomation"
  notes        = "AWS - AccountAutomation"
  # tab_id    = "XXXXX" # "Computed attributes cannot be set"
  # policy_id = "XXXXX" # "Computed attributes cannot be set"

  parameters {
    param_key_name             = "https://aws.amazon.com/SAML/Attributes/RoleSessionName"
    label                      = "RoleSessionName"
    provisioned_entitlements   = false
    user_attribute_mappings    = "email"
    values                     = null
    skip_if_blank              = false
    attributes_transformations = "none"
    default_values             = ""
    user_attribute_macros      = null

    safe_entitlements_enabled = false
    include_in_saml_assertion = false
  }

  parameters {
    param_key_name             = "https://aws.amazon.com/SAML/Attributes/Role"
    label                      = "Role"
    provisioned_entitlements   = false
    user_attribute_mappings    = "none"
    values                     = null
    skip_if_blank              = false
    attributes_transformations = "amazon_roles"
    default_values             = null
    user_attribute_macros      = false

    include_in_saml_assertion = false
    safe_entitlements_enabled = false
  }

  parameters {
    param_key_name             = "saml_username"
    label                      = "Amazon Username"
    provisioned_entitlements   = false
    user_attribute_mappings    = "email"
    values                     = null
    skip_if_blank              = false
    attributes_transformations = "none"
    default_values             = null
    user_attribute_macros      = null

    include_in_saml_assertion = false
    safe_entitlements_enabled = false
  }

  configuration = {
    signature_algorithm = "SHA-256"
    idp_list            = "arn:aws:iam::000000000000:saml-provider/SSO-OneLogin"
    certificate_id      = XXXXX
  }

  provisioning = {
    enabled = "true"
  }
}

resource "onelogin_app_role_attachments" "role_1" {
  app_id  = onelogin_saml_apps.example_saml_app.id
  role_id = XXXXX
}

resource "onelogin_app_role_attachments" "role_2" {
  app_id  = onelogin_saml_apps.example_saml_app.id
  role_id = XXXXX

  depends_on = [
    onelogin_app_role_attachments.role_1 # Added due to race condition error when creating
  ]
}
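Because the provider silently drops policy_id (the "Require OTP" policy), configuration.certificate_id and provisioning.enabled, an app can end up deployed without the MFA policy or signing certificate the operator intended. The following post-apply check, added here as an example and not part of the issue or the provider, reads `terraform show -json` output and flags any onelogin_saml_apps resource whose applied state does not match the expected values; the state document and the POLICY_ID/CERT_ID placeholders are constructed, and the expected resource/type/values layout is that of the `terraform show -json` format.

```python
"""Flag OneLogin SAML apps whose security-relevant fields were dropped on apply."""
import json

# Constructed sample of `terraform show -json` output (not real state): the
# provider reported the app, but policy_id, certificate_id and provisioning
# came back as the defaults described in the issue.
SAMPLE_STATE = json.dumps({
    "format_version": "1.0",
    "values": {"root_module": {"resources": [{
        "address": "onelogin_saml_apps.example_saml_app",
        "type": "onelogin_saml_apps",
        "name": "example_saml_app",
        "values": {
            "name": "AWS - AccountAutomation",
            "policy_id": None,
            "configuration": {"signature_algorithm": "SHA-256"},
            "provisioning": {"enabled": False},
        }}]}},
})

# Placeholder ids for what the operator intended to apply (assumption).
EXPECTED = {"policy_id": "POLICY_ID_PLACEHOLDER",
            "certificate_id": "CERT_ID_PLACEHOLDER"}

def iter_resources(module):
    """Yield every resource in a module and, recursively, its child modules."""
    yield from module.get("resources", [])
    for child in module.get("child_modules", []):
        yield from iter_resources(child)

def find_drift(state_json, expected=EXPECTED):
    """Return {address: [problem, ...]} for each onelogin_saml_apps resource."""
    state = json.loads(state_json)
    problems = {}
    for res in iter_resources(state["values"]["root_module"]):
        if res.get("type") != "onelogin_saml_apps":
            continue
        vals = res.get("values") or {}
        found = []
        if vals.get("policy_id") != expected["policy_id"]:
            found.append("policy_id (Require OTP policy) not applied")
        if (vals.get("configuration") or {}).get("certificate_id") != expected["certificate_id"]:
            found.append("configuration.certificate_id vanished")
        # HCL may carry enabled as the string "true" or a bool; accept either.
        if str((vals.get("provisioning") or {}).get("enabled")).lower() != "true":
            found.append("provisioning.enabled is not true")
        if found:
            problems[res["address"]] = found
    return problems

if __name__ == "__main__":
    for addr, issues in find_drift(SAMPLE_STATE).items():
        print(addr, "->", "; ".join(issues))
```

Run it as `terraform show -json | python check_onelogin_drift.py` in a pipeline step and fail the job when the returned mapping is non-empty.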
@Jmfwolf
Contributor

Jmfwolf commented Jan 19, 2023

We are in the process of standardizing our SDKs by using OpenAPI specifications.
I have an OpenAPI-generated terraform-provider-onelogin in prerelease if you would like to try it out.
https://github.com/onelogin/terraform-provider-onelogin/tree/openapi

@Jmfwolf
Contributor

Jmfwolf commented Apr 12, 2023

@briggsy87 Please check out the latest v0.4.1 release.
It is a breaking change from the previous versions: the apps are one resource, but the configuration features as well as the tab_id and policy_id have been added. Please let me know if there are any issues.

@briggsy87
Author

briggsy87 commented May 11, 2023

Thanks @Jmfwolf, I have been poking around with the newest release. I do see that it was a complete rewrite since you are now using OpenAPI.

My first issue was around auth; it took me a little bit to figure out that I needed to use my client ID and client secret to create a bearer token external to this whole process. I do see that this was already brought up in #112. Looks like you are planning to tackle that issue, which is great. Currently, the best option seems to be running some pre-Terraform script which fetches that token and feeds it into Terraform.

I do see that some of the missing fields I mentioned above are now there like tab_id and policy_id, but what I can't seem to figure out (and couldn't really find in the documentation) is how the new code would accept the parameter blocks that I was using above. This contains things like the user_attribute_mappings.

Sorry for the close and re-open, hit the wrong button.

briggsy87 reopened this May 11, 2023

@chanceball

chanceball commented Jun 7, 2023

I am facing the same issue, I haven't been able to find the rewritten equivalents of the configuration and parameter blocks that were in previous versions of the package for the onelogin_apps resource. This rewrite is a massive undertaking, so I could just be missing its new location.

@Jmfwolf
Contributor

Jmfwolf commented Jun 7, 2023

Hi @chanceball and @briggsy87,

Thanks for your patience. I'm currently in the process of implementing the new design using the newer Terraform Provider Plugin Framework instead of the older Terraform SDK. Specifically for SAML and OIDC apps, I've had to redesign the OneLogin Go SDK. The new Go SDK and the new Terraform Provider are my top priority, given my other responsibilities.

I'll keep you updated on my progress.
