platform_saml_settings plan has conflicting settings #178

Closed
jon-parodi-yohana opened this issue Dec 12, 2024 · 2 comments

jon-parodi-yohana commented Dec 12, 2024

When creating or importing a platform_saml_settings resource, the setting for the deprecated setting no_auto_user_creation shows as being set to its default value of false regardless of the value of auto_user_creation.

You cannot set both auto_user_creation and no_auto_user_creation such that they align in function; however, they will always reflect opposing definitions if trying to prevent automatic user creation.

Scenario 1: attempting to define both

resource "platform_saml_settings" "saml" {
  name                         = "default"
  allow_user_to_access_profile = true
  auto_redirect                = false
  certificate                  = "redacted"
  email_attribute              = "email"
  enable                       = true
  group_attribute              = "group"
  login_url                    = "redacted"
  logout_url                   = "redacted"
  service_provider_name        = "redacted"
  sync_groups                  = true
  use_encrypted_assertion      = false
  verify_audience_restriction  = true

  auto_user_creation           = false     <-------
  no_auto_user_creation        = false     <-------
}

plan result:

Error: Invalid Attribute Combination
│ 
│   with platform_saml_settings.saml,
│   on saml.tf line 12, in resource "platform_saml_settings" "saml":
│   12:   auto_user_creation           = false
│ 
│ 2 attributes specified when one (and only one) of [no_auto_user_creation] is required

Scenario 2: Defining just auto_user_creation

resource "platform_saml_settings" "saml" {
  name                         = "default"
  allow_user_to_access_profile = true
  auto_redirect                = false
  certificate                  = "redacted"
  email_attribute              = "email"
  enable                       = true
  group_attribute              = "group"
  login_url                    = "redacted"
  logout_url                   = "redacted"
  service_provider_name        = "redacted"
  sync_groups                  = true
  use_encrypted_assertion      = false
  verify_audience_restriction  = true

  auto_user_creation           = false     <-------
}

plan result:

  # platform_saml_settings.saml will be created
resource "platform_saml_settings" "saml" {
    allow_user_to_access_profile = true
    auto_redirect                = false
    auto_user_creation           = false    <-------  Defined value, stating it will NOT auto create users.
    certificate                  = (sensitive value)
    email_attribute              = "email"
    enable                       = true
    group_attribute              = "group"
    login_url                    = "redacted"
    logout_url                   = "redacted"
    name                         = "default"
    no_auto_user_creation        = false    <------- defaults as false, stating that it WILL auto create users.
    service_provider_name        = "redacted"
    sync_groups                  = true
    use_encrypted_assertion      = false
    verify_audience_restriction  = true
}

In scenario 2, it still shows the deprecated setting as having a conflicting setting value, making it ambiguous as to which will take precedence during an apply, if it doesn't fail entirely. One would assume that the non-deprecated setting would be the prioritized one but, again, it's ambiguous.

Terraform version: 1.9.8
JFrog Platform provider version: 1.19.1

jon-parodi-yohana added the "bug" label Dec 12, 2024

alexhung commented Dec 13, 2024

@jon-parodi-yohana Using your configuration, I am able to create the SAML settings resource:

alexh@alexh-mac terraform-provider-platform % terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  + create

Terraform will perform the following actions:

  # platform_saml_settings.saml will be created
  + resource "platform_saml_settings" "saml" {
      + allow_user_to_access_profile = true
      + auto_redirect                = false
      + auto_user_creation           = false
      + certificate                  = (sensitive value)
      + email_attribute              = "email"
      + enable                       = true
      + group_attribute              = "group"
      + login_url                    = "http://tempurl.org/login"
      + logout_url                   = "http://tempurl.org/logout"
      + name                         = "default"
      + no_auto_user_creation        = false
      + service_provider_name        = "okta"
      + sync_groups                  = true
      + use_encrypted_assertion      = false
      + verify_audience_restriction  = true
    }

Plan: 1 to add, 0 to change, 0 to destroy.
╷
│ Warning: Missing MyJFrog API Token
│
│   with provider["registry.terraform.io/jfrog/platform"],
│   on <empty> line 0:
│   (source code not available)
│
│ MyJFrog API Token was not found in the JFROG_MYJFROG_API_TOKEN environment variable or provider configuration block
│ myjfrog_api_token attribute. MyJFrog functionality will be affected.
╵

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

platform_saml_settings.saml: Creating...
platform_saml_settings.saml: Creation complete after 1s [name=default]
╷
│ Warning: Missing MyJFrog API Token
│
│   with provider["registry.terraform.io/jfrog/platform"],
│   on <empty> line 0:
│   (source code not available)
│
│ MyJFrog API Token was not found in the JFROG_MYJFROG_API_TOKEN environment variable or provider configuration block
│ myjfrog_api_token attribute. MyJFrog functionality will be affected.
╵

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.
alexh@alexh-mac terraform-provider-platform % terraform plan
platform_saml_settings.saml: Refreshing state... [name=default]

No changes. Your infrastructure matches the configuration.

Terraform has compared your real infrastructure against your configuration and found no differences, so no changes are needed.
╷
│ Warning: Missing MyJFrog API Token
│
│   with provider["registry.terraform.io/jfrog/platform"],
│   on <empty> line 0:
│   (source code not available)
│
│ MyJFrog API Token was not found in the JFROG_MYJFROG_API_TOKEN environment variable or provider configuration block
│ myjfrog_api_token attribute. MyJFrog functionality will be affected.
╵

The settings from the REST API are:

{
  "name": "default",
  "enable_integration": true,
  "verify_audience_restriction": true,
  "login_url": "http://tempurl.org/login",
  "logout_url": "http://tempurl.org/logout",
  "certificate": "<redacted>",
  "service_provider_name": "okta",
  "auto_user_creation": false,
  "allow_user_to_access_profile": true,
  "use_encrypted_assertion": false,
  "auto_redirect": false,
  "sync_groups": true,
  "group_attribute": "group",
  "email_attribute": "email",
  "name_id_attribute": "",
  "ldap_group_settings": []
}

Changing auto_user_creation value to true:

alexh@alexh-mac terraform-provider-platform % terraform apply
platform_saml_settings.saml: Refreshing state... [name=default]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following
symbols:
  ~ update in-place

Terraform will perform the following actions:

  # platform_saml_settings.saml will be updated in-place
  ~ resource "platform_saml_settings" "saml" {
      ~ auto_user_creation           = false -> true
        name                         = "default"
        # (13 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
╷
│ Warning: Missing MyJFrog API Token
│
│   with provider["registry.terraform.io/jfrog/platform"],
│   on <empty> line 0:
│   (source code not available)
│
│ MyJFrog API Token was not found in the JFROG_MYJFROG_API_TOKEN environment variable or provider configuration block
│ myjfrog_api_token attribute. MyJFrog functionality will be affected.
╵

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

platform_saml_settings.saml: Modifying... [name=default]
platform_saml_settings.saml: Modifications complete after 0s [name=default]
╷
│ Warning: Missing MyJFrog API Token
│
│   with provider["registry.terraform.io/jfrog/platform"],
│   on <empty> line 0:
│   (source code not available)
│
│ MyJFrog API Token was not found in the JFROG_MYJFROG_API_TOKEN environment variable or provider configuration block
│ myjfrog_api_token attribute. MyJFrog functionality will be affected.
╵

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

The API response is now:

{
  "name": "default",
  "enable_integration": true,
  "verify_audience_restriction": true,
  "login_url": "http://tempurl.org/login",
  "logout_url": "http://tempurl.org/logout",
  "certificate": "<redacted>",
  "service_provider_name": "okta",
  "auto_user_creation": true,
  "allow_user_to_access_profile": true,
  "use_encrypted_assertion": false,
  "auto_redirect": false,
  "sync_groups": true,
  "group_attribute": "group",
  "email_attribute": "email",
  "name_id_attribute": "",
  "ldap_group_settings": []
}

Whilst the terraform plan/terraform apply output shows the no_auto_user_creation attribute, the provider is not using its value at all when auto_user_creation is set. This is because no_auto_user_creation has a default value of false in the provider code.

This attribute will be removed completely from the resource in the next major release.
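As an added illustration (not the provider's own code, nor anything from the thread participants), here is how a provider could map the two attributes the reporter compares in Scenarios 1 and 2 onto the single auto_user_creation REST field with the precedence the maintainer describes: the current attribute wins, the deprecated inverted one is only consulted when the current one is absent, and its default of false never changes what is sent when auto_user_creation is written. The Config, ValidateExactlyOne, ResolveAutoUserCreation and BuildPayload names, and the fallback when neither attribute is written, are assumptions of this example.

```go
package main

import (
	"encoding/json"
	"errors"
)

// Config holds the two Terraform attributes; nil means not written in the .tf file.
type Config struct {
	AutoUserCreation   *bool // auto_user_creation (current attribute)
	NoAutoUserCreation *bool // no_auto_user_creation (deprecated, inverted)
}

// ValidateExactlyOne reproduces Scenario 1's plan-time rejection of writing both attributes.
func ValidateExactlyOne(c Config) error {
	if c.AutoUserCreation != nil && c.NoAutoUserCreation != nil {
		return errors.New("invalid attribute combination: both auto_user_creation and no_auto_user_creation set")
	}
	return nil
}

// ResolveAutoUserCreation derives the single API field auto_user_creation. Hypothetical
// precedence modelled on the maintainer's explanation: the current attribute wins; else
// the inverted deprecated one; else its default (false) leaves auto-creation enabled.
func ResolveAutoUserCreation(c Config) bool {
	if c.AutoUserCreation != nil {
		return *c.AutoUserCreation
	}
	if c.NoAutoUserCreation != nil {
		return !*c.NoAutoUserCreation
	}
	return true
}

// APIPayload is the subset of the SAML settings body quoted in the issue.
type APIPayload struct {
	Name             string `json:"name"`
	AutoUserCreation bool   `json:"auto_user_creation"`
}

// BuildPayload validates the config and serialises the body sent to the API;
// for Scenario 2 the plan's displayed no_auto_user_creation default never reaches it.
func BuildPayload(name string, c Config) (string, error) {
	if err := ValidateExactlyOne(c); err != nil {
		return "", err
	}
	b, err := json.Marshal(APIPayload{Name: name, AutoUserCreation: ResolveAutoUserCreation(c)})
	return string(b), err
}
```

Feeding Scenario 2's configuration through BuildPayload produces `{"name":"default","auto_user_creation":false}`, matching the API response the maintainer quotes, while Scenario 1's configuration is rejected before any request is built.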

@alexhung

@jon-parodi-yohana The deprecated attribute is removed in #181
