[BUG] Impossible to set Cookie HMAC Signing Key #177

dbryar opened this issue Aug 9, 2023 · 5 comments

dbryar commented Aug 9, 2023

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Thank you for opening an issue. Please note that we try to keep the Terraform issue tracker reserved for bug reports and feature requests. For general usage questions, please see: https://www.terraform.io/community.html.

DaVinci Terraform provider Version

0.1.9

Terraform Version

1.4.2

Affected Resource(s)

  • davinci_connection

Terraform Configuration Files

resource "davinci_connection" "cookie" {
  environment_id = pingone_environment.dev.id
  name           = "Cookie"
  connector_id   = "cookieConnector"
  property {
    name  = "hmacSigningKey"
    value = "x/xE87rPeJTSY3mGMnPQFBzaFUE1ESNKjGgkdj2+HEUdqeuZ3kk+M/2ziHb29QHtJWTywv+stxeZLPGtLGq4qF+CTwCb3XqjAjzv1QAGeJskiZS1rMjG27IwbOhQpqKHBR/ntFJORCOqvVZ5RglJkMcDz+unNkW6hFsPIuNzVlk="
  }
}

Debug Output

╷
│ Error: Unable to create connection. Error: status: 400, body: {"cause":null,"logLevel":"error","serviceName":null,"message":"Connector already exists","errorMessage":"Connector already exists","success":false,"httpResponseCode":400,"code":7000}
│ 
│   with davinci_connection.cookie,
│   on dev.tf line 1054, in resource "davinci_connection" "cookie":
│ 1054: resource "davinci_connection" "cookie"{
│ 
╵

Expected Behavior

I actually expected this to fail...

Actual Behavior

It did fail

Steps to Reproduce

  1. terraform apply

Important Factoids

Normally I would just delete the connection in Ping DaVinci and allow the terraform plan to apply; however, this is not working for the cookie connector for some reason.

References


dbryar commented Aug 9, 2023

FWIW I am using the connectorId (as opposed to the id) as an enum in generating the HCL so it would stand to reason that since the DaVinci provider does not have an import function, it could use the connectorId as a filter when performing a GET on /v1/connections to determine if the target already exists?

Terraform will perform the following actions:
  # davinci_connection.cookie will be created
  + resource "davinci_connection" "cookie" {
      + connector_id   = "cookieConnector"

// See https://registry.terraform.io/providers/pingidentity/davinci/latest/docs/resources/connection
export enum DavinciConnectorId {
  Annotation = "annotationConnector",
  Challenge = "challengeConnector",
  Cookie = "cookieConnector",
  Flow = "flowConnector",
  Error = "errorConnector",
  Fingerprint = "fingerprintjsConnector",
  Functions = "functionsConnector",
  Http = "httpConnector",
  Policy = "userPolicyConnector",
  Teleport = "nodeConnector",
  Token = "skOpenIdConnector",
  Variables = "variablesConnector",
  PingOneAuth = "pingOneAuthenticationConnector",
  PingOneSSO = "pingOneSSOConnector",
  PingOneMFA = "pingOneMfaConnector",
  PingOneNotifications = "notificationsConnector",
}


dbryar commented Aug 10, 2023

Update:

Deleting the existing cookie connection works as long as the only update is the cookie.

If there is a flow that uses the cookie in the plan, the default cookie connector may be created before the managed connector.

@samir-gandhi
Contributor

I agree this is a scenario where being able to take over the default connection would be helpful.
We had been holding off on that until the "empty environment" feature is released.

Is there a reason you wouldn't want to create the cookie connector as a separate managed resource?
I suppose that may affect the enum function. It would also lead to two connections (one managed, one unmanaged), but it would avoid this conflict.

I'll check on the status of the empty environment and bring in #66 if it's still a ways out.

@patrickcping
Contributor

"Empty" or "clean" DaVinci environments can now be created, so overwriting existing resources is no longer required/recommended

By API

The following API example shows how an environment can be created without bootstrapped/demo configuration; notice the billOfMaterials.products.tags array attribute:

curl --location 'https://api.pingone.eu/v1/environments' \
--header 'Content-Type: application/json' \
--header 'Authorization: Bearer <<token>>' \
--data '{
  "name": "New-Env_1698254427",
  "description": "New environment description",
  "type": "SANDBOX",
  "region": "EU",
  "billOfMaterials": {
    "products": [
      {
        "type": "PING_ONE_BASE",
        "description": "New environment product description",
        "console": {
          "href": "https://example.com"
        }
      },
      {
        "type": "PING_ONE_DAVINCI",
        "description": "New environment product description",
        "tags": ["DAVINCI_MINIMAL"]
      }
    ]
  },
  "license": {
    "id": "********-****-****-****-*************"
  }
}'

By PingOne Terraform Provider

This functionality will be delivered in v0.23.0 of the provider on completion of pingidentity/terraform-provider-pingone#611

@patrickcping patrickcping added the status/needs-triage The issue/PR needs initial triage label Dec 29, 2023
@patrickcping patrickcping added the type/bug Something isn't working label Dec 29, 2023

patrickcping commented Dec 29, 2023

Now that v0.23.0 of the PingOne provider has been released, this needs a re-triage to determine if it's an issue that still needs work.
