Terraform Fails to Create Okta Group Rule Due to "Empty Access Token" #2161

Open
ronballesteros opened this issue Dec 11, 2024 · 4 comments
Labels
waiting-response Waiting on collaborator to respond to follow-on discussion

Comments

ronballesteros commented Dec 11, 2024

Terraform Version

Terraform v1.7.5
on darwin_arm64
+ provider registry.terraform.io/okta/okta v4.12.0

Affected Resource(s)

  • okta_provider

Terraform Configuration Files

terraform {
  required_providers {
    okta = {
      source  = "okta/okta"
      version = "~> 4.12.0"
    }
  }
}

provider "okta" {
  org_name  = "org_name"
  base_url  = "okta.com"
  client_id = "client_id"
  scopes    = ["okta.groups.manage"]
}

resource "okta_group_rule" "rule_test" {
  name              = "Test Rule"
  expression_type   = "urn:okta:expression:1.0"
  expression_value  = <expression_value>
  group_assignments = <group_assignments>
  status            = "ACTIVE"
}

Note: we pass in the private_key secret in our github actions as an env secret.

Debug Output

Panic Output

Expected Behavior

Terraform should have applied the rule config.

Can this be done in the Admin UI?

Yes, but we want to control this via TF

Can this be done in the actual API call?

Actual Behavior

When attempting to create an Okta group rule using Terraform (using the private key), the process fails with the following error:

Plan: 1 to add, 0 to change, 0 to destroy.
okta_group_rule.test_rule: Creating...
╷
│ Error: failed to create group rule: empty access token

This issue occurs during the execution of terraform apply, despite the fact that:

Terraform validates the private key and does not flag it as invalid.
When running the same Terraform configuration with an invalid private key, the error explicitly states:

okta_group_rule.test_rule: Creating...
╷
│ Error: failed to create group rule: invalid private key

This indicates that the private key in use is potentially valid. However, the Terraform provider is unable to generate or utilize a valid access token to communicate with Okta's API.

If we don't provide the private_key in the github action env var (secret), it defaults to looking for a token and the tf plan fails:

Error: [ERROR] failed to load sdk clients: your Okta API token is missing. You can generate one in the Okta Developer Console. Follow these instructions: https://bit.ly/get-okta-api-token

Steps to Reproduce

  1. Use the same provider setup (passing the private_key as an env secret).
  2. Create an okta group resource:
resource "okta_group_rule" "rule_test" {
  name              = "Test Rule"
  expression_type   = "urn:okta:expression:1.0"
  expression_value  = <expression_value>
  group_assignments = <group_assignments>
  status            = "ACTIVE"
}
  3. Run terraform plan and approve the plan with terraform apply.

Important Factoids

  • So when I run terraform apply with the correct okta private-key, I get an error with an empty token.
  • When I run terraform apply with an invalid private-key, I get the expected error.

Shouldn't I be able to run terraform apply using the okta-provider with just the private-key and no access token?

References

  • #0000
@ronballesteros ronballesteros changed the title Terraform Fails to Create Okta Group Rule Due to "Empty Access Token Terraform Fails to Create Okta Group Rule Due to "Empty Access Token" Dec 11, 2024
ronballesteros (Author) commented

I also did something like this in the provider to pass in the private_key to confirm this issue:

provider "okta" {
  org_name  = "okta-dev-satoshi"
  base_url  = "okta.com"
  client_id = "client_id"
  scopes    = ["okta.groups.manage"]
  private_key = <<EOT
-----BEGIN PRIVATE KEY-----
MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDJnVby0DiMCVqU
...
EOT
}

resource "okta_group_rule" "test_rule" {
  name              = "Test Rule"
  status            = "ACTIVE"
  group_assignments = ["blah"]
  expression_type   = "urn:okta:expression:1.0"
  expression_value  = "isMemberOfAnyGroup(\"blah\")"
}

This is what happens:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # okta_group_rule.test_rule will be created
  + resource "okta_group_rule" "test_rule" {
      + expression_type   = "urn:okta:expression:1.0"
      + expression_value  = "isMemberOfAnyGroup(\"blah\")"
      + group_assignments = [
          + "blah",
        ]
      + id                = (known after apply)
      + name              = "Test Rule"
      + status            = "ACTIVE"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
okta_group_rule.test_rule: Creating...
╷
│ Error: failed to create group rule: empty access token
│ 
│   with okta_group_rule.test_rule,
│   on group-rules.tf line 1, in resource "okta_group_rule" "test_rule":
│    1: resource "okta_group_rule" "test_rule" {

@duytiennguyen-okta duytiennguyen-okta added the waiting-response (Waiting on collaborator to respond to follow-on discussion) label Jan 7, 2025
@jmalloc

jmalloc commented Jan 20, 2025

Edit: I'm not OP, but my manifestation of this was a me-problem: passing a non-empty, incorrect value to private_key_id also produces the empty access token error message.

I am having the same issue using Terraform Stacks with an ephemeral private key loaded from a variable set. I figured I'd post in case that gives some insight, though I am aware that Terraform Stacks is currently a beta feature.

Edit: This is also using v4.12.0 of the provider.

Deployment Config

# Note: All variables loaded from a variable set in this way are marked as `ephemeral`.
# To my knowledge there is no other way to read secrets from a variable set using Terraform Stacks.
store "varset" "vendor_okta" {
  id       = "varset-<redacted>"
  category = "terraform"
}

deployment "<redacted>" {
  inputs = {
    okta_organization   = store.varset.vendor_okta.organization
    okta_client_id      = store.varset.vendor_okta.client_id
    okta_private_key_id = store.varset.vendor_okta.key_id
    okta_private_key    = store.varset.vendor_okta.key

    # etc ...
  }
}

Stack config

provider "okta" "singleton" {
  config {
    base_url       = "okta.com"
    org_name       = var.okta_organization
    client_id      = var.okta_client_id
    private_key_id = var.okta_private_key_id
    private_key    = var.okta_private_key
    scopes = [
      "okta.apps.manage",
      "okta.apps.read",
      "okta.groups.read",
      "okta.policies.read",
    ]
  }
}

variable "okta_organization" {
  description = "The name of the Okta organization."
  type        = string
  ephemeral   = true
}

variable "okta_client_id" {
  description = "The client ID for the 'Terraform Provider' Okta application."
  type        = string
  ephemeral   = true
}

variable "okta_private_key_id" {
  description = "The ID of the public/private key pair for the 'Terraform Provider' Okta application."
  type        = string
  ephemeral   = true
}

variable "okta_private_key" {
  description = "The private key for the 'Terraform Provider' Okta application."
  type        = string
  sensitive   = true
  ephemeral   = true
}

@jmalloc

jmalloc commented Jan 20, 2025

Well, this is embarrassing - I was passing the wrong value for private_key_id, which resulted in the empty access token error message. So I suppose if possible it would be great to have a more specific error message in this case :)

duytiennguyen-okta (Contributor) commented

@ronballesteros I have been using OAuth2 without issue. From your comments, it seems like the server is trying to get the access token without success. A couple of things you can try are:

  1. Set super admin roles for your oauth app.
  2. Grant your oauth app the appropriate api scopes.

You can also try to run TF_LOG=debug terraform apply to see what the error says.
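The provider obtains its access token with the OAuth2 client_credentials grant, presenting a private_key_jwt client assertion signed with the configured private_key and carrying private_key_id as the JWT's kid header. Running that single request outside Terraform shows Okta's own reply (for example an invalid_client error with an error_description) instead of the generic "empty access token" message, which is how the mismatched private_key_id in the comment above surfaces. The program below is an added example written for this page, not code from the okta/okta provider or its SDK; the environment variable names, the five-minute assertion lifetime, and the https://{org_name}.{base_url}/oauth2/v1/token endpoint shape are this example's assumptions, with the claim layout and client_assertion_type following Okta's documented service-app flow.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"encoding/json"
	"encoding/pem"
	"fmt"
	"io"
	"log"
	"net/http"
	"net/url"
	"os"
	"strings"
	"time"
)

// parsePrivateKey takes the PKCS#8 PEM ("BEGIN PRIVATE KEY", as shown in this issue).
func parsePrivateKey(pemBytes []byte) (*rsa.PrivateKey, error) {
	block, _ := pem.Decode(pemBytes)
	if block == nil {
		return nil, fmt.Errorf("no PEM block found in private key")
	}
	k, err := x509.ParsePKCS8PrivateKey(block.Bytes)
	if rsaKey, ok := k.(*rsa.PrivateKey); err == nil && ok {
		return rsaKey, nil
	}
	return nil, fmt.Errorf("not a PKCS#8 RSA key: %v", err)
}

// freshKeyPEM makes a throwaway key so the signing path can be exercised offline.
func freshKeyPEM() ([]byte, *rsa.PublicKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	der, _ := x509.MarshalPKCS8PrivateKey(key) // cannot fail for an *rsa.PrivateKey
	return pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: der}), &key.PublicKey, nil
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }

// buildClientAssertion signs the private_key_jwt assertion (RS256, iss = sub = client_id,
// aud = token endpoint); kid must match the key ID registered on the app (private_key_id).
func buildClientAssertion(key *rsa.PrivateKey, clientID, kid, tokenURL string, now time.Time) (string, error) {
	hj, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT", "kid": kid})
	cj, _ := json.Marshal(map[string]any{
		"iss": clientID, "sub": clientID, "aud": tokenURL, "jti": fmt.Sprint(now.UnixNano()),
		"iat": now.Unix(), "exp": now.Add(5 * time.Minute).Unix(),
	})
	input := b64(hj) + "." + b64(cj)
	digest := sha256.Sum256([]byte(input))
	sig, err := rsa.SignPKCS1v15(rand.Reader, key, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return input + "." + b64(sig), nil
}

// verifySignature checks the assertion with the matching public key before anything is sent.
func verifySignature(assertion string, pub *rsa.PublicKey) error {
	parts := strings.Split(assertion, ".")
	if len(parts) != 3 {
		return fmt.Errorf("malformed JWT")
	}
	sig, _ := base64.RawURLEncoding.DecodeString(parts[2]) // garbage here fails verification below
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig)
}

// tokenRequestForm is the client_credentials body POSTed to {org}/oauth2/v1/token.
func tokenRequestForm(assertion string, scopes []string) url.Values {
	return url.Values{
		"grant_type":            {"client_credentials"},
		"scope":                 {strings.Join(scopes, " ")},
		"client_assertion_type": {"urn:ietf:params:oauth:client-assertion-type:jwt-bearer"},
		"client_assertion":      {assertion},
	}
}

// main takes the provider's inputs from environment variables (names chosen here) and prints Okta's raw reply.
func main() {
	key, err := parsePrivateKey([]byte(os.Getenv("OKTA_PRIVATE_KEY")))
	if err != nil {
		log.Fatal(err)
	}
	tokenURL := fmt.Sprintf("https://%s.%s/oauth2/v1/token", os.Getenv("OKTA_ORG_NAME"), os.Getenv("OKTA_BASE_URL"))
	assertion, _ := buildClientAssertion(key, os.Getenv("OKTA_CLIENT_ID"), os.Getenv("OKTA_PRIVATE_KEY_ID"), tokenURL, time.Now())
	resp, err := http.PostForm(tokenURL, tokenRequestForm(assertion, []string{"okta.groups.manage"}))
	if err != nil {
		log.Fatal(err)
	}
	fmt.Println(resp.Status)
	io.Copy(os.Stdout, resp.Body)
}
```

Run it with OKTA_ORG_NAME, OKTA_BASE_URL, OKTA_CLIENT_ID, OKTA_PRIVATE_KEY_ID and OKTA_PRIVATE_KEY set to the same values the provider block receives. A 200 with an access_token means the key, key ID and scopes are accepted and the problem lies elsewhere; a 400 carries an error_description that distinguishes a rejected assertion (wrong kid or key not registered on the app) from a scope that was never granted to the app, which is the check the two numbered suggestions above are aiming at.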
