<iframe src="https://www.googletagmanager.com/ns.html?id=GTM-M74D8PB" height="0" width="0" style="display:none;visibility:hidden">
Loading
Skip to NavigationSkip to Main Content
System Status
Announcements
Announcements
Search
Search
Select Language
Knowledge Base
Knowledge Articles
Support Videos ↗
Documentation
Product Documentation ↗
Developer Documentation ↗
Product Release Notes ↗
Community
Events & Webinars
Okta Ideas ↗
Resources
Product Hub
Customer Success Hub
Product Release Update
Learning
Okta Learning ↗
Get Support
Open a Case
HomeKnowledge Base
Understanding the ignore_changes Argument in Terraform's Lifecycle Block
Jun 28, 2024
Okta Classic Engine
Okta Identity Engine
API Access Management
Overview

How to modify lifecycle meta argument when updating the Okta Terraform Provider from version 3x to 4x.

Applies To
  • Terraform 
Cause
  • Deprecated resources and datasources causing issues with the prior Terraform lifecycle meta-argument.
  • Before Okta Terraform Provider 4x, the ignore_changes argument could have been leveraged for some resources/data sources, as seen in the example below. It was advised to add the lifecycle argument to prevent the groups from being unassigned on subsequent runs:  
    resource "okta_app_oauth" "example" {
  label          = "example"
  type           = "service"
  response_types = ["token"]
  grant_types    = ["client_credentials"]
  token_endpoint_auth_method = "private_key_jwt"

  groups  = {
  name        = "Example"
  description = "My Example Group"
}

 lifecycle {
    ignore_changes = [
      groups
    ]
  }
}
The ignore_changes argument effectively functions when planning an update, as the groups attribute, a component of the resource block, will be disregarded. According to Terraform documentation, only attributes defined by the resource type can be ignored. ignore_changes cannot be applied to itself or any other meta-arguments.
Solution
  1. The recent release of terraform provider version 4x has brought about modifications to various resources. As a result, certain attributes have been removed. Consequently, the direct configuration of groups in the resource block "okta_app_oauth" is no longer supported. 
    resource "okta_app_oauth" "example" {
  label                      = "example"
  type                       = "web"
  grant_types                = ["authorization_code"]
  redirect_uris              = ["https://example.com/"]
  response_types             = ["code"]
}
  2. To assign the groups to the app it is necessary to employ a new resource  called "okta_app_group_assignments" for managing this particular aspect. 
    resource "okta_app_group_assignments" "example" {
  app_id   = "<app id>"
  group {
    id = "<group id>"
    priority = 1
  }
  group {
    id = "<another group id>"
    priority = 2
    profile = jsonencode({"application profile field": "application profile value"})
  }
}
  3. Consequently, the ignore_changes = [ groups ] will not be needed, since the resource okta_app_group_assignments does not possess the issue of groups being unassigned on the subsequent runs.

Recommended content

Still looking for help?
Loading
Understanding the ignore_changes Argument in Terraform's Lifecycle Block